A new adware family changes the contact details of legitimate security companies in search results to promote tech support scams.
Dubbed Crusader, the adware is often installed as part of nuisanceware and free software bundles, downloading itself as a free browser extension for Chrome, a Firefox add-on, and an Internet Explorer Browser Helper Object.
When executed, the malware requests permissions to read and change the information on websites you visit, and should the user grant permission, their entire internet traffic is at risk of exploitation or manipulation. As described by Catalin Cimpanu, Crusader pulls instructions from a configuration file downloaded after a user is infected, as well as on PC boot-up. The file was discovered on a server based in India, and through it the operator can instruct the malware to show popup adverts, insert banner ads on top of websites, replace existing banners, and redirect users to specific URLs.
Should a user input specific keywords into a search engine, for example, "Quickbook support," Crusader will display pop-ups or adverts leading to fraudulent or malicious domains dictated by the operator. An example extract of the configuration file directs Crusader to open a new window to amazingdeals.online every time the user attempts to access the legitimate UK Amazon domain.
One of the most interesting aspects of Crusader, however, is the range of settings which prompt Crusader to spy on and replace the contact numbers for a number of security product developers and technology firms.
Should a victim type "Dell support number" or "Norton support number," then these keywords are picked up and the phone numbers are replaced with details leading to call centers where operators will pretend to be from these companies -- potentially leading to the 'representatives' persuading victims to hand over account and bank details, or even install additional malware on their system.
There is no limit to how many redirects and rewrites Crusader can perform in this way. "This is both a self-defense mechanism and a marketing tool," an expert says. "We presume more options could be added to target other antivirus vendors." Crusader appears to still be in the testing and development stage, as the malware's code contains multiple references to "demo," as well as placeholder settings.
If you often download free software that comes in a bundle format, you need to be aware that nuisanceware and adware may be part of the deal. In order to support free software, developers will often strike deals with third-party software providers to create downloadable bundles, but you should always check to see what it is you are agreeing to -- and uninstall or refuse to download any extension or software add-on which looks suspicious.
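One way to check which installed extensions hold the "read and change the information on websites you visit" level of access described above is to audit their manifest files for all-site host patterns. The script below is an added example, not code from the article or from Crusader's analysis; the sample manifests and their names are constructed, and the directory to scan is passed by the user.

```python
import json
import sys
from pathlib import Path

# Match patterns that give an extension access to every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def broad_host_access(manifest):
    """Return the manifest entries that allow reading/changing all pages."""
    if not isinstance(manifest, dict):
        return []
    reasons = []
    for key in PERMISSION_KEYS:
        for perm in manifest.get(key) or []:
            if isinstance(perm, str) and perm in BROAD:
                reasons.append(f"{key}: {perm}")
    for i, script in enumerate(manifest.get("content_scripts") or []):
        matches = script.get("matches", []) if isinstance(script, dict) else []
        for pattern in matches:
            if pattern in BROAD:
                reasons.append(f"content_scripts[{i}].matches: {pattern}")
    return reasons

def audit_extensions(root):
    """Scan every manifest.json under root; map extension folder -> findings."""
    findings = {}
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):   # unreadable or malformed manifest
            continue
        reasons = broad_host_access(manifest)
        if reasons:
            findings[str(path.parent)] = reasons
    return findings

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 2, "name": "constructed-sample-toolbar",
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "constructed-sample-notes",
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    # Usage: python audit.py <path to the browser profile's extensions folder>
    for folder, why in audit_extensions(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(folder, "->", "; ".join(why))
```

A finding is a prompt for review, not proof of adware: many legitimate extensions, such as ad blockers and password managers, request the same all-site access.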