I recently needed to look at some Alexa data related to their tracking of the top web domains visited for a side project that I was working on.
During my investigation of their data, I found it interesting to see a number of suspicious / malicious domains included in their daily top 1M list.
In this first blog section, I want to show that FakeAV / scareware malware has infiltrated the top websites according to Alexa. To begin with, there are 150 domains in the top list that contain the string "virus." This illustrates the popularity and the potential profitability of distributing software that cleans (or claims to clean) infected systems.
It could be inferred then, that there are a lot of systems on the Internet that users are trying to clean and/or protect from infection. Unfortunately, looking at the domains / sites in the list, it is difficult to determine if the wares being peddled on the site are legitimate or malicious. From my experience, most legit A/V products don't include the word "virus" within their domain name. The volume and sometimes "pushy" nature of anti-virus related sites further adds to the confusion of what are real or fake / malicious. Many of these sites appear to be affiliate sites (whether authorized or not), but there are malicious sites sprinkled in the results as well...
For example, a top scareware site in Alexa is hxxp://antivirus-defender.ru/. This site shows the typical scareware scanning screen (in Russian):
But with one twist- after the fake scanning is completed to scare the victim to purchase / download / install the wares, they are presented with a screen to enter a code that they purchase over SMS in order to download:
This translates to English as:
Unlike other scareware campaigns where the install is allowed first, and then pop-ups and warnings entice the victim to pay- this campaign preempts payment before installation and payment is done over SMS, which is a bit unique.
There are a handful of other malicious A/V sites within the Alexa results as well- e.g., antivirus-scanonline.com (is listed in Alexa and Google Safe Browsing) and virus-scanonline.com (a known malware site which is now dead). Looking up other key strings within Alexa, such as "scann", uncovered a few more malicious results: onlinescannerxp.com, best-guardinscanner.in, thebestscan-scanner.com, best-scan-scanner.in, smart-securityscanner.net, etc.
FakeAV was just one example of malware within the Alexa list. Doing SURBL and Google SafeBrowsing lookups of the Alexa domains showed a number of other results. For example, the domain freefilesoft.net is listed at position number 3378 in Alexa, but is also listed in SURBL.
It appears to offer up a Fake Codec that installs Adware.Hotbar software:
In the next section I will analyze the results from my scans of the top 1M sites and identify other threats / drive-by-downloads that are included within the most popular sites according to Alexa.