Rogue Anti-Virus Victims Rarely Fight Back

krebsonsecurity writes "One big reason why rogue anti-virus continues to make major bucks for scam artists: relatively few victims ever ask their credit card company or bank to reverse the charges for the phony security software — even when the victims don't even receive the worthless software they were promised. I recently found several caches of data for affiliates of a rogue anti-virus distribution program, and the data showed that in one set of attacks only 367 out of more than 2,000 scammed disputed the charge. A second rogue anti-virus campaign scammed more than 1,600 people, and yet fewer than 10 percent fought the charges."
  • by Anonymous Coward on Tuesday July 27, 2010 @07:10PM (#33051780)

    I recently had a $10 charge from a company I'd never heard of. Slightly different than this story, it was not from a rogue antivirus, but just a plain-old unauthorized charge (out of the blue). I called my bank to dispute it, but they said I'd need to change my charge number if I disputed it. I decided I'd rather eat the $10 charge, than deal with the hassle of updating my card number (and updating everything that auto-bills it).

  • by Aliotroph ( 1297659 ) on Tuesday July 27, 2010 @07:11PM (#33051788)

    I always encouraged customers to call their credit card company's fraud number as soon as they were done with me if I learned they purchased one of those scams. How many followed up I don't know.

    My friend's dad also bought a rogue antivirus one day. He refused to believe it was fake. We quietly removed it and decided to let him deal with the consequences of giving his card number to con artists. Some people are just too much effort.

  • "Buyer Beware" (Score:5, Interesting)

    by mcrbids ( 148650 ) on Tuesday July 27, 2010 @07:20PM (#33051876) Journal

    Mostly people think that if they get scammed, that they were stupid or suckers and don't want to admit that they were duped. Calling the Credit Card company to reverse a charge for $40 is embarrassing, and they would rather just pay the "sucker tax" than go thru the effort, confusion, and embarrassment of disputing a charge.

    And this is true in those cases where they even know they can dispute a charge - how many card holders even know that they can do this? I probably had a card for at least 5 years before I found this out, and I would consider myself somewhat more informed than the average consumer.

  • Re:Too busy (Score:2, Interesting)

    by gcatullus ( 810326 ) on Tuesday July 27, 2010 @07:33PM (#33051952)

    They can't "just" reverse it because the customers' cards weren't stolen, the customers initiated the transaction, and they received the "merchandise".

    If anytime a customer felt wronged by a company he could just reverse the charges, it would be chaos. This is no different than using a credit card at a casino and losing your money there. Or using your credit card at a psychic, and being upset when you don't meet a tall dark stranger.

    Taken to absurdity, this would be like trying to reverse the charges for buying Norton AV, when you do get infected.

    These are all valid charges - now the customers should have spent a few hundred dollars more and taken their pcs to someone who could disinfect them, and spend a hundred or so more to buy proper av software. But this way they spent $80.

  • Re:Too busy (Score:4, Interesting)

    by painandgreed ( 692585 ) on Tuesday July 27, 2010 @07:44PM (#33052040)

    That's probably because people are too busy or too lazy. I would vote most as lazy, but probably busy to see the Cc to see whether they were scammed, if they are smart enough to realize that they have been scammed in the first place.

    Probably more like too ashamed. If they don't figure it out pretty quick, when they eventually get somebody like me to see why their problem is not going away or explain to them that they bought snake oil, they are usually too embarrassed to do anything more. I know I have lost my money before to an outright (non-internet) con and a large reason I didn't go try and get it back was for feeling stupid for falling for it to begin with. Actually, now I don't actually miss that money and look at it as $20 well spent. Every time since then that somebody comes up to me and proposes something I think is a con (several times, the exact same scam), I can remember back to that $20 I lost in college, laugh and dismiss them without feeling bad (which is a prime motivator they use many times). Many times when I explain to people what has happened, I tell them to think about that money any time they are asked to pay for any transaction they didn't initiate to begin with and not fall for it again. Sure, that lets those people get to keep the money, but even if they did get it back and shut that person down, there would just be another and there are always more people to scam. Most internet scams were scams long before the internet and run via snail mail or even going door to door. It's probably better for them to lose that money once in a lesson that they will never repeat, than feel safe that they can get that money back otherwise.

  • by Anonymous Coward on Tuesday July 27, 2010 @07:45PM (#33052046)

    We see a lot of customers coming in with fake antivirus installed on their machines, and the customers sincerely believed they were purchasing a valid piece of software. I think the largest problem when I see people encountering this scenario, is that typically:

    1.) They don't realize they've actually been scammed. Pop ups start appearing on their computer, and they receive an offer to purchase "antivirus" and fix the problem. They now think they're protected, but continue to have problems.

    2.) They tried calling Visa/MC/Discover and couldn't convey why they were charged for a bogus product. Some of the "EULA" agreements that come with these fake antivirus products actually state in the fine print that the software product does nothing. People click "OK" on anything, and legally agreed to pay for a piece of software that doesn't do anything.

    3.) Don't know how / Don't care. Whatever. Take the computer into a shop and have someone fix it, hopefully $60 of fake antivirus is enough to jog my memory into being a little more careful on the internet.

    I've even seen plenty of customers willingly disabling antivirus / firewall products because they are "inconvenient" when trying to do other things on the computer. Fake antivirus and antimalware really is quite a genius scam, but it doesn't surprise me that a lot of people lose to it, and rarely ask for their money back. Some of these people don't even know what malware IS.

  • Why scam? (Score:3, Interesting)

    by hendrikboom ( 1001110 ) on Tuesday July 27, 2010 @08:23PM (#33052366)

    What puzzles me is why the scammers don't download onto their "customer"'s machine one of the open-source, free antivirus programs. Then the customer can't complain that they got nothing. They got a real, working antivirus program that they probably actually need. Or are the scammers determined to do nothing that could be called legit?

  • by gcatullus ( 810326 ) on Tuesday July 27, 2010 @09:17PM (#33052684)

    Visa/Mastercard are the cartel bosses, but the credit card processing is being done by ISOs such as First Data, RBS Lynk, etc. Anyone with 20 grand or so can get registered as a merchant processor and start trying to sell merchant processing. Depending on how big a portfolio of business you write, you can get better rates from the credit card networks. Then you can go out and sell a "cost plus" deal that is allegedly tied to interchange fees. But you can hide a percent in obtuse statements and a couple of points here and there. Then you are making an easy percent just for the privilege of connecting a merchant with a credit card network. Credit card processing actually makes the rogue antivirus software business look ethical.

  • related- (Score:5, Interesting)

    by Trailer Trash ( 60756 ) on Tuesday July 27, 2010 @09:35PM (#33052778) Homepage

    I once read an article about a guy who "sold" penis enlargement pills through spamming. I put "sold" in double quotes because he said he never shipped a product, and didn't even have any to ship if he wanted to. His reason? "Who's going to call their credit card company and tell them they didn't get their penis enlargement pills that they ordered?"

    While not at the same level, I'd hazard a guess that it's the same here.

  • by aussersterne ( 212916 ) on Tuesday July 27, 2010 @09:54PM (#33052842) Homepage

    they don't understand enough about technology / computing to figure it out. I've helped several people with Windows reinstalls (just did it again this weekend, in fact, on a really nice, new Dell laptop that this person was ready to trash and replace after just a year) who fell for this sort of thing and fully thought that through the magic of internets and computers, their "purchase" had done SOMETHING for their computer, but it just wasn't enough to outweigh the terrible destruction already wrought by Teh V1rus!

    In this particular case, the person got a fakeAV popup that installed malware that generated popups. This caused him to start searching his email for "antivirus," remembering a SPAM he'd seen, and he ended up with AV fakeware Cc: charges. He didn't actually realize this, assuming that the AV fakeware had silently, invisibly done its best but the original virus was "too strong" (two pieces of malware now spitting popups at an alarming rate and disabling various things) and he went out into Googleland looking for fixes, all of which were no doubt too technical for him and all of which he attempted to follow to a 'T' deleting a bunch of random files from C:\WINDOWS\SYSTEM and C:\WINDOWS\SYSTEM32 in the process and borking his system entirely.

    When he came to me saying "So-and-so tells me you can fix computers, so I thought I'd bring mine to you before I throw it out, it's been completely destroyed by a virus..." he was sure that it was all down to the horrible virus he'd "caught" and that he'd been valiantly battling it for a week, rather than single handedly destroying his own Windows install at a record pace.

    It was too f'ed up for system rescue, so I just wiped and reinstalled. He was AMAZED that I brought it back to life, and in just an hour or so. He was sure that I was the absolute best virus fighter in the universe. Told me I should go work for the Best Buy Geek Squad (uhh, thanks...) because they need people like me.

    It's not that he's a total idiot, but computing in anything but buzzwords and marketing soundbytes remains a specialized set of skills that take time and study (and an awareness of where the right resources can be found) to develop. Most non-geeks just assume it's all due to Teh V1rus!, and the press and their coverage do little to add nuance to this notion, not to mention manufacturers and retailers that are only happy to sell the same person the same system every six months for a fresh $1k after they "got got by Teh V1rus!"

  • Re:Too busy (Score:2, Interesting)

    by Cylix ( 55374 ) * on Tuesday July 27, 2010 @09:54PM (#33052844) Homepage Journal

    That is a bit too many steps in my case.

    I had a hotel toss me out for some issues. We had a bit of a disagreement regarding noise and my suggestion was to move either my room or my neighbor. Well they wanted to be smug about the whole thing and that is fine. However, you don't get to keep my money and throw me out.

    Douche-bag night manager decided he would be really clever and charge my card regardless. I noticed the charge a few days later and called up my credit card provider. Turns out they had several instances already just like mine. They said they would reverse the issue and told me to have a nice day.

    Literally it was a minute call to initiate a reverse. The hotel itself wasn't exactly cheap either and I suspect senior douchiness had pulled this scam many times.

  • Re:Too busy (Score:5, Interesting)

    by Runaway1956 ( 1322357 ) on Tuesday July 27, 2010 @10:01PM (#33052890) Homepage Journal

    I hear the runaround thing. I was looking at one of those federal grant sites some time ago. Had to pay $1 or so to get access to some stuff, so I paid. I THOUGHT that I had read everything, I paid the small fee, downloaded some documents, read them, decided the place wasn't what I was looking for. The following month, I had a charge of about $40 on my card.

    The credit card company refused to halt the transaction! Utter asswipes! They claim to be concerned with security, but when a customer calls in to say, "I'm being ripped off!", they do nothing.

    I got better response from the scammers when I called them. One call was all it took for them to agree NOT to charge me any more.

  • Hmm, I also work at a local PC repair shop, and I disagree with your assessment of all anti-malware software. Malwarebytes' real-time protection has done wonders for some of my customers. The porno-watchers come in more frequently than anyone else, and one guy in particular was in literally every month. Since selling him a $25 MBAM license we haven't seen him since. Now, that may not appear good for business, but I think that what's good for the customer is usually good for business in the long run.

    Now, I agree most anti-malware software is junk. Ad-Aware, Webroot, etc. are all quite antiquated, but MBAM is relatively new and is still at the edge of the arms race. When coupled with the latest NOD32, I can usually keep a family PC clean for at least a year or more. The problem is when people disable it manually...

  • by Anonymous Coward on Wednesday July 28, 2010 @06:23AM (#33054460)

    Yup, mod parent up. I work for a consumer security software vendor. A large percentage of our user base is composed of what most here on Slashdot would deem to be 'blithering idiots' when it comes to computers. In order to serve this large and (unfortunately) influential demographic, we purposely dumb down the main UI to the point that it's virtually devoid of any useful information beyond "green - good; red - bad". We figure if the user is smart enough to click on something that says "Settings" they've already identified themselves as part of a more sophisticated market segment. I kid you not.

    We rarely hear anything positive from users who've been protected from an attack, generally because they don't notice that anything bad was thwarted, but we often get emotionally charged feedback blaming us when some zero-day grayware anti-virus product (grayware because they often utilize ClamAV engine to appear legit) gets installed on their system -- usually with the user's explicit permission. Imagine something along the lines of 'THIS IS THE WORST PIECE OF CRAP PRODUCT EVAR WHY DOES IT SUCK SO BAD I HATE YOU AND NOW YOU MADE ME MISS MY FAVORITE TV SHOW TO FIX MY COMPUTER. I HATE YOU.'

    Anyway, given what I've learned first hand about the masses of computer users out there, I would find it extremely plausible that the type of individual who goes so far as to give up his or her credit card details at the mere sight of a rogue av pop-up is actually quite likely not to have the necessary faculties to have the charges reversed -- whether that's due to their inability to recognize they've been scammed in the first place, inattention to telltale signs of fraud on their credit card bill, inability to navigate their bank's automated phone system, lack of perseverance to follow through or otherwise.

    Oh and before you reply that it's our job to protect the idiots from whatever is out there, so they should never be left in a position to get infected with rogue av... believe me this game of cat and mouse we play with the bad guys has gotten extremely tricky. Behavioral techniques don't work well when the program does nothing malicious code-wise, but instead merely social engineers its way to your credit card. It's gotten to the point that we're basically mistrusting any .exe we haven't seen before because it protects the masses from polymorphic zero-days, and social engineering scams -- though you might be able to imagine what developers think about that functionality (of course they're usually in the clueful market segment and can disable it.)
