I’m sure you’ve seen them — those pop-up ads that make scary claims:
YOU MAY BE INFECTED!
CLICK HERE TO CLEAN YOUR SYSTEM NOW!
I just ran across one: a friend hit this site, was convinced he was infected, and asked how to remove the infection.
My friend wasn’t infected. It was a fraudulent anti-virus scan with fake results. This is often called "Scareware" and it amounts to using fear to sell products — in fact, many of these products will cause more serious problems when you actually attempt to install their "fix" for these fake infections.
There are a few types of these cons:
- User is dropped on a fake Anti-virus/Anti-spyware scan that detects "false" infections
- User is told their computer is not running properly, download X software to fix it
- User is told their activities are being monitored and recorded, click here to prevent this
Here is a screenshot that shows one of the scanners apparently finding "errors":
In truth, this computer has none of these errors and this is a simple ploy to get you to install their software. In fact, this type of attack and fraud is so common that this particular scanner has its own Wikipedia entry: WinFixer.
Here are some of the more interesting quotes:
They display false information with regards to a user’s computer,
thereby confusing said user into believing their PC is infected with
viruses, spyware and/or other forms of malware.
On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court. KTVU (Channel 2 in Oakland, CA) carried a special report you can view at http://www.youtube.com/watch?v=zBUZHiKhsog.
The best way to protect yourself from these types of scareware attacks is simple: Only install/buy software from companies that are well respected and that you trust. If you aren’t sure, use Google to do a quick background check on the company and see what it turns up.
Also, ZoneAlarm products with OSFW will protect you. This scareware often attempts to install to this location:
Any process that attempts to write/change this registry key and is not in our SmartDefense Advisor Approved list will create a security alert. The alert below shows me attempting to change the "Run Key" using the Registry Editor:
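The allowlist check described above, sketched as an added example (not ZoneAlarm's code and not part of the original post). The Run key paths, the approved list and the sample events are assumptions constructed for illustration:

```python
import re

# Assumption: the standard Windows autostart ("Run") keys; the page does not
# give the exact location, so these are illustrative, not taken from it.
RUN_KEY = re.compile(
    r"^(HKLM|HKCU|HKU\\[^\\]+)\\Software\\(WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?(\\|$)",
    re.IGNORECASE,
)

# Hypothetical allowlist of processes permitted to modify autostart entries.
APPROVED = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\program files\examplevendor\updater.exe",
}

def is_run_key(target):
    """True if a registry path is a Run/RunOnce key or a value under one."""
    return bool(RUN_KEY.match(target))

def alerts(events):
    """Return events where an unapproved process wrote to a Run key."""
    flagged = []
    for ev in events:
        image = ev["image"].lower()
        if is_run_key(ev["target"]) and image not in APPROVED:
            flagged.append(ev)
    return flagged

# Constructed sample events (process image, registry target), not real logs.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp"},
    {"image": r"C:\Windows\regedit.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Test"},
    {"image": r"C:\Users\demo\AppData\Local\Temp\setup_fix.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fixer"},
    {"image": r"C:\Users\demo\AppData\Local\Temp\setup_fix.exe",
     "target": r"HKCU\Software\ExampleVendor\Settings\Runtime"},
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT:", ev["image"], "->", ev["target"])
```

The second sample event mirrors the Registry Editor case above: a legitimate tool still raises an alert when it is not on the approved list.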