Fake security software "SpywareGuard" and "AntiVirus" are said to be the top two scareware programs out of about 250 fake security programs detected, according to a Symantec report.
Symantec examined evidence of what it could detect online for a six-month period, how it was propagating, and what fake security software programs were costing, says Mark Fossi, editor of the report. "Sometimes it’s sold as a complete security suite," he said, adding, "it mostly does nothing".
Rogue security software is often called scareware because these fake antivirus and registry cleaners can convince the victim to purchase based on flagging screens warning them about threats that don't exist outside the scareware itself.
According to the Symantec report: "There are two prevalent ways in which rogue security software can be installed on a user's computer; either it is downloaded and installed manually by a user after he or she has been tricked into delivering the software as legitimate, or it is knowingly installed onto a user's computer, such as when a user visits a malicious website designed to automatically download and install illegitimate applications."
Some scams even return email messages to the victim with a receipt for purchase that includes a serial number and a valid functioning customer-service phone number.
Distribution networks are rampant in which "affiliates" earn money to ensure the rogue security software is circulated, such as Traffic.Coverter.biz, where affiliates are paid based on numbers of computers they manage to get malware on to enable the sale of fake security software. Affiliates are paid 55 cents for each US computer, 52 cents for a UK computer, 5 cents for Norway or Mexico, but only a penny in many other countries.
SpywareGuard2008, said to be made by Pandora Software, was called the most prevalent rogue security software for the time period investigated, and its price started at $49.95.
Customers often pay for scareware with credit cards, and the report notes, "Since the payment services used are often legitimate, there is constant threat that the payment services provider will discover that its service is used for fraud."
But "scammers also benefit from phishing personal information for users who register rogue applications." This could include the credit card number and payment details that can be sold into the underground economy for further abuse.
About half the servers for scareware are in the United States, the report says, with Germany holding 11% and Ukraine 5%. Other countries are said to include Canada, the United Kingdom, China, Turkey, Netherlands, Italy and Russia, making it very global in scope.