It seems that cybercriminals use every bit of news or information worthy of public interest to spread FAKEAV malware. This time around, FAKEAV binaries are being delivered via news about the recently concluded “2010 Kids’ Choice Awards.” The following keywords lead to poisoned Google search results (see Figure 1):
- Kids Choice Awards 2010 Live
- Kids Choice Awards 2010 Air Date
- Kids Choice Awards 2010 Date
- Kids Choice Awards 2010 Logo
- Kids Choice Awards 2010 Performances
- Kids Choice Awards 2010 Performers
- Kids Choice Awards 2010 Vote
- Kids Choice Awards 2010 Sweepstakes
Clicking poisoned links leads users to a fake antivirus alert asking them if they want to protect their systems (see Figure 2).
Users who choose the “recommended” option are then prompted to download the actual FAKEAV executable file detected by Trend Micro as TROJ_FRAUDLO.IA (see Figure 3).
TrendLabs advises users to be extremely careful, as this particular blackhat search engine optimization (SEO) attack targets younger audiences. Younger users are more likely to believe fake antivirus warnings are real, increasing risks of infection. This is not the only attack targeting sites that may be visited by younger users, however. As the website of the talent show, “If I Can Dream,” was recently defaced although no malicious payloads were seen in the said attack.
Trend Micro product users are protected by Smart Protection Network™, which prevents the download of the malicious files onto systems via the Web and file reputation services.