Lately, we've been tracking search engine optimization (SEO) poisoning attacks that direct users to rogue antivirus (AV) sites. We've seen the people behind these attacks poisoning searches for many major world events, and some not-so-major ones as well. So it's kind of amusing — and annoying — to see F-Secure being used as the bait in this kind of thing.
We saw this search result pop up when searching for information about F-Secure:
Clicking on the link takes the user on a redirect path as follows:
After this, the attack follows the usual pattern of warning messages, misleading scan reports and so on:
Just in case it is not obvious, this looks nothing like our products.
Finally, the user is asked to install the following:
Which we detect as Rogue:W32/InternetAntivirus.BG. The detection covers the downloader, the downloaded installer and the main executable.
Nothing really new about this attack. Just a little more personal.