The Office of Information Security wants to warn the campus community about an emerging threat known as scareware, a type of malware attack that claims to have found a virus on the victim’s device and urges the victim to download what they believe is anti-malware software. In reality, this “anti-malware” software contains malware programmed to steal the user’s personal data. Scareware is a social engineering attack that uses spoofing to create a sense of urgency, pressuring the victim to download the infected software.
Users typically encounter this scam as a pop-up ad that appears on the screen with a clear warning that the computer or its data has been infected with malware. These pop-ups are typically difficult to remove from the screen or device. The hackers want the user to struggle with removing the pop-up as much as possible, in the hope that the user will click on it to make it go away.
How to Spot Scareware:
- It appears as a pop-up that claims to come from a legitimate security software provider or your device’s operating system. For example, if you use an Apple device, it may use the Apple name and logo to appear legitimate.
- A key feature of scareware is a heightened sense of urgency: the message insists that the user must act immediately.
- Scareware ads use alarming language such as “More than 50 viruses have been found on this device.”
- Users typically struggle to remove the pop-up, and attempting to do so can generate more pop-ups.
 
How to Protect Yourself:
- Don’t click anything in the pop-up. This includes attempting to close or “X” out of the pop-up message. The best practice is to close the browser rather than attempt to click on the pop-up ad.
- Close the Browser: Use the Task Manager (Ctrl + Shift + Esc on Windows) or Force Quit (Command + Option + Esc on Mac) to forcefully close your browser and any related programs. Do not try to close the browser normally, as the scareware may prevent it or open new windows.
- Only use software from legitimate, respected, well-known providers.
- Install a pop-up blocker and spam filter to catch most threats, stopping scareware ads and malicious emails before they ever reach your device.
- Only access URLs that begin with HTTPS.
 
Actions to Take If You Believe You Are a Victim:
- Disable internet access on the affected device and disconnect it from any network, as well as from Bluetooth.
- Change your passwords immediately, starting with your UCSB password.
- Report the incident to UCSB Information Security by following the instructions on this page.

It is important to know that with Palo Alto Networks at the network edge and Trellix EDR on endpoints, UCSB already blocks many scareware attempts before students and staff ever see them. However, it is still crucial for the campus community to know how to react and respond to this type of scam if they encounter it.