Low-Tech Scareware

October 6, 2012

Once the first computer viruses, worms, and other malware had appeared on the scene, it was not long before software vendors, like McAfee and Norton, began to provide users with anti-virus software as a defense.  And then it wasn’t too long before the first scareware appeared to take advantage of that environment.  In one classic incarnation, scareware (which is essentially a “social engineering” attack) presented a message to the user, frequently in a pop-up window from a dodgy web site, saying that the user’s computer was infected with some dire virus.  The message would go on to say that terrible things were bound to happen; however, the user could return to serenity if (s)he purchased a special anti-virus program, which by lucky coincidence could be accomplished by simply clicking a link in the message.  The claimed infection was, of course, generally non-existent, and the anti-virus software worthless.  (It might erase some anodyne system file as “proof” that the infection had been removed.)

Usually, this was just a means of extracting money from gullible users, although it was always possible that the “anti-virus” software was the real malware.  If the user can be induced to install some arbitrary bit of software, the game is essentially over as far as defending the system goes.

This past week, Ars Technica reported that the US Federal Trade Commission [FTC] had filed six lawsuits in US District Court against 14 companies and 17 individuals the FTC says have been engaged in a similar scareware scam, with a twist: the initial approach was decidedly low-tech, via a telephone call.

By cold-calling victims and claiming to be from companies like Microsoft, Dell, and McAfee, the scammers directed users to a harmless error log on their computers and told them it was a sign of a serious infection, the FTC said. The alleged scammers went on to charge anywhere between $49 and $450 to “fix” the consumers’ computers.

The callers claimed that routine warning or error messages in system log files indicated a grave malware infection, which they, by lucky chance, could fix.  (The means are different, but the basic idea of the scam is preserved.)  The FTC says that one company went so far as to purchase Google search ads, which showed up in searches for terms like “McAfee” or “anti-virus support”.

As with most of the original scareware scams, these callers apparently only wanted the money paid for their non-existent “services”, but the potential for something considerably worse is still there.

The basic lesson here is very simple, and applies to areas other than technology, too: don’t trust unsolicited phone calls, or E-mails, or …

Update Sunday, October 7, 16:30 EDT

Steve Bellovin, the FTC’s new Chief Technologist, has an excellent article on this case posted at the Tech@FTC blog.
