The scam is spreading through malicious links abusing the goo.gl URL shortening service. According to Kaspersky Lab, the malicious links redirect users to different domains with an ‘m28sx.html’ page. That HTML page redirects users to a static domain with a Ukrainian top-level domain. From there, blogged Kaspersky Lab Senior Malware Researcher Nicolas Brulez, the domain redirects the user to an IP address pushing fake anti-virus.
“Once you are on this website,” Brulez blogged, “you will get [a] warning that your machine is running suspicious applications and you are encouraged to scan it… The user is invited to remove all the threats from their computer, and will download a fake Anti Virus [sic] application called ‘Security Shield’.”
It can be trouble when you don’t know where the link you’re clicking will take you, but it’s even worse trouble to let any random website “scan” your computer and install software to help you “fix” whatever it found.
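The redirect chain described above (shortened link, intermediate HTML page, static domain, bare IP address) can be checked for on the defender's side. The following is an added example, not code from Kaspersky Lab or the original article; it assumes the ordered list of URLs for one click has already been recovered from proxy logs or a sandboxed browser, and every hostname, path and address in the sample data is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# The article names goo.gl; other shorteners would be added here (assumption).
SHORTENERS = {"goo.gl"}

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_chain(hops):
    """Return findings for one click; hops[0] is the link the user clicked."""
    hosts = [host_of(u) for u in hops]
    findings = []
    if hosts and hosts[0] in SHORTENERS:
        findings.append("starts-at-shortener")
    # Count how many times the chain moves to a different host.
    changes = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if changes >= 3:
        findings.append("three-or-more-host-changes")
    if hosts and is_ip_literal(hosts[-1]):
        findings.append("lands-on-ip-literal")
    return findings

def should_block(hops):
    """Block when a shortened link ends on a bare IP address."""
    found = assess_chain(hops)
    return "starts-at-shortener" in found and "lands-on-ip-literal" in found

# Constructed sample chains (placeholder hosts and a documentation-range IP).
SCAM_LIKE = [
    "http://goo.gl/EXAMPLE",
    "http://compromised.example/m28sx.html",
    "http://static.example.ua/",
    "http://203.0.113.7/scan",
]
BENIGN = ["http://goo.gl/EXAMPLE2", "https://www.example.org/article"]

if __name__ == "__main__":
    for name, chain in (("scam-like", SCAM_LIKE), ("benign", BENIGN)):
        print(name, assess_chain(chain), "block" if should_block(chain) else "allow")
```

The intermediate hops here are HTML-level redirects, so an HTTP `Location` trace alone may not show them; the hop list has to come from a source that records page-driven navigation.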