APRIL 15, 2009
False Security: 'Scareware' Spreads
By JOSEPH DE AVILA
WSJ
While surfing the Web in December, Keren Brophy got a message on her computer screen telling her to update her antivirus software. The pop-up message looked similar to Windows security warnings she'd routinely received. She paid $49.99 for a program called Antivirus 2009 from a company calling itself Meyrocorp and thought she was safe. A few days after she installed the software, Ms. Brophy's computer wouldn't boot up properly and soon was unusable; she noticed the desktop icon for the software she'd bought had disappeared. She had to wipe her hard drive clean to get the computer working again. Hoping for a refund, she sent email to Meyrocorp but got only automated replies. "I never got a dime back from them," says Ms. Brophy, a 37-year-old restaurant hostess from North Port, Fla. Meyrocorp couldn't be located for comment.
What started out as a small-scale racket to defraud computer users is becoming big business. Rogue antivirus programs -- also known as "scareware" -- had a banner year in 2008. A recent report published by Microsoft Corp. found that scareware infections increased 48% in the second half of 2008 compared with the previous six months, hitting nearly 8 million. One program turned up on 4.4 million unique computers, a 66.6% increase over the first half of the year, according to the report. The Anti-Phishing Working Group, an industry association, said the number of scareware programs more than tripled from July to December 2008, to hit 9,287. Experts expect attacks by scareware purveyors to climb higher this year. "The reason is because they are making an awful lot of money," says Dave Marcus, director of security research and communications at McAfee Inc.'s McAfee Avert Labs.
In a common scenario, a user visits a legitimate Web site and is redirected to an unrelated site claiming to sell antivirus software; there, what appears to be a scan for malicious software, or "malware," begins. The fake scan concludes that the user's computer has a malware infection and says that, to fix it, the user must pay a fee, often about $50, to download antivirus software. What the user usually gets is a form of malware that actually does infect the computer. "It's essentially a program that tricks you into buying it," Mr. Marcus says. "The end game is to get you to pay the fee." Security experts say scareware distributors often work with the programmers who write the bad software; the distributors get paid per download, earning in some cases hundreds of thousands of dollars a year. Fraud isn't the only risk. If a user's Web browser and operating system aren't current and secure, they are vulnerable, even if the user never agrees to a download. Often, just clicking on a fake warning or visiting a fake antivirus Web site is enough.
(snip)
In December 2008, the Federal Trade Commission sought and received a temporary restraining order from a federal court in Maryland against two affiliated companies that allegedly worked to trick consumers into purchasing and installing scareware. The complaint named Innovative Marketing Inc., of Belize, and ByteHosting Internet Services, of Cincinnati, alleging they sold programs with names like WinAntivirus, DriveCleaner and XP Antivirus. According to the FTC, the companies allegedly placed ads on legitimate Web sites that directed users to bogus antivirus Web sites. The FTC says it believes the alleged scam involved more than a million consumers and netted the companies more than $100 million. The Maryland court has frozen the companies' assets. Innovative Marketing couldn't be located for comment, and the company hasn't been represented by legal counsel in court. Christian Jenkins, partner at the Cincinnati law firm Minnillo & Jenkins who is representing ByteHosting, declined to comment on the case.
(snip)
Another tactic is to game search engines. Scareware distributors often scour the Web for popular search terms, says Luis Corrons, technical director for Panda Labs, a division of Panda Security. Then they get their fake antivirus sites to the top of the search results. For example, some have been buying up Internet domain names related to the Conficker worm, hoping computer users looking to remove the worm will stumble on the fake sites, says Jose Nazario, manager of security research at Arbor Networks, a Chelmsford, Mass., network-security company.
(snip)
http://online.wsj.com/article/SB123976230407519659.html (subscription)
Printed in The Wall Street Journal, page D1