Fake Antivirus Software a $1.2 Billion Industry

Written by Paul Cunningham on October 21, 2009

Security vendors are warning of a wave of ’scareware’ attacks that use false Conficker alerts to trick victims into installing fake antivirus software on their computers.

The fake antivirus programs are known as scareware because of their technique of performing a fake antivirus scan on the computer, scaring the user by alerting them to virus infections that don’t really exist, and then offering to sell the victim software to remove the non-existent infections and protect from them in future.

The victim gives up credit card details for software ranging from $30 up to $100, but the real outcome is that their computer falls under the control of the spammer to grow their botnet.

Security analysts estimate that many tens of millions of computers have been taken over by spammers using these tactics. Conservative estimates at the low end of the fake antivirus pricing suggest this could be a $1.2 billion industry for spammers and malware authors around the world.

New Koobface variant in the wild

Written by John P Mello Jr on September 23, 2009

A phony Windows alert is used to defeat CAPTCHA.

A new variant of one of the Internet’s most widespread pieces of malware, Koobface, has surfaced in the wild, according to academic security researchers. In this latest twist on a familiar theme, the worm’s authors have added new ways to siphon cash into their coffers through click fraud and scareware.

University of Alabama, Birmingham, researchers discovered the variant of the worm, which first appeared in 2008 and since that time has infected an estimated 2.9 million machines, during their continuing study of the abhorrent application aimed at victimizing members of social networking and blogging sites.

As is typical with this kind of scheme, it starts with spam. Unlike the common cookie cutter junk sprayed across the Net into inboxes, pitches from Koobface have a devious similarity to a genuine message from a Facebook friend. One of the suspect subject lines identified by White Hats is, “Wow! Are you realy in this video?” Since the message contains the name of a Facebook friend, a recipient’s inclination is to click on the link in the missive’s body. A close examination of the link, though, will reveal that it contains a colon. Colons in Web addresses usually mean redirection to another URL. Facebook links don’t do that.


Spammers gaming Google, beware of strange Polish domains in search results

Written by Dan Blacharski on April 17, 2009

Next time you do an Internet search to find a part for your old classic Ford, be careful what links you click on. Recent reports highlight an interesting technique for sending out spam ads by gaming the Google search engine. The spam operators target people using the Google search engine to search for Ford and Nissan parts. After a search is conducted, the results are full of spammy sites that won’t sell you a carburetor, but will download malware onto your computer and try to sell you a bogus anti-virus program. 

Many of the URLs are unusual, often with several numbers and from Polish domains. When the searcher clicks on the link, they go to a web page where they become a victim of a drive-by download, which is designed to cause the victim’s computer to generate pop-up ads and issue a security warning. The warning tells the victim they have a virus, and must purchase a security program.

The combination of Polish domains and automotive results is what caught my eye on this issue. Curious Polish domains concerning automotive care are no stranger to me. A Google search on my name will serve up hundreds of articles and links to my books, as well as links to Polish web sites that talk about automotive repair. But, in my case, it’s not scareware; it’s just because my last name is strikingly similar to the Polish word used for an auto body repair shop.

But aside from that curiosity, the bogus URLs are a real threat, and one of the only web site spam attacks out there that actually target a specific brand. So if you’re looking for a part for an old Ford Galaxie, and you see a link from a Polish domain, it can be one of two things. It may really be someone in Poland that has a legitimate web site to sell car parts. You may even be directed to a “blacharstwo,” or an auto body repair shop. Maybe one of my relatives. But more than likely, it’s part of a scareware scam.