Spoofed warning page includes a download link attempting to trick users with a phony browser update.
Security researchers at F-Secure and Websense have discovered cybercriminals pitching rogue antivirus software using a spoofed version of attack warning pages used in Firefox and Google Chrome designed to block users from visiting malicious websites.
The phony attack page includes a download link that purports to be a browser update, but instead downloads rogue antivirus software, according to F-Secure.
According to F-Secure:
If your scripts are enabled, you don’t even need to click on the “Download Updates!” button. It will just offer the rogue AV to you.
It then refuses to let the user cancel the download.
In addition, Websense researchers found an iFrame that installs the Phoenix exploit kit from a different domain. Phoenix is used by cybercriminals pimping rogue AV to harvest data on infected machines and dupe the end user into buying the antivirus software. The kit consists of nine exploits for browser vulnerabilities, Java flaws, Flash errors and Adobe Reader bugs.