Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Reducing Squid Odor |
| Micromorts »
February 7, 2011
Scareware: How Crime Pays
Scareware is fraudulent software that uses deceptive advertising to trick users into believing they're infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn't real, and the software they buy is fake, too. It's all a scam.
Here's one scareware operator who sold "more than 1 million software products" at "$39.95 or more," and now has to pay $8.2 million to settle a Federal Trade Commission complaint.
Seems to me that $40 per customer, minus $8.20 to pay off the FTC, is still a pretty good revenue model. Their operating costs can't be very high, since the software doesn't actually do anything. Yes, a court ordered them to close down their business, but certainly there are other creative entrepreneurs that can recognize a business opportunity when they see it.
Posted on February 7, 2011 at 8:45 AM
• 55 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Plenty of gullible people out there. Although I often wonder if some of the malware and viruses aren't coming from the very folks who sell legitimate anti-virus/anti-malware programs. Got to keep business booming, you know.
When I worked technical support at a call center, I'd get at least one or two calls about this sort of scareware a shift, and in two years I can only recall one customer who'd actually bought into it. We didn't have a script for the issue, so I got to improvise- and I always told them they had one infection- the scareware- and ran them through some basic antivirus drill.
The part that always tickled me was the scareware that fiddled with browsers so that it redirected to fake tech sites lauding the scareware programs.
I ran across something like this with a friend's PC, so I was trying to diagnose the problem remotely.
The software running on XP would take over the whole shell session, leaving non-expert eyes no choice but to make the purchase. Even for me, in remote and unknowing of this type of "attack", it was impossible to understand what was going on.
When I got to see myself what was going on, I must say I was almost confused by the apparent Microsoft new product. Yet ALT-F4 did it's job
So there is some level of quality being made into it; I am not surprised to see so many purchases of such scareware / fakeware product.
But common sense says those guys should lose everything, definitely not get away with a simple fine.
Not sure it could be considered a proceed of crime, though.
So, their revenue model is no different than the banks the feds bailed out ...
There are dozens of similar programs, and (like most spam scams) only need one out of a thousand people to make a tidy profit. But the software's security theater works . . . as a selling point.
Bruce, how about taking your term 'security theater' to the next level? A series on legitimate AV or AM software, contrasted to not-so-legitimate; and the parallels between those and physical security rules in our TSA (and other government) efforts at security and 'security'?
I'll show an even better revenue model to anyone who will send me $10.00 US.
I was amused the first time a web page told me my registry was corrupt. I was surfing on my Ubuntu box at the time.
Good lord! That's the most exciting new idea I've heard in years! It's so simple. it's brilliant! Well, if that revenue model of yours isn't worth ten dollars I'd like to know what is.
The only trouble is, you gave me the revenue model before I'd given you the ten dollars. And that's not good business.
I can understand why people get away with most cyber crimes, difficult to find/prosecute, yadda yadda...but when they have the perp, there's no excuse!
Fine should be at least double the stolen revenue, with half going to the victims, and some punitive jail time should be included.
Just think if RIAA cases worked this way...lets see...24 songs, times $.99...total damages = ~ $24, you are ordered to pay $5.
Bruce, scareware & fake AV are more prevalent than ever. I did an article on Fake AV - just the 70+ Y2010 variants - and I also collected the mediation links for these at http://securityskeptic.typepad.com/...
Just because they collected $40 doesn't mean they made that much in profit: there's advertisement, hosting, processing fees that increase the cost.
One more question is whether anything was actually collected. Regardless of punitive damages the defendant might simply default...
I ran into a fairly sophisticated version of this in the past month on a family pc. It disabled the valid McAfee and Microsoft AV software, disabled Internet access unless you used IE, would close Task Manager or any other program you tried to run an instant after you ran it.
All in all, it took several frustrating hours for me to get rid of software someone dreamed up as a way of making a living.
"I often wonder if some of the malware and viruses aren't coming from the very folks who sel aren't coming from the very folks who sell legitimate anti-virus/anti-malware programs. Got to keep business booming, you know. egitimate anti-virus/anti-malware programs."
Let's put it this way with something like 500 new viruses a day according to some of the AV vendors I can see why a lot of people might think that way.
@Bruce K. Marshall
That's not just scareware ... that's a rootkit. Quite a bit more sophisticated that the average scam.
You mean those are fake?!!
I find it interesting that the complaint and the case were grounded in the claim of false advertising, rather than distributing malware or a virus.
It wouldn't take much of a change for the software to actually scan the registry or some such, even with false (or sloppy) results. Yet such a simple change would probably strengthen the defense's case. After all, the FTC is not arguing intent, but the functionality of the software. Consent also appears to be a main point in the complaint.
Reminds me of the "American greetings" issue - software that behaved like a virus in several ways, except that the user had to click ok on a popup to allow it to operate. That gave the creator leverage against the antivirus companies, who chose not to detect American Greetings as a virus.
It seems to me that it is easy for an attacker to shift part of the focus from a purely technical attack to social engineering. In essence, if you get the user to digitally agree with you, then the technical action of the software is mitigated. Kind of like a car salesman selling a lemon. And hybrid attacks are common these days.
It just goes to show that there need to be better standards for how software should behave, and the developers must be accountable.
@mcb - depends. If they pretend to be Microsoft messages telling you that you need to buy a $40 virus cleaner because you have a virus then yes they are fake.
If they really are from Microsoft telling you that you need to buy a $200 new operating system because the new one is more secure against viruses then those aren't fakes.
@Francois: "I find it interesting that the complaint and the case were grounded in the claim of false advertising, rather than distributing malware or a virus...."
These particular persons did not distribute malware. Their popup internet ads did not cause harm to any computers. They simply lied about the presence of malware and sold an application that did nothing except pretend to remove malware. This is false advertising, not anything else.
Similar scams involved the installation of actual malware followed by requests to purchase anti-malware utilities. Perpetrators of those scams can be charged with malware distribution, damage to property, and false advertising.
@Francois: - these are the ones that popup a copy of a windows message box and claim you have a virus which they will fix.
If they said 'you MIGHT be infected' buy our program to check then presumably they would be in the clear - just like any other anti-virus maker. None of them are prosecuted for false positives.
"You mean those are fake?!!"
The last time I said that without thinking I got my face slapped ;)
I might not call it malware, exactly, but I would not call it benign. It's a fine line, which is indeed my point.
If you are asserting that the complaint does not say they are distributing malware, you are correct. If you say they are not under prosecution from anyone else for distributing malware, you are probably right.
However if you are asserting they are not actually distributing malware, I think there is room for discussion. The complaint is not just about the ads but the software itself.
You could say the intent was not malicious, but only deceptive, and you could say the same about the software. I would argue that the deceptive aspect alone implies malware. I would also argue that AV companies should classify the applications as low-level malware.
Thank you for supporting my point.
I for one am quite happy with this sort of stuff because it gets me (at least) a quality meal and some fine wine every time I get called over by friends or relatives faced with such a problem. I make them happy, they give me food, respect and appreciation. Sometimes they even take my advice and get rid of Windows. You hardly ever get that on the job.
@ Dr T
"This is false advertising, not anything else."
In the US, it is fraud as well. The main definition of fraud is that a person or vendor lied to a customer to sell a good and which caused a financial loss for that customer. Many people have been convicted of fraud for confidence crime, which is essentially what they did. Many corporations have been fined for this as well.
I don't see why the government is just treating this as false advertising rather than shutting down the company and pressing fraud charges against the owners. I must be missing something that would shed light on this.
@Nick P - I'm guessing that false advertising is an easy conviction while extortion, fraud, etc would take more proving, more cost the prosecutor and a less certain win.
It would be better for the consumer long term - but even the law only cares about the next quarter's number.
How is this any worse than homeopathy, horoscopes, and various religiosity of the pay-for-salvation kind?
Please tell me how these parasites don't get life without parole or worse? These and those that prey on the elderly.
I love these scams. it keeps life entertaining and gives me something to laugh about.
Two days ago I had a call on my mobile and the guy at the other end is screaming something in Mandarin,I stopped him and said that I didn't speak Mandarin so he repeats the message in broken English .
The message was
"I have stolen you boy and I'll harm her if you don't send money now to this bank account", for effect there was this child screaming Ba ba ba in the background.
He got completely pi**ed off when I started to laugh, and couldn't understand why, so I politely explained that my boy does not speak Mandarin and never calls me Baba!
Face it, these attacks, cyber or otherwise, are a tax on the gullible.
> Face it, these attacks, cyber or otherwise, are a tax
> on the gullible.
Mmmm... any tax is a tax on the gullible. If people weren't so gullible en mass, there would be no taxes.
I don't understand US courts:
* People actually lost $40 million and the bad guy has to pay only $8.2 million to settle the case.
* People download stuff which they never would have bought in the first place and the companies cry about "possible revenue" loss.
Someone near to me had this problem.
It completely took over the computer..Task manager wouldn't work, the desktop wallpaper was some threatening message to "Pay up, you have spyware!", installed AV program was compromised. The computer was useless at that point.
After trying several solutions?
MalwareBytes Anti-Malware killed it in Safe Mode. Superantispyware didnt find it, neither did Comodo Internet Security. I dont think Spybot caught it either.
"a tax on the gullible"
I love that way of phrasing it. It seems that most malware infections I've read about or dealt with were a "tax on the gullible." Unfortunately, the gullible have the purchasing power to buy PC's that can be used in DDOS and other attacks against the less gullible. This makes me wonder about what a person said in the past: people should be required to pass a test and get a license for a PC, like they do when driving a car. The rationale is that they were just too dangerous to other people on the "road" (now read: info super highway).
The counterpoint? How many people drive daily the way they did during the driving test? Or remember anything significant on the written test? Yeah, maybe a computer license won't help that much...
Install Ubuntu 10.04.1 LTS... Solved.... Namaste...
And anyone moaning about end-user learning curve, support etc etc should try it once first...
NB: Obviously only for home comps, not work...
"If they really are from Microsoft telling you that you need to buy a $200 new operating system because the new one is more secure against viruses then those aren't fakes."
Oh, I don't listen to Microsoft ever since I forwarded that email to my entire address book and Bill Gates never sent me my check.
@CHK: You've just given me a great idea. I'm going to start selling Homeopathic Anti-Virus Software! Each disk will include a real computer virus, potentized by diluting it 100,000,000-to-1. The software itself will be perfectly safe; statistically, the 10MB executable will contain less than a single bit of the original virus. But the dilution will contain the virus's vital energy and inoculate your PC. Look for Serpentis Lubricum brand AV software soon!
Ah, the UNIX haters handbook! A great testament to how much time has been wasted on UNIX. And after a billion $ of investment some of these problems are STILL in UNIX\Linux. It's a fail by design and poorly architected.
@Chelloveck - there's no need for that if you pay for my service which will align your computer in a more harmonious direction to promote the flow of positive fluffiness through it's circuits.
My mom got hit by fake AV malware not too long ago. When I tell non-IT people about this, most of them seem to have no idea that fake AV malware has been a huge trend for the last few years. Most of them have never heard of such a thing.
Here's one instance where I wish the mainstream press would cover an IT issue... instead of trying to terrify people over a Chinese-led cyberocalypse or sexting or whatever the threat du jour is, I wish we could see a front-page article telling people to watch out for fake AV... that might actually help some people.
FWIW, I'm running ubuntu 10;04 on a medium sized network, even using it for day trading my life savings. Zero successful attacks so far in any version going back to 7.04. This is not to say it can't be attacked. It's attacked second by second if my logs are telling me the truth.
But only windows (running in virtual box on a linux host) has actually ever succumbed to an attack, and that several times. I wouldn't run it if it weren't the only way to support some old physics hardware I have. In fact, some of the attacks come in the form of Microsoft updates designed to ruin non MS software in the name of security, since rolling those updates back restores functionality again.
I don't use noscript, I do use adblock, and I have flash (but don't use adobe reader). I don't surf to weird places much, and kind of pay attention to any flaws I hear about and take care of updates.
I've had to pull the virtual plug on the windows virtual boxes to keep them running, though.
No network access for your promiscuous opsys butt.
No particular axe to grind here, but I will say this. I'm the neighborhood IT guy and if you run linux, I charge zero, and do very little work in support of it, 90% of which is cameras with bad SD cards or printers out of ink -- zero in the main box/opsys.
And, like Dirk, I get free meals and other considerations for doing it, works out nice for all.
If they have windows, I have to charge and do a lot of extra education to keep them free of trouble, which at least slows down the rate of their inevitable eventual need for a total wipe and re-install of everything. Boy does the whining go up when they find that they'll have to find and re-download all the cutsie malware that caused the trouble in the first place if they want their mouse pointer to look like a kitten or something similarly ignorant.
Those are just facts. Yes, Linux can surely be cracked, but the reality is, no one does it in the wild very much. In a lot of computer-years of experience (including ones owned by computer illiterate people) this is simply how the truth rolls out. And the so called re-training issue is more or less a non-starter -- no problems there. I've had to train some how to work with images, and in that case, it didn't matter what the opsys was, they just didn't know anything at all. So, some training, no re-training at all, zero, nada.
I had to laugh on that linux haters thing (have to read it through, to get all the laughs). Like how to make your computer run as slow as an IBM PC.
Yeah, right, try adding the required AV software to a windows box -- slower than that, while ubuntu is fast enough to run that *and* windows in a virtual box at the same time, both fast -- because with no network access for windows, no av software there either.
@ Doug Coulter
Nice points. I do prefer Enterprise Linux distro's in business and sometimes on personal machines. Most of the benefits you've mentioned are due to the obscurity of desktop Linux, much like Mac's worrying little about wild malware. It's definitely safer at the moment, which is why I'm running a hardened Ubuntu. (Probably switching to Fedora or a custom kernel, soon, for improved security and more mature codebase.) But since you mainly mentioned Linux's positives and Window's negatives, let me take the other approach.
"Yeah, right, try adding the required AV software to a Windows box"
Try adding all those API hooks and stuff to a Linux box and running virtual windows. My WinXP GUI was much faster than the Ubuntu system that replaced it and easier to configure. Win7 was faster too on the same box, even while running an Ubuntu browser VM. I guess it depends on your configuration.
As for support, I'm surprised you get zero support costs. If you install and configure their apps, and they only use a few basic apps, the support cost is minimal. However, I get calls from friends regularly about software just doing weird stuff on Linux it doesn't do on Windows. Dropbox asking to reinstall just because a partition is on automount. Occasional frozen and damaged GUI due to graphics drivers. Last month Ubuntu 9.04 randomly killed by ext4 filesystem and I couldn't recover it. Lost a little data. Then, there's weird stuff like random failures of multimedia, hardware issues, etc. Windows 7 and Mac OS X few of these problems, esp. thanks to strong vendor support. Only bland enterprise distro's meet this level of stability, although you do still have the wild malware issue on Win7 boxes (less than before, though).
"I had to laugh on that linux haters thing (have to read it through, to get all the laughs)"
I did too. I was shocked when I found that we were still trying to solve some of the problems that UNIX had 17 years ago. Here's a few: harder to use; inconsistency; buggy programs; bloated, clunky and slower GUI than others; pipes/scripts over real programming; large TCB; security and configuration issues with basic services. Compare that to the ultra-reliable, nearly virus-proof Multic's OS. Compare that to the then-available NextStep platform: easy-to-use; very reliable; fast GUI; tons apps that work; fewer configuration issues. The LISP machines took a while to load, but virtually never crashed and the OS/apps could be debugged and modified *while the system was running*. Mainframe class OS's have still proven more reliable in operation than UNIX servers, some running 30 years without a loss of service.
Today's OS researchers have pushed things even further. QNX is basically UNIX with a tiny kernel mode TCB, decomposition into servers (makes POLA easier), and self-healing capabilities (MINIX has that too). EROS, Polaris and CapDesk approaches use capabilities to reliably enforce POLA in a way lay people can use. INTEGRITY's design makes exploiting the kernel or starving kernel or apps of resources nearly impossible. PikeOS can simultaneously and securely run C++, Ada, Java, POSIX, or Linux applications with techniques to prevent resource starvation or security flaws. SourceT uses Itanium's compartmentalization and a reverse stack (like Multics) to make virus's and data leaks relatively harmless. The recent use of RTOS's as hypervisors prevents and contains many attacks with little additional burden on the user.
So, I think the UNIX hater's handbook was right. I mean, many problems were eliminated or made better. But look how much effort it took to fix a fundamentally flawed system and bolt-on security and reliability. The other systems are more secure/reliable by design and encourage a development approach that reduces the privileges of applications and doesn't place a large security burden on the user. Most of it is invisible and just works. Most Linux distro's can't say the same with a lot of confidence even after a decade of investment and improvement. Something's gotta be wrong there... just sayin'...
@ Doug Coulter
On a lighter note, there was certainly some funny stuff in there. I figured I'd post my favorite one so everyone could get a good laugh on it. It's a false confession of sorts that feels like it could have been true, like all good April Fools jokes.
In an announcement that has stunned the computer industry, Ken Thompson, Dennis Ritchie, and Brian Kernighan admitted that the Unix operating system and C programming language created by them is an elaborate April Fools prank kept alive for more than 20 years. Speaking at the recent UnixWorld Software Development Forum, Thompson revealed the following:
“In 1969, AT&T had just terminated their work with the GE/AT&T Multics project. Brian and I had just started working with an early release of Pascal from Professor Nichlaus Wirth’s ETH labs in Switzerland, and we were impressed with its elegant simplicity and power. Dennis had just finished reading Bored of the Rings, a hilarious National Lampoon parody of the great Tolkien Lord of the Rings trilogy. As a lark, we decided to do parodies of the Multics environment and Pascal. Dennis and I were responsible for the operating environment. We looked at Multics and designed the new system to be as complex and cryptic as possible to maximize casual users’ frustration levels, calling it Unix as a parody of Multics, as well as other more risque allusions.
“Then Dennis and Brian worked on a truly warped version of Pascal, called “A.” When we found others were actually trying to create real programs with A, we quickly added additional cryptic features and evolved into B, BCPL, and finally C. We stopped when we got a clean compile on the following syntax:
“To think that modern programmers would try to use a language that allowed such a statement was beyond our comprehension! We actually thought of selling this to the Soviets to set their computer science progress back 20 or more years. Imagine our surprise when AT&T and other U.S. corporations actually began trying to use Unix and C! It has taken them 20 years to develop enough expertise to generate even marginally useful applications using this 1960s technological parody, but we are impressed with the tenacity (if not common sense) of the general Unix and C programmer.
“In any event, Brian, Dennis, and I have been working exclusively in Lisp on the Apple Macintosh for the past few years and feel really guilty about the chaos, confusion, and truly bad programming that has resulted from our silly prank so long ago.”
The most important avenue by which to target scareware authors is enhanced consumer protection and financial controls, to inhibit their business model, ensure prompt takedown and/or prosecution for violators, and limit non-reversible funds transfers to unvetted offshore beneficiaries in order to virtually extend the jurisdiction protected.
The enhanced financial controls can also fix spam, fraud, malware, online gambling, 419 scams, online/DDoS extortion rackets, and many other crimes, in addition to removing an advantage that offshore companies located in more lenient states have over companies subject to U.S. regulations.
Coupled with technological protection measures, such as a trusted tamper-proof recovery mode which can be activated to easily regain control of the system.
One method I imagine could be done for the exiting base of PCs is a bootable CD from a trusted source, such as Microsoft. The CD contains a tiny stub loader which never executes any code on local storage. Once the disc is booted, it looks for a network connection, downloads the latest signed instructions from the OS vendor, and restores the OS to pristine condition.
I can't WAIT until I get a Cr-48 notebook.
I think there's more to Linux being attack resistant than just security by obscurity, as many linux boxes are high value targets after all. Things like file system permissions built in. And chroot...
But recently, the "gui-ness" has gone to things like automounting and autothumbnailing which will provide new attack vectors just like it did in windows. Luckily, that's easy to turn off.
I note interestingly that the Unix haters book made quite a few comparisons to Unix of the DEC and Sun days to much more modern opsys, probably from a lack of historical knowledge. Me, I started on PDP-8's before *any* of this, and have watched it all along. All of it. Many of the whines are no longer true, at any rate, or only true if you're into doing things the old, hard way (and auto flagellation). So easy to forget that things like garbage collection weren't acceptably fast for the older slower machines, and caused problems of their own -- computer goes off on a demented error of it's own doing that while real time deadlines get missed. And interpreted languages of any kind were all far too slow for anything that needed real work.
A funny -- I employed an older guy here (and that means really older, as I'm no spring chicken) who was an absolute whiz at every scripting language, every shell, sed, awk, you name it. He was constantly astonished how much quicker I could do things with the gui we now have than he could and he wasn't slow at all. Just stuck on the old ways of doing things. I mean, things like if I want to modify permissions or something on a big list of files in a directory but not all, say. A click on a sort header followed by a shift/mouse drag and a right click to invoke some script, bam, rather than trying to figure out a regular expression to just change the permissions on a set of files, wow.
But just the other day, I wrote some GTK+ perl code that would run on linux or windows -- no changes whatsoever required. The C version of that did need recompilation on windows to work, using of all things, gcc on windows (so still free). All used the same gui files generated from glade. So all that incompatibility whine is toast if the programmer is any good.
I programmed drivers for windows from 9x up, so I've seen the internals from the steamy, smelly underside (as well as tracing into the system dlls), including the use of SoftIce. It's not real pretty in there to say the least.
I guess we should be grateful not one of the opsys makers had a clue how to use all that nice virtualization stuff built into the cpus for the opsys and internal real security, or things like virtual box wouldn't be so easy to do. But we might then have opsys that worked right and not need those sandboxes either -- tradeoff in design there I guess.
I also write (tiny, simple) opsys myself for embedded cpu's, btw, so I know just a little about the topic. You can download them free on my site.
QNX was cool. I never wound up using it, but it was cool anyway. At that point, I was doing things that required writing my own systems with a different set of things at the top of the trade-off list. Being able to use a 1/2 size cpu in a volume app meant nothing much off the shelf was efficient enough for my customers, and this was real money involved.
Most of the folks I support didn't need *re* training, they just needed *training* at all. So that gave me a leg up on the situation -- I didn't teach them how to do dumb things that break the machines, and made them hard to break anyway by configuring them correctly for the intended use. Thing is, under linux it's a good bit harder to install software by accident off some random web site, and most of the stuff you can get kinda works, or at least isn't deliberately malware.
Synaptic (or the new software center in ubuntu) makes this pretty easy for even the dumber users to manage. Of course, since there's a lot of half baked stuff out there, sometimes it doesn't do them any good, as most won't do a big learning curve to figure out someones bizarre idea of a new revolutionary UI scheme that's intuitive only to the developer. I handle that by just giving them a good set of basic stuff that's easy to learn for the uses they need it for -- OO, Gimp, VLC and a couple of others. Some have gone over 5 years and never seen a command line (even when I'm there fixing something -- not so much need anymore). When they need more, they call me and I tell them what to type into synaptic or software center and push the go button -- problem solved.
We all know that 99% of the issues with multimedia on linux have nothing to do with linux, but with license fees and odd ways of avoiding them. I have a cheat sheet on how to get it all working on a new install that makes it pretty simple, and it seems very reliable after that, no support calls anyway -- and one household is using their box for a media center as much as anything.
I've had the pleasure of wiping many windows boxes and putting Ubuntu on them. Not one has run slower yet, all are faster, even when replacing xP, which was one of the better ones (9x was actually quicker within its mem/disk sizing limits, and smoother multi threading, but...all those other problems). And oops, Vista...enough said.
Haven't had the chance to compare win7, because none of them have gotten new boxes with the windows tax (I build them from parts) -- the ones I put together long ago still are so fast they don't feel the need to upgrade, and most will play a movie in linux, and one in XP (in virtual box) at the same time, no issues, only the fact that the sound is mixed from both in the same outputs because none have multichannel sound cards and I'm too lazy to set that up.
Not to try to steal eyeballs from here, but anyone who wants a clue who I am and what I do might want to take a look at
Or the parent site, which is older stuff (just skip the /forums). Security is about the only thing we don't mention there, as here is where you go for that one! Or Groklaw for things legal. We do science instead.
On a serious note, IMHO scareware on PC's is yesterdays problem. Think about how much larger the problem space will become when scareware morphs to Mobile and TV platforms.
Every TV chipset developer at the moment is working on "fully integrated IPTV" which includes all sorts of script function support and mixed IP and TV display functions. Imagine the havoc you can reek with some already confused elderly person watching "home shopping network" when targeted adds convince them they will buy the displayed necklace if they are the first to do send a $5 micropayment to your account. Imagine HSN trying to explain how the add substitution of mailing address / conditions had occurred using some TV virus (assuming they even understood what had happened)
Every Mobile chipset is working on including some sort of integrated payment system, add scareware to this and you have real potential for highly automated widespread mico-fraud.
Well I never thought one harmless comment would generate so much flak...
But I stick to my original point, if you are an average home desktop user, Ubuntu will
- Meet most of your needs
- Be more stable and virus-free via the default install then any Win setup (obviously not including virtualisation setups)
And I have read the UHG, some very deserved hates in there, but I don't think they invalidate what I've said above...
And, while this may sound a lot like MS, I must say
Security Vulnerability =/> Virus Infection
(that's the 'does not imply' symbol up there, I think ;-)
Although a technical audience may see a clear difference, to the non-technical audience the scam seems barely different from software that says you should pay now or you will be infected. And it is nearly impossible to for a user to confirm that the software (e.g. anti-virus) is doing anything.
@ Davi Ottenheimer,
"And it is nearly impossible to for a user to confirm that the software (e.g. anti-virus) is doing anything."
Because you left the word "benificial" of the end of your statment...
It is very easy to prove the quite significant negative impact anti-malware software has on most users machines, often with little more than a stop watch.
Some people have shown that actually some malware makes less of an impact on the users machine than the anti-malware software. In that once past the anti-malware it turns it off and installs appropriate patches to prevent other malware using the same attack vectors...
Also with some AV companies claiming to currently detect something like 500 new virus types a day it is easy to see that not only is traditional AV software falling well behind the curve but the "definition files" where getting so large that by the time you had downloaded them you had been infected...
I dread to think just how much bandwidth and time is chewed up not just by the malware but by the anti-malware as well. And to put it into context what it's effective carbon footprint is...
@ Doug Coulter
Now Id definitely go for it if i had a cheat sheet as good as wat u claimed. So u posted it in ur forums? Ill definitely check it out. Anything to reduce the tech support calls from friends and family. ;)
I bet u didnt expect it. But it all turned out well. Several people contributed a bunch of useful tips and tidbits. I think it has to do with the kind of people who blog here. I think it would have become a religious flame war on a more mainstream blog. We try to stick to the facts. Makes for a more productive blog.
I've seen this problem quite a bit out in the field over the last couple of years, as I did contract work for AT&T ConnecTech. The worst infection that I saw last year went something like this:
1. Install fake anti-malware software through an unknown vector. Kill the ability of the user to get on the Internet until they "upgrade" from the trial version
2. User was an elderly lady who was pretty computer illiterate, and she paid for the upgrade. It didn't remove the infection of course (since the software was the infection) so she called the tech support number for the product.
3. User was charged tech support fees by the hour for them to "troubleshoot" with her. These fees were not cheap. She finally gave up on them and called AT&T about it.
4. AT&T charges her by the hour to send me out. AT&T collects an up front fee of 2 hours, knowing that severe spyware infections will probably take longer than that to clean. In that sense they aren't any better than the malware creators, especially since they send out contracted local techs with no vetting of their qualifications to clean up infections. By the time I'm called in I'm usually the 2nd or 3rd tech to visit, and the user is paying by the hour for every trip. That was the case here. I was tech #2. By this point the user was out several hundred dollars between buying malware, paying for fake tech support, paying for incompetent AT&T support, and paying for me to come out.
5. The fake anti-malware was not just scareware, it was malware in its own right. It opened her PC wide up to further infection.
I cleaned up the infection. It ended up taking me two trips and a total of about 6 hours, 4 of which I did on my own dime because I felt sorry for her, but at least she could get on the Internet and chat with her grandkids again when I was done.
And what could be done about the fake software that she bought and paid for tech support for? Nothing. They cleaned her out for a couple of hundred bucks and I couldn't even find out where they were located. I tried calling the number that she had but it no longer worked. She said they all had foreign accents but she wasn't sure from where. I figured with a business strategy that bold they weren't operating out of any place that would prosecute them, so I didn't spend a lot of time trying to track them down.
People are getting smart with this scareware junk. All they have to do is get it on your machine then they can make the unsavvy user pay for it AND pay for tech support for it by the hour. The money just keeps coming in until the user finally realizes something is wrong. But that's OK with them, because as long as the scareware / malware is on your PC they can keep using it for ID theft, bots, or whatever they want. And they have absolutely no fear of getting caught. It's a cash cow.
Just for my own understanding, with an elderly user why would you even bother to try and clean the machine?
I know on my families computers I just re-format the disk and do a fresh install, or buy a new disk ($50) and install on that, then reload their private files (mainly pictures) off the old disk. It is not like they have any special unique software or databases on their PC's.
People here have gone over most of the comments I'd have on the topic except one.
Take a look at Symantec or McAfee's "security scan" products. These are downloads marketed as "free antivirus" by both companies, that will scan the system and tell you what infections you have. Then when you click the "Fix Now" button, they take you to a website to buy the maker's anti-virus product.
Add in the fact that these are often being piggy-backed on other downloads with an an opt-in checkbox defaulted to checked (I'm looking at you adobe reader), and they really look a heck of a lot like the scareware products being discussed here.
When the "good guys" are using identical tactics to the "bad guys", it's not surprising that the average clueless user could be suckered in. Better yet, both of these "security scan" products appeared, to my knowledge, *after* the scareware wave started ~4 years ago. Sounds like the marketing departments at Symantec and McAfee had a great idea fall in their laps.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.