Throughout the last two years, scareware (fake security software), quickly emerged as the single most profitable monetization strategy for cybercriminals to take advantage of. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands of dollars in the process.
Not surprisingly, Q3 of 2009 was prone to mark the peak of the scareware business model, whose affiliate program revenue sharing scheme is not only attracting new cybercriminals due to its high pay-out rates, but also, is directly driving innovation within the cybercrime underground acting as a reliable financial incentive.
This end user-friendly guide aims to educate the Internet user on what scareware is, the risks posed by installing it, how it looks like, its delivery channels, and most importantly, how to recognize, avoid and report it to the security community taking into consideration the fact that 99% of the current releases rely on social engineering tactics.
Upon execution, certain scareware releases will not only prevent legitimate security software from loading, but it will also prevent it from reaching its update locations in an attempt to ensure that the end user will not be able to get the latest signatures database. Moreover, it will also attempt to make its removal a time-consuming process by blocking system tools and third-party applications from executing.
There have also been cases where scareware with elements of ransomware has been encrypting an infected user's files, demanding a purchase in order to decrypt them, as well as a single reported incident where a scareware domains was also embedded with client-side exploits.
For the time being, scareware releases are exclusively targeting Microsoft Windows users.
Due to the fact that the scareware campaigns maintained by partners in the affiliate network use a standard template distributed to all of them, scareware sites all share a very common set of deceptive advertising practices, which can easily help you spot them before making a purchase.
For instance, the majority of scareware sites attempt to build more authenticity into their propositions by using "non-clickable" icons of reputable technology web sites and performance evaluating services, such as PC Magazine Editors' Choice award, Microsoft Certified Partner, ICSA Labs Certified, Westcoast Labs Certified, Certified by Softpedia, CNET Editors' Choice, as well as ZDNet Reviews -- the real ZDNet Reviews are unaware of the scareware's existence.
Since the end user who's about to conduct an impulsive purchasing decision, doesn't have the till to double check these claims, the attached screenshot indicates how three different scareware brands (Virus Shield 2009, Windows Security Suite and Malware Destructor 2009) are all using the same template claiming their superiority over legitimate security software.
The scanner's results are static, fake and have absolutely no access to your hard drive, therefore the claims that "You're Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected" should be considered as a fear mongering tactic.
Legitimate online malware scanners offered for free by their vendors include, but are not limited to:
Among the key characteristics of scareware remain the professional site layout, as well as the persistent re-branding of the template in an attempt to shift the end user's attention from the previous brand's increasingly bad reputation across the web. Combined, these characteristics result in an efficient social engineering driven scam that continues tricking thousands of victims on a daily basis.
Some of most recent and still ongoing blackhat SEO campaigns include - 9/11 related keywords hijacked to serve scareware; Federal forms themed blackhat SEO campaign serving scareware and News Items Themed Blackhat SEO Campaign Still Active
Now that you know what scareware is and how it reaches you, it's time to review some of practical ways for recognizing, avoiding and reporting it to the security community for further analysis.
Recognizing the bad apples and flagging them
Due to the dynamic and constant re-branding of known scareware releases, maintaining a list of brands to recognize, avoid and be suspicious about is highly impractical.
However, the most logical approach in that case would be to maintain a list of legitimate antivirus software vendors in an attempt to raise more suspicion on those who are not within the list. One such list is maintained by the CCSS (Common Computing Security Standards Forum), and for the time being includes the following vendors:
AhnLab (V3) Antiy Labs (Antiy-AVL) Aladdin (eSafe) ALWIL (Avast! Antivirus) Authentium (Command Antivirus) AVG Technologies (AVG) Avira (AntiVir) Cat Computer Services (Quick Heal) ClamAV (ClamAV) Comodo (Comodo) CA Inc. (Vet) Doctor Web, Ltd. (DrWeb) Emsi Software GmbH (a-squared) Eset Software (ESET NOD32) Fortinet (Fortinet) FRISK Software (F-Prot) F-Secure (F-Secure) G DATA Software (GData) Hacksoft (The Hacker) Hauri (ViRobot) Ikarus Software (Ikarus) INCA Internet (nProtect) K7 Computing (K7AntiVirus) Kaspersky Lab (AVP) McAfee (VirusScan) Microsoft (Malware Protection) Norman (Norman Antivirus) Panda Security (Panda Platinum) PC Tools (PCTools) Prevx (Prevx1) Rising Antivirus (Rising) Secure Computing (SecureWeb) BitDefender GmbH (BitDefender) Sophos (SAV) Sunbelt Software (Antivirus) Symantec (Norton Antivirus) VirusBlokAda (VBA32) Trend Micro (TrendMicro) VirusBuster (VirusBuster)
An alternative list of legitimate antivirus software providers is also maintained by the VirusTotal service.
If you're serious about security and care about your data, you wouldn't trust your computer's integrity to an application called Doctor Antivirus 2008, Spyware Preventer 2009, Power Antivirus, Total Virus Protection, Malware Destructor 2009, Cleaner 2009, Smart Antivirus 2009, Antivirus VIP or Advanced Antivirus 2009, would you?
Another practical step in recognizing scareware, is to research the potentially malicious domain in question by either using Google.com, or an investigative search engine maintained by Google's Anti-Malvertising.com project. The search engine is using a database of sites maintaining lists of scareware related domains, and greatly increases the probability of seeing the suspicious domain in the results.VirusTotal.com to further ensure its real nature, may in fact help protect millions of users across the globe against this particular release since the service shares the malware binaries across multiple vendors.
The file submitted on the attached screenshot may not be detected by your antivirus vendor as scareware, but has already been flagged as scareware by several other.
Avoiding and preventing the scareware campaign
As in real-life virus outbreak, prevention is always better than the cure. In terms of scareware, handy Firefox-friendly add-ons such as NoScript -- which you can see in action against an ongoing scareware campaign -- can undermine the effectiveness of any scareware campaign, delivered through any of the distribution channels already discussed.
In a fraudulent scheme relying exclusively on social engineering tactics, fear in particular, and a business model that's largely driven by the end user's lack of awareness on this nearly perfect social engineering scam, vigilance, absence of gullibility and common sense suspicion remain your best protection.
Have you been a victim of scareware, or has a scareware brand ever popped-up on your screen while browsing a legitimate web site? What do you think is the main reason why thousands of users purchase fake security software on a daily basis? Their lack of awareness on the fraud scheme, or gullibility by default?