Scareware gangs have been using pretty much the same tactics since the dawn of time. Or at least since 2005. They compromise Web sites, use them as jumping off points for pop-up boxes that aim to terrify the citizenry into thinking their PCs are infected and downloading fake security software. But now, at least some of the crews are shifting their techniques to a much more subtle trick that waits for the victims to try to watch a video and then pounces.
Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware. Which it may actually be, but that’s beside the point. The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they’re pushing and then get him to pony up for the license fee.
Now, researchers at GFI Labs have come across a new breed of rogue AV that takes a less direct route to the victim’s wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users’ machines, but doesn’t immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video, and then unleashes its ingenious scam.
The scareware shows the victim an error message saying that his codec version is too old and can’t play the video. Similar messages appear if the victim tries to download a video and play it locally or stream it from the Web. Eventually, the victim is presented with a screen informing him that he should purchase the “Video Codec Suite” for the low, low price of $35.95.
“Call it a hunch, but I think the best optional extra here is to run in
the opposite direction from this particular fiasco. Of course, it makes
sense for the people behind these attacks to start mixing things up a
little – FakeVimes has been all over the news recently, and not in a ‘We
love you, FakeVimes’ kind of fashion,” GFI’s Christopher Boyd wrote in a post on the new rogue AV attack.
Even with its old timey tactics and predictable methods, scareware is still quite a profitable scam for the crews deploying it. The costs are low, the revenue is high and victims continue to fall for it.