Scareware

Last updated March 15, 2024

Dialog from SpySheriff, designed to scare users into installing the rogue software SpySheriffPopUp.png — Dialog from SpySheriff, designed to scare users into installing the rogue software

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software.^[1] Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.^[2] Usually the virus is fictional and the software is non-functional or malware itself.^[3] According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008.^[4] In the first half of 2009, the APWG identified a 585% increase in scareware programs.^[5]

Scam scareware

Internet security writers use the term "scareware" to describe software products that produce frivolous and alarming warnings or threat notices, most typically for fictitious or useless commercial firewall and registry cleaner software. This class of program tries to increase its perceived value by bombarding the user with constant warning messages that do not increase its effectiveness in any way. Software is packaged with a look and feel that mimics legitimate security software in order to deceive consumers.^[6]

Some websites display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful spyware programs.^[7] Immediate removal may be required. To scan, click 'Yes' below." These websites can go as far as saying that a user's job, career, or marriage would be at risk. Products with advertisements such as these are often considered scareware. Serious scareware applications qualify as rogue software.

Some scareware is not affiliated with any other installed programs. A user can encounter a pop-up on a website indicating that their PC is infected.^[8] In some scenarios, it is possible to become infected with scareware even if the user attempts to cancel the notification. These popups are specially designed to look like they come from the user's operating system when they are actually a webpage.

A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.^[9]

Starting on March 29, 2011, more than 1.5 million web sites around the world have been infected by the LizaMoon SQL injection attack spread by scareware.^[10]^[11]

Research by Google discovered that scareware was using some of its servers to check for internet connectivity. The data suggested that up to a million machines were infected with scareware.^[12] The company has placed a warning in the search results for users whose computers appear to be infected.

Another example of scareware is Smart Fortress. This site scares the victim into thinking they have many viruses on their computer and asks them to buy a professional service.^[13]

Spyware

Some forms of spyware also qualify as scareware because they change the user's desktop background, install icons in the computer's notification area (under Microsoft Windows), and claiming that some kind of spyware has infected the user's computer and that the scareware application will help to remove the infection. In some cases, scareware trojans have replaced the desktop of the victim with large, yellow text reading "Warning! You have spyware!" or a box containing similar text, and have even forced the screensaver to change to "bugs" crawling across the screen.^[14] Winwebsec is the term usually used to address the malware that attacks the users of Windows operating system and produces fake claims similar to that of genuine anti-malware software.^[15]

SpySheriff exemplifies spyware and scareware: it purports to remove spyware, but is actually a piece of spyware itself, often accompanying SmitFraud infections.^[16] Other antispyware scareware may be promoted using a phishing scam.

Uninstallation of security software

Another approach is to trick users into uninstalling legitimate antivirus software, such as Microsoft Security Essentials, or disabling their firewall.^[17] Since antivirus programs typically include protection against being tampered with or disabled by other software, scareware may use social engineering to convince the user to disable programs which would otherwise prevent the malware from working.

Legal action

In 2005, Microsoft and Washington state successfully sued Secure Computer (makers of Spyware Cleaner) for $1 million over charges of using scareware pop-ups.^[18] Washington's attorney general has also brought lawsuits against Securelink Networks, SoftwareOnline.com,^[19] High Falls Media, and the makers of Quick Shield.^[20]

In October 2008, Microsoft and the Washington attorney general filed a lawsuit against two Texas firms, Branch Software and Alpha Red, producers of the Registry Cleaner XP scareware.^[21] The lawsuit alleges that the company sent incessant pop-ups resembling system warnings to consumers' personal computers stating "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED", before instructing users to visit a web site to download Registry Cleaner XP at a cost of $39.95.

On December 2, 2008, the U.S. Federal Trade Commission ("FTC") filed a Complaint in federal court against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, as well as individuals Sam Jain, Daniel Sundin, James Reno, Marc D’Souza, and Kristy Ross. The Complaint also listed Maurice D’Souza as a Relief Defendant, alleged that he held proceeds of wrongful conduct but not accusing him of violating any law. The FTC alleged that the other Defendants violated the FTC Act by deceptively marketing software, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. According to the complaint, the Defendants falsely represented that scans of a consumer's computer showed that it had been compromised or infected and then offered to sell software to fix the alleged problems.^[22]^[23]^[24]

Prank software

Another type of scareware involves software designed to literally scare the user through the use of unanticipated shocking images, sounds or video.

An early program of this type is NightMare, a program distributed on the Fish Disks for the Amiga computer (Fish #448) in 1991. When NightMare executes, it lies dormant for an extended and random period of time, finally changing the entire screen of the computer to an image of a skull while playing a horrifying shriek on the audio channels.^[25]
Anxiety-based scareware puts users in situations where there are no positive outcomes. For example, a small program can present a dialog box saying "Erase everything on hard drive?" with two buttons, both labeled "OK". Regardless of which button is chosen, nothing is destroyed.^[26]
This tactic was used in an advertisement campaign by Sir-Tech in 1997 to advertise Virus: The Game . When the file is run, a full screen representation of the desktop appears. The software then begins simulating deletion of the Windows folder. When this process is complete, a message is slowly typed on screen saying "Thank God this is only a game." A screen with the purchase information appears on screen and then returns to the desktop. No damage is done to the computer during the advertisement.^{[ citation needed ]}

Detection

Recent research has also introduced a new detection technology designed to identify scareware social engineering attacks with enhanced resilience. This approach targets the visual images presented to end users, which is a layer that attackers cannot easily obscure.^[27]

Notes

↑ "What is Malware? | IBM". www.ibm.com. Retrieved 2023-12-06.
↑ "Millions tricked by 'scareware'". BBC News. 2009-10-19. Retrieved 2009-10-20.
↑ 'Scareware' scams trick searchers. BBC News (2009-03-23). Retrieved on 2009-03-23.
↑ "Scareware scammers adopt cold call tactics". The Register. 2009-04-10. Retrieved 2009-04-12.
↑ Phishing Activity Trends Report: 1st Half 2009
↑ John Leydon (2009-10-20). "Scareware Mr Bigs enjoy 'low risk' crime bonanza". The Register. Retrieved 2009-10-21.
↑ Carine Febre (2014-10-20). "Fake Warning Example". Carine Febre. Retrieved 2014-11-21.
↑ JM Hipolito (2009-06-04). "Air France Flight 447 Search Results Lead to Rogue Antivirus". Trend Micro . Retrieved 2009-06-06.
↑ Moheeb Abu Rajab and Luca Ballard (2010-04-13). "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution" (PDF). Retrieved 2010-11-18.{{cite journal}}: Cite journal requires |journal= (help)
↑ "Mass 'scareware' attack hits 1.5M websites, still spreading". On Deadline. April 1, 2011.
↑ "Malicious Web attack hits a million site addresses". Reuters.com. April 1, 2011. Archived from the original on November 11, 2014. Retrieved July 1, 2017.
↑ "Google to Warn PC Virus Victims via Search Site". BBC News . 2011-07-21. Retrieved 2011-07-22.
↑ "Smart Fortress 2012". Kaspersky Lab Technical Support. February 29, 2012. Archived from the original on 2017-01-28.
↑ "bugs on the screen". Microsoft TechNet.^{[ permanent dead link ]}
↑ Vincentas (11 July 2013). "Scareware in SpyWareLoop.com". Spyware Loop. Archived from the original on 8 November 2014. Retrieved 27 July 2013.
↑ spywarewarrior.com filed under "Brave Sentry."
↑ theregister.co.uk
↑ Etengoff, Aharon (2008-09-29). "Washington and Microsoft target spammers". The Inquirer. Archived from the original on 2008-10-02. Retrieved 2008-10-04.
↑ "Attorney General's Office Sues, Settles with Washington-based SoftwareOnline.com | Washington State". www.atg.wa.gov. Retrieved 2021-12-21.
↑ Tarun (2008-09-29). "Microsoft to sue scareware security vendors". Lunarsoft. Retrieved 2009-09-24. [...] the Washington attorney general (AG) [...] has also brought lawsuits against companies such as Securelink Networks and High Falls Media, and the makers of a product called QuickShield, all of whom were accused of marketing their products using deceptive techniques such as fake alert messages.
↑ "Fighting the scourge of scareware". BBC News. 2008-10-01. Retrieved 2008-10-02.
↑ "Win software". Federal Trade Commission.
↑ "Wanted by the FBI - SHAILESHKUMAR P. JAIN". FBI.
↑ "D'Souza Final Order" (PDF). Federal Trade Commission.
↑ Contents of disk #448. Amiga-stuff.com - see DISK 448.
↑ Dark Drive Prank
↑ Seifert, Christian; Stokes, Jack W.; Colcernian, Christina; Platt, John C.; Lu, Long (2013). Robust scareware image detection. pp. 2920–2924. doi:10.1109/ICASSP.2013.6638192. ISBN 978-1-4799-0356-6 . Retrieved 2024-02-09.

External links

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, a full screen, a video, a pop-up ad or in some other form. All forms of advertising carry health, ethical, privacy and security risks for users.

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

A registry cleaner is a class of third-party utility software designed for the Microsoft Windows operating system, whose purpose is to remove redundant items from the Windows Registry.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

AntiVirus Gold is rogue software developed by ICommerce Solutions S.A. that poses as a legitimate antivirus program. It attempts to persuade users to buy the software by displaying ads and other nagware. It is believed that the name of the program is an attempt at social engineering to confuse people about the legitimate program AVG Anti-Virus.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

PC Tools, formerly known as WinGuides.com, was a software company acquired by Symantec in 2008; the new owner eventually discontinued the PC Tools name. Company headquarters were in Australia, with offices in Luxembourg, the United States, United Kingdom, Ireland and Ukraine. The company had previously developed and distributed security and optimization software for the Mac OS X and Microsoft Windows platforms.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Ultimate Defender is a rogue antivirus program published by Nous-Tech Solutions Ltd. The program is considered malware due to its difficult uninstallation and deceptive operation. It is commonly installed by the Vundo trojan.

VirusHeat is malware that disguises itself as a legitimate anti-virus program. VirusHeat tricks users into buying the full version of the program through repeated false alerts and popups, purporting to alert the user that there is a system error or they are infected, and must buy the full version to remove. It was launched on February 8, 2008.

MonaRonaDona is a browser hijacker that uses unique tactics through popups or alert messages stating that you are infected with a virus. It uses this message to send users on a hunt for a MonaRonaDona remedy only to run into other malicious websites.

Microsoft Security Essentials (MSE) was an antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge. It replaces Windows Live OneCare, a discontinued commercial subscription-based AV service, and the free Windows Defender, which only protected users from spyware until Windows 8.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

AV Security Suite is a type of rogue security software, commonly categorized as scareware and malware, which masquerades as a legitimate virus scanner on the victim's Microsoft Windows system. While it is predominantly observed on Windows platforms, it may adopt alternative names on other operating systems to better integrate itself within their interfaces, thereby enhancing its deceptive nature. In the task manager, the program typically appears as a series of seemingly random characters followed by identifiers such as "tssd.exe" or "shdw.exe," a tactic aimed at complicating detection and removal efforts.

Internet Security Essentials, also InternetSecurityEssentials, is rogue security software pretending to protect the computer against malware and viruses. It is one of several clones belonging to the "FakeVimes" family of fake antivirus malware.

Winwebsec is a category of malware that targets the users of Windows operating systems and produces fake claims as genuine anti-malware software, then demands payment to provide fixes to fictitious problems.

ByteDefender also known as ByteDefender Security 2010 is a scareware rogue malware application on Windows that masquerades as a legitimate antivirus program. It uses a false system scanner that produces large deposits of malware and it attempts to scare the users to purchase the full version of the rogue software for the removal of nonexistent and/or unnecessary spyware items. The name of this antispyware program is used to confuse the user looking for the legitimate Bitdefender before downloading the software.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "What is Malware? | IBM". www.ibm.com. Retrieved 2023-12-06.

[2] "Millions tricked by 'scareware'". BBC News. 2009-10-19. Retrieved 2009-10-20.

[BBC1-3] 'Scareware' scams trick searchers. BBC News (2009-03-23). Retrieved on 2009-03-23.

[4] "Scareware scammers adopt cold call tactics". The Register. 2009-04-10. Retrieved 2009-04-12.

[5] Phishing Activity Trends Report: 1st Half 2009

[6] John Leydon (2009-10-20). "Scareware Mr Bigs enjoy 'low risk' crime bonanza". The Register. Retrieved 2009-10-21.

[7] Carine Febre (2014-10-20). "Fake Warning Example". Carine Febre. Retrieved 2014-11-21.

[8] JM Hipolito (2009-06-04). "Air France Flight 447 Search Results Lead to Rogue Antivirus". Trend Micro . Retrieved 2009-06-06.

[9] Moheeb Abu Rajab and Luca Ballard (2010-04-13). "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution" (PDF). Retrieved 2010-11-18.{{cite journal}}: Cite journal requires |journal= (help)

[10] "Mass 'scareware' attack hits 1.5M websites, still spreading". On Deadline. April 1, 2011.

[11] "Malicious Web attack hits a million site addresses". Reuters.com. April 1, 2011. Archived from the original on November 11, 2014. Retrieved July 1, 2017.

[12] "Google to Warn PC Virus Victims via Search Site". BBC News . 2011-07-21. Retrieved 2011-07-22.

[13] "Smart Fortress 2012". Kaspersky Lab Technical Support. February 29, 2012. Archived from the original on 2017-01-28.

[14] "bugs on the screen". Microsoft TechNet.^{[ permanent dead link ]}

[AAA-15] Vincentas (11 July 2013). "Scareware in SpyWareLoop.com". Spyware Loop. Archived from the original on 8 November 2014. Retrieved 27 July 2013.

[16] spywarewarrior.com filed under "Brave Sentry."

[17] theregister.co.uk

[18] Etengoff, Aharon (2008-09-29). "Washington and Microsoft target spammers". The Inquirer. Archived from the original on 2008-10-02. Retrieved 2008-10-04.

[19] "Attorney General's Office Sues, Settles with Washington-based SoftwareOnline.com | Washington State". www.atg.wa.gov. Retrieved 2021-12-21.

[20] Tarun (2008-09-29). "Microsoft to sue scareware security vendors". Lunarsoft. Retrieved 2009-09-24. [...] the Washington attorney general (AG) [...] has also brought lawsuits against companies such as Securelink Networks and High Falls Media, and the makers of a product called QuickShield, all of whom were accused of marketing their products using deceptive techniques such as fake alert messages.

[21] "Fighting the scourge of scareware". BBC News. 2008-10-01. Retrieved 2008-10-02.

[22] "Win software". Federal Trade Commission.

[23] "Wanted by the FBI - SHAILESHKUMAR P. JAIN". FBI.

[24] "D'Souza Final Order" (PDF). Federal Trade Commission.

[25] Contents of disk #448. Amiga-stuff.com - see DISK 448.

[26] Dark Drive Prank

[27] Seifert, Christian; Stokes, Jack W.; Colcernian, Christina; Platt, John C.; Lu, Long (2013). Robust scareware image detection. pp. 2920–2924. doi:10.1109/ICASSP.2013.6638192. ISBN 978-1-4799-0356-6 . Retrieved 2024-02-09.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Hacktivism Insecure direct object reference Keystroke loggers Logic bombs Time bombs Fork bombs Zip bombs Fraudulent dialers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Security information and event management (SIEM) Mobile secure gateway Runtime application self-protection Site isolation

v t e Software distribution
Licenses	Beerware Floating licensing Free and open-source Free Open source Freely redistributable License-free Proprietary Public domain Source-available
Compensation models	Adware Commercial software Retail software Crippleware Crowdfunding Freemium Freeware Pay what you want Careware Donationware Open-core model Postcardware Shareware Nagware Trialware
Delivery methods	Digital distribution File sharing On-premises Pre-installed Product bundling Retail software Sneakernet Software as a service
Deceptive and/or illicit	Unwanted software bundling Malware Spyware Trojan horse Worm Ransomware Scareware Shovelware Vaporware list
Software release life cycle	Abandonware End-of-life Long-term support Software maintenance Software maintainer Software publisher
Copy protection	Digital rights management Software protection dongle License manager Product activation Product key Software copyright Software license server Software patent Torrent poisoning

v t e Malware topics
Infectious malware	Comparison of computer viruses Computer virus Computer worm List of computer worms Timeline of computer viruses and worms
Concealment	Backdoor Clickjacking Man-in-the-browser Man-in-the-middle Rootkit Trojan horse Zombie computer
Malware for profit	Adware Botnet Crimeware Fleeceware Form grabbing Fraudulent dialer Malbot Keystroke logging Privacy-invasive software Ransomware Rogue security software Scareware Spyware Web threats
By operating system	Android malware Classic Mac OS viruses iOS malware Linux malware MacOS malware Macro virus Mobile malware Palm OS viruses HyperCard viruses
Protection	Anti-keylogger Antivirus software Browser security Data loss prevention software Defensive computing Firewall Internet security Intrusion detection system Mobile security Network security
Countermeasures	Computer and network surveillance Honeypot Operation: Bot Roast