Warning: Cyber thieves are using fake security alerts to scare you into buying their worthless software. Security experts call it “scareware,” and it’s a growing problem.
These bogus warning messages are designed to look exactly like the real ones you get from your computer. The fraudulent alerts usually say your machine is infected with a virus, spyware or some other form of malware and you need to install special software to remove it.
Click “OK” or visit the Web site listed in the message and you will land on a site that offers a free scan. It will find security threats — it always does — even when there are none on your machine. Of course, you don’t know that.
In order to “remove” the infections you must buy the product being sold on the site for $39 to $49. Take the bait and you can run a program that appears to fix things. But again, it’s just high-tech smoke and mirrors. Nothing is happening.
“If there’s something wrong with your system it would still be there and you would be potentially exposed to other nefarious things coming to you at a later time,” warns Richard Boscovich, a senior attorney with Microsoft’s Internet Safety Enforcement Team.
Internet criminals don’t use scareware only to trick people out of money. It’s often an easy way to install Trojan horses — programs that will secretly download more malicious software onto your computer.
An extensive problem
Scareware isn’t new, but the problem is rapidly getting worse.
A just-released “Rogue Security Activity Report” from Fortinet, a network security appliance company, shows millions of attempts a day to sell this useless software. In fact, just two scareware sites tracked by the company — XP Security Center and AntiVirus XP 2008 — accounted for nearly a third of the total malware volume in July and August of 2008.
“You can see the numbers have literally exploded,” says Derek Manky, the Fortinet security research engineer who wrote the report. “And we don’t think they’re going to stop anytime soon.”
How much money is being made this way? No one knows for sure, but Fortinet offers this calculation based on what it believes to be a conservative estimate. If you assume just 10 percent of the people who visit a scareware site buy the software for $49.99, it would generate approximately $1.2 million a month.
On Monday, Washington state sued two Texas corporations doing business as Registry Cleaner XP. According to the lawsuit, the companies use “unfair and deceptive acts or practices” to sell software that does nothing to find or fix computer problems.
The pitch starts with a misleading warning: “CRITICAL ERROR MESSAGE! — REGISTRY DAMAGED AND CORRUPTED.” To fix this problem, the message says, open Internet Explorer and type in the Registry Cleaner XP Web address.
Senior Counsel Paula Selis of Washington state says the site’s free scan is a sham. “The scan runs and it always identifies 43 errors,” Selis notes. “These are fake errors. It doesn’t matter if it’s a completely clean computer or a computer that has 100 errors, it always shows 43.”
To fix these non-existent errors, you need to purchase the company’s software for $39.95. Buy it and run the “fix errors” program and in seconds Registry Cleaner XP will show it has repaired all the errors. But the lawsuit alleges that the software didn’t do a thing because there were no errors on the computer in the first place.
I contacted the company for a comment, but have not heard back from them.
Microsoft takes up the fight
To create the illusion of legitimacy, scareware messages often use the words “Windows” or “XP” or a graphic that looks like the Windows Defender shield. “This tarnishes Microsoft’s reputation and affects our customers,” says Microsoft attorney Boscovich. “It is something we are very, very serious about eliminating.”
Microsoft recently sued several scareware vendors under Washington state’s Computer Spyware Act, which makes it illegal to mislead users into believing software is necessary for security.
“We definitely want to send the message that if you’re out there and you do this to consumers, we’re going to do whatever we can to find you and stop this kind of practice,” Boscovich says.
By the way, this is not just a problem for Microsoft. Some scareware is specifically designed for Apple’s Macintosh products. Earlier this year the Internet security firm Sophos warned about Imunizator and MacSweeper, two scareware programs that target the Mac OS X platform. The bogus alerts falsely claim privacy problems have been discovered.
“Cybercrime against Mac users may be small in comparison to Windows attacks, but it is growing,” writes senior technology consultant Graham Cluley in that Sophos alert.
There is nothing you can do that will completely prevent scareware messages from popping up on your screen.
The best you can do is to keep your operating system, firewall, antivirus and anti-spyware software up to date. You need to make sure your system is set to receive automatic updates. For security software, that means an active (paid) subscription.
And remember how to spot the scam: The warning message tells you to go online to an unfamiliar Web site for a free scan and then you are told to pay money to download software to fix the problem. Before you do anything, stop, close the message window and check it out.