Making Millions With Scareware

Wired Magazine - How Two Scammers Built An Empire

If you’ve ever wondered what motivates the creators of malware, read Benjamin Wallace’s fascinating article over at Wired.com, “How Two Scammers Built An Empire Hawking Sketchy Software.” It’s the story of two run-of-the-mill scam artists who turned scareware into an underworld empire that brought in hundreds of millions of dollars.

Scareware is a good term for the windows you may have seen popping up from poisoned web sites, claiming that your computer has been hijacked and pretending to run a scan that finds awful things that need to be cleaned up, then offering to take care of the problem if you will just click the big OK button and enter a credit card number. The “scan” is an animation drawn by the web page; nothing has actually examined your computer. There are thousands of variations on what happens next. In many of them, the computer is effectively disabled if you click on anything (although the links for entering credit card information always work). If you supply a credit card number, and many people are fooled into it, you’re hosed; the next stop is one of those ugly trips to the bank to cancel the card before the bad guys have a chance to load it up with charges. (And if it even occurs to you to think that your computer will go back to normal after you give up a credit card number, you’re seriously missing the point. These are bad people.)

The Wired article focuses on the duo who were among the first to treat scareware as a business, after they recognized its potential when the Blaster worm appeared in 2003. Their company, IMI, went to work full-time poisoning web sites and distributing scareware.

Over the next few years, imitators sprang up. Soon, computer users were besieged by terrifying alerts from all kinds of purported antivirus software vendors. This genre of software, widely called scareware, has become the Internet’s most virulent scourge. By 2009, an average of 35 million computers were being infected by scareware every month, according to a study by software developer Panda Security. “Scareware is still the most promising way of turning compromised machines into cash,” says Dirk Kollberg, a senior threat researcher at security firm Sophos. And until recently, IMI was the Google of scareware, exploding over just a few years from a small group of housebound hackers into an international juggernaut, a sophisticated enterprise with hundreds of employees and offices on four continents. It had telephone support centers in Ohio, Argentina, and India and marketed its products under more than 1,000 different brands and in at least nine languages. From 2002 to 2008, IMI brought in hundreds of millions of dollars in profit.

IMI was taken out of commission in 2009, but by that time the malware business had become so large that its absence barely caused a ripple. There was a brief reprieve this summer after some high-profile arrests, but now I’m getting new reports of phony security windows popping up from links in Google searches, from links in dubious email messages, and from virus email attachments.

The trick is not the software that makes phony windows appear on your screen. The trick is the social engineering that fools you into thinking you need to do something. If phony security warnings stop being effective, the bad guys will switch to something else. I haven’t seen them, but there are reportedly already scareware packages claiming that child porn has been found on your computer (complete with thumbnail images), or listing embarrassing web sites purportedly visited on the computer, with vague threats of “high risk to your career and marriage.” The article points out that social networking is ripe for attack – watch for misleading posts on Facebook or bogus links to real or fictitious gossip items in the news.

Let’s list a few of the Rules For Computer Safety – and let me again encourage you to print them out and tape them to your refrigerator, or your child’s forehead, or wherever they’ll do the most good!

  • If a web site brings something up on your screen that might be malware, turn your computer off with the power button. Get your hands off the mouse and do not click on “OK,” “Cancel,” or the X in the upper right corner! The phony window is drawn by the attacker’s web page, so every button in it, including the ones that look like Cancel or Close, does whatever the attacker decided it should do. Anything that you click might lower the defenses on the computer and install malware.
  • Antivirus software and UAC (the Windows User Account Control prompt) will not always protect you against malware if you click OK at the wrong time. The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse. Use your common sense. Read and think before you click OK.
  • Don’t click on links to web sites unless you know exactly where you’re going.
    • Follow links with carefree abandon to and from legitimate sites, but don’t click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site.
    • Don’t click on links in email messages unless you deeply trust the judgment of the person who sent the message.
    • Don’t click on links in forwarded messages.
    • Shortened links are becoming popular on Twitter, Facebook, blogs, and social networking sites. You can’t tell where they lead by looking at them. Don’t follow them unless you trust the person who created the link. (Ed Bott has an article today about a URL shortener run by McAfee that turned up in a yucky spam comment. McAfee and the other URL shortening services don’t check the bona fides of a link! Just because a shortened link has “McAfee” in it – http://mcaf.ee – doesn’t make it safe!)
    • Just because something is listed in a Google search doesn’t mean it’s safe. Make a judgment about where you’re going before you click.
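The shortened-link rule above has a practical counterpart for the technically inclined: you can find out where a short link leads without ever loading the final page, by asking each hop for its redirect target and refusing to follow it automatically. The script below is an added example written for this post, not code from the Wired article or from any shortening service. It sends HEAD requests with redirects disabled, walks the chain one Location header at a time, and stops on a loop or after too many hops. The shortener host list is illustrative, and the redirect chain used for the offline demo is constructed with made-up hostnames.

```python
"""Expand a shortened URL hop by hop without visiting the destination page.

Added example for the post above; not part of the original article.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Illustrative list of shortener hosts (assumption: extend it for your own use).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "mcaf.ee", "ow.ly", "is.gd"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_shortened(url: str) -> bool:
    """True if the URL's host is a known link shortener."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib not to follow 3xx responses, so each hop is inspected by us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def http_head(url: str):
    """Real fetcher: one HEAD request, returns (status_code, headers_dict).

    Network errors propagate to the caller. A 3xx surfaces as HTTPError because
    redirects are disabled; its headers still carry the Location we want.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "link-checker/1.0"}
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def expand(url: str, fetch=http_head, max_hops: int = 10):
    """Walk the redirect chain starting at url.

    Returns (chain, reason): chain is every URL seen, first to last; reason is
    "final" (last entry is a non-redirect), "loop" (a hop pointed back into the
    chain), "too_many_hops", or "missing_location" (3xx with no target).
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, "final"
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location is None:
            return chain, "missing_location"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain, "loop"
        chain.append(nxt)
    return chain, "too_many_hops"


def hosts_crossed(chain) -> list:
    """Distinct hostnames in order of appearance; useful for eyeballing a chain."""
    seen = []
    for u in chain:
        h = (urlparse(u).hostname or "").lower()
        if h not in seen:
            seen.append(h)
    return seen


# Constructed sample standing in for the network. Hostnames are invented.
SAMPLE_HOPS = {
    "http://short.example/x1": (301, {"Location": "http://tracker.example/r?id=7"}),
    "http://tracker.example/r?id=7": (302, {"Location": "/landing/security-alert"}),
    "http://tracker.example/landing/security-alert": (200, {"Content-Type": "text/html"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def sample_fetch(url: str):
    """Offline fetcher that answers from SAMPLE_HOPS instead of the network."""
    return SAMPLE_HOPS.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://short.example/x1", "http://loop.example/a"):
        chain, reason = expand(start, fetch=sample_fetch)
        print(reason, "->", " -> ".join(chain))
        print("   hosts crossed:", hosts_crossed(chain))
```

Run it as-is to see the constructed chains; replace `fetch=sample_fetch` with the default `http_head` to check a real link. The point of reading the chain rather than the final page is that the hop count and the hosts crossed (a shortener, then a tracker, then a “security-alert” landing page) tell you what kind of link it is before anything gets a chance to draw a phony warning on your screen.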

Be careful out there!