Poisoned links discovered on ICQ

A Kaspersky researcher has discovered a poisoned link to a legitimate e-business which creates a fake antivirus warning and encourages the downloading of dodgy software.

The ad that showed up in the ICQ window was for a women’s clothing company called Charlotte Russe, and clicking on the ad directs the user to the company’s website.

Roel Schouwenberg of Kaspersky said that once the advert was displayed, another pop-up from “Antivirus8” appeared in a new browser, saying that suspicious activity had been detected on the system and encouraging the user to download the program. In other words, scareware.

What has Kaspersky worried is that the scareware appears without the user doing anything that normally triggers such pop-ups.

At the moment the attack also does not appear to include an exploit; just the usual unnecessary antivirus software.

Another aspect to the attack is that the antivirus pop-up is hosted on a server that appears not to be associated with the retail company.

Schouwenberg said that the hacker went to the trouble of pretending to be this store to get the ad server yield manager to approve and run the ads.

Writing on his blog, Schouwenberg said the hacker went to a lot of effort to seem legitimate. Attacking the yield manager successfully and having fake antivirus in the ICQ ads is high level and hard to get away with.

He thinks that there could be two fraud gangs associated with the attack – one responsible for the fake antivirus portion and the other responsible for getting the malware to be distributed via the ads on ICQ.