Users Still Making Life Easy for Scareware Crews

Scareware and rogue AV programs have enjoyed a very good run in the last few years, making millions of dollars for their creators and generally making life miserable for victims. And while there’s been some innovation recently in the mechanisms attackers use to keep the programs resident on infected machines, researchers say that for the most part, users’ lack of security savvy and laziness about updating their PCs essentially obviates the need for the use of novel techniques to make these scams work.

In other words, life is good for the bad guys.

The tactics that scareware crews use to spread their useless garbage have remained fairly consistent for most of the last four or five years. They generally include black hat SEO techniques that take advantage of current news topics or celebrity scandals, as well as iFrame exploits and Flash banner ads on legitimate sites. And despite a ton of publicity around these techniques and a lot of awareness efforts from security companies about the problem, their effectiveness has not diminished at all over time.

The scareware programs themselves haven’t changed all that much either, experts say, although they have added some features to make them more difficult to find and remove from infected machines.

“Most of their exploitation, shellcode, encryption and evasion technologies remain uninspired and fairly static. And a good portion of malware distribution relies on very simple uses of technology, not the creation of new technology, ‘social engineering.’ Basically, the abuse of an environment that helps fool a user into running an executable on their system that they should not trust,” Kaspersky Lab researcher Kurt Baumgartner said in a blog post analyzing the current state of scareware attacks. “What does this tell us? For the most part, effectively delivering malware to end user systems still works with simpler, less expensive, means.”

The end result of all of this is that users are still making life too easy for the scareware crews. In the face of malicious attacks and rational advice on how to defend against those threats, many users still continue to ignore that advice.

“It could still be a rational rejection of security advice – users gamble that the efforts of expending the effort to keep informed and their systems up to date are not worth the risk infection/complete compromise (although when you work with owners of infected systems, the “rational” rejection doesn’t seem quite so rational any longer),” Baumgartner wrote.

Discussion

  • Adam Richard on

    "And a good portion of malware distribution relies on very simple uses of technology, not the creation of new technology, 'social engineering.'"

    "The end result of all of this is that users are still making life too easy for the scareware crews. In the face of malicious attacks and rational advice on how to defend against those threats, many users still continue to ignore that advice."

    How ironic to see this piece written by you only a couple of weeks after I contacted you about a significant new social engineering trend that I suspect is going to be used more and more in the future by rogue anti-malware makers, and which was not targeted at users, but at news outlets, including this very same mailing list, ThreatPost. You politely dismissed me as this "was not the kind of story you cover", despite the fact that it also involved ThreatPost. But I guess that unlike Baumgartner, I don't work for Kaspersky, and that in the end, it's still easier to just blame the end users than to look closer at reports that a marginally-legitimate company manages to social engineer its way onto a ThreatPost article, and by extension that portion of "users" that trust ThreatPost's articles as being reliable.

    I finished writing my article and it's currently going through the proofreading stage as I type this. I mention this just in case you'd be interested this time to actually take a look at it.

    You have my coordinates.

  • JK on

    I would think to say that warning users to be more aware, to learn more to protect themselves is a good thing, and sheds more necessary awareness of the fact that users on the whole don't know enough.  Vulnerabilities should be pointed out, whether in software, on websites, or yes... in users. 

    Were you suggesting that Kaspersky was the "marginally-legitimate" company doing the social engineering into.. this article, on the site where it says The "Kaspersky Lab Security News Service" at the top left of the page? 

    It seems "they" social engineered "their" way into "their" article on "their" website.

    Besides, relax - you are probably right that these guys are going to target media orgs, but they're certainly not going to need to use complex infection techniques to do it, which was Kurt's other point.

  • Adam Richard on

    No, I'm not implying that Kaspersky was the "marginally-legitimate" company doing the social engineering. It's another "company", much less known and reputable from its past confirmed history.

    The social engineering I was referring to is the ways in which this so-called company has managed to revamp its image, and through some snow-balling effect of media tidbits collected about it, some of which are not really relevant either, it seemingly managed to have re-virginized its reputation, to a point where one of this shadowy company's media spin tidbits made it past everyone's filter at Kaspersky (ThreatPost) and was passed on to the mailing list as a genuine piece of info, which IMHO just proves how efficient the social engineering was, as I hold Kaspersky's staff in the highest regard in terms of competence in InfoSec.

    My finger is not pointing at Kaspersky directly; I was simply trying to notify them of this issue and the significant importance I believe it holds, and possibly follow up on it. To no avail so far, but it's OK. I've got other horses to beat on, and found another place to submit my article, after breaking it down into a multi-part series.

    Thanks for showing interest on this, JK.

  • Adam Richard on

    The irony I was referring to was the fact that this article blames the users for falling into the Scareware makers' trap, while even the people at ThreatPost fell for one such scheme, as did many major media outlets.

    Just to clear up my original comment.
