Fake anti-virus scam is bigger than porn

Scareware takes advantage of the principle that a little knowledge is a dangerous thing, writes GORDON SMITH


FAKE ANTI-VIRUS software is now the leading earner for cybercriminals, a security expert has said. Sometimes called scareware, it’s designed to trick unsuspecting people into thinking their computer is infected with a virus and offers to clean their PC for a fee.

“The biggest moneymaker on the internet used to be porn. Today it’s the pop-up virus scam. Some gangs are making a million per week,” said Ed Gibson, formerly with the FBI and Microsoft, now a director at PricewaterhouseCoopers in the US.

Scareware can appear when a person receives a spam e-mail encouraging them to click on a link and the software is downloaded without their knowledge. In other cases, search results for popular subjects such as recent news events are “poisoned” so that links appearing near the top actually lead to sites hosting malicious software.


Typically, a message pops up on the person’s screen telling them their computer is infected and they have to download software to fix the problem. Costing anywhere between $30 and $50 (€21 and €35), the software is designed to look like a genuine anti-virus product and appears to scan the machine and fix the problem. Even Apple Macs, long considered to be immune to most computer viruses, are now being targeted by attackers, and fake anti-virus is their weapon of choice.

Scareware takes advantage of the principle that a little knowledge is a dangerous thing: it relies on people having some awareness that they need to protect their PCs from threats, and the likelihood that some will instinctively respond to a prompt to remove any virus without checking whether the claim is bogus.

Gibson said this, rather than technical flaws, remained the real weak link in most systems. “To people in Ireland and businesses in Ireland, the biggest threat is social engineering because applications and operating systems are so secure. That’s why we’re seeing continued reaffirmed efforts at social engineering you and me.”

His assessment was backed up by Robert McArdle, senior anti-virus researcher with Trend Micro. The security software company recently investigated fake AV tools designed specifically for the Mac operating system and uncovered 300 million redirected hits from 116 million unique users logging on to sites hosting the scam.

“We didn’t have access to the financial database part so we don’t know how many paid [the fee] but if only 1 per cent of these pay the $49.95 for the fake AV [anti-virus], it is $50 million for the bad guys in a single month.”

Security researchers are often wary of publishing exact figures particular gangs are earning because it could alert specific groups that their systems have been infiltrated by investigators. What’s not in doubt is that the problem is growing. Microsoft’s most recent security intelligence report revealed that in the second half of 2010, Microsoft security products cleaned fake anti-virus on 7.8 million computers worldwide.

Tackling the problem in a borderless environment like the internet is not easy because it needs co-operation between multiple jurisdictions. The Budapest Convention on Cybercrime is expected to be ratified in Ireland shortly, and this has provisions for harmonising law between countries and allowing for greater co-operation in tackling the problem. However, critics have questioned whether legislation can keep pace with the internet, as well as the absence of Russia and China among the signatories.

For now, authorities are left to try to stop the problem at certain choke points. Gibson visited Dublin recently to speak at a conference of the Information Systems Security Association’s Irish chapter. He told The Irish Times that in many cases, the obstacle to organised crime groups making more money from fake anti-virus is not the threat of being caught by law enforcement but the difficulty in recruiting people to withdraw the money physically from compromised bank accounts and send it to the criminals.

Gibson warned that the recession could make people more susceptible to falling for e-mail scams purporting to offer easy money for work as money mules. “That’s the only holdup on [gangs] making more money. They can’t find enough people to say ‘yes, I’ll take money in and wire transfer it out’. But in this economic climate that we have, it’s very easy to say ‘I can make a few extra euros by saying I’ll do this’.”

Another choke point is certain companies that register internet domain names, where suspicions should be raised over buying patterns which suggest criminal activity. Gibson questioned if the vetting process even requires registrars to check whether the name and address of the person buying an internet domain is genuine.

“We know that certain organised groups are continuing to buy up domain names by the hundreds if not the thousands. I wonder how that can be done, when a domain name registrar gets a request to register xyzabc1, xyzabc2, xyzabc3,” he said.
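As an added illustration of the registrar-side check Gibson describes (this is example code, not from the article or from any registrar), the following Python flags a registrant who buys many numbered variants of one name within a short window; the sample registrations, threshold and registrant IDs are constructed for the example.

```python
from collections import defaultdict
import re

# Leading letters (and hyphens) followed by an optional trailing run of digits:
# xyzabc1, xyzabc2 and xyzabc3 all share the stem "xyzabc".
_STEM = re.compile(r"^(?P<stem>[a-z][a-z-]*?)(?P<seq>\d+)?$")


def stem_of(domain: str) -> tuple[str, bool]:
    """Return (stem, True) for a numbered label, (label, False) otherwise."""
    label = domain.lower().split(".")[0]
    m = _STEM.match(label)
    if not m:  # labels with interior digits are left alone by this simple rule
        return label, False
    return m.group("stem"), m.group("seq") is not None


def flag_bulk_patterns(registrations, window_hours=24, threshold=5):
    """registrations: iterable of (domain, unix_time, registrant_id).

    Flags a (stem, registrant) pair when at least `threshold` numbered
    variants of the same stem are registered inside any window_hours span.
    """
    times_by_key = defaultdict(list)
    for domain, ts, registrant in registrations:
        stem, numbered = stem_of(domain)
        if numbered:
            times_by_key[(stem, registrant)].append(ts)
    flagged = {}
    for (stem, registrant), times in times_by_key.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):  # sliding window over sorted times
            while t - times[lo] > window_hours * 3600:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[stem] = {"registrant": registrant, "count_in_window": best}
    return flagged


# Constructed sample: registrant R1 buys xyzabc1..xyzabc8 ten minutes apart,
# R2 buys two numbered shop names a week apart, R3 buys one plain name.
_T0 = 1_700_000_000
SAMPLE_REGISTRATIONS = (
    [(f"xyzabc{i}.com", _T0 + i * 600, "R1") for i in range(1, 9)]
    + [("myshop1.com", _T0, "R2"), ("myshop2.com", _T0 + 7 * 86400, "R2")]
    + [("example.com", _T0, "R3")]
)

if __name__ == "__main__":
    print(flag_bulk_patterns(SAMPLE_REGISTRATIONS))
```

Only the eight-in-two-hours burst is reported; the two shop names a week apart and the plain name fall below the window threshold.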

Cybercriminals can easily change which server a web address points to, so that the address of a phishing site or a fake anti-virus page stays the same in the person’s browser while the actual site behind it moves. Even if the authorities succeed in shutting down a site in one domain, scammers can quickly move to the next domain to evade detection, running it on a different computer in another location. “They’re buying those kinds of domains and if you shut one down, you get another that pops immediately back up,” said Gibson, who likened law enforcement’s attempts at stopping this to “playing whack-a-mole for the longest time”.

Prof Fred Piper, of Royal Holloway University of London’s Information Security Group, was the keynote speaker at the conference. A 30-year veteran of security in academia and the private sector, he said security awareness initiatives still struggled to give the kind of clear messages to educate people that road safety campaigns do. “The challenge is to establish a security culture where everyone accepts that security is important and that security is their responsibility,” he said.

Robert McArdle, of Trend Micro, took up Piper’s theme. “The big problem with security people is that we always turn up to conferences like this and we talk to each other, and people on the street have absolutely no idea. It would be better to go in and if you’re talking about malware or the threat landscape, go to a school and tell it to the sixth-years who are on Facebook. That’s going to have a bigger impact than me telling you something you already know at a security conference. And that’s not just in Ireland, that’s global,” he said.

“I know I work for an anti-virus company, but for a consumer, going online without protection is like driving without a safety belt. It’s madness, and for the sake of [saving] €30 a year. People don’t think in terms of having a few grand in their bank account and next month when they get hacked, that’s gone.”