Fake AV distributed via user profiles on popular sites

An investigation into the methods of distibution of the FakeRean familiy of fake AVs has revealed some interesting facts, says GFI.

In order to lure people into downloading the PDF exploit that drops and installs FakeRean, these malware peddlers seemingly offer links to sites with adult content.

And to make sure that the links to the malicious sites are online at any given time, they have set them up as posts on forums of a variety of online services such as SourceForge, Twitter, Flickr, Stumbleupon, last.fm, Yahoo Answers, and many, many more – or by adding it as profile information.

According to the GFI researchers, the SourceForge domain is particularly plagued by these “portal” pages posing as user profiles:

The “portal” pages include a drawing of a scantily clad girl and apparently asks the user to click on the button appropriate to his age (“I am not 18+” or “I am 18+”), but it really doesn’t matter which button is pressed – both redirect him to a page hosted on seoholding.com, serving the malicious PDF exploit.