Scareware and rogue AV programs have enjoyed a very good run in the last few years, making millions of dollars for their creators and generally making life miserable for victims. And while there’s been some innovation recently in the mechanisms attackers use to keep the programs resident on infected machines, researchers say that for the most part, users’ lack of security savvy and laziness about updating their PCs essentially obviates the need for the use of novel techniques to make these scams work.
In other words, life is good for the bad guys.
The tactics that scareware crews use to spread their useless garbage have remained fairly consistent for most of the last four or five years. They generally include black hat SEO techniques that take advantage of current news topics or celebrity scandals, as well as iFrame exploits and Flash banner ads on legitimate sites. And despite a ton of publicity around these techniques and a lot of awareness efforts from security companies about the problem, their effectiveness has not diminished at all over time.
The scareware programs themselves haven’t changed all that much either, experts say, although they have added some features to make them more difficult to find and remove from infected machines.
“Most of their exploitation, shellcode, encryption and evasion technologies remain uninspired and fairly static. And a good portion of malware distribution relies on very simple uses of technology, not the creation of new technology, ‘social engineering.’ Basically, the abuse of an environment that helps fool a user into running an executable on their system that they should not trust,” Kaspersky Lab researcher Kurt Baumgartner said in a blog post analyzing the current state of scareware attacks. “What does this tell us? For the most part, effectively delivering malware to end user systems still works with simpler, less expensive, means.”
The end result of all of this is that users are still making life too easy for the scareware crews. In the face of malicious attacks and rational advice on how to defend against those threats, many users still continue to ignore that advice.
“It could still be a rational rejection of security advice – users gamble that the efforts of expending the effort to keep informed and their systems up to date are not worth the risk of infection/complete compromise (although when you work with owners of infected systems, the ‘rational’ rejection doesn’t seem quite so rational any longer),” Baumgartner wrote.