Google links scam Avira users

Posted by   Virus Bulletin on   Jan 21, 2008

Suspect firm advertising via Google found to be specialising in hijacking security brands.

Google searches for Avira and the company's anti-malware product Antivir, a free version of which is available for personal use in the German home market and elsewhere, are producing sponsored links to a subscription-based software download site specialising in providing 'free' security products.

The sponsored links in have tricked many would-be Avira users into paying cash to the sneaky firm, operating at ''. With the new year the firm changed its name in the Google links to 'downloadlink-2008', but maintained its sponsored status and devious tactics, including adding the word 'avira' or 'antivir' to the site title displayed in the Google search results.

Clicking on the sponsored link, rather than the direct links to Avira further down the page, takes users to a site offering subscriptions to a package of security and system maintenance tools. After unchecking several boxes the system can be bypassed to lead eventually to an Antivir page at a separate freeware download site (users of the Firefox NoScript plugin may find this more difficult), but many users have felt tricked into buying the firm's wares in the belief that payment was necessary to access the Avira software.

For non-German speaking users, the same site also provides access to Symantec's online scanning system, which similarly is available free direct from the source rather than via the subscription system. The security package being pushed to visitors here is dubbed 'SpyErazer', an anti-spyware system unknown to many anti-spyware experts, bundled with a selection of system cleaning and back-up tools.

The site is operated by a firm called 'Interactive Brands', registered in Quebec, Canada, which runs several sites selling security products as well as PDF readers, web TV and other online services. Other sites operated by the firm include '' and '', selling copies of Panda products of dubious legitimacy, and '', which defaults to offering sales of Panda to users outside the US.

Several of the firm's sites include an FAQ plundered wholesale from the Grisoft website, which includes references to AVG. The firm has been operating similar sites since at least spring 2007 and AVG, Alwil's avast! and Lavasoft's AdAware are among other free products thought to have been used as lures in the past (see here for a first-hand report from one victim).

Staff at Avira have reported complaints from several hundred users who felt their trust in them, and in Google, had been abused. Their attempts to resolve the issue with Interactive Brands and Google have had no success and legal proceedings against the scammers are under way. Panda has also reported complaints from customers, and is planning legal action to combat the brand hijacking. Google has failed to respond to Virus Bulletin's requests for information on its screening policy for sponsored links, after further complaints were received from our readers.

'This sort of scam is typical of the wild west nature of the internet at the moment,' said John Hawes, Technical Consultant at Virus Bulletin. 'Fraud and crime are running rampant, and the effects of this on public confidence are potentially devastating to the online economy. Google have built themselves a good reputation for security and probity, but by profiting from scams like this they risk seriously denting that reputation. They need to operate a tougher screening policy for their sponsored links, to ensure the sites they promote in their searches are totally above board. Web users also need to increase their vigilance and ensure all purchases are made from legitimate and traceable sources - this case shows that trust is a valuable commodity and should not be given away too freely.'

Readers who have felt themselves defrauded by online scams are encouraged to report suspect sites to their security provider, to the search engine or other site which led them there, to banks in cases of phishing or financial loss, and in serious cases to law enforcement agencies. Virus Bulletin plans to provide a section of links for reporting online fraud and other crimes, and actively supports all efforts to improve and centralise online law enforcement and cybercrime reporting.

Posted on 21 January 2008 by Virus Bulletin



Latest posts:

First 11 partners of VB2019 announced

We are excited to announce the first 11 companies to partner with VB2019, whose support will help ensure a great event.

VB2018 paper: Fake News, Inc.

A former reporter by profession, Andrew Brandt's curiosity was piqued when he came across what appeared at first glance to be the website of a small-town newspaper based in Illinois, but under scrutiny, things didn’t add up. At VB2018 he presented a…

Paper: Alternative communication channel over NTP

In a new paper published today, independent researcher Nikolaos Tsapakis writes about the possibilities of malware using NTP as a covert communication channel and how to stop this.

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.