Earlier today I warned you about a third-party Facebook application called “Error Check System” that has been moving in mysterious ways on the social network.
Naturally, a lot of people will have been searching for information about “Error Check System” and if you were to enter the name of the application into Google you would probably see results something like this:
If you click on that first result you’ll be taken to a webpage which appears to contain links about “Error Check System”, but also contains code that loads an obfuscated script from another website.
That encrypted script checks to see whether you have arrived via search engine. If you haven’t, it displays a fake 404 page not found message. But if it does believe you have arrived via a search engine like Google it will redirect your browser to another website which initiates a fake anti-virus scan.
The fake scan is designed to scare you into believing that your computer is infested with malware, and tries to frighten you into making some bad decisions.
Sophos detects the malware the fake anti-virus product attempts to install as Sus/FakeAV-A and Troj/FakeAV-LL.
The worry is that in many people’s rush to find out more about the suspicious application’s behaviour on Facebook they may well run straight into a scareware author’s trap.
But there’s another interesting question that should be asked (thanks to @itf for suggesting this). Is it possible that the original Facebook application was actually a red herring, and the real dangerous payload came from people Googling for information?
The jury’s still out – but it’s interesting isn’t it?
