Rogues, Part 3

This is the third and last part in a three part series.  You can find Part 1 here and Part 2 here.

In Part 1 (and 2), I detailed the definition of “rogue” that we were going to use (perhaps more appropriately termed “scareware”, nevertheless the term “rogue” is often used by the unwashed masses), and also gave a legal caution for any comments to these articles (and if you wish to make comments, I definitely would suggest you read that section in Part 1 BEFORE you make the comment.) Part 2, being very LATE in publishing, was simply an expansion and clarification of Part 1.

Now, here in Part 3 we’ll take a look at how these beasts are distributed, what some of the detections REALLY mean, and what to do if you’re duped by one of these things.

DISTRIBUTION AND IDENTIFICATION:

SEARCHES

These things frequently show up as “Sponsored Links” (now called “ads”) on Google Searches with keywords like “PC Cleaner” (I’m using that phrase as generic NOT a title):

Coupla’ things on the search results shown above.

Keep in mind that ads, what used to be called “Sponsored Links”, are PAID results. Google, in many cases, does NOT screen the results for scareware and such . . . they just flat out accept the ad revenue and it’s up to the user to make their own determination.

Now I’m not indicting ALL ads. Indeed, some ads are legitimate and benign. But your antenna should go up when you see a paid ad result. Exercise caution.

For example, the first result, “PC Cleaner Exposed”, portrays itself as a review of registry cleaners. Now I’ve not visited this link, so I can’t say whether or not it’s legitimate.

But the catch phrase: “Don’t buy . . . blah, blah, blah . . . until you read this” is a frequently used clause to introduce PAID reviews and may be interpreted as a red flag for more scrutiny.

Paraphrased from something I found on asknerd.net years ago:

The issue lies in the abundance of spam-review sites which are nothing more then websites promoting a specific title under the guise of an official “review” site. Their main goal is to send the novice to the site they are promoting and getting that novice to buy the title they are promoting – if you do, they get up to a 70% cut of the sale. In other words, their reviews are given in return for a price – and are not anything but thinly veiled sales pitches. For example, if you do a search for the term ” Paid Survey ” or ” Registry Repair ” you’ll notice that the paid listings all include sites that say ” read our review ” or ” warning, don’t download anything until you read this…”

Again, I have no idea if the result shown above is a scam review site, but I would read the reviews with a critical eye.

You’ll see the phrase “Free Scan” in a lot of the results too. That’s another tactic commonly used to hook you in. Now there ARE legitimate free scans, most notably some of the mainstream antivirus companies offer free on line scans. For example, Trend Micro maintains one called “Housecall”, Panda has one called “ActiveScan”, and there are many others, most legit.

Nevertheless, that “Free Scan” button should raise a red flag too, particularly when you find it in a random location on a page where you are pursuing something else. (No, this button doesn’t lead to a nasty . . . it’s just an image and you can click on it to enlarge it like other images):

“Speed up your PC” is another frequent red flag and is often a marketing ploy. I mean, who wouldn’t want to speed up their PC?!

Frequently, these “Speed up your PC” things are accompanied by a generic meter:

That meter image is designed to entice the novice by portraying graphically just how “good” this thing will work. These slick marketers are no slouches.

Another place you’ll find these things marketed is . . .

TV COMMERCIALS

Look at the line underneath the third search result, “Clean —— PC – Just try our free scan | —–.com”:

Think about this for a second. The average cost of a 30 second commercial spot on a national network is . . . get this . . . $120,000 to $140,000 dollars (US). And depending on the show using the advertisement, the cost can be much much more.

So these guys are making the money to support TV ad campaigns.

Now I’m all for capitalism, but c’mon. The revenue stream for these guys is based on duping novices.

A common defense they use for this: “We’re pursuing a business model that others are using”. Yeah, right, like that justifies a scam just because others are using that “business model”.

Typically, there’s a guy that begins the TV spot by asking something like “Is your computer slow?”. He goes on to say that this is “PROBABLY” caused by “adware, spyware, viruses, malicious code . . . “, etc. By the time he’s done he’s convinced you that 1) your computer IS slow, and 2) this is undoubtedly caused by malware, and finally 3) the product he’s advertising (and he gives the URL) can remove these things and thus make your PC faster. He’s followed then by users giving testimonials.

What he fails to mention is that it’s going to cost you to use that title. All he says is that you can get that:

Now malware CAN slow down your PC, but it’s anything but certain that malware is the cause or that you even have an infection. There are a lot of other things that can slow down a PC, but of course he doesn’t mention that.

(A simple scan with your LEGITIMATE antivirus program, or one of the many LEGITIMATE and FREE on line antivirus scanners will likely tell you if you have an infection.)

For example, temp files, temporary internet files, cookies, an inadequate page file, just plain clutter, too many programs starting up with the OS “automagically” (in which case you’ll see that your systray down in the lower right corner is full of icons), or inadequate physical memory, may cause your PC to be slow.

Normal and routine housecleaning and maintenance can eliminate a lot of these, and indeed “speed up your PC” at no cost since these utilities are either included in the OS, or are available for free.

And something that a lot of machines suffer from is . . . inadequate physical memory. In fact, for the price of a 512 MB memory stick (they can be found for $40 dollars or less), you may very well recognize a dramatic improvement in performance.

That one simple item, adding more physical memory, solves a lot of “slowdown” issues.

And judging by how long these ads have been around . . . I’ve seen them for several years now . . . these ad campaigns are bringing in revenue. Enough to pay for the ads and a hefty profit too.

PRINT MEDIA

A lot of the popular computer magazines have the same policy as search engines on these things: They don’t necessarily scrutinize the title for scareware attributes, they just accept the ad revenue. It’s up to the user to judge whether or not the title is fraudulent.

These “rogue” peddlers rely on the common reaction: “If it’s on TV or in a PRINT journal, it must be true.” That anemic guy on late night infomercials advertising colon cleansers relies on the same dynamic.

DETECTIONS

OK . . . now let’s look at one particular method of scare tactics these things use. It’s the “Empty Key” issue.

Here’s one that is a good example:

Now, look at this article: Structure of the Registry

And look at the first image it displays:

Notice the top line in the right pane states: Default – value not set .

Empty keys are simply “place holders” to maintain structural integrity, NOT “critical” errors.

But these clowns add these “critical errors” to their tally of the “total” (no wonder we have 2,010 critical errors!) as a tactic to get the novice to buy their product.

Another tactic frequently used is False Positives (“F/P”). Now this can be a slippery slope. The technical definition of F/P means the item detected isn’t even there in reality, and these guys do that sometimes.

But F/P can also mean that they are detecting a “critical error” when in fact it’s NOT a critical error. Their claim in a court: The item WAS there, so according to the technical definition it’s not a F/P (see above). Very similar to their claim that these things are not rogues according to the technical definition.

Semantics? Probably, but these guys are slick and know how to spin to their advantage.

Another tactic is that annoying javascript “do you really want to exit?” clause:

Now that is a common marketing tactic used by other titles, some legitimate but still annoying, but here is a twist on it that these rogue peddlers frequently use:

Coupla’ things on this one.

First of all, you’ll notice that the symbols “[#]” are in the title bar. That’s because I frequently run these beasts in my sandbox, and the “[#] symbols indicate that.

But here’s the essence of this creative tactic. When you go to exit this thing, a “warning” notice of those “critical erros” pops up. You can “X” it out but it will pop up again if you try to exit the scan program.

Well . . . if you click on “Alert Settings” in small print down in the lower right corner, it will take you to this gem:

Notice the first two default selections. The thing will always start up with Windows (not unusual for a lot of software, but this setting is obscure and a noob might not find it), and even if you uncheck the first box, those SCAREWARE warnings will keep popping up when you try to exit as long as the second box is checked.

So a noob would get in an endless loop in this thing (thinking it was impossible to exit WITHOUT “fixing”) and out of frustration click on the “fix” button.

Slick . . . and criminal as far as I’m concerned.

And here’s another one:

This one goes so far as to tell you that if you don’t use their “Fix”, “your computer performance WILL (my emphasis) be affected.” Desperate to get you hooked?

CONCLUSION:

So what do you do if you are duped by one of these?

First of all, if hitting that “Fix” button takes you to a web page like this:

That’s a pretty good indication you are getting scammed.

Notice a coupla’ things on this.

They very nicely (~sarcasm~) have checked by default that you will add to your order $14.89 for their “AntiiVirus/Anti-Spyware” package, and ALSO $9.89 for their “handy” backup CD, for a total order of $44.67.

Now all this alone can be defended as a “business model”, and though it’s dubious it is actually pretty common even with legit titles.

And while the “Billing Information” request for your personally identifiable information (“PII”), is normal and even necessary to process a credit card order, the whole thing wreaks of scam when coupled with the fact that you got there because you hit the “Fix” button on a “Free Scan.”

My advice: GET THE HECK OUT OF THERE, close your browser if you have to, uninstall that beast with something like Revouninstaller (so you can dig all their nonsense out of your registry) and right away do a scan for malware. Definitely DO NOT give these jokers ANY of your personal information, and CERTAINLY don’t give them your CC account number.

An entire criminal industry (mostly offshore, but the U.S. Mob is in on this too) has sprung up with this crap. Gangs of criminals are raking in millions. Some of these rings have been busted by the FBI in co-operation with foreign enforcement agencies, but there are still plenty out there.

There are even a few US Software Corporations presenting these scams . . . and one of them was the one I got my “threatening legal notice” from (see Part 1.)

Your best defense . . . just flat out DON’T do one of these “Free Scans” unless you know for sure it’s a legitimate one, like from a mainstream anti-virus company as I pointed out earlier.