On October 19, 2009, Symantec released its Report on Rogue Security Software. This report is very short (under 50 pages), yet it is full of extremely useful information on the rise of scareware. As well, Symantec's web site (linked to above) has a huge amount of supplementary information on scareware.

We have been talking about scareware since Daniel McCann's second post on the SmartSwipe blog. So, the facts that scareware is booming and that it is one of the most unethical scams in an internet that is full of scams should not be new.

Mainstream media picked up on one truly startling fact from the report. Symantec tracked 250 different separate pieces of scareware. And, they received reports that these 250 pieces of software had been attempted to be installed roughly 43 million times. 43 million attempted installations in the 12 month period from July 1, 2008 to June 30, 2009. Scareware is truly widespread and thousands of innocent people are falling victim every single day.

However, in my opinion, the most interesting aspect of the Symantec report is the attention the authors paid to the business of scareware. For example, many pieces of scareware are delivered through complex and lucrative affiliate programs. Affiliates can sign up on a distribution site, where they receive all the files and the technical support they need to carry out these scams. When the affiliates are up and running, they get paid for every successful installation. The actual payment varies according to the distributor and the country the software was installed in. So, scareware installed in the United States is worth more (to an affiliate) than scareware that is installed in Mexico.

To entice affiliates, one particular distributor stole a strategy from the world of multi-level marketing and reported exactly how much money its top affiliates made. At one point, its top affiliate was making over $300,000 a month infecting innocent people with useless (and ultimately harmful), fake security products.

Another part of the report goes even deeper into the crime model behind scareware. Many scareware distributors are so sophisticated that they have actually set up their own payment processors to avoid losing money in extra 'chargeback' fees!

All of this creates a very dangerous environment in which one scam can be used to commit many other cases of fraud. Let's pretend that I downloaded some scareware and decided to purchase a full license. The distributor of that product now has:

• software installed on my computer
• my credit card number
• my personal information (such as an active email account, my name, my address and other contact information)

Luckily, as alawys, there is hope on the horizon. While not all lawmakers have caught up to 21st century crime, some states have devised incredibly, strong laws to deal with these kinds of fraudsters. For example, Washington State has a Computer Spyware Act which makes it illegal to entice a user to download software under the (false) premise that it is required for the safe operation of his/her computer. Under this law, Washington State can shut down fraudsters and order them to pay restitution to their victims.

Detailed, on-point legislation like this is a necessary first step for combating cyber-crime. It is a huge step up from the maze of fraud charges and consumer protection statutes that some jurisdictions must navigate to shut down cyber-criminals.