"ATTENTION!" says a box that pops up on your screen. "Security Center has detected malware on your computer." You click the scan button, and a few seconds later another screen pops up with the results. Several viruses, going by names like Backdoor:Win32 and Trojan, have been detected on your computer. Not to worry, the pop-up box assures you: For the low, low price of $49.95, you can buy software to delete these viruses.

The aforementioned is an Internet scam. And like so many Internet scams, it's difficult to tell who's behind it. But there's an advantage here, says Richard Boscovich, Microsoft's lead Internet security attorney. Where other "click here" pop-ups might only download a virus onto your computer and steal personal information or record keystrokes, these fraudsters want you to actually buy something. That means there's a money trail.

The Washington Computer Spyware Act makes it illegal to coerce someone to download software. A fake message about a fake virus requiring someone to download fake software to fix it falls into that category. But the law doesn't just make the act illegal; it allows a company like Microsoft to sue people who violate the act, claiming they damage the company's reputation as well as individual computer owners.

Microsoft doesn't know who is behind the messages, which they call scareware, so the lawsuits identify a series of "John Does." Once court proceedings commence, Microsoft will have subpoena power to obtain bank records to locate the account that siphons money from victims' credit cards. "We literally follow the financial trail—almost like a white-collar crime case," Boscovich says.

This sort of action is civil, not criminal. But in going after someone for up to $100,000 per violation, a company like Microsoft can actually act as its own enforcement agency. So far the Redmond software giant has filed seven such cases in the past month. Boscovich says they target the scams that represent themselves as somehow related to Microsoft—things like XPDefender or WinSpywareProtect.

The only catch is getting any money once the John Does are identified, says University of Washington law professor Anita Ramasastry. She explains that when a scam is being run offshore, it's almost impossible to collect a judgment. There are international laws that make it easier to get at someone abroad through the criminal system, but in this case Microsoft is pursuing its suits in civil court—which lacks extradition power.

"If they're based in Russia," Ramasastry says, "what chances do you have of actually being able to deal with them?"