Not long ago, I was surfing the website of a popular local publication, reading stories and other items that interested me, when a new page suddenly appeared with an official-looking notice that said, “Attention! It is recommended that you download Flash Player to continue. To learn more, click OK.”
“Wait a minute,” I thought. “I already have Flash Player installed. In fact, I have the latest version of Flash Player installed, because I make sure it is always kept up to date.”
Just to confirm that my version of Flash Player was indeed the latest one available, I visited the makers of Flash Player, Adobe.com, where the latest versions may be found. I compared the number of the version I had installed with the latest version number shown on their website. Sure enough, I already had the latest version of Flash Player installed.
I knew then that what I was seeing was a con designed to trick me into installing a fake update which, in turn, would install computer viruses and other assorted bogus programs.
Not long after that, another official-looking “alert” popped up, telling me it was urgent that I download and install the latest version of Firefox, my favorite browser. I knew this one was fake, as neither Mozilla nor Firefox will interrupt a user’s session like this. Firefox updates itself automatically, and does not require that you download anything to accomplish that task.
Next, I sent an email to those in charge of the offending website and warned them they were infecting people’s computers with fake Flash Player and Firefox updates. I then decided to use one of my “test” computers, revisit the website and see what would happen to someone who actually installed the fake updates.
After clicking on a few news stories at the suspect website, the fake Flash Player update appeared again. This time, I clicked “OK,” saved the file to my hard drive, gave it a good double-click and sat back in amazement as something called “Flash Player Pro” proceeded to trash my computer.
To start with, the Flash Player Pro “setup wizard” downloaded a crazy package of junk software with names like Whitesmoke Community Toolbar, Conduit Search Protect, the GetSavin browser plugin, GetSavin popup ads, GetSavin Toolbar, GetSavin spyware, and hijacked my browser’s homepage, changing it to “Conduit.” It then installed the “Download Terms” app toolbar, PC Utilities Pro, PC Optimizer Pro, VAFPlayer and the DefaultTab Search Toolbar. While some of these are not viruses per se, they are all bogus programs designed to ultimately separate you from your hard-earned cash. Some of them installed without warning, some did not.
Then, the bogus “PC Optimizer Pro” program started a fake virus and registry scan, looking for alleged problems.
After displaying a ridiculously long list of alleged problems that had been found, it told me to click “Fix Now,” which opened a web page asking me to “register” before it would fix any of the so-called problems it had found. Of course, the registration process involved a credit card number, so I decided I’d had enough and bailed out.
Installing the fake Firefox update yielded similar results.
Sadly, the offending website owners, who I tipped off to the problem, were ignoring my warning that they were infecting visitors to their site. A week passed. Meanwhile, I started getting calls from local customers who had visited the same website but, not suspecting their friendly local website could be hacked to serve up malicious software, were horrified to learn their computers had been compromised, infected and rendered useless. Their computers needed to be repaired, which was not an inexpensive thing to do.
It took additional, more tersely-worded email warnings to make the hacked website’s owners pay attention and clean up their act, which they finally, almost a month later, did. This adventure made me wonder: should websites be held accountable if they are hacked and start infecting visitors, causing them to spend money repairing their computers? Better security practices employed by the website’s owners could have prevented the problem, but were not used. Who should be held responsible? What do you think?