The Latest in IT Security

AVG Web threat weekly update – Week 50


1. “YouTube Premium plugin” scams spreading on Facebook

On the Facebook/YouTube scam front this week we came across phony posts that led to the usual survey sites, but also a new and potentially malicious YouTube Premium plugin (for Firefox/Chrome).

The video offered is of an uncommonly well endowed Italian model and TV hostess, Marika Fruscio, suffering a “wardrobe malfunction” during a soccer match. A little web research suggests that incident actually happened. Fruscio’s photos on the Web and Facebook scams seem to be matched like peas and carrots.


Marika Fruscio YouTube Premium plugin scam

In this scam, a user is told he or she must install a YouTube Premium plugin to view a video. The plugin is only offered to Firefox and Chrome users.


Installation of the plugin.


After installing the plugin the user is allowed to see the video.


Unknown to the user, the video has also been posted to their wall and their contacts’ walls.



Browser plugin security suggestions:


– Always install extensions from known sources (Chrome: the Chrome Web Store; Firefox: Mozilla Add-ons).

– Use add-ons like NoScript or No-Ads to avoid such malicious scripts.

– Stay away from scams/spams that promise to provide a gift or money.

– If spam messages are seen on your wall or in your messages, do not open them. Open the drop-down box by the side and click “Report/Mark as spam”.

2. Three drive-by downloads from exploit kits

One way malicious operators can use their exploit kits to make cash is to install rogue security products. Recently we’ve spotted Blackhole exploit kit software installing two rogues, Security Defender and XP AntiSpyware 2012. Like all rogues, they do a fake scan on a potential victim’s machine, display warnings of numerous (phony) serious infections then present a payment screen. Their application, of course, doesn’t “remove” the infections until payment is made.


The rogue scam, which has been going on for five years or more, depends on the distribution of a constant flow of new fake products (to evade detection by legitimate security products) and on new victims who cannot tell a legitimate security product from a fake.


For a good list of current legitimate anti-virus software, see the “about” section of the VirusTotal web site and click on the “credits” tab.


The two rogues are:


Drive by download #1: Security Defender



Drive by download #2: XP AntiSpyware 2012


XP Antispyware also lists many fake certifications in order to win the trust of the user.



Drive by download #3: Ransomware

This piece of ransomware locks up a victim’s machine, claiming (in German) to be a notice from a German music rights management organization. It claims that pirated music has been found on the victim’s machine and demands 50 Euros (about $67 USD) to unlock it.

This malware uses the logo and graphics of GEMA, the German society for musical performing and mechanical reproduction rights:


3. Spam leading to exploit kits


Last post we reported on malicious operators using spam that appeared to be from the payment agency NACHA and the Internal Revenue Service to lure victims to their download sites to install exploit kit malcode on their machines. This week we’ve seen the Federal Deposit Insurance Corporation and Better Business Bureau used in a similar way.




Spam email is a constant threat. Internet users should be wary of ANYTHING they receive by email, but especially from banks and other well-known government agencies and institutions. The links in malicious spam emails take victims to web sites where malcode is downloaded onto their machines – called “drive by” downloads. Also, attachments in spam are especially dangerous since they can contain executable malcode.


As a precaution:


– Use common sense. If a spam email contains an offer that is too good to be true, skip it. If it appears to be a notice from a business or organization that you haven’t done business with, skip it. If it contains an alarming warning from a government agency, skip it. If it appears to be a warning from your bank – call your bank.


– Simply don’t click on links in any email – go to the bank or organization’s site by typing its URL into your browser’s URL bar.


4. Domain registration scam spam

We recently received the following scam email that looked so genuine at first glance that we actually had several AVG offices check it out. It appears that it was from a scammer trying to sell us registrations with .asia, .cn, .hk and .tw (that’s Asia, China, Hong Kong and Taiwan) country domains similar to ones we use. The email implied that they were ready to sell the domains to someone else if we didn’t buy.

It’s the Internet version of that timeless scam: selling the Brooklyn Bridge.

Our investigation revealed:

A Web search for “Envot Holding, Inc.” (the company allegedly ready to buy the domains) returns no hits.

The “From:” email address on the spam is a workable email address and the phone and fax numbers match those on the Whois information for (registered in Shanghai). Clearly the scammers want us to call.

One tiny bit of information that is REALLY suspicious though: the domain was registered in August. Somehow one would expect the “department of registrant service in China” to be a government office and to have been around a lot longer than four months. And at least to be spelled with capitals.

One would also expect a Chinese government agency to employ people who can write decent English.


From: Watson Liu [mailto:[email protected]]

Sent: Monday, December 12, 2011 3:35 AM

Subject: XXXXXXX -Urgent Confirm Registration

Importance: High

(If you are not in charge of this, please forward this urgent email to your President & CEO, thanks.)

Dear President & CEO,

We are the department of registration service in China. we have something need to confirm with you. We formally received an application on December 9, 2011, One company which called “Envot Holding, Inc.” is applying to register as below:

Brand name: XXXXXX

After our initial examination, we found that the brand name being applied is as same as your company’s name and trademark. These days we are dealing with it, hope to get the affirmation from your company. If your company and this “Envot Holding, Inc.” are the same company, there is no need reply to us, we will accept their application and will register these for them immediately.

If your company has no relationships with that company or you did not authorize them, please reply us within 7 workdays, after getting the confirmation, we will handle it according to international domain names registration rule. If we can’t get any information from you within 7 workdays, we will unconditionally approve the application which is submitted by “Envot Holding, Inc.”

Waiting for your reply ASAP Today.

Best Regards,

Watson Liu

Senior Consultant

Tel: +86.21.67222201

Fax: +86.21.67222202
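
The two Whois checks from the investigation above (do the email's contact numbers match the registrant's, and how old was the domain when the email was sent) can be scripted. This is an added example, not AVG's tooling; the WHOIS excerpt, the domain name, the exact creation day and the one-year age threshold are constructed assumptions, since the page gives only "registered in August".

```python
import re
from datetime import date

# Constructed WHOIS excerpt: the page does not give the domain or its exact
# creation date (only "registered in August"), so both are placeholders.
WHOIS_TEXT = """\
Domain Name: registrar-example.invalid
Creation Date: 2011-08-15
Registrant City: Shanghai
Registrant Phone: +86.2167222201
Registrant Fax: +86.2167222202
"""

# Signature lines and sent date as quoted in the scam email above.
EMAIL_SIGNATURE = "Tel: +86.21.67222201\nFax: +86.21.67222202"
EMAIL_SENT = date(2011, 12, 12)


def digits(number):
    """Reduce a phone number to its digits so formatting differences vanish."""
    return re.sub(r"\D", "", number)


def whois_fields(text):
    """Parse 'Key: value' WHOIS lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(whois_text, signature, sent, min_age_days=365):
    """Report domain age at send time and numbers shared with the WHOIS record.

    min_age_days is an assumed threshold, not a value from the page.
    """
    fields = whois_fields(whois_text)
    created = date.fromisoformat(fields["creation date"])
    age_days = (sent - created).days
    whois_numbers = {digits(v) for k, v in fields.items()
                     if k.endswith(("phone", "fax"))}
    email_numbers = {digits(n) for n in re.findall(r"\+[\d.\- ]{7,}", signature)}
    return {"age_days": age_days,
            "young_domain": age_days < min_age_days,
            "shared_numbers": sorted(whois_numbers & email_numbers)}


if __name__ == "__main__":
    print(triage(WHOIS_TEXT, EMAIL_SIGNATURE, EMAIL_SENT))
```

A young domain whose registrant numbers match the sender's signature indicates that the sender registered the domain themselves rather than acting for a long-standing registration authority.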




5. Celebrity Facebook Scams

Miley Cyrus and Justin Bieber are currently the top Facebook celebrities used to fool users on Facebook into giving up personal information.

Justin Bieber scam


Miley Cyrus scam




– AVG Threat Research Group
