Fake AV: .ru sites used for redirections

By | February 29, 2012

Source: Zscaler Research

Fake AV page

In this article: “This past month, I’ve seen an increase in hijacked sites redirecting to a Fake AV page. These attacks typically involve three separate phases:

  1. The hijacked website redirects users coming from a Google search to an external domain.
  2. A website redirects users to the Fake AV page or to a harmless site (mostly bing.com and google.com) depending upon the referer in step #1. This page adds a cookie using JavaScript, and reads it immediately, to make sure the page was accessed by a real browser that supports both JavaScript and cookies.
  3. The fake AV page is delivered.”
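
The three phases leave a recognizable Referer chain in web proxy logs. The following is an added example, not code from the Zscaler article: it rebuilds that chain per client and labels the final hop. The log layout, the hostnames, the 10-second window and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (epoch seconds, client IP, requested URL, Referer).
# All hostnames are made-up placeholders, not indicators from the article.
SAMPLE_LOG = [
    (100, "10.0.0.5", "http://blog.example.org/post", "http://www.google.com/search?q=recipes"),
    (101, "10.0.0.5", "http://hop.example.ru/in.php", "http://blog.example.org/post"),
    (103, "10.0.0.5", "http://scan.example.net/av/", "http://hop.example.ru/in.php"),
    (200, "10.0.0.9", "http://blog.example.org/post", "http://www.google.com/search?q=recipes"),
    (201, "10.0.0.9", "http://hop.example.ru/in.php", "http://blog.example.org/post"),
    (202, "10.0.0.9", "http://www.bing.com/", "http://hop.example.ru/in.php"),
    (300, "10.0.0.7", "http://news.example.com/", "http://www.google.com/search?q=news"),
    (301, "10.0.0.7", "http://cdn.example.com/app.js", "http://news.example.com/"),
]

HARMLESS = ("bing.com", "google.com")  # decoy destinations named in the article
WINDOW = 10  # assumed maximum seconds between two hops of one chain

def host(url):
    return (urlsplit(url).hostname or "").lower()

def in_domain(h, domain):
    return h == domain or h.endswith("." + domain)

def from_google(referer):
    # Coarse match on a "google" label so country domains are covered too.
    return "google" in host(referer).split(".")

def find_chains(records):
    """Return (client, hijacked, ru_hop, final, verdict) per three-hop chain."""
    hits, recs = [], sorted(records)
    for t1, c1, u1, r1 in recs:
        if not from_google(r1):
            continue  # phase 1 only triggers for visitors arriving from Google
        for t2, c2, u2, r2 in recs:
            hop = host(u2)
            if c2 != c1 or not t1 <= t2 <= t1 + WINDOW or host(r2) != host(u1):
                continue
            if not hop.endswith(".ru") or hop == host(u1):
                continue  # phase 2 needs an external .ru hop
            for t3, c3, u3, r3 in recs:
                final = host(u3)
                if c3 != c1 or not t2 <= t3 <= t2 + WINDOW:
                    continue
                if host(r3) == hop and final != hop:
                    decoy = any(in_domain(final, d) for d in HARMLESS)
                    verdict = "decoy" if decoy else "suspect-landing"
                    hits.append((c1, host(u1), hop, final, verdict))
    return hits
```

A "decoy" verdict still identifies the first host as hijacked: the same .ru hop served a harmless destination to that client, so both verdicts are worth triaging.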
