I usually don’t check my site statistics log every day, every week or even every month; I usually have an occasional glance to get a general idea about the browsers being used to access this site and where the visitors are coming from if I sense a spike in website traffic. Last night I was bored enough to browse the stats, when I found a number of visitors referred from a curious-looking URL: h**p://securityhelpcenter.com/block.php?id=2003-2&url=http://malwarehelp.org/anti_spyware_download.html.
Maybe a script to log the outgoing links?
Loading the link in the web browser threw up the Google warning that you see in Firefox when visiting links that Google has determined to be attack sites... or is it? On closer inspection the differences between the original and the masquerader began to resolve clearly. The appearance is deceptively similar to the original Google warning, matching it in color, logo and placement of the buttons. Though the text is different, it’s similar in tone. The link is actually an attempt to defraud people into buying fake security software.
Clicking on the “Continue Unprotected” button in the fake Google warning page loads the anti-spyware software download page on this website, while clicking on the “Get security software” button loads the URL h**p://securityhelpcenter.com/1/?id=2003-2, a payment gateway page promoting a fake anti-virus software going by the name “Personal Antivirus”. The payment processor for this campaign is secure.securedpaymentsystem.com through internetsoftwarepayments.com.
The block.php file is just an (open) redirect script which makes it possible to redirect to any valid webpage using a URL similar to the following:
h**p://securityhelpcenter.com/block.php?id=2003-2&url=ENTER YOUR URL HERE
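One way a site owner could pick this pattern out of referrer statistics, as an added example that is not part of the original post: it flags external referrers whose query string carries one of the site's own URLs. The function names, the hosts `www.example.org` and `redirector.example`, and the sample referrers are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

def wrapped_targets(referrer, own_hosts):
    """Return query values of a third-party referrer that are URLs on our hosts."""
    try:
        ref = urlsplit(referrer)
        ref_host = (ref.hostname or "").lower()
    except ValueError:          # malformed referrer, e.g. a broken IPv6 literal
        return []
    if not ref_host or ref_host in own_hosts:
        return []               # empty or internal referrer: nothing to flag
    hits = []
    for _name, value in parse_qsl(ref.query, keep_blank_values=True):
        try:
            target = urlsplit(value)
            target_host = (target.hostname or "").lower()
        except ValueError:
            continue
        # A full http(s) URL pointing back at us, carried inside someone
        # else's query string, is the shape a redirect wrapper produces.
        if target.scheme in ("http", "https") and target_host in own_hosts:
            hits.append(value)
    return hits

def flag_referrers(referrers, own_hosts):
    """Group wrapped own-site URLs by the external host that wraps them."""
    own = {h.lower() for h in own_hosts}
    report = {}
    for referrer in referrers:
        hits = wrapped_targets(referrer, own)
        if hits:
            report.setdefault(urlsplit(referrer).hostname.lower(), []).extend(hits)
    return report

# Constructed sample referrers (not real log data).
SAMPLE_REFERRERS = [
    "http://redirector.example/block.php?id=2003-2"
    "&url=http://www.example.org/anti_spyware_download.html",
    "http://redirector.example/block.php?id=7&url=http%3A%2F%2Fwww.example.org%2Fpage.html",
    "http://search.example/search?q=anti+spyware",
    "http://www.example.org/index.html?next=http://www.example.org/a",
    "",
]

if __name__ == "__main__":
    for host, targets in flag_referrers(SAMPLE_REFERRERS, {"www.example.org"}).items():
        print(host, len(targets), sorted(set(targets)))
```

A hit is only a lead for manual review: legitimate link trackers and translation services wrap URLs the same way.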
The domain securityhelpcenter.com is registered to one Sunil A Mittal, No.13 1ST AVENUE, Adyar, India and is hosted at IP 18.104.22.168, which appears to be located in Berlin, Germany. The IP address seems to be a den full of questionable websites, with many involved in the distribution of fake security and other unwanted software. Some of the domains associated with this IP are:
Domains directly associated with this scam
This is another case where the scammers use the visual recognition associated with brands like Google to channel victims from reputable sites to those that harbor fake security software for phishing.
Update (17 Apr 2009)
If you are infected with the “Personal Antivirus” rogue, the procedure below should help you to get rid of it.
- If Internet Explorer is hijacked, use an alternate browser like Firefox or Chrome to download and install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
- Also download CCleaner.
- Boot into Windows Safe mode.
- Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
- Turn System Restore off and on.
- Install, scan and clean the temporary files with CCleaner.
You should now be clean of this rogue.
If you still see symptoms associated with this rogue security software, please post your problem at one of the Recommended Online Forums for Malware Help.