Featured Article

Scareware Fraud, Part Two

Date: May 1, 2011

In part one, we defined scareware and its prevalence. In part two, we examine specific ways fraudsters lure victims, how to avoid infection, and legislation of this latest evolution of malware.

As Mark Saltillo worked on his computer, a message with a professional-looking security logo popped up, warning of corrupt files in his "My Documents" folder. The pop-up instructed him to download OnPoint Fix, which ended up encrypting his files so he couldn't read them. Multiple dialogue boxes then directed him to OnPoint Fix's website, and he used his debit card to buy the software's $75 fix. Days later, he checked his bank balance and discovered his account was empty. OnPoint Fix is one of many rogue security software packages, posing as "file repair applications," that not only infect computers but steal debit and credit card numbers. Saltillo was the latest victim of one of many forms of scareware.

Though this case study is fictional, as we discussed in part one, scareware fraud is a real, growing threat to all Internet users. Scareware fraudsters con millions of dollars from unsuspecting victims each year by taking advantage of their natural fears about online security. 

In part two, we will examine critical aspects of the scareware fraud problem, including (1) ways victims can encounter it and what happens when they click on contaminated links, (2) how to fix it, (3) methods to defend against it and (4) legislation to control it.

How can typical users protect themselves from these scareware scammers? The first step, of course, is to know the enemy.

HOW DO YOU TYPICALLY ENCOUNTER SCAREWARE?

According to a June 10, 2009, USA Today article by Byron Acohido, "Scareware's Pitches for Fake Security Show up in Odd Places," scareware typically reaches the consumer through online advertisements, Internet search results, and social networks such as Facebook, YouTube and Twitter.

Online Advertisements: Ads are by far the most common method of exposure and infection. According to the security software company Symantec, in the 2009 report, "Symantec Report on Rogue Security Software – July 08-July 09," web advertising was used in 52 percent of the attempted rogue security software scams. The Federal Trade Commission (FTC), in the article "Free Security Scan Could Cost Time and Money," from the December 2008 FTC Consumer Alert, explains that scammers buy legitimate-looking ads on reputable websites, which redirect unsuspecting visitors to other websites that perform fake security scans. Barrages of pop-up messages follow, which pressure users to download disguised malware. Of course, ubiquitous advertisements are difficult to avoid.

Internet Search Results: Scammers seek to manipulate search engines so that top results are actually links to fraudsters' sites. Savvy scammers take advantage of current interests by targeting common search patterns, such as the release dates of popular movies.1 The entry on the search page gives the impression that the tainted link is the perfect response to a query, but the user clicks on it and is snared. The target page is most likely blank or full of irrelevant nonsense. Clicking on the bad link usually triggers the appearance of an attack, which attempts to trick the viewer into downloading and/or purchasing fake security software in order to stop the attack.

Social Networks: Scammers often make entries and post comments on social sites such as YouTube or Twitter that lure users to follow fraudulent links, which unleash malware. Recently, a tainted link installed a program that locked up computers. Users had to buy a two-year license for $49.95 to unlock the other apps. A lifetime license cost $79.95, according to Acohido's USA Today article.

Fraudsters often use the common practice of shortened URLs on social sites to trick victims. According to Fred Langa, on www.windowssecrets.com, shortened URLs "are convenient and save space, but they can also be used to hide the identity of malicious sites."2 (A provider will make a web page available via an abbreviated URL in addition to the original longer address.) For example, a scammer will tweet about a "best video" with a web link. Victims click on the link, which sends messages to everyone on the victims' friends lists and launches scareware promos.3

In another method of attack, which one of the authors of this article has experienced, the malicious software bundles itself with legitimate software or uses a virus such as Conficker to enable installation.4 For example, some viruses hijack users' browsers and redirect them to the fake security software's website whenever they try to visit selected sites about computer security. Users attempt to download a supposedly legitimate security product only to end up further infecting their computers. Often, the false site looks legitimate enough that the users are unaware of the substitution. The actual attack can occur via downloaded software, email links and other methods because it often uses other software as a starting point for infection.

TRICKS OF THE TRADE

Common scareware tricks that lure victims include: 

  • Ads that promise to delete viruses or spyware, protect privacy, improve computer function and remove harmful files or clean registries. 
  • Alerts about malicious software or illegal pornography on computers. 
  • Invitations to download free software for a security scan or to improve computer systems. 
  • Pop-ups that claim security software is out of date, and computers are in immediate danger.
  • An unfamiliar website that claims to have performed a security scan and prompts the user to download new software.5 

Users click on any of these triggers and the scareware loops are put into motion. Scanner windows appear with red-letter warnings listing embedded viruses. Dialogue boxes lead users to scammers' websites, but it all boils down to sales pitches that are almost impossible to refuse because users feel trapped: Buy the software, and the users get fake fixes; ignore the warnings, and the offers never stop.6

NEXT STEPS AFTER INFECTION

The FTC advises users who suspect scareware infections not to click "No" or "Cancel" on the warning box, or even the "x" at the top right corner of the screen, because any of these can activate the scareware. The FTC recommends that users shut down their browsers by pressing Ctrl + Alt + Delete to open the Task Manager and clicking "End Task." Mac users press Command + Option + Q + Esc to "Force Quit." Users who receive sales pitches should search for software names before buying.7 (The FTC keeps records of scareware attacks. Victims should visit www.ftccomplaintassistant.gov/ to file complaints.)

Though no federal laws forbid scareware, many types of spyware and malware are illegal in some states. Victims should contact their states' attorneys general offices. The National Association of Attorneys General provides contact information.

Deleting scareware infections is difficult at best. Methods for uninstalling fake security programs vary according to the specific program. Generally, a Google search (on an uninfected computer) for a product often provides detailed instructions on removing the program and fixing any associated issues. Victims should also contact reputable computer technicians. Often, formatting and reinstalling computer systems might be the only way to root out infections. Clearly, prevention is the best cure.

DEFENSE MECHANISMS

Like most other scams, the best way to prevent scareware is to follow basic common sense. Legitimate anti-virus software companies never use pop-ups, nor do they scan for viruses without permission.8 Here are some pointers to follow:

  • Use only a legitimate antivirus/anti-spyware product that you trust. 
  • Read emails in plain text without graphics. The Spartan appearance exposes fraudware by showing the actual addresses behind suspicious HTML links. 
  • Never open file attachments from strangers or anyone offering software services. Immediately delete e-mail offers that include attachments; they are probably scams. 
  • Be skeptical of any online offers, and be ready to quit out of browsers immediately by pressing ALT+F4 for PCs (Command+Q for Macs) to stop scareware from downloading.9 
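The two points above about shortened URLs hiding a link's real destination and about plain-text email exposing the address behind an HTML link can be checked mechanically. The following Python script is an added example and is not code from the article or from any product it mentions; it extracts every link from an HTML email body, flags links whose visible text names one domain while the href points at another, and flags links that pass through a URL shortener. The shortener list and the sample email are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL-shortener hosts (an assumption for this example,
# not a list taken from the article). Extend it for your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Matches visible link text that looks like a URL or bare domain, capturing
# the domain part so it can be compared with the real href host.
_URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude comparison key: keep the last two labels so that
    www.example.com and example.com compare equal."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def analyze_links(html):
    """Return one finding per link: its href, visible text, host and a list
    of flags ('shortened-url', 'display-mismatch'); an empty list means clean."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        flags = []
        # Link routed through a shortener: the true destination is hidden.
        if registrable(host) in SHORTENER_HOSTS:
            flags.append("shortened-url")
        # Visible text advertises one domain but the href goes elsewhere:
        # exactly what reading the mail as plain text would reveal.
        m = _URL_LIKE.match(text)
        if m and registrable(m.group(1)) != registrable(host):
            flags.append("display-mismatch")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


def suspicious_links(html):
    """Only the findings that carry at least one flag."""
    return [f for f in analyze_links(html) if f["flags"]]


# Constructed sample email body in the style of the scareware pitches described
# above; the hosts are reserved example domains, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Your PC may be infected! <a href="http://bit.ly/xxxxx">Run a free scan now</a></p>
<p>Get the update from <a href="http://secure-update.example.net/dl">www.example.com/security</a></p>
<p>Read our <a href="https://www.example.org/policy">https://www.example.org/policy</a></p>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        status = ", ".join(f["flags"]) or "ok"
        print(f"{status:18} text={f['text']!r} -> {f['href']}")
```

Run against a saved message, the script reports the first link as routed through a shortener and the second as a display mismatch (the text says example.com, the link goes to example.net), while the third, whose text and href agree, is left unflagged. The two-label comparison in `registrable` is deliberately simple; a production filter would use a public-suffix list so that country-code domains such as co.uk compare correctly.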

Keep operating systems and security software up to date. Reputable security software providers and Microsoft periodically send "patches" for the newest infections.

Use ad or pop-up blockers because scareware infections often are delivered via advertisements. Most modern browsers come with built-in ad blockers or offer them as add-on features. Consult browser help files.

FREE CAN BE GOOD

Security programs do not have to be expensive. In fact, some of the best security tools are absolutely free:

Microsoft Security Essentials: This effective and reliable anti-virus and anti-malware program has received good reviews. It provides both active and passive scanning and works with Windows 7, XP Service Pack 2 and Vista. Security Essentials provides protection without affecting computer performance.10 However, users need to be sure they are downloading the genuine product; scammers have created tainted duplicates.11 (Read part one of this article in the March/April issue.)

Spybot Search and Destroy: This popular and long-lived free anti-spyware program uses on-demand scans to detect and remove spyware, malware, Trojans and many other dangerous programs. It can also block dangerous sites.12

Spyware Blaster: This program uses passive methods to help prevent installation of malware.13

These programs, in combination with good browsing habits and common sense, can provide basic protection. Check out www.onguardonline.gov, a site operated by numerous U.S. federal agencies and the technology industry, to find the latest methods to secure computers and protect personal information.

LEGISLATION TO HELP CONTROL SCAREWARE FRAUD

Despite the prevalence and seriousness of this scam, international legislation to control scareware and other types of spyware is unclear in many countries. According to Mark Rasch, former head of the computer crimes unit at the U.S. Department of Justice, the U.S., Western Europe, Japan and Singapore are the most aggressive in prosecuting Internet crimes. Though international cooperation is getting better, the sheer amount of malware far exceeds countries' abilities to fight it.14 The worldwide recession has caused many government agencies to cut or freeze their budgets, which has hampered the efforts of law enforcement agencies to work together.

No established laws15 or bills dealing specifically with spyware and scareware are before the U.S. Congress. States from Colorado to Connecticut, New Mexico to North Dakota have made little to no efforts to regulate spyware of any type.16 

Some states have made attempts to regulate it with varying success: Alabama, Arkansas, Arizona, Delaware, Hawaii, Illinois, Iowa, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New Hampshire, New York, Texas, Vermont, Virginia and Washington. The laws range from very weak to reasonably strong and target everything from specific spyware to more general Internet fraud.17

Some individual states have a reasonably good record of enforcing anti-spyware laws, but nationally it's more hit or miss. Most states either assign fines and fees or allow the wronged party to seek damages in civil court. A few states, including Iowa, Alabama, Illinois and New York, assign criminal penalties to some breaches of the law.18

Although the language of the laws differs from state to state among this group, the intent is similar to that expressed by Washington State Legislature bills H.B. 1012 (Regulating Computer Spyware – 2005-06)19 and H.B. 2879 (Modifying Provisions Regulating Spyware – 2007-08),20 which make it illegal to use malware.21 

In 2007, Washington State Attorney General Rob McKenna made use of the 2005 Computer Spyware Act (H.B.1012 – Regulating Computer Spyware – 2005-06) to bring a lawsuit against three different companies for colluding to market each other's "registry-cleaner [a type of scareware] programs through the use of deceptive free scans."22 They sent fake Net Send messages (a Windows command that informs users of service outages) to consumers' computers to convince them to buy malware. Doing so forced victims to download unnecessary and ineffective security programs.

The Scheme

McKenna outlined the following case in a Feb. 7, 2007, press release. The defendants used scareware messages that were meant to alarm the user, such as "WARNING! WINDOWS REQUIRES IMMEDIATE ATTENTION. WINDOWS HAS DETECTED CRITICAL SYSTEM ERRORS." In typical scareware fashion, the messages then directed computer users to websites to download software meant to fix the errors. These websites redirected users to the fraudsters' pages, where free trial versions of the supposed fixes awaited.

As in any scareware fraud, subsequent computer scans uncovered fake infected files. The users were then told that, to fix the errors, they had to buy software for $29.95 and up.

"Users were given the option to decline installation of an unrelated search toolbar called Twikibar that is bundled with the trial version of Registry Doc," according to Assistant Attorney Katherine Tassi, as quoted in a Washington State Office of the Attorney General release. "We found that even when a user didn't want to install Twikibar, the program installed itself and automatically changed the computer's Internet browser home page." With no clear way to uninstall the toolbar, fraudsters violated Washington's Computer Spyware Act.

This lawsuit is noteworthy because it targeted not only the owners and creators of the deceptive programs but also the affiliate marketers. Product sellers pay affiliate marketers to drive consumers to their websites, but neither can escape liability, according to McKenna. Indeed, in an earlier case against a company accused of violating Washington's Computer Spyware Act,23 McKenna not only prosecuted the offending company — Secure Computer — but also a New York man for allegedly allowing his name to be used as an alias for the company to make it harder for investigators to identify the real culprits.24

EDUCATE YOUR CLIENTS AND COMMUNITIES

Online fraudsters continuously devise sophisticated, lucrative Internet scams — scareware is one of the worst. Malware is not diminishing because many consumers lack the sophistication to counteract it. We have a responsibility to train ourselves so we can educate our clients and communities.

Robert E. Holtfreter, Ph.D., CFE, CICA, is a distinguished professor of accounting and research.

Tiffany McLeod is a former student of Holtfreter's fraud examination course. She graduated from Central Washington University in June 2010.


1. Byron Acohido, "Beware of Twilight scareware turning up in Google search results," TechnologyLive, June 30, 2010. 

2. Fred Langa, "Avoid the Security Risk of Shortened URL's," Nov. 25, 2010. 

3. Op. Cit. Byron Acohido, June 10, 2009.  

4. Elinor Mills, "Conficker also installs fake antivirus software," CNET News, April 10, 2009. 

5. Federal Trade Commission, "Free Security Scan Could Cost Time and Money," FTC Consumer Alert, December 2008. 

6. Byron Acohido, "Scareware's pitches for fake security show up in odd places," USA Today, June 10, 2009. 

7. Op. Cit., Federal Trade Commission. 

8. Larry Barrett, "Focus 09: Anatomy of a Scare-ware Scam," Oct. 8, 2009. 

9. Paul Gil, "What is Scare-ware?" About Com: Internet for Beginners, February 2010. 

10. Microsoft, "Help protect your PC with Microsoft Security Essentials." 

11. F-secure, "Microsoft Security Essentials is Fake," from "News From The Lab," Oct. 22, 2010. 

12. Spybot – Search & Destroy. 

13. JavaCool Software SpywareBlaster, from JavaCool Software. 

14. Jim Finkle, "Inside a global cybercrime ring," Reuters, March 24, 2010. 

15. Tim Mammadov, "Spyware Laws."  

16. National Conference of State Legislatures.  

17. Benjamin Edelman, "'Spyware': Research, Testing, Legislation, and Suits," Feb. 2, 2010. 

18. Op. Cit., Benjamin Edelman. 

19. State of Washington, HB 1012 - 2005-06. 

20. State of Washington, HB 2879 - 2007-08. 

21. State of Washington 59th Legislature, "ENGROSSED SUBSTITUTE HOUSE BILL 1012," Washington State Legislature, March 9, 2005, Sec. 2(5).

22. Washington State Office of the Attorney General, "McKenna Announces Fifth Computer Spyware Case; Washington Sues Three Internet Affiliate Advertisers," Feb. 7, 2007. 

23. Op. Cit., State of Washington, HB 1012 - 2005-06. 

24. Washington State Office of the Attorney General, "McKenna Announces New York Man Second to Settle in State's First Spyware Case – Defendant's name allegedly used as an alias in business transactions," May 8, 2006. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
