Purveyors of malware have progressed from exploiting feelings of love to manipulating fear.
Microsoft has released volume 6 of its biannual Security Intelligence Report and one finding stands out: a new category of threat, known as rogue security software or “scareware,” is on the increase. Version 6 of the report covers the second half of 2008 (2H08), the period from the beginning of July through the end of December.
The report said that rogue security software tricks users into paying for malware through fear and annoyance tactics. The annoyance tactic involves continual alerts or warnings, which the victims are told will stop once a payment is made. The fear tactic can be as simple as a pop-up ad telling the victim that the rogue software has detected an infection.
Fear is effective. “Fear is one of the strongest motivators of human behavior,” Microsoft researchers pointed out in the report. But scareware also plays on rational worries: There are real Internet threats, so this particular species of malware is taking advantage of survival reflexes that its prey has learned.
“In the world of computer security, fear of malware and other threats is often a useful and beneficial reaction, compelling users to install antivirus software and security updates and to practice safe online behavior,” Microsoft wrote in the report.
“Unfortunately, attackers often use social engineering techniques that create fear in an effort to persuade potential victims to give them money,” the company’s authors wrote. “The clearest example of this is in the rise and spread of rogue security software.”
Victims have a lot to lose and little to gain from the pest, Microsoft added.
“Rogue security software masquerades as legitimate security programs offering protection from malware, spyware, and other threats, but actually uses social engineering to obtain money or sensitive information from victims and offers little or no real protection,” the company said.
Consumers aren’t the only ones suffering as a result: IT departments are also being forced to cope with the upswing in scareware. “Rogue security software generates hundreds of thousands of U.S. dollars a year in ill-gotten profits for its distributors, along with large numbers of IT help desk calls from worried victims,” Microsoft said.
Variants include Win32/FakeXPA, which uses warnings to trap its victims, and Win32/Yektel, which manipulates Web pages after they have been downloaded by Internet Explorer. In a particularly insidious move, Win32/Yektel inserts a security warning into any page whose URL contains the phrase “google.” The warning purports to be from Google but in fact contains a malware link.
The variant Win32/FakeSecSen runs a scanner that covers the screen, with a “close” button that has no effect, annoying victims into paying for the malware.
Rogue security software is distributed through traditional malware vectors, such as botnets and spam, and also through Web sites — both standalone malware sites and compromised legitimate sites.
The report doesn’t just describe the problem. It also offers common-sense solutions that will protect many users. For instance, the company recommends that every network have a password and has posted detailed advice on the subject of creating strong passwords.
Microsoft also urged users to avoid opening attachments or clicking on links in e-mails and IMs that are received unexpectedly or from an unknown source. It also recommended consumers use a spam filter and a phishing filter for e-mail, as well as a firewall and anti-malware software, and that they keep all of these products up to date.
Additionally, Microsoft said users should avoid clicking on a link to a bank or e-commerce site. Instead, they should use a bookmarked link.
Microsoft also provides more detailed information on scareware programs on its Rogue Security Software page, which has advice and screen shots from known rogue security software infections.