Scareware
Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.
A tactic frequently used by criminals involves convincing users that a virus has infected their computer, then suggesting that they download (and pay for) fake antivirus software to remove it. Usually the virus is entirely fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.
The "scareware" label can also apply to any application or virus (not necessarily sold as above) which pranks users with intent to cause anxiety or panic.
Scam scareware
Internet Security bloggers/writers use the term "scareware" to describe software products that produce frivolous and alarming warnings or threat notices, most typically for fictitious or useless commercial firewall and registry cleaner software. This class of program tries to increase its perceived value by bombarding the user with constant warning messages that do not increase its effectiveness in any way. Software is packaged with a look and feel that mimics legitimate security software in order to deceive consumers.
Some websites display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." These websites can go as far as saying that a user's job, career, or marriage would be at risk. Products using advertisements such as these are often considered scareware. Serious scareware applications qualify as rogue software.
According to recent findings, some scareware is not affiliated with any other installed programs. A user can encounter a pop-up on a website indicating that their PC is infected. In some scenarios it is possible to become infected with scareware even if the user attempts to cancel the notification.
These pop-ups are specially designed to look like they come from the user's operating system when they are actually a web page.
In 2005, Microsoft and Washington State successfully sued Secure Computer (makers of Spyware Cleaner) for $1 million over charges of using scareware pop-ups.
Washington's attorney general has also brought lawsuits against Securelink Networks, High Falls Media and the makers of Quick Shield.
In October 2008, Microsoft and the Washington attorney general filed a lawsuit against two Texas firms, Branch Software and Alpha Red, producers of the Registry Cleaner XP scareware.
The lawsuit alleges that the company sent incessant pop-ups resembling system warnings to consumers' personal computers stating "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED", before instructing users to visit a web site to download Registry Cleaner XP at a cost of $39.95.
On June 25, 2009, the Federal Trade Commission in the United States reached a settlement with two defendants in a case involving a massive “scareware” scheme. The two defendants settled charges of deceptive advertising and forfeited more than $100,000 in assets. According to the Federal Trade Commission, the two settling defendants were part of a massive deceptive advertising scheme that tricked more than a million consumers into buying “rogue” computer security products, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The scheme allegedly relied on deceptive advertisements featuring bogus computer “scans” that falsely claimed to detect viruses, spyware, and illegal pornography on consumers’ computers. The settlement imposed a judgment of nearly $1.9 million against the two Cincinnati-based defendants, James Reno and ByteHosting Internet Services, LLC. This amount represents the gross revenues these two settling defendants realized from the alleged scam. The settlement prohibits James Reno and ByteHosting from using deceptive “scareware” advertising tactics and from installing malicious programs on consumers’ computers. The settlement also permanently bars Reno and ByteHosting from ever again doing business with their co-defendants. The settlement does not affect the FTC’s ongoing case against the remaining defendants in the suit.
According to the complaint, the two companies charged in the case – Innovative Marketing, Inc. and ByteHosting Internet Services, LLC – operate using a variety of aliases and maintain offices in various countries. Innovative Marketing, incorporated as a company in Belize, maintains offices in Kiev, Ukraine. ByteHosting Internet Services is based in Cincinnati, Ohio. The complaint alleges that these two companies, along with individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, violated the FTC Act by misrepresenting that they conducted scans of consumers’ computers and detected a variety of security or privacy issues, including viruses, spyware, system errors, and pornography. The complaint also names a sixth individual, Maurice D’Souza, as a relief defendant who received proceeds from the scheme.
A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.
Starting on March 29, 2011, more than 1.5 million web sites around the world have been infected by the LizaMoon SQL injection attack spread by scareware.
Research by Google discovered that scareware was using some of its servers to check for internet connectivity. The data suggested that up to a million machines were infected with scareware. The company has placed a warning in the search results of users whose computers appear to be infected.
Spyware
Some forms of spyware also qualify as scareware because they change the user's desktop background, install icons in the computer's notification area (under Microsoft Windows), and generally make a nuisance of themselves, claiming that some kind of spyware has infected the user's computer and that the scareware application will help to remove the infection. In some cases, scareware trojans have replaced the desktop of the victim with large, yellow text reading "Warning! You have spyware!" or a box containing similar text, and have even forced the screensaver to change to "bugs" crawling across the screen.
SpySheriff exemplifies spyware/scareware: it purports to remove spyware, but is actually a piece of spyware in itself, often accompanying SmitFraud infections. Other antispyware scareware may be promoted using a vishing scam.
Uninstallation of security software
Another approach is to trick users into uninstalling legitimate antivirus software, such as Microsoft Security Essentials, or disabling their firewall.
Prank software
Another type of scareware involves software designed to literally scare the user through the use of unanticipated shocking images, sounds or video.
- The first program of this type is generally credited to be NightMare, a program distributed on the Fish Disks for the Amiga computer (Fish #448) in 1991. When NightMare executes, it lies dormant for an extended (and random) period of time, finally changing the entire screen of the computer to an image of a skull while playing a horrifying shriek on the audio channels.
- Anxiety-based scareware puts users in situations where there are no positive outcomes. For example, a small program can present a dialog box saying "Erase everything on hard drive?" with two buttons, both labeled "OK". Regardless of which button is chosen, nothing is destroyed other than the user's composure.
- This tactic was used in an advertisement campaign by Sir-Tech in 1997 to advertise Virus: The Game. When the file is run, a full screen representation of the desktop appears. The software then begins simulating deletion of the Windows folder. When this process is complete, a message is slowly typed on screen saying "Thank God this is only a game." A screen with the purchase information appears on screen and then returns to the desktop. No damage is done to the computer during the advertisement.