Kaspersky Hack Redirected Users To Fake AV Site

Kaspersky Lab admits that people attempting to buy its security products were redirected to a scareware site

Hackers have caused serious embarrassment for a major security technology company. Kaspersky Lab’s Website was hacked over the weekend, sending customers, looking for security software, to an external download page pushing counterfeit software.

When users tried to download software from Kaspersky on October 17, they were redirected to a malware site that tricked users into downloading a fake antivirus application called Security Tool. Once executed, Security Tool displays pop-ups reporting to have found a number of vulnerabilities and threats to scare users into buying what it says is a full version in order to fix these problems.

Two Days Of Denials

Users posted reports of the attack on various online forums but said Kaspersky denied any kind of a breach had happened, even after a post from someone thought to be a Kaspersky Japan employee said the issue was fixed.

The company finally admitted to IT Pro on October 19 that it had been hacked, saying the redirection to the scareware site had lasted only 3.5 hours. When the company was notified, it took the affected server offline within 10 minutes, Kaspersky told IT Pro.

“Currently the server is secure and fully back online and Kaspersky products are available for download,” the company said.

Affected Kaspersky users posted about the hacked site on three different forums: security-oriented Calendar of Updates, Yahoo Answers and Kaspersky’s own Kaspersky Lab forum. Kaspersky either did not respond to queries or denied there was a problem on the site.

On the Kaspersky Labs forum, a user called to report the breach but said Kaspersky blamed the victim, suggesting the user must have clicked on a phishing link or mistyped the URL and landed on a fake site. When the user pointed out the redirect still happened when clicking on the download link in an order confirmation email from seven months ago, the company said, “That email was probably a fake email.”

The poster complained, “Now, Kaspersky didn’t want to help my father and wanted money to help him clean up the infection they caused.”

Third-Party Application Problem

Kaspersky is staying quiet on the details of how the hackers got control but said it was a bug in a “third-party application used for site admin” on the kasperskyusa.com Website, according to Trend Micro’s CounterMeasures security blog.

Fake antivirus software is commonly spread via phishing scams and pages created specifically to appear high in search results. However, “this compromise of a legitimate download site, particularly a security vendor, could represent an important new change of tactics by the scareware pushers,” Rik Ferguson wrote on CounterMeasures.

Users were more angry about Kaspersky’s silence and refusal to admit to a problem than to the hack itself. While they’d recognised the scareware tactic immediately, less security-savvy users could have been duped and installed the software. Kaspersky’s silence provided those users with no guidance as to what to do next.

On the Calendar of Updates forum, a concerned user wrote, “Not sure what more I could do. I would like a bit of transparency but I guess that no security company will come out and admit that their own Website got hacked.”

“Security vendors have often been the target both of malicious and mischievous hackers and, without fail, honesty and transparency have always been the best policy in the aftermath of such an event,” wrote Ferguson.

This is not Kaspersky’s first breach. In early 2009, an update to Kaspersky’s support site created a security hole in the database that exposed customer email addresses and product activation codes via a SQL injection attack. The hacker informed Kaspersky and the bug was fixed immediately.

Various Kaspersky international sites have been defaced at least 36 times since 2000, according to ZDNet’s Zero Day security blog.