Scareware is designed to literally ‘scare’ an end user into thinking that their device is infected with a virus and manipulate the victim into downloading or buying unwanted software, and/or steal personal data. One of the ways bad actors distribute Scareware is through malvertising ad campaigns. When an end user visits a website and clicks on an ad, the Scareware is served to them. This usually takes the form of a pop up that features a warning such as ‘Virus Detected’ or ‘Security Warning.’
To demonstrate some of the tactics used by Scareware malvertisers, here are some examples of recent Scareware ad campaigns that AdSecure detected and stopped before they reached end users.
Example 1: Fake Windows Tech Support
This pop up poses as a Windows Defender message faking tech support, it locked the end users browser and featured an alert type siren sound. It tells the end user to call a telephone number posing as Microsoft Support, if the user calls they will be asked to handover password information that the Malvertiser can then use for a future exploitation attack on them.
This is a particularly effective method because it locks the end user's browser, an inexperienced user will not think to restart their device to get out of the browser locker, and the siren noise adds to creating panic for the end user.
Example 2: Fake Microsoft Virus Removal Product Offer
This example is posing as an alert from Microsoft. It blatantly says to the end user that their device is infected with 3 viruses and pushes them to click the ‘Remove viruses now’ button. By clicking the button, it will install an unwanted program or software.
Example 3: Fake Apple examples
Similar to the previous example, these are posing as official messages from Apple.
Example 4: Fake Google examples
This malvertising campaign was targeting end users using a Samsung Galaxy s10+ mobile device, posing as Google. It is interesting to note that there are grammatical errors in English. For example ‘may be at Security Risk’, ‘you may receive a lot of scams’ and ‘calls daily.’ The second example uses the Google logo.
Example 5: Fake Norton
This example poses as Norton Security with three pop ups to induce panic, telling the user that their Norton subscription has expired. An inexperienced user will probably see this as legitimate because Norton is a trusted brand.
Example 6: Fake System Message
Looking like the device’s System is alerting the end user that they need to install an update, again this will install unwanted programs or even malware onto the end users device.
Example 7: Fake VPN offer
This ad targeted mobile users with an ad for a fake VPN offer, once clicked this message appears. This is trying to trick the end user into thinking that they can have a private browsing experience installing this VPN, however clicking the ‘INSTALL’ button will download malware onto the device.
Ironically, ads claiming that end users have a virus and are in need of antivirus software are likely to contain a virus that could harm their device.
Scammers often use the names of well-known companies to gain end user trust. By using texts that incite feelings of panic and fear for the victim, they are hoping that end users will make irrational split-second decisions to click on buttons, or call the cyber criminals.
What are the goals of Scareware ads for Malvertisers?
Malvertisers have a few goals when it comes to using Scareware:
- Selling useless, fake software tools
- Installing damaging malware to gain access to sensitive data
- Trying to obtain end user’s passwords for future attacks
- To download Ransomware, a form of malware that holds the user’s data hostage in exchange for a payout in order to get hold of an end user’s credit card or bank details.
The damage Scareware can do
To the victim: Once an end user has been a victim of a Scareware ad it can be costly. They will have to pay a technician to have the malware removed from their device, or they will have to do a factory reset and a new system install on their device deleting all their files and data. They could become the victim of identity theft if the cyber criminal conned the victim out of a copy of their passport or identity document. The victim will have to change all their passwords and if they have been the victim of monetary exploitation, they will have to cancel credit cards and try to get their bank to refund the money that was conned out of them.
To the publisher website: The end user will never trust the website where the Scareware ad was served and will not revisit. If this happens to multiple victims the website's reputation will be further damaged.
To the ad network: The network that served the Scareware ad on the publishers site will lose the trust of their publisher client for not having stopped the malicious ads before they were served. The publisher may contact other publisher clients on the network about the Scareware campaign, potentially damaging other business relationships. Additionally, security journalists are always looking for new stories about malvertising activity to report on which could further damage the ad network’s reputation.
How to stop Scareware ad campaigns
AdSecure is a complete 360 degree ad security and ad quality solution for publishers and ad networks. AdSecure can detect and stop malvertising campaigns and Scareware is categorized as a Security Violation.
Bad actors try different types of malvertising in order to achieve their goals, for example, looking at 2021 below you can see what the percentage of AdSecure’s Scareware detections were over each quarter:
The Scareware tactic decreased in Q4 compared to the other quarters. Perhaps one of the reasons for this was because of AdSecure’s skill at detecting the Scareware campaigns on it’s clients’ networks. Malvertisers began to realize that Scareware was not an effective way of exploiting end users from the ad networks that used AdSecure as their anti malvertising solution.
See more of how AdSecure helped publishers and ad networks in AdSecure’s 2021 Violations Report.