I wonder how much longer rogue AV will ride the wave of major news? Having recently blogged about rogue AV riding the US Midterm Elections wave, we spotted further activity on what appeared to be the blank pages from the Black Hat SEO campaign we noticed yesterday. Websense customers are continually protected against this attack through our Advanced Classification Engine.
In line with what we noticed previously, these blank pages were being prepared for what we can only assume is a major assault today, election day itself. This particular attack is browser-aware: the threat served depends on the browser being used.
Using the same source as yesterday's Black Hat SEO campaign, the links within the page are now fully primed to become active and ready to serve the malicious content. The main differences from the previous attack are that no URL is provided in the script's "if (navigator.userAgent.indexOf("MSIE")<0) var url = "http:" branch, and that the parking page is now active. However, when the link is clicked, the user is still not redirected to the intended malicious site.
Let's start with the first of the malicious candidates in the rogue AV election: the Adobe Flash update. This one is specific to Internet Explorer 8; when the link is activated, the unsuspecting user is prompted to install fake Macromedia Flash Components, which the page claims are required to view the web site.
The second malicious component masquerades as a Firefox update message and is, as can be guessed, specific to Firefox users.
As shown above, the user is again prompted to update Flash Player, this time with a Firefox-specific message.
With all other browsers, we see that it simply redirects to the same rogue AV download page we noticed yesterday.
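As an added example (not code from the Websense post), the scanner below looks for the browser-aware pattern described above in a page's inline scripts: a navigator.userAgent.indexOf("...") test followed by a var url = "..." assignment, reporting each branch, which browser it applies to, and whether its target is still the bare "http:" placeholder (primed) or a full URL (active). The sample HTML and the example.invalid URLs are constructed for illustration.

```python
"""Flag userAgent-based conditional redirects in a page's inline scripts.

Added example, not the original post's code. Detection only: it reports
which browser branches exist and whether each one is armed yet.
"""
import re

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A userAgent test, its comparison, and the `var url = "..."` that follows
# within the same statement (at most 200 chars, no ';' in between).
BRANCH_RE = re.compile(
    r"navigator\.userAgent\.indexOf\(\s*[\"']([^\"']+)[\"']\s*\)"
    r"\s*([<>=!]+)\s*(-?\d+)[^;]{0,200}?var\s+url\s*=\s*[\"']([^\"']*)[\"']",
    re.S,
)
# Comparisons meaning "the token is NOT in the user agent".
ABSENT_TESTS = {"<0", "==-1", "===-1"}


def find_ua_branches(html):
    """Return one dict per branch: token, applies_when, target, armed."""
    branches = []
    for script in SCRIPT_RE.findall(html):
        for token, op, num, target in BRANCH_RE.findall(script):
            branches.append({
                "token": token,
                # "<0" selects browsers whose UA lacks the token (e.g. non-IE)
                "applies_when": "absent" if op + num in ABSENT_TESTS else "present",
                "target": target,
                # a bare "http:" is a placeholder: primed but not yet active
                "armed": re.match(r"https?://\S+", target) is not None,
            })
    return branches


# Constructed sample: an IE branch still holding the "http:" placeholder and
# a Firefox branch already pointing at a (placeholder) download URL.
SAMPLE_HTML = """<html><body><script>
if (navigator.userAgent.indexOf("MSIE")<0) var url = "http:";
if (navigator.userAgent.indexOf("Firefox")>=0) var url = "http://example.invalid/firefox_update.exe";
</script></body></html>"""

if __name__ == "__main__":
    for b in find_ua_branches(SAMPLE_HTML):
        state = "ACTIVE" if b["armed"] else "primed"
        print(f"{state}: token={b['token']!r} when {b['applies_when']} -> {b['target']!r}")
```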
As of the time of writing and publishing this blog, detection coverage for the files offered by both the IE Flash update and the Firefox Flash update prompts was about 27.9%, as confirmed by VirusTotal.