Editing Scareware

{{Short description|Malware designed to elicit fear, shock, or anxiety}}
{{Distinguish|Careware|Shareware}}
<!-- no apparent distinction between [[Rogue security software]] and [[Rogueware]], and both already covered completely by [[Scareware]] (see 2nd para of lead there). No benefit to the reader to split hairs. -->
[[File:Scareware example popup.webp|thumb|right|An example of a scareware popup]]
'''Scareware''' is a form of [[malware]] which uses [[Social engineering (security)|social engineering]] to cause [[Acute stress reaction|shock]], [[anxiety]], or the perception of a threat in order to manipulate users into buying [[Potentially unwanted program|unwanted software]]<ref>{{Cite web |title=What is Malware? {{!}} IBM |url=https://www.ibm.com/topics/malware |access-date=2023-12-06 |website=www.ibm.com |date=14 April 2022 |language=en-us |archive-date=2023-12-07 |archive-url=https://web.archive.org/web/20231207180144/https://www.ibm.com/topics/malware |url-status=live }}</ref> (or other products). Scareware is part of a class of [[Malware|malicious software]] that includes [[rogue security software]], [[ransomware]] and other scam [[software]] that tricks users into believing their computer is infected with a [[Computer virus|virus]], then suggests that they download and pay for [[Rogue security software|fake antivirus software]] to remove it.<ref>{{cite news|url=http://news.bbc.co.uk/2/hi/technology/8313678.stm|title=Millions tricked by 'scareware'|work=BBC News|date=2009-10-19|access-date=2009-10-20|archive-date=2018-06-22|archive-url=https://web.archive.org/web/20180622204958/http://news.bbc.co.uk/2/hi/technology/8313678.stm|url-status=live}}</ref> Usually the virus is fictional and the software is non-functional or [[malware]] itself.<ref name=BBC1>[http://news.bbc.co.uk/1/hi/technology/7955358.stm 'Scareware' scams trick searchers] {{Webarchive|url=https://web.archive.org/web/20170810133116/http://news.bbc.co.uk/1/hi/technology/7955358.stm |date=2017-08-10 }}. [[BBC News]] (2009-03-23). Retrieved on 2009-03-23.</ref> According to the [[Anti-Phishing Working Group]], the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008.<ref>{{cite web|url=https://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam/|website=The Register|date=2009-04-10|access-date=2009-04-12|title=Scareware scammers adopt cold call tactics|archive-date=2018-02-10|archive-url=https://web.archive.org/web/20180210235110/http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam/|url-status=live}}</ref> In the first half of 2009, the APWG identified a 585% increase in scareware programs.<ref>{{Cite web |url=http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf |title=Phishing Activity Trends Report: 1st Half 2009 |access-date=2009-10-05 |archive-date=2012-04-15 |archive-url=https://web.archive.org/web/20120415044716/http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf |url-status=live }}</ref>

The "scareware" label can also apply to any application or virus which pranks users with intent to cause anxiety or panic.

== Scam scareware ==
Internet security writers use the term "scareware" to describe software products that produce frivolous and alarming warnings or threat notices, most typically for fictitious or useless commercial [[firewall (computing)|firewall]] and [[registry cleaner]] software.  This class of program tries to increase its perceived value by bombarding the user with constant warning messages that do not increase its effectiveness in any way.  Software is packaged with a look and feel that mimics legitimate security software in order to deceive consumers.<ref>{{cite web|url=https://www.theregister.co.uk/2009/10/20/scareware_psychology/|title=Scareware Mr Bigs enjoy 'low risk' crime bonanza|author=John Leydon|date=2009-10-20|access-date=2009-10-21|website=The Register|archive-date=2017-08-10|archive-url=https://web.archive.org/web/20170810135209/https://www.theregister.co.uk/2009/10/20/scareware_psychology/|url-status=live}}</ref>

Some websites display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful spyware programs.<ref>{{cite web|url=http://www.2-removevirus.com/remove-warning-your-computer-may-be-infected/|title=Fake Warning Example|author=Carine Febre|date=2014-10-20|access-date=2014-11-21|publisher=Carine Febre|archive-date=2017-04-10|archive-url=https://web.archive.org/web/20170410212259/http://www.2-removevirus.com/remove-warning-your-computer-may-be-infected/|url-status=usurped}}</ref>  Immediate removal may be required. To scan, click 'Yes' below." These websites can go as far as saying that a user's job, career, or marriage would be at risk. Products with advertisements such as these are often considered scareware. Serious scareware applications qualify as [[rogue software]].

Some scareware is not affiliated with any other installed programs. A user can encounter a pop-up on a website indicating that their PC is infected.<ref>{{cite web|url=http://blog.trendmicro.com/search-results-for-air-france-flight-447-lead-to-rogue-antivirus/|title=Air France Flight 447 Search Results Lead to Rogue Antivirus|author=JM Hipolito|publisher=[[Trend Micro]]|date=2009-06-04|access-date=2009-06-06|archive-date=2012-02-17|archive-url=https://web.archive.org/web/20120217223931/http://blog.trendmicro.com/search-results-for-air-france-flight-447-lead-to-rogue-antivirus/|url-status=live}}</ref> In some scenarios, it is possible to become infected with scareware even if the user attempts to cancel the notification.
These popups are specially designed to look like they come from the user's operating system when they are actually a webpage.

A 2010 study by [[Google]] found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.<ref>{{cite journal|url=http://krebsonsecurity.com/wp-content/uploads/2010/04/leet10.pdf|date=2010-04-13|access-date=2010-11-18|author=Moheeb Abu Rajab and Luca Ballard|title=The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution|archive-date=2019-02-20|archive-url=https://web.archive.org/web/20190220081957/https://krebsonsecurity.com/wp-content/uploads/2010/04/leet10.pdf|url-status=live}}</ref>

Starting on March 29, 2011, more than 1.5 million [[web sites]] around the world have been infected by the [[LizaMoon]] [[SQL injection]] attack spread by scareware.<ref>{{cite web |title=Mass 'scareware' attack hits 1.5M websites, still spreading |date=April 1, 2011 |work=On Deadline |url=http://content.usatoday.com/communities/ondeadline/post/2011/04/mass-scareware-attack-hits-15m-websites-so-far/1 |access-date=April 2, 2011 |archive-date=July 8, 2012 |archive-url=https://archive.today/20120708164453/http://content.usatoday.com/communities/ondeadline/post/2011/04/mass-scareware-attack-hits-15m-websites-so-far/1 |url-status=live }}</ref><ref>{{cite web |title=Malicious Web attack hits a million site addresses |date=April 1, 2011 |work=Reuters.com |url=https://www.reuters.com/article/2011/04/01/hackers-idUSN0116927520110401 |access-date=July 1, 2017 |archive-date=November 11, 2014 |archive-url=https://web.archive.org/web/20141111012809/http://www.reuters.com/article/2011/04/01/hackers-idUSN0116927520110401 |url-status=dead }}</ref>

Research by Google discovered that scareware was using some of its servers to check for internet connectivity.  The data suggested that up to a million machines were infected with scareware.<ref>{{cite news|url=https://www.bbc.co.uk/news/technology-14232577|work=[[BBC News]]|title=Google to Warn PC Virus Victims via Search Site|access-date=2011-07-22|date=2011-07-21|archive-date=2016-07-21|archive-url=https://web.archive.org/web/20160721055338/http://www.bbc.co.uk/news/technology-14232577|url-status=live}}</ref>  The company has placed a warning in the search results for users whose computers appear to be infected.

Another example of scareware is Smart Fortress. This site scares the victim into thinking they have many viruses on their computer and asks them to buy a professional service.<ref>{{cite web|url=http://support.kaspersky.com/us/viruses/rogue?qid=208286259|title=Smart Fortress 2012|website=Kaspersky Lab Technical Support|date=February 29, 2012|url-status=dead|archive-url=https://web.archive.org/web/20170128191536/http://support.kaspersky.com/us/viruses/rogue?qid=208286259|archive-date=2017-01-28}}</ref>

=== Spyware ===
Some forms of [[spyware]] also qualify as scareware because they change the user's desktop background, install icons in the computer's [[notification area]] (under [[Microsoft Windows]]), and claiming that some kind of spyware has infected the user's computer and that the scareware application will help to remove the infection. In some cases, scareware trojans have replaced the desktop of the victim with large, yellow text reading "Warning! You have spyware!" or a box containing similar text, and have even forced the screensaver to change to "bugs" crawling across the screen.<ref>{{cite web|title=bugs on the screen|url=https://social.technet.microsoft.com/Forums/en-US/8a460e01-b72b-4843-a1d1-f25a5d7016b7/bugs-on-the-screen|website=Microsoft TechNet}}{{Dead link|date=February 2022 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> Winwebsec is the term usually used to address the malware that attacks the users of Windows operating system and produces fake claims similar to that of genuine anti-malware software.<ref name=AAA>{{cite news |url= http://www.spywareloop.com/news/scareware |archive-url= https://web.archive.org/web/20141108171211/http://www.spywareloop.com/news/scareware |url-status= dead |archive-date= 8 November 2014 |title= Scareware in SpyWareLoop.com|author=  Vincentas |newspaper=Spyware Loop |date=11 July 2013 |access-date=27 July 2013}}</ref>

[[SpySheriff]] exemplifies spyware and scareware: it purports to remove spyware, but is actually a piece of spyware itself, often accompanying [[SmitFraud]] infections.<ref>[http://www.spywarewarrior.com/rogue_anti-spyware.htm spywarewarrior.com] {{Webarchive|url=https://web.archive.org/web/20180922003408/http://www.spywarewarrior.com/rogue_anti-spyware.htm |date=2018-09-22 }} filed under "Brave Sentry."</ref> Other antispyware scareware may be promoted using a [[phishing]] scam.

==Uninstallation of security software==
Another approach is to trick users into uninstalling legitimate antivirus software, such as Microsoft Security Essentials, or disabling their [[Firewall (computing)|firewall]].<ref>{{Cite web |url=https://www.theregister.co.uk/2010/08/20/social_engineering_scareware/ |title=theregister.co.uk |website=[[The Register]] |access-date=2017-08-10 |archive-date=2017-08-10 |archive-url=https://web.archive.org/web/20170810142313/https://www.theregister.co.uk/2010/08/20/social_engineering_scareware/ |url-status=live }}</ref> Since antivirus programs typically include protection against being tampered with or disabled by other software, scareware may use social engineering to convince the user to disable programs which would otherwise prevent the malware from working.

==Legal action==
In 2005, [[Microsoft]] and [[Washington (state)|Washington state]] successfully sued Secure Computer (makers of [[Spyware Cleaner]]) for $1&nbsp;million over charges of using scareware pop-ups.<ref>{{cite web|url=http://www.theinquirer.net/gb/inquirer/news/2008/09/29/washington-microsoft-target|date=2008-09-29|author=Etengoff, Aharon|publisher=[[The Inquirer]]|access-date=2008-10-04|title=Washington and Microsoft target spammers|archive-date=2008-10-02|archive-url=https://web.archive.org/web/20081002040143/http://www.theinquirer.net/gb/inquirer/news/2008/09/29/washington-microsoft-target|url-status=dead}}</ref>
Washington's attorney general has also brought lawsuits against Securelink Networks, [[Softwareonline.com]],<ref>{{Cite web|title=Attorney General's Office Sues, Settles with Washington-based SoftwareOnline.com {{!}} Washington State|url=https://www.atg.wa.gov/news/news-releases/attorney-general-s-office-sues-settles-washington-based-softwareonlinecom|access-date=2021-12-21|website=www.atg.wa.gov|archive-date=2021-12-08|archive-url=https://web.archive.org/web/20211208024611/https://www.atg.wa.gov/news/news-releases/attorney-general-s-office-sues-settles-washington-based-softwareonlinecom|url-status=live}}</ref> High Falls Media, and the makers of Quick Shield.<ref>{{cite web
 |author       = Tarun
 |title        = Microsoft to sue scareware security vendors
 |url          = https://www.lunarsoft.net/featured/microsoft-to-sue-scareware-security-vendors
 |work         = Lunarsoft
 |date         = 2008-09-29
 |access-date  = 2009-09-24
 |quote        = [...] the Washington attorney general (AG) [...] has also brought lawsuits against companies such as Securelink Networks and High Falls Media, and the makers of a product called QuickShield, all of whom were accused of marketing their products using deceptive techniques such as fake alert messages.
 |archive-date = 2010-06-20
 |archive-url  = https://web.archive.org/web/20100620105714/http://www.lunarsoft.net/news/1-frontpage/378-microsoft-to-sue-scareware-security-vendors
 |url-status   = live
}}</ref>

In October 2008, [[Microsoft]] and the [[Washington (state)|Washington]] [[attorney general]] filed a lawsuit against two Texas firms, Branch Software and Alpha Red, producers of the [[Registry Cleaner XP]] scareware.<ref>{{cite news|url=http://news.bbc.co.uk/2/hi/technology/7645420.stm|title=Fighting the scourge of scareware|date=2008-10-01|access-date=2008-10-02|work=BBC News|archive-date=2018-02-12|archive-url=https://web.archive.org/web/20180212202628/http://news.bbc.co.uk/2/hi/technology/7645420.stm|url-status=live}}</ref>
The lawsuit alleges that the company sent incessant pop-ups resembling system warnings to consumers' personal computers stating "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED", before instructing users to visit a web site to download Registry Cleaner XP at a cost of $39.95.

On December 2, 2008, the U.S. [[Federal Trade Commission]] ("FTC") filed a Complaint in federal court against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, as well as individuals  [[Sam Jain]], Daniel Sundin, James Reno, Marc D’Souza, and Kristy Ross.  The Complaint also listed Maurice D’Souza as a Relief Defendant, alleged that he held proceeds of wrongful conduct but not accusing him of violating any law.  The FTC alleged that the other Defendants violated the FTC Act by deceptively marketing software, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.  According to the complaint, the Defendants falsely represented that scans of a consumer's computer showed that it had been compromised or infected and then offered to sell software to fix the alleged problems.<ref>{{cite news|url=http://www.ftc.gov/os/caselist/0723137/index.shtm|publisher=Federal Trade Commission|title=Win software|access-date=2012-03-15|archive-date=2013-09-19|archive-url=https://web.archive.org/web/20130919223741/http://ftc.gov/os/caselist/0723137/index.shtm|url-status=live}}</ref><ref>{{cite news|url=https://www.fbi.gov/wanted/cyber/shaileshkumar-p.-jain/view|publisher=FBI|title=Wanted by the FBI - SHAILESHKUMAR P. JAIN|access-date=2016-07-28|archive-date=2017-06-27|archive-url=https://web.archive.org/web/20170627023044/https://www.fbi.gov/wanted/cyber/shaileshkumar-p.-jain/view|url-status=live}}</ref><ref>{{cite news|url=http://www.ftc.gov/os/caselist/0723137/110127innovativemktgorder.pdf|publisher=Federal Trade Commission|title=D'Souza Final Order|access-date=2012-03-15|archive-date=2012-10-16|archive-url=https://web.archive.org/web/20121016214651/http://www.ftc.gov/os/caselist/0723137/110127innovativemktgorder.pdf|url-status=live}}</ref>

== Prank software ==
Another type of scareware involves software designed to literally scare the user through the use of unanticipated shocking images, sounds or video.

* An early program of this type is [[NightMare (scareware)|NightMare]], a program distributed on the [[Fred Fish|Fish Disks]] for the [[Amiga]] computer (Fish #448) in 1991. When NightMare executes, it lies dormant for an extended and random period of time, finally changing the entire screen of the computer to an image of a skull while playing a horrifying shriek on the audio channels.<ref>[http://www.amiga-stuff.com/pd/fish.html Contents of disk #448] {{Webarchive|url=https://web.archive.org/web/20180918191203/http://www.amiga-stuff.com/pd/fish.html |date=2018-09-18 }}. Amiga-stuff.com - see DISK 448.</ref>
* Anxiety-based scareware puts users in situations where there are no positive outcomes.  For example, a small program can present a [[dialog box]] saying "Erase everything on hard drive?" with two buttons, both labeled "OK".  Regardless of which button is chosen, nothing is destroyed.<ref>{{Cite web |url=http://www.freetheflash.com/downloads/dark-drive.php |title=Dark Drive Prank |access-date=2010-02-18 |archive-date=2018-07-24 |archive-url=https://web.archive.org/web/20180724055425/http://www.freetheflash.com/downloads/dark-drive.php |url-status=live }}</ref>
* This tactic was used in an advertisement campaign by [[Sir-Tech]] in 1997 to advertise ''[[Virus: The Game]]''. When the file is run, a full screen representation of the desktop appears. The software then begins simulating deletion of the [[Microsoft Windows|Windows]] folder. When this process is complete, a message is slowly typed on screen saying "Thank God this is only a game." A screen with the purchase information appears on screen and then returns to the desktop. No damage is done to the computer during the advertisement.{{Citation needed|date=December 2019}}

== Detection ==
Research in the 2020s has also introduced a new detection technology designed to identify scareware [[Social engineering (security)|social engineering]] attacks with enhanced resilience. This approach targets the visual images presented to end users, which is a layer that attackers cannot easily obscure.<ref>{{Cite book |title=Robust scareware image detection |url=https://ieeexplore.ieee.org/document/6638192 |access-date=2024-02-09 |date=2013 |doi=10.1109/ICASSP.2013.6638192 |last1=Seifert |first1=Christian |last2=Stokes |first2=Jack W. |last3=Colcernian |first3=Christina |last4=Platt |first4=John C. |last5=Lu |first5=Long |pages=2920–2924 |isbn=978-1-4799-0356-6 |archive-date=2024-04-12 |archive-url=https://web.archive.org/web/20240412152652/https://ieeexplore.ieee.org/document/6638192/ |url-status=live }}</ref>

==See also==
* [[Computer security]]
* [[Ransomware]]
* [[Rogue security software]]
* [[Tapsnake]]

== Notes ==
{{reflist|3}}

==Further reading==
*{{cite journal|url=http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7a827fbd-c2a1-48bc-9e85-6b805d3e7e26|title=The Modern Rogue – Malware With a Face|first=Hamish|last=O’Dea|publisher=[[Microsoft]]|location=Australia|date=2009-10-16}}

==External links==
{{Commons category}}
*{{youTube|nRgkFt0NLsw|Demonstration of scareware}}
*[http://blogs.technet.com/b/markrussinovich/archive/2011/03/14/3412374.aspx The Case of the Unusable System]
*[https://arstechnica.com/gadgets/2013/01/yes-that-pc-cleanup-app-you-saw-on-cable-tv-at-3am-is-a-scam/ Yes, that PC cleanup app you saw on TV at 3 a.m. is a waste]

{{Information security}}
{{software distribution}}
{{Malware}}

[[Category:Types of malware]]
[[Category:False advertising]]
[[Category:Cybercrime]]
[[Category:Social engineering (security)]]