Fat cat cybercriminals are pocketing huge profits through a comparatively low-risk, fast-growing crime peddling bogus security software or so called ‘Scareware’ to unsuspecting internet users. This is according to a new report from Symantec on Rogue Security Software.
A 3rd generation of highly organised criminals, are creating ‘Scareware’ – counterfeit anti-virus software, that unsuspecting users are tricked into downloading when they visit unfamiliar websites – enabling kingpin cybercriminals to net profits of more than 850,000 GBP a year (858,130 GBP). The sophistication of the scam means that 93% of Scareware is intentionally downloaded by internet users convinced they are doing the ‘right’ thing.
Experts say Scareware has gathered momentum precisely because it preys on our fears when using the internet – if we believe we’re open to a security threat then we’re more likely to make a knee-jerk reaction. The ‘scare’ or ‘shock’ aspect of the message seeks to induce a panic response, so users are inclined to quickly click the ‘continue’ or ‘accept’ box and then proceed to payment to fix an urgent issue rather than consider what they are being shown.
- Rogue Security Software also known as ‘scareware’ pretends to be legitimate security software and tricks unsuspecting internet users into downloading counterfeit anti-virus software when they visit unfamiliar websites. These rogue applications provide little or no value and may even install malicious code or reduce the overall security of the computer.
- To date, Symantec has detected 250 separate fake programs being sold for between 20 and 60 GBP. Symantec discovered they were sold via nearly 200,000 websites worldwide, made up of dedicated websites and banner adverts placed by scammers on legitimate websites.
- There are several methods employed to trick users into downloading Rogue Security Software, many of which rely on fear tactics and other social engineering tricks. Rogue Security Software is advertised through a variety of means, including both malicious and legitimate websites such as blogs, forums, social networking sites, and adult sites. While legitimate Web sites are not a party to these scams, they can be compromised to advertise these rogue applications. Rogue security software sites may also appear at the top of search engine indexes if scam creators have seeded the results.
- Rogue Security Software creators design their programs to appear as ‘real’ as possible. They use legitimate-sounding product names; for example, the top five Rogue Security Software applications are SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, SpywareSecure, and XP AntiVirus. They use advertisements, pop-up windows, and notification icons that mimic legitimate security programs. They use the same fonts, colours, and layouts as trusted security vendor sites. They may use a legitimate online payment service or return a confirmation and receipt email to the user along with a customer service number. They may offer free trials or free system scans
- The sale and distribution of scareware to vendors uses an affiliate-based business model, similar to buying a well-known high street franchise business. Successful scammers are rewarded with big paychecks and luxury prizes. Top affiliates can earn as much nearly 7,000 GBP a month (6,974 GBP) for duping users into installing security risks, including Rogue Security Software programs. The scammer is paid every time he or she tricks a user into installing the Rogue Security Software, and commissions are greater for installs of software.
- The threat from Rogue Security Software is expected to grow over the next 6-12 months and Symantec is warning that people and businesses need to be vigilant.
- Best practices for protection and mitigation as outlined in the report include:
- Avoid following links from emails, as these may be links to spoofed or malicious websites. Instead, manually type in the URL of a known, reputable website.
- Never view, open, or execute email attachments unless the attachment is expected and comes from a known and trusted source. Be suspicious of any emails that are not directly addressed to your email address.
- Be cautious of pop-up windows and banner advertisements that mimic legitimate displays. Suspicious error messages displayed inside the Web browser are often methods rogue security software scams use to lure users into downloading and installing their fake product.
"The findings of our Report on Rogue Security Software make it clear that cybercriminals are willing, eager, and well-equipped to prey on today’s Internet user,” said Stephen Trilling, Senior Vice President, Symantec Security Technology and Response. “To avoid becoming a victim of such predatory practices, Symantec strongly urges Internet users to make sure they are using the latest security protection and always obtain their security software directly from trusted vendors’ websites.
“Scareware creators can scam thousands of people for comparatively small amounts of money all at the same time and make huge aggregate profits,” said Professor David S. Wall - School of Criminal Justice Studies and Information Societies, University of Leeds. “This type of fraud works because the fake security software tricks users into believing they have an immediate threat which only their program can resolve. Ultimately, it's a con. I would advise Internet users to be careful while online and only download from trusted sources."
The Symantec Report on Rogue Security Software, developed by the company’s Security Technology and Response (STAR) organisation, is an in-depth analysis of Rogue Security Software programs. The report includes an overview of how these programs work and how they affect users, including their risk implications, various distribution methods, and innovative attack vectors. It includes a brief discussion of some of the more noteworthy scams as well as an analysis of the prevalence of Rogue Security Software globally. It also includes a discussion on a number of servers that Symantec observed hosting these misleading applications. Except where otherwise noted, the period of observation for this report was from July 1, 2008 to June 30, 2009.