Google links scam Avira users

Posted by   Virus Bulletin on   Jan 21, 2008

Suspect firm advertising via Google found to be specialising in hijacking security brands.

Google searches for Avira and the company's anti-malware product Antivir, a free version of which is available for personal use in the German home market and elsewhere, are producing sponsored links to a subscription-based software download site specialising in providing 'free' security products.

The sponsored links in Google.de have tricked many would-be Avira users into paying cash to the sneaky firm, operating at 'downloadlink-2007.com'. With the new year the firm changed its name in the Google links to 'downloadlink-2008', but maintained its sponsored status and devious tactics, including adding the word 'avira' or 'antivir' to the site title displayed in the Google search results.

Clicking on the sponsored link, rather than the direct links to Avira further down the page, takes users to a site offering subscriptions to a package of security and system maintenance tools. After unchecking several boxes the system can be bypassed to lead eventually to an Antivir page at a separate freeware download site (users of the Firefox NoScript plugin may find this more difficult), but many users have felt tricked into buying the firm's wares in the belief that payment was necessary to access the Avira software.

For non-German speaking users, the same site also provides access to Symantec's online scanning system, which similarly is available free direct from the source rather than via the subscription system. The security package being pushed to visitors here is dubbed 'SpyErazer', an anti-spyware system unknown to many anti-spyware experts, bundled with a selection of system cleaning and back-up tools.

The site is operated by a firm called 'Interactive Brands', registered in Quebec, Canada, which runs several sites selling security products as well as PDF readers, web TV and other online services. Other sites operated by the firm include 'panda-internet-security.com' and 'download-panda-antivirus.com', selling copies of Panda products of dubious legitimacy, and 'Mcafee-antivirus-2007.com', which defaults to offering sales of Panda to users outside the US.

Several of the firm's sites include an FAQ plundered wholesale from the Grisoft website, which includes references to AVG. The firm has been operating similar sites since at least spring 2007 and AVG, Alwil's avast! and Lavasoft's AdAware are among other free products thought to have been used as lures in the past (see here for a first-hand report from one victim).

Staff at Avira have reported complaints from several hundred users who felt their trust in them, and in Google, had been abused. Their attempts to resolve the issue with Interactive Brands and Google have had no success and legal proceedings against the scammers are under way. Panda has also reported complaints from customers, and is planning legal action to combat the brand hijacking. Google has failed to respond to Virus Bulletin's requests for information on its screening policy for sponsored links, after further complaints were received from our readers.

'This sort of scam is typical of the wild west nature of the internet at the moment,' said John Hawes, Technical Consultant at Virus Bulletin. 'Fraud and crime are running rampant, and the effects of this on public confidence are potentially devastating to the online economy. Google have built themselves a good reputation for security and probity, but by profiting from scams like this they risk seriously denting that reputation. They need to operate a tougher screening policy for their sponsored links, to ensure the sites they promote in their searches are totally above board. Web users also need to increase their vigilance and ensure all purchases are made from legitimate and traceable sources - this case shows that trust is a valuable commodity and should not be given away too freely.'

Readers who have felt themselves defrauded by online scams are encouraged to report suspect sites to their security provider, to the search engine or other site which led them there, to banks in cases of phishing or financial loss, and in serious cases to law enforcement agencies. Virus Bulletin plans to provide a section of links for reporting online fraud and other crimes, and actively supports all efforts to improve and centralise online law enforcement and cybercrime reporting.

Posted on 21 January 2008 by Virus Bulletin

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 London - join us for the most international threat intelligence conference!

VB calls on organisations and individuals involved in threat intelligence from around the world to participate in next year's Virus Bulletin conference.

VB2018 paper: Tracking Mirai variants

Today, we publish the VB2018 paper by Qihoo 360 researchers Ya Liu and Hui Wang, on extracting data from variants of the Mirai botnet to classify and track variants.

VB2018 paper: Hide'n'Seek: an adaptive peer-to-peer IoT botnet

2018 has seen an increase in the variety of botnets living on the Internet of Things - such as Hide'N'Seek, which is notable for its use of peer-to-peer for command-and-control communication. Today, we publish the VB2018 paper by Bitdefender…

New paper: Botception: botnet distributes script with bot capabilities

In a new paper, Avast researchers Jan Sirmer and Adolf Streda look at how a spam campaign sent via the Necurs botnet was delivering the Flawed Ammyy RAT. As well as publishing the paper, we have also released the video of the reseachers' VB2018…

VB2018 video: Behind the scenes of the SamSam investigation

Today we have published the video of the VB2018 presentation by Andrew Brandt (Sophos) on the SamSam ransomware, which became hot news following the indictment of its two suspected authors yesterday.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.