Fake Kaspersky Antivirus

Over the weekend, someone wrote to us complaining that Kaspersky Lab was sending spam. Naturally, this came as a bit of a surprise, seeing as how we do nothing of the sort; in fact we do quite the reverse: we combat spam. Of course, we wanted to find out why a user had come to the conclusion that Kaspersky Lab was sending spam to them.

The email that the user complained about had all the hallmarks of a typical online scam: behind the nice pictures reminiscent of Kaspersky Lab’s official advertising there was a link that had absolutely nothing in common with the company’s products. The cybercriminals had done a good job: the email not only looked like an official email from Kaspersky Lab but the “From” field was a good imitation as well.
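The two warning signs described above (a convincing "From" field and a link that leads somewhere unrelated to the claimed sender) are exactly what a mail-filtering check can look for. The following is an added example, not code from the original post or from Kaspersky Lab: it parses a constructed message, takes the sender's domain from the From header, extracts every link in the HTML body, and reports the links whose domain does not match the sender's. The message text, the `.example` domains and the last-two-labels domain heuristic are all constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name and address imitate a vendor
# mailing, but the "buy" link points at an unrelated domain.
SAMPLE_EMAIL = """From: "Vendor Security" <news@vendor.example>
To: user@example.org
Subject: Special offer
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://best-antivirus-online.example/buy"><img src="http://img.example/box.png"></a>
<a href="https://www.vendor.example/">Our site</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Last-two-labels heuristic (constructed for the example; a production
    filter would consult a public-suffix list instead)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(raw):
    """Return the sender domain, all links found, and links whose domain
    differs from the sender's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0]
    sender_domain = registrable_domain(from_addr.domain)

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(html)

    mismatched = []
    for link in extractor.links:
        host = urlparse(link).hostname or ""
        if registrable_domain(host) != sender_domain:
            mismatched.append(link)

    return {
        "sender_domain": sender_domain,
        "links": extractor.links,
        "mismatched_links": mismatched,
    }


if __name__ == "__main__":
    result = check_message(SAMPLE_EMAIL)
    print("Sender domain:", result["sender_domain"])
    for link in result["mismatched_links"]:
        print("Link does not match sender domain:", link)
```

A mismatch is not proof of fraud on its own (legitimate mailings often use tracking domains), so in practice this check is one signal among several, weighed alongside SPF/DKIM results and the reputation of the linked domain.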

After clicking the link, a user unwittingly ends up on a website with an offer to buy a program called Best Antivirus Online. It has to be said that the image of the “product box” on the web page was not unlike Symantec’s signature design – black font against a predominantly yellow background. To buy the program, the user had to enter their credit card details and email address so they could receive further instructions. We followed these steps as part of our investigation, but received no further instructions at the email address we specified. It is quite possible that users received instructions on how to download the fake antivirus while the spam campaign was active.

This is not the first time cybercriminals have made use of Kaspersky Lab products. We have noticed on several occasions that the distributors of fake antiviruses have tried to make their “product” interfaces similar to those of KIS or KAV. Spammers distributing offers of cheap software often stress in their emails that Kaspersky Lab’s products are available on their sites at bargain prices.

This level of awareness by the cybercriminals is a clear indication that Kaspersky Lab products are popular and trusted. They are taking advantage of users’ trust in Kaspersky Lab as a social engineering tool, hoping that the familiar green design will lull users into a false sense of security and make them click the malicious link.

It should be noted that not only Kaspersky Lab has attracted the attention of malicious users. A week or so ago, we received similar messages that imitated a mailing from Adobe. The link in the message led to a suspicious-looking “pdf reader”. The site’s template was identical to the template used for Best Antivirus Online, only the color scheme was different. In early October, a similar site was linked to emails with offers to download a new version of iTunes dedicated to Steve Jobs. The color scheme then was completely different, but the site template was the same.

At the time the user wrote to us, Kaspersky Lab products already detected both the spam messages and the malicious site they linked to. But we urge users not only to trust our products but also to be vigilant when surfing the net. And remember: no reputable company would send spam messages!
