Throughout the last two years, scareware (fake security software), quickly emerged as the single most profitable monetization strategy for cybercriminals to take advantage of. Due to the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands of dollars in the process.
Not surprisingly, Q3 of 2009 was prone to mark the peak of the scareware business model, whose affiliate program revenue sharing scheme is not only attracting new cybercriminals due to its high pay-out rates, but also, is directly driving innovation within the cybercrime underground acting as a reliable financial incentive.
This end user-friendly guide aims to educate the Internet user on what scareware is, the risks posed by installing it, how it looks like, its delivery channels, and most importantly, how to recognize, avoid and report it to the security community taking into consideration the fact that 99% of the current releases rely on social engineering tactics.
What is scareware?Basically, scareware, also known as rogueware or put in simple terms, fake security software, is a legitimately looking application that is delivered to the end user through illegal traffic acquisition tactics starting from compromised web sites (Sony PlayStation’s site SQL injected, redirecting to rogue security software), malvertising (MSN Norway serving Flash exploits through malvertising; Fake Antivirus XP pops-up at Cleveland.com; Scareware pops-up at FoxNews; Ukrainian "Fan Club" Features Malvertisement at NYTimes.com), or blackhat search engine optimization (9/11 related keywords hijacked to serve scareware; The most dangerous celebrities to search for in 2009; The Web's most dangerous keywords to search for), to ultimately attempt to trick the user into believing their computer is already infected with malware, and that purchasing the application will help them get rid of it.
Upon execution, certain scareware releases will not only prevent legitimate security software from loading, but it will also prevent it from reaching its update locations in an attempt to ensure that the end user will not be able to get the latest signatures database. Moreover, it will also attempt to make its removal a time-consuming process by blocking system tools and third-party applications from executing.
There have also been cases where scareware with elements of ransomware has been encrypting an infected user's files, demanding a purchase in order to decrypt them, as well as a single reported incident where a scareware domains was also embedded with client-side exploits.
For the time being, scareware releases are exclusively targeting Microsoft Windows users.
The characteristics of scareware - pattern recognition for a scam
Due to the fact that the scareware campaigns maintained by partners in the affiliate network use a standard template distributed to all of them, scareware sites all share a very common set of deceptive advertising practices, which can easily help you spot them before making a purchase.
For instance, the majority of scareware sites attempt to build more authenticity into their propositions by using "non-clickable" icons of reputable technology web sites and performance evaluating services, such as PC Magazine Editors' Choice award, Microsoft Certified Partner, ICSA Labs Certified, Westcoast Labs Certified, Certified by Softpedia, CNET Editors' Choice, as well as ZDNet Reviews -- the real ZDNet Reviews are unaware of the scareware's existence.
Yet another popular social engineering tactic are the fake comparative review templates, basically showing a chart where the scareware outperforms software offered by some of the leading security companies.
Since the end user who's about to conduct an impulsive purchasing decision, doesn't have the till to double check these claims, the attached screenshot indicates how three different scareware brands (Virus Shield 2009, Windows Security Suite and Malware Destructor 2009) are all using the same template claiming their superiority over legitimate security software.
The diverse list of tactics leads us to the ubiquitous fear-driven social engineering tactic of simulating a real-time antivirus scanning in progress dialog, which in reality is nothing else but a static script, with anecdotal cases where Mac users are presented with a Windows-like My Documents folder window.
The scanner's results are static, fake and have absolutely no access to your hard drive, therefore the claims that "You're Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected" should be considered as a fear mongering tactic.
Legitimate online malware scanners offered for free by their vendors include, but are not limited to:
- TrendMicro's Housecall
- Kaspersky's Online Malware Scanner
- F-Secure's Online Malware Scanner
- ESET's Online Malware Scanner
- BitDefender's Online Malware Scanner
- PandaSecurity's Cloud Antivirus
- McAfee's Online Malware Scanner
- Rising's Online Malware Scanner
- Dr. Web's Online Malware Scanner
- Symantec's Online Malware Scanner
- CA's Online Malware Scanner
Among the key characteristics of scareware remain the professional site layout, as well as the persistent re-branding of the template in an attempt to shift the end user's attention from the previous brand's increasingly bad reputation across the web. Combined, these characteristics result in an efficient social engineering driven scam that continues tricking thousands of victims on a daily basis.
The delivery channels and traffic hijacking tactics of scareware campaignsThere's a high probability that your last encounter with scareware came totally out of blue. Despite the tact that cybecriminals are always looking for new push and pull strategies for their malware releases, there are several tactics currently representing the most popular delivery channels for scareware. Let's review some of them.
- Blackhat search engine optimization (SEO) - blackhat search engine optimization remains the traffic acquisition method of choice for the majority of cybercriminals looks for quick ways to hijacking as much traffic as possible using real-time events as themes for their campaigns. This tactic consists of hundreds of thousands of hijacked keywords parked on domains maintained by the criminals. Upon visiting any them, the now tricked into believing the site is serving legitimate content end user, is automatically redirected to a simulated real-time antivirus scanning screen. The relevance of the themes is automatically syndicated from public services such as Google Trends in order to ensure that the window of opportunity for a particular event is hijacked for the purpose of serving scareware. It's important to point out that each and every campaign relies on the end user's gullibility into manually downloading and executing the scareware compared to drive-by attacks where the infection will take place automatically through the use of client-side vulnerabilities.
- Systematic abuse of social networks/Web 2.0 services - there hasn't been a single social network or Web 2.0 service that hasn't been abused for scareware serving purposes. From Twitter, Scribd and LinkedIn to Digg and Google Video, the systematic abuse of these services through the automatic registration of hundreds of accounts by outsourcing the CAPTCHA-recognition process, remains an active asset in the arsenal of the scareware campaigner
- Malvertising (malicious advertising) - malvertising is the practice of serving malicious ads on legitimate and high profile sites in an attempt to exploit the end user's trust in their ability to filter out such ads. Notable cases where scareware windows pop-up out of the blue include - Fake Antivirus XP pops-up at Cleveland.com; Scareware pops-up at FoxNews, Digg, MSNBC and Newsweek scareware campaign through malvertising
- Pushed by some of the most prolific botnets such as Conficker and Koobface - The Koobface botnet gang which I've been tracking over the past couple of months, is not only among the most active blackhat SEO cybercrime enterprises online -- at least for the time being -- but there have been cases where they've been directly installing scareware on Koobface infected hosts. Despite its current idleness, the Conficker botnet gang has already made three attempts to monetize the millions of infected hosts, by reselling access to them to two different gangs, but has also attempted to install scareware on them
Some of most recent and still ongoing blackhat SEO campaigns include - 9/11 related keywords hijacked to serve scareware; Federal forms themed blackhat SEO campaign serving scareware and News Items Themed Blackhat SEO Campaign Still Active
Now that you know what scareware is and how it reaches you, it's time to review some of practical ways for recognizing, avoiding and reporting it to the security community for further analysis.
Recognizing, avoiding and reporting scareware
Recognizing the bad apples and flagging them
Due to the dynamic and constant re-branding of known scareware releases, maintaining a list of brands to recognize, avoid and be suspicious about is highly impractical.
However, the most logical approach in that case would be to maintain a list of legitimate antivirus software vendors in an attempt to raise more suspicion on those who are not within the list. One such list is maintained by the CCSS (Common Computing Security Standards Forum), and for the time being includes the following vendors:
AhnLab (V3) Antiy Labs (Antiy-AVL) Aladdin (eSafe) ALWIL (Avast! Antivirus) Authentium (Command Antivirus) AVG Technologies (AVG) Avira (AntiVir) Cat Computer Services (Quick Heal) ClamAV (ClamAV) Comodo (Comodo) CA Inc. (Vet) Doctor Web, Ltd. (DrWeb) Emsi Software GmbH (a-squared) Eset Software (ESET NOD32) Fortinet (Fortinet) FRISK Software (F-Prot) F-Secure (F-Secure) G DATA Software (GData) Hacksoft (The Hacker) Hauri (ViRobot) Ikarus Software (Ikarus) INCA Internet (nProtect) K7 Computing (K7AntiVirus) Kaspersky Lab (AVP) McAfee (VirusScan) Microsoft (Malware Protection) Norman (Norman Antivirus) Panda Security (Panda Platinum) PC Tools (PCTools) Prevx (Prevx1) Rising Antivirus (Rising) Secure Computing (SecureWeb) BitDefender GmbH (BitDefender) Sophos (SAV) Sunbelt Software (Antivirus) Symantec (Norton Antivirus) VirusBlokAda (VBA32) Trend Micro (TrendMicro) VirusBuster (VirusBuster)
An alternative list of legitimate antivirus software providers is also maintained by the VirusTotal service.
If you're serious about security and care about your data, you wouldn't trust your computer's integrity to an application called Doctor Antivirus 2008, Spyware Preventer 2009, Power Antivirus, Total Virus Protection, Malware Destructor 2009, Cleaner 2009, Smart Antivirus 2009, Antivirus VIP or Advanced Antivirus 2009, would you?
Another practical step in recognizing scareware, is to research the potentially malicious domain in question by either using Google.com, or an investigative search engine maintained by Google's Anti-Malvertising.com project. The search engine is using a database of sites maintaining lists of scareware related domains, and greatly increases the probability of seeing the suspicious domain in the results.
Keeping in mind that the end user has full control of the scareware window that popped-up on their screen -- despite its modest resistance when attempting to close it down -- downloading a copy of it, and once making sure you're not going to execute it, submit it to a multiple antivirus scanning service such as VirusTotal.com to further ensure its real nature, may in fact help protect millions of users across the globe against this particular release since the service shares the malware binaries across multiple vendors.
The file submitted on the attached screenshot may not be detected by your antivirus vendor as scareware, but has already been flagged as scareware by several other.
Avoiding and preventing the scareware campaign
As in real-life virus outbreak, prevention is always better than the cure. In terms of scareware, handy Firefox-friendly add-ons such as NoScript -- which you can see in action against an ongoing scareware campaign -- can undermine the effectiveness of any scareware campaign, delivered through any of the distribution channels already discussed.
In a fraudulent scheme relying exclusively on social engineering tactics, fear in particular, and a business model that's largely driven by the end user's lack of awareness on this nearly perfect social engineering scam, vigilance, absence of gullibility and common sense suspicion remain your best protection.
- Consider going through the "The ultimate guide to scareware protection" gallery
Have you been a victim of scareware, or has a scareware brand ever popped-up on your screen while browsing a legitimate web site? What do you think is the main reason why thousands of users purchase fake security software on a daily basis? Their lack of awareness on the fraud scheme, or gullibility by default?