Over the past year, I have been working with various individuals and companies that have encountered or clicked on instances of “scareware” while browsing the internet. According to IBM, scareware can be defined as: “a type of social engineering scam that uses fear to trick people into downloading malware, losing money, or handing over personal data.” Unlike other forms of attack, scareware, by definition, attempts to scare the user into believing that something is wrong, allowing an attacker to socially engineer or manipulate the situation to extort money or install actual malware on a user’s system.
Scareware is not a new tactic, as the earliest examples of scareware were seen in the year 1990. The original scareware program, created by Patrick Evans, was called NightMare. NightMare was designed to scare the user by flickering an image of a skull with a bullet hole and sound effects. However, as time progressed, these simplistic programs evolved and are now typically used for malicious purposes.
Over the past year, I have encountered two primary versions of scareware, both of which rely on social engineering. The first was the most surprising as it came from an advertisement on a news website. The user had been scrolling through a news article and saw one of those “learn more” buttons that can be found in the middle of articles. Inevitably, they ended up clicking on it and were greeted with an HTML-based scareware that started blasting the message that their computer had been infected and they needed to call support now! Obviously, I was able to intercept this before the user was coerced by social engineering into giving money to a company that would fix a non-existent issue on their computer. However, the most surprising thing that came out of this was not that the “learn more” button went to scareware, but rather that large media platforms allow this deceptive advertisement placement despite the FTC code and regulations prohibiting this behavior.
The second instance of scareware I have seen this year also attempted to inform the user that their computer was infected. However, rather than trying to coerce the user into calling a scam number, it wanted the user to install a program to “protect their computer.” Thankfully, the user discovered something suspicious about this, as Google Chrome was displaying these notifications, not Windows Defender. Thus, we were able to remove the malicious cookies that had been placed in the user’s browser.
Scareware is unlikely to disappear anytime soon. We must train those whom we are professionally responsible for and those we love to avoid these scams. Always take a second to reanalyze the situation and act on reason instead of emotion, since provoking an emotional reaction is the intention of the bad actor. Beyond this, all companies that serve online advertisements should be put under further scrutiny by federal and national entities to protect the average users and consumers of this digital age.