www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
01 March 2010  

Scareware: malware masquerading as security software

Cyber criminals are employing persuasive online scare tactics to convince users to purchase rogue software that pretends to be legitimate security software. These applications provide little or no value and may even install malicious code or reduce the overall security of a computer. By Nivedan Prakash

A rogue security software program is a variety of malware that misleads by purporting to be a piece of useful software while actually doing the exact opposite of what it claims to do. These programs are also known as scareware and they pretend to be legitimate security software such as antivirus scanners. However, these programs provide little or no protection and, in fact, may actually install the very malicious code that they purport to defend against.

Scareware is a huge business, accounting for nearly 80% of what we see every day. It provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into fraudulent transactions. Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. In recent times, it has become a growing and serious security threat in desktop computing.

Some forms of spyware and adware also use scareware tactics to infect unwary users. Some rogue security software, moreover, infects a user’s computer through a drive-by download, which exploits security vulnerabilities in widely used software such as Web browsers, PDF viewers or e-mail clients and installs itself without any manual interaction at all. This makes it a worrisome threat, as the user may be unaware that the system has been compromised unless anti-virus software that also offers Internet security is in use.

"Rogue security software weakens the security posture in various ways—by reporting a virus even though a computer could actually be clean. The software might also fail to report viruses when a computer is infected or lure you into making a fraudulent transaction"

- Bhavin Turakhia
Founder, CEO and Chairman, Directi

"Criminals are using SEO techniques that drive many users to visit compromised Web pages inserted by the criminals on legitimate Web sites. Once the user visits the compromised Web page an animated image is shown to the user indicating a disk scan and identified viruses"

- Yuval Ben-Itzhak
Senior Vice President of Engineering, AVG Technologies

The unique feature of scareware is that it often fools the user into initiating the infection, by following the scareware’s own instructions and paying the cybercriminals (to activate a “system optimization”, for example). Cyber criminals don’t even need to look for vulnerabilities in the system or in the installed AV solution when the user contributes to his own system’s destruction.

Distribution of scareware

Cyber criminals are employing increasingly persuasive online scare tactics to convince users to purchase rogue security software. In fact, they are using fear and anxiety to trick users into purchasing and installing it. For example, a flashing advertisement may warn the user that the PC is probably at risk of infection.

The rogue software may persistently urge users to address this risk immediately by following a link where the computer can be scanned, where they can buy protection software, or where the threat can be removed. Users who purchase and install rogue security software are lulled into a false sense of security while being exposed to increased risk from malicious software as well as fraud, including identity theft.

Shantanu Ghosh, VP – India Product Operations, Symantec, pointed out, “The motive behind conning people to buy or download scareware is no different from the usual motives of cyber criminals, i.e. to make money. The initial monetary loss to consumers who download these rogue products ranges from $30 to $100. However, the costs associated with regaining one’s identity could be far greater. Not only can these rogue security programs cheat the user out of money, but the personal details and credit card information provided during the purchase can be used in additional fraud or sold on black market forums, resulting in identity theft.”

Of late, malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events. People looking for articles on how to clean an infected computer on a search engine may encounter results that, upon being clicked, are instead redirected through a series of sites before arriving at a landing page that says that their machine is infected and pushes them to download a ‘trial’ of the rogue program.

“Criminals are using techniques known as SEO poisoning to be ranked high on search engines results. These techniques drive many users to visit a compromised Web page inserted by the criminals on legitimate Web sites. Once the user is on the compromised Web page an animated image is shown indicating a disk scan and identified viruses. The user/victim is then convinced to download and install the software on to his PC; however, in order to remove the reported threats the user is asked to pay,” added Yuval Ben-Itzhak, Senior Vice President of Engineering, AVG Technologies.

Crooks are profiting from a highly organized pay-for-performance business model in which affiliates are paid for every sale of rogue security software they generate.

"To prevent scareware attacks, the most basic rule is still to avoid clicking on any URL and executing any file that came from someone whom you do not know. Users should also be encouraged to install security software to safeguard their data and it is always advisable for users to employ common sense"

- Abhinav Karnwal
Product Marketing Manager, APEC, Trend Micro

"The main motive is to swindle a user into paying for free, dummy or malicious software that not only provides the user with a false sense of security but also sometimes acts as the intermediary to download malicious software and infect the user’s computer or to use the computer for criminal activities"

- Govind Rammurthy
CEO and MD, eScan

Meanwhile, rogue security software has come to be designed with a profit motive, whether more or less legal (forced advertising) or outright criminal. Profit is the primary motivation for the creators and distributors of rogue security software scams.

According to Govind Rammurthy, CEO and MD, eScan, the primary motive is to swindle a user into paying for free, dummy or malicious software that not only provides the user with a false sense of security but also sometimes acts as the intermediary to download malicious software and infect the user’s computer or use the computer for criminal activities.

“Financial motivation is what drives cyber criminals to continue infecting users with scareware. Once infected, they can steal personal information from you and instruct your computer to perform certain malicious actions for the cyber criminals. The method used for infection is not particularly sophisticated and it relies heavily on social engineering to fool the user into installing it and to hand over credit card details for purchasing the application,” asserted Chia Wing Fei, Senior Security Response Manager, F-Secure APAC.

Weakening security posture

Rogue security software weakens a PC’s security posture, making it vulnerable to additional threats. It reaches the machine through social engineering, by exploiting unpatched vulnerabilities in the computer’s operating system or installed applications, or through poisoned search results that users click on.

Moreover, the scareware will not attempt to detect malware that is trying to infect a system. Also, the personal information stored by the user on his computer will be sent to the malware writers who can use it to commit fraud or hijack a user’s identity.

The rogue security software also weakens a PC’s security by advising a user to disable legitimate security software in order to register the bogus product, or by preventing the user from accessing legitimate security Web sites or preventing a genuine anti-virus product from being used or installed on a computer.

Bhavin Turakhia, Founder, CEO and Chairman, Directi, is of the view that rogue security software weakens the security posture in various ways. It does this by reporting a virus even though a computer is clean. The software might also fail to report viruses when a computer is infected. The additional threats a user could face are many: being lured into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program); social engineering used to steal personal information; pop-up windows with false or misleading alerts; a slowed computer or corrupted files; disabled Windows updates or disabled updates to legitimate anti-virus software; and lastly, being prevented from visiting anti-virus vendors’ Web sites.
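One common way rogue software blocks vendor sites and update servers, as described above, is by editing the system hosts file, which is straightforward for a defender to audit. The following is an added example, not code from the article or from any vendor quoted in it: it scans hosts-file text for entries that sinkhole or redirect a watch-list of security and update domains. The watch-list, the sample hosts content and the TEST-NET address standing in for an attacker-controlled server are all constructed assumptions.

```python
import ipaddress
import re

# Assumed watch-list (constructed for this example): legitimate security and
# update sites that rogue software is known to block or redirect.
WATCHED_DOMAINS = {
    "update.microsoft.com", "windowsupdate.microsoft.com",
    "symantec.com", "kaspersky.com", "avg.com", "f-secure.com",
    "trendmicro.com", "escanav.com",
}

def _is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hosts_hijacks(hosts_text):
    """Return (line_no, ip, hostname, reason) for each suspicious entry."""
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((n, parts[0], "", "unparseable address"))
            continue
        for host in parts[1:]:
            if not _is_watched(host):
                continue
            # Loopback or 0.0.0.0 blocks the site; anything else redirects it.
            if ip.is_unspecified or ip.is_loopback:
                reason = "blocked (sinkholed to local host)"
            else:
                reason = "redirected to %s" % ip
            findings.append((n, str(ip), host, reason))
    return findings

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.kaspersky.com      # vendor site blocked
0.0.0.0     update.microsoft.com   # updates blocked
203.0.113.9 www.symantec.com       # redirected (203.0.113.9 is TEST-NET)
93.184.216.34 example.com
"""

if __name__ == "__main__":
    for line_no, ip, host, reason in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}: {reason}")
```

On a real machine the same function can be fed the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts); any entry it reports for a domain you did not add yourself deserves investigation.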

Additionally, scareware often carries a digital signature, which indicates to the anti-virus solution installed on the computer that the file is legitimate. Because anything suspicious that happened afterwards, such as ports being opened or drivers being installed, would attract the attention of the security software, fake anti-virus tools that pose as legitimate products avoid such behaviour.

All in all, this is a serious threat only as long as users are unaware of it. Once awareness spreads, scareware will find its fangs blunted and it will no longer be anything more than a nuisance.

Protection and mitigation

The phenomenon of rogue security software is a new one and the best way to tackle such malicious software is to be aware of the threat that it poses and act accordingly.

Symantec suggests that users set their browsers to block pop-ups; use only reputable software for free scans and check with reputable retailers or Web sites to be sure that a product is genuine; invest only in proven, trusted security software; keep that security software up to date; and ensure that all users of a machine (friends and family) know which genuine security software is installed on it and are advised to avoid any other.

Vyacheslav Zakorzhevsky, Senior Malware Analyst – Heuristic Detection Group, Kaspersky, said, “The only way to protect users against scareware is to raise awareness about this problem. If you find an unknown anti-virus program on your computer, check whether the vendor has an official site and technical support. If it doesn't, it is definitely a rogue anti-virus. Legitimate programs designed to combat malware will never first scan a computer and then demand money for activation. Ignore any messages warning you of infection that appear randomly while you’re browsing the Internet. Don't click on pop-up windows even if they aren't blocked by the browser security or other security solutions.”

According to Abhinav Karnwal, Product Marketing Manager, APEC, Trend Micro, it is important to raise awareness about scareware amongst users. To prevent scareware attacks, the most basic rule is still to avoid clicking any URL and executing any file that came from someone whom one does not know. Users should also be encouraged to install security software to safeguard their data and it is always advisable for users to employ common sense.

One should also ensure that all security patches are up to date and applied to all vulnerable applications in a timely manner, and, when making online purchases, never give credit card details to unsecured sites. To help determine whether the site you are visiting is secure, look for ‘https://’ in the browser’s address bar and the small padlock symbol at the bottom right of the browser’s status bar, and check the site’s certificate. Finally, use an Internet security solution that combines anti-virus, firewall, intrusion detection and vulnerability management.

Meanwhile, as per industry estimates, one could see the propagators of rogue security software scams take their efforts to the next level, even by hijacking users’ computers, rendering them useless and holding them to ransom. A less drastic next step, however, would be software that is not explicitly malicious, but dubious at best.

nivedan.prakash@expressindia.com
