Yuri Gagarin: pretty awesome.
Yuri Gagarin poisoned search results: not so awesome.
The number one image search result in Google for Yuri is currently using the lure of a rather nice image hosted on Imagebucket to bounce them from thetouristsguide(dot)com to various rogue antivirus websites.
Click to Enlarge
Click to Enlarge
Click to Enlarge
Yesterday, the site involved was protecttunexpscanvirus(dot)com – they’re now using copyprotectwinxpscan(dot)com and htmlprotectwinxpscan(dot)com, and this is likely to change again. The file they’re serving up is AntiSpy 2011 – here’s a sample report from VirusTotal (18/40). It’s worth noting that the VirusTotal results will keep changing as they keep uploading new versions of these scareware files.
Constant battle and all that.
Some other URLs to keep an eye on, or simply fire into the heart of the Sun:
inspectagainantivir(dot)com
protectwinscannerprogramming(dot)com
protestersantivirusxp(dot)com
scanagainantivirusengine(dot)com
scanwinantiagency(dot)com
slidescannerantivxp(dot)com
protecttunexpvirusnow(dot)com
protectvirussafexpnow(dot)com
protectvirusxpdriversnow(dot)com
protectyoudistinctrpcscan(dot)com
protectyoujavarpcscan(dot)com
Yesterday the server of choice was having a nice old time of it in Trinidad and Tobago, but just like the URLs you can bet they’ll keep chopping and changing the servers too. Be warned: there are a number of other rogue AV redirects there in the search results, so you might just want to read about how awesome Yuri was instead of hunting for pictures. His 50th Anniversary ensures scammers will be filling up his results with garbage for a few weeks to come…
Christopher Boyd (Thanks to an anonymous tipster for sending this through).