Fake antivirus peddlers helped by Microsoft, IRS

Just weeks after the U.S. Federal Trade Commission shut down two companies accused of selling fake antivirus software, a new player has moved into the market, aided by glitches in the Microsoft and U.S. Internal Revenue Service Web sites.

Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog Tuesday.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers. For example, the Google URL http://www.google.com/search?q=idg&btnI=3564 uses Google's "I'm feeling lucky" feature to send Web surfers to IDG.com.

If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results, Warner said in an interview.

"Microsoft is a super-powerful site as far as search engine weight is concerned," he said.

The bad guys have tricked search engines into returning their malicious links to tens of thousands of search terms, Warner said. They've done this by using special software to add these redirector links to "tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet," Warner said in his blog posting.

You can see the results of this activity. A Google search for the term "Microsoft Office 2002 download" yields a Microsoft.com redirection link as its first result. That link had been redirecting visitors to a malicious Web site, which launched Web-based attack code against victims and tried to trick them into downloading fake antivirus software, Warner said. By Tuesday evening, Microsoft had fixed the problem, so the Microsoft.com link that pops up in the google search results was no longer taking surfers to the malicious Web site.

The IRS has now addressed the issue too, but about 20 other sites remain a problem Warner said.

The fake antivirus software, also called "scareware," installs a keylogger on the victim's computer, presumably to steal login names and passwords, and also launches fake warning popups on every Web page that the victim visits telling him he needs to buy antivirus software, called System Security. The price for the fake product? A believable-sounding $51.45.

The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. On Dec. 10 a federal court ordered two companies, Innovative Marketing and ByteHosting Internet Services, to stop promoting these products.

Warner doesn't know who is behind System Security, but he believes that the scammers behind this latest operation may be connected to the earlier scams. "It's similar enough that it's got to be somebody who has a relationship with the last group," he said.