Microsoft declares war on 'scareware'

Ads for bogus security software are popping up everywhere. Microsoft and the FTC are fighting back, but jaded old geeks need to do their part, too.

A couple weeks back the digital version of the New York Times found itself hip deep in manure when it got tricked into serving up "scareware" ads to unsuspecting readers.

You know the scam. You're merrily surfing the Web when suddenly a window pops up: "Your computer is infected with malware, but if you send us $49.95 we'll clean it right up for you." Of course, there is never any malware. Nothing happens save for the bank draft. And then they'll scam you again in a few months with ads for another bogus product.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Usually these ads are the result of a malware infection itself, or something that sites serve up when you cruise the Net's dark and dirty underbelly -- or so I've heard, as I've never been there myself ;). Inserting them into the ad servers of a trusted site, though, was a stroke of malevolent genius.

According to the Times' Ashlee Vance, an ad for the "Personal Antivirus" scanner showed up inside readers' browsers instead of the legit ad the Times thought it had sold:

The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.

I'm sure the readers of the Times thought they were safe from such shenanigans, which only makes the scareware ads more effective. Ironically, the Times' veteran tech reporter John Markoff reported on this very phenomenon a year ago; he estimated a single vendor could make $5 million a year scaring people into paying for faux anti-virus software.

Late last week Microsoft filed suit against five advertisers who've abused the MSN ad network in an attempt to scare the wallets out of unsuspecting users. Per IDG News' Robert McMillan:

The company is suing DirectAd Solutions, Soft Solutions,, and ITmeter, saying that these companies have used ads to "distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users," according to a blog posting by Tim Cranton, associate general counsel with Microsoft.

The FTC is also getting into the act, freezing the assets of well-known makers of security fauxware.

Of course, suing the bastards and actually catching them are two different things. According to Web sleuths Click Forensics, the New York Times scareware crew are part of a botnet operating out of the Bahamas. That botnet is in turn controlled by an entity known as "the Ukranian Fan Club," says security researcher Dancho Danchev (in my next life, I want a name like Dancho Danchev).

At this point we don't know if the MSN five are related to this operation or another gang of cybercrooks, but we do know if they're pros they've taken steps to cover their tracks.

It's easy to blame vendors for making browsers so damned porous they became an overwhelmingly tempting target. (Microsoft, your Windows Mobile phone is buzzing.) But you have to pin some of the blame on the victims who fall for these scams.

When you're a jaded old techie like me it's easy to forget that, by and large, people believe what they see on screen. When their computer tells them they've got a virus, they swallow it hook, line, and Visa.

More and more I am starting to think new PCs should come with some kind of driving test: Answer these 10 questions correctly or you can't log onto the Net. The idea wouldn't be to punish users, but to educate them. At the very least we'd know they'd been introduced to the concept of scareware, even if we know some of them will go ahead and pay the money anyway.

Meanwhile, it's up to us jaded geeks to educate the general populace by telling our friends and colleagues not to fall for this stuff. And, of course, to avoid becoming victims ourselves.

What do you think? Should users have to pass a computer driving test? If so, what questions do you think should be on it? Post yours below or e-mail me:


Copyright © 2009 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!