FOCUS 09: Anatomy of a Scareware Scam
Page 1 of 1
LAS VEGAS-- Scareware, those applications embedded in unsolicited e-mails or hidden away in corrupted banner pop-up ads warning users that their PCs are under attack and require the software hawked in the warning, is big business.
So big that federal and state law enforcement officials as well as legitimate software companies and independent security experts can't even begin to quantify just how many people and exactly how many millions of dollars are lost each year to this growing online threat.
What is known is that scareware racketeers such as Innovative Marketing are clever, relentless and, as a year-long investigation conducted by McAfee's Avert Labs recently discovered, as highly organized as any Fortune 500 company trading on the New York Stock Exchange.
Perhaps the only saving grace, researchers are quick to add, is that they appear to be as careless about protecting their secret sauce as they are dedicated to defrauding millions of PC users to the tune of $39.95 a whack.
During a breakout session here Wednesday at McAfee's FOCUS 09 security conference, Dirk Kollberg, malware research lead at Avert Labs, gave attendees a unique behind-the-scenes look at how Innovative Marketing went about stealing millions of dollars from unsuspecting victims over the course of 11 months.
For those unfamiliar how scareware works, here's a typical scenario: A person opens a malicious e-mail or clicks on an infected banner ad and a frightening pop-up ad emerges, telling them their machine is infected. Contained with this same warning is a come-on offering the right antivirus software to fix the problem. Give us your credit card number and you'll be safe.
Once the transaction is processed, the warning or "nagware" application goes away and everything appears to be fine. But all the application did was remove the malicious warning code and, more than likely, turned your PC or mobile device into another botnet or drone to distribute more "dire" warnings to other unsuspecting victims.
The infamous Conficker worm, along with infecting millions of machines, was also used as a tool to recruit and harvest more computers to push even more elaborate scareware.
Kollberg and other McAfee researchers last year embarked on their own little investigation, culling the Internet for publicly available data on Innovative Marketing Inc., one of two notorious scareware purveyors targeted by the Federal Trade Commission for allegedly tricking consumers into purchasing and installing scareware sold under names such as "WinAntivirus," "DriveCleaner" and "XP Antivirus."
Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Kollberg and his team unearthed some astonishing operational details including the following:
- Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares.
- In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.
- Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses.
- It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers exited were "happy" when the call concluded.
- Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs pertinent data including price, location and, most telling, a column that rate the ISPs "abuseability"essentially an assessment of which ISPs would play ball and not ask questions as they went about their business.
- The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.
"Most users don't know what to do," Kollberg said. "They don't understand that the scareware only disables the warning screens. What's worse is that with this infrastructure established, they can do even more [evil] like hosting malicious porn sites and other unnecessary subscriptions."
One bright spot, Kollberg said, was that after going through all Innovative Marketing's data, McAfee researchers never found a single credit card number. He added that all the information acquired in this research endeavor has been turned over to the FBI, the FTC and authorities in several countries including Germany.
While the FTC was successful in receiving a temporary restraining order for Innovative Marketing, based in Belize, and ByteHosting Internet Services in Cincinnati, Ohio, Kollberg said the same tactics, peripherals and products have re-emerged in the past year only this time the product is known as "PC Antispyware 2010."
Just last month, Microsoft filed a lawsuit against five so-called "malvertisers" in Seattle in its attempt to thwart the onslaught of malicious ads stashed atop Google search results or tucked away in seemingly innocuous online advertisements.
A Microsoft report released earlier this year found that scareware infections surged up 48 percent in the second half of 2008 compared to the prior six months, with more than 8 million people either infected or conned into buying the counterfeit AV software.
McAfee and other antivirus software vendors advise users to beware of any pop-up ads alerting you to a virus infection because legitimate AV companies don't use ads to inform users they are infected. Also, be wary of any programs that scan for viruses automatically without requiring permission.
But the question remains: If Innovative Marketing was so well-organized and thorough in its efforts to fleece so many people, how could it have been so sloppy about protecting its internal data from Kollberg and any other curious soul with an Internet browser?
"I have no idea," Kollberg said. "I guess maybe the kind of people who are working within an organization like this might not have the highest integrity to protect or go out of their way to not share their data. Who knows?"