Tweet

News outlets all over the world are talking about the recent cross-border clash between North and South Korea. The shelling, one of the worst incidents between the two countries in years, is naturally being used by cybercriminals behind fake antivirus malware.

Within hours of the incident, certain Korea-related search terms have already been poisoned.

Note that the Google preview of the page shows its supposed content. However, clicking the search result offered opens these (familiar) pages:

This malware redirects users to different pages, depending on what browsers they are using, as discussed in the following previous posts:

• FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts
• Customized Malware Attacks Become Widespread

Fortunately for users, we already protect users against this threat. The sites hosting these malicious files are already blocked and the fake antivirus variant seen in this attack is now detected as TROJ_FAKEAV.SMRY.