Hackers exploit McAfee false alarm to spread scareware attack, Sophos reports

Sophos Press Release

System administrators at risk of infection from fake anti-virus traps

IT security and control firm Sophos is warning that hackers are exploiting a problem with McAfee's anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves, effectively becoming inoperable.

McAfee accidentally issued a detection update yesterday which mistakenly detected a harmless Windows file, svchost.exe, as "W32/Wecorl.a", and caused critical problems on affected PCs.

Hackers, however, are compounding the problem by using blackhat SEO (search engine optimisation) techniques to create webpages stuffed with content which appears to be related to McAfee's false alarm problem - but are really designed to infect visiting computers.

Sophos has identified malicious webpages which appear on the first page of Google results if users search for phrases associated with McAfee's false positive.

McAfee false positive problem exploited by hackers

"It's bad enough if many of the computers in your company are out of action because of a faulty security update, but it's even worse if you infect your network by Googling for a fix," explained Graham Cluley, senior technology consultant for Sophos. "These poisoned pages are appearing on the very first page of search engine results, making it likely that many will click on them. If you visit the links you may see pop-up warnings telling you about security issues with your computer. The warnings are fake and designed to trick you into downloading dangerous software, which could result in hackers gaining control of your corporate computers or the theft of your credit card details."

In the past, hackers have used the same techniques to infect users hunting for information about Sandra Bullock's marriage problems, Tiger Woods' car crash, and the death of celebrities such as Michael Jackson and Natasha Richardson.

"SEO poisoning is one of the fastest-growing areas of cybercrime today," explained Cluley. "The hackers know that users turn to search engines when they are looking for the latest news on a breaking story, and are lying in wait to infect the unwary."

Sophos recommends that businesses protect their users by running a web security solution which scans every webpage and link clicked upon for malware and criminal activity.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.