Scareware attacks spreading to Twitter, Google and legit media websites

privacycenter_twittered_crop2My USA TODAY cover story on the proliferation of scareware – and the ostentatious profits earned by top scareware affiliates — has struck a nerve.

Readers’ comments include musings about why banks and credit card companies don’t do more to police the online payment systems they supply for use by scareware traffickers. Some consumers bedeviled by obnoxious scareware promos are beginning to wonder why big media websites and the online advertising  agencies don’t do more to curtail ordinary-looking online ads, many of which carry invisible triggers for  scareware promos.

LastWatchdog believes these are all valid questions. It’s up to consumers, equipped with some knowledge,  to demand answers.

My cover story recounts how a steadily-growing, highly-lucrative criminal industry has evolved into a major  driver of  cybercrime.  At the top of the heap are 10 to 12 murky scareware distribution groups that run highly-efficient  “affliliate” programs.

TrafficConverter.Biz was one of the most active and visible. It was shut down last November, thanks in large part to bold investigative reports by Washington Post security blogger extraordinaire,  Brian Krebs.  It’s a safe bet that TrafficConverter.Biz has reconstituted under a new name and is back in operation. The money to be made is just too good.

How top-level suppliers orchestrate affiliate campaigns

Hypponen

Hypponen

I got the idea to illuminate how the nuts-and-bolts of the scareware industry work after speaking off-the-cuff with F-Secure researchers Mikko Hypponen and Patrik Runald at the RSA security conference last April.

We discussed how the top level suppliers, like TrafficConverter, produce the fake dialogue boxes that appear on your computer and that try to scare you into spending $30-80 to buy fake protection. They also supply the Visa, MasterCard and PayPal payment mechanisms that enable consumers to pay them. And, finally, the top-level groups supply the “product” that is delivered to the duped purchaser: fake scanners, bogus cleanup tools and worthless antivirus /antispyware protection.

In some cases, the fake software you buy may actually provide you with some nominal protection. But mostly for your $30 to $80 the only thing you get is temporary relief from the obnoxious dialogue boxes, and misleading hard drive scans.

The  top level suppliers  compensate productive affiliates handsomely. Hypponen showed me this  screen shot of a contest held by TrafficConverter.Biz offering a $36,000 Lexus to the affiliate who sold the most fake AV. He believes the winner took home the car.

trafficconficker_lexuscontest_crop

“The TrafficConverter gang is obviously continuing their operations, looking at the amount of their rogue samples we keep getting,” says Hypponen.  “But we haven’t found their new website.”

LastWatchdog also reviewed some impressive undercover work by Finjan CTO Yuval Ben-Itzhak and SecureWorks’ ace virus hunter Joe Stewart that details  how top affiliates routinely earn six-figure weekly incomes. Yes, weekly!

You can see Finjan’s report on affiliate compensation schemes here and SecureWorks’ report here.

SEO scareware attacks

Finjan infiltrated a gang that specialized in “search engine optimization” attacks. In an SEO caper, the bad guys create web pages and fill them with words and phrases that are likely search queries, such as “NBA finals” or “American Idol winner.”

Next they hack into a popular, legit website and insert a tiny, almost invisible copy of their web page on as many pages of the  high-traffic site as they can.  Then they sit back and rely on SEO technology to do the rest.

SEO automates the process by which search engines rank web pages and prioritize search results, based on relevance. When the legit site turns up as the no. 1 or no. 2 search result for the popular search query, the hackers’ corrupted link turns up as no. 4 or no. 6. Anyone who clicks on this link will get a fake security pitch.

PandaLabs recently infiltrated another gang of SEO hackers out to spread scareware and tallied up the malicious links they managed to insert into Google search results.

seoattack_google_450pxPandaLabs counted 16,000 malicious links appearing in search results for the search query “YouTube;” 10,500 bad links for “France Airline Crash”; 8,930 bad links for “Microsoft Project Natal”; 3,380 bad links for “E3″; 2,900 bad links for “Eminem MTV Awards Bruno Incident”; and 2,850 bad links for “Sony.”

The SEO hacking group infiltrated by Finjan got paid $172,800 — 9.6 cents for each of the 1.8 million corrupted links people clicked on, says Ben-Izthak. Only a tiny fraction those clicks resulted in the purchase of a fake $50 program. Still, the total revenue generated was $193,320. After paying the affiliate, the top-level supplier pocketed $20,520.

Google spokesman Andrew Kovacs says the search giant works hard to preserve the integrity of search results. “We make constant improvements to our systems,” says Kovacs. “This issue is not specific to one company, and we encourage people to be vigilant about checking the URLs (web links) of the websites they visit.”

Scareware affiliates earn big bucks

Stewart

Stewart

The top-level groups typically work with one hundred or more affiliates, who can earn commissions many different ways. Last fall, SecureWorks researcher Stewart infiltrated a Russian group known as the Baka Software gang. He accessed documentation showing one affiliate earned $146,525 in ten days by spreading promotions for a worthless program, called Antivirus XP 2008, to more than 154,000 people, and closing sales to 2,772 of them. Another record showed five top Baka Software affiliates earning weekly commissions averaging $107,604.

Top-level scareware distributors continue to operate with impunity, mainly based in Russia. And new affiliates crop up everyday, full of fresh ideas to spread increasingly invasive promotions. “Bakasoftware is just one of many affiliate programs,” says Stewart. “The sheer amounts of money involved in installing just one rogue program are mind-boggling.”

Botnets are integrally involved. Botnets allow the automation and scaling up of all of these shenanigans. Some affiliates are major botnet controllers, who deploy their botnets some of the time to spread scareware. Some are specialists who lease botnets to spread scareware.

St. Petersburg connection

All of this got me thinking about how the thriving scareware industry is really the natural progression what Andrej Sporaw set into motion when he was tooling around St. Petersburg in 2004-2005 in his black Mercedes S600 running iframecash.biz website, one of the original top-level scareware distributors. You can read about Sporaw’s exploits in this excerpt from my award-winning book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity.

Sporaw was one of the first to offer commissions to anyone who helped him spread the SpySheriff fake antivirus program. Freelancer hackers began to taint legitimate Web sites so that pop-up ads for SpySheriff would launch on the PC of anyone who visited a corrupted web page.

Ben-Itzhak

Ben-Itzhak

I’ve always wondered if Sporaw, who must be in his late 20s by now, stayed active. It would make sense that he is a leader of top-level group today. Finjan’s Ben-Itzhak, who tracked Sporaw in his iframecash.biz days, says there is little evidence connecting Sproraw to the SEO hackers.

“The look & feel of the command and control server is different. The location of the server is in Ukraine and not Russia. As I do not want to speculate without having simple evidences to support my claims, I cannot conclude that these are the same people. Affiliations like these are very popular on the web today, there is a high chance that these are two different groups,” he says.

Granted, but the SEO hackers operate more like affiliates. And my suspicion is that Sporaw, if he’s still active, would be heading up one of the main top-level groups.

Cutting-edge Twitter scareware attacks

Fast forward to June 2009. Last week, PandaLabs threat researcher Sean-Paul Correll logged on to his Twitter profile page and noticed “phish” was one of the Top 10 “trending topics” being Tweeted about by Twitterers.

It seems a music fan figured out a way to use an iPhone to stream music from the floor of the Phish concert in Wantagh, New York, generating a ton of Tweets. Correll clicked to a webpage listing real-time Tweets about this cultural milestone — and immediately spotted a suspicious one. It suggested clicking to a Web link to view a “phishtube” video on YouTube.

You guessed it: the Tweeted link was tainted.

phishtube_tweet_crop Click on it and you’d be prompted to download a fake Adobe Flash player update. Click on the fake update, and you’d get sucked into a promotion for worthless “Privacy Center” antivirus protection.

Correll wondered how many of the other Top 10 trending topics might be similarly corrupted. He quickly discovered all Top 10 trending topics included Tweets with links to the same scareware promotion. “They were targeting every trending topic on Twitter,” says Correll.

Correll didn’t have to use any fancy forensic techniques to figure this out. He simply used the free search and sorting tools Twitter makes available to everyone, and some common sense. He tallied the number of different Twitter accounts sending out the bad links, discovering about 50 different accounts sending out more than 3,000 Tweets with scareware links. Each malicious Tweet keyed off of a Top 10 trending topic.

‘Assumed goodness’

This particular attack shut down two days later. But Correll notes that Twitter has made it child’s play for anyone with a modicum of tech savvy to replicate it.

It’s free and simple to create one, a dozen or 100 new Twitter accounts, which can then be used to broadcast malicious Tweets. What’s more, Twitter makes it very easy to automate the process of sending out malicious Tweets. “It’s pretty trivial to make something that interfaces with Twitter,” says Correll. “It doesn’t take a lot of knowledge.”

The attackers probably created a simple program, called a script, that automatically kept track of the top trending topics and then dispersed malicious Tweets with slightly differing text corresponding to each hot topic.

The bad guys thus were able to leverage the high trust quotient associated with fast-changing Tweets. “Sites like Twitter work in real time and create open dialogues with everyone in the world,” says Correll. “People tend to trust the links they see on Twitter because they view it as real-time communication. They assume goodness.”

Crippling machines to cash in

In fact, scareware promotions can be very bad, indeed. In a similar Twitter attack tracked by Kaspersky Lab virus hunter, Roel Schouwenberg, the bad guys created new Twitter accounts and began broadcasting Tweets declaring “Best video” with a web link .

Clicking on the link launched a sequence that replicated the message to everyone on the victim’s friends list. Schouwenberg says anyone who clicked on http://juste.ru got directed to a particularly egregious promotion. It shut down — and locked out — all other software programs, and insisted on purchase of a two-year license, for $49.95, to unlock the programs. A lifetime license cost $79.95. Here’s a screen shot of a similar lock-out attack:

filefix_scareware-copy“They’re beginning to cripple machines to make it more likely that you will pay up,” he says.

Risk vs. reward

A few scareware affiliates have been slowed by regulators. Last year, Microsoft and the Washington State Attorney General Rob McKenna  filed several lawsuits against companies for allegedly marketing fake security products. And the Federal Trade Commission last December obtained restraining orders prohibiting Innovative Marketing and ByteHosting Internet Services, which the FTC says tricked more than one million consumers into buying WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, all worthless.

While affiliates risk encounters with law enforcement, the top-level suppliers are cagey. Most shape agreements with affiliates to deflect liability, and supply rudimentary protection upon payment. That way they can argue that they are selling providing something of value, says Dan Hubbard, chief technical officer of Websense Security Lab.

“The legal boundaries are gray at best,” says Hubbard. “They may not be breaking any laws based on where they operate from.”

It took a few days to get Twitter to respond. But spokeswoman Jenna Sampson did finally send me an email acknowledging Twitter was aware of the attacks tracked by PandaLabs and Kaspersky. She noted that the company keeps users abreast of cyber threats at its Status blog.

“We take the security of our users extremely seriously and are very open with them when we discover new threats,” says Sampson. “We share the information with them, and have a team that proactively mines for threats and shuts them down immediately.”

Maybe so. But LastWatchdog believes that a USA TODAY reader commenting today’s cover story may have summarized it best: “Scareware is the very definition of terrorism for the 21st Century. Soon many will be pondering getting rid of their Internet access completely. It is almost to that point now. Whether you pay bills online or bank online do you really know that the website you are visiting is actually legit?”

–Byron Acohido