By Andrew Brandt
Spammers hawking “fun videos” have been worming their way into Google Groups, the global message board Google built on the skeleton of the old Usenet network. Only, the pages the spammers point victims to, which don’t actually contain videos, come with a nasty surprise: Rogue antivirus apps.
The attacks began late last year, but have been increasing in frequency through the holidays, and haven’t abated in the new year. The users sending out the spam messages all use free Gmail accounts (one even named his spam account Santa Claus), and have been requesting access to both open-membership and closed-membership Groups, the latter of which require an administrator’s approval. Once added to a group’s member list, the spam accounts post brief messages (an example shown at left) with a link.
The URLs originate from a number of link-shortening services, but they all work the same way: Each shortened link points to a different, unique subdomain of the Utah-based free Web hosting service 150m.com. Those pages contain a single line of code which redirects the browser to one of several servers with Chinese domain names. Those servers, in turn, redirect the browser to the website hosting the rogue antivirus installer. The shortlinks and Chinese websites only remain viable for a day or two, at most.
The page a victim finally sees is a Youtube-esque fake video player (shown above); A browser popup appears which tells the user that an ActiveX control is required, and pushes down an executable application file. This happens regardless of the browser you visit with; presumably, the rogue AV distributors don’t know or care that you can only use ActiveX plug-ins with IE.
As you can probably imagine, the executable installer actually pulls down a rogue antivirus with the name Personal Security on its labeling and branding. The particular version of the rogue warns victims about the same bogus list of threats.
Interestingly, the program contains text descriptions of these fake infections in English, French, and German. But the rogue’s international flavor doesn’t make it any more difficult for us to get rid of it. Internal lines of code actually refer to the product as Antivirus 2009, a well known threat that’s handily deleted.
Usenet, in its heyday, was a hotbed of spam, so it’s not particularly remarkable that Google Groups has become a spam magnet as well. What is surprising, however, is that the spammers all use Gmail. If you haven’t signed up for a Gmail account recently, you might not realize that Google has instituted a policy requiring new users to provide a mobile phone number where the company texts a code needed to activate the account. That begs the question: Why hasn’t anyone tracked the malicious activity back to the owner of the phone(s) used to create those accounts?