
FBI Busts 'Scareware' Gang That Bilked Victims Of More Than $100 Million

 
Earth Bound Misfit Donating Member (1000+ posts) Thu Jun-03-10 05:51 AM
Original message
FBI Busts 'Scareware' Gang That Bilked Victims Of More Than $100 Million
http://darkreading.com/insiderthreat/security/antivirus/showArticle.jhtml?articleID=225200545

Global cybercrime scheme yielded sales of more than 1 million phony software purchases from victims in 60 countries

May 28, 2010 | 11:03 AM
By U.S. Department of Justice Federal Bureau of Investigation

CHICAGO -- An international cybercrime scheme caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million, according to a federal indictment returned here against a Cincinnati area man and two other men believed to be living abroad. The charges allege that the defendants, through fake advertisements placed on various legitimate companies' websites, deceived Internet users into falsely believing that their computers were infected with "malware" or had other critical errors to induce them to purchase "scareware" software products that had limited or no ability to remedy the purported, but nonexistent, defects. The alleged scheme is widely regarded as one of the fastest-growing and most prevalent types of Internet fraud.

Two defendants, Bjorn Daniel Sundin, and Shaileshkumar P. Jain, with others owned and operated Innovative Marketing, Inc. (IM), a company registered in Belize that purported to sell anti-virus and computer performance/repair software through the internet and that operated a subsidiary called Innovative Marketing Ukraine, located in Kiev. The company appeared to close down last year after the U.S. Federal Trade Commission filed a federal lawsuit in Maryland seeking to end the allegedly fraudulent practices.

Jain, 40, who performed the functions of IM's chief executive officer, is a U.S. citizen and is believed to be living in Ukraine. Sundin, 31, who performed the duties of IM's chief technology officer and chief operating officer, is a Swedish citizen and is believed to be in Sweden.

The third defendant, James Reno, 26, of Amelia, Ohio, with others owned and operated the former Byte Hosting Internet Services, which operated call centers that provided technical and billing support to victim consumers on behalf of IM. Reno is expected to present himself for arraignment at a later date in U.S. District Court in Chicago.

snip

Reno allegedly aided and abetted Sundin, Jain and others in creating and operating the fictitious ad agencies by providing support as a technical adviser for the computer servers and networks used to facilitate their operation. The fictitious ad agencies included "BurnAds," "UniqAds," "Infyte," "NetMediaGroup," and "ForceUp," according to the indictment.

After the defendants caused a victim to be directed to an IM scareware website they controlled, the indictment alleges that the following events typically occurred:

# the IM scareware site appeared not to be a website at all, but rather a warning message from the computer user's operating system, falsely informing the user of an error and prompting the user to click on a box to address the purported error. Further error message prompts occurred regardless of whether the user clicked the box agreeing to or declining to proceed or attempted to close the error message window;

# the IM scareware displayed an animated graphic image that gave the fake appearance that the computer was being scanned for various errors or viruses. Bogus results falsely showed that critical errors were detected by the fake scan; and

# the IM scareware website then prompted the victim user to download a free trial version of an IM product, falsely promising that the software could repair the nonexistent critical errors.

As a result of the browser hijacking, multiple fraudulent scans, and false error messages the defendants and others allegedly deceived victims into purchasing the full paid versions of IM software products, such as "Malware Alarm," "Antivirus 2008," and "VirusRemover 2008." At times, the defendants defrauded victims into purchasing multiple products through a deceptive order screen that kept hidden certain pre-checked option boxes which, when checked, increased the total number of products being purchased, the indictment alleges.

The proceeds of these sales, typically by credit card, were allegedly deposited into bank accounts controlled by the defendants and others throughout the world, and then were transferred to additional bank accounts located in Europe.

The defendants and others allegedly used Byte Hosting to deflect complaints from victims who purchased IM software products. Knowing the products to be fraudulent and distributed and sold under false pretenses, Reno and others caused call center representatives to be instructed to lie to customers about the products and persuade them to remove legitimate pre-existing anti-virus software, the indictment alleges. To persuade the Byte Hosting call center representatives to continue their employment, Reno and others falsely informed them that they were not involved in a fraud scheme because United States law did not apply to IM and its business practices because IM was based overseas. The call center employees were authorized to provide refunds to discourage victims from notifying their credit card companies or law enforcement that they were deceived into purchasing the fraudulent software products, according to the indictment.

Individuals who believe they are victims and want to receive information about the criminal prosecution may call a toll-free hotline, 866-364-2621, ext. 1, for periodic updates.

ck4829 Donating Member (1000+ posts) Thu Jun-03-10 05:56 AM
Response to Original message
1. My father's computer was struck with this "scareware"
Edited on Thu Jun-03-10 05:57 AM by ck4829
It is fraud, pure and simple. And it wouldn't let you use your own computer or even anti-virus programs to get rid of it. I hope they throw the book at these guys.
 
Earth Bound Misfit Donating Member (1000+ posts) Thu Jun-03-10 06:14 AM
Response to Reply #1
3. I got hit last August by "Windows PolicePro"
Code inserted in a malicious PDF file using a vulnerability in Adobe Reader, one of the most vulnerable programs known to mankind (not to mention its voracious resource appetite) alongside Micro$oft'$ Internet ExPLODEr. I dumped Adobe Reader in favor of Foxit not long after.
 
RoyGBiv Donating Member (1000+ posts) Thu Jun-03-10 06:13 AM
Response to Original message
2. The whole industry is a protection racket ...

While I'm glad to see these companies being prosecuted, the line between them and those companies that legitimately scan your computer for problems and then demand payment before even giving you a legitimate report as to what those problems are is very fine. Further, legitimate companies market their products in such a way so as to lead to a false sense of security, which only encourages bad behavior on the part of computer users and makes the job of malware distributors that much easier. You see the results with stories like this.

This is just going to get worse, not better.
 
Earth Bound Misfit Donating Member (1000+ posts) Thu Jun-03-10 06:23 AM
Response to Reply #2
4. Agreed.
There is no program that defends against the main culprit: Human Error 1.0
 
RoyGBiv Donating Member (1000+ posts) Thu Jun-03-10 06:26 AM
Response to Reply #4
5. The PEBKAC Virus

Worst virus there is. In frustration, I told an acquaintance whom I kept trying to help with his constant malware infections that this is what he had, and no one could fix it. Never told him what it meant either.

(Problem Exists Between Keyboard and Chair, for those unaware)

 