FakeAV
FakeAV remains a popular technique to lure targets into paying attackers. Most of the instances of FakeAV we have reported earlier were running a fake computer scan in the browser. This time it appeared as a desktop application.
|FakeAV scan of the computer|
|FakeAV claims to have found threats|
|Some of the malicious behaviors of this FakeAV variant|
PRISM warning
The other malware is interesting. The attacker uses the recent news about PRISM to claim that the victim's computer has been blocked because it accessed illegal pornographic content. The victim has to pay $300 through MoneyPak, a prepaid card service.
|No less than 5 federal agencies are "blocking" your computer!|
|Victim needs to pay up $300 to get his computer back.|
Both malware samples connect to the same couple of IP addresses over ports 80 and 443, which include: