Monday, August 10, 2009

Cory Aquino's Death Used to Spread Another FAKEAV

It has only been a few days since former Philippine president Corazon Aquino died of cardio-respiratory arrest last Saturday (August 1), and cybercriminals are already using the event for their own gain.

Cybercriminals use popular and high interest events to further their cause—in this case, spreading fake antivirus software detected by Trend Micro as TROJ_FAKEALRT.FK.

Trend Micro threat analyst Joseph Pacamarra found that searching for details on the former president’s death with the words “corazon aquino’s death” led users to the following malicious sites:

  • http://{BLOCKED}-gonzales.redxhost.com/corazon-aquino-death.html
  • http://{BLOCKED}sa.20x.cc/corazon-aquino-death.html
  • http://{BLOCKED}rank.0adz/corazon-aquino-death.html
  • http://{BLOCKED}-1.0adz.com/corazon-aquino-died.html

The cybercriminals used the same .php page (1.php) to redirect users who click the links above. However, this page was hosted on different domains, possibly to avoid detection. The redirections from the above links eventually led to the download of a fake antivirus from the following sites:

  • http://{BLOCKED}-pro-antivirus-scan.com/download.php?id=2022
  • http://{BLOCKED}-pro-antivirus-scan.com/download/Install-6a1e7ce_2022.exe
  • http://{BLOCKED}-pro-antivirus-scan.com/download/Install-74f10_2022.exe
  • http://{BLOCKED}-pro-antivirus-scan.com/download/Install-6a75f_2022.exe
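
For defenders reviewing web proxy logs, the chain described above (a hit on 1.php followed shortly by a download.php or Install-<hex>_<id>.exe request from the same client) can be correlated as in the sketch below. This is an added example, not Trend Micro's detection logic; the log format, the 60-second window, the client addresses and the example.test hosts are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Path shapes taken from the URLs listed in the post.
REDIRECTOR = re.compile(r"^/1\.php$")
PAYLOAD = re.compile(r"^/download/Install-[0-9a-f]+_\d+\.exe$|^/download\.php$")
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed proxy log lines: "timestamp client url". Hosts are placeholders.
SAMPLE_LOG = """\
2009-08-10T09:00:01 10.0.0.5 http://doorway.example.test/corazon-aquino-death.html
2009-08-10T09:00:02 10.0.0.5 http://redir-a.example.test/1.php
2009-08-10T09:00:04 10.0.0.5 http://scan.example.test/download.php?id=2022
2009-08-10T09:00:05 10.0.0.5 http://scan.example.test/download/Install-6a1e7ce_2022.exe
2009-08-10T09:01:00 10.0.0.9 http://news.example.test/1.php
2009-08-10T09:02:00 10.0.0.7 http://files.example.test/download/setup.exe
2009-08-10T09:30:00 10.0.0.9 http://files.example.test/download/Install-74f10_2022.exe
"""

def parse(line):
    """Split one log line into (time, client, host, path)."""
    ts, client, url = line.split(None, 2)
    parts = urlsplit(url.strip())
    return datetime.fromisoformat(ts), client, parts.hostname, parts.path

def find_chains(log_text, window=WINDOW):
    """Return (client, redirector_host, payload_host, payload_path) for each
    payload-shaped request that follows a /1.php hit by the same client."""
    last_redirect = {}  # client -> (time, host) of most recent /1.php hit
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = parse(line)
        if REDIRECTOR.match(path):
            last_redirect[client] = (ts, host)
        elif PAYLOAD.match(path) and client in last_redirect:
            seen, rhost = last_redirect[client]
            # Only flag downloads that closely follow the redirector hit.
            if timedelta(0) <= ts - seen <= window:
                hits.append((client, rhost, host, path))
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(hit)
```

Matching on the request sequence rather than on host names keeps the check useful when the redirector page moves between domains, as the post notes it did.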

This is not the first time that news was used to launch blackhat SEO attacks:

Users are advised to rely on legitimate and reputable news sites to avoid being infected. Trend Micro product users are advised to update to the latest CPR version 6.338.03 to stay protected.


Read more: http://blog.trendmicro.com/cory-aquino%e2%80%99s-death-used-to-spread-another-fakeav/#ixzz0NkR6MVRV

Source: Blog.TrendMicro.Com