Example of a fake antivirus web page with screenshots

So I was browsing for something today via google Images and I happened upon a malicious web page.

The web page tried to convince me to install an “Anti-Virus” program, on the premise that “Chrome Security” had found viruses on my computer.

Back in 2010, Google themselves issued a warning about these very same “fake antivirus” attacks:

“Constant improvements are being made on the fake anti-virus software with sophisticated tactics designed to trick the computer users in downloading and installing the software which is meant to create malicious code in your computer.” — Source: techgenie.com

Take a careful look at the below screenshots I captured and see firsthand how an attack like this works. The key here is that the website detects your browser and displays a message that matches the browser to make it more believable.

Click for larger image

The website first gives you a simple dialog. Clicking OK here begins the following series of screens. The safest thing to do once you get a dialog like this is to click the X and then close the window. Notice that the dialog message contains a vital “tell”: the website is displaying the message, not your browser.

Click for larger image

Click for larger image

This screen shows the fake “scan”, which is likely just a flash video (I didn’t actually check). The safest thing here is to close the tab/window immediately.

Click for larger image

Click for larger image

The “result” screen. Notice that it’s tried to download an .exe file, no doubt the fake antivirus software itself. The fake antivirus software would actually be the trojan — the web page itself is mostly harmless, minus the persuasion to install the payload. The safest thing here to is to close the tab/window immediately.

So in this case I can report the site to Google by clicking wrench icon > Tools > Report an issue.

The take-away lessons from this are:

  • Your browser doesn’t have any tools within it to detect viruses
  • Any notice about viruses should display as being from your antivirus program, not your web browser
  • Close web page prompts and pop-ups using the X rather than hitting any OK or other buttons

Also, I’m running Linux, and therefore none of the above “viruses” could have actually been detected, not to mention the exe couldn’t have done anything to me. :)