Scare Tactics
By Robert Lemos

Molly Redden had just finished her 10-page English paper when a pop-up dialog box leapt to the front of her screen: "Alert! Your system is infected," it warned.

A sophomore at Georgetown University, Redden had been working late on a Saturday night, finishing up a paper for the next week's class. Now, a window listing dozens of viruses covered her desktop, and a dialog box asked her if she wanted to proceed with removal. She clicked "Yes." Yet when the software asked her to pay $49.95 to clean her computer, she knew something was wrong.

"I didn't enter my credit-card number -- it was immediately clear that it was a virus," she says.

Welcome to the world of rogue security software. Sometimes called "scareware," the online scam uses pop-up advertisements to frighten computer users into buying a fake security program to clean their systems of fictitious threats. In reality, the program does little or, in the worst cases, infects the user's computer with malicious software, such as programs that record the user names and passwords of a victim's financial accounts.

It's a racket that has become increasingly popular in the past year. The number of rogue security programs took off late last year, jumping to more than 9,000 in December from around 2,500 in prior months, according to a report released by the Anti-Phishing Working Group in March. And Microsoft found that of the top 25 threats it detected on computers worldwide in the second half of 2008, a third had some connection to rogue security software.

$150,000 in ten days

The popularity is driven by sky-high profits for the groups that create the software and for their affiliates, who find ways of tricking consumers into buying the programs. An investigation into one group of scammers by security firm Finjan found that, over a 16-day period, 1.8 million people were directed to a website selling fake security software.
The people who helped direct potential victims to the site, known as affiliates, made a total of more than $10,800 a day, according to data found on a server used to manage the scam. In another investigation, carried out by security firm SecureWorks, a Russian group of fraudsters known as Baka Software -- the makers of the fake security program that infected Redden's computer -- paid one affiliate more than $150,000 for installing the software on almost 155,000 computers in a ten-day period. Other researchers have confirmed that cybercriminals can make six-figure incomes on a monthly, and sometimes weekly, basis using scareware tactics.

"Scareware is fast money," says Bulgarian researcher Dancho Danchev, who has extensively studied cybercrime. "(It's) a win-win situation for cybercriminals capable of converting the traffic that they hijack into hard cash."

Fear and trust

The programs take advantage of people's fear of the Internet and their trust in consumer security software. Each rogue security program looks like legitimate software, using a color scheme similar to Windows, a trusted logo, or a name that resembles the security applications sold by major security companies, such as Symantec and McAfee. Antivirus XP 2008, the program that infected Redden's computer, contains graphics similar to Microsoft's security programs. Others take names that resemble popular security software, such as Antivirus 360, which apes Symantec's Norton 360 product, and MS Antivirus, which uses the common abbreviation for Microsoft.

"Legitimate antivirus and antispyware programs have familiar, relatively consistent user interfaces and behaviors that have evolved over a number of years and that users tend to trust," Microsoft noted in its latest Security Intelligence Report, which the company releases twice a year.
"Rogue security software authors have long attempted to exploit this trust by giving their programs generic, anodyne names, like 'Antivirus 2009,' and making them resemble genuine security software in many ways."

Moreover, scareware will pop up in the least expected places: on trusted sites, in major search engines such as Google, and on social networks such as Twitter and Facebook. Affiliates use search-engine optimization techniques so that certain popular keyword searches return, on the first page of results, a link to a website hosting the fraudulent advertisements. Sometimes, affiliates are able to get the links included in advertisements on legitimate sites. The rogue software uses features of your Web browser -- such as hypertext markup language (HTML) and JavaScript -- to create pop-up windows that appear to be scanning your system. Click on the ad, and you are brought to a malicious site that infects your computer.

Attacking the threat

Security firms and consumer watchdogs are not ignoring the threat. Last September, Microsoft and the attorney general's office for the state of Washington sued the unknown makers of several scareware programs, including Antivirus 2009, MalwareCore, Registry Cleaner XP, Scan & Repair, and WinSpywareProtect. In December, the Federal Trade Commission sued three men and their companies -- which used a variety of names, including Innovative Marketing, BillingNow, Synergy Software, and WinSolutions FZ -- for using deceptive scareware and causing injury to consumers. More than one million consumers purchased the fake products for $39.95 or more, according to the court filings.

Finding the companies that profit from the fraudulent software is difficult, however. In the case brought by Microsoft and the attorney general of Washington state, most of the defendants are listed as "John Doe" because the attorneys do not yet know their identities.

The best way to avoid getting infected is to educate yourself.
Your efforts should include:

1. Keep your systems patched.
2. Learn how to recognize a real alert from your computer's security software.
3. Use a browser plug-in that detects malicious sites (try plug-ins like Symantec's Phishing Protection, Finjan's SecureBrowsing, or McAfee's SiteAdvisor).

"We're getting the word out about this," says Rowan Trollope, senior vice president of Symantec's consumer products group. "The solution here is education -- know your security software, know what it looks like, and don't fall for something that looks similar. Most of these criminals aren't very smart or savvy, and the scareware they create is easy to spot."

The Federal Trade Commission has published a Consumer Alert that gives tips to computer users.

Those victims whose computers become infected with fake security software will have to undergo an arduous process to clean the nooks and crannies of their systems of the telltale code left behind by the programs. Redden, the Georgetown University student, estimates she spent 14 hours cleaning her computer of the software. The process was made more difficult by cybercriminals who blocked access to sites that have tools and information about how to clean malicious software from computers.

"If I tried to download something, it would stop me, so I had to get off the Internet," Redden says. "It was pretty arduous."

Robert Lemos is an award-winning technology journalist of more than 13 years, focusing on computer security, cybercrime, and enterprise issues. Mr. Lemos' work has appeared in BusinessWeek, San Francisco Chronicle, SecurityFocus, PC Magazine, PCWorld, USA Today, Wired News, Technology Review, ZDNet, and websites including CNET News, CIO, and The New York Times.