The agitation in the voice on the phone shook me from sleep early Saturday morning: My Uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.
Most security professionals don’t need any further information to know what happened and that it wasn’t the McAfee installation firing these apparent anti-virus (AV) alerts. Instead this was a web dialogue with animations masquerading as the Windows My Computer screen and an AV dialogue. Accepting the download led to a malicious software installation and payment screen, a scam commonly referred to as scareware. Scareware is software sold or downloaded by creating a perception of a threat to the user, playing off that user’s fear and anxiety of viruses and spyware infecting his or her computer. The real McAfee estimates that worldwide scareware scams have raked in profits of more than $300 million annually, with a meteoric growth rate of 660% for infections over the past two years. There were about 142 scareware product variants in 2004; 110 new variants were tracked in just the first two months of 2010.
The software, originally spread through classic methods such as spam, has moved on to more sophisticated attacks: providing links to infected web sites through popular social media content such as Twitter, YouTube, and Facebook, feeding a corrupted advertisement into an ad network for web sites, and poisoning search results, a technique called Search Engine Optimization (SEO) poisoning.
This last attack, SEO poisoning, was what infected my Uncle: a web search was poisoned with results from compromised legitimate web sites. By creating content with popular terms and linking back to it from legitimately ranked sites, attackers subvert the rules search engines like Google use to prioritize results. The video below demonstrates the effect with search results that showed up on the first page of Google results shortly after the earthquake in Haiti:
This rogue anti-virus/spyware software is distributed through a complex network involving around fifty known companies at the top building and distributing software to affiliates who earn rewards for successful sales. The companies at the top of this scheme operate at times with such impunity that their executives are bold enough to have professional profiles on the business networking site LinkedIn.
In October of 2008 one of these networks was mapped out when a hacker named Neon broke into a computer housing accounting information for a Russian company called Bakasoftware. This company gave solicited affiliates access to an online control panel offering varied methods of infecting computers. Affiliates could earn from 58% to 90% commission on sales of the rogue software.
At times creative bonuses are involved: one contest by a site called TrafficConverter.Biz offered a $36,000 Lexus to the top affiliate. In 2008, the top five affiliates in the Russian Baka Software Gang averaged weekly commissions of $107,604 according to documentation found by researcher Joe Stewart. When the Federal Trade Commission obtained a court order to stop Belize’s Innovative Marketing from selling rogue software, the firm had made approximately $180 million in a year through four million customers who purchased the software thinking it was real. There is probably no better metaphor though than the high-end Mercedes sedan once displayed on scam web site iframeCASH.biz, known to be similar to the model driven by its founder and scareware pioneer, St. Petersburg’s Andrej Sporaw.
My Uncle was mildly embarrassed by the entire episode, but should not be, because the techniques used to propagate these scams have become so advanced that the educated and computer-savvy among us are not immune. The software replicated the logos and the look and feel of the anti-virus he knew he had installed. The sophistication of these schemes has risen alongside the profit available to be made. He shared the impression of many Internet users: as long as he had his anti-virus software installed, kept Windows updated, didn’t open strange e-mails, and stayed away from strange web sites, he would be safe using the Internet. When legitimate web sites are compromised with scripts launching fake AV dialogues, these rules do not apply. Such methods have led to an estimated one million victims of scareware per day worldwide.
Fortunately in my Uncle’s case he was able to cancel the credit cards involved and clean up the PC before experiencing any problems. Others have had their PCs hijacked, with the rogue software preventing updates to legitimate software, locking up the PC, preventing uninstallation, installing malware, and generating a constant stream of pop-ups in the web browser.
How do you avoid the scam? Remember that no legitimate anti-virus company will perform an unsolicited scan of your computer and ask for payment to correct issues identified. Close out of the browser when you see such a dialog come up. Run scans with your legitimate anti-virus and anti-spyware solutions on your PC (before you get too frustrated, remember that these installations are designed to work around anti-virus). Finally, consult with a colleague who has experience in dealing with information security problems.
Information technology folks are usually willing to help; they know that when you work in technology you will always be your own family’s private help desk, a little like how the family doctor is always stuck giving everyone medical advice.