Microsoft has uncovered a fresh wave of malware campaigns that block web users from surfing the internet using bogus threat alert messages.
Antivirus researcher at Microsoft Daniel Chipiristeanu discovered the campaigns while investigating rogue antivirus infection rates.
“Lately we’re seeing a dropping trend in the telemetry for some of the once most-prevalent rogue [antivirus] families, such as Win32/Winwebsec, Win32/OneScan, Win32/FakeXPA, Win32/FakePAV,” he said in a blog post.
“However, since the big malware ‘players’ are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gap.”
Chipiristeanu highlighted one of the campaigns as particularly malicious, as it uses fake antivirus malware to hamper its victims’ ability to browse the internet.
“In the past we’ve regularly seen rogues use the hosts file [sic] to block access to a legitimate security product’s websites to deny users protection against the threat,” read the post.
“Rogue:Win32/Defru has a different and simpler approach on how to trick the user and monetise on it. Basically, it prevents the user from using the internet by showing a fake scan when using different websites.”
He added that the bogus threat page includes a scam alert masquerading as a message from an antivirus vendor requesting the victim pay to have their system cleaned.
“An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click ‘Pay Now’. This will lead them to a payment portal called ‘Payeer‘ (payeer.com) that will display payment information,” read the post. “But of course, even if the user pays, the system will not be cleaned.”
Service disruption and lockouts are an increasingly common tactic in cyber criminals’ scams. Ransomware takes a similar but more damaging approach to extort payment from its victims by locking infected systems to a custom lock screen.
Many of the lock screens include a bogus message masquerading as a ‘fine’ payment message from a legitimate law-enforcement agency.
The attacks have proven worryingly successful in recent months. Damballa revealed earlier in August that the infamous Kovter police ransomware is infecting nearly 44,000 devices per day, earning criminals as much as $1,000 per successful attack.