[AI] Infections found: Inside the great scareware scam
ilovecold at gmail.com
Thu Jul 15 17:51:51 EDT 2010
How a pair of brazen scammers made a cool $163 million from our
online security fears - and how the law finally shut them down
by Jim Giles
ONE day in March 2008, Kent Woerner got a disturbing phone call from a
teacher at an elementary school in Beloit, Kansas. An 11-year-old
student had triggered a security scan on a computer she was using,
revealing that the machine contained pornographic images. Worse still,
the images had appeared on-screen as the scan took place.
Woerner, who manages the computer systems for the local school
district, jumped in his car and drove to the school. Repeating the
scan, he too saw the images, alongside warnings that the machine was
infected with viruses and spyware that were surreptitiously
monitoring the computer's users. Yet a search of the hard drive
revealed nothing untoward. Switching to another machine, Woerner
visited the security website that provided the scan, and ran it again.
Exactly the same number of pornographic images popped up.
Woerner was smart enough to spot the ruse. This was not a genuine
security scan. It was nothing more than an animation designed to dupe
the unsuspecting computer user into shelling out $40 or so for
software to combat a security problem where none existed. For those
who fall for it, such "scareware" spells double trouble: not only are
they relieved of their cash, but the software they download has no
protective effect, leaving them vulnerable to malicious attack.
Woerner noted the site behind the fake scan, advancedcleaner.com,
and got in touch with the Federal Trade Commission (FTC), the US
consumer protection agency. He was one of hundreds. As the FTC trawled
through the complaints, it became clear that in its complexity,
sophistication and sheer brazenness, this was no normal internet scam.
"This is one of the largest internet-based frauds the FTC has ever
prosecuted," says Ethan Arenson, an attorney at the agency's
headquarters in Washington DC. Over in Hamburg, Germany, analysts at
the computer security company McAfee were independently coming to
a similar conclusion.
It soon become clear that in its complexity, sophistication and sheer
brazenness, this was no normal internet scam
The scam is the story of a computer security company called Innovative
Marketing (IM) Incorporated. It begins in 2002, when internet
entrepreneur Daniel Sundin registered a company of that name in
Belize. His choice of business partner alone was reason to be
suspicious: Sam Jain, an entrepreneur whose eFront network of
websites, which covered everything from gaming to celebrities, had
already gone out of business, having allegedly boosted ad revenue by
exaggerating visitor numbers.
Right from the start, IM was apparently engaged in some dubious
practices. Documents revealed in a 2005 lawsuit brought by the
computer security company Symantec allege that IM ran adverts
mimicking update alerts from Symantec and other legitimate security
firms, but directed users to software sold by Jain. The case cost Jain
$3 million in damages.
By the time that deception was uncovered, Jain and Sundin had another
in place. Sundin had established an office in Kiev, Ukraine - a city
where programming talent is abundant and available for relatively low
wages. Developers were asked to produce security software which IM
then advertised, using deceptive methods such as the fake scans that
had popped up in the Kansas school. One product, WinAntivirus, looked
confusingly like Microsoft security software. Another, DriveCleaner,
identified 179 visits to adult websites no matter which computer it
was installed on. Altogether, the FTC received over 1000 complaints
about these and other IM products, including advancedcleaner.com.
Acting on them was another matter. Scareware sellers usually host
their products on many different servers, often in Russia and eastern
Europe, where law enforcement may not be particularly effective. They
also register sites under false names, making identification
But IM made mistakes. Mistake number one was a lawsuit filed by IM
itself. Fraudulent companies do not generally settle internal disputes
in court, but in February 2007 IM filed suit in Canada against Marc
and Maurice D'Souza, a father-and-son team who, Jain claimed, handled
the company's marketing and accounts. Together with other family
members, the D'Souzas had allegedly siphoned off an astonishing US$48
million of the company's money. Marc hit back in August that year with
his own suit alleging that, among other things, Jain had conspired to
force him out of IM and that he should receive $5 million in damages.
Hidden in the claims and counterclaims were incendiary allegations
about IM's practices. D'Souza claimed that the company's stellar
growth - revenues climbed from $11 million in 2004 to $53 million in
2006 - was based on deceptive practices, including selling antivirus
programs that did not detect common threats and registering websites
under false names.
"The Canadian lawsuit was the big break," says Arenson. For the first
time the full extent of the enterprise became clear to the FTC, and
the agency began to appreciate the sophistication of IM's operations.
The company had, for instance, set up a series of advertising agencies
that placed fake ads on websites. Code within these ads bombarded
visitors with fake virus scans.
Zillow, an online estate agent, was one of the victims. In November
2007, an advertising agency called NetMediaGroup, which turned out to
be a front for IM, got in touch saying it wanted to run a promotion
for SkyAuction, a bona fide travel website, on Zillow's site. The
adverts appeared the following month - and the complaints came hot on
their heels. When Chad Cohen of Zillow contacted the CEO of
SkyAuction, he said he had never heard of NetMediaGroup. Some of the
adverts had an extra devious twist, too: viewed from a computer within
the website owner's offices, the adverts appeared normal; only users
elsewhere received the suspect scans.
Other websites targeted included those of Major League Baseball and
the National Hockey League, The Economist magazine and the dating site
eHarmony. All this was giving the FTC a picture of how IM worked, but
it took another basic mistake - and the work of Dirk Kollberg of
McAfee - to uncover the true scale of the operation.
In late 2007 Kollberg was tracking scareware that exploited a recently
discovered software vulnerability. It allowed unscrupulous developers
to slip in things such as pop-up scans into animated adverts. Kollberg
noticed that some of the fake scans the animations delivered came from
a server registered to IM. The name stayed with him, as organisations
pushing scareware do not usually reveal their identities so readily.
When another McAfee expert came across a second link to IM, Kollberg
decided to investigate the company's servers more closely.
To his surprise, he found the servers were not password protected. It
was a security lapse of breathtaking irony for a company that made its
money exploiting the security fears of others. More importantly, it
meant Kollberg could access the contents of the servers without
breaking any laws.
The insights were immediate, and damning. For a start, it was not just
IM's scans that were fake: the software the company was peddling was
too, says Kollberg. He did not find a single example that detected an
EICAR test file, a standard piece of programming code which antivirus
products are supposed to latch onto to prove they are working. The
software also lacked a list of virus "signatures", snippets of code
taken from known viruses that security software looks for when
searching for threats.
But it was the peek into IM's internal workings that was the most
revealing. In the claim filed against the D'Souzas, the company had
declared 300 employees in Ukraine, 45 in India and another 35 in
Argentina. Kollberg's search revealed that had been an understatement:
there were also three offices in the US and one in London. A personnel
directory on one server listed 650 names.
The real surprise, though, was the extent to which IM looked just like
any well-oiled, legitimate software company. Photos on the server
showed a professional-looking logo hung up behind a receptionist's
desk at the company's headquarters in Kiev. In another, IM employees
were playing paintball and volleyball and swimming in a river on what
seems to be a company away day.
On a third server, databases detailed hundreds of pieces of IM
software and provided a list of server farms used by IM, each with an
"abuseability" rating - an estimate, perhaps, of how willing the farm
was to host IM's software and its tolerance of the complaints that the
IM also had call centres in India and Poland to deal with customer
queries. Call recordings found by Kollberg make for depressing
listening. Many of IM's customers have limited computer skills, and
when some complained of getting virus warnings after installing IM's
software, they were told to uninstall other security products first,
thus removing their best protection. Others complained of calling back
repeatedly and of waiting for promised emails that never arrived.
Around 2 million calls were made to the centres in 2008, Kollberg
Callers to the hotline would be told to uninstall other security
products first, removing their best protection
What of the people who worked for the company - how much did they know
of what was going on? Former employees are not hard to track down.
Many continue to list their experience at IM on LinkedIn, a
business-oriented social network. Of the eight who responded to emails
and phone calls from New Scientist, three said they either knew about
IM's practices while on the payroll or left the company as soon as
they found out. Although reluctant to talk on the record, they were
frank about the motivations of IM staff.
Paying over the odds
"Our team was perfectly aware that we sold scareware," says a
translator who worked for the company in Kiev in 2008. "The manager
never made a big mystery of that." The team the translator was part of
had 10 staff and 15 freelancers to translate the text of IM's products
into 28 languages. "Not everyone was happy about it, but money is
money," the translator says. IM was paying around 60 per cent more
than similar jobs elsewhere offered.
A mid-level employee, who left three years ago after realising what
the company was doing, says that initially IM employed skilled
developers to create genuine products. As managers became increasingly
concerned with making money, quality declined and the fake scans came
Roughly half the people working there knew the full story, says the
employee, but again money talked. "There were a lot of young people
working there who did not care about the product. They just took their
Others dispute that account. Three of the former employees New
Scientist spoke to insist that IM sold genuine antivirus products,
even if the quality was not always high. Alexiy Orlovsky, now at
antivirus firm Zillya, was a product director at IM managing around 50
staff before he left in 2008. He says that the company's software was
tested against real viruses. "I can be sure about every product that I
supervised," he says, adding that he has never heard of the products
Kollberg tested and was not aware of the scareware ads while at the
company. He attributes the problems to other companies faking IM
Orlovsky also told New Scientist that he had not heard of Jain, Sundin
or other senior IM investors. But the FTC recently made public an
email between Sundin and a business associate in which Sundin refers
to Orlovsky on a first-name basis and provides his contact details.
Orlovsky did not reply to a subsequent request to clarify his
relationship with Sundin.
Whether it was fake or not, IM's investors were doing well out of the
company's software. Figures obtained from the company that processed
IM's payments show that the scareware firm had over 4 million
customers and a revenue of $163 million between 2004 and 2008.
Credit-card records show that Kristy Ross, a romantic partner of
Jain's and one of the accused in the FTC court action, led a lifestyle
that involved stays in a luxury hotel in the Bahamas, a series of
meals costing over $500 each and extravagant shopping sprees,
including spends of $30,000 at Harrods in London and $23,000 at the
fashion house Louis Vuitton in 2008.
That all came to an end on 3 December 2008. After examining evidence
presented by the FTC, a US court froze the assets of everyone it could
link to IM. This included Ross and the D'Souzas, who are currently
cooperating with the FTC, says Arenson.
Jain and Sundin are another matter. Jain failed to turn up for a court
hearing early last year and an international warrant has been put out
for his arrest. As for Sundin, New Scientist was able to trace him,
via his parents, to Stockholm, Sweden, but he did not return emails or
In their absence, in February 2009 the FTC won default judgments
against Jain, Sundin and IM for $163,167,539.95 - the precise total
that the FTC believes the company brought in. Whether the commission,
or the millions of people fooled by IM's scans, will ever receive a
cent remains to be seen.
As yet we do not know whether an enterprise the size of IM was a
one-off. Scareware has certainly not gone away. The IM story is a
salutary reminder that where there is a fast buck to be made,
fraudulent operations will often muscle in - and that it pays for all
of us to be certain of what we buy.
How to avoid scareware
* o Before buying security software, make sure it comes from a
well-known and trusted company. If in doubt, consult a tech-savvy
* o If a virus warning appears when you are browsing the web, run a
search on the company named in the scan. Many scareware companies
are quickly identified this way.
* o Make sure you have a firewall installed and turned on. A
firewall blocks unauthorised traffic between your computer and the
internet, and will prevent scareware from installing itself
without your knowledge.
* o If you think nasties are already lurking on your hard drive, use
the free scans provided by reputable companies like McAfee,
Symantec and Microsoft.
* o Make sure you keep your security software up to date once you
have it installed.
Jim Giles is a correspondent in New Scientist's San Francisco office
Technical telepathy: 09969636745
Saints are not always saints; sinners are not always sinners.
More information about the AccessIndia