The US Federal Trade Commission (FTC) is celebrating what it calls a “huge victory for consumers”, after an appeal court threw out an attempt to overturn a massive fine imposed on Kristy Ross, a former representative of scareware marketing firm Innovative Marketing Inc. (IMI) which pushed fake security products such as WinFixer and XP Antivirus.
Ross was the last hold-out in the case after several others accepted punishments handed to them by courts, including an $8 million fine imposed on Marc D’Souza, described by the FTC as “one of the key defendants behind the scam”.
The case got under way in late 2008 when the FTC brought an action against the Belize-registered IMI, along with fellow scareware marketer ByteHosting Internet Services, LLC, operating out of Ohio.
The action requested a restraining order preventing the firms, which operated under numerous aliases in many countries, from pretending to have scanned people’s computers and found security problems.
This technique is the go-to trick for scareware scammers, also referred to as “rogue anti-virus”, which usually manifests as a pop-up that warns victims of spurious infections found on their system. They are then offered a cleaning utility for a fee, which is usually around the same price as real consumer-grade security products.
Of course the infection is bogus – the utility is usually nothing more than a flashy front-end that mirrors the standard look and feel of real products – and the fee goes into the pockets of the scammers.
In some cases, more aggressive pop-ups are used, with features that make them hard to close. In other cases the “anti-virus” product actually includes backdoors or other malicious features.
In the case of IMI and ByteHosting, by the time the FTC got their restraining order in place, over a million victims were thought to have been hit by the scam.
After the imposition of the order, a judge imposed contempt-of-court fines of $8000 per day on IMI for failing to cease its scamming operations and cooperate with the court.
The D’Sousa fine was announced in early 2011, but Ross held out until October 2012, denying playing a major part in the scam and claiming she was no more than a low-level employee at IMI.
Courts rejected this claim, finding that as well as personally funding company expenses and overseeing large numbers of employees, she “had a hand in the creation and dissemination of the deceptive ads”, according to court documents.
This led to the imposition of the massive $163 million fine against Ross in October 2012, the size of the fine no doubt in part a punishment for Ross’s not-guilty plea dragging the case on over several years.
Appealing this judgement on several grounds added more than another year to that count, but the appeal has been finally rejected and the huge fine upheld.
The FTC’s tough action against scammers and cybercrooks is designed to both punish wrongdoers and discourage others from following in their footsteps, and this case with its heavy fines may have had a major impact on scareware scams, which were ubiquitous around five years ago but tailed off considerably after the takedown of IMI and ByteHosting.
We still see occasional minor outbreaks though, and the techniques used have evolved into numerous other related scams, including the “FBI Warning” scam which uses bogus popups accusing victims of unspecified digital crimes and threatening exposure and legal action if they do not pay an on-the-spot “fine” to the scammers.
This variant of the scam made headlines a while back in the case of the man who turned himself in to police, admitting to hoarding child-porn images after receiving one of these bogus “warnings”.
Scareware techniques also morphed into ransomware, which steals or encrypts personal files and demands a payment for their safe return, exemplified by the highly-damaging CryptoLocker malware.
We can only hope that future actions by law enforcement and bodies like the FTC will have a similarly disruptive influence on these modern variations on computer scare scams.