X

Kaspersky finds fake antivirus program in ads on ICQ

Ad for clothing line that is shown in ICQ also pops up a fake antivirus warning, encouraging the user to download a program that's not a legitimate antivirus product.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
 
The dubious ad in ICQ also displays a warning from Antivirus8 that says malware is detected on the machine and encourages the user to download software.
The dubious ad in ICQ also displays a warning from Antivirus8 that says malware is detected on the machine and encourages the user to download software. Kaspersky

A Kaspersky researcher has discovered a fake antivirus warning linked to ads on ICQ, which is popular in Russia and Eastern Europe.

The ad that showed up in the ICQ window was for a women's clothing company called Charlotte Russe and clicking on the ad directs to the company's Web site, said Roel Schouwenberg, a senior antivirus researcher at Moscow-based Kaspersky.

Around the same time the ad was displayed another pop-up appeared in a new browser from "Antivirus8," that said suspicious activity was detected on the system and it encouraged the user to download the program, which is not a legitimate antivirus product, Schouwenberg told CNET.

The malware attack is interesting for several reasons. The rogue antivirus "scareware" appears without the user doing anything that normally triggers such pop-ups, such as clicking on malicious links in search results, he said. The attack also does not appear to have an exploit included in it; just the social-engineering aspect in which the user is lured into downloading supposed antivirus protection that is totally unnecessary, he added.

In addition, the ad image related to the fake antivirus pop-up is hosted on a server that appears to be unassociated to the retail company, according to Schouwenberg. "This means that somebody went through the trouble of pretending to be this store" to get the ad server yieldmanager to approve and run the ads, he wrote in a blog post.

"They put in quite a lot of effort to seem legitimate," he said. "Attacking yieldmanager successfully and having fake anti-virus in the ICQ ads...is something that is very high level and hard to achieve."

Schouwenberg speculated that there could be two fraud gangs associated with the attack-- one responsible for the fake antivirus portion and the other responsible for getting the malware to be distributed via the ads on ICQ.

Kaspersky reported the problem to yieldmanager, which is owned by Yahoo. Right Media, which operates yieldmanager, did not respond to an e-mail from CNET seeking comment.