Phoney Anti-Spyware Software Lures Unsuspecting Users

Like the most dangerous and devious phishing attacks, this one is based on a Web site. Users enticed here face a fake portrayal of Microsoft's Windows Security Center.

The bogus site displays such factual information as the user's IP address, the browser being used, operating system, and country of origin. Along with that, however, the page claims that an attacker "has gained access to your computer and is collecting the information about the sites you've visited and the files contained in the folder 'My Documents.'" A pop-up also alleges that the PC has been infected with a rogue .dll -- a piece of spyware dubbed "W32.Sinnaka.a" -- that's collecting private data.

It's all a lie, said Patrick Hinojosa, the chief technology officer of Panda Software.

There's no such online edition of Windows Security Center -- that's actually an on-disk utility in Windows XP -- nor is there any legit malware by the name of Sinnaka.a.

id
unit-1659132512259
type
Sponsored post

But the scam is only beginning, said Hinojosa. Unlike other phishing fraudsters, these aren't after identities or even bank account numbers. Instead, they're trying to scare users enough that they click on one of the four links to purported anti-spyware tools with names like Spy Trooper, PS Guard, World AntiSpy, and Raze Spyware.

Users who click on a links to download one of these programs is told to register the program for a small fee: $10.

The fake site was slick enough to fool even Hinojosa for a moment. "I wasn't paying attention, and when I looked back at the JPEG [image screenshot] of the bogus site, I thought at first it was actually the Windows Security Center screen on my desktop," he admitted. "I had to look at it twice to tell it wasn't. This is certainly something that would fool most people. I could see my wife looking at this, and giving me a call telling me that our home computer was infected."

The four "anti-spyware" programs touted at the site aren't new to real researchers. Spy Trooper, for instance, is simply a renamed version of SpyDemolisher/SpySheriff/SpywareNo. All four are on Spyware Warrior's "Rogue/Suspect Anti-Spyware" list.

The ploy, of course, is to spook users with a bogus infection alert -- backed up by an interface that looks official -- then get them to reach for the first piece of software they see.

"Most phishing don't come via e-mail anymore," said Hinojosa, "not in the typical way we're used to, where a bank or PayPal says that you need to reactivate an account. Most come via a remote control Trojan or some kind of Web site scam, like this one."

Spam is still used to get traffic to a site -- including this one -- he added, but "the e-mail is up-front that it's selling something or directing you to a service site. Nothing up to that point is quote, unquote wrong in users' minds. They're on guard against the traditional phishing, but not this."

A cousin to "ransom-ware" -- the term some have slapped on malicious code that infects a PC, then demands money in return for cleaning up the machine or unlocking suddenly-encrypted -- this technique isn't new. The Federal Trade Commission (FTC) has been busy during 2005, in fact, with lawsuits quashing other bogus anti-spyware schemes.

In August, the FTC announced a settlementh Advertising.com, a subsidiary of AOL, which stipulated that the SpyBlaster program would disclose it came with adware. Earlier in the year, the FTC moved against Spyware Assassin and SpyKiller 2005

Even with FTC crack-downs, however, the bogus spyware approach won&t vanish. It's too lucrative.

"We're going to see a lot more like this," said Hinojosa. "Like mushrooms after a rain."