‘Scareware’ - fake antivirus programs which attempt to fool the user into downloading malware, by warning him or her of a “threat” on their PC - is back, with a new, even more annoying trick.

V3 reports that the new strain of scareware reverses a “dropping trend” in fake AV with a new way of making money - blocking the user from using the internet until they pay for the 'product'.

Threatpost says, “Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.”

Scareware: Antivirus that isn't 'anti'

Rogue AV is still found - indeed ESET has been repeatedly ‘honored’ with fake scareware versions of  of its products - but Microsoft reports that in the past 12 months, scareware had fallen out of fashion.

Variants on the tactic are still used, but the classic scareware warning inciting victims to download AV products that are, in fact, malware, is less common.

On Android, ESET researchers discovered a Trojan packaged to look like antimalware products, “This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.”

Microsoft researcher Daniel Chipiristeanu says, “Lately we're seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families,  It's likely this has happened due to the anti-malware industry's intense targeting of these rogues in our products, and better end-user awareness and security practices.”

Chipiristeanu says that “education” has played a part - but new gangs have simply moved on to new methods to target victims.

Stops you using internet - until you pay

"The big malware "players" are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gapRogue:Win32/Defru has a different and simpler approach on how to trick the user and monetize on it. Basically, it prevents the user from using the internet by showing a fake scan when using different websites."

The malware targets 300 websites, and when a user tries to access them, they instead see the following fake message, “"Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene."

Naturally, the ‘cure’ is to pay, Threatpost says. Thus far, the malware largely targets Russian-speakers.

“An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click "Pay Now". This will lead them to a payment portal called "Payeer" (payeer.com) that will display payment information (see Figure 3). But of course, even if the user pays, the system will not be cleaned,” says Chipiristeanu.

“The user can clean their system by removing the entry value from the "run" registry key, delete the file from disk and delete the added entries from the hosts file. Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one.”