Pulling Back the Curtain on Rogue AV Tech Support

ID THREATPOST:A00BF861B06F2CD99E726CF6752899D5
Type threatpost
Reporter Nicolas Brulez
Modified 2013-05-02T19:01:34


We’ve blogged a few times about rogue AV, explaining how search
engines have been abused using Black Hat Search Engine Optimization
techniques to redirect web surfers to rogue AV websites. Recently, we’ve
noticed that the rogue AVs being spread are all equipped with an
“Online Support” button.

See the top right corner:

Pressing Support takes you into a live chat with the rogue AV Tech
Support. We wondered whether it was a bot answering questions based on
keywords or real people – and yes, they turned out to be real!

We learned that they offer Technical Support by chat, but also by
phone and email. The email is especially useful if you don’t speak
English. The live chat tells you (in English) to send an email in your
native language to a given email address to receive support in your
native language:

If you are infected with a rogue AV program which you picked up while
using a search engine (Black Hat SEO again), and connect to their
support, they will ask you which AV you want support for.

Once you tell them, they’ll provide you with a “Free Trial” version of
a second program that will remove the infections found by the first one
(the two programs have very similar names).

The trial version looks like this:

This program has the same user interface, but a slightly different
name – with the same “Online support” button.

The rogue AV will use the language of your OS. So if you are using a
French Windows XP for instance, the rogue AV user interface will be in
French, which makes it even more convincing.

Read the full post at Securelist.