Pop-Up Warning Messages:
Don't be fooled by these messages
OK. You know your computer, and everyone is concerned with
safety. You are browsing the Internet and suddenly you get a
message that your system was detected to be infected with
some malady. Do you wish to clean it? Of course you would,
if the problem was real. The issue is that there are many
pop-up messages that warn your machine is infected and offer
the promise of remediation when these false warnings are
actually a way for your system to become infected.
Users Being Duped
It is really a simple process. A pop-up window says you are
infected and offers you the chance to have your machine
protected. Anyone who ever had an infection or knew someone
who did and lost data from their computer would of course
want to preserve their machine. That is what these malicious
pop-ups want you to think. A recent study from the North
Carolina State University Psychology Department determined
that you simply can't count on most users to do the right
thing when they're faced with fake pop-up warning windows.
The research proved what many in IT departments nationwide
would have said if asked the question.
About The Study
The study looked at whether visual design cues, i.e. the entire
box being an active click and not just the OK button,
differences in the window for the pop-up, etc. in a
malicious warning message would give it away as a phony. The
study determined that most users can't detect the cues. When
presented with a fake message that their system was
compromised with an infection of some kind, the participants in
the study were fooled by phony system error messages 63
percent of the time. That means that they chose the OK
button in the message box, rather than closing it or
minimizing it, according to the study. Only 27 percent of
the participants closed out the warning box.
What was the difference?
The study used four types of pop-ups: a real Windows XP pop-up
and three fake ones. While they all looked much the
same, there were differences. The error text in all four
messages was the same: "The instruction at 0x77f41d24
referenced memory at 0x595c2a4c. The memory could not be
read. Click OK to terminate program." There were
differences though, even if they were subtle. The first
false warning message had a visible minimize button and
changed the cursor to a hand icon when the mouse hovered
over it. This would not happen with a normal error message.
The second warning had the same features, plus a flashing
background from black to white. The third false message
displayed a minimize button, the Internet browser status
bar, and changed the cursor to a hand icon when hovering
over the OK button.
What were the parameters?
According to the study published by the North Carolina State
University Psychology Department, over 40 undergraduates
participated in the study. They were using Windows XP
Service Pack 2, a MySQL database which was used to collect
participant responses, and a specially designed Internet
browser simulator. The participants were not told the actual
purpose of the study, but were told to rate 20
health-related Websites for clutter and readability on the
page via an online rating scale. During their evaluation of
those sites, the subjects were presented with the four types
of error messages. When the study was completed, the
researchers conducted a post-study survey of the
participants. They found that even though most of those who
participated were aware of the existence of fake pop-up
warning windows, they were still duped. About 12 percent of
participants said they clicked on the OK button in the
pop-up because the text told them to do so, and 23 percent
said they always click on OK whenever they receive an error
message, and over 40 percent of participants said they clicked OK
because they wanted to get rid of the box. Getting hit with
multiple warnings didn't do much to improve their ability to
distinguish the bad warning messages from the real ones,
with the majority of participants falling for the false error
messages over and over and over!
Is This Done in the Wild?
Yes, it is. Have you ever gotten a pop-up that says your
system has a virus or other malware and to click here to clean
it? If you have and your company does not have a device
in place like a WebGate from Mi5, then you have been the
subject of a false report. These reports often use the same
techniques as the old social engineering attempts to
penetrate your system. These pop-ups make you think they are
doing you a favor. An example is Vista Antivirus 2008. Vista
Antivirus XP 2008 and Vitae Antivirus 2008 are clones of
Windows Antivirus 2008, which is a rogue anti-spyware program.
This family of
products is usually installed by a Trojan infection which
may slip into your system through a security hole. Once
installed, the program begins displaying pop-ups and alert
messages of imaginary infections or threats to get you to
purchase the full program.
What can be done?
Read and pay attention. If you are in the IT department,
pass along the differences between real and fake messages to
your company. There are a lot of malicious programmers out
there who would like nothing better than to add your
machine(s) to the pool of those infected with their errant
code. Watch for information about this and other topics here
and on security web sites. If you have questions or comments
about this article or if there is anything new on the
subject, contact me. I would be happy to respond!
All product names / logos,
company names / logos are copyrights of their respective
holders. John Boline is an MCSE, CNE, USE and a member of
the Network Professional Association. The content herein is
often based on late-breaking events. Much of the material is
based on information from sources that are believed to be
reliable. Hagerman & Company, Inc. disclaims all warranties
as to the ultimate accuracy or completeness of the
information. Hagerman & Company, Inc. and its employees
shall have no liability for errors, omissions or
inadequacies in the information contained within this
article or for any interpretations thereof. The
recommendations, positions and best practice policies
outlined herein represent Hagerman & Company, Inc. initial
analysis and therefore are subject to change as further
information which may have bearing on these positions is
made available. The reader assumes sole responsibility for
the selection of these materials to achieve its intended
results. The opinions expressed herein are subject to change
without notice. Hagerman & Company, Inc. assumes no
obligation to update the forward-looking statements made in
this newsletter to reflect any change in circumstances,
after the date of publication. Entire contents © 2008
Hagerman & Company, Inc. All rights reserved. Reproduction
of this publication in any form without prior written
permission is forbidden.