The website of popular Swedish tabloid Aftonbladet has been compromised to redirect visitors to a website sporting bogus infection warnings in order to trick them into buying a fake AV solution.
Aftonbladet.se is currently the 6th most visited website in Sweden, but the attack is aimed only at visitors who use Internet Explorer.
Users who fell for the trick and downloaded the fake AV (“Windows Efficiency Master”) had their systems compromised and were unable to use a number of antivirus services.
The computer was rebooted to prevent analysis tools from working, and the victims were unable to run any other application and were faced with fake scan results and a payment screen:
Unable to search the web for a solution or to see whether this might be a scam, some of them have surely taken out their credit card and paid for the fake AV’s “full version”.
“This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same,” notes Panda Security malware researcher Bart Blaze.
Fox-IT security specialist Yonathan Klijnsma has noted similar attacks on several other popular websites such as Businessinsider.com, and has named the malware NameChanger FakeAV because its variants sport similar graphics but often change name (Windows Prime Accelerator / Virtual Security / Cleaning Toolkit / Virtual Angel / Malware Firewall / etc.).
The first sample of Tritax malware was spotted around May 2009, and variants of it have been around ever since.
Chances are good that these attacks have been mounted by the same individual or group. The predilection for compromising popular websites is obvious and logical, and it’s impossible to know which will be targeted next.
So, it might be a good idea to check out which AV solutions detect the malware and download and use one of them to protect yourself while surfing the web – just remember to keep it up-to-date.