These days it is quite common to receive bogus email alerts purporting to come from security companies, informing you of some apparent infection on your computer and telling you to install software or an update (attached to the email) to clean it. We have all seen them, and by now most of us simply ignore them. In most cases, helpful spam filtering software makes sure we are not bothered by them at all.
Less frequently we see Web sites built with the sole purpose of distributing malicious code. In some cases the fraudulent sites imitate the alert pages of a legitimate security company in the hope of tricking unsuspecting users into downloading malicious code. The level of credibility of these Web sites varies, but in most cases they contain logos, colors, and other (copyrighted) branding details ripped off from the legitimate site. This makes it somewhat harder for the casual or misinformed Web user to recognize that they are, in fact, phony. In more sophisticated cases, all but a few of the links and pages are real and point to the legitimate company's Web site. A well informed visitor can usually spot the fake pages fairly easily, as they are typically hosted on a different domain from that of the legitimate company and contain language or style that real security companies do not use. Even so, the most Web-savvy user still needs to be very cautious.
In the most recent case, we have seen a fake virus alert written in Portuguese that directs users to a phony Symantec Brazil Web site in order to download a removal tool to clean the virus. The Web site uses Symantec’s Security Check logo, as well as the ThreatCon icon in an attempt to add credibility to the scam. Once downloaded, the executable even has an icon that looks like a part of the Symantec logo. However, this “tool” happens to be an information stealing Trojan horse that we currently detect as Trojan.Bakloma.
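The two tell-tale signs described above, a page hosted off the vendor's own domain whose links and branding assets mostly point back to the real vendor, can be turned into a simple triage heuristic for a suspected fake alert page. This is an added example, not code from the original post or from Symantec; the sample page, its host name and the paths in it are constructed, and the crude "last two labels" domain reduction is a stand-in for a proper public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _RefCollector(HTMLParser):
    """Collect every href/src the page references (links, images, scripts)."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "img", "link", "script"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.refs.append(value)

def registrable_host(url):
    # Crude "last two labels" reduction; real code should use a public-suffix list.
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def brand_reference_ratio(page_url, html, brand_domain):
    """Return (fraction of references pointing at brand_domain, page hosted on brand_domain)."""
    parser = _RefCollector()
    parser.feed(html)
    # Relative references resolve against the page's own host, so they count as non-brand.
    refs = [urljoin(page_url, r) for r in parser.refs]
    refs = [u for u in refs if urlparse(u).scheme in ("http", "https")]
    on_brand = registrable_host(page_url) == brand_domain
    if not refs:
        return 0.0, on_brand
    to_brand = sum(1 for u in refs if registrable_host(u) == brand_domain)
    return to_brand / len(refs), on_brand

def looks_like_brand_impersonation(page_url, html, brand_domain, threshold=0.5):
    """Flag pages that borrow most of their links/assets from a vendor they are not hosted by."""
    ratio, on_brand = brand_reference_ratio(page_url, html, brand_domain)
    return (not on_brand) and ratio >= threshold

# Constructed sample: a fake alert page on an unrelated host that borrows the vendor's
# logo and navigation but serves its own "removal tool" download from the fake host.
SAMPLE_URL = "http://security-check.example/alerta.html"
SAMPLE_HTML = """<html><body>
<img src="http://www.symantec.com/logo.gif">
<a href="http://www.symantec.com/">Home</a>
<a href="http://www.symantec.com/threatcon/">ThreatCon</a>
<a href="ferramenta.exe">Baixar ferramenta de remocao</a>
</body></html>"""
```

Run against a page fetched in a sandbox, the same HTML hosted on the vendor's own domain is not flagged, because the relative download link then resolves to the vendor host as well.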
We received some initial reports about these phishing emails and fake Web sites last week and immediately added detection for the downloaded threat. Protection has been available to Symantec customers since the 15th of August (initially as a generic Trojan horse detection). We also requested that the page in question be taken down. Unfortunately, at the time of writing the URL is still live and continues to host malicious code.
Some excellent tips on how to avoid falling prey to similar phishing scams can be found on the following Web sites: