Recently I came into possession of a series of documents showing the financial books of an organization that orchestrates the distribution of rogue anti-virus attacks or “scareware,” programs that hijack victim PCs with misleading security alerts in an effort to frighten the user into purchasing worthless security software. I found many interesting details in this data cache, but one pattern in the data explains why scareware continues to be a major scourge: Relatively few people victimized by it dispute the transaction with their bank.
The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.
More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact.
A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).
I interviewed more than a dozen victims of the first scareware attack, which occurred between April 12 and April 15. All said their computers became unusable and that the only way they could figure out how to regain control of the machine was to surrender and purchase the software. In each case, immediately after the victims submitted their payment information, the hijacking program disappeared, leaving no trace of itself, and no hint of any fake security program on the victim’s machine.
Some victims reported receiving a follow-up e-mail thanking them for their purchase, and directing support inquiries to firstname.lastname@example.org. Others never got an e-mail, but only saw a charge on their credit card statement from Browsing Solutions, Moscow. Other victims saw charges from EBD-Software.com.
None of the victims I was able to track down had successfully reversed the charges with their credit card provider, although a few did have the charges canceled after contacting the phone number listed in the customer support e-mail. Some said they had tried to contact their credit card provider or the scam company but got the runaround and simply gave up; others said they were confused because they were in the process of trying to purchase legitimate anti-virus software when their computers were hijacked.
Raymond Zens, a generator technician from Jamestown, N.D., said he had just typed in a search for Symantec Internet Security when his computer was hijacked. Zens said that at the time he thought he had purchased the protection he was seeking from Symantec. It wasn’t until he was contacted by this reporter this week that he realized the computer wasn’t protected with a real anti-virus product.
Brad Pierson, a clinical social worker from Austin, Texas, knew he’d been scammed but said he declined to contest the charge out of shame.
“The embarrassment and feeling of degradation that goes with that made me want to blow it off,” Pierson said. “I just kind of thought, ‘That’s the price you pay for being had.’ I didn’t try to do anything about it. I was just glad to have my hard drive and data intact after the whole thing.”
Clearly, few of the victims of rogue anti-virus would describe themselves as computer experts or even intermediate computer users. Still, it’s remarkable that so few people would bother to dispute the charges, said Gary Warner, director of research in computer forensics at University of Alabama at Birmingham.
Warner said he was in San Diego for a conference earlier this year and was staying at a hotel when he noticed one of the hotel’s business center computers was running a notorious rogue anti-virus product. Warner said that he alerted a hotel staff member to the infection, then watched in amazement as the staffer right-clicked on the program’s icon in the Windows task bar, selected “update,” and then proceeded to run a scan and declare that nothing seemed to be amiss.
“On the one hand, it’s amazing that these [scammers] can make so much money,” Warner said. “But the fact is that they’re able to sell something that’s fraudulent and not have people complain either because they think it’s real or they’re embarrassed to say something. The real crime, of course, is that many of these people also think this worthless product is going to protect them.”
Warner said he believes rogue anti-virus will continue to be a scourge as long as banks do little to identify the merchant accounts associated with these rogue anti-virus companies.
“The other side of this is, maybe people just don’t know how to report this kind of fraud,” Warner said. “Truthfully, who are you going to get to take law enforcement action against these scammers? In each of these situations, you’re looking at victims who each lost between $80 and $100, which isn’t exactly grounds for a big federal investigation.”