FTC Sets $163 Million Fine For “Scareware” Business

Max Smolaks,
Cybersecurity, Hack © Anatema Shutterstock 2012

Selling solutions to non-existing security problems is not OK

A US federal court has imposed a $163 million (£101m) fine on the operators of a “scareware” business that tricked computer users into thinking their machines were infected with malware, and then sold them a “fix”.

The tough punishment was issued by the Federal Trade Commission (FTC), the US consumer protection agency. The main defendant, Kristy Ross, was also permanently prohibited from selling security software and “any other software that interferes with consumers’ computer use”.

It is thought that Ross and two co-founders of the offending companies – Sam Jain and Daniel Sundin – will be jointly liable for the fine.

False advertising

The “scareware” operation was discovered by the FTC back in 2008, as part of the efforts to safeguard consumers from spyware and malware. Ross and six other defendants were accused of deceiving over a million customers by selling them security software to combat the non-existent infection, discovered by the “system scanners” made by the same group of companies.

Cybersecurity, Hack © Lightspring Shutterstock 2012The culprits would place flash banners on trusted, popular websites, displaying something that looked like a running anti-virus scanner. It would inevitably find a host of viruses, spyware, and illegal pornography on a user’s computer, and offer to buy security software designed to “fix” any and all problems.

The banners were placed on behalf of legitimate organisations without their consent, and looked perfectly normal to the advertising agencies thanks to some clever coding.

The solutions would usually come under generic names, such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, and cost from $40 to $60 (£24 – £37). Naturally, none of them actually offered any sort of protection against malware.

The two companies charged in the case – Innovative Marketing and ByteHosting Internet Services – operated using a variety of aliases and maintained several offices, including one in Kiev, Ukraine. According to the FTC, Innovative Marketing took in around $60 million (£37m) in revenue between 2000 and 2008, when the first legal action was brought.

Under a settlement announced in 2011, defendant Marc D’Souza and his father, Maurice D’Souza, were already ordered to give up $8.2 million (£5m) they earned through the scheme.

According to ArsTechnica, Ross argued she was just an employee of the company, was not a “control person” and did not have “requisite knowledge of the misconduct”. However, the court decided otherwise.

To avoid such scams, the FTC advised computer users to always keep their anti-virus and firewall solutions updated and switched on, and not click on any links within pop-ups. “If you’re faced with any of the warning signs of a scareware scam or suspect a problem, shut down your browser,” read an advisory from the FTC.

Doing some basic research before installing any software is also a good approach: “If you get an offer, check out the program by entering the name in a search engine. The results can help you determine if the program is on the up-and-up.”

Last year, the FBI arrested members of two cyber-crime gangs who may have netted more than $74 million (£46m) using the same “scareware” method.

How well do you know Internet security? Try our quiz and find out!