Glaswegian

Researchers at Marshal8e6’s TRACElabs have intercepted a spam campaign that’s issuing bogus “Conficker Infection Alerts” and redirecting users to rogue security software upon clicking on the links.

The event-based social engineering campaign is also impersonating various Microsoft security departments in order to improve its truthfulness. This is the second attempt in recent weeks to hijack anticipated traffic, following last week’s campaign consisting of typosquatted conficker removal tool domains aiming to impersonate the legitimate ones.

Here’s the message, its associated subjects and related rogue security software domains used in the spam campaign:

Typical messages include: Infection Alert; Conficker Infection Alert; Microsoft Alert; Security Breach, with the end user redirected to the following scareware domains upon clicking on the links: antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com.

Such event-based scareware/malware/spam campaigns are constantly evolving from the static theme picked up from the front page of a major news portal, to the real-time syndicating of hot keywords and hijacking of popular titles in order to occupy the top search positions at a specific online video sharing service. Ironically, the original Conficker variant was directly aiming to monetize the infected hosts by pushing rogue security software and earning revenue in the process, at least temporarily until the affiliate network went in a cover-up phase, and Conficker introduced a new variant that was no longer generating so much noise that could potentially result in more leads to the original authors — they wish.


http://blogs.zdnet.com/security/?p=3105