Rogues Impersonate Google, Firefox Security Alerts

By Andrew Brandt


In the past week, we’ve begun to see new fakealerts — those disturbingly effective, entirely bogus “virus warning” messages — that mimic the appearance and text of legitimate warning dialogs you might see while surfing with the Firefox browser, or searching Google. The dialog, in a stern, red dialog box on a gray background, reads “Warning! Visiting this site may harm your computer!” — a dialog that appears to be designed to evoke the look of a Google Safe Browsing advisory as displayed in Firefox.

Cast as a kind of split between a warning message and a clickwrap agreement, the text of the dialog box reads “This web site probably contains malicious software program, which can cause damage to your computer or perform actions without your permission. Your computer may be infected after visiting such web site. We recommend you to install (or activate) antivirus security software.”

At the bottom of the dialog box, two buttons, labeled “Continue Unprotected” and “Get security software” are preceded by the sentence “I do realize that visiting this site can cause harm to my computer.” I’d give them points for honesty, but I’d rather not give them points for anything.

Nothing happens when you click the “Continue Unprotected” button, and I’ll give you one guess what happens next when you click the “Get security software” button.

The apparently Ukrainian operators of this scam are using the domain name as their base of operations. Security enthusiasts might have noticed that this domain is confusingly similar to, or the less well known, both of which provide, as a free service, feeds of URLs known to host malware in order to help others block those domains, and for research.

A legitimate Google Safe Browsing alert message


Beyond the dialog box, you’re presented with a page for something called Personal Antivirus which, if you couldn’t guess, is a rogue security product. Unlike most rogues, however, you’re not given the opportunity to download a demo version, free scan, or some other example of software smoke-and-mirrors. You’re merely presented with a page that offers the software for purchase at the low, low price of $59.95 (a savings of $33.30 off the already extortionate price for absolutely useless software).


The page even alerts you that “you have an exclusive 40% discount, since US citizens are our most frequent buyers.” Be still my beating heart. And in case you worried that you’d be billed for updates, the page also reassures you that “This is a one-time charge. Your credit card will never be rebilled and you will receive UPGRADES FOR FREE!” (emphasis scumbag)

Clicking the buy button on that page takes you to the order form, where the plot thickens. Somehow, the one-year license, listed at $59.95, with no other “purchases,” totals up to “79.9” at the bottom of the form.


The form also reassuringly features a graphic of a padlock and the words “secure payments” in the upper right corner, because everyone knows that pictures of padlocks — even in the absence of a secure HTTP connection or any semblance of legitimacy — mean everything is just hunky-dory. Now fork over your Mastercard.


The bottom of the order form also states that “Your IP address is logged for fraud prevention” and “Fraud will be prosecuted to the fullest extent of the law.” The extent of which, in this case, does not reach to Ukraine, where the scam artists reside and spend their days counting the cash rolling in.


13 thoughts on “Rogues Impersonate Google, Firefox Security Alerts”

  1. Was on my computer this a.m. after my computer updated, went to Facebook, and was chatting and entering things, and all of a sudden I got a message saying there was a trojan 32 worm critical to my computer, need to add or download Personal Antivirus. Never asked me to purchase it, or for my credit card. I have Webroot antivirus and Norton 360. Am I protected against any danger of anyone getting into my computer passwords, accounts, etc.? Please advise if you can.

    • You’ve been hit with a fakealert. I’d recommend that you update your antivirus definitions/signatures and perform a full sweep of your system. If I were you, I would reflexively distrust whatever “antivirus” product the fakealert is pushing.

  2. I had the same msg encouraging me to download Personal Antivirus. Fortunately, when asked, the Cox Cable tech said to ignore the msg and definitely not download the software because it has been carrying a virus.

    Thanks for posting this for others to see, too.

    • While not technically entirely accurate, I’m glad to hear that ISPs like Cox Cable, who serve a significant chunk of the home broadband market in the US, are warning their customers away from rogue antivirus products.

  3. Thank you for the information. I have Webroot and just updated to the new version. I began to see this Personal Antivirus message a couple of days ago and finally came to the conclusion it was a scam. I ran Webroot and my computer is clean, but please tell me how to get these messages off my computer. I keep getting those pop-up messages and there is a Personal Antivirus icon on my desktop. Thanks.

    • Unfortunately, try as we might, it’s difficult to keep up with every single variant of this spy. We’ll have someone in our support organization contact you, though if this happens in the future, you should probably just go there first.

  4. Glad to know you guys are aware of this antivirus scam. Also getting this Personal Antivirus message and pop-ups. I was told this is a worm; are you sure there is no danger to my computer? I have deleted the icons, but how do I get the pop-ups to stop, and get rid of the little shield in the bottom right hand corner?

    • We’ve observed this fakealert being downloaded by the Koobface worm, but the fakealert’s components aren’t, technically, a worm. But I think that’s splitting hairs. Perform a full sweep with updated definitions, just to be sure.

  5. I downloaded a program called Alpha AV. It downloaded without my even clicking it when I went on Twitter, and when I click uninstall it will not uninstall. Please help; I want to know how to get rid of it without erasing all my computer files, and I can't buy antivirus programs.

  6. I got a rogue security product called Active Security and the shield in the bottom right corner looked like something from a Windows product with the same colors. There is actually a program in the Startup list by the same name.

  7. I already have Norton 360 and did a full sweep, and that exact red dialog box keeps appearing, and when I click on the box to continue unprotected, it keeps coming back. How do I get rid of it? Any help is much appreciated.
