Skip to content

Scareware: Malicious Scam Pretending to Help You

Fear is one of the strongest human emotions. It’s easy to use fear and panic to make people rush into regrettable decisions. How do cyber attackers use this to steal your personal data? What are some of the things you should be careful about?“Our latest scan has detected a significant number of viruses in your computer! We blocked your device to prevent further spreading.” Such a message can randomly pop up on your screen. It might seem legit – these messages usually have a simple technical design, often similar to designs used by well-known brands. After all, it offers to help you with potential danger which begs the question: Why should you refuse? “If you don’t want to lose your personal data, click here to remove all the viruses now.” Instead of helping you, this scam will do the exact opposite – install viruses on your device. At the very least.

What is scareware?

Scareware is one of the most common types of malware. It works on the basis of user's fear about his or her cybersecurity and convinces them to immediately download or even buy a solution. Sometimes, the software can just be useless and annoying. For example, it could just fill the victim’s browser with ads that just keep on popping up to generate profit for the attacker. This makes the user experience significantly worse.Scareware utilizes the strength of fear and quite commonly operates with false information. The attackers often send out emails claiming they got access to the victim’s webcam and got hold of sensitive picturesor videos. “If you don’t want this video to be shared on the internet, send $2000 to this bank account.” Many users will pay the ransom, especially if the attackers manage to involve some previously stolen information to make the email look even more realistic.

Famous examples of scareware

The first known record of scareware appeared in 1990. It wasn’t meant to steal data or money from users. It was simply meant to scare people in the original sense of the word. It was a program called NightMare and it was designed by Patrick Evans to attack Amiga computers. Every five minutes, the screen would turn into an image of a skull with a bullet hole with blood spilling out of it. Accompanying sound effects made it even spookier.


One of the most infamous cases of scareware started in the year 2010. Visitors of the website Star Tribune, the biggest newspaper in the Minnesota state, were presented fake ads for BestWestern Hotels, which led to websites with malware. Afterward, the victims received Windows support pop-ups selling fake anti-virus for 50 USD, which included even more viruses. The case was closed after eight years when the author of the scheme was arrested. By that time, he had made as much as 250,000 USD.In March of 2019, companies Office Depot and agreed to pay 35 million dollars as a settlement to FTC after it was revealed that they knowingly offered their customers a fake antivirus program using an alert of their devices being in serious danger. In this instance, as in many others, the intent was not to steal money from specific users, but the software was designed to search through people’s devices to find any valuable information about them, which was consequently sold to other companies. This became one of the most famous scareware schemes, partially because it was developed by well-known companies instead of anonymous hackers.

Cryxos trojan on the rise

When analyzing data from all the devices that we protect, we found out that a virus known as trojan Cryxos has been on the rise again. It scares users with pop-up windows claiming that the device has got a virus. It’s usually followed by a telephone number. If the victim calls the number, they get to speak with a “technician” who tries to trick them into paying for tech support. Other times, the “technician” tries to convince the victims to give them remote access to their devices in order to fix the problem. This would naturally only lead to the attacker having full control over the device.Another variant of Cryxos requested the user's email and his password in a seemingly legit service that was supposed to fix his or her device and prevent it from getting blocked. Some users were asked to fill in their phone numbers as well. That is already enough information for the attacker to sell on the dark web or misuse in other ways.

Only in June, we blocked thousands of threats linked to trojan Cryxos.


Scareware has been on the rise for a long time, and it’s clear that it’s not going anywhere. Not only does it allow attackers to blackmail users, but in the more complex forms, it’s capable of straight-up hacking the device and acquiring a large amount of personal data and information. This makes it a significant danger for individuals and for companies as well.