Three Indicted In Scareware Scam That Netted $100M
alphadogg writes "Three men are facing federal fraud charges for allegedly raking in more than $100 million while running an illegal 'scareware' business called Innovative Marketing that tricked victims into installing bogus software. The company's products generated so many consumer complaints that in 2008 the FTC brought a civil action against Innovative Marketing and call center partner Byte Hosting, effectively putting them out of business. On Wednesday, a grand jury in Chicago handed down criminal charges, meaning the three men now face jail time if convicted." One of the men indicted is in Ohio and the others are believed to be in Ukraine and Sweden. Microsoft's Digital Crimes Unit helped out with the case.
Finally. (Score:1)
These guys can kiss the baby.
LK
Re: (Score:2, Insightful)
Do you do online banking on these machines afterwards?
Re: (Score:2, Insightful)
why would they bother installing linux, since they have a friend who is skilled and willing enough to clean it up for them?
i've been down this road too many times. i have now been forced to never offer "clean up" support for friends and family. it makes me sad, but it's the only way they learn : (
Re: (Score:2)
The mistake you make is doing it for free.
Family owes me a favor. Friends and co-workers pay.
Would you honestly ask your buddy who's a landscaper to "do you a favor" and mow your lawn for free? How many landscapers would say yes?
Re: (Score:2)
Same issue I've seen with redirecting of web traffic it was crazy - I figured that it would only affect firefox and IE on the machine, but it even affected a new install of chrome. Browser looked fine until you googled microsoft, avg, trend micro, etc. Just plain nasty.
Re: (Score:2)
i imagine i'll be back at that customer again very soon..lol his urge to spank the monkey of dodgy free porn sites is greater than his need for a clean running machine
Re: (Score:2, Interesting)
I had a run-in recently from a drive-by malware install (curse you Chrome!). It immediately disabled task manager and locked me out of regedit and msconfig, and icons began to fill my desktop as I gazed on in horror... I couldn't install MalwareBytes because the malware killed the installer process immediately. I couldn't even download anything with an ad-aware-like filename since the request was hijacked and I got a scareware page instead.
A reboot into safe mode failed. Luckily, I had Process Explorer [microsoft.com] on a
Re:Fake AVs (Score:4, Insightful)
I had the same thing and luckily I had Process Explorer installed..
I'd be quite happy if the verdict came down to just shoot them. Seriously. I'm tired of this crap constantly trying to infect my computer and the crap emails I get every day. I'm careful and have only been infected twice ever, and the spam filters take care of most of the email, but seriously - how much effort is spent creating and then creating prevention for this crap??
Once convicted, summarily shoot them.
Re: (Score:1)
Uh any convictions of particular criminals won't stop the flow, and shouldn't be depended on to stop the flow. In other words, there's no point in prosecuting them. The problem is a technical one not a legal one.
Re: (Score:2)
That's like saying there will always be murderers, so there's no point in trying to convict them. You should try and stop getting killed instead.
Re: (Score:2)
I have no idea what Process Explorer is, but considering the parent and grandparent post I'm sure as hell going to be looking into it.
Re: (Score:2)
PE is a beauty. The only thing it really misses is Task Manager's Up Time clock (Performance tab), which appears to be the only way in Windows to get the total system up time exclusive of standbys and hibernates. (Other methods, and I've tried many, just count time from boot. Let me know if I missed one.)
If that makes it to PE, I'd happily let even malware delete taskmgr.
Re: (Score:1)
Oh, right that happened too. I had to right-click Process Explorer and hit Run As... and run it as myself.
Re: (Score:2)
Let's face it, if somehow malicious code found a way to be executed as root on my linux system, there are no tools on earth short of going over the entire filesystem in a different OS with a text editor that can save you.
Just boot the rescue disk, that's what it's there for.
Of course, I wouldn't praise XP too strongly, since the same holes that let you kill the malware (you think) are what let the malware in in the first place.
Re: (Score:2)
Ah, the old "Robin Hood"/ "Friar Tuck" trick. That's so 1970s.
Re: (Score:1)
I got the main scareware off easily, but Malwarebytes, MSE, and a few other programs could not get rid of the underlying Alureon.h rootkit.
end result, gave up, blew up the xp home and didn't reinstall, it's now an ubuntu machine exclusively..
Re: (Score:1)
bartPE cd.. I can remove it in 10 minutes.
Then install and run a good anti malware scanner and walk away...
Upgrade your tool set, it's silly to fight with these things.
Re: (Score:1)
Indeed, the new ones are bad. However, this has worked for me:
Take the drive out and put it into a fully-updated Windows box as a second drive, then run updated MS Security Essentials and updated MalwareBytes against it. It takes a while to run full scans, but it seems to work ("seems" being the operative word).
Re: (Score:1)
I googled around and the consensus was, "eh, just rebuild"
not saying it's not possible, just not easy....
Re: (Score:1)
Not to say you're not right, but what would prevent MSE and/or MWB from removing it? We're scanning a non-boot drive from a clean machine with no malicious code running.
Re: (Score:3, Insightful)
Because I would absolutely trust an uninstaller app provided with a malware "virus scanner". I think I'll cut out its heart by myself, thank you very much.
Re: (Score:1, Informative)
One word.... "Combofix"
Seems to remove it every time I use it.
Re: (Score:2)
http://download.cnet.com/Remove-Fake-Antivirus/3000-2239_4-10915342.html [cnet.com]
Re: (Score:2)
Not all of them are so easy, yes google is your friend, but many times the googled answer has been reinstall windows, which is easy I suppose except for having the person dig up all their software cds and licenses.
Re: (Score:2)
And is a good lesson to teach that user.
you chose to use Microsoft, you get to pay the piper......
My wife's Ubuntu box crashed when its hard drive failed... I recovered her user directory to another drive and reinstallation of all software was easy...
Same for my mac.. I can install a fresh OS and not have to reinstall any of my apps.
Re: (Score:1)
On machines that I deal with regularly, I do a full install, update and patch, install all needed drivers, turn off swap space, defrag, clear out all cache and temp files, then do a full ghost of the drive. Data such as music and pictures are kept on a separate partition/drive. The ghost usually takes about 10 minutes to restore.
Great news (Score:5, Funny)
Re: (Score:1, Troll)
It would be real news if "Microsoft's Digital Crimes Unit" took down -- Microsoft!!!
Re: (Score:2)
Well, we already heard they have a guy to take out IE6. I think WinME is already fairly dead, but if they could put a bounty on Vista's head too... WinXP and Win7 are actually nice products, Microsoft reminds me a bit of Intel. They may hit their Itanics, but they keep coming back with a vengeance.
Re: (Score:1, Insightful)
Whichever Microsoft group it is that puts together Security Essentials is working on that too.
Symantec and Norton (Score:5, Interesting)
You beat me to it. Symantec may have done some good stuff, but that was over twenty years ago. Same with Norton but, after they merged together, "scareware" seems the most appropriate name for what they have been doing.
I liked the "pink shirt" book, though, was of great use to me in the 1980s.
Re: (Score:2)
Now grandma gets a popup about how her xp antivirus needs her credit card information. She doesn't know the difference
Re: (Score:1)
Hopefully AntiMalWareBytes is a typo and not an additional source of your problems, the name of the popular malware removal tool is Malwarebytes' Anti-Malware.
Re: (Score:2)
Generally you need two. Malwarebytes is good for a newbie however and will catch almost anything, it's actually what I install on customer machines and then schedule an automated run for it. The other I'd suggest is Spybot S&D, besides having a nice host file it checks against known malware. I know some people like prevx, but I find it mediocre at the best.
Re: (Score:2)
install a blocking hosts file and privoxy. It stops 99% of all that crap. don't leave it up to the browser adblocking... stop it before it can even get to the browser.
Re: (Score:1)
How do you do this?
Is it something you install locally, or on your router/firewall?
Re: (Score:2)
Download & setup Privoxy.
http://sourceforge.net/projects/ijbswa/files/ [sourceforge.net]
http://www.privoxy.org/user-manual/quickstart.html [privoxy.org]
Grab a decent HOSTS file & stick it in your %SystemRoot%\system32\drivers\etc\
Alternatively, you can install Spybot & let its Immunize function generate a HOSTS file for you.
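An added example, not part of the original comment thread: a small audit of a HOSTS file of the kind described in the comments above. It separates blocking entries (names mapped to a loopback or null address) from entries that point a name at some other address, which override DNS and do not belong in a blocking list. The sample file, its hostnames and the function names are constructed for illustration.

```python
import ipaddress

# Addresses a blocking HOSTS file maps unwanted names to.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that normally resolve to loopback; not counted as blocked entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

# Constructed sample input (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     ads.example.com tracker.example.net
127.0.0.1   popups.example.org   # blocked
203.0.113.7 update.av-vendor.example   # not a sink address
not-an-ip   broken.example
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, or an address with no name
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: the resolver ignores it too
        for name in fields[1:]:
            yield line_no, address, name.lower()


def audit_hosts(text):
    """Split mappings into blocked names and names redirected elsewhere."""
    blocked, redirected = [], []
    for line_no, address, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if address in SINK_ADDRESSES:
            blocked.append(name)
        else:
            # A routable address here silently overrides DNS for that name.
            redirected.append((line_no, name, address))
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(len(report["blocked"]), "blocked names")
    for line_no, name, address in report["redirected"]:
        print(f"line {line_no}: {name} -> {address} (review this entry)")
```

To check a real machine, pass the contents of the hosts file in %SystemRoot%\system32\drivers\etc\ to `audit_hosts` instead of the sample.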
Re: (Score:2)
Format the machines and start again. I cannot understand why windows folks bother with this. If the install has been infected you can never trust it again, wipe and start over.
Equivalent to 38 murders (Score:3, Interesting)
According to the Department of Transportation, one human life is worth $2,600,000 [dot.gov], meaning that the damage of this scam was approximately equal to that of 38 deaths. To put this in perspective, the Manson family almost earned death penalties for only 27. I hope the judge takes this into account when deciding sentencing.
Re: (Score:2)
wow. loved reading that.
"This study presents a figure of $2.2 million (in 1988 dollars) as the recommended value to use in benefit-cost analyses as the willingness-to-pay to avert a fatality...The GDP implicit price deflator increased about 18 percent from its average value in 1988 through 1993. Therefore, the 1988 figure of $2.2 million dollars was increased 18 percent to yield a 1994 figure of $2.6 million dollars."
awesome.
Re: (Score:3, Funny)
The article you point to writes about 1994 Dollars. Based on the CPI (consumer price index), that would be equivalent of 3,179,729.73 today's dollars.
Dividing the 100M by this amount yields around 31.45 fatalities. Still better than the Manson family, I guess..
Re: (Score:1)
Why?
Because the price of a 20-ounce Coca Cola in 1994 was $0.59. Today it is $1.69. Which is a factor of about 2.865, because 0.59 * 2.865 = 1.69.
So $2,200,000 * 2.865 = $6,303,000.
Re: (Score:1)
Wonderful! Except nobody died... murder and fraud are two different things. I hope the judge takes this into account when deciding sentencing.
Damn govm't interference (Score:1, Flamebait)
If they would just wait for the free market to kick in, this would be solved once and for all!
Re: (Score:2)
Free Market already took care of the nice cinema in my town.
I'm sure Free Market also has a nice solution for scareware.
Re: (Score:2)
One of the guys is in Ukraine; civilian nukes can't travel that far :-(
Re: (Score:2, Interesting)
I agree. There's no such thing as 'digital crime': fraud is fraud, whether it's committed online or not.
This is why... (Score:4, Informative)
I tell everyone, both at work and the few who know I work in the IT field, that whenever you are asked if you want to install something, the answer is always no. I don't care if it tells you your computer will explode and burn your house down, the answer is no. I don't care if it tells you that 1 million babies will be killed if you don't install the software. The answer is still no.
No, no, no, no, no!
Of course not making them admin helps in this regard, but malware can still find a way to install itself so the answer is always no when asked if you want to install "Ultimate Web Cleaner Deluxe Plus!".
Re: (Score:1)
"Ultimate Web Cleaner Deluxe Plus!"
Does it run on Debian? I'd really like to clean my webs. Can you give me a link? ;^)
Re: (Score:2)
Yes, but I predict the future "no" will also install it. There's nothing that says if you click "no" it won't install anyway. For most programs, if you click "no" you'd expect some kind of EXIT command. Us sane programmers have a GUI that works as we intend. There's no reason why malware/spyware won't have a "yes" and "no" button that does the same thing, right? If I wanted to force you to install a software program, I'd make sure that if you click no it still performs the yes function.
Finally (Score:1)
The law does something good for a change. Hope they get convicted.
Scareware claiming viruses on my Linux computer (Score:3, Interesting)
On each of those occasions, it offered to scan my hard drive for viruses and spyware. Despite trying to say no and/or close their web page the advertisement reappeared and pretended to start scanning my hard drive. It said that it was scanning my drive C, with a progress bar showing that a scan was supposedly in progress. That seemed bogus, because drive letters are not used in Linux for designating hard drives or partitions.
I had a firewall enabled in both my DSL router and on my computer, with all the incoming ports and most of outgoing ports closed. So, I doubted that it was actually quite that easy to effortlessly scan my hard drive, like that.
After about 60 seconds of scanning my hard drive, they announced that several viruses and several types of spyware had been found on drive C and also in my registry. Linux does not have a drive C and also does not have a registry, so again that seemed bogus. They then recommended that I purchase their anti-virus product to solve the problem. Not having actually noticed that I was using Linux instead of Windows, they did not offer me a Linux version.
On at least one of those encounters with scareware over the years, it even tried to download their antivirus program to my computer just after I again tried to close the tab (or possibly a pop-up). Firefox then asked me what program it should use to open a Windows executable file. It also gave me the alternative of choosing where to save the file, or canceling the download. Of course, I did not even consider trying to download the program and see if I could get it to run under WINE.
After the most recent scareware encounter, I immediately installed the NoScript and AdBlock plug-ins for Firefox. I did that on both my Linux computer and my Windows computer. I had finally had enough of scripts and advertisements. Now, when I encounter an occasional trusted web page which requires scripting enabled, I right-click on the icon in the lower right to either temporarily or permanently allow scripts for just that web page. I am not a computer expert, but my guess is that without scripting enabled, I would probably have less trouble closing the advertisement without it instantly reappearing again.
Re: (Score:2)
If you browse using Firefox with NoScript and AdBlock on Linux behind two user-configured firewalls and are somewhat up-to-date on the state of Linux viruses, then yes, you are a computer expert.
-- 77IM
Re: (Score:2)
Yeah, I was thinking the same thing. I'm lucky if my friends even know what a firewall is & I've given up trying to get them to use NoScript. I just charge them to clean their PCs now.
Re: (Score:2)
Even so, I realize that my skills are way beyond what the average computer user has, so I hesitated in saying that I was not an expert.
I also noticed the URL where the scareware advertisement was coming from. Just as an experiment, I
Re: (Score:2)
That's the reason why most malware succeeds. It fools people into believing that it's something else. Human stupidity is a great thing, it leads to technological expansions, and it also leads to self-destructive behavior.
Re: (Score:2)
Some of those are actually fairly amusing to watch when you're running Linux. They do a fairly good job of making the browser window look like an XP desktop running a virus scanner (which of course, finds tons of viruses).
Almost worth it (Score:2)
$100 Million split 3 ways? Now you're talking values that make a few years of jail time worth it. That or take the money and run to another country.
Re: (Score:2)
Maybe if they blew it all on coke and hookers. If they bought real estate, boats, or other valuable assets, the government will probably seize them (at least in the case of the guy in the U.S. - the guys in the other country might get away with their share of the money).
Re: (Score:2)
Maybe if they blew it all on coke and hookers.
How much Coca-Cola and how many Hercules Hooks could 100 million USD buy?
I have successfully used this defense (Score:1, Offtopic)
I have successfully used this defense. When I was six, we put doggy doodoo in Fatty Postlebridge's coat pockets. It was the other two, they maked me done it, waaagh, 's not fair!