Seems like fake AV programs are still everywhere! Just a couple of weeks ago, Halloween costume searchers were targeted by these nasty programs through SEO poisoning. Now I’ve just encountered two scenarios resulting in rogue AV downloads, also carried out by hijacking Google search results:
In the first scenario, queries for the string refa+zeitaufnahmebogen on the German Google website (www.google.de) yield suspicious results:
Figure 1. Search results for refa+zeitaufnahmebogen
The first result for the query is a URL with the page title “Folie 0.” However, clicking the associated link connects the user to the following rogue AV website that we have all grown so familiar with:
Figure 2. Rogue AV website displaying fake infection results
The string refa+zeitaufnahmebogen is related to a German association for work design.
Using Wireshark, I found that this was achieved through a redirection to yet another URL entirely.
Malicious results were also generated by queries for the string absentee voting:
Figure 3. Queries for “absentee voting” show malicious results
And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however, the payload, the fake AV itself, is no longer there. The downloaded file has the same name and is already detected as TROJ_FAKEAV.WP.
Apparently, rogue AV is not dying out just yet.