UPDATE: According to a report in ITPro by Jennifer Scott, Kaspersky have been in touch to confirm that their servers were in fact compromised and the redirection was very real. The breach was made by exploiting “a third party app used for site admin”. The malicious redirection was in place for three and a half hours.
Several reports in Kaspersky user forums seem to indicate that the security software manufacturer was recently compromised by cybercriminals trying to punt fake security software.
Fake anti virus software is most often spread through booby-trapped web pages, designed to show up high in search results for popular or newsworthy terms; for example recently people searching for information about the Stuxnet malware were targeted. This is a technique so established that TrendLabs have been able to develop automated tools to proactively monitor and block these pages as they appear. If true, this compromise of a legitimate download site, particularly a security vendor could represent an important new change of tactics by the scareware pushers.
Kaspersky users in three separate forums; Calendar of Updates, YahooAnswers and Kaspersky’s own Kaspersky Lab forum have complained that links to download Kaspersky’s home user security software from their USA download site were redirecting them to a malicious web page pushing fake AV known as Security Tool. One user posted the below screen capture
According to forum posts Kaspersky have stated that there was no compromise of their servers. Somewhat incongruous then is the post by one forum user going by the handle of Micha, who appears to come from Kaspersky Lab in Japan according to his profile. He posted the following:
Thanks, it should be fixed.
Security vendors have often been the target of both malicious and mischievous hackers and without fail, honesty and transparency have always been the best policy in the aftermath of such an event.
Thanks to Donna for the heads-up.