Google links scam Avira users

Posted by   Virus Bulletin on   Jan 21, 2008

Suspect firm advertising via Google found to be specialising in hijacking security brands.

Google searches for Avira and the company's anti-malware product Antivir, a free version of which is available for personal use in the German home market and elsewhere, are producing sponsored links to a subscription-based software download site specialising in providing 'free' security products.

The sponsored links in have tricked many would-be Avira users into paying cash to the sneaky firm, operating at ''. With the new year the firm changed its name in the Google links to 'downloadlink-2008', but maintained its sponsored status and devious tactics, including adding the word 'avira' or 'antivir' to the site title displayed in the Google search results.

Clicking on the sponsored link, rather than the direct links to Avira further down the page, takes users to a site offering subscriptions to a package of security and system maintenance tools. After unchecking several boxes the system can be bypassed to lead eventually to an Antivir page at a separate freeware download site (users of the Firefox NoScript plugin may find this more difficult), but many users have felt tricked into buying the firm's wares in the belief that payment was necessary to access the Avira software.

For non-German speaking users, the same site also provides access to Symantec's online scanning system, which similarly is available free direct from the source rather than via the subscription system. The security package being pushed to visitors here is dubbed 'SpyErazer', an anti-spyware system unknown to many anti-spyware experts, bundled with a selection of system cleaning and back-up tools.

The site is operated by a firm called 'Interactive Brands', registered in Quebec, Canada, which runs several sites selling security products as well as PDF readers, web TV and other online services. Other sites operated by the firm include '' and '', selling copies of Panda products of dubious legitimacy, and '', which defaults to offering sales of Panda to users outside the US.

Several of the firm's sites include an FAQ plundered wholesale from the Grisoft website, which includes references to AVG. The firm has been operating similar sites since at least spring 2007 and AVG, Alwil's avast! and Lavasoft's AdAware are among other free products thought to have been used as lures in the past (see here for a first-hand report from one victim).

Staff at Avira have reported complaints from several hundred users who felt their trust in them, and in Google, had been abused. Their attempts to resolve the issue with Interactive Brands and Google have had no success and legal proceedings against the scammers are under way. Panda has also reported complaints from customers, and is planning legal action to combat the brand hijacking. Google has failed to respond to Virus Bulletin's requests for information on its screening policy for sponsored links, after further complaints were received from our readers.

'This sort of scam is typical of the wild west nature of the internet at the moment,' said John Hawes, Technical Consultant at Virus Bulletin. 'Fraud and crime are running rampant, and the effects of this on public confidence are potentially devastating to the online economy. Google have built themselves a good reputation for security and probity, but by profiting from scams like this they risk seriously denting that reputation. They need to operate a tougher screening policy for their sponsored links, to ensure the sites they promote in their searches are totally above board. Web users also need to increase their vigilance and ensure all purchases are made from legitimate and traceable sources - this case shows that trust is a valuable commodity and should not be given away too freely.'

Readers who have felt themselves defrauded by online scams are encouraged to report suspect sites to their security provider, to the search engine or other site which led them there, to banks in cases of phishing or financial loss, and in serious cases to law enforcement agencies. Virus Bulletin plans to provide a section of links for reporting online fraud and other crimes, and actively supports all efforts to improve and centralise online law enforcement and cybercrime reporting.

Posted on 21 January 2008 by Virus Bulletin



Latest posts:

VB2018 paper: The modality of mortality in domain names

Domains play a crucial role in most cyber attacks, from the very advanced to the very mundane. Today, we publish a VB2018 paper by Paul Vixie (Farsight Security) who undertook the first systematic study into the lifetimes of newly registered domains.…

VB2018 paper: Analysing compiled binaries using logic

Constraint programming is a lesser-known technique that is becoming increasingly popular among malware analysts. In a paper presented at VB2018 Thaís Moreira Hamasaki presented an overview of the technique and explained how it can be applied to the…

Virus Bulletin encourages experienced speakers and newcomers alike to submit proposals for VB2019

With a little less than a month before the deadline of the call for papers for VB2019, Virus Bulletin encourages submissions from experienced speakers and newcomers alike.

VB2018 paper: Internet balkanization: why are we raising borders online?

At VB2018 in Montreal, Ixia researcher Stefan Tanase presented a thought-provoking paper on the current state of the Internet and the worrying tendency towards raising borders and restricting the flow of information. Today we publish both his paper…

The malspam security products miss: banking and email phishing, Emotet and Bushaloader

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: banking and email phishing, Emotet and Bushaloader.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.