Scareware plague continues despite $163,175,539.95 bust

Scareware has become such an indomitable economic force that the take down of perhaps the largest, most vertically-integrated scareware purveyor, Innovative Marketing, has had a negligible deterrent effect.

Innovative Marketing operated from 2004 through mid-2008.

A fake warning

Court records show that Innovative Marketing fooled computer users into paying for fake antivirus programs worth at least $163,167,539.95. That’s the amount the Federal Trade Commission documented as having been bank-deposited by this criminal enterprise.

Last month, the U.S. Department of Justice indicted Bjorn Daniel Sundin, 31, a U.S. citizen believed to be living in the Ukraine, Shaileshkumar P. Jain, 40, of Sweden, and James Reno, 26, of Amelia, Ohio, named as Innovative Marketing’s top executives.

Reno is described in court records as the technical genius behind the operation, Sundin as the CEO and Jain as the COO. The USDOJ is specifically going after a $100 million chunk of that cash believed to be sitting in a bank in Kiev, Ukraine.

Sustainable business model

So what has happened as the noose has tightened around this gang’s collective necks? Online promotions for scareware have actually increased tenfold in the first three months of this year compared with mid-2008, when U.S. regulators dismantled the firm, says McAfee researcher Francois Paget.

Source: McAfee

Panda Security reports similar findings. In 2008, PandaLabs identified a total of 92,215 scareware samples. In the first quarter of 2009 that number soared to 111,086 — more samples in three months than in the previous 12 months put together. In the second quarter of 2009 PandaLabs identified 374,204.

Underscoring the continued steady rise of scareware, Microsoft’s free Malicious Software Removal Tool cleaned scareware off 7.8 million PCs in the second half of 2009, up from 5.3 million computers in the first six months of last year.

“Scareware continues to flourish because it’s a highly profitable and sustainable business model,” says Sean-Paul Correll, researcher at Panda Security. “Innovative Marketing is the only company to be taken down and it obviously hasn’t stopped the threat yet.”

The roots of this booming cybercriminal industry can be traced back to 2005 and the escapades of Andrej Sporaw and iframeCASH.biz. Sporaw developed a system for recruiting “affiliates” to infect webpages to serve up pop-up ads for which they got paid.

Vertically-integrated scare campaigns

Fast forward half a decade: Ukraine-based Innovative Marketing employed hundreds of employees collaborating as part of a multi-faceted, vertically-integrated operation to scare hundreds of thousands of victims into paying $30 to $70 for such software, according to court records.

Innovative Marketing created dummy ad agencies to place innocuous-looking ads for corporate entities like Major League Baseball, Priceline, Career Builder, the National Association of Realtors and E-Harmony. The scammers actually had no affiliations with, nor permission from, the corporations to do this.

Clicking on such an ad triggered a fake scan showing the PC to be infested with viruses. A pitch followed to buy a bogus clean-up and worthless antivirus protection.

Variations of this ruse continue to infest the Internet orchestrated by “new, more discreet entities,” says McAfee researcher Paget. Current scareware scams revolve around:

–Blackmail. Some scareware, referred to as “ransomware,” will lock out access to the victim’s computer until the victim pays $70 for a “license key” to regain access.

“The majority of rogues we see today essentially blackmail the computer user by disabling key Windows features, such as the registry editor or the command line — tools that could permit a savvy user to remove the rogue antivirus him- or herself,” says Webroot researcher James Reid.

Some scareware proactively disables certain program features in popular browser, messaging and even antivirus programs designed to block malicious programs. “Essentially, the computer is being held hostage by the rogue,” says Reid.

–Search results. Tainted webpages are crafted to turn up high in the search results rankings for Google queries about celebrities and big news events. Clicking on the tainted link triggers the fake scan and promotion.

“This is black hat SEO — essentially, the criminals obtain stolen Web site credentials, then use those passwords to upload Web pages which display one set of information — usually it’s a page full of ‘hot’ keywords — to search engine spiders/web crawlers, i.e., the Google bot, and exhibit completely different behavior,” says Webroot researcher Andrew Brandt.

Usually, JavaScript is launched on the visitor’s side, which begins the whole “fakealert” behavior Brandt describes.
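The cloaking Brandt describes can be checked for from the defender’s side by fetching the same URL once as a crawler and once as a browser and comparing what comes back. The following is an added example, not code from the article or from Webroot; the fetcher is injected so the check runs offline on constructed sample responses, and the user-agent strings and URL are assumed placeholders.

```python
"""Flag search-engine cloaking: a page that serves keyword text to a crawler
but a script-driven page to a browser. Added example with constructed data."""
import difflib
import re
from typing import Callable, Dict

# Assumed user-agent strings; any crawler/browser pair works the same way.
CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"

# Constructed sample responses standing in for a compromised site: a
# keyword-stuffed page for the crawler, a redirecting script for the browser.
SAMPLE_RESPONSES: Dict[str, str] = {
    CRAWLER_UA: "<html><body><h1>celebrity news</h1>"
                + " ".join(["breaking", "news", "celebrity", "video", "free"] * 20)
                + "</body></html>",
    BROWSER_UA: "<html><body><script>window.location="
                "'http://example.invalid/scan.php';</script></body></html>",
}


def fake_fetch(url: str, user_agent: str) -> str:
    """Stand-in for an HTTP GET; returns the constructed body for this UA."""
    return SAMPLE_RESPONSES[user_agent]


def visible_text(html: str) -> str:
    """Strip scripts and tags so only reader-visible text is compared."""
    html = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    return re.sub(r"<[^>]+>", " ", html)


def cloaking_score(url: str, fetch: Callable[[str, str], str]) -> dict:
    """Fetch the URL as crawler and as browser and compare the two copies."""
    crawler_body = fetch(url, CRAWLER_UA)
    browser_body = fetch(url, BROWSER_UA)
    similarity = difflib.SequenceMatcher(
        None, visible_text(crawler_body), visible_text(browser_body)).ratio()
    # A script present only in the browser copy matches the fake-alert pattern:
    # the crawler is shown static text, the visitor is handed active content.
    has_script = lambda body: re.search(r"<script", body, re.I) is not None
    browser_only_script = has_script(browser_body) and not has_script(crawler_body)
    return {
        "similarity": round(similarity, 3),
        "browser_only_script": browser_only_script,
        "cloaked": similarity < 0.5 or browser_only_script,
    }
```

For a live check, pass a fetcher built on `urllib.request` that sets the `User-Agent` header; the comparison logic is unchanged.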

–Social networks. High trust and rapid bursts of communications in Facebook and Twitter make social networks ideal for getting members to click on tainted weblinks that trigger scareware.

“Quite simply, the scareware industry is booming,” says Roel Schouwenberg, senior researcher at Kaspersky Lab.

Consumers tend to trust authoritative messages, as well as messages perceived to be from social network friends. Criminals can easily manipulate Twitter and Facebook accounts to spread tainted links that trigger scareware promos to unwitting users.

“Legitimate antivirus suites have had a hard time blocking these things effectively,” says Schouwenberg. “Unless there are some big arrests – or fear for arrests – I don’t see the situation changing.”

Tighter merchant banking controls needed

While criminal cleverness and consumer gullibility are two major drivers, the fact remains that Innovative Marketing managed to obtain approval for at least $163 million worth of credit card transactions, at $30 to $70 a pop. This suggests that scareware purveyors are taking full advantage of a global merchant banking system that is loosely policed when it comes to online transactions.

Says Brandt: “If the world can demand that Swiss banks reveal the names of customers living in countries other than Switzerland who might be violating tax laws in their home countries, then the world should also be able to demand that ISPs, payment processors, and the whole network of services and businesses that support the scareware industry be held to account for the damage they share responsibility for perpetuating.”

By Byron Acohido
