Monday, 29 March 2010

FW: Newsbank: 'Infections found': Inside the great scareware scam

From: Susan Wilhite (MKT-US)
Sent: Tuesday, March 30, 2010 6:04:05 AM
To: Newsbank
Subject: Newsbank: 'Infections found': Inside the great scareware scam
Auto forwarded by a Rule

A post-mortem.


'Infections found': Inside the great scareware scam

29 March 2010 by Jim Giles

Magazine issue 2753.


Fake virus scans often look just like the real thing

ONE day in March 2008, Kent Woerner got a disturbing phone call from a teacher at an elementary school in Beloit, Kansas. An 11-year-old student had triggered a security scan on a computer she was using, revealing that the machine contained pornographic images. Worse still, the images had appeared on-screen as the scan took place.

Woerner, who manages the computer systems for the local school district, jumped in his car and drove to the school. Repeating the scan, he too saw the images, alongside warnings that the machine was infected with viruses and spyware that were surreptitiously monitoring the computer's users. Yet a search of the hard drive revealed nothing untoward. Switching to another machine, Woerner visited the security website that provided the scan, and ran it again. Exactly the same number of pornographic images popped up.

Woerner was smart enough to spot the ruse. This was not a genuine security scan. It was nothing more than an animation designed to dupe the unsuspecting computer user into shelling out $40 or so for software to combat a security problem where none existed. For those who fall for it, such "scareware" spells double trouble: not only are they relieved of their cash, but the software they download has no protective effect, leaving them vulnerable to malicious attack.

Woerner noted the site behind the fake scan, advancedcleaner.com, and got in touch with the Federal Trade Commission (FTC), the US consumer protection agency. He was one of hundreds. As the FTC trawled through the complaints, it became clear that in its complexity, sophistication and sheer brazenness, this was no normal internet scam. "This is one of the largest internet-based frauds the FTC has ever prosecuted," says Ethan Arenson, an attorney at the agency's headquarters in Washington DC. Over in Hamburg, Germany, analysts at the computer security company McAfee were independently coming to a similar conclusion.

The scam is the story of a computer security company called Innovative Marketing (IM) Incorporated. It begins in 2002, when internet entrepreneur Daniel Sundin registered a company of that name in Belize. His choice of business partner alone was reason to be suspicious: Sam Jain, an entrepreneur whose eFront network of websites, which covered everything from gaming to celebrities, had already gone out of business, having allegedly boosted ad revenue by exaggerating visitor numbers.

Right from the start, IM was apparently engaged in some dubious practices. Documents revealed in a 2005 lawsuit brought by the computer security company Symantec allege that IM ran adverts mimicking update alerts from Symantec and other legitimate security firms, but directed users to software sold by Jain. The case cost Jain $3 million in damages.

By the time that deception was uncovered, Jain and Sundin had another in place. Sundin had established an office in Kiev, Ukraine - a city where programming talent is abundant and available for relatively low wages. Developers were asked to produce security software which IM then advertised, using deceptive methods such as the fake scans that had popped up in the Kansas school. One product, WinAntivirus, looked confusingly like Microsoft security software. Another, DriveCleaner, identified 179 visits to adult websites no matter which computer it was installed on. Altogether, the FTC received over 1000 complaints about these and other IM products, including advancedcleaner.com.

Acting on them was another matter. Scareware sellers usually host their products on many different servers, often in Russia and eastern Europe, where law enforcement may not be particularly effective. They also register sites under false names, making identification difficult.

But IM made mistakes. Mistake number one was a lawsuit filed by IM itself. Fraudulent companies do not generally settle internal disputes in court, but in February 2007 IM filed suit in Canada against Marc and Maurice D'Souza, a father-and-son team who, Jain claimed, handled the company's marketing and accounts. Together with other family members, the D'Souzas had allegedly siphoned off an astonishing US$48 million of the company's money. Marc hit back in August that year with his own suit alleging that, among other things, Jain had conspired to force him out of IM and that he should receive $5 million in damages.

Hidden in the claims and counterclaims were incendiary allegations about IM's practices. D'Souza claimed that the company's stellar growth - revenues climbed from $11 million in 2004 to $53 million in 2006 - was based on deceptive practices, including selling antivirus programs that did not detect common threats and registering websites under false names.

Devious twist

"The Canadian lawsuit was the big break," says Arenson. For the first time the full extent of the enterprise became clear to the FTC, and the agency began to appreciate the sophistication of IM's operations. The company had, for instance, set up a series of advertising agencies that placed fake ads on websites. Code within these ads bombarded visitors with fake virus scans.

Zillow, an online estate agent, was one of the victims. In November 2007, an advertising agency called NetMediaGroup, which turned out to be a front for IM, got in touch saying it wanted to run a promotion for SkyAuction, a bona fide travel website, on Zillow's site. The adverts appeared the following month - and the complaints came hot on their heels. When Chad Cohen of Zillow contacted the CEO of SkyAuction, he said he had never heard of NetMediaGroup. Some of the adverts had an extra devious twist, too: viewed from a computer within the website owner's offices, the adverts appeared normal; only users elsewhere received the suspect scans.

Other websites targeted included those of Major League Baseball and the National Hockey League, The Economist magazine and the dating site eHarmony. All this was giving the FTC a picture of how IM worked, but it took another basic mistake - and the work of Dirk Kollberg of McAfee - to uncover the true scale of the operation.

In late 2007 Kollberg was tracking scareware that exploited a recently discovered software vulnerability. It allowed unscrupulous developers to slip things such as pop-up scans into animated adverts. Kollberg noticed that some of the fake scans the animations delivered came from a server registered to IM. The name stayed with him, as organisations pushing scareware do not usually reveal their identities so readily. When another McAfee expert came across a second link to IM, Kollberg decided to investigate the company's servers more closely.

To his surprise, he found the servers were not password protected. It was a security lapse of breathtaking irony for a company that made its money exploiting the security fears of others. More importantly, it meant Kollberg could access the contents of the servers without breaking any laws.

The insights were immediate, and damning. For a start, it was not just IM's scans that were fake: the software the company was peddling was too, says Kollberg. He did not find a single example that detected an EICAR test file, a standard piece of programming code which antivirus products are supposed to latch onto to prove they are working. The software also lacked a list of virus "signatures", snippets of code taken from known viruses that security software looks for when searching for threats.
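The EICAR check and the signature list described above, as an added example (not code from the article, McAfee or IM): a minimal signature scanner in Python that passes the EICAR test beside a fixed-output "scan" that cannot. The second signature, its byte pattern and fake_scan are constructed placeholders.

```python
"""Minimal signature-based scanner illustrating the EICAR check and the
signature list described in the article. Added illustration only; not code
from the article, McAfee or IM. The second signature and fake_scan are
constructed placeholders."""
from typing import Callable, Dict, List

# The EICAR test string is public and harmless. It is split into two literals
# here so that this source file itself is not flagged by real antivirus tools;
# a genuine antivirus product should report any file whose content starts with it.
EICAR_TEST_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# A signature database: name -> byte pattern taken from a known sample.
# "Example.Dropper.A" is a constructed placeholder, not a real threat signature.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": EICAR_TEST_STRING.encode("ascii"),
    "Example.Dropper.A": b"MZ\x90\x00PLACEHOLDER-PATTERN",
}

Scanner = Callable[[bytes], List[str]]


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Report the name of every signature whose byte pattern occurs in data.
    This is the core of what genuine antivirus software does; IM's products
    shipped without any such list, so they had nothing to match against."""
    return [name for name, pattern in signatures.items() if pattern in data]


def fake_scan(data: bytes) -> List[str]:
    """A scareware 'scan' in the style of DriveCleaner: the input is never
    examined and the same alarming result is returned on every machine."""
    return ["Adult site visit"] * 179


def passes_eicar_check(scanner: Scanner) -> bool:
    """The test Kollberg applied: hand the scanner an EICAR file (kept in
    memory here rather than written to disk) and see whether it is flagged."""
    eicar_file = EICAR_TEST_STRING.encode("ascii") + b"\n"
    return "EICAR-Test-File" in scanner(eicar_file)


if __name__ == "__main__":
    for name, scanner in (("signature scanner", scan_bytes), ("scareware", fake_scan)):
        verdict = "detects" if passes_eicar_check(scanner) else "misses"
        print(f"{name}: {verdict} EICAR; clean file reports {scanner(b'plain text')}")
```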

But it was the peek into IM's internal workings that was the most revealing. In the claim filed against the D'Souzas, the company had declared 300 employees in Ukraine, 45 in India and another 35 in Argentina. Kollberg's search revealed that had been an understatement: there were also three offices in the US and one in London. A personnel directory on one server listed 650 names.

The real surprise, though, was the extent to which IM looked just like any well-oiled, legitimate software company. Photos on the server showed a professional-looking logo hung up behind a receptionist's desk at the company's headquarters in Kiev. In another, IM employees were playing paintball and volleyball and swimming in a river on what seems to be a company away day.

On a third server, databases detailed hundreds of pieces of IM software and provided a list of server farms used by IM, each with an "abuseability" rating - an estimate, perhaps, of how willing the farm was to host IM's software and its tolerance of the complaints that the software attracted.

IM also had call centres in India and Poland to deal with customer queries. Call recordings found by Kollberg make for depressing listening. Many of IM's customers have limited computer skills, and when some complained of getting virus warnings after installing IM's software, they were told to uninstall other security products first, thus removing their best protection. Others complained of calling back repeatedly and of waiting for promised emails that never arrived. Around 2 million calls were made to the centres in 2008, Kollberg estimates.

What of the people who worked for the company - how much did they know of what was going on? Former employees are not hard to track down. Many continue to list their experience at IM on LinkedIn, a business-oriented social network. Of the eight who responded to emails and phone calls from New Scientist, three said they either knew about IM's practices while on the payroll or left the company as soon as they found out. Although reluctant to talk on the record, they were frank about the motivations of IM staff.

Paying over the odds

"Our team was perfectly aware that we sold scareware," says a translator who worked for the company in Kiev in 2008. "The manager never made a big mystery of that." The team the translator was part of had 10 staff and 15 freelancers to translate the text of IM's products into 28 languages. "Not everyone was happy about it, but money is money," the translator says. IM was paying around 60 per cent more than similar jobs elsewhere offered.

A mid-level employee, who left three years ago after realising what the company was doing, says that initially IM employed skilled developers to create genuine products. As managers became increasingly concerned with making money, quality declined and the fake scans came into use.

Roughly half the people working there knew the full story, says the employee, but again money talked. "There were a lot of young people working there who did not care about the product. They just took their salaries."

Others dispute that account. Three of the former employees New Scientist spoke to insist that IM sold genuine antivirus products, even if the quality was not always high. Alexiy Orlovsky, now at antivirus firm Zillya, was a product director at IM managing around 50 staff before he left in 2008. He says that the company's software was tested against real viruses. "I can be sure about every product that I supervised," he says, adding that he has never heard of the products Kollberg tested and was not aware of the scareware ads while at the company. He attributes the problems to other companies faking IM products.

Orlovsky also told New Scientist that he had not heard of Jain, Sundin or other senior IM investors. But the FTC recently made public an email between Sundin and a business associate in which Sundin refers to Orlovsky on a first-name basis and provides his contact details. Orlovsky did not reply to a subsequent request to clarify his relationship with Sundin.

Whether it was fake or not, IM's investors were doing well out of the company's software. Figures obtained from the company that processed IM's payments show that the scareware firm had over 4 million customers and a revenue of $163 million between 2004 and 2008. Credit-card records show that Kristy Ross, a romantic partner of Jain's and one of the accused in the FTC court action, led a lifestyle that involved stays in a luxury hotel in the Bahamas, a series of meals costing over $500 each and extravagant shopping sprees, including spends of $30,000 at Harrods in London and $23,000 at the fashion house Louis Vuitton in 2008.

That all came to an end on 3 December 2008. After examining evidence presented by the FTC, a US court froze the assets of everyone it could link to IM. This included Ross and the D'Souzas, who are currently cooperating with the FTC, says Arenson.

Jain and Sundin are another matter. Jain failed to turn up for a court hearing early last year and an international warrant has been put out for his arrest. As for Sundin, New Scientist was able to trace him, via his parents, to Stockholm, Sweden, but he did not return emails or phone calls.

In their absence, in February 2009 the FTC won default judgments against Jain, Sundin and IM for $163,167,539.95 - the precise total that the FTC believes the company brought in. Whether the commission, or the millions of people fooled by IM's scans, will ever receive a cent remains to be seen.

As yet we do not know whether an enterprise the size of IM was a one-off. Scareware has certainly not gone away. The IM story is a salutary reminder that where there is a fast buck to be made, fraudulent operations will often muscle in - and that it pays for all of us to be certain of what we buy.

How to avoid scareware (sort of good advice, as far as it goes)

• Before buying security software, make sure it comes from a well-known and trusted company. If in doubt, consult a tech-savvy friend.

• If a virus warning appears when you are browsing the web, run a search on the company named in the scan. Many scareware companies are quickly identified this way.

• Make sure you have a firewall installed and turned on. A firewall blocks unauthorised traffic between your computer and the internet, and will prevent scareware from installing itself without your knowledge.

• If you think nasties are already lurking on your hard drive, use the free scans provided by reputable companies like McAfee, Symantec and Microsoft.

• Make sure you keep your security software up to date once you have it installed.

Jim Giles is a correspondent in New Scientist's San Francisco office

And while you’re surfing, check this out: a site that monitors deceptive advertising, much of which is Internet stories.

Susan Wilhite | UX Researcher & Trend Community Manager

10101 North De Anza Blvd., Cupertino, CA USA 95014

Office: 408.863.6594