Microsoft has issued a warning about a new rogue antivirus, detected as MSIL/Zeven, that uses scareware and social-engineering techniques to harvest users' credit card details. What sets it apart is that it detects which browser the visitor is using before launching a tailored security warning page, styled to be virtually indistinguishable from that browser's own, complete with the "helpful" option to download the appropriate antivirus software.
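Serving a different warning page per browser is a form of User-Agent cloaking, and it is also the property a URL scanner can catch it on: fetch the one URL with several browser identities and compare what comes back. The example below is added here and is not Microsoft's code nor anything recovered from MSIL/Zeven; it models the attacker-side template selection the paragraph describes and the defender-side comparison check. The User-Agent strings, page bodies, scareware wording markers and the 0.8 similarity threshold are all constructed assumptions for the sake of a stand-alone run; nothing is fetched from the network.

```python
import re
from difflib import SequenceMatcher

# Order matters: Chrome UAs also contain "Safari", and Edge UAs also contain "Chrome".
_BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edg(e|A|iOS)?/")),
    ("Chrome", re.compile(r"Chrome/")),
    ("Firefox", re.compile(r"Firefox/")),
    ("Safari", re.compile(r"Safari/")),
    ("IE", re.compile(r"MSIE |Trident/")),
]

# Wording typical of rogue-AV landing pages; an assumed indicator list, not Microsoft's.
SCAREWARE_MARKERS = ("your computer is infected", "download antivirus", "threats found")


def browser_family(user_agent: str) -> str:
    """Classify a User-Agent the way a tailored landing page must before it can
    decide which browser's warning dialog to imitate."""
    for name, pattern in _BROWSER_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "Unknown"


def serve_landing_page(user_agent: str, templates: dict, fallback: str) -> str:
    """Attacker-side selection as the article describes it: one URL, a warning
    page styled after whichever browser asked for it."""
    return templates.get(browser_family(user_agent), fallback)


def _visible_text(html: str) -> str:
    """Strip tags and collapse whitespace so markup noise does not dominate the diff."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def cloaking_report(responses: dict, threshold: float = 0.8) -> dict:
    """Defender-side check. `responses` maps each User-Agent the scanner used to
    the body the same URL returned for it. Bodies from different browser
    families whose visible text is less than `threshold` similar are reported
    as cloaked; bodies carrying scareware wording are reported as well."""
    text_by_family = {}
    for ua, body in responses.items():
        text_by_family.setdefault(browser_family(ua), _visible_text(body))
    families = sorted(text_by_family)
    cloaked_pairs = []
    for i, a in enumerate(families):
        for b in families[i + 1:]:
            ratio = SequenceMatcher(None, text_by_family[a], text_by_family[b]).ratio()
            if ratio < threshold:
                cloaked_pairs.append((a, b, round(ratio, 2)))
    scareware = sorted(
        fam for fam, text in text_by_family.items()
        if any(marker in text for marker in SCAREWARE_MARKERS)
    )
    if cloaked_pairs and scareware:
        verdict = "cloaked scareware"
    elif scareware:
        verdict = "scareware"
    elif cloaked_pairs:
        verdict = "cloaking"
    else:
        verdict = "clean"
    return {"families": families, "cloaked_pairs": cloaked_pairs,
            "scareware_families": scareware, "verdict": verdict}


# Constructed sample data: three scanner identities, three browser-specific fake
# warnings for the rogue site, and one page a benign site returns to everyone.
SCANNER_AGENTS = {
    "Firefox": "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6",
    "Chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "IE": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
}
ROGUE_TEMPLATES = {
    "Firefox": "<html><head><title>Suspected attack site</title></head><body>"
               "<p>Firefox has blocked this page. Your computer is infected! "
               "Download antivirus now.</p></body></html>",
    "Chrome": "<html><head><title>Dangerous site ahead</title></head><body>"
              "<p>Google Chrome has detected a threat. Threats found on your PC. "
              "Download antivirus to clean them.</p></body></html>",
    "IE": "<html><head><title>Internet Explorer security alert</title></head><body>"
          "<p>Internet Explorer has found spyware. Your computer is infected. "
          "Download Windows 7 antivirus.</p></body></html>",
}
ROGUE_FALLBACK = ROGUE_TEMPLATES["IE"]
BENIGN_PAGE = "<html><body><h1>Welcome to Example Corp</h1><p>Our quarterly report is out.</p></body></html>"


def scan(fetch) -> dict:
    """Fetch one URL once per scanner identity and report. `fetch(ua)` returns a body."""
    return cloaking_report({ua: fetch(ua) for ua in SCANNER_AGENTS.values()})


def scan_rogue_site() -> dict:
    return scan(lambda ua: serve_landing_page(ua, ROGUE_TEMPLATES, ROGUE_FALLBACK))


def scan_benign_site() -> dict:
    return scan(lambda ua: BENIGN_PAGE)


if __name__ == "__main__":
    print(scan_rogue_site())
    print(scan_benign_site())
```

The comparison is done on visible text rather than raw HTML because a site may legitimately vary markup (ad slots, analytics snippets) per browser; what should not vary is the message. In a real scanner the `fetch` callable would issue the HTTP request with the given User-Agent header, and the threshold should be tuned against known-good sites before it is used to alert.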
A user who goes on to download the offered "Windows 7 antivirus" is in fact installing MSIL/Zeven itself. The rogue software appears to have all the features of a real antivirus scanner: scanning for viruses, updating malware definitions and configuring various security and privacy settings. In truth all of it is eye candy; none of it actually works.
As you might expect, the installed Win7 AV promptly "finds" malware, and the user is then told that an "upgraded" version must be purchased to remove it. Needless to say, nothing useful is purchased; the entire operation revolves around tricking the hapless user into handing over credit card information.
As noted by this blog entry on the Microsoft Malware Protection Center:
As usual with rogue scanners, although it "found" malicious files, it claims it cannot delete them unless you update. That implies that you need to pay for the full version, which has the ability to download updates. However, these files are totally bogus; no such files exist on the user's computer.
Microsoft did not elaborate on how victims are first steered to the scareware pages. Note that no software vulnerability is needed for the infection itself: the rogue is installed because the user runs the offered download. Users should nonetheless make sure they run a genuine antivirus solution and keep its definitions updated, so that a known rogue is caught when it lands on disk.
This malware is particularly insidious in the way it borrows the UI design of legitimate products such as Microsoft Security Essentials to gain users' trust and raise its conversion rate. While there is nothing novel in the modus operandi, copying legitimate applications' warning dialogs and the design of real websites adds a strong social-engineering angle to this threat.
Indeed, I believe that the above combination has the potential to successfully trick even computer users who are savvier. The truth is that companies are failing in their social-engineering security, and it has become imperative that more resources be dedicated toward briefing employees on new attack vectors, and also toward teaching them the relevant skills to be more "Internet smart."