Scammers are trying to trick Windows users into paying to fix bogus hard drive errors that have apparently erased important files, a researcher said today.
The con is a variant of "scareware," also called "rogueware": software that poses as a legitimate program but is really a sales pitch that works by panicking the user. Most scareware masquerades as antivirus software. Users are getting wise to the fake infection messages, so the malware writers created a new message, with a new, authentic-looking popup, to scare people into coughing up their money.
Symantec researcher Eoin Ward has found a new kind of scareware that impersonates a hard drive cleanup suite that repairs disk errors and speeds up data access. Dubbed "Trojan.Fakefrag" by Symantec, the fake utility ends up on a Windows PC after its user surfs to a poisoned site -- often because the scammers have manipulated search engines to get links near the top of a results list -- and falls for a download pitch, typically because it's presented as something quite different, like video of a hot news topic.
Fake system or disk cleanup programs aren't new -- Symantec has highlighted the scareware subcategory before -- but this malware goes above and beyond the call of counterfeit duty.
"Trojan.Fakefrag's aim is to increase the likelihood of you purchasing a copy of Windows Recovery by craftily convincing you that your hard drive is failing," said Ward in a company blog Monday, referring to the name of the fake suite that the Trojan cons innocent users into buying.
The malware kicks off the scam by moving all the files in some folders to a temporary location, by hiding others and by making desktop icons disappear. All of that is followed by a message that looks like a valid Windows warning of impending hard drive doom.
"An error occurred while reading system files," the on-screen message reads. "Run a system diagnostic utility to check your hard disk drive for errors."
If the user clicks "OK," the fraudulent "Windows Recovery" application launches, runs a series of sham scans that sound technical and legitimate, then reports multiple problems, including disk read-write errors. With the hook set, the scammers reel in the victim by asking for $79.50 for Windows Recovery, which will supposedly fix the make-believe issues. Since the user has just watched their files and icons vanish, they are much more likely to fall for the scheme.
"It does a really convincing job of making it appear as though something is wrong," said Ward. "When it 'deletes' files from your desktop, it does so in a very prominent way." No surprise, but the files aren't deleted; they can be found with a quick local search, said Ward. Windows isn't the only operating system targeted by scammers. A couple weeks ago, for example, Intego Security reported finding the first-ever Mac OS X rogueware.
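The "quick local search" Ward mentions can be done from PowerShell. The script below is an added example, not code from the article or from Symantec: it assumes the scareware did nothing more than set the Hidden (and possibly System) attribute on files under the user's profile and move some of them under %TEMP%, as described above. The folder list and the sample file names are placeholders to replace with what the user actually lost.

```powershell
# Added triage example for scareware that "deletes" files by hiding or moving them.
# Assumption: files were only given the Hidden/System attributes or moved under %TEMP%.
# Run as the affected user; -Force is what makes Get-ChildItem show hidden items at all.

$Roots  = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")
$Cutoff = (Get-Date).AddDays(-7)          # only look at files touched recently (assumed window)
$OsFiles = @("desktop.ini", "thumbs.db", "ntuser.dat")   # legitimately hidden; leave these alone

# 1. Find user files that now carry the Hidden attribute and were changed recently.
$Hidden = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.LastWriteTime -gt $Cutoff) -and
            ($OsFiles -notcontains $_.Name)
        }
}
"Hidden user files found: $($Hidden.Count)"
$Hidden | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

# 2. Look under %TEMP% for files the user says disappeared (names are placeholders).
$Missing = @("Budget.xlsx", "Vacation.jpg")
$Moved = Get-ChildItem -Path $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $Missing -contains $_.Name }
"Relocated copies found under %TEMP%: $($Moved.Count)"
$Moved | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 3. Clear Hidden and System on the files from step 1 so they reappear in Explorer.
#    Done last, and only on the filtered list, so genuine OS files keep their attributes.
foreach ($f in $Hidden) {
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band -bnot $mask)
}
```

Steps 1 and 2 are read-only and are the part worth running first: if they turn up the "erased" files, the warning was a hoax and nothing needs recovering. Step 3 only restores visibility; it does not remove the scareware itself, which still needs to be cleaned off the machine.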
I must take my hat off to some of the malware writers who create these programs. As much as I despise the things they do, I have to admit that they are very intelligent people who can create a very convincing hoax. These men (or women) are masters of psychology, scare tactics, impulsiveness, presentation and marketing, just to name a few. I'm a trained professional who works with infected computers on a regular basis, and sometimes it's very difficult to tell if these scary warnings are real or not. If the warning messages can scare you enough, you will click on "OK" before the slower, more thorough, cautious portion of your brain has time to consider that the warning might be a lie. By then, you're infected.
So what makes the original popup occur? As stated above, the code can be implanted into a webpage or a link to a webpage. It can be disguised as anything, and they can also pay to have their webpage show up at the top of the list of search results on a web search engine such as Google or Yahoo. There have even been clever scammers who have managed to get malicious links posted on the MSN homepage for a short period of time, spreading malware to millions of people who clicked on them. A link can claim to be anything from a new diet pill or exercise program, special prices on some highly-prized merchandise, some explosive news story, or something similar. They like to capitalize on current international news by claiming that their link is to a video of the royal wedding, the raid on the Bin Laden compound, devastation from the recent tsunami, hurricane, tornado, earthquake, volcano, or any other natural disaster that users may want to see.
The first moral of this story? Before you click on a link that claims to show a puppy and a kitten sleeping together in a stocking cap, remember this story, and make sure you've got a good backup of all your important data first. Look through my previous blog entry to learn how to properly back up your data.
How about the second moral of the story? After you click on that link, the scary popup probably won't show up right away, because programmers know that your brain might put two and two together in that case. It may not show up for days, but when you do see the scary popup, don't click on "OK". Call for help immediately, and hopefully you can recover before any damage has been done.