INDIANAPOLIS computer repair

Recognizing Fake Antivirus Websites


Posted on: July 24th, 2009

Today I had the “luck” of running into a cleverly crafted website which could easily have infected my computer if I hadn’t known what to do. I took screenshots of this event because I believe they provide data for analyzing the methods of these malicious attacks and can equip you with some knowledge about spotting and avoiding them.

I run into fake antivirus, also called rogue antivirus, infections more frequently than anything else. It seems to be a very viable scam. Unfortunately antivirus products are not able to keep up with them: they change so often that the antivirus databases are always lagging behind. And I don’t know any sure-fire way to get rid of these pests once they have got onto the computer – other than getting the computer to a knowledgeable repairman.

So… The best thing is to prevent them from getting onto your computer in the first place. Here is an illustrated guide to recognizing them (this is just one example; there could be ones that look entirely different):

Note: all pictures in this article are small in order to make the text more readable but you can see the full size pictures by clicking on them.

Well, I was searching for a picture of a birthday cake in a particular format. I typed “.svg birthday cake” in Google. Here’s what I got:

[Image: fake AV scam 1]
Look at the first search result and let me call your attention to a couple of things right here:

  1. If you look at the excerpt created by Google you see a number of unrelated, non-sequitur phrases. These are indicative of websites that try to position themselves on too many search result pages.
  2. The website address contains a number of random characters (the green text). Normal websites try to make their addresses readable, meaning usually each word in the address is an English word or some technical term – not a series of random characters.
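The “random characters” indicator above can be turned into a rough check, for example when reviewing URLs in a proxy log. This is an added example, not code from the original article: it flags hostname labels with very few vowels or a long run of consonants, using the two hostnames from this article plus a normal one as constructed samples, and like any such heuristic it produces false positives on brand names.

```python
import re

# Rough heuristic for "random characters" in a hostname label: English words
# rarely run four or more consonants together or fall below ~25% vowels.
VOWELS = "aeiouy"  # 'y' counted as a vowel so names like "myip" are not flagged


def label_features(label):
    """Return (vowel_ratio, longest_consonant_run) for the letters in one label."""
    letters = re.sub(r"[^a-z]", "", label.lower())
    if not letters:
        return 0.0, 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    runs = re.findall(rf"[^{VOWELS}]+", letters)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_ratio, longest_run


def random_looking_labels(hostname, min_vowel_ratio=0.25, max_consonant_run=3):
    """List the labels of `hostname` (excluding the TLD) that look like keyboard noise."""
    flagged = []
    for label in hostname.lower().split(".")[:-1]:
        if len(label) < 5:  # too short to judge; skip
            continue
        ratio, run = label_features(label)
        if ratio < min_vowel_ratio or run > max_consonant_run:
            flagged.append(label)
    return flagged


if __name__ == "__main__":
    # Constructed samples: the two hostnames from the article plus a normal one.
    for host in ("wxw.khiqxc.myip.org", "privatevirusscannerv2.com", "computerwizardindy.com"):
        print(host, "->", random_looking_labels(host) or "looks normal")
```

Only “khiqxc” is flagged; the scammer’s second domain is built from real words and passes, which is why this check is one indicator among several rather than a verdict.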

These were the first things I noticed, but I was curious so I clicked on it. And here’s what I got:

[Image: fake AV scam first popup]
A popup. Let’s take a closer look:

[Image: fake AV scam popup close-up]

Note the grammatical error in the second paragraph. Criminals tend to have bad grammar (interestingly enough, gross grammatical errors are one of the first things security personnel look for on suspicious packages that might contain explosives). Plus a legitimate company would have taken the time to check the messages they display.

Anyways, let me show you a couple of other things:

  1. The address is completely different from what I clicked on. It was “wxw.khiqxc.myip.org/….”, and it ended up at “privatevirusscannerv2.com/…”.
    Redirection is not unusual, but it is again something that indicates that something is fishy. Most websites don’t redirect.
  2. I use McAfee SiteAdvisor. It stayed gray (bottom right corner of the big picture above), which indicates that this is a completely new website not yet reviewed by McAfee. I added my own comment on this website (there were 2 already there, confirming what I’d found). By the time I wrote up this article the site had been blocked by SiteAdvisor.
    This again underscores that these sites and the software they try to spread are so volatile that protection software is likely to miss them.

Here’s the $100 question: You get a popup like this, what do you do?

My suggestion is: don’t click on either OK or Cancel. Try to close the whole browser immediately! Try pressing CTRL-F4 (which is the “close window” shortcut), or CTRL-W. If these don’t work then click on the little X on the top right corner of the pop-up message. But try the other methods first – they are safer.

Because I was curious as to what would come next, I just closed the popup. The following screens were quite remarkable from a technical standpoint and quite detailed:

[Image: fake AV scam scan screen 1]
That’s an almost exact replica of the My Computer screen of a Windows XP computer, except for the fact that the whole thing is inside your browser window.

The screen at this point is animated and shows a fake virus scan that “finds” a large number of dangerous viruses on my computer. It’s all made up! It’s just a web page, and as such it has no access to the files on the computer (thank god!).

The purpose of this screen is to get you concerned about the state of your computer, and eventually to click somewhere on the screen. A click on a website is like an approval of an action. So if for some reason you get to a page that does a “virus scan” without your asking, try to close the browser immediately. Do not click on anything on the page!!!

There is one more interesting detail on this screen. If you look at the left side you’ll see a section called “Your Info”. The normal “My Computer” screen doesn’t have that. It’s the scammers’ invention. Here it lists my IP address, my location (city and country). And in red it tells me: “Your private data is under attack!”. It’s an old trick.

When your browser requests a page from a web server it sends a bunch of other information with that request, such as your IP address, the browser that you use, the name of the operating system you use, etc. Here’s an example:

208.80.195.41 - - [24/Jul/2009:00:34:26 -0400] "GET / HTTP/1.0" 301 0 computerwizardindy.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {F9E0D40E-1BFC-D07D-DA17-C4468202B57D}; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "-"

This is an entry in my website’s access log. From this I see that a guy from San Diego, CA requested the home page of “computerwizardindy.com”; he was using Internet Explorer 6 and Windows XP, and the poor guy had his computer burdened with an adware called “FunWebProducts”. All this information is available to any website you visit. It only requires some programming skill to decode this information and display it as an alarming “Big Brother is watching you” type of message. It’s not that. Your browser is simply broadcasting this information.
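The “programming skill to decode this information” amounts to a few lines. As an added example that is not part of the original article, the script below parses the access-log entry quoted above (re-typed here as a constructed sample, with the field layout assumed from that one line) and pulls out exactly what the scam page displayed: client IP, request, browser, Windows version and the adware marker; the Windows version table and the adware token list are my own short assumed lists.

```python
import re

# Constructed sample: the access-log entry quoted in the article.
LOG_LINE = (
    '208.80.195.41 - - [24/Jul/2009:00:34:26 -0400] "GET / HTTP/1.0" 301 0 '
    'computerwizardindy.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; '
    '{F9E0D40E-1BFC-D07D-DA17-C4468202B57D}; FunWebProducts; .NET CLR 1.1.4322; '
    '.NET CLR 2.0.50727)" "-"'
)

# Assumed layout: IP, identd, user, [time], "request", status, bytes, Host, "Referer", "User-Agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<host>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)"'
)

# Windows NT kernel version -> product name, for versions in use in 2009 (assumed table).
WINDOWS_NAMES = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows Server 2003",
                 "6.0": "Windows Vista", "6.1": "Windows 7"}

# User-Agent tokens left behind by well-known adware/toolbar bundles (assumed short list).
ADWARE_TOKENS = ("FunWebProducts", "MyWebSearch")


def parse_access_log(line):
    """Split one log entry into fields and decode browser, OS and adware from the User-Agent."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("log line does not match the expected layout")
    rec = m.groupdict()
    ua = rec["user_agent"]
    ie = re.search(r"MSIE (\d+)", ua)
    rec["browser"] = f"Internet Explorer {ie.group(1)}" if ie else "unknown"
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    rec["os"] = WINDOWS_NAMES.get(nt.group(1), f"Windows NT {nt.group(1)}") if nt else "unknown"
    rec["adware"] = [t for t in ADWARE_TOKENS if t in ua]
    return rec


def summarize(rec):
    """One line stating what any web server learns from a single page request."""
    adware = ", ".join(rec["adware"]) or "none"
    return (f"{rec['ip']} requested {rec['request']} on {rec['host']} (status {rec['status']}) "
            f"using {rec['browser']} on {rec['os']}; adware markers: {adware}")


if __name__ == "__main__":
    print(summarize(parse_access_log(LOG_LINE)))
```

Geolocation (the “San Diego, CA” part) is a lookup of the IP in a city database, not something the browser sends; everything else in the summary comes straight from the request.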

All right. Let’s get back to this scam and see what the result of its “virus scan” is:

[Image: fake AV scam scan result]
Hmmm.. Quite interesting.

According to this I had “527 potential aggressive items” on my computer. Even my nonexistent D: drive had 142 trojans. By the way, the numbers don’t add up either!

At the end of the scan there’s another pop-up telling me that I need to download Personal Antivirus to handle this (nonexistent) infection. Again there’s another gross grammatical error in the message (“to be heal”).

After closing the pop-up another interesting trick shows up: an imitation of a Windows system message.

[Image: fake AV scam system message]
This is not a pop-up!! It’s part of the graphics of the website! So a message like that will not be blocked by any pop-up blocker.

Because it looks so much like a real system message you’d be compelled to click on it. Don’t!

Remember when you encounter a site like this the only safe thing to do is close the browser as fast as you can, without clicking anywhere on the web page.

I hope this was educational reading and that you gained some insight into the techniques of fake antivirus scammers. And above all I hope you’ll be able to avoid getting scammed!