Video shows how drive-by attacks turn healthy paranoia against their victims.
by Dan Goodin
Malware that masquerades as legitimate antivirus programs is one of the more insidious threats to plague people browsing websites. In many cases, attackers rely on simple text and graphics to trick visitors into thinking they’re on the verge of a successful drive-by attack and deliver the warning under the guise of a trusted security application. People who fall for the ruse by following the advice presented in the advisory end up infecting themselves.
A recently captured video of one of these attacks in progress demonstrates why they continue to work—at least on less-experienced users who despite their lack of savvy know enough to be wary of online attacks. Shortly after visiting a legitimate site, the computer presents a Window carrying the name of a well-known security application, in this case Microsoft Security Essentials. The window provides a plausible warning and recommends the user take immediate action to head off imminent infection. The video was shot by researchers from security firm Invincea as they browsed to the main page of Dailymotion.com.
As convincing as the attacks are to some, the video makes clear that these scams aren’t usually hard to spot by people with a small amount of training. Malware warnings, for instance, should never require a user to install an executable file, as the warning in the video does. Legitimate malware warnings will also never be delivered in a browser window and should be generated only by anti-malware programs already installed. When in doubt, users who receive malware warnings should close the browser altogether and see if the popup window persists. Opening an antivirus program from the Windows start menu and running a scan from there is also a good move.
The advice will likely strike some readers as obvious. But for the Aunt Mildreds and Uncle Earnests of the world who are still new to the Internet—or possible a more seasoned Internet user who is in a rush—the Invincea video may be useful.
Interestingly, the video marks the second time this month DailyMotion has been observed delivering rogue malware warnings to visitors. A DailyMotion representative told ThreatPost Invincea’s original notification was never acknowledged. The company suspects today’s attack is a continuation of the earlier one and the site was never cleaned up. Invincea said only three of the 50 major antivirus programs initially detected the rogue malware, although that figure is sure to improve as providers update their wares.