Slashdot Mirror
FTC Kills Scareware Scam That Duped Over 1M Users
coondoggie writes "The Federal Trade Commission today got a court to at least temporarily halt a massive 'scareware' scheme, which falsely claimed that scans had detected viruses, spyware, and pornography on consumers' computers.
According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of Innovative Marketing, Inc. and ByteHosting Internet Services, LLC to preserve the possibility of providing consumers with monetary redress, the FTC stated."
At the computer store where I work in Waterloo, Ontario, Canada, we see at least 3-4 computers each week with these rogue anti-virus and anti-spyware applications. These programs are a real pain to deal with, both for our customers and for our computer store as well, since the programs are often difficult to remove and take up a lot of time that would otherwise be used to help our customers find solutions that make them more productive.
However, given the fact that new versions of these programs are being developed on a regular basis (for example, as of late we are seeing a new rogue program called Trusted AntiVirus), and the fact that the organizations behind them are often located offshore and in multiple jurisdictions, I wonder how much a dent this judgement will make into the scammers' operations. Hopefully, at least, this will be a start.
Part of the problem, of course, is user education. We have users that receive warning messages that tell them that this program is possibly a virus, and ask them if they would like to run the program anyway. Many users that do not know any better will run the program even though the warning is telling them this may not be a good idea. Helping the user understand what the legitimate warnings are on the system tends to reduce the problem.
These are the good old days you'll be telling your children about. Make them worthwhile.
Click here to fix it, we promise.
My university has seen so many students (and even staff!) with variants of this.
One of my users managed to get it on a fully patched XP machine that I somehow forgot to install Symantec on (yeah, stupid), with basic User privileges.
Of course, I've seen it a million other times too, but those people were all running with admin privileges.
Boot Windows, Linux, and ESX over the network for free.
You've got a virus!
Pay me or I won't tell you what it is!
The sad thing is that people fall for it.
I've actually had the following conversation:
"What antivirus program was that?"
"Oh let me see here... [Horrible Trendy Name]"
"When did you install it?"
"I don't know."
I told him to call his credit card issuer.
Though, as if that's not enough, my neighbor recently couldn't understand how a dialog that, after analyzing basically indicated his computer was "too secure" wasn't a bad thing.
Boot Windows, Linux, and ESX over the network for free.
Sure these might just be "scamware"... but I beat them at their own game by installing all 5 of the mentioned programs. The combined power is sure to be effective even if one alone is not!
Turn off the $$$ - the credit card companies know that payments to certain entities are for scam crap just from the number of complaints, but they still do nothing because, let's face it, a million sales @ $30 a pop == $30,000,000. 3.5% of that is over a million bucks. It's not in their immediate financial interest to turn off the tap.
According to these guys, my Mac is infected with Windows XP viruses. Ok, now I'm not that gullible, but the sad part is that there are plenty of people that are and believe whatever they read. Of course these are the same people that send birthday cards to little whats-his-name who wants to be in the Guinness's Book of World Records.
At one level I'm sympathetic, but at another I think that people need to learn to be more than a little skeptical on the internet. So instead of getting money returned to the people that purchased this junk, how about using it to fund advertising programs that politely ask "How can you be so stupid?" (Obviously not saying it like that.) Education is the only thing that will change this in the long run. Otherwise they'll just fall for whatever the next trick is that comes along.
The FTC is supposed stop and punish fraudsters. This is their job. I can't understand why it has taken this long.
Finally! We usually have to get someone sentenced on trumped-up charges to get our weekly execution, because nobody ever responds to the call for volunteers.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I find that interesting. My laptop is almost 10 years old, with a PII 233 Mhz chip and maxed out at 96Meg of RAM, but I have Linux running on it. And, I've never had the slightest difficulty connecting it to the Internet or surfing the web. Either you have some very weird hardware or you haven't tried very hard.
Good, inexpensive web hosting
I believe this is called Windows Live OneCare, right?
That's because the Linux community has collectively decided that *you* don't deserve to run it, so we put in special code to keep you off the 'net. It's better for everybody this way.
If I go to stopsign.com it will detect all sorts of Windows nastyware on my Linux box.
They have ads on Direct TV.....
I am the unwilling control for my Origin.
...and if all you want to do is surf the web, sure, Linux or even an old WebTV box is just dandy. Problem is, people are used to doing more with their computer. That's where Linux leaves most people with the feeling of holding a wet fish.
you KNOW no amount of protection is going to be enough - you're gonna catch SOMETHING.
I know your trolling, but it's worth pointing out this is dead wrong. I'm using Windows with no anti-virus/spyware programs and the firewall built into my DSL Router. The one and only time I've personally had a virus was in 1997, when my then idiot girlfriend downloaded and executed an IRC script. The best defence is knowledge. Period. There is no OS in the world that is secure with ignorance behind the keyboard. Sure, Linux offers a huge huge security advantage because of it's obscurity, but that's a double edged sword that points back to my first point. People want more out of their PC, and I can't blame them. You want protection? Start with you. Those who rely on others first are usually the ones to get screwed first.
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
...The only reason you see a "click here if this is inappropriate" on any website is so they can cover their own ass and prevent getting sued...
Actually, there's another reason. If you click on anything at all, they can record your address in their web journals and tick a box labeled "This person is a potential mark". It's one of the reasons why I close these bogus displays by going around and closing them from the operating system. I do not trust any button or other clickable control presented to me from any window that I didn't specifically ask to see. Even the little X in the top right corner, they can emulate those controls with controls of their own, and can record the fact that you've paid them a bit of attention. And for such people, the less attention you pay them the better.
Do not mock my vision of impractical footwear
In an unrelated story, the FTC has invested in some extremely large ovens in an effort to reduce the nation's dependence on foreign energy sources. They claim the new fuel is actually self-perpetuating and that "There is an unlimited supply here at home."
Well you may not have problems with your hardware, but that doesn't mean others don't. Since we're giving personal anecdotes, I'll give you mine.
To give you an idea of my computer skills, I've installed Linux on three of my computers over the last 5 years, though I never really used it too much. I'm "fluent" with Windows. I have some experience with C++, so using the shell and so forth doesn't bother me too much. I'm not a developer or anytihng like that though. In other words, I'm pretty much the "best-case" inexperienced user.
That said, every time I tried to install Linux, I ALWAYS have problems. The first time it took me literally two days of frustration before it was in a usuable state. I define usable as "being able to reliably hit the power button, boot with no problems, log in, and surf the internet". It would take too long to go through all the problems I had.
More recently, I just installed Linux on my laptop two days ago, and it took me over four hours to get my wireless internet to work correctly. I figured out how to use ndiswrapper on one of my previous installs, but it didn't solve the problem this time around. Eventually I figured out the problem had to do with the order of drivers being loaded. That's right, to surf the internet I had to learn about crap like modprobe, how to run scripts at startup, etc. All the sysadmins here probably think it's easy, but it's nearly impossible for inexperienced users like me to learn. The worst part was finding a well written bug report on the ubuntu tracker which listed my exact problem, but was closed with the reason "This is a well known problem, just google it"... like I hadn't been doing that for hours.
Anyway, my point is that even though Linux is mostly awesome and everything mostly "just works", there are still some stuff that doesn't. You can blame broadcom or whoever for the problems, but if those few things still exist and are frustrating enough to turn off a dedicated and best-case-inexperienced user, then it still needs more work if you want everyone to use it.
You mean there's anti-virus software that will find pornography on my computer? Will it show it to me as well? :D
I wonder if the Sam Jain referenced in the article is the same Sam Jain behind efront. There was plenty of good reading on fuckedcompany.com way back then when the ICQ logs were released on the net.
134340: I am not a number. I am a free planet!
Here he demonstrates those math skills he was talking about.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
How am I supposed to put food on my table if people don't have the opportunity to destroy their systems with a single click anymore? My computer repair business is doomed. Doomed, I say!
I am not left-handed, either!
On several occasions have run across aggressive annoying advertisements which popped-up claiming to have detected viruses and spyware on my computer. On each occasion, I was using Linux and browsing the Internet with Firefox. I normally do not get pop-ups when using Firefox, but some scareware advertisers do still know how to make pop-ups appear.
Earlier this year, I had just installed a brand new copy of Kubuntu Linux on a brand new hard disk in my computer. It did not (and still does not) have Windows or any Microsoft products installed on it. I had also installed a firewall and had it behind a router which also had a firewall with all ports closed to the outside world. I had even installed all the latest security updates.
If I remember correctly, this is roughly what happened next. A day or two later, as I was browsing the Internet with Firefox, an ad popped up saying that they had detected several types of viruses and spyware running on my computer. It then asked if I want to have my hard disk scanned for viruses. I closed the advertisement without giving permission. Then another pop-up, with a progress bar, appeared, which claimed that it as scanning drive C: for viruses. I thought, that was odd, since Linux computers do not have a drive C. Before long, a pop-up appeared which said that Microsoft had detected references to viruses and spyware in my registry. That also seemed odd, since Linux does not even have a registry. Furthermore, I thought, what was a Microsoft pop-up doing on my Linux computer. Besides, at least last that I have heard, there still have not yet been any Linux viruses successfully circulating in the wild.
Finally, they asked me to click on a link and purchase their product, so that my computer could be disinfected. At no point in the process of supposedly scanning my hard disk without permission, did they seem to notice or comment on the fact that I was using Linux.
I'm amazed that it's taken this long for something to be done about this. I'm also amazed at the magical protective perception field around them. They're not just scams, they're viruses. If they were written by some 14 year old in their parents basement, heavily armed goons would sweep in and drag them off to jail to face felony charges for unauthorized access to a computer, distributing a virus, etc. The protection racket they're running using their viruses is icing on the cake.
The fact is, these are viruses and they're not just spread by people voluntarily downloading programs they believe to be anti-virus software due to scary pop-ups. These things use exploits in windows and web browsers to infect peoples system whether or not they choose to install them, then they generate messages that can truthfully claim that the computer is infected with a virus. Having endured hell working in tech support I've seen plenty of infections by this crap.
So, on the one hand, it's good that someone is finally doing something. On the other hand, where the hell are the criminal charges? Why is it the FTC doing something and not the FBI? Because the criminal scum behind this throw on the trappings of a business they become sacrosanct and get civil actions where the rest of us mere mortals would be put away for life. What the freaking hell!
Is the FTC going to crack down on politicians now too? This is fantastic!
If this is the same scam that I've seen lately, have a little sympathy for the end user. The ad generates a nasty dialog box that can only be killed by forcing the browser to quit. The alternative is to "agree" to let them scan your PC. I'm paranoid enough about browser security bugs that there is no way in Hell that I would agree to that. The fact that their ad can create such a dialog box seems like a browser bug to me. Have you stopped beating your wife [Y/N]?
Mea navis aericumbens anguillis abundat
Out of interest, since you're running no AV/spyware scanners - how do you KNOW you're not and haven't been infected? I've seen all sorts of nasties that install and run silently. Including ones that don't require social engineering to install.
Firewalls protect against direct attacks, but they don't stop iffy attachments such as the latest .wri exploit, or exploits in the browser (and firefox isn't entirely immune either, though it's a lot safer than IE)
Linux offers a huge security advantage because it's better designed. Apache is still more popular than IIS, and has a had tiny, tiny amount of the exploits than IIS has had over the years, though IIS has improved a lot lately.
Even if I accept your premise that all you need is knowledge to protect your systems, which I don't, expecting all users to be expert technicians simply to browse the internet is unrealistic. Some measures to protect themselves, sure - but specialization requires time, and non-IT people rather need to spend that learning other things.
Equally, people may well not have the time to learn how to use linux, which is fair enough. Based on the criteria that many have for linux, windows isn't ready for the desktop either. If linux had 90% market share and everybody used it already, windows would be struggling hard to get any users.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
How the heck can this be modded as Troll? Really, people, for most users, computers are simply tools, like VCRs and we expect everything to run out of the box (like it is when you just go to a store and pay and you get a computer which you can use for games and movies and internets - surprise, it's probably running Windows XP/Vista). Some people really don't have the time to tweak their operating system just to watch some movies or use their webcam on Yahoo! Messenger, etc. I have paid for two distros and - no surprise - they didn't work out of the box like Windows did. I just install Windows, put in a CD, click a button, reboot and my computer's ready for use. Until Linux will have the same simplicity for the users, it doesn't have a chance.
This is not trolling, this is fact for people that are too busy doing other things instead of turning into geeks.
Windows isn't really the problem[1].
If these millions of people were running Ubuntu they'd still be infected by malware.
Why? Because these people thought the malware was _good_ software. They would do whatever seems reasonable to them to install it. If it means downloading and executing something, or even entering an admin password, they would do it.
There have been windows viruses that spread via password protected zip files - victims would have to enter the password in the email to unzip the zipfile, then launch it. Many did.
The authorities should just be more active in prosecuting such cases of fraud. Because that's what the scareware scam is - mass fraud. Such scammers cause far more harm than that silly Brit who hacked into US military computers to look for evidence of UFOs.
Once you start jailing scammers the amount of spam we get will be less - because there's a fair bit of scam spam too.
[1] Linux isn't much more secure than Windows XP SP3. Fact is Windows XP SP3 provides better sandboxing than many Linux distros. When you launch some new unsigned program, Windows often prompts you to say that the program is trying to make outbound network connections. Ubuntu, Suse don't do that by default. They have apparmor and SELinux but if the average sysadmin finds them a pain to deal with, they're not suitable for even the more knowledgeable users.
I have made suggestions to Ubuntu and Suse to try to make sandboxing better (better than windows and anything out there that I'm aware of), but I don't see very much progress happening.