“Warning!!! Your computer contains various signs of viruses and malware programs. Your system requires immediate anti virus check. Click to perform a quick and free scan of your PC”

You have? Well you’re not alone.
 
I want to share with you some research carried out by one of my colleagues in TrendLabs, Bob McArdle. I can’t mention any names for fear of prejudicing ongoing investigations, but to be honest the names are irrelevant as they change so often anyway. Over the course of a year one criminal gang, let’s just call them Company X, made over $180 million US dollars by selling malware to their victims in at least 30 different countries around the globe.
 
You would be forgiven for asking why people would pay for malicious software and the answer is of course, they had no idea it was malicious in the first place.
 
The gang creates very convincing looking fake security programs designed to fool the victim into believing that their computer is badly infected. These scareware programs are then distributed by creating web pages designed to rank very highly in search engine results for popular current search terms or newsworthy events. As soon as the malicious search result is clicked a pop-up message like the above appears and the infection chain begins.
 
Here is a video of one such scam in action related to this incident I blogged about a while ago.
 

 
So how did they make so much money? Well firstly while the scan on offer might be free, the bogus results always show the machine to be very badly infected when in fact no scan at all has taken place. The worried user is then prompted to pay for the full version of the “security” software so that the non-existent malware can be cleaned up. So now, you have given your credit card details to criminals, downloaded malware onto your PC and paid somewhere between $50 – $100 US dollars for the privilege. This game is a volume one – if the gang can redirect 100,000 searches and only 1% of them pay for the product – they net $50,000 US for a day’s work.
 
The second part of the business model involves these machines that the criminals have now infected. As the infected user surfs the web, the malicious software quietly replaces all of the ads the user sees with ads belonging to one of the gang’s affiliates, most often pushing fake pharmaceuticals and the like. The gang get a kickback of two or three cents every single time an advertisement is replaced. Logs from one of the gang’s servers showed about a million ads replaced per day, netting them another $25,000 US per day, and this was only one of the gang’s botnets. So that’s $25K per botnet, per day.
 
The third part of Company X’s business model revolved around customer support strangely enough. Company X’s biggest problem of course, was credit card refunds. Customers who realised that they had been scammed would contact their card provider demanding a refund. After a while the credit card provider would refuse to do business with Company X and Company X would need to create another fake subsidiary company, complete with Fake IDs for all of their directors. To combat this, these criminals decided to invest heavily in call centres – setting up call centres in the US, Asia and Eastern Europe.
 
You see the Rogue AV would regularly ask the users to update their version, paying a small fee to do so – and would annoy the user with pop-ups until they did so. A lot of customers complied, however others rang the support line demanding the product be fixed. Each Rogue AV had a couple of settings that could be altered so that the users would never be prompted for updates again – the staff at the call centres simply stepped the users through to this point, all for the modest fee of $20 for the phone call.
 
Think before you click, not all security software is created equal.

NYTimes Twitter posting

 

In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”. From some online discussion it looks as though the problem may have been ongoing for upwards of 24 hours.

 

The pop-up window itself, (screen shot captured by quick-witted reader of All Things Digital) was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course.

Image courtesy of All Things Digital

 

The malicious software being punted in this case, is similar to what we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog.

 

In this particular example, the malicious site and sofware is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLS.

 
Here’s a really simple tip to remember. If you *ever* see a browser pop-up window that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache and to be on the safe side, run a real scanner like HouseCall. To be more fully protected in future, make sure you install an antimalware program that will also block malicious URLs, rather than simply looking for malicious files.

 

UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here.

 

UPDATE: The fake AV program being pushed in this attack was called Personal Antivirus and is very much a classic piece of scareware.

 

On install the application will start “scanning” your machine for problems. On a completely fresh installation of Windows Vista, it supposedly detected 38 threats.

 

Of course none of these imaginary threats can be removed until you pay to activate you copy of this useless software, not only giving away your cash but also of course all your credit card and personal details at the same time, double-whammy for the cybercrooks.

 

If you choose not to activate the software immediately you will then be served at random intervals with fake messages informing you of yet more detected problems, when you hit the “Block” button, you are again prompted to pay for the software, and so it continues…

 

For cleanup, use HouseCall or any other reputable security software, a helpful list of what is real (as opposed to FakeAV) can be found here.

 

If the software you are being punted isn’t on the list, then do not install it.