Spyware authors and phishing fraudsters yanked an old scam out of the
playbook Wednesday by directing malicious code at Internet users who are
prone to typing or spelling mistakes, according to security researchers.
Finnish security firm F-Secure said it discovered an attack aimed at Web
surfers who attempt to land on Google’s homepage but may have mistyped the Web address.
Internet users who punch in “Googkle.com” are treated to a host of
malicious code, as the computer gets slammed with a heap of unwanted
software that is automatically downloaded and installed. The malware
includes: Trojan droppers, Trojan downloaders, backdoors, a proxy Trojan and
a spying Trojan. A few adware-related files are also installed, the firm
said.
“Our investigation revealed that the whole infection starts from the
‘googkle.com’ Web site. This Web site, as well as a few related Web sites, are
owned by people with Russian names. Also, several malicious files that are
downloaded from these Web sites have Russian texts,” F-Secure said in a
statement.
When “googkle.com” opens in a browser, it shows two popup windows
that are linked to several Web sites, F-Secure said. The first popup reveals
a phishing-style Trojan that requests individuals’ online banking
information. The other deposits phony antivirus alerts on the desktop and
attempts to pull victims into other infected sites.
The phony alert is created by changing an HTML file on the desktop that
allows the user to click on the notice. It leads the victim to
‘topantivirus.biz,’ which in turn provides links to other Web sites,
according to F-Secure.