There is plenty of fakery of all sorts in the IT business, and the security sector has seen more than its fair share.
In the 1990s, documentation and binaries passed off as being from security companies were used to carry malicious code. Mass-mailing malware and spammed malicious URLs added fake anti-virus (AV) updates and system patches to the mix. In recent years, criminal gangs have misused search engine optimisation (Black Hat SEO) to lure victims onto websites salted with fake anti-malware and other utilities.
Why do we call this rogue AV? These people are not security developers gone bad, however much they may try to persuade us that there is no difference between them and us. And they do: security labs face a lot of threatened and actual legal action from developers claiming their software is legitimate - such threats tie up significant resources.
This is not just an attack on an industry which is already distrusted (but is generally as honest in real life as you can reasonably expect any commercial enterprise to be) in order to decrease its ability to fight back. By blurring the distinction between the medicine and the disease, the fakers open up channels for further exploitation.
This may be done by mimicking legitimate business processes to enhance their own credibility: for instance, one large purveyor of fake AV expended significant resources on "call centres" addressing critical installation issues such as how you install fake security software when your real AV package insists on detecting it as malware.
If it sounds far-fetched that victims would be so ready to accept that black is white (and vice versa), consider this. Recently, we have become aware of a scam where people are cold-called by a support desk whose staffers claim Microsoft affiliation or accreditation. They tell the prospective victim that his or her PC is sending out SOS messages due to malware infection or system errors, and offer to fix the problem and, in many cases, install a "better" security program. The caller helpfully explains how to "confirm" the problem by using the Event Viewer to see how many errors and warnings it reports. Sadly, this always flags enough transient errors to frighten a victim into allowing the caller access to both their PC (using a legitimate remote access service) and their credit card details.
I became aware of the problem because one of the companies concerned was claiming to install a version of one of ESET's products, and colleagues in the UK and Ireland have received a number of helpdesk calls from customers finding that it did not work.
While the company names and websites change frequently as they are identified and, where possible, shut down, the callers and sites can usually be traced back to Kolkata in West Bengal, though in recent incidents the callers have been far more cautious about giving verifiable information. This may be in response to awkward questions asked by inquisitive AV researchers, law enforcement, and the occasional journalist, but there is plenty of scope for more misuse.
Recent reports suggest a shift in tone from persuasion to the sort of bullying often associated with doorstep evangelists ("Don't blame me when your PC blows up and you can't fix it from Hades!"). Unfortunately, such social engineering is not very susceptible to technical countermeasures.
David Harley CISSP is senior research fellow at ESET
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².
This was first published in October 2010