Kaspersky Lab has uncovered a rogue antivirus scam tied to ads on ICQ, an instant messaging program.
According to Kaspersky, pop-ups for a women’s clothing company called Charlotte Russe appeared when ICQ was fetching new ads. After ICQ shows a browser window, the browser pops up a message stating that Antivirus 8 has found suspicious activity, Kaspersky Lab Senior Malware Researcher Roel Schouwenberg explained.
“Interestingly enough, we didn’t observe any exploit behavior,” he said. “This attack seems to be relying on social engineering only. That’s rather strange for such a high-level attack. What I suspect may be the case is that different people are responsible for each respective part of the attack. One person/gang is responsible for setting up the Fake AV page and someone else is responsible for getting people to visit the page.”
The servers are based in different locations, and their command and control appears to be hosted in Germany.
“The bad guys registered domains related to a clothing brand, as well as ad-related domains,” Schouwenberg said. “When just looking at the domain names these domains appear legitimate. Combine that with adding an I-frame which immediately looks suspicious, and the immediate conclusion is that this particular server got hacked. In reality, this server didn’t get hacked at all; it belongs to the bad guys.”
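The chain Schouwenberg describes has two pieces a defender can check for mechanically: an iframe added to an ad creative, and a frame source on a domain whose name merely resembles a brand. The following is an added example (not code from Kaspersky, ICQ, or the ad network) of a small creative review step that parses the HTML an ad server returns, lists every iframe, and flags frames whose registrable domain is not on an allowlist, noting when the domain contains a brand token or the frame is hidden. The sample creative, the `ads.example` allowlist entry, the `examplebrand` token and the look-alike domain are all constructed placeholders; the registrable-domain logic uses the last two labels only, which is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe>/<frame> start tag and its attributes from an ad creative."""

    def __init__(self):
        super().__init__()
        self.frames = []  # list of {"src": str, "attrs": dict}

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            attr_map = {name.lower(): (value or "") for name, value in attrs}
            if attr_map.get("src"):
                self.frames.append({"src": attr_map["src"], "attrs": attr_map})


def iframe_frames(html):
    """Parse the creative and return the collected frame records."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.frames


def registrable_domain(host):
    """Simplified registrable domain: last two DNS labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_hidden(attrs):
    """Zero-sized or display:none frames are a classic sign of an injected, not displayed, frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width", "").strip() == "0"
        or attrs.get("height", "").strip() == "0"
        or "display:none" in style
        or "visibility:hidden" in style
    )


def review_creative(html, allowed_domains, brand_tokens):
    """Return a finding for each iframe whose host is not on the allowlist.

    allowed_domains: set of registrable domains the ad server is expected to frame.
    brand_tokens:    lowercase brand names; a match marks a look-alike domain.
    """
    findings = []
    for frame in iframe_frames(html):
        host = urlparse(frame["src"]).hostname or ""
        domain = registrable_domain(host)
        if domain in allowed_domains:
            continue
        findings.append(
            {
                "src": frame["src"],
                "domain": domain,
                "lookalike": any(tok in domain for tok in brand_tokens),
                "hidden": is_hidden(frame["attrs"]),
            }
        )
    return findings


# Constructed sample creative: one expected frame from the ad server placeholder,
# one hidden frame pointing at a brand look-alike domain (both hostnames are placeholders).
SAMPLE_CREATIVE = """
<div class="ad-slot">
  <iframe src="https://serve.ads.example/creative/123" width="300" height="250"></iframe>
  <iframe src="https://examplebrand-sale.example/landing" width="0" height="0"
          style="display:none"></iframe>
</div>
"""
ALLOWED_DOMAINS = {"ads.example"}      # constructed allowlist
BRAND_TOKENS = ["examplebrand"]         # constructed brand token

if __name__ == "__main__":
    for finding in review_creative(SAMPLE_CREATIVE, ALLOWED_DOMAINS, BRAND_TOKENS):
        flags = [k for k in ("lookalike", "hidden") if finding[k]]
        print(f"off-allowlist iframe {finding['src']} ({finding['domain']}) {' '.join(flags)}")
```

Run against creatives pulled from an ad-serving log, the allowlist is the set of domains the network is contractually expected to frame; anything else, particularly a hidden frame on a brand-flavoured domain, is what an ad-ops or security reviewer would escalate to the network, much as Kaspersky did with Yieldmanager here.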
Kaspersky said the company has contacted Yieldmanager, the company distributing the ad.