Scareware - Not just a fashion statement anymore

04/05/2010 16:01

Scareware is the latest type of malware (MALicious softWARE) labeled by the media, not my poor sense of style. These are nasty little messages that try to frighten you into browsing infected websites, installing infected software, and even giving up your credit card numbers. We have discussed this type of malware before, but since we are seeing an upswing in it recently, we thought we'd touch on it again.

As our computers become more resilient to traditional methods of infection, we have seen an increasing number of bugs that bypass a computer's security by fooling you into allowing them in. This type of infection is spreading through social networking website apps, paid advertisements on legitimate websites, or even bogus search engine entries that take you to infected sites. This Scareware is actually comprised of elements from a few types of malware.

Infection stage 1: Social Engineering, aka the classic "con" - Everyone is concerned about viruses, so the infected website displays a pop-up window that looks like a real warning from your operating system or your antivirus software. This message states something along the lines of "something evil was found, click here to remove it". Clicking it, or anything else in the message, bypasses your automated security systems because YOU are allowing access. If you open the front door and let a thief into your house, your perimeter alarm system won't do much good. The click sends you to the next stage of infection: Trojan Horse.

TIP: the key combination "Alt + TAB" will allow you to switch to the message window without clicking on it, then "ALT + F4" can be used to close the window. This can stop the infection before it takes root.

Infection stage 2: the Trojan Horse - By clicking, and then ignoring any legitimate warnings that pop up, you are granting the Scareware access to your computer to install a Trojan Horse program. As in Homer's classic tale, a Trojan Horse pretends to be something you want, and then disgorges a horde of nasties when you aren't looking. In this case, the application installs and shows you a screen that pretends to scan for viruses, conveniently finding some. In the background, however, it can be doing all sorts of things: from searching for and uploading personal information, to adding your computer to a Botnet (https://en.wikipedia.org/wiki/Botnet) depending on the strain of Scareware contracted. Generally, the next stage of infection follows at this point: Ransom.
 
Infection stage 3: Ransom - After "scanning" your computer, this bug then has the gall to ask for your credit card in order to "clean" the fake infection it found. Once you enter your credit card number, they have won. Apparently this has been extremely profitable for someone; there have been reports that some strains include a link to a chat session with live people to answer any questions and allay any concerns (https://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222900276).
 
So what can we do about it?
 
First, know thy computer. Specifically, be familiar with your computer's security systems, and what legitimate messages look like. For example, if you're running anti-malware from Trend Micro or Symantec, messages from "Windows Anti-Virus 2010" should not be trusted. If you're facing a message and aren't sure if it's legitimate, open your real anti-malware program and see if you have any alerts that correspond to the message.
 
Second, know what to do if you do get a suspicious message. DO NOT CLICK ON IT, even to close it. Try the following key combinations: "Alt + TAB" will allow you to switch to the message window without clicking on it, then "ALT + F4" can be used to close the window. This may also be a good time to contact your computer support team. I'm sure they would much rather answer your question than spend the next few days trying to repair or rebuild your computer. Have them take a look at it and determine whether it's legitimate.
 
If all else fails, you can always save your data and just turn the computer off. This should effectively close the message without activating it. Once the message is closed, a full anti-malware scan with your real software would be in order, as well as a once over from your computer support team.
 
What if you've already clicked? Contact your computer support team immediately and let them know what happened. These people are your computer's doctor, so be honest about what happened even if you're kicking yourself for it. They'll figure it out eventually anyway, so being honest just saves time. Be prepared; we've only been able to clean about 60% of infected systems, and the rest had to be wiped and reinstalled.
 
What if you entered a credit card number? Contact the card issuer immediately and let them know that you think the number was compromised. They will most likely issue you a new card and monitor the old number for any suspicious activity. Since I'm not in the credit card business, your honesty is up to you.
 
Finally, while this type of bug attempts to bypass your existing security by tricking you into allowing it in, that doesn't mean that your security systems should be neglected. Think of your anti-malware, software firewall, and other security software as an inoculation: it doesn't guarantee you won't get infected, but it greatly reduces the chance of it happening, and the severity of the infection if it does.
 
For more information:
 https://www.fbi.gov/pressrel/pressrel09/popup121109.htm
 https://www.viruslist.com/en/analysis?pubid=204792090
 https://www.theregister.co.uk/2010/02/15/smut_social_networking_spam_scam/
 https://www.pcworld.com/article/188147/fake_antivirus_scam_hits_facebook.html
