Zero Day

Ryan Naraine and Dancho Danchev

The ultimate guide to scareware protection

By Dancho Danchev | September 13, 2009, 5:49pm PDT

Throughout the last two years, scareware (fake security software) has quickly emerged as the single most profitable monetization strategy available to cybercriminals. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands of dollars in the process.

Not surprisingly, Q3 of 2009 is likely to mark the peak of the scareware business model, whose affiliate-program revenue-sharing scheme is not only attracting new cybercriminals with its high pay-out rates, but is also directly driving innovation within the cybercrime underground by acting as a reliable financial incentive.

This end-user-friendly guide aims to educate the Internet user on what scareware is, the risks posed by installing it, what it looks like, its delivery channels, and most importantly, how to recognize, avoid and report it to the security community, taking into consideration the fact that 99% of the current releases rely on social engineering tactics.

What is scareware?

Basically, scareware, also known as rogueware or, put in simple terms, fake security software, is a legitimate-looking application that is delivered to the end user through illegal traffic acquisition tactics. These range from compromised web sites (Sony PlayStation’s site SQL injected, redirecting to rogue security software), through malvertising (MSN Norway serving Flash exploits through malvertising; Fake Antivirus XP pops-up at Cleveland.com; Scareware pops-up at FoxNews; Ukrainian “Fan Club” Features Malvertisement at NYTimes.com), to blackhat search engine optimization (9/11 related keywords hijacked to serve scareware; The most dangerous celebrities to search for in 2009; The Web’s most dangerous keywords to search for). The ultimate aim is to trick the user into believing their computer is already infected with malware, and that purchasing the application will help them get rid of it.

Upon execution, certain scareware releases will not only prevent legitimate security software from loading, but will also prevent it from reaching its update locations, in an attempt to ensure that the end user cannot obtain the latest signature database. Moreover, they will attempt to make their removal a time-consuming process by blocking system tools and third-party applications from executing.

There have also been cases where scareware with elements of ransomware has encrypted an infected user’s files, demanding a purchase in order to decrypt them, as well as a single reported incident where a scareware domain was also serving client-side exploits.

For the time being, scareware releases are exclusively targeting Microsoft Windows users.

The characteristics of scareware - pattern recognition for a scam

Because the partners in the affiliate network run their scareware campaigns from a standard template distributed to all of them, scareware sites share a very common set of deceptive advertising practices, which can easily help you spot them before making a purchase.

For instance, the majority of scareware sites attempt to build more authenticity into their propositions by using “non-clickable” icons of reputable technology web sites and performance-evaluation services, such as the PC Magazine Editors’ Choice award, Microsoft Certified Partner, ICSA Labs Certified, Westcoast Labs Certified, Certified by Softpedia, CNET Editors’ Choice, as well as ZDNet Reviews — the real ZDNet Reviews are unaware of the scareware’s existence.
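The “non-clickable seal” pattern described above can be checked mechanically. The following is an added example, not code from the original article: it parses a page with Python’s standard html.parser, finds images whose src or alt text names one of the seals listed above, and flags any that are not wrapped in a link back to the certifier’s own domain. The seal-to-domain mapping and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Seals the article lists, mapped to the domain a genuine, clickable seal
# would link back to. The mapping is constructed here for illustration.
SEAL_DOMAINS = {
    "icsa": "icsalabs.com",
    "westcoast": "westcoastlabs.com",
    "softpedia": "softpedia.com",
    "cnet": "cnet.com",
    "zdnet": "zdnet.com",
    "pcmag": "pcmag.com",
}


class SealAuditor(HTMLParser):
    """Record each seal <img> and whether it sits inside an <a> to its certifier."""

    def __init__(self):
        super().__init__()
        self.link_stack = []  # hrefs of the currently open <a> elements
        self.findings = []    # (seal, href or None, ok)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.link_stack.append(a.get("href", ""))
        elif tag == "img":
            text = (a.get("src", "") + " " + a.get("alt", "")).lower()
            for seal, domain in SEAL_DOMAINS.items():
                if seal in text:
                    href = self.link_stack[-1] if self.link_stack else None
                    host = urlparse(href).hostname if href else None
                    ok = host is not None and (host == domain or host.endswith("." + domain))
                    self.findings.append((seal, href, ok))

    def handle_endtag(self, tag):
        if tag == "a" and self.link_stack:
            self.link_stack.pop()


def suspicious_seals(html):
    """Seals that are purely decorative, or that link anywhere but the certifier."""
    p = SealAuditor()
    p.feed(html)
    return [(seal, href) for seal, href, ok in p.findings if not ok]


# Constructed sample: one genuine clickable seal, two decorative fakes.
SAMPLE = """
<a href="https://www.icsalabs.com/product/x"><img src="/icsa-seal.png" alt="ICSA Labs Certified"></a>
<img src="/img/cnet_editors_choice.gif" alt="CNET Editors' Choice">
<a href="buy.php"><img src="/pcmag.png" alt="PC Magazine Editors Choice"></a>
"""

if __name__ == "__main__":
    for seal, href in suspicious_seals(SAMPLE):
        print(f"seal '{seal}' does not link to its certifier (href={href!r})")
```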


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback Most Recent of 50 Talkback(s)

  • Time to change advertising?
    I hate to say this - but maybe it's time to change how we advertise?

    We need to add somebody somewhere to screen ads, one-by-one, for this stuff.

    Doesn't have to be the people hosting the website, but it *should* be somebody independent of the advertising firm.

    Or take a zero-tolerance policy towards this stuff: "We find you've been showing this stuff to our customers, and we shut you out and find somebody else."


    "the majority of scareware sites attempt to build more authenticity into their propositions by using 'non-clickable' icons of reputable technology web sites and performance evaluating services"

    Which is why I pretty much consider these icons to be 100% useless. Stuff like COMODO's "hacker proof" icon is useless because it is 100% spoofable.

    If you really need a good way to gain the trust of customers, use an extended validation certificate.
    CobraA1
    09/13/2009 07:40 PM
  • The bad guys are creative
    I've actively hunted scareware in the wild. As the article says, it's a standard scareware tactic to claim that the system is infected, with an animated or scripted "scanner" showing the supposed infections.

    I read a blog entry discussing a new twist: the scareware plants bogus files, then fires up a copy of ClamAV, gives it a bogus virus-definition file, and has ClamAV detect the planted files using the bogus definitions! Well, you have to give them credit for originality...

    Here's the blog, for those who are interested:

    http://blogs.technet.com/mmpc/archive/2009/08/11/win32-fakerean-and-msrt.aspx

    This sort of thing is certainly a plague. My preferred defense against scareware is to make my users non-Admins and make their user profiles a no-execute zone, by one means or another. An ounce of prevention... wink yeah.

    The only thing I'd expect to accomplish by user education alone, is to teach the user how to break out of an endless-loop scenario by forcibly killing the browser using Task Manager (on Windows, that is). The average Zero Day reader will know scareware when they see it, but that's more than I'd expect of any given employee in the enterprise, especially with the bad guys closely imitating the appearance of legitimate products such as the Windows Security Center, Windows Defender, and others.
    mechBgon
    (Edited: 09/13/2009 09:38 PM)
  • Oh, and how ironic. Hey Dancho...
    What's this in the Sponsored Links, to the right of the TalkBacks? A link to "Anti-Virus Live 2009," huh? (click the first TalkBack, titled "Time to change advertising?")

    VirusTotal scan result for the setup.exe file:

    http://www.virustotal.com/analisis/1bc37518e080723b39a21d295a1f8042a0679c452287648ebce1b43bb6c03617-1252836866

    Not cool. How about you guys clean up your act here.

    edit: just for fun, I installed the bogusware on a VM and had it scan a folder containing 2336 malware samples, all over a year old. It detected 57 (Kaspersky, by comparison, detects over 2200 of them). Interestingly enough, all of the malware that *was* detected by the bogusware is malware I collected from the RBN. Make of that what you will...
    mechBgon
    (Edited: 09/13/2009 10:32 PM)
  • ROFLMAO!
    LOL! Very funny.
    Grayson Peddie
    09/14/2009 05:31 AM
  • There *is* a problem on Macs too
    Great summary of the situation Dancho, but I have to disagree with your assertion that this is only a problem for Windows users.

    Remember MacSweeper which infected online ads on British TV websites ( http://www.sophos.com/pressoffice/news/articles/2008/02/poisoned-adverts.html ), and there's also Imunizator ( http://www.sophos.com/pressoffice/news/articles/2008/03/imunizator.html )

    I agree the problem is much bigger on Windows, but that doesn't mean that Mac users haven't been targeted too.

    GrahamCluley
    09/13/2009 10:19 PM
  • How is this a OS X or Windows problem?
    MS and Apple can't control what POS software every idiot writes, this is not their fault.

    This is a "stupid user" case, not a platform case or a security hole. It just poses as an antivirus software.
    NeoGeneration
    (Edited: 09/14/2009 07:25 AM)
  • os
    if you don't have a need for antivirus software you can't be a target of
    scareware. so it is os related at the end. windows user: "i need antivirus
    software. so why not take this one?". apple user: "i don't need antivirus
    software, so what the hell are they talking about?"

    simple as that.
    elllroy
    (Edited: 09/14/2009 08:56 AM)
  • happened to me once. make that twice.
    I went to a website once and got some kind of virus infection warning that showed a scanner and the My Computer page from Windows XP. I looked at it a moment and knew something wasn't right. It wasn't until I backed out of that webpage that I realised the My Computer page did not show the USB disks I use and I was using Ubuntu 9.04. I was reacting to basic fear entrenched by years of using computers online.

    So, I went back to the website and studied the warning and artwork closer. I must admit that I am not the usual computer user but I forgot that I was using Linux and got a Windows page with a warning. I can see how and why less experienced surfers could and would fall for these tricks. I won't ridicule anyone who falls for it because years ago my wife did and I did not realise it until she had input the debit card info and the bank paid it. I knew it was more my fault because I did not question her when she said our AOL account was past due and about to be cut off. After all, the master account was in my name and I did not warn her about the danger.

    Live, Learn and Teach.

    Paul
    pfyearwood
    09/14/2009 02:18 PM
  • WRONG!!!
    What is SIMPLE is your attitude! Apple is just as open as MS the only difference is that the malware creators want their bogus software to run on as many computers as they can, and what with Apple having a very SMALL mediocre user base the malware authors don't see enough of a profit for such a small user base.
    Apples are however a *niche* which IS being filled by some malware creators. It is true that some PC users don't know much about their systems BUT!!! almost NO apple users know ANYTHING about their systems.
    Apple recently patched over 30 holes ( http://blogs.zdnet.com/security/?p=4276&tag=nl.e550 ) in OSX and that is just the ones which they wanted to make public. Apple security is more of a case of * Security by Obscurity * rather than any inherent safety in Apple's OS
    dinosoft@...
    09/14/2009 02:18 PM
  • Time to switch to decaf Dino?
    Your post was obviously well thought out and pondered, one can see that you put a lot of effort into it. Too bad you didn't read his post first, you might not have had all that egg on your face. Your post is obviously a serious and researched response to someone, just not the one you replied to, since you missed the point entirely.
    914four
    09/15/2009 06:52 PM
  • Really, Dino?
    If Apple has such crap security like you insist, why is it that your company doesn't make a Mac version of your privacy/security software?

    Oh that's right... because IT'S ALREADY BUILT IN.

    I love people like you that post about all of these security holes that Apple patches and then don't include the SEVERITY level of the patches issued. Without severity, you cannot simply assume that every patch allows malicious behavior or a breach of security.

    Go back to writing your Windows software, and have a nice day.

    gary@...
    09/15/2009 08:23 PM
  • Oh it is not a problem for Macs
    The spin attempt of your message is not credible. This is a Windows problem, period.
    gertruded
    11/17/2009 02:57 PM
  • Oh how ironic - I cannot take ZDNet recommendations seriously any more.
    I quote, with date of display on ZDNET, one of the worst offenders. The East European culprits are hardly able to write or speak English.

    DEFENZA AntiSpyware 1 (Windows)
    Tags: Threat, Defenza, Spyware, Adware & Malware, Spyware..., Cyberthreats, Viruses And Worms, Microsoft Windows, Security, Operating Systems, Software
    Software downloads 2006-08-25.

    Don't let this one tempt you even it is recommended on ZDNet.


    pdalton@...
    09/13/2009 10:25 PM
  • There's no preventing stupid.
    Why anyone would believe an "out-of-the-blue" AV/Malware warning, originating inside their browser, is beyond me.

    James T. Kirk
    09/14/2009 06:31 AM
  • That's easy to say...
    When you have the experience to back it up. But if you are someone who's new to computing, or are not advanced or knowledgeable with how a computer operates, then it's quite easy to fall victim to these scams. Even I was almost caught by a pop-up window that was basically a graphic screen shot of Windows Explorer set at the My Computer view. Luckily I recognized that the names I assigned to my hard drive weren't there, and I became suspicious. However, I could have easily fallen victim were I not paying close attention.

    "Good judgment comes from experience. Experience comes from bad judgment."
    - A quote attributed to various and sundry people including, but not limited to, Will Rogers, Rita Mae Brown, and Christian Slater (of all people).
    NCWeber
    09/14/2009 08:09 AM
