Black hat SEO is the most widely used and effective technique for spreading fake antivirus: attackers compromise legitimate sites to take advantage of their search ranking and so drive visitors to their fake pages.
In the following example, reported yesterday on the forum, it all starts with a simple search on Google Images:
The search is simply the name of a model; so far nothing unusual, except that one of these photos is hosted on an infected site.
Clicking on it to view it at full size redirects the visitor to a fake page that simulates a system scan:
The design mimics the Windows environment to confuse the visitor; if the victim believes the alerts are real, they end up downloading a fake antivirus that infects their computer:
Fake program is downloaded
Analysis in VirusTotal: freesystemscan.exe (7/43)
Once it is run, a fake window appears that looks like a Microsoft antivirus alert. It is very convincing, especially if you really do have that antivirus installed and it does not detect the malware:
Fake Microsoft Security Essentials window
Seconds later, the installation of the fake program begins, as if MSE itself were recommending it; in this case it is called Windows Safeguard Utility:
Rogue Windows Safeguard Utility
Like other rogue utilities, it pretends to detect all kinds of errors so that the victim ends up buying a license. The purchase window is also fake: it looks like a secure page open in the browser, but it is not. Any card data entered there ends up in the hands of the cybercriminals:
Window that steals card data
Removing the program:
The fastest and easiest way to remove this kind of bogus program is to use Malwarebytes. The problem is that in some cases the malware is able to block it and even, as you can see in the following screenshot, display a fake warning so that the user believes Malwarebytes itself is a malicious program:
Malwarebytes Crashes and Alerts Displayed
To get around this, you simply have to rename the Malwarebytes executable file, as explained in their help forum. Once this is done, the fake utility is detected and removed:
Malwarebytes removing the fake program
The infected site:
As I mentioned at the beginning, the model's photo is hosted on a legitimate site that was compromised. The attackers use automated tools to create thousands of spam pages on its server, covering a huge number of search terms; some of them manage to rank well.
In the following screenshot you can see that they exploit all kinds of keywords. The search is "site:URL photos", which shows how many pages on that domain contain the word "photos":
Photos of all kinds on the infected site
You can see that the spam pages are all generated by a common .php file. Running a search similar to the previous one shows that more than 2 million spam pages have been indexed under that domain:
More than 2 million indexed spam pages
That's a lot of spam pages! In Alexa you can see the site's traffic growth over the last few weeks; apparently the infection started in late April:
Traffic estimation at the infected site
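One way a site owner or incident responder can spot a generator script like this in their own web server logs, as an added example that is not from the original post: a single script serving many distinct query strings, with human visitors arriving almost exclusively from search engine referers, is the signature of mass-produced spam pages. The script path "/gen.php", the log lines and the thresholds are all constructed assumptions; the post does not name the real file.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of web server "combined" log lines (not from the infected site).
# "/gen.php" is a placeholder for the spam page generator described in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2011:10:01:02 +0000] "GET /gen.php?q=model+photos HTTP/1.1" 200 5120 "http://www.google.com/imgres?q=model+photos" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.9 - - [02/May/2011:10:01:40 +0000] "GET /gen.php?q=actress+wallpaper HTTP/1.1" 200 5098 "http://images.google.com/images?q=actress+wallpaper" "Mozilla/5.0 (Windows NT 5.1) Chrome/11.0"
198.51.100.7 - - [02/May/2011:10:02:15 +0000] "GET /gen.php?q=car+pictures HTTP/1.1" 200 5133 "http://www.bing.com/images/search?q=car+pictures" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.200 - - [02/May/2011:10:03:01 +0000] "GET /gen.php?q=holiday+photos HTTP/1.1" 200 5101 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.200 - - [02/May/2011:10:03:02 +0000] "GET /gen.php?q=city+photos HTTP/1.1" 200 5087 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [02/May/2011:10:04:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 8201 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
192.0.2.44 - - [02/May/2011:10:04:12 +0000] "GET /index.php?page=contact HTTP/1.1" 200 7744 "http://example.net/index.php?page=about" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
192.0.2.45 - - [02/May/2011:10:05:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 9010 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.5 - - [02/May/2011:10:01:03 +0000] "GET /images/photo1.jpg HTTP/1.1" 200 40233 "http://example.net/gen.php?q=model+photos" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

# Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SEARCH_REFERER_RE = re.compile(r"^https?://([a-z0-9.-]*\.)?(google|bing|yahoo|yandex)\.", re.I)
CRAWLER_RE = re.compile(r"googlebot|bingbot|yandexbot|slurp", re.I)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_scripts(lines):
    """Aggregate per-path statistics: hits, distinct query strings, search referers, crawler hits."""
    stats = defaultdict(lambda: {"hits": 0, "queries": set(), "search_referers": 0, "crawler_hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["path"])
        s = stats[parts.path]
        s["hits"] += 1
        if parts.query:
            s["queries"].add(parts.query)
        if SEARCH_REFERER_RE.match(rec["referer"]):
            s["search_referers"] += 1
        if CRAWLER_RE.search(rec["agent"]):
            s["crawler_hits"] += 1
    return stats


def flag_doorway_scripts(lines, min_distinct_queries=3, min_search_ratio=0.5):
    """Flag scripts that serve many keyword variants and whose non-crawler traffic
    comes mostly from search engines. Crawler hits are excluded from the ratio,
    since a heavily indexed doorway attracts bots as well as victims."""
    flagged = {}
    for path, s in profile_scripts(lines).items():
        distinct = len(s["queries"])
        if distinct < min_distinct_queries:
            continue
        human_hits = s["hits"] - s["crawler_hits"]
        ratio = s["search_referers"] / human_hits if human_hits else 0.0
        if ratio >= min_search_ratio:
            flagged[path] = {
                "distinct_queries": distinct,
                "hits": s["hits"],
                "crawler_hits": s["crawler_hits"],
                "search_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for path, info in flag_doorway_scripts(SAMPLE_LOG.splitlines()).items():
        print(path, info)
```

In the constructed sample only /gen.php is flagged: /index.php also serves several query strings, but its visitors come from within the site, so the search referer ratio stays at zero. On a real server the thresholds need tuning to the site's normal traffic, and a flagged path is a lead to inspect on disk, not a verdict.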
Optimizing the attack for image search:
The pages are optimized to take advantage of image search engines like Google Images, perhaps because it is easier to rank there or because it yields better infection rates.
All the pages have 3 or 4 photos and links to other spam pages on the same site:
All spam pages have the same structure
This is the source code:
Source code of the spam pages
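The uniform structure is itself a detection handle. As an added example that is not from the original post, the following groups crawled pages by their tag skeleton (text and keywords ignored) and flags any template whose members all carry the expected 3 or 4 images and whose links all resolve to one generator script, which is the pattern the post describes. The sample pages, the "/gen.php" path and the thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageProfile(HTMLParser):
    """Collects the tag skeleton, image count and link targets of one page."""

    def __init__(self):
        super().__init__()
        self.skeleton = []       # open/close tag sequence; text and attributes ignored
        self.images = 0
        self.link_targets = []

    def handle_starttag(self, tag, attrs):
        self.skeleton.append(tag)
        if tag == "img":
            self.images += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.link_targets.append(href)

    def handle_endtag(self, tag):
        self.skeleton.append("/" + tag)


def profile_page(html):
    """Return the template hash, image count and set of linked paths for one page."""
    p = PageProfile()
    p.feed(html)
    p.close()
    # Hash of the tag sequence only: pages stamped out of one template collide here
    # no matter which keywords were stuffed into them.
    skeleton = hashlib.sha256(" ".join(p.skeleton).encode()).hexdigest()[:16]
    link_paths = {urlsplit(h).path for h in p.link_targets}
    return {"skeleton": skeleton, "images": p.images, "link_paths": link_paths}


def find_doorway_clusters(pages, min_pages=3, min_images=3, max_images=4):
    """Group pages by template; report templates whose members all have the expected
    image count and whose links all point at a single script path."""
    clusters = defaultdict(list)
    for url, html in pages.items():
        prof = profile_page(html)
        clusters[prof["skeleton"]].append((url, prof))
    flagged = []
    for members in clusters.values():
        if len(members) < min_pages:
            continue
        if not all(min_images <= prof["images"] <= max_images for _, prof in members):
            continue
        targets = set().union(*(prof["link_paths"] for _, prof in members))
        if len(targets) == 1:
            flagged.append({"generator": targets.pop(), "pages": sorted(url for url, _ in members)})
    return flagged


# Constructed sample pages (not the infected site's real markup). The spam template
# changes only the stuffed keyword and image names between pages.
SPAM_TEMPLATE = (
    "<html><head><title>{kw}</title></head><body><h1>{kw}</h1>"
    "<p>{kw} {kw} free {kw}</p>"
    '<img src="/i/{n}a.jpg"><img src="/i/{n}b.jpg"><img src="/i/{n}c.jpg">'
    '<a href="/gen.php?q={l1}">{l1}</a><a href="/gen.php?q={l2}">{l2}</a>'
    "</body></html>"
)
SAMPLE_PAGES = {
    "/gen.php?q=model+photos": SPAM_TEMPLATE.format(kw="model photos", n=1, l1="actress+photos", l2="car+photos"),
    "/gen.php?q=actress+photos": SPAM_TEMPLATE.format(kw="actress photos", n=2, l1="model+photos", l2="car+photos"),
    "/gen.php?q=car+photos": SPAM_TEMPLATE.format(kw="car photos", n=3, l1="model+photos", l2="actress+photos"),
    "/about.html": (
        "<html><head><title>About</title></head><body><div><h1>About us</h1>"
        '<p>Who we are</p><a href="/contact.html">Contact</a><a href="/news.html">News</a>'
        "</div></body></html>"
    ),
}

if __name__ == "__main__":
    for cluster in find_doorway_clusters(SAMPLE_PAGES):
        print(cluster["generator"], len(cluster["pages"]), "pages")
```

A legitimate site also reuses templates, so the skeleton hash alone would cluster its normal pages too; the discriminating condition is that every link on every member resolves to the same single script, which is how a generator cross-links its own output and not how a real site's navigation looks.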
Thanks Federico for the notice in the forum.
See also: Where is Uruguay? (BlackHat SEO). Infected image + vulnerable Java = hidden Trojan download.