Google links scam Avira users

Posted by   Virus Bulletin on   Jan 21, 2008

Suspect firm advertising via Google found to be specialising in hijacking security brands.

Google searches for Avira and the company's anti-malware product Antivir, a free version of which is available for personal use in the German home market and elsewhere, are producing sponsored links to a subscription-based software download site specialising in providing 'free' security products.

The sponsored links in have tricked many would-be Avira users into paying cash to the sneaky firm, operating at ''. With the new year the firm changed its name in the Google links to 'downloadlink-2008', but maintained its sponsored status and devious tactics, including adding the word 'avira' or 'antivir' to the site title displayed in the Google search results.

Clicking on the sponsored link, rather than the direct links to Avira further down the page, takes users to a site offering subscriptions to a package of security and system maintenance tools. After unchecking several boxes the system can be bypassed to lead eventually to an Antivir page at a separate freeware download site (users of the Firefox NoScript plugin may find this more difficult), but many users have felt tricked into buying the firm's wares in the belief that payment was necessary to access the Avira software.

For non-German speaking users, the same site also provides access to Symantec's online scanning system, which similarly is available free direct from the source rather than via the subscription system. The security package being pushed to visitors here is dubbed 'SpyErazer', an anti-spyware system unknown to many anti-spyware experts, bundled with a selection of system cleaning and back-up tools.

The site is operated by a firm called 'Interactive Brands', registered in Quebec, Canada, which runs several sites selling security products as well as PDF readers, web TV and other online services. Other sites operated by the firm include '' and '', selling copies of Panda products of dubious legitimacy, and '', which defaults to offering sales of Panda to users outside the US.

Several of the firm's sites include an FAQ plundered wholesale from the Grisoft website, which includes references to AVG. The firm has been operating similar sites since at least spring 2007 and AVG, Alwil's avast! and Lavasoft's AdAware are among other free products thought to have been used as lures in the past (see here for a first-hand report from one victim).

Staff at Avira have reported complaints from several hundred users who felt their trust in them, and in Google, had been abused. Their attempts to resolve the issue with Interactive Brands and Google have had no success and legal proceedings against the scammers are under way. Panda has also reported complaints from customers, and is planning legal action to combat the brand hijacking. Google has failed to respond to Virus Bulletin's requests for information on its screening policy for sponsored links, after further complaints were received from our readers.

'This sort of scam is typical of the wild west nature of the internet at the moment,' said John Hawes, Technical Consultant at Virus Bulletin. 'Fraud and crime are running rampant, and the effects of this on public confidence are potentially devastating to the online economy. Google have built themselves a good reputation for security and probity, but by profiting from scams like this they risk seriously denting that reputation. They need to operate a tougher screening policy for their sponsored links, to ensure the sites they promote in their searches are totally above board. Web users also need to increase their vigilance and ensure all purchases are made from legitimate and traceable sources - this case shows that trust is a valuable commodity and should not be given away too freely.'

Readers who have felt themselves defrauded by online scams are encouraged to report suspect sites to their security provider, to the search engine or other site which led them there, to banks in cases of phishing or financial loss, and in serious cases to law enforcement agencies. Virus Bulletin plans to provide a section of links for reporting online fraud and other crimes, and actively supports all efforts to improve and centralise online law enforcement and cybercrime reporting.

Posted on 21 January 2008 by Virus Bulletin



Latest posts:

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.