As a veteran of the IT security industry I was recently asked for tips on how to recognize and avoidscareware. This problem came to light not long ago when law enforcement agencies in the United States and seven other nations seized computers running a scareware scheme that tricked consumers into spending more than $72 million on fake anti-virus software.
Scareware has long been a scourge for both end-users and IT professionals, so what can be done to combat it? Simply put, if you see a pop-up telling you that your system is infected and it needs to be repaired immediately (“Click Yes to Start or No to Skip”) then, unfortunately, your computer has already been infected. The tipoff is if the name of the “repair” program and its look and feel does not match the anti-virus/anti-malware program you already own.
But what if you don’t have anti-virus/anti-malware software and suddenly see a Good Samaritan pop-up message offering to help you? In reality, this helpful-sounding message warning you of the “problem” and requesting (really demanding) that you pay for “helpful” software has already infected your system.
How Scareware Infections Work
The scareware infection methodology is very dangerous and starts when you click legitimate-looking web page results from major search engines like Google and Bing (yes, they index infected sites). The problem for consumers is that the infection is two phase. In the first phase your machine is infected quietly. Later it starts up and tries to “help you”….out of your money.
The truth is that once your machine is infected (you can’t decline the disinfection option…everything you do causes the machine to be further infected), you can’t do anything except put it in the hands of a professional to extract the infection.
In the case of the international scareware ring mentioned previously, the government came down hard on these criminals because the infection they’ve been spreading is very difficult to detect and remove and inhibits the ability to install and/or run disinfection software. The criminal operation also involved the compromise of many web sites, the mass syndication of web advertisements that contain infections, and the poisoning of search engine search results to link to infected sites.
The bottom line is that this was a very sophisticated, sustained mass attack resulting in infections that only the most sophisticated IT technicians can remove. In many cases, even when IT professionals with advanced training attempted a fix, the infected machines ended up being completely erased/ reformatted because the malware is so prevalent and complex.
What Can Be Done About Scareware
It’s virtually impossible to prevent scareware infections without having exactly the right types of countermeasures installed prior to encountering the threat. Upgrading to Windows 7 doesn’t help; having the latest security updates doesn’t help; and these infections can already get past many of the anti-virus/anti-malware products on the market. Consequently, the only way to stop this type of attack is to put all of these criminals in jail and shut down the systems used to shake down consumers.
I have personally seen the damage done by these types of infections on a few friends’ and colleagues’ computers and so I know how difficult it is to detect and deactivate what these criminals have created (and I have patents on deactivation technology). Make no mistake, these are not hackers working in the basement of their parents’ houses. These are hardened criminals with sophisticated computer science skills and substantial resources. Only government level cooperation can stop them…consumers are helpless.
The best strategy for consumers is a harsh one: don’t use Google or any other search engine. Only go to known sites. But, even then, if the mainstream sites you visit have infected advertisements on them (which could happen at any time), your machine is toast.
Yes, this is a bad situation and it’s getting worse. Whatever punishment these criminals receive will be insufficient for the massive damage and distress they’ve created worldwide.
How are you protecting your systems from scareware? Share your thoughts in the comments below. You can also follow me on Twitter: @liebsoft.