The operation targeted international cyber crime rings that caused more than $74 million in total losses to more than one million computer users through the sale of fake security software, also known as scareware.

Police seized 22 computers and servers in the United States that were involved in running a scareware scheme. In addition, 25 computers and servers overseas were taken down as part of the same initiative, including equipment in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.

The scareware scam used a host of tricks to get consumers to infect their computers with malware. Once the scareware was downloaded, victims were notified their computers were infected with a range of malicious software, and badgered into purchasing the fake antivirus software to resolve the nonexistent problem.

A second international crime ring disrupted by Operation Trident Tribunal used online advertising to spread its scareware products, a tactic known as malvertising. Peteris Sahurovs, 22, and Marina Maslobojeva, 23, were arrested in Latvia and  charged on suspicions they created malvertisements that caused users’ computers to “freeze up” and then generate a series of pop-ups in an attempt to trick users into buying bogus antivirus software.

Users’ computers “unfroze” if the users paid the defendants for the fake antivirus software, but the malicious software remained on their computers. Those who failed to purchase the fake antivirus software soon discovered they could not access any information on files on their computers.

“Scareware is just another tactic that cyber criminals are using to take money from citizens and businesses around the world,” said Assistant Director Gordon M. Snow of the FBI’s cyber division. “This operation targeted a sophisticated business enterprise that had the capacity to steal millions. Cyber threats are a global problem, and no single country working alone can be effective against these crimes. The FBI thanks the participating foreign law enforcement agencies for their ongoing partnership and commitment in disrupting this threat.”

“We’ve seen this trend before with hot news stories,” said Graham Cluley, senior technology consultant at Sophos. “Cyber criminals take advantage of popular search terms to direct browsers to bogus security sites and trick them in to handing over credit card details, or into downloading further dangerous software on to their computers.”

According to Sophos, the criminals convince users their computers is in danger, tricking them into downloading bogus software. Once the computer is infected with fake anti-virus, the software will continue to flood users with warning messages, encouraging them to pay for threats to be removed.

“People mustn’t be distracted by the latest photo of the happy couple when clicking through to links,” Cluley said. “We all need to be on our guard when browsing unknown and untrustworthy sites.”

In a blackhat SEO attack, cyber crooks place links to malicious sites in the search results for popular terms, such as latest horror flicks to arrive in theaters. Once users click on the link and access the site, they become vulnerable to infection by Trojans and other malware, which often come in the form of scareware or rogueware.

Halloween-themed phishing attacks were also a popular tactic among cyber criminals this recent holiday. In this case, crooks tried to lure users into disclosing personal data; purchasing fraudulent or illegal products; or simply clicking a link, which earns the crooks money through pay-per-click systems.

Image: Sergey Galushko

Nearly two billion Internet users are vulnerable to scams and cyber assaults, in particular what a security company calls “crimeware-as-a-service” carried out by organized cyber criminals.

In a newly released report by CA Technologies, researchers  noted how Trojans are today the most common category of new threats, accounting for 73 percent of total threat infections reported worldwide. But more importantly, 96 percent of discovered Trojans were components of an emerging underground trend towards organized cyber crime, or “Crimeware-as-a-Service.”

“Crimeware isn’t new, but the extent to which a services model has now been adopted is amazing,” said Don DeBolt, director of threat research, Internet Security, CA Technologies. “This new method of malware distribution makes it more challenging to identify and remediate. Fortunately, security professionals and developers are diligent about staying one step ahead of these cyber criminals.”

Crimeware is primarily created to target data and identity theft to access user’s online banking services, shopping transactions, and other Internet services. Cyber criminals use a variety of techniques to steal confidential data through crimeware, including installing keystroke loggers to collect sensitive data. A crimeware program can also redirect users’ web browser to a bogus website controlled by the cyber criminals. Additionally, crimeware can enable cyber criminals to remotely hack into networks and systems to gain control and/or steal information.

In addition to crimeware, another notable threat this year is scareware, also known as fake anti-virus software. Called scareware because they scare consumers into buying purchasing anti-virus programs, this type of scam has become one of the fastest-growing types of online frauds,the FBI said in July. Instead of removing the “virus,” the programs often do either nothing at all, or they install malware onto computers and infect them.

While many viruses work to surreptitiously disable security software, this new technique relies on social engineering to convince users to disable or delete products themselves. If a user fails to follow the rouge software’s advice, the program attempts to delete security products from Microsoft, AVG, Zone Labs and Norton.

“In this example, a warning is displayed that the Symantec  antivirus software is “uncertified” and will hamper the computer’s performance,” according to Symantec. “The user is left with no other option than clicking OK, which initiates the uninstall process. Even if the user clicks the “close” button, the uninstaller of the antivirus product still executes.”

Called scareware because they scare consumers into buying bogus anti-virus programs, this type of scam has become one of the fastest-growing types of online frauds, according to the FBI. Instead of removing the supposed virus, the programs often do either nothing at all or they install malware onto computers.

Panda Security estimates scareware brings in some $34 million a month in revenue for industrious cyber gangs. Perfect example: the Ukraine-based company Innovative Market. In May, the company was charged with running a $100+ million scareware business that scammed Internet users in more than 60 countries. According to the indictment, proceeds from the sales of the scareware were deposited into bank accounts controlled by the scammers and their accomplices throughout the world and then transferred to European accounts.

To reach victims en masse, cyber criminals often employ botnets to push out their scareware. They will also pose as legitimate Internet security companies and buy ads on other websites—called “malvertising”—but when consumers click on the ads to purchase the products, they are redirected to websites controlled by the scammers.

Although any day or time is good enough for scammers to plug their bogus products, holidays and popular events are common occasions exploited by cyber criminals. Most recently, scammers poisoned Fourth of July web queries, according to USA Today. And with the ongoing “Twilight” hysteria, scammers know how to work the popularity of the series to their advantage by tainting “Twilight”-related search results with malicious links that trigger programs promoting fake anti-virus protection.

The World Cup has also proven to be another recent popular topic for scammers to abuse. According to PandaLabs, scareware called MySecurityEngine was being pushed through FIFA-related search terms. The fake software changed the desktop setting of the victim to display fake security alerts and take over the browser to direct the user to useless sites. It also installed malicious files and downloaded itself automatically onto the victim’s computer, making it hard to remove the malware.

To protect consumers from scareware, the FBI urges the use of a legitimate, up-to-date anti-virus program.

The charges allege a Cincinnati-area man and two other men believed to be living overseas deceived Internet users into believing their computers were infected with malware or had other critical errors. To solve the problem, the defendants convinced them to purchase bogus scareware software products.

Björn Daniel Sundin and Shaileshkumar P. Jain ran Innovative Marketing, Inc., a company posing as a vendor of anti-virus and computer performance/repair software. Jain, who served as IM’s chief executive officer, is a U.S. citizen and is believed to be living in Ukraine. Sundin, who acted as the company’s chief technology officer and chief operating officer, is a Swedish citizen and is believed to be in Sweden.

The third defendant, James Reno of Ohio, ran the former Byte Hosting Internet Services, which operated call centers that provided technical and billing support to victim consumers on behalf of IM. Reno is expected to present himself for arraignment at a later date in U.S. District Court in Chicago.

Sundin, Jain et al allegedly created at least seven bogus advertising agencies that contacted multiple victim companies claiming to be advertising brokers acting on behalf of known legitimate entities that wanted to place online ads on the victim companies’ websites, when in fact the ads were unauthorized. The victim companies allegedly were defrauded of at least $85,000 in unpaid fees promised by the fictitious ad agencies.

The Internet ads placed on victim’s websites contained hidden code that hijacked the browsers of individual victims, redirecting their computers to websites controlled by Sundin, Jain and others, the indictment alleges. The victims were then prompted with a series of error messages claiming their computer was experiencing a critical error and the victim needed to purchase an IM-distributed software product to remedy the problem.

After being directed to an IM scareware website, the indictment alleges three events typically occurred: the site appeared to be a warning message from the computer user’s operating system, prompting the user to click on a box to address an purported error; the site displayed an image that gave the false appearance that the computer was being scanned for various errors or viruses; and the site prompted the victim user to download a free trial version of an IM product, falsely promising the software could repair the nonexistent critical errors.

Sundin and Jain were each charged with 24 counts of wire fraud, and Reno with 12 counts of wire fraud. All three were charged with one count each of conspiracy to commit computer fraud and computer fraud. The indictment also seeks forfeiture of approximately $100 million and any money held in a bank account in Kiev.

According to Computerworld, this type of scam is a new one in the world of “ransomware”–the practice of holding hostage a computer system or the data it contains, and then extorting money from its rightful owner.

Trend Micro researchers in Japan and the U.K. analyzed the attack and found the cyber criminals planted a Trojan onto a Japanese file-sharing service. The malware posed as installers for adult games in the pornographic Hentai genre.

The installer asked personal questions, including name, date of birth and game passwords, as well as collected information from the computer such as screenshots of Internet Explorer’s bookmarks. The information was later posted to a website used by criminals to extort 1,500 yen (roughly $16) from victims by promising to remove the potentially embarrassing content.

Victims received an email from a company called Romancing Inc., which claimed they were infringing on copyrights. For a fee, Romancing Inc. would remove that information and resolve the copyright infringement.

According to Japanese media reports, 5,500 people in the Nagasaki area alone admitted to downloading the malicious file, Computerworld reports.

The hackers also built in a second extortion attempt by adding three MP3 files to victims’ computers. Those files were offered for sale on another site for as much as 58 million yen, or $630,000.

“You can’t listen to those files,” Rik Ferguson, a senior security researcher with Trend Micro’s U.K. office, told Computerworld. “The second extortion attempt would claim, ‘Look, you downloaded these files too, and look how expensive they are.’”

According to the latest security report from Symantec, 92 percent of adult phishing scams, which took place in January, occurred over social networking sites. Often, after a victim enters their information into the phishing site, they are redirected to a scareware scam rather than pornography.

Scareware is a malicious program that masquerades as anti-virus software. It often claims a computer is infected with a significant number of viruses and the program needs to be downloaded immediately to clean the computer.