NEWS FROM THE LAB - Wednesday, December 5, 2012

Finnish Website Attack via Rogue Ad

Posted by Sean @ 12:46 GMT

Finland has a rather small population in which F-Secure has a relatively large market share. (Natch.) And every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory.

Here's a graph of malware detections (as in preventions) that occurred in Finland from November 24th to November 27th.

Finland cloud statistics, Nov.24-Nov.27

And this is a graph of the same from December 1st to December 4th.

Finland cloud statistics, Dec.1-Dec.4

Why is there such a dramatic difference?

An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period. And according to Suomi24, all of that malware traffic was pushed by a single ad from a third-party advertiser's network.

Just one ad.

This is what our customers using our Browsing Protection feature would have seen:

F-Secure Browsing Protection block

And if the site blocking wasn't enabled, this is the antivirus notification:

F-Secure antivirus block

What was blocked? — Rogue Antivirus. As in fake security software.

Here's one version:

Fake Microsoft Security Essentials scan

And here's another:

Rogue's fake scan

These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials; they want payment up front.

Rogue asking for payment

Payment up front? That's generally a good sign there's something amiss.