The never-ending unethical marketing practices that hackers carry out with malicious software have taken their toll on us. Scareware is one such class of malicious software, frequently used by cyber-criminals with the intention of cheating users. This article gives an insight into scareware and how it works.
Scareware has become the scourge of the Internet. Those deceptive promotions crafted to panic you into spending $30 to $80 for worthless antivirus protection can hit you just about anywhere you turn on the web. They arrive as booby-trapped web-links in e-mail and social network messages. They lurk hidden, and set to activate, when you click to popular, legitimate websites. And now scareware purveyors are embedding triggers in places you wouldn't expect: on advertisements displayed at mainstream media websites; amid search results from Google, Yahoo Search and Windows Live search; alongside comments posted on YouTube videos; and most recently, in "tweets" circulating on Twitter.
Scareware is becoming a dominating force. There are hundreds of criminals using every tactic they can think of to push these programs. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 583% increase in scareware programs.
Scareware: The Concept
Scareware comprises several classes of scam software, often with limited or no benefit, sold to consumers via certain unethical marketing practices. The selling approach is designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.
A tactic frequently used by criminals involves convincing users that a virus has infected their computer, then suggesting that they download (and pay for) anti-virus software to remove it. Usually the virus is entirely fictional and the software is non-functional or malware itself.
How Scareware Works
In the first instance, an advertisement appears on a web-page, trying to convince the unsuspecting user that his computer is at risk and that he has to download an anti-virus program to clean it. Once the user clicks on the advertisement, a software trigger is activated and the user is caught in an unnerving loop that is almost impossible to abort. A scanner window appears with red-letter warnings listing viruses purportedly infesting the hard drive. A series of dialogue boxes follows, offering choices that all lead to the same screen: a sales pitch. Make the purchase, and you get a bogus inoculation. Try to cancel, and you get repeated offers. It's like stepping into quicksand: the more you try to get out, the deeper you sink.
In brief, the scareware trickery ensnares internet users in the following steps:
- Criminals buy blocks of advertisement space on websites, intermittently slipping in a tainted advertisement.
- Just visiting a webpage with a tainted ad causes a fake warning box to appear.
- Clicking "OK" or "Cancel" launches the same thing: a "free scan."
After you've been lured into a fake "free" scan of your PC:
- The bogus scan purports to find a virus infestation.
- Ensuing boxes steer the user to activate "Personal Antivirus."
- The activation prompts take the user to a shopping cart.
- Declining to place an order triggers endless fake scans.
How it all began
Scareware has been a prominent part of the Internet since 2004, when a cybergang based in St. Petersburg, Russia, launched the iframecash.biz website and began offering commissions to anyone who helped them spread the SpySheriff fake antivirus program. Hackers began to taint legitimate websites so that pop-up ads for SpySheriff would launch on the PC of anyone who visited a corrupted web-page.
That simple arrangement has evolved into a steadily growing industry that marked a banner year in 2008. According to The Anti-Phishing Working Group, by the end of 2008, more than 9,200 different types of scareware programs were circulating on the Internet, up from 2,800 at midyear.
Security experts say that the scareware programmers are indeed very innovative and they're constantly looking for newer and easier ways to make money.
Scareware Delivery Options
Scareware is delivered to unsuspecting users through various websites. One can only wonder at the destructive creativity of scareware creators and their malicious code.
The cutting-edge scareware marketing campaigns are being delivered via:
YouTube and Twitter: The scareware creators sign up for a handful of new YouTube or Twitter accounts. In the case of YouTube, crooks in 2009 used about a dozen new accounts to begin posting comments on 30,000 videos. The comments enticed users to click on a link that triggered a scareware promotion.
In a variation of this ploy, crooks in late May 2009 created new Twitter accounts and began broadcasting tweets declaring "Best video" with a Web link of http://juste.ru. Clicking on the link launched a sequence that replicated the message to everyone on the victim's friends list, then launched a scareware promo.
Search results: The crooks create malicious web-pages and fill them with words and phrases that are likely to be popular search queries, such as "American Idol winner" or "NCAA tournament bracket." In the next stage, they insert tiny copies of their bad links on popular, legitimate websites that don't do a thorough job of preventing such hacks.
Search Engine Optimization (SEO) then takes over. SEO is the set of techniques that influence how relevant a search engine judges a web link to be for a given query. By embedding a malicious link on a popular website, the hackers imbue their own web-page with high relevance. So when the legitimate website turns up as the No. 1 or No. 2 result for a popular search query, their bad link turns up as the No. 4 or No. 6 result. Anyone who clicks on the bad link gets a scareware pitch.
Online ads: The bad guys purchase blocks of advertisement space on popular websites through a legitimate advertisement agency. In the next phase, they instruct the advertising agency to begin posting innocuous advertisements. To avoid detection, they only sporadically feed a corrupted ad into the mix. The bad ad looks safe, but carries instructions to route anyone who clicks to a scareware pitch. This is one of the most common attacks we see every day.
Amazing Bounty
Powerful incentives drive scareware creators. Security researchers say the industry is run by no more than a dozen or so top-level suppliers orchestrating the activity of several hundred "affiliate" distributors.
The top-level groups supply bogus scanners and cleanup tools - actual software - and collect payments and pay commissions. Bonuses can be generous. Researchers said that one top supplier, for instance, last year ran a contest offering a $36,000 Lexus sedan to the top-selling affiliate. The top-level groups incentivise the affiliates and don't get their hands dirty. If they get any complaints, they can just blame the affiliate.
Top-level groups typically work with 100 or more affiliates, who can earn commissions many different ways. In 2008, a researcher infiltrated a Russian group known as the Baka Software gang. He accessed documentation showing one affiliate earned $146,525 in 10 days by spreading promotions for a worthless program, called Antivirus XP 2008, to more than 154,000 people, and closing sales to 2,772 of them. Another record showed five top Baka Software affiliates earning weekly commissions averaging $107,604.
Security researchers say that the top-level suppliers continue to operate with impunity, mainly based in Russia. And new affiliates crop up every day, full of fresh ideas to spread increasingly invasive promotions. Researchers say that the sheer amounts of money involved in installing just one rogue program are mind-boggling.
How to Deal with Scareware
To avoid being targeted by scareware, employ a pop-up blocker configured to block third-party sites. If you are using Windows XP SP2, upgrade to SP3 or disable Windows Messenger (not Windows Live Messenger), as it can be an entry point for malicious scripts. If you want to use an online scanner, look for recommendations from reputable sources on the internet. Better yet, download a reliable scanner and run it from your hard drive.
If you come across scareware, the following simple step can be followed:
- If you see a warning box that looks fake: hit Ctrl-Alt-Del to access Task Manager, click the Applications tab, scroll to the dialogue box, and click "End Task." This forces the warning box to close without clicking any of its own buttons.
A Brief Conclusion
Security experts predict that as scareware continues to escalate, public pressure for relief from deceptive promotions will increase. Security researchers say that more public-awareness campaigns and tighter controls are needed to curtail scareware. Customers' trust is at risk and, as always, it is the end-users who suffer.
—By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specialising in Computer System Security. He has an active interest in designing security algorithms for securing mission-critical systems. He can be reached at infosecurity@fanaticmedia.com