Malware spammers adopt rogue-AV scare tactics to spread infections

Free malicious software removal tool is the malware.

Criminals are spoofing the email addresses of several well-known antivirus vendors to trick victims into downloading a malicious file. The file is billed as a remover for an infection that does not exist but is purportedly causing the victim's system to send out infected email.

US security firm Websense said Wednesday it had blocked 2700 emails fitting this description in the past day, describing it as a “low-volume” campaign.

The brands in the batch of malicious spam Websense detected included Symantec, Sophos, F-Secure, Verisign, and Secure Root. The spoofed email addresses were: scanner@symantec.com, scanonline@f-secure.com, symantec@verisign.com, scan@sophos.com, symantec@sophos.com, virusscan@secureroot.com, and noreply@verisign.com.

As with other scareware ruses, recipients are encouraged to click on a link that directs them to download a malicious executable file after a supposed security scan indicates their computers are infected with the non-existent worm, W32.Swizzor.C-WORM.

The spam’s authors claim the link will lead victims to a free malicious software removal tool from the vendor.

The subject header of the spam in the case Websense highlights is: “[Symantec] - Your e-mail account may be blocked”.
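As an added example (not from Websense or the article), the sketch below shows one way a mail administrator could triage messages against the indicators quoted above: the spoofed sender addresses, the subject line and the fake worm name. The function name and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicators quoted in the article; everything else here is constructed.
SPOOFED_SENDERS = {
    "scanner@symantec.com", "scanonline@f-secure.com", "symantec@verisign.com",
    "scan@sophos.com", "symantec@sophos.com", "virusscan@secureroot.com",
    "noreply@verisign.com",
}
CAMPAIGN_SUBJECT = "[symantec] - your e-mail account may be blocked"
WORM_NAME = "w32.swizzor.c-worm"


def campaign_indicators(raw_message):
    """Return which campaign indicators appear in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    # parseaddr drops the display name, so only the address itself is compared.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in SPOOFED_SENDERS:
        hits.append("sender")
    # policy.default decodes RFC 2047 encoded-words before we compare.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == CAMPAIGN_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and WORM_NAME in body.get_content().lower():
        hits.append("worm-name")
    return hits


# Constructed sample messages (not real campaign mail).
SAMPLES = {
    "display-name spoof": 'From: "Symantec Security" <Scanner@Symantec.com>\n'
        "Subject: [Symantec] - Your e-mail account may be blocked\n\n"
        "A scan found W32.Swizzor.C-WORM on your computer.\n",
    "encoded subject": "From: alerts@example.net\n"
        "Subject: =?utf-8?q?=5BSymantec=5D_-_Your_e-mail_account_may_be_blocked?=\n\n"
        "Download the free removal tool.\n",
    "benign": "From: newsletter@example.org\nSubject: Weekly update\n\nHello.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, campaign_indicators(raw))
```

Because the addresses are spoofed copies of vendor addresses, a sender-only hit can also be legitimate vendor mail; the function reports which indicators matched rather than a verdict.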
