FBI hits Latvian scareware peddlers who infected 1 million

The FBI targeted two operations, one of which cost victims $72 million, the FBI said

The U.S. Federal Bureau of Investigation has taken aim at two Latvian gangs that allegedly made tens of millions of dollars by sneaking fake virus warnings onto victims' computers and then charging them to clean up the mess.

It's called scareware, and it's become a big problem for Internet users. According to the FBI, one of the groups infected 960,000 computers, costing users $72 million. A second group made about $2 million by placing fake ads on the Minneapolis Star Tribune's website.

Two people were arrested Tuesday in Rezekne, Latvia, in connection with that second group. They are Peteris Sahurovs, 22, and Marina Maslobojeva, 23. Both face wire fraud and computer fraud charges in the U.S.

Scareware works by displaying a pop-up message on the victim's screen with a fake but scary-looking virus warning. The warning pesters the victim until they pay money to the criminals -- sometimes more than $100 -- for what they think will be antivirus software to fix the problem. Paying the money usually makes the warnings go away, but handing over a credit card number to an unknown party can lead to credit card fraud and other problems.

The FBI, along with law enforcement agencies in the U.K., the Netherlands, Latvia, Germany, France, Lithuania and Sweden, seized 22 computers in the U.S. and 25 more overseas. They also worked with Latvian police to seize bank accounts belonging to the alleged scammers.

One of those raids was conducted Tuesday at a Reston, Virginia data center operated by DigitalOne, according to a source familiar with the situation.

Court filings related to the $72 million scam are sealed, but the indictment against the second group -- which includes Sahurovs and Maslobojeva -- describes a sophisticated operation.

According to prosecutors, the two would approach publishers pretending to represent legitimate companies. In the case of the Minneapolis Star Tribune, they allegedly claimed to be Lisa Polowski, a senior media buyer with an agency called RevolTech Marketing. Saying they wanted to place ads for Best Western hotels on Startribune.com they allegedly started running an ad campaign that ran legitimate Best Western ads for the first two days. On the first Sunday of the campaign, the ads abruptly switched and started downloading malicious software onto visitors' computers, prosecutors said.

"Visitors to the Startribune.com website began experiencing slow system performance, unwanted pop-ups, and total system failure," the Department of Justice said in the indictment. The pop-ups were incessant, trying to scare visitors to by a $49.95 fake security program called Antivirus Soft.

The next day, the Star Tribune pulled the plug on ad networks on its website.

Other Web publishers have had similar problems. Late last year, criminals snuck similar ads on Google and Microsoft's ad networks, causing malicious advertisements to pop up all over the Internet.

Legitimate software companies do not bombard their users with pop-up messages, so when this happens, users should immediately "kill" their browsers (in Windows, this can be done in the Task Manager, which pops up when ctrl-alt-del are pressed simultaneously). Running the computer in user-level mode, instead of admin mode will also prevent the scareware problem, said Roger Thompson, chief research officer with antivirus vendor AVG. "Most operating systems are pretty safe if you do that," he said in an instant message interview. "Use the user-level account most of the time and only log in as admin if you need to upgrade."

Despite the FBI arrests, scareware products are still going to be a problem because so many people are involved in pushing these fake products, Thompson said. "The problem is that they keep teaching other people how to work the scam," he said. "They create real companies and hire programmers and marketers...and then they get shut down, but they've taught 100 other people how it works."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Copyright © 2011 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon