Even the scumbags are paying attention

Windows is plagued by viruses, spyware, and malware of all kinds; one of the most pernicious is the fake security software that exists to trick unwary users into paying for useless crap. Rogue software vendors use fake popups that imitate Windows and bogus reviews to con people into thinking that they have a problem and that this software will solve it.

(Allow me a smug laugh at this point: as a Linux user I get great quality software from validated sources for free, and don’t have a fraction of the problems of the Windows monoculture.)

Anti-Virus-1 is a new example of the genre that seems particularly bad:

The amount of social engineering techniques that Anti-virus-1 uses is the most I have seen so far in a rogue. In this rogue alone, they use fake security alerts, screen savers showing a blue screen crash caused by a spyware and then a fake reboot, Internet Explorer hijacks, and now fake review sites.

It also adds a number of entries to the hosts file to prevent the infectee from visiting legitimate review sites:

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com

It’s gratifying to see Reevoo in there: it’s a measure of success when the evil scammers notice you! Unfortunately for them, they got the wrong domain. Nice try, scumbags, but it’s really www.reevoo.com.

Update: Apparently I misinterpreted their modus operandi: the domains are deliberately wrong. They aren’t trying to prevent people from getting to the real reevoo.com, but to send people to fake reviews on a site that appears to be legitimate. Here’s what the fake site looks like. The design is way out of date, but I expect that most people wouldn’t notice:

Fake reevoo.com
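
A defender's check for the hosts-file tampering described above, as an added example that is not part of the original post: it parses HijackThis "O1 - Hosts:" lines or raw hosts-file lines and reports every non-local address that has several names pinned to it. The sample input, its host names and the 203.0.113.10 address are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: hosts entries pointing here are usually local admin mappings.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not from the post): invented names, and an address from
# the 203.0.113.0/24 documentation range standing in for the rogue server.
SAMPLE = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.10 reviews.shop.example
O1 - Hosts: 203.0.113.10 www.reviews.shop.example
203.0.113.10 reviews.news.example   # raw hosts-file syntax also accepted
0.0.0.0 ads.tracker.example
192.168.1.20 nas.home.example
not-an-ip broken.example
"""

def parse_entries(text):
    """Yield (ip, hostname) from hosts-file lines or HijackThis O1 lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()  # drop the log prefix
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than crash
        for name in fields[1:]:  # one line may map several names
            yield ip, name.lower().rstrip(".")

def is_local(ip):
    """Loopback, 0.0.0.0 or :: (ad-block sinkholes), or RFC 1918."""
    return ip.is_loopback or ip.is_unspecified or any(ip in n for n in RFC1918)

def remote_redirects(text, min_names=2):
    """Map each non-local IP to the names pinned to it, if >= min_names."""
    by_ip = defaultdict(set)
    for ip, name in parse_entries(text):
        if not is_local(ip):
            by_ip[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_names}

if __name__ == "__main__":
    for ip, names in remote_redirects(SAMPLE).items():
        print(f"{ip} overrides DNS for {len(names)} names: {', '.join(names)}")
```

Because a hosts entry takes precedence over DNS, this flags the redirect even when the pinned names do not exist in public DNS at all, which is the case the update describes.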

Comments

  1. Rob

    Wrote at 2009-02-19 13:06 UTC using Firefox 3.0.6 on Windows Vista:

    A rogue software company used similar techniques on my sister's Windows machine (pop ups, blue screen etc.). I can't remember what it was called now, but searching on the internet turned up a great legit software called SUPERAntiSpyware (SAS). At first I thought it was another scam as the software and website look awful but it worked fantastically (just boot into safe mode and run it).
  2. tripu

    Wrote at 2009-02-19 13:19 UTC using Firefox 3.0.6 on Windows XP:

    Outrageous. Is this a legal company actually selling software?
    Maybe we techies should take a sort of Hippocratic Oath? :¬)
  3. David

    Wrote at 2009-02-19 16:49 UTC using Internet Explorer 7.0 on Windows Vista:

    Having a Great Ormond Street Hospital charity banner on the page is a stroke of cynical genius

    By the way, did you know that your humble po-ru site is blocked by NetNanny (don’t ask how I have come to use a NN-enabled computer) on the basis of Adult/Mature and Pornographic content: that must almost be as gratifying as the scamsters paying such attention to Reevoo…
  4. Paul Battley

    Wrote at 2009-02-19 19:26 UTC using Firefox 3.0.5 on Linux:

    I thought the charity banner was a brilliant touch, too, but then I realised what’s happening: they’ve left in the Unanimis advertising script from our page; as it’s running on a different domain, Unanimis just serve up charity ads instead. The same thing happens on our QA and staging servers, and on developer machines.

    I’m proud to be blocked by NetNanny, useless bastards that they are. :-)
