Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Hackers Scam Thousands with Bogus Anti-Spyware Offers



 By: Brian Prince
2007-11-09
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Hackers are scamming users with ads on legitimate high-traffic news, entertainment and job Web sites.

Want some anti-spyware? How about a Trojan with that?

That is not a literal sales pitch, but the end result of a multistep scam involving rogue anti-spyware that researchers at SecureWorks are warning Web surfers about. Though tricking users into downloading Trojans via bogus anti-spyware is nothing new, security researchers said the magnitude of the scam makes it problematic.

"Rogue anti-spyware scams have been in circulation for several years," said Don Jackson, a security researcher at Atlanta-based SecureWorks. "However, they were typically one-off-type scams. We have never seen a malicious campaign using rogue anti-spyware of this magnitude before .... SecureWorks has personally seen 10 different content providers affected by this campaign and our outside sources tell us that they have worked with another 20 or so, but we suspect it is affecting dozens of Web sites."

Resource Library:
According to officials at SecureWorks, the plot works this way: A victim browses a legitimate, high-traffic Web site with legitimate-looking ads often served by third-party advertising platforms like Google and Yahoo. When the victim clicks on the page or takes some other action on the page, a pop-up appears warning of a security problem on the victims computer.

The pop-up offers fake anti-spyware for sale for amounts ranging from $19.95 to $79.95 in exchange for credit card information. Once purchased, the bogus product either downloads a rootkit or a Trojan such as Zlob that steals personal information over time. The scammers make money from both the sale of the fake product as well as the victims credit card information and access to the Trojan or rootkit-infected computer, researchers said.

The hackers are utilizing the Russian Business Network services and other hosting services for the scam, SecureWorks officials found, and content providers the company has worked with reported that incidents of the scam shot up dramatically in October.

"There are a variety of kits for sale on the Internet [that] will allow a hacker to do a turnkey setup of a site selling anti-spyware, such as SpyShredder, which is one of about 40 different rogue anti-spyware products being used in this latest scam," Jackson said. "The hackers are setting up the fake anti-spyware Web sites and then they are buying advertising direct from the legitimate Web sites or the advertising agencies that represent these Web sites."

The hackers then inject those ads randomly with malicious code to send a pop-up alert, such as, "You have encountered a piece of spyware on your machine or you have been hacked, download SpyShredder to clean it off your machine now." The visitor does not need to click on the ad, merely visit the page hosting it and perform any action.

Since the malicious code is served up at random, an ad wont deliver the alert every time, making it difficult for Web site owners to detect which ad is bad and which is good, Jackson said.

Click here to read more about the biggest spam scam ever.

Forrester Research analyst Chenxi Wang said it is difficult generally for Web sites to scrutinize their advertisers, in part because they sometimes dont know who their advertisers are.

"[Some Web sites use] Google or Yahoos automatic algorithms to place relevant ads, but they do not deal with the advertisers personally, so they typically would not scrutinize the advertisers," she explained. "Google and Yahoo can do some vetting to a certain extent, but there is no tool that is sophisticated enough to understand the intention/behavior of arbitrary programs. Therefore its not possible for them to determine definitively whether some ads have malware behind [them] or not."

Adding that any Web site that runs ads is at risk for this scam, SecureWorks officials recommended that Web sites, ad companies and ad aggregators protect themselves by consistently monitoring the ads on their site or the ads they are placing. Web sites should enforce strict content guidelines for their advertisers and follow stringent rules as to who they sell their ads to, making sure the buyer is legitimate.

Researchers also suggest Web surfers avoid downloading any anti-spyware software that is not a well-known product.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Hackers Scam Thousands with Bogus Anti-Spyware Offers
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}kw6DىCO-ȖĶ<={I)CR _zPsoOAPBP(|CgowD.}hcr g%Sg{>D{{|!P`I-*_rdxCrJԲ|W7RՇnc3P/W`W0QY|%x_'Щ=ѩ:€dB$itL|ϨTS_ƾQ/?6GuLbhC⌲IlG5tCܢ%yH#Ǣu)p#(DsX[t>r@_2pS6BT!|DJk4ًшqGws{/ !X]jk#2hj9:W{7v+!6^;r9ȹ3z$:匝/8Gd`jI:@*"4CÑcPp,ǃ) TQ3#}jZ3u-3G@ؾ!# 3EuL_FB?$f…05g?LG`B'lǦ" 'm_j| tn93{xDfnrdHU o~c> c xz`:vxtTa_dY f42Mٰ5T:Ԫr\ˇJQTyxx?y-Ӟ=89np?O?w/irxٽj_HQPww@ږVa(.ۧ7nG:[A\`'H H~W&R*rP8&ȇ Ԙ|5 P%կFxXX+(.c#-bv=ӧ0F_8rrn򳹥uk\ߴ-kܴ[g>_ekfy3?b Jg3B~7 VgkUs%gl}n _Gt@C0\6:}Uo~`Kk'ޮCǩEXCyCm0Mߑҡ~Df9}nI?\OIN©,7{M0o-Yn]H.)ލT,>JAf~ siR2!r* ?n^S;G7ۯzxxf-M>Ŀ G/<@'X])p3Z&j9T23=jMH89k 3!RBʼIK _{@@ZR~nV(nS%EI7#DD vx0r!DKI88c{.Ӱt1?vwެ,U*մ[ӢKsq}i5IsV؂)3G#вnZ 7MGR>MǍUJfz\ʡV1p-~~2dLm,5,LHYA^gA`:)~Ч1>ҡ9m'!|БdmxZ.s3ЍIXn`vthQ{4ڭ,%_bH}xS껵v&ztmP`9ImLJ.??6 { G`p&{xk =`D+wK@bLTE}vAC@XzC X.Gs 6GT[MKx G3RP sZ( W^`y" 9 EEKy3@ $hO`źm_I~ޑvZ*&RP*m=!ԑtጝZ*=h3aGe-n^ $ d6g2+IMi{0V-&D7r"e.G WKᙖ6ZlY,*ǚvX§c&F#0a 3G == 3̴K0:i`2Ґ(eNa9=sYn;At랒9:\f3|fZ1k`Baw4dufB7 ƉiLH|Bz0-qڛ8uVw]ˤDL)^HIRЙj!@9z٧l)>3-[I%7˺{_No6ҁ~iXZ @-ei ,a-VXt jQWt(:АT um:bXGJG!1~h/a2(&nw߱}|sö &TY9φ?>2ei;aՒhxK;ʸA:`@ELl5K׳թw@4="/INMdr gG ǏiФ0T]2agRhjUMas(zq |X0b=9ߛ8[%5n/.{K Yky]ؑRB|vjN (|p4'Z>pdZ`/R7:twұj )݅I ,䧒\R ~$[b"ud\6˰@k9gs|eLZմlxTa4Z0b&QajX[ ⚪T}ff{/R.4F (dyD4@/q8bk lBs}rq@l#RaM݌5m"uy@VIJXhQ6{_4MOOm(}gnLZ޼ ?~דBoɧ3;pi%uQby.A!/r}&&q3cX_dUM+%0u238ڃF28c=[ ٔ|{.R 5:=Fp=Нt;'q7s?LWEnCϡRD7PUL xg4sDcK6VNMlE;<6Xi<vH̼~jÄsn驔rgH*@:erฦ[;iJo3郦2I*"E6[ pe l&SbR/փ `Ac#g0(Gܱ)~ (zC9m^>SPU]HmP*jIIz, :,h7xџVPVW`Zd&\%\{3i0(Q󩋗afD}R/)3nQ/ ~egm>Q?F&7 u5Yx\YsXҌd;}X^5uH"HeNV*\U%P-HjYtn:0ȘُYD[n:L&2O%ss]`_`Onη{ܝׇ}`>L;H墦Ak R;vO+a>&ri#uL)je!EO*'-JpX8YH/s>P9ۻBlpIj‰ +~?l)ɁXXD>Diz\{e">ZPf/MGFDcc2Խ}VU'O(0h_pǭ;dU]uv1g +f[I)3xW mvw~D >\e¼zG;vݹ:|L[(M@?^-{Zj\/0C~W?H槏7OWM}GQ^ٷgP K1rcF1>`d˙]=/boft0lg^hy+ 8$aN׹p.7WKߧ ?wL.W-)^s-< rLpBj\?^(d0 szj܄ 6b ` xѤ@"cxH/ ^!m Be\:7 g^|%V}Xxr!sdQ6h4&lS뷽G8 Z`! ob!|J<APc{ r H)'4 v%:\b/:H4VB 0FG_TJi)4z'u3xlvn)5+E_ѫſF½}i T t6~OWK0NvfAdQ+F+9ǭϤsq@H߉ NAv}hq_,c92 7?%x -Mu>nSoqJh"g:A;6?m[ħ{, /䎑<=;SL%Q([4viQE%eє9rtJ1SBt+(2H P,O&e=lI1 iKBih%bbVHGZo{ݸڞm ybXýK3BǝJ$sgKe  KqkP i"+ `->ϓgԢᬖ^}+ ɏxR̅0Of Ӯz/гOnw5?{l&<)ǣAlu9obXKgnnהŞ`4 ݥR8o;i{}¶"CWq j[:Y+`*1$XhHNm d_~EVe.tՕ^t2<>:k ,Fu d3tTo4hAhfl3O7C]j~l_s1Ak~=Ϥ2]a^R=n /o}VZtC.q@)n&^--^\RK>\+Uk@< b]_ I{Oz[N آwgf7#Ÿ@!{ze']Nȿil.Ƕs$;grxH l;mmݭnM M A;"J <%N->[4 2UCnK_:Z1iE0pDa '$\}5 ߊ;bE Imi|o(~?N83{K4lZSgל7&/6o)~ \(o.BӞ Na_}x2.mE>zQc%Fm?^ϗIO 4˼G YsrRX' iRȊL0GoRv7m߯?>} x RO.CDJоcǗkޝ7>`<;p,rF KMJ_A`Hϩ\rZ$U.ut ҀNtsl#Sk"+&n*lP|ۚ=QwYF0 OPYJ{Qx9XH^>_&~?rM%kku}F㽄)Znˎ1D\Nl<>L\'Gd(΀,S3Z)+X=&NI(}gIL}Nl0{_B4gAWAgiVu,yzr ܟՄKLz@-X rF[#mXi겎C4}$fcL?ˌ?-:*bbL?;-t_;n9]b%^,xDdIJ]G)l^ۃH;S>RːbB0nQ/y I 2hE^+%W+GEQ@~4,*6?xw?ȮH-FL[}%$v ~+ZV,kJb% {eCEŴR0%r^j7>SFs~maޓE1bx&Š*.=D)ДLx}$C6T._I`U~#URK2^{o2gP$v՗>gK“v ̥f@? cZA@-foNRT`m[V)8tXt xԗ1fxdHwsr#Ltf  @|{:D DԟV Wܖ/pNjc v¤s= :ˑ`9TjrUR jrBW#0yF7gϦEH]PN&g*V']? _3"!&ϢjF9Xo@]8W^܃ɗmeI' ?R[,K߽fsffQ jVcꇕ_kf}"}וa.`5&&su񵣇'cB$rGA[bZA](N6]vx7aF-`UځJHg`9 S9rKhpf%IP] Ӻz`5ega 5ޞJX[h.u% ʬkm*_HzxO!=tL8_?D/ŵ?\ `ootB8HuwԟPv{Ry:d`7a526aLCj Y.KZ.|s? pʳm_~}_As\$+J0pf֐d6g GKc , vC7S ;&2w$E} k}da҃Hj֙ pkhu|IoD}y%{ѷӯ#r, +lyEΫߑs rc[") NB//|Б[3fg1Ġ/DMl߽ s ۩IYLʹm Z1ߦE0PCnE{ܷ?E݃~Oe`{vxh/SVgZ?6 X ךY~^HckE.Z7| 3LK?c"/7?e)E)T0; _(opb䭼d?߾݋ ߙSh{0&cHƵpSo\Dq'H|Ad7D  U({*Dz'v/!j\Dq0-gcWF%5z J 0hCX^q5L<0&hF꨺MmMj@ja`K$bl\M'p.$XD PaCc8wQ!5HFpxAiLʃxSZB=sj41!^r>&ƘKjxVQՒ|Rӊ,w)]dDo=01ꮐ֘1h*B ǯ9=Q5B]RU BInl1zy -gCy^Š{y <7/={y K6/LxQ8Ow| 􄼥 -J4sW'j"h?tn>Ԙ <-* ;,SKy+^RzA;Э%x k#b2zވ5#Y$Z `Oh$~bH]-RWld""v" qŎy?4u۽hz.zx dpܙ6 ^[<yS]q hs>(4xJa01K+;3r'vѻ 2˰1 wKy–s\vf+{\o|J"ķ5|$rE8!iN'?O7W]P)`#}~f6L-Ǭ D"c*41GJ[!}ɹeMZfBE< ,i0! YC) Q?bq縍H Ř!&"7L۰flFLNPPbAmЃ(i_31Fnŷn(l;b21#|>O~9ǀk̎2 $Ü]ΰ*@[`g* }n D(Ĕv767p>9oYiJ :\ypƧx} t@x,dj,yǥ}-AG,G71=` ?ET&nK ibyL ]ǒ 4B1h6A20=cm|?݉i2{}bRU+J)|U3ʰLXUK)^I ;ees =M蕴B^Ȉq~{~@|LBz،\{ݾ1C 9ܐ9iHI}kwIs} \MGݩ;'U}LrN.{08SDnu#VԼVxqxQQ3Q~7O6坌r&Р(?g@ |OPi}y;W?o/o7sv3gWvF?u3ʿ@">vˌ/3Y\f2?/?/3e*P93(ˌr߫ʐ+@;dN~kQ&7.??}P9g BmV9mBf_ryrָƅ)IFy)W?REV SV9,2&c˼$=)>w滤Ixմ] &JR7[O'ikr(%s<2g!gs=* ͱ#{"ys"X5½p'֯eybnAz[G$ZQ =P.v;)nדWpKSG0%nsOkr>u"[~|^Yylߣx߇ߊD,5{ e%Hi_0\fcz!J1 4c֭dKo1BDO"Уc/ʵ5^ʘE,d 'âȗጽNۯX ā` pTB P}oq =s XI.?û6VI2hؐCXKlɜ]k'bB']WLO,O@ f+gQ6]V=ȾwF=Cb6Sx x-7:]A.+M&Dr&ߢ)tO T/AD[eGY?gqǭd<@T6߱ hxz|r[ {w{N#Kz>p^E`iBOzuEǻw$ " n+QgLZDAY znuy+qeg77%C9GړLia l JD#iZ#P<틒ՍP;kuo2& 6LG4 hF2`ưz< :1@ EY/vY{N6 )4Mϫ΢R4=szn%()%y+L9(م0U7VAgL=SY,> N_dvO~{Wpͱ|#$n>K:[S1U)ւ_6/gwd&%}YQ v.ymhFz%$t:_[=$sDs݅ ߠ(b/<% *qqHj(tI`S &)^' ,ML[ U|ٱsp ť;:ƍd2- 3 0 <ձ]w O`7@#>Ƌrd{Go^kJ:Ɛ=-)0p,\f@6C|eKox7[iO_d%\#d<l[ +"ۂ K-ô6u¥"UXJMX,8. ktn9Q /9BlAt [=] v<=v7sg'+_2qN`WH؂{!]R>ŔK ]'[٧3й?-{ס/ e;m"],c 0У,*059 q얢UnDl`aA0n,ـ&@/lr=Vc:pSz4 / XGڢZ ®":q`x];ѽ!\]e#FP1Wov$п9alX ^|޹MwϏp`2[u_{0^7϶p2$82epCikVI{{a0&iE-㨤t`C v_ʉ~ph;?҈>A wVǰYF!&ۅ7O80Ux|-h\}{ݘ_;i9LgѸ:"?X=<,KVw;֐]@νE5FElT$bB]Ay,O~҃!gn耵]݄6y8 ]Ll&j1Bi6e1}t1yLXBL 9U|tGYEL`&;]+N%t&ж?f82acT 1L(`,RYגWv!Z~΋|E>WNENE<<Sf )E|1GǩW3.rW=aMd}h-]7{o,sՓ/G<|P q\O(QF2x;ZQ|ڹ`g`/=i)/Z(KsxslA0}Fپ|/ ~} Wha<y&FkkV*wN㛼VtƢI:*P)V []jv[W셳Qbm٦4*d.%rR⊫_fTNƇ̚J܄;66BKFslx61XXu&