News

Phony Alerts, Social Engineering Schemes Used to Spread Malware

Users receive phony security warnings from software spread by affiliates competing for prizes, payouts

• By James E. Powell
• 10/19/2009

Ghosts and goblins won’t be the only thing scaring users this Halloween. Symantec Corp.’s Report on Rogue Security Software reveals a frightening explanation of how cybercriminals profit from a highly organized series of affiliates that are rewarded for sales of “bogus security programs to users caught off-guard by persuasive online scare tactics.” Using misleading messages, such “scareware” poses as authentic security software and displays warning messages about security threats on the user’s system. In fact, these programs typically install malicious code -- exactly the programs the alerts are pretending to be warning users about.

“The creators of rogue security software typically use an affiliate-based pay-per-install model to distribute their misleading applications,” Symantec’s report notes. “Through this model, affiliates can earn between $0.01 and $0.55 for every successful installation. The highest prices are paid for installations by users in the U.S. first, followed by the U.K., Canada, and Australia." The rewards vary by country and may be based on the “likelihood of a user in that country paying for either a subscription to or a fully registered version of the rogue security software.”

The rogue software is advertised on “both malicious and legitimate Web sites such as blogs, forums, social networking sites, and adult sites.” Of the 50 most-reported rogue security applications Symantec watched, nearly two-thirds (61 percent) of the scams targeted North American users; 31 percent were found in Europe, the Middle East, and Africa; 6 percent occurred in Asia-Pacific (including Japan); and 2 percent targeted Latin American users.

Affiliates may participate in incentive programs that offer bonuses for meeting installation levels or “VIP points and prizes” including electronics and automobiles. Symantec says that “top affiliates of rogue security distribution site TrafficConverter.biz reportedly earned as much as $332,000 a month in commissions for installing and selling security risks, including rogue security software,” Symantec estimates..

Fear, Anxiety, and Doubt Convince Users to Buy Harmful Solutions

Many of the techniques used to dupe users into downloading and installing rogue software solutions; many, Symantec says, rely on “fear tactics and other social engineering tricks.” The ads prey on fears about malicious code and recommend that users click on a link to scan their computers; the ad may also offer software that will remove the (bogus) threat. Symantec says the ads are designed to be credible, mimicking the behavior of security software programs.

The solution provider takes several measures to appear genuine.  “Some malicious sites actually use legitimate online payment services to process credit card transactions and others return an e-mail message to the victim with a receipt for purchase -- complete with serial number and customer service number.” The programs are priced between $30 and $100, but that’s just the beginning of the cost to the user. The user’s personal information and credit card data is often used in other fraudulent activity -- it may be sold on the black market or used to steal a user’s identity.

Symantec says it has detected over 250 programs have been reported; Symantec has detected more than 250 distinct rogue security software programs during the period studied (July 1, 2008 to June 30, 2009). The top five rogue security applications are SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, SpywareSecure, and XP AntiVirus.  The rogue software are frequently variations of existing programs; cloning helps elude detection by genuine security software that recognizes the original. "This process sometimes involves nothing more than changing out the name, logos, and images of a program while the program itself remains unchanged. Scam creators will also frequently change their domain registration information and company name to elude being detected or profiled by security researchers or authorities," Symantec reports.

Once the malware is installed, the user may be instructed to “lower the security posture of a computer” while, in fact, the programs claim to strengthen security. “For example, the malware may instruct the user to lower or disable any existing security settings while registering the bogus software or prevent the user from accessing legitimate security websites after installation. This, in turn, leaves users exposed to the very threats the rogue software promised to protect against,” Symantec says.

The report offers an appendix with suggestions for how to protect users from such rogue security software, including investing in (and installing) a trusted security program from reputable vendors “whose products are sold in legitimate retail and online stores.”