Jun 4
4:37 am (UTC-7)   |   by JM Hipolito (Technical Communications)

Questions surrounding the crash of Air France Flight 447 have not been fully answered yet, but that has not stopped cybercriminals; they are already taking advantage of this tragedy too.

Through SEO poisoning, searches for news reports about the plane crash return links that, when opened, trigger a chain of redirections through several sites and ultimately lead to the download of rogue antivirus software.

[Figures 1 and 2: screenshots not reproduced]

The URLs shown above (Figure 2) are detected as follows:

  • hxxp://cnnnews2009.{BLOCKED}.com/french-airbus-crash.html – detected as HTML_REDIRECT.ED
  • hxxp://cnnnews2009.{BLOCKED}.com/images/menu.js – detected as JS_CRYPTED.HW
  • hxxp://{BLOCKED}ware-live-scanv3.com/1/?id=2022&smersh=8186a276d&back=%3DDQwxDDwNcQNMI%3DN/My computer Online Scan.htm – detected as JS_FAKEAV.BIM

As of this writing, the other URLs in the chain are no longer accessible. The downloaded rogue antivirus installer, Install_2022.exe, is detected as TROJ_FAKEAV.BIM. Upon execution, it connects to a URL to download another file, which is now detected as TROJ_YEKTEL.AA.
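The chain above (an HTML redirect page, an obfuscated script, a fake "online scan" page, then an executable download) is the typical shape of an SEO-poisoning campaign. The following resolver is an added example and not code from the original post or from Trend Micro: it walks HTTP 3xx, meta-refresh and JavaScript redirects from a starting URL, records each hop, and flags a chain that crosses several hosts and ends in an executable. All hostnames, paths, page contents and the `mock_fetch` helper are constructed to mimic the chain in the post; they are not the real URLs.

```python
"""Offline resolver for an SEO-poisoning redirect chain (added example).

Constructed data: every hostname, path and page body below is invented to
mimic the chain described in the post (poisoned search result -> redirector
-> fake online-scan page -> rogue AV installer). mock_fetch stands in for a
real HTTP client so the example runs without network access.
"""
import re
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
EXEC_EXT = (".exe", ".scr", ".msi", ".com", ".bat")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-msdos-program"}

# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.IGNORECASE)
# window.location = "..." / location.href = '...' / location.replace("...")
JS_LOCATION_RE = re.compile(
    r'location(?:\.href)?\s*(?:=|\.replace\()\s*["\']([^"\']+)["\']', re.IGNORECASE)
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def extract_client_redirect(body):
    """Return the target of a meta-refresh or JS location redirect, or None."""
    for rx in (META_REFRESH_RE, JS_LOCATION_RE):
        m = rx.search(body)
        if m:
            return m.group(1)
    return None


def follow_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Walk redirects from start_url using fetch(url) -> (status, headers, body).

    Returns a list of hops ({'url', 'kind'}); a 'download' hop also carries
    'filename'. Stops on a loop, a final page, a download or max_hops.
    """
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            chain.append({"url": url, "kind": "loop"})
            return chain
        seen.add(url)
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if 300 <= status < 400 and "location" in headers:      # server-side hop
            chain.append({"url": url, "kind": "http-%d" % status})
            url = urljoin(url, headers["location"])
            continue
        disp = headers.get("content-disposition", "")
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if "attachment" in disp.lower() or ctype in BINARY_TYPES:  # file served
            m = FILENAME_RE.search(disp)
            name = m.group(1) if m else urlparse(url).path.rsplit("/", 1)[-1]
            chain.append({"url": url, "kind": "download", "filename": name})
            return chain
        target = extract_client_redirect(body)                  # client-side hop
        if target:
            chain.append({"url": url, "kind": "client-side"})
            url = urljoin(url, target)
            continue
        chain.append({"url": url, "kind": "page"})
        return chain
    chain.append({"url": url, "kind": "too-many-hops"})
    return chain


def assess(chain):
    """Heuristic verdict: executable at the end plus a multi-host/multi-redirect path."""
    reasons = []
    last = chain[-1]
    ends_in_exe = last["kind"] == "download" and last["filename"].lower().endswith(EXEC_EXT)
    if ends_in_exe:
        reasons.append("ends in executable download: " + last["filename"])
    hosts = {urlparse(h["url"]).netloc for h in chain}
    if len(hosts) >= 3:
        reasons.append("crosses %d distinct hosts" % len(hosts))
    if sum(h["kind"] == "client-side" for h in chain) >= 2:
        reasons.append("two or more meta-refresh/JS redirects")
    return bool(ends_in_exe and len(reasons) >= 2), reasons


# Constructed mock site: (status, headers, body) per URL. Not the real domains.
MOCK_SITE = {
    "http://news-seo.example/french-airbus-crash.html": (200, {"Content-Type": "text/html"},
        '<html><body><h1>French Airbus crash</h1>'
        '<script>window.location="http://go.example/r?u=scan";</script></body></html>'),
    "http://go.example/r?u=scan": (302, {"Location": "http://live-scan.example/1/?id=2022"}, ""),
    "http://live-scan.example/1/?id=2022": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="3;URL=Install_2022.exe"></head>'
        '<body>My computer Online Scan: 38 infections found!</body></html>'),
    "http://live-scan.example/1/Install_2022.exe": (200,
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="Install_2022.exe"'}, "MZ..."),
    "http://legit-news.example/story.html": (200, {"Content-Type": "text/html"},
        "<html><body>Plain article, no redirects.</body></html>"),
}


def mock_fetch(url):
    """Stand-in for an HTTP client; unknown URLs return a bare 404."""
    return MOCK_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain = follow_chain("http://news-seo.example/french-airbus-crash.html", mock_fetch)
    for hop in chain:
        print(hop["kind"].ljust(12), hop["url"])
    print(assess(chain))
```

Against a live sample you would swap `mock_fetch` for a sandboxed HTTP client that does not execute scripts; the JS regex here only catches the plain `location = "..."` form, so heavily obfuscated redirectors like the menu.js stage above would need a real JavaScript engine or manual deobfuscation to follow.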

Upon execution, TROJ_YEKTEL.AA displays an installation prompt for a supposed antivirus application called Personal Antivirus. Users who proceed with the installation are greeted by a parade of malware detections supposedly found on their system. These detections are fake and are used to scare the user into buying the full version of the software, for a fee of course.


It is saddening to see cybercriminals trying to pull off one of these rogue antivirus schemes using most recent tragedies where so much mourning is involved.

Nonetheless, Trend Micro Smart Protection Network already stops this threat from affecting users, as the malicious URLs and files are already blocked and detected respectively.





8 Responses to “Air France Flight 447 Search Results Lead to Rogue Antivirus”

  1. 68 Says:

    It is not just saddening. It is barbaric for these cybercriminals to do that!

Trackbacks

  1. TrendMicro (TrendMicro)
  2. epcdoctor (Ernie)
  3. twist3done (twist3done)
  4. cybasurfa (cybasurfa)
  5. Search Results for Air France Flight 447 Lead to Rogue Antivirus
  6. Pondlife scammers abuse Air France tragedy On Twitter Site | Midlands Web Designs
  7. Air France A447 tragedy: What happened when social engineer get their hands on it « (Ex) c d m




© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice