Malware spammers adopt rogue-AV scare tactics to spread infections

Criminals are spoofing the email addresses of several well-known antivirus vendors to trick victims into downloading a malicious file that will supposedly remove a non-existent infection purportedly causing their systems to send out infected email.

US security firm Websense said Wednesday it had blocked 2700 emails fitting this description in the past day, describing it as a “low-volume” campaign.

The brands in the batch of malicious spam WebSense detected included Symantec, Sophos, F-Secure, Verisign, and Secure Root. The spoofed email addresses were: scanner@symantec.com, scanonline@f-secure.com, symantec@verisign.com, scan@sophos.com, symantec@sophos.com, virusscan@secureroot.com, and noreply@verisign.com.

Like other scareware ruses, recipients are encouraged to click on a link that directs them to download a malicious executable file after a supposed security scan indicates their computers are infected with the non-existent worm, W32.Swizzor.C-WORM.

The spam’s authors claim the link will lead victims to a free malicious software removal tool from the vendor.

The subject header of the spam in the case Websense highlights is: “[Symantec] - Your e-mail account may be blocked”.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

• Tweet