Impersonation is a form of flattery by itself, however, not when it comes to the very latest round of rogue security software this time impersonating ZDNet, CNET's and PC Magazine's reviews section, making it look like legitimate and highly respected technology sites have actually reviewed and recommend the rogue security software.
According to Lawrence Abrams from Bleeping Computer the latest rogue security software Anti-virus-1 redirects infected users attempting to visit the sites to a legitimately looking reviews of the scareware. By using this novel approach the rogue software vendor's aim is to add more legitimacy to Anti-virus-1's existence in general. However, if they truly wanted to achieve better social engineering result, they could have at least used a more recent version of the impersonated sites.
Here's how it's done anyway:
Upon installation the software modifies the HOSTS file and redirects affected users attempting to visit the review sites to a centralized location used for the hosting and promotion of even more rogue security software:
O1 - Hosts: 188.8.131.52 www.review.2009softwarereviews.com O1 - Hosts: 184.108.40.206 review.2009softwarereviews.com O1 - Hosts: 220.127.116.11 a1.review.zdnet.com O1 - Hosts: 18.104.22.168 www.d1.reviews.cnet.com O1 - Hosts: 22.214.171.124 www.reviews.toptenreviews.com O1 - Hosts: 126.96.36.199 reviews.toptenreviews.com O1 - Hosts: 188.8.131.52 www.reviews.download.com O1 - Hosts: 184.108.40.206 reviews.download.com O1 - Hosts: 220.127.116.11 www.reviews.pcadvisor.c.uk O1 - Hosts: 18.104.22.168 reviews.pcadvisor.co.uk O1 - Hosts: 22.214.171.124 www.reviews.pcmag.com O1 - Hosts: 126.96.36.199 reviews.pcmag.com O1 - Hosts: 188.8.131.52 www.reviews.pcpro.co.uk O1 - Hosts: 184.108.40.206 reviews.pcpro.co.uk O1 - Hosts: 220.127.116.11 www.reviews.reevoo.com O1 - Hosts: 18.104.22.168 reviews.reevoo.com O1 - Hosts: 22.214.171.124 www.reviews.riverstreams.co.uk O1 - Hosts: 126.96.36.199 reviews.riverstreams.co.uk O1 - Hosts: 188.8.131.52 www.reviews.techradar.com
And whereas modifying the HOSTS file is a bit of a noisy approach to hijack traffic, given the fact that end user managed to get -- ironically -- infected with a non-existent security software on their way to protect themselves from security threats, there's a high chance that this HOSTS modification will remain undetected.
- Go through related rogue security software posts: Sony PlayStation’s site SQL injected, redirecting to rogue security software; Fake Antivirus XP pops-up at Cleveland.com; Google sponsored links spreading (scareware) rogue AV
This "visual social engineering" approach is perhaps one of the key success factors for the rise of rogue security software. From the real-time scanning applets showing how badly affected a visitor is, to the bogus software rewards and awards the application has already won by using , vendors of rogue security software know the value of "what you see is what you get", or at least we want you think so.
From a psychological perspective, the rise of rogue security software demonstrantes the end user's impulsive decision making based on the oldest known motivation factor - fear which in 2009 is transformed into fear of losing data. And while in the past cybercriminals used to brandjack legitimate security software, today's revenue-sharing affiliate based model for spreading rogue security software is in fact building new brands that despite their short product cycle are already affecting hundreds of thousands of users.