RE: Fake AV site
I saw that site about a week ago when I was at home. I think I was using Chrome at the time however. Likewise I just closed my browser tab (and performed a full scan with ESET). From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: 20 May 2011 01:29 To: NT System Admin Issues Subject: Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4PcTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.commailto:listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Fake AV site
Jeff, did you intentionally crop the top of the screen capture to eliminate the URL ? Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Matthew B Ames [mailto:matthew.a...@qinetiq.com] Sent: Friday, May 20, 2011 4:02 AM To: NT System Admin Issues Subject: RE: Fake AV site I saw that site about a week ago when I was at home. I think I was using Chrome at the time however. Likewise I just closed my browser tab (and performed a full scan with ESET). From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: 20 May 2011 01:29 To: NT System Admin Issues Subject: Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4P cTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com. http://www.qinetiq.com http://www.qinetiq.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Fake AV site
Hmmm, must be a fake-av construction kit. The interior dialog box titled ‘Windows Security Alert’ is identical, word for word, letter for letter, except for a seemingly random display of the ‘threats’ found to a fake-av I dealt with at a client site a few months ago, that was triggered from momentecue4.com . Identical including the same heinous spelling and grammatical errors ! Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: Thursday, May 19, 2011 8:29 PM To: NT System Admin Issues Subject: Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4P cTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Fake AV site
I've seen this a handful of times within the last month or so, seems to be more prevalent recently. Don Guyer Windows Systems Engineer RIM Operations Engineering Distributed - A Team, Tier 2 Enterprise Technology Group Fiserv don.gu...@fiserv.com Office: 1-800-523-7282 x 1673 Fax: 610-233-0404 www.fiserv.com http://www.fiserv.com/ From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Friday, May 20, 2011 8:34 AM To: NT System Admin Issues Subject: RE: Fake AV site Hmmm, must be a fake-av construction kit. The interior dialog box titled 'Windows Security Alert' is identical, word for word, letter for letter, except for a seemingly random display of the 'threats' found to a fake-av I dealt with at a client site a few months ago, that was triggered from momentecue4.com . Identical including the same heinous spelling and grammatical errors ! Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: Thursday, May 19, 2011 8:29 PM To: NT System Admin Issues Subject: Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33p u-4PcTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: Fake AV site
more so to crop the password toolbar and other tabs I had open (no, there was nothin' naughty, I promise!). The domain name is visible on the file download warning; page was index.php with a long string of characters as a parameter to it. I didn't go back to see if the parameter was necessary to launch that particular page; maybe this weekend in a VM if I'm bored. I have the URL and page source (obfuscated javascript) saved. On a related note, does anyone know how to search within the Temporary Internet Files on Win7? I'm curious as to where this site came from; I think it may have been an errant click on an advertisement. I was going to try a findstr on the directory, but its all hidden and virtualized now; what you see in explorer is not what you see on the command line. Of course, I may not find a thing if it was a redirect from an ad site, but thought it worth knowing how to do anyway. On Fri, May 20, 2011 at 8:00 AM, Erik Goldoff egold...@gmail.com wrote: Jeff, did you intentionally crop the top of the screen capture to eliminate the URL ? *Erik Goldoff*** *IT Consultant* *Systems, Networks, Security * ' Security is an ongoing process, not a one time event ! ' *From:* Matthew B Ames [mailto:matthew.a...@qinetiq.com] *Sent:* Friday, May 20, 2011 4:02 AM *To:* NT System Admin Issues *Subject:* RE: Fake AV site I saw that site about a week ago when I was at home. I think I was using Chrome at the time however. Likewise I just closed my browser tab (and performed a full scan with ESET). *From:* Jeff Bunting [mailto:bunting.j...@gmail.com] *Sent:* 20 May 2011 01:29 *To:* NT System Admin Issues *Subject:* Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4PcTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com. http://www.qinetiq.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Fake AV site
Incredible the number of fake av variants … here’s a google link for ‘images’ for “fake av” showing screen captures of all sorts ! http://www.google.com/search?hl=en http://www.google.com/search?hl=enq=fake+avbav=on.2,or.r_gc.r_pw.um=1ie =UTF-8tbm=ischsource=ogsa=Ntab=wibiw=1334bih=803 q=fake+avbav=on.2,or.r_gc.r_pw.um=1ie=UTF-8tbm=ischsource=ogsa=Ntab= wibiw=1334bih=803 Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Guyer, Don [mailto:don.gu...@fiserv.com] Sent: Friday, May 20, 2011 9:08 AM To: NT System Admin Issues Subject: RE: Fake AV site I’ve seen this a handful of times within the last month or so, seems to be more prevalent recently. Don Guyer Windows Systems Engineer RIM Operations Engineering Distributed – A Team, Tier 2 Enterprise Technology Group Fiserv don.gu...@fiserv.com Office: 1-800-523-7282 x 1673 Fax: 610-233-0404 http://www.fiserv.com/ www.fiserv.com From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Friday, May 20, 2011 8:34 AM To: NT System Admin Issues Subject: RE: Fake AV site Hmmm, must be a fake-av construction kit. The interior dialog box titled ‘Windows Security Alert’ is identical, word for word, letter for letter, except for a seemingly random display of the ‘threats’ found to a fake-av I dealt with at a client site a few months ago, that was triggered from momentecue4.com . Identical including the same heinous spelling and grammatical errors ! Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: Thursday, May 19, 2011 8:29 PM To: NT System Admin Issues Subject: Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4P cTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
RE: Fake AV site
Often you’ll get these browser based fake av popups as a result of SEO and/or DNS poisoning , not so much from any ‘errant’ click. Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: Friday, May 20, 2011 9:18 AM To: NT System Admin Issues Subject: Re: Fake AV site more so to crop the password toolbar and other tabs I had open (no, there was nothin' naughty, I promise!). The domain name is visible on the file download warning; page was index.php with a long string of characters as a parameter to it. I didn't go back to see if the parameter was necessary to launch that particular page; maybe this weekend in a VM if I'm bored. I have the URL and page source (obfuscated javascript) saved. On a related note, does anyone know how to search within the Temporary Internet Files on Win7? I'm curious as to where this site came from; I think it may have been an errant click on an advertisement. I was going to try a findstr on the directory, but its all hidden and virtualized now; what you see in explorer is not what you see on the command line. Of course, I may not find a thing if it was a redirect from an ad site, but thought it worth knowing how to do anyway. On Fri, May 20, 2011 at 8:00 AM, Erik Goldoff egold...@gmail.com wrote: Jeff, did you intentionally crop the top of the screen capture to eliminate the URL ? Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: Matthew B Ames [mailto:matthew.a...@qinetiq.com] Sent: Friday, May 20, 2011 4:02 AM To: NT System Admin Issues Subject: RE: Fake AV site I saw that site about a week ago when I was at home. I think I was using Chrome at the time however. Likewise I just closed my browser tab (and performed a full scan with ESET). From: Jeff Bunting [mailto:bunting.j...@gmail.com] Sent: 20 May 2011 01:29 To: NT System Admin Issues Subject: Fake AV site Ran across a fake AV site this evening, with a faux-windows explorer web page. Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting, didn't know if there were other well-regarded places to submit these Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its scan before the windows security alert popped up. The page was easily closed by killing the IE tab (the domain name appears in the image) http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4P cTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1 Jeff ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England Wales: Company Number: 3796233) Registered office: Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com. http://www.qinetiq.com http://www.qinetiq.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana
