It’s better to be safe than sorry, the saying goes. But sometimes the promise of safety lures unsuspecting victims into more danger. Certified Fraud Examiners need to know about scareware, the latest evolution in the malware market.
Sarah Jinn is an intelligent, young professional who, like most of us, uses computers daily at work and at home. She is proficient with the Internet and is well aware of common Web-based scams such as phishing and spam schemes. However, recently Sarah received a warning notice while browsing the Internet that her computer was infected with a dangerous virus. The notice included a suggestion that she download a free trial version of a new software security suite to remove the virus. She did so, but the suite didn’t fix the problem. Instead, Sarah discovered the trial version of the security suite couldn’t remove the virus until she bought the full version.
In the meantime, she started getting bombarded with online advertisements and security warning pop-up windows informing her that her computer’s data wasn’t secure. Moreover, several of her favorite software programs stopped running correctly. Frustrated, Sarah decided to pay the $40 subscription fee to get a full version of the security suite. Unfortunately, her computer continued to malfunction, even with the full version installed.
This is the beginning of a typical scareware scam. While Sarah’s case is fictional, it is based on the experiences of real victims, including family members of one of the coauthors of this article. In addition to gaining access to the victim’s credit card information during the security suite purchase, scareware hackers also can gain access to a victim’s personal files and habits once the program is installed on the targeted computer. The scammers then can steal identities, transfer money from bank accounts, make fraudulent charges on credit cards and much more. In worst-case scenarios, scareware scams can have devastating repercussions for years to come.
WHAT IS SCAREWARE FRAUD?
What exactly is scareware fraud, and why is it so dangerous? According to Whatis.com, “Scareware is a type of malware designed to trick victims into purchasing useless and potentially dangerous software.”1 Scareware also is known as “rogue scanner” software or “fraud-ware.”2 According to the U.S. Federal Trade Commission (FTC), it is “a type of malware that uses fear to achieve some sort of user action. Usually, scareware is used to exhort money from the user, but this is not always the case. Sometimes, frightening the user into downloading the software is the end goal.”3
Scareware frightens victims into taking action by sending false warnings that their computers are at risk and then offering a malicious program disguised as the perfect anti-virus solution.4
The malicious programs typically display as pop-up warnings resembling Windows operating system messages. These messages purport to come from anti-virus or anti-spyware programs, firewall applications or registry cleaners. The messages typically say that a large number of problems — such as infected files — have been found on the computer and prompt the user to purchase software to fix the problems. In reality, no problems were detected, and the suggested software purchase might actually contain real malware. If the user falls for the scam, he will lose the money he paid for the useless software, and he might also make his computer unusable.5
What happens when the victim is convinced by the frightening scareware message on his computer screen and then, using a credit card, purchases and downloads the fraudulent anti-virus program from the con man? According to Larry Barrett, an Internet.com reporter, “once the transaction is processed, the warning or ‘nag-ware’ goes away and everything appears to be fine. But all the application did was remove the malicious warning code and, more than likely, turn your PC or mobile device into another botnet or drone to distribute more ‘dire’ warnings to other suspecting victims.”6 Additionally, the victim’s use of a credit card to purchase the software undoubtedly will lead to additional problems, including identity theft.
HOW WIDESPREAD IS SCAREWARE FRAUD?
According to the 2009 Consumer Sentinel Network Data Book, published by the FTC, Internet services ranked third and accounted for 6 percent of all reported fraud complaints. Of those reported complaints, more than 7 percent were directly related to spyware, adware and malware, which includes scareware.7 When considering these statistics, it is important to keep in mind that most victims do not report the attacks directly to the FTC or to any other law enforcement agency. As such, these statistics are significantly understated.
The creators of scareware scams are quite successful at tricking their victims. Paul Gil, a certified computer instructor and professional project manager, mentions that “these fake screens are often very convincing and will fool 80 percent of the users who see them. … Scareware and rogue scanners have become a multimillion-dollar scam business, and thousands of users fall for this online scam every month.”8
In an interview with computer security columnist Brian Krebs of The Washington Post, George Stathakopoulos, who is general manager of Microsoft’s Trustworthy Computing Group, Microsoft Product Security, and the Security Engineering and Communications Group, stated that “these rogue products can snare even experienced computer users.”9 In his discussion of the problem, Gil says that “preying on people’s fear and lack of technical knowledge, scareware products will bilk a person for $19.95, just by displaying a bogus screen of a virus attack.”10
TYPES OF SCAREWARE PROGRAMS
Scareware software programs include two main types: fake security software (also called rogue security software) and ransomware.
Fake Security Software
In a 2010 Google study, fake anti-virus software was ranked as the most common type of scareware, accounting for 15 percent of all malware detected.11 According to SC Magazine writer Daniel Long, “Aside from the inconvenience and potential damage they can cause for a user, fake security products are especially dangerous because they trick the victim into believing that they are protected from viruses and malware when, in fact, the opposite is true.”12
Along with extorting money from you, these programs might also install click trackers, key loggers, Trojans and ad-servers onto your computer.13 Long explains that “[s]uch malicious software is [then] used to collect and send personal data about the victim to a third party for use in fraudulent schemes, such as identity theft or banking fraud.”14 Additionally, they often prevent legitimate virus and malware protection from working properly. Perhaps the most annoying aspect of these deceptive programs is the lengths to which they will go to prevent you from uninstalling them.15
Fake security products are often quite sophisticated. To fool the potential victim, not only does the fake software attempt to blend into the user’s current system, but it often has a name similar to legitimate security products. For example, in Figure 1 (below), you can see how the fake security software screen design and name emulate the legitimate version or even improve upon it — making it look more legitimate than the real thing.
[Figure 1 is no longer available. — Ed.]
To familiarize yourself with some of the more innovative and convincing names of current scareware products, visit Paul Sylvester’s list on his blog. For an even more detailed list, along with screenshots of the various deceptive products and instructions on how to remove specific infections, visit 411-spyware.com.
Fraudsters have many ways of keeping their products fresh and relevant. According to Symantec, “rogue security software programs are often rebranded or cloned versions of previously developed programs. Cloning is often done because the original version has been exposed by legitimate security vendors. Cloning is, therefore, fueled by the hope that one or more of the clones will escape detection. This process sometimes involves nothing more than changing out the name, logos and images of a program while the program itself remains unchanged.”17
Microsoft has been diligent in helping its Windows customers rid their computers of the malicious software. According to Krebs at The Washington Post, in the last six months of 2008 Microsoft used its legitimate Malicious Software Removal Tool (MSRT) to remove seven of the top 25 malicious software families from Windows computers.
The malicious software was disguised under such names as AntiVirus2008, XPAntivirus, SpyWareSecure and WinFixer. The top-ranked malware program removed by Redmond’s MSRT was “killed” during Microsoft’s focused effort in 2008. It was a Trojan horse program (Win32/Renos) that downloaded the initial scareware installer program onto victim computers.18 This malware was removed “from more than 4.4 million Windows systems, an increase of more than 66 percent [in number of instances of malware removed] over the first half of 2008,” according to Krebs.19
Fake security software isn’t only a threat to those systems running Microsoft Windows. Mac OS users are also at risk, as demonstrated by scareware such as the Troj/MacSwp-B (also known as the MacSweep from Imunizator), which “tries to scare Mac users into purchasing unnecessary software by claiming that privacy issues have been discovered on the computer,” according to MacDailyNews.20
Ransomware
These types of scareware programs use fear to extort money from victims. Instead of pretending to be security software, these programs might accuse the user of committing a crime or threaten to remove a user’s access to a program or file if a fee is not paid.
For example, one ransomware program targets those who use “bittorrent,” or peer-to-peer programs. Once the program infects the computer, it pretends to scan for copyright violations. It then displays a professional-looking pop-up screen, informing the victim that stolen material was found on the computer. (See Figure 2 below.) The victim is given the choice of challenging the finding in court or settling the matter instantly by paying a $400 fine. If the victim refuses to pay up, the program continues to pop up every time the computer is restarted; it then locks up the victim’s desktop until the victim gives in and pays the alleged fine.21
[Figure 2 is no longer available. — Ed.]
Ransomware often holds personal files hostage by encrypting them to render them inaccessible to the rightful owner. The software then demands that the victim pay a fee or purchase a product to unlock the hijacked files.23 While currently not as common as fake security software, ransomware is a growing portion of the overall scareware threat.
A VERY PROFITABLE VENTURE
Scareware fraud schemes are profitable, which makes the creation and distribution of these malicious programs a serious business. Symantec found that many of these scams “appear to be run by highly organized groups or individuals who maintain an effective distribution network bolstered by multi-level marketing efforts.”24
Fraudulent software company Innovative Marketing, before its recent demise, set the tone for others to follow. USA TODAY reporter Byron Acohido wrote that court records showed Innovative Marketing bilked $163,167,539.95 with its scareware scam. The Ukraine-based company, which had hundreds of employees, charged victims $30 to $70 for its fraudulent software.25
A 12-month investigation by McAfee’s Avert Labs revealed the fraudulent operation was “as highly organized as any Fortune 500 company trading on the New York Stock Exchange.”26 Scams such as these use complex advertising and distribution strategies to hoodwink their victims. They also generate remarkable profit margins for the con artists. Scareware products, which retail for between $30 and $100, are most often “modular and comprised of re-usable components,” reducing “the time required to develop and deploy new scams.” This allows “different skills to be outsourced, such as the design of templates and social engineering angles.”27
Some scareware companies go so far as to create customer call centers in hopes of preventing dissatisfied customers from requesting refunds on their credit cards. This “help” often involves leading the victims to unwittingly disable their legitimate security software. Dirk Kollberg, a researcher for McAfee Inc., “spent hours listening to digitized audio recordings of customer service calls.”28 He observed that most customers were happy by the end of the call.29
As shown in Figure 3 (below), individuals who market this deceptive software are highly motivated, because they are often paid up to 55 cents per installation. They also get bonuses for reaching specific goals, “such as a 10 percent bonus for more than 500 installations per day and a 20 percent bonus for over 2,500 installations per day.”30 That only covers the immediate financial rewards for the direct distributors; it does not include the money the company owners earn through subscription fees.
[Figure 3 is no longer available. — Ed.]
Acohido reported that “powerful incentives undergird scareware. Security researchers say the industry is run by no more than a dozen or so top-level suppliers orchestrating the activity of several hundred ‘affiliate’ distributors. The top-level groups supply bogus scanners and cleanup tools — actual software — and collect payments and pay commissions. Bonuses can be generous. One top supplier, for instance, recently ran a contest offering a $36,000 Lexus sedan to the top-selling affiliate, says F-Secure senior researcher Mikko Hypponen. Top-level groups typically work with 100 or more affiliates, who can earn commissions many different ways. Last fall [in 2008], SecureWorks researcher [Joe] Stewart infiltrated a Russian group known as the Baka Software gang. He accessed documentation showing one affiliate earned $146,525 in 10 days by spreading promotions for a worthless program called Antivirus XP 2008 to more than 154,000 people and closing sales to 2,772 of them. Another record showed five top Baka Software affiliates earning weekly commissions averaging $107,604.”31
With mind-boggling profits like this, it is no wonder that scareware fraud is a worldwide threat. In the words of Panda Security researcher Sean-Paul Correll, “Scareware continues to flourish because it’s a highly profitable and sustainable business model. … Innovative Marketing is the only company to be taken down, and it obviously hasn’t stopped the threat yet.”32
THE INNOVATIVE MARKETING CASE
The mastermind behind Innovative Marketing was Shaileshkumar “Sam” Jain. The U.S. Department of Justice charged Jain and two key partners in 2008 with operating a mammoth scareware ring. The FTC, which prosecuted, won its case against Jain and his partners and put them out of business. Unfortunately, Jain fled the United States after posting bond; he is thought to be living in the Ukraine.
According to IDG News Service reporter Robert McMillan, Innovative Marketing operated under business names such as Burns Ads and NetmediaGroup, purchasing online advertising33 for “corporate entities like Major League Baseball, Priceline, Career Builder, the National Association of Realtors and eHarmony.”34 Unwitting consumers would click on these ads of well-known companies and then receive frightening pop-up messages about security breaches and come-on offers for fake anti-virus software. Of course, these well-known brands had no idea they were being used as pawns in the scam. Innovative Marketing generated more than $163 million in revenue in less than a year with this scheme.
According to Barrett, McAfee researchers examined Innovative Marketing’s portal servers, along with other public information. What they found gives us some insight into the thoroughness of Innovative Marketing’s operations.35
Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares. In 10 days, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.
Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they have moved on to new addresses.
It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers who were calling via VoIP connections. Believe it or not, the company recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers who exited were “happy” when the calls concluded.
Because it needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs’ pertinent data, including price and location. Most telling, there was a column that rated each ISP’s “abuseability,” i.e., whether or not the ISP would play ball and not ask questions.
The company added a whopping 4.5 million order IDs, or new purchases, in 11 months in 2009. With most of the phony applications selling for $39.95, that’s more than $180 million in less than a year.
Even though Innovative Marketing has been shut down, similar organizations have emerged to continue this horrendous fraud.
FRAUD RUN LIKE A BUSINESS
Scareware is a serious fraud that is bilking consumers worldwide out of millions of dollars. The organizations operating this scheme are run like Fortune 500 companies. They have a vast distribution system, and they train and pay their employees well to market their product efficiently.
Part two of this analysis will discuss 1) the various ways individuals encounter scareware scams and what happens when they click on contaminated links, 2) what to do when encountering the scam, 3) how to defend against it, and 4) what is being done by various states and the federal government to help control it.
Robert E. Holtfreter, Ph.D., CFE, CICA, is a distinguished professor of accounting and research.
Tiffany McLeod is a former student in Holtfreter’s fraud examination course. She graduated from Central Washington University in June 2010.
1 Whatis.com. “Scare-ware.”
2 Gil, Paul. “What is Scare-ware?” About.com. “Internet for Beginners.” February 2010.
3 Federal Trade Commission. “Free Security Scan Could Cost Time and Money.” FTC Consumer Alert. December 2008.
4 Gil, Paul. op. cit.
5 Whatis.com. “Scare-ware.” op.cit.
6 Barrett, Larry. “Focus 09: Anatomy of a Scareware Scam.” Internet.com, Oct. 8, 2009.
7 Federal Trade Commission. “Consumer Sentinel Network Data Book for Jan – Dec 2009.” February 2010.
8 Gil, Paul. op. cit.
9 Krebs, Brian. “Microsoft: Dramatic Rise in ‘Scareware’ Infections.” Security Fix column – Brian Krebs on Computer Security. The Washington Post. April 8, 2009.
10 Gil, Paul. op. cit.
11 Google Inc., “The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution.” Google Inc., 2010.
12 Long, Daniel, “Fake Antivirus: 5 Software Titles You Should Definitely NOT Install.” SC Magazine, Oct. 6, 2009.
13 “Symantec Report on Rogue Security Software – July 08 – June 09.” October 2009.
14 Long, Daniel, op. cit.
15 Symantec, op. cit.
16 www.bleepingcomputer.com/virus-removal/remove-security-essentials-2010; www.addictivetips.com/windows-tips/microsoft-security-essentials-review-with-screenshots/.
17 Symantec, op. cit.
18 Krebs, Brian. op. cit.
19 Ibid.
20 MacDailyNews.com. “Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users.” March 29, 2008.
21 Danchev, Dancho. “Copyright Violation Alert Ransomware in the Wild.” ZDNet Zero Day Blog. April 12, 2010.
22 Ibid.
23 Lanford, Audri & Jim. “Ransomware: How to Protect Yourself – Internet ScamBusters #182.” www.Scambusters.org.
24 Symantec. op. cit.
25 Acohido, Byron. “Scare-ware Ads Proliferate across Internet.” USA TODAY. June 7, 2010.
26 Barrett, Larry. “Focus 09: Anatomy of a Scare-ware Scam.” InternetNews.com. Oct. 8, 2009.
27 Symantec. op. cit.
28 Finkle, Jim. “Inside a Global Cybercrime Ring.” Reuters. March 24, 2010.
29 Ibid.
30 Symantec. op. cit.
31 Acohido, Byron. “Scareware’s Pitches for Fake Security Show Up in Odd Places.” USA TODAY. June 10, 2009.
32 Acohido, Byron. “Scareware Plague Continues Despite $163,175,539.95 Bust.” The Last Watchdog. June 7, 2010.
33 McMillan, Robert. “$100 Million ‘Scareware’ CEO was Already a Fugitive.” Network World. May 28, 2010.
34 Acohido, Byron. op. cit.
35 Barrett, Larry. op. cit.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.