The government-backed website Startup Britain redirected traffic to a site compromised by fake antivirus software, ZDNet UK has discovered.
Startup Britain redirected traffic to a site compromised by fake antivirus software. Screenshot: Tom Espiner
The site, which launched on Monday, exposed Internet Explorer users to scareware being hosted on a third-party site, Bankling.com. After submitting questions to Startup Britain on Monday, ZDNet UK found the link in question had been removed on Tuesday morning.
UK security company Sophos confirmed the attempted fraud on the site, which is designed to help would-be entrepreneurs. "Startupbritain.org, which is linked to from the 10 Downing Street page — number10.gov.uk, contains links to a WordPress site that automatically puts up a fake antivirus page," said Sophos senior threat researcher Paul Baccas.
Startup Britain users clicking through from the 'Growing' tab to 'A bit of motivation' to 'Warren Buffet' quotes were taken to Bankling.com, an external page hosting fake antivirus programs.
Users were prompted to click 'ok' on the dialogue box, then encouraged to upload a fake antivirus program, which asked users for money to 'clean' the system.
A warning message told users their computer was infected with malware. Screenshot: Tom Espiner
Firefox users were not targeted. Firefox 4 in a secure configuration did not allow users to access the link, while users of Firefox 3.6.9 were not shown the dialogue box.
Fake antivirus page
The bankling.com site redirected users, via pages in the Cocos Islands, to the fake antivirus software page, which was hosted on the Indian top level domain, .in. The Indian site loaded a standard web page displaying a fake system scan, FreeSystemScan.exe, that prompted for remediation.
Startup Britain has linked to a site, and haven't told you that the link leads offsite. If you link to an external site, you should check its veracity and that it's clean.– Paul Baccas, Sophos
"Startup Britain has linked to a site, and haven't told you that the link leads offsite," said Baccas. "If you link to an external site, you should check its veracity and that it's clean. However, we don't know when the site was infected."
Startup Britain and the prime minister's office had not responded to a request for comment at the time of writing. On Tuesday the 'Warren Buffet' link had disappeared from the Startup Britain site.
Paul Mutton, a researcher with UK security company Netcraft, said the scareware was also being hosted in Latvia. "Users could be sent to a different exploit page each time," Mutton told ZDNet UK.
Finnish security company F-Secure said the rogue antivirus appears to be targeting Internet Explorer users in the UK.
Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.