StartupBritain Serves Up Fake AV On Launch
A government-backed Website for entrepreneurs directed users to a site hosting fake antivirus the day it launched.
The site, Startup Britain, redirected Internet Explorer visitors to fake antivirus software hosted on a third-party site, Bankling.com, according to BBC News. Startup Britain launched on March 28.
"There were some issues with a link on the website at the launch. This issue has been addressed and any links that were not operating as intended have been amended or removed," the site's administrators told BBC News.
There were links on Startupbritain.org that pointed to a WordPress blog that automatically put up a fake antivirus page to trick users into installing a "free System Security Antivirus." At least two instances of the fake AV were hosted in India and Latvia, according to Paul Mutton, a researcher with Netcraft.
Users saw a prompt, "Your computer contains various signs of viruses and malware programs presence."
As is the case with these fake antivirus scams, there was no infection.
It was "free" to download and scan the system, but users had to pay before the fake software would "clean" the system of the alleged malware it had detected.
Only Internet Explorer users, including those on versions 7 and 8, were shown the scareware dialog box; Firefox users were not.
The malicious link appeared in an article about US investor Warren Buffett, according to security firm Sophos. "Startup Britain has linked to a site, and haven't told you that the link leads offsite," said Sophos senior threat researcher Paul Baccas. "If you link to an external site, you should check its veracity and that it's clean. However, we don't know when the site was infected," he said.
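The two behaviours described above, an outbound link that only misbehaves for Internet Explorer visitors and Baccas's advice to check that linked sites are clean, suggest a simple site-owner check: extract a page's external links and fetch each with more than one browser User-Agent, flagging any link whose final destination depends on which browser asked. The script below is an added example, not code from the article, BBC News, Netcraft or Sophos. The page URL, the HTML, the domains and the `fake_fetch` function are constructed stand-ins so it runs offline; a real run would replace `fake_fetch` with an HTTP client that returns the status code and Location header.

```python
"""Outbound-link cloaking check (added example; all URLs and responses are constructed).

Extracts the external links from a page's HTML, follows each one with two
browser User-Agent strings, and reports links whose final destination differs
by User-Agent, the pattern in the article where only Internet Explorer
visitors were redirected to a fake-AV page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from typing import Callable, Dict, List, Optional, Tuple

# Browser identities to compare. Abbreviated but realistic User-Agent strings.
USER_AGENTS = {
    "ie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
}

# A fetcher returns (status_code, Location header or None) for a URL and a UA.
Fetcher = Callable[[str, str], Tuple[int, Optional[str]]]


class LinkExtractor(HTMLParser):
    """Collects href targets of <a> tags, resolved against the page URL."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(urljoin(self.base_url, value))


def external_links(page_url: str, html: str) -> List[str]:
    """Return links whose host differs from the page's own host (deduplicated, in order)."""
    parser = LinkExtractor(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).netloc.lower()
    seen, out = set(), []
    for link in parser.links:
        host = urlsplit(link).netloc.lower()
        if host and host != own_host and link not in seen:
            seen.add(link)
            out.append(link)
    return out


def final_destination(url: str, ua: str, fetch: Fetcher, max_hops: int = 5) -> str:
    """Follow 3xx redirects (bounded, so a redirect loop cannot hang the check)
    and return the last URL reached."""
    current = url
    for _ in range(max_hops):
        status, location = fetch(current, ua)
        if 300 <= status < 400 and location:
            current = urljoin(current, location)
        else:
            break
    return current


def cloaked_links(page_url: str, html: str, fetch: Fetcher) -> Dict[str, Dict[str, str]]:
    """Map each external link whose final destination depends on the User-Agent
    to its per-browser destinations. An empty dict means no cloaking was seen."""
    findings: Dict[str, Dict[str, str]] = {}
    for link in external_links(page_url, html):
        dests = {name: final_destination(link, ua, fetch) for name, ua in USER_AGENTS.items()}
        if len(set(dests.values())) > 1:
            findings[link] = dests
    return findings


# --- constructed offline stand-in for the network (hypothetical domains) ----
PAGE_URL = "http://example-startup-site.test/articles/investor-profile"
PAGE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="http://blog.example-partner.test/post/1">Read more</a>
<a href="http://www.example-reference.test/bio">Biography</a>
</body></html>
"""


def fake_fetch(url: str, ua: str) -> Tuple[int, Optional[str]]:
    """Constructed responses: the partner blog redirects only MSIE visitors
    to a rogue scanner page; every other request answers 200 with no redirect."""
    if url == "http://blog.example-partner.test/post/1" and "MSIE" in ua:
        return 302, "http://scanner.example-rogue.test/scan.php"
    return 200, None


if __name__ == "__main__":
    for link, dests in cloaked_links(PAGE_URL, PAGE_HTML, fake_fetch).items():
        print(f"User-Agent-dependent redirect on {link}:")
        for browser, dest in dests.items():
            print(f"  {browser:8s} -> {dest}")
```

Comparing final destinations rather than raw response bodies keeps the check cheap and avoids false positives from pages that legitimately vary their markup per browser; a site that wants deeper coverage can add more User-Agent strings to `USER_AGENTS`, since any disagreement between them is reported.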
While this wasn't strictly malvertising in the sense that the link did not get served up by an advertisement via a third-party network, the parallels are striking. According to security firm Dasient, more than 1.2 million websites were infected by malicious software in the third quarter of 2010. Attackers are increasingly using legitimate Websites to spread malware in the background without directly compromising the sites.