Obviously it’s all a huge scam but there are people out there who might be frightened enough to fall for it. This isn’t a new scam. It seems to come up again every few years. Fear is something scammers love to use against their victims. That’s the reason fake anti-virus, anti-spyware, and registry cleaner malware is so popular. Scare someone into thinking their system is infected with tons of malware and only your program can clean it up and they just may be willing to hand over $30. This type of scam has been going on for hundreds of years. Remember the snake oil salesmen of old? They’ve got a new type of snake oil and a new platform to hawk it on, but it’s the same old scam at heart.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Spam Campaign Features Extortion

The fake antivirus programs are known as scareware because of their technique of performing a fake antivirus scan on the computer, scaring the user by alerting them to virus infections that don’t really exist, and then offering to sell the victim software to remove the non-existent infections and protect from them in future.

The victim gives up credit card details for software ranging from $30 up to $100, but the real outcome is that their computer falls under the control of the spammer to grow their botnet.

Security analysts estimate that many tens of millions of computers have been taken over by spammers using these tactics.  Conservative estimates at the low end of the fake antivirus pricing suggest this could be a $1.2 billion industry for spammers and malware authors around the world.

As the criminals rake in these profits and computer users fall victim to such schemes every day there are calls for more to be done by Microsoft to protect their customers who are running Windows operating systems.  Microsoft has taken some recent steps such as offering a $250,000 reward for information that leads to the arrest and conviction of the Conficker authors.  More recently they released their free consumer malware protection called Microsoft Security Essentials.

However some commentators think that further steps are needed.  It is suggested that a whitelist of safe security products and vendors be created and included with Microsoft Windows so that it can detect fake antivirus software and prevent users from installing it.

This move would be welcome by many consumers and IT professionals but not necessarily by the security vendors themselves.  New vendors and products may be stalled by any certification process that would be required to be added to the whitelist.

Some existing vendors already have a frosty relationship with Microsoft as the software maker continually encroaches on their market territory with features such as Windows Firewall and Microsoft Security Essentials.  Any bottlenecks in the process would certainly bring claims of anti-competitiveness down on Microsoft.

Finally there are the costs.  Vendors will not incur additional costs in their software development and release process without passing that on to consumers.  Although the argument could be made that even an additional cost to consumers may be far less than what is currently being ripped off from victims by the spammers today.

At the very least, keeping those profits out of the hands of criminals would be a positive outcome.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Fake Antivirus Software a $1.2 Billion Industry

A phony Windows alert is used to defeat CAPTCHA.

A new variant of one of the Internet’s most widespread pieces of malware, Koobface, has surfaced in the wild, according to academic security researchers. In this latest twist on a familiar theme, the worm’s authors have added new ways to siphon cash into their coffers through click fraud and scareware.

University of Alabama, Birmingham, researchers discovered the variant of the worm, which first appeared in 2008 and since that time has infected an estimated 2.9 million machines, during their continuing study of the abhorrent application aimed at victimizing members of social networking and blogging sites.

As is typical with this kind of scheme, it starts with spam. Unlike the common cookie cutter junk sprayed across the Net into inboxes, pitches from Koobface have a devious similarity to a genuine message from a Facebook friend. One of the suspect subject lines identified by White Hats is, “Wow! Are you realy in this video?” Since the message contains the name of a Facebook friend, a recipient’s inclination is to click on the link in the missive’s body. A close examination of the link, though, will reveal that it contains a colon.  Colons in Web addresses usually mean redirection to another URL. Facebook links don’t do that.

In addition to suckering innocents through email, the worm will also post its poison link to a Facebook user’s wall with a comment such as, “Look at this video I caught of you!”

Clicking on the link will send the Black Hat’s target to a bogus but visually authentic Facebook page. To calm any anxiety a guppy may have when arriving at the page, not only is the friend’s name displayed there, but also their picture clipped from their Facebook profile page. Once connected to the perfidious page a number of things can happen.

• A message may pop up saying a new version of Adobe Flash is needed to view the video and showing a download button. Clicking the button downloads the malware, which has the filename setup.exe and will run on computers operating under Windows 98, ME, NY, 2000, XP and Server 2003.
• A message may pop up saying your computer is infected with a virus and showing a download button for anti-virus software. Clicking the button downloads the malware.
  When the messages pop up, a target may get cold feet and decide to bolt from the scene. In some versions of the malware, though, it’s already too late. Once connected to the infectious page, the pernicious program will automatically pollute its target.

After infecting a machine, the black app will use the unit to perform various villainous activities.

It will monitor browsing activities. When a target logs in to a social networking site, it will snatch that information and use it to send spam with unseemly URLs to the victim’s friends.

Some variants will scan cookies stored on a machine looking for logins to places like MySpace, Hi5 Networks, MyYearbook and Bebo. It will deploy the logins to enter the websites. After breaking into the sites, it identifies a user’s friends and sends an HTTP POST to an outlaw server that dispatches spam to them.

It will also attempt to create phony accounts at Net stops like Tweeter, Facebook and Blogspot. That requires a bit of clever manipulation.

These days most websites guard against spam exploitation by something called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). It uses a graphic of some distressed letters and requests a keyboard jock to type the letters into a form. Automated systems, like spambots, can’t read the letters, but human eyeballs, theoretically, can. Sometimes the letters are so distressed that not even the human eye can make them out.

When Koobface encounters a CAPTCHA challenge, it uses social engineering to bypass it. The malware sends a pop up to one of its infected machines. The pop up looks like a genuine Windows system alert. The alert contains the CAPTCHA graphic from the site in which the app noir wants to set up an account with the instructions, “Enter both words below, separated by a space.” To prompt the target to act expeditiously, there’s a countdown timer below the CAPTCHA graphic with the warning, “Time before shutdown.” A user, fearful of an involuntary interruption in their work, quickly types in the letters. The malware then takes what’s been typed, fills in the CAPTCHA form at the target site and sets up a new account without the user any wiser to what happened behind the scenes.

In addition to stealing personal information from infected users, the malware also has some cash grab components.

It will pop up a scare screen informing the user that their machine is infected and they should immediately buy some phony anti-virus software to cure the problem. Not only can cash be collected from the sale, but the user’s credit card number can also be snatched.

The sinister software will also compromise Google search results to facilitate click fraud. When the user performs a search, the results look genuine. The links, however, actually lead to Web sites that pay webmasters for referring users to the sites.

Koobface has been very successful so no doubt malmasters will continue to introduce variants in the future.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Koobface varient in the wild

Many of the URLs are unusual, often with several numbers and from Polish domains. When the searcher clicks on the link, they go to a web page where they become a victim of a drive-by download, which is designed to cause the victim’s computer to generate pop-up ads and issue a security warning. The warning tells the victim they have a virus, and must purchase a security program.

The combination of Polish domains and automotive results is what caught my eye on this issue. Curious Polish domains concerning automotive care are no stranger to me. A Google search on my name will serve up hundreds of articles and links to my books, as well as links to Polish web sites that talk about automotive repair. But, in my case, it’s not scareware, it’s just because my last name is strikingly similar to the Polish word used for an auto body repair shop. 

But aside from that curiosity, the bogus URLs are a real threat, and one of the only web site spam attacks out there that actually target a specific brand. So if you’re looking for a part for an old Ford Galaxie, and you see a link from a Polish domain, it can be one of two things. It may really be someone in Poland that has a legitimate web site to sell car parts. You may even be directed to a “blacharstwo,” or an auto body repair shop. Maybe one of my relatives. But more than likely, it’s part of a scareware scam.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers gaming Google, beware of strange Polish domains in search results