Browsers include an alert system that displays a warning when the user tries to access a dangerous site. Users can even help this system by reporting fraudulent sites from the browser.
A real alert for a dangerous site looks like this, taking Firefox as an example:
Real Firefox warning about a dangerous site
Attackers are taking advantage of this: just as they design fake scan pages that simulate the Windows environment, they also copy the design of these warnings. A clear example can be seen in the following image:
Attackers' page with a fake warning
Compared with the previous capture, that is, the real warning, this page claims to be running an analysis of the system and to have already detected some viruses. When the supposed scan finishes, the fake page offers a download of a fake antivirus, which infects the system.
Many victims download it believing that it is software genuinely recommended by the browser:
Download of the fake antivirus at the end of the scan
A VirusTotal analysis of this installer (InstallInternetDefender_795.exe) reveals its low detection rate (6/43).
But Firefox is not the only browser affected. If the same malicious page is accessed with Internet Explorer, Chrome or Safari, a fake warning customized for each browser is displayed.
These kinds of attacks are not new. They have been in use for a long time, and in some cases the victim's operating system is also controlled to carry out different actions.
How can you end up on such a page?
This is the simplest part of all and can happen at any time: for example, by searching on Google and accessing a compromised site that is redirecting all its visitors into the trap.
Some time ago I published a video where you can see how these kinds of attacks work. They can even occur when searching for images, because if the images are on a compromised server, the script in charge of performing the redirections is also loaded when the image is displayed.
As we can see, the techniques used to deceive are quite ingenious, and if the antivirus does not detect the threat, the difference between being infected or not is in the hands of the user.