Security researcher Chris Boyd, aka “Paperghost,” has written up a newly discovered variation on the fake AV theme, recently encountered in the wild.
In a new twist on the phony AV/clean-up utility scam, this latest version threatens to shut down the end user’s computer unless they click on a flashing warning window that pops up on their desktop within a set amount of time, typically 30 seconds.
This adds a whole new layer of urgency to the fake security program format: in addition to having to work out whether the pop-up is authentic, users are led to believe that they must do so within a limited timeframe.
Boyd published a screenshot of the attack on the Spywareguide blog. Clicking on the warning automatically downloads a fake AV client that actually harbors downloader malware dubbed “registrydoctor2008.com.”
“A fake timer counting down till they shut down your computer, to ‘protect it’ from some imaginary threat,” Boyd noted. “Nice of them. Would the average user even be able to hit the download button, install the program and run it in the panic-filled 30 seconds they claim is all you have left?”
If any particular attack angle established itself as the most popular approach of 2008, it was certainly the fraudulent AV social engineering technique.
It will be interesting to see whether these attacks, like so many before them, fall off somewhat in 2009 as vendors and end users become more aware of the threat and learn to watch for it.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.