Royal pain: A poisoned picture of Princess Diana came up as high as third in Google Image searches for “royal wedding coverage” on the spring day that her son Prince William got married.
Not long after Prince William and Kate Middleton exchanged vows on April 29, a 1981 wedding portrait of the groom’s late mother, Princess Diana, appeared as one of the top three images for people typing the most popular search term on Google that morning: “royal wedding coverage.” But the link was a trip wire. Fraud artists had finagled a malicious website through Google’s algorithm. The link led to a hacked page on a Web comic book called Kiwiblitz.com, which redirected the browser to another site—one with a domain name from an obscure Australian island territory and hosted in Sweden. That site displayed a realistic-looking program called “XP Anti-Spyware” that issued bogus warnings—Your Computer Is Infected! A few clicks led to a purported solution, for $59.95: a download of a fix that didn’t actually exist.
Chalk up another success for what’s generally known as the “fake antivirus” scam. Federal investigators and security experts estimate that its various iterations have extracted at least $1 billion from victims in the past several years, and it has become the most visible manifestation of an overall rise in malicious software, or “malware,” distributed online (see charts below). The damage goes beyond the theft of cash: even if you don’t pull out your wallet, sometimes merely clicking on the bogus come-ons can deliver other forms of malware that may steal your passwords or conscript your computer into a remotely controlled gang called a botnet. Because the scam generally relies on fooling people into voluntarily installing malware—a strategy called a social-engineering attack—it can wind up infecting even well-maintained machines, both PCs and Macs. “As a human-level act of deception, it is just classically beautiful,” says David Clark, a research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory, who was the Internet’s chief protocol architect in the 1980s.
This threat is a product of nimble technology and a business model that rewards innovation. Con artists have rendered thousands of variants on the fake-antivirus lure in dozens of languages, devised automated means of infecting ordinary websites, and dreamed up many “vectors,” or methods of delivering Web links bearing their nefarious payload. Gamed search results are only one method. Online ads are another vector, as are spam e-mails, links on social networks, and even robo-calls via Skype or telephone advising people to visit websites that belch up the attack. “It’s a really dominant threat to computer users that has persisted over time and continues to evolve and grow,” says Maxim Weinstein, director of StopBadware, a nonprofit in Cambridge, Massachusetts, that helps websites rid themselves of malware hacks and pushes to shut down malicious sites. The success of the scam exposes the flat-footedness of many of the Internet’s major players, which have been unable to coördinate a strategy for dealing with it.
There have been victims in at least 60 countries. “I spent hours cleaning up a system that got infected because an employee clicked on one of these warnings,” says Brian D’Arcangelo, information technology technician at Lynn Community Health Center, in Lynn, Massachusetts. “It’s happening with greater frequency here.” A jewelry maker in Toronto—who wanted only his last name, Moser, used—found his Windows PC locked down with blinking warnings last year after he searched for items related to his trade, so he went ahead and bought the “solution” for $79.95. He had to get the computer cleaned. Searches for terms as mundane as “balloons” have led to attack sites. Apple forums have been lighting up with pleas from customers seeking to extricate themselves from scams like one urging them to buy nonexistent “Mac Defender” software. The mother of Melissa Hathaway, who served as President Obama’s cybersecurity adviser in 2009, clicked to install a fake antivirus product last December. Computer security experts warn that many victims don’t even realize they’ve been scammed.