The Federal Bureau of Investigation (FBI) says fake antivirus programs have raked in more than $150 million for scammers.
This software can appear almost anywhere on the web. Typically, the scam starts with an aggressive pop-up advertisement that looks like some sort of virus scan.
Often it’s nearly impossible to get rid of the pop-up windows. Of course, the scan turns up problems, and the pop-up windows say the only way to get rid of them is to pull out a credit card and pay.
This is always a bad idea. At best, the software is subpar. At worst, it “could result in viruses, Trojans and/or keyloggers being installed on the user’s computer,” the IC3 said in its warning. The IC3 is run in partnership with the National White Collar Crime Center.
“The assertive tactics of the scareware [have] caused significant losses to users,” the IC3 said. “The FBI is aware of an estimated loss to victims in excess of $150 million.”
The IC3 says that users who see these unexpected antivirus pop-up warnings should shut down their browsers or their computers immediately and then run an antivirus scan to see what’s going on.
Scareware on legit sites
Scareware peddlers have pushed their ads on legitimate ad networks.
The New York Times was tricked into running rogue antivirus ads in September by a scammer pretending to work for Vonage. Sometimes, the scammers simply hack into websites and use attack code to put their software on the victim’s computer.
Last month, webcams sold by Office Depot contained links to a hacked website that tried to download rogue antivirus.
Most recently, Adam Thomas, an analyst from Sunbelt Software in Clearwater, Fla., came across a new social engineering technique used to mislead people into buying a rogue security product, DefenseLab.
It does the usual scareware stuff: a fake scan and a fake “Windows Security Center” alert.
Then the software “directs the potential victim to a Microsoft Support page, but injects html code into the page in his or her browser to make it appear as though Microsoft is suggesting the purchase of the rogue,” writes Smith.
It’s a real Microsoft support site, but it’s the malware already running on users’ infected computers that injects the threat warning and the endorsement of the antivirus software, according to a blog by Matt Kelchner, a researcher at Sunbelt Software.
The scam is intended to prod users into clicking a “Fix It” button that leads them to a site where they can buy the antivirus software.
This twist is an extension of an ongoing scareware epidemic.
Malicious software is downloaded to victims’ machines and pops up warnings that the computer has been scanned and found to be infected. It then pops up windows urging them to buy antivirus software that can get rid of the problem.
The problem reportedly does go away, but experts say that doesn’t mean the virus that created it is removed and won’t cause more problems later.
Similar Trojans have been around for years and are among the “cash cows” identified by Cisco in its annual report on cybercrime. Other variants of these Trojans have encrypted files on victims’ computers and basically held them for ransom.
If users want to decrypt them, they have to fork over $40 to buy antimalware forced on them by the malware.
The criminals behind the malware also poison Google search results so when victims search for ways to remove the malware, sites for buying the bogus antivirus software come up first.