More Scareware indictments

From R&D:

Posted by Tim Cranton
Associate General Counsel, Microsoft Digital Crimes Unit

Today the FBI announced federal indictments returned against three culprits charged with disseminating a major malware scheme believed to have caused $100 million in losses to victims worldwide. The scheme revolved around a form of malware called “scareware,” which falsely persuades consumers that they need to purchase useless and expensive software to protect their computers. Microsoft is proud to have supported the FBI and the U.S. Department of Justice in these cases, which send a clear and important message to cyber-criminals that they will be caught and brought to justice.

The scheme in these indictments was global, complex and sophisticated. The scareware went by various names, including WinFixer – meant to mislead consumers into associating the bogus software with trusted Microsoft products. At one time, WinFixer and its variants are thought to have been responsible for 75 percent of scareware worldwide.

Two of the three defendants indicted in this case are non-U.S. residents, accused of working with an Ohio resident to perpetrate the scheme. This illustrates how cybercrime has become global. Boundaries and jurisdictions are irrelevant to cyber-criminals. The problem can’t be tackled by any single entity working alone; strong cooperation is needed among governments, law enforcement and technology companies.

The Department of Justice and the FBI have put a stake in the ground to protect consumers; at Microsoft, we stand beside them in the fight to make the Internet a safer place.

This is the third legal case that I have commented on this year regarding Microsoft, the first being the Waledac takedown and the second being Microsoft’s victorious lawsuit against Funmobile (a spam-over-IM case, spimming). This illustrates one of the necessary legs in the fight against the abuse landscape: the legal arena.

Software protection is the end user’s first line of defense. Without it, it’s almost impossible to function online nowadays. Spam filters, firewalls and anti-virus protection form the triad of consumer protection so that users can do stuff on the Internet with lower risk of compromise. Most people don’t know enough about threats, and so software is there to protect them without them having to do anything (kind of like a pacemaker, or airbags in vehicles). Yet so long as cyber criminals are out there, the threats will continue.

People will always be behind the spam/malware space dreaming up new ways to infect others. And so long as they can continue to do what they do, the problem will remain the same (unless software gets so good at blocking threats that it makes it unprofitable for them). Somebody has to write the code to create a worm, someone has to control the botnets, and someone has to write the templates to send the spam. These things don’t just run themselves; they require human effort. Yet if humans are removed from that equation (through prosecution), then there are fewer people to try to (cyber) attack us. The other thing that legal moves like this do is provide a deterrent. If enough cyber criminals were prosecuted such that it got others to think twice about spamming or writing malware, it might create suitable deterrence such that the threat goes away by itself. The lucrative spamming career is not quite so lucrative if you can spend time in prison, or even get hit with a multimillion dollar fine. All those legal expenses will drain you.

So, this represents a step forward.  Certainly there are other spammers who are bigger and badder, but in this game, you really do need to celebrate your victories.