Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away.   They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page.   The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results.  We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying.  Now that the most common drive-by attack vectors are serving up malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons.  Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

• Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
• The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
• Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
• The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users¹, Twitter Crime Rate², and Tweet Number³.  Key highlights:

• In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
• Only 28.87 percent of Twitter users are actual True Twitter Users.
• Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
• One in every eight Twitter users has at least 10 times more followers than they are following.
• Only one in 10 users is following more than 100 users, and almost half are following less than five.
• The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

• Download the Barracuda Labs 2010 Midyear Security Report at http://www.barracudalabs.com/research_resources.html.
• View the Barracuda Labs security research portal at http://barracudalabs.com.
• Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

If you’re working on your Atlantic Coast Conference brackets this week, be extra careful where you click. Cybercriminals are up to their old tricks and hoping you’ll make a fast break to their Web sites.

To raise the chances that you will, they’ve taken over popular search terms such as “ACC Tournament Schedule 2010″ and “ACC Tournament Bracket” and inserted poisoned links that lead to Rogue AV sites. SEO poisoning continues to pick up steam as attackers race to re-direct your browser to a Web site serving up various malicious programs. In this case, “CleanUp Antivirus” Rogue AV seems to be the flavor of choice.

As part of this experiment, Barracuda Labs discovered that a Google search for “ACC Tournament Schedule 2010″ returned 23 malicious links within the first 50 results. Unless you know how to tell the difference between the good links and the bad ones, you stand almost a 50% chance of having your computer taken over by “Scareware” that tries to separate you from as much as $90 for the fake software.

We discuss Rogue AV and SEO poisoning in more detail in our 2009 Annual Report released this week. The attacks are becoming increasingly more popular as hackers target vulnerabilities in legitimate Web sites, making it more likely for the page to be visited and the malicious content to be delivered. .

CNBC sites surveys that show almost 45% of American workers participate in March Madness pools at work. Much of this research is happening on company time, causing a significant decrease in employee productivity as loyal fans follow their favorite teams. While the boss may turn a blind eye to that activity, a malware infection sure won’t help your ranking at work.

Barracuda Web Filter and Barracuda Web Security Service customers are protected from this attack.

Below are screenshots that trace the attack.

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

When the user clicks on a poisoned link, the following page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

The Web page wants the user to run a file. Don’t do this!

The Web page wants you to run a file. Don't do this!

If the user does run the file, the user will become infected with CleanUp Antivirus.

If you do run the file, you are infected with CleanUp Antivirus.

CleanUp Antivirus repeatedly sends you to this ‘money page’ where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.