Microsoft has just released the sixth edition of the Microsoft Security Intelligence Report (SIR). There’s a ton of information in the 180 or so pages of the latest SIR on security trends, but probably the most interesting aspect of the report for those concerned about privacy is the section on Rogue Security Software, aka scareware.
The SIR outlines how cybercriminals are increasingly using social engineering techniques to mislead victims into unwittingly providing personal information online. Education programs led by the industry and governments, along with increased media attention on social engineering attacks, have helped raise public awareness of these threats. Unfortunately, cybercriminals are using scareware to take advantage of that increased awareness of security threats and trick people. This poses a real threat to consumer safety and privacy online, and it is critical that people know how to protect themselves.
“Scareware” masquerades as legitimate security programs that offer protection from malware, spyware, and other threats, but uses social engineering to obtain money or sensitive information from victims while offering poor or nonexistent protection. The scareware may in fact be malicious software itself, and installing it on a computer can lead to theft of sensitive information and infections from additional malicious software. Typically, a scareware program displays false or misleading alerts about infections or vulnerabilities on the victim’s computer and offers to fix the supposed problems for a price. Victims of such social engineering attacks often have their privacy compromised through theft of personal information, which often leads to unauthorized financial transactions and identity theft. Additionally, the growing alarm over such attacks threatens consumer trust in online commerce and the digital lifestyle.
The SIR found that the global prevalence of scareware has increased significantly over the past eighteen months. Of the top 25 families detected on computers worldwide by Microsoft security products, seven had some connection to scareware. Scareware families are also among the top threats detected on computers in many countries throughout the world. Additionally, three of the top 10 threats detected worldwide in 2H08 disseminate scareware. Win32/FakeXPA, Win32/Yektel and Win32/FakeSecSen are all in the worldwide top 10; none was in the top 25 threats in 1H08. Together, these three families accounted for nearly 2 million computers cleaned in 2H08.
Protecting consumers from this growing threat requires a combination of technology protections, increased consumer education, strong, effective cyber policy, and efforts by law enforcement to uphold those policies. Microsoft has also responded to the increasing threat posed by scareware with a three-part effort: implementing technical countermeasures; developing a strategy to send a strong deterrent message to the people who produce and sell the software; and providing customer guidance, support, and tools on how to distinguish real security software from scareware.
Microsoft’s Internet Safety Enforcement Team (ISET) has long advocated using private legal causes of action as a tool to combat online malfeasance, and has used such methods against spammers with a fair amount of success by partnering with government, law enforcement, and industry partners worldwide. When the threat of scareware emerged, ISET reached out to this same group of partners to begin developing a statutory framework upon which to base an effective civil enforcement program, and to promote awareness of the scareware threat among consumers. The legal cases that have resulted from this effort send a strong message to groups peddling fraudulent products on the Web.
Microsoft strongly encourages consumers to learn how to protect themselves from scareware by visiting www.microsoft.com/protect and to contact their local law enforcement and consumer protection agencies to encourage them to take action against people who distribute scareware.