[Updated after further investigation.]

For the past few days, I've been seeing spam to one of my accounts offering me various bits of software. Nothing unusual about that, of course, but this one was better constructed than usual, and consistent, and I made a mental note to look more closely when I'm a little less busy. Over Easter, perhaps. :-/

Today's really caught my eye, though: it was linking to a product called  Antivirus 2009. Now there's a familiar name... Sure enough, the link redirects to what looks like a classic fake anti-malware site. Quite carefully done, too.

There's a page that explains why the product is better than AVG. (Sorry, Larry B., it's their claim, not mine!) If you try to download it, it asks you to fill in a form with your name and email address. Then it asks you for credit card details, and as my alter ego on this occasion doesn't have a credit card, I didn't go any further. That's a monthly bill I don't want to explain to Accounting.

There are a couple of interesting features to this though.

  1. When I went back to those other mails, one was apparently for a PDF manager, and the other for Open Office, the open source office software. The PDF manager is hosted on the same site as the "antivirus" package, but the Open Office site has a name similar to the real site, but one suggesting that it's hosted in the now-defunct Soviet Union (.su domain). The procedure for downloading is the same, so I haven't seen the binaries.
  2. The email is not fancy, but it's consistent. The sender address is gmail, and while the real address doesn't change, the identifier does, according to the type of product being pushed. Something like this: PDF sales [badman@badsite.org];  AV sales [badman@badsite.org]. And there's an unsubscribe link, which I haven't tried. The English doesn't have any glaring spelling or grammatical errors, unlike much spam. Of course, since I've just made this public, the format and content may change dramatically and suddenly. Not all our readers are good guys...
  3. The use of the credit card form so early in the proceedings makes it a little more difficult to follow up on stuff like this.

As I mentioned earlier, I turned this over to people better-resourced for investigations like this. No, I don't mean the BBC...

The responses I've had back and some further probing on my ownsuggest a group simply trying to make money by selling free software, or access to software that may or not be free. In other words, the scam is the credit card form, rather than an organized attempt to seed malware. Further investigation has turned up links to pages that spoof real antispyware vendors. I guess if you're happy to make money by pretending to provide software, including security software, you're not going to be concerned about whether it's real or fake software you're spoofing.

David Harley
Director of Malware Intelligence