Winfixer Defrauds Ordinary Folks, Says Attorney

A California attorney claims he has unraveled part of the mystery behind a questionable software program and is prepared to go to court.

Attorney Joseph M. Bochner filed a class-action civil suit last September in California Superior Court in Santa Clara County against two men the suit alleges are behind Winfixer, a purported security software. The lawsuit names Marc J. Cohen of Florida, and was amended last week to include James Reno of Ohio as an additional defendant, Bochner said. It seeks compensation and a halt to the distribution of Winfixer, among other remedies.

The suit was filed on behalf of Beatrice Ochoa, a mother of two who paid US$39.95 for Winfixer after it badgered her with repeated pop-up warnings that her computer had security threats. The program eventually rendered her computer’s hard drive unusable, Bochner said. The suit counts another 100 anonymous victims.

"All of these people are being defrauded, and they’re just ordinary folks," Bochner said. "They buy a computer, they surf the Internet, they’re not doing anything unreasonable, and suddenly they’re defrauded."

Indecision over whether Winfixer is a legitimate product may be the reason it still pervades the Internet. Winfixer has been a moving target for security experts, at times going by the names ErrorSafe, WinAntiSpyware, WinAntiVirus, SystemDoctor and DriveCleaner.

Security software from vendors such as Sophos and Symantec will detect it, but give users the option of whether they want to remove it. Sophos calls it "adware" that hypes security threats and then implores users to buy the software.

Microsoft, however, pulled no punches last month when Winfixer ads began showing up on its instant-messaging program, calling it "malware," a shorter term for "malicious software." Experts have also seen it install itself on computers via security vulnerabilities in browsers or OSes.

However, the lawsuit could face hurdles in court. Websites are frequently registered under false names or under stolen identities, and the real owners can be difficult to trace, said Sandi Hardmeier, a computer security authority who writes about Winfixer on her blog "Spyware Sucks."

Proving the link to the alleged perpetrators and their connections to Winfixer all the way through to the effects on Ochoa’s computer will be very difficult, she said.

"Forensics is everything," she said.

Bochner acknowledged it’s hard work to track down fraudsters who use the Internet’s anonymity to commit crimes, but the criminals are real people who can be located. Bochner said he has compelling documentation to link the defendants named in the suit to Winfixer.

By researching IP addresses that hosted the versions of Winfixer and their owners, Bochner alleges he has uncovered a fraud based in the United States that has escaped law enforcement scrutiny.

Reno ran a Web hosting company called ByteHosting Internet Service with a postal address in Amelia, Ohio. Bochner said at one time, a support number for Winfixer also rang through to ByteHosting, which led in part to Reno being added to the suit.

Reno, along with other codefendants and ByteHosting, was sued by Symantec in 2004 for allegedly creating pop-up ads that told consumers their Symantec software was about to expire. The ads then directed users to fake software that looked similar to Symantec products. Court records show Reno and Symantec reached a confidential settlement in December 2004.

Cohen was named for his connections with, a now-defunct travel website, Bochner said. At one time, the Winfixer software would hijack the user’s browser and suddenly show, he said.

Efforts to reach Cohen and Reno for comment were unsuccessful on Wednesday and Thursday. However, Cohen’s attorney, Judy Silverstein, appeared on a San Francisco TV news program on Feb. 26 regarding Winfixer and her client.

Silverstein said, "[Cohen’s] position is he’s done nothing wrong. He’s done nothing improper or illegal, and he’s had no ownership interested in those websites."

Bochner said he has turned over some of his research to law enforcement agencies such as the U.S. FBI and Secret Service along with California authorities.

While researching IP addresses that linked to Winfixer, Bochner said he suddenly came upon a database detailing sales of Winfixer and the other versions of the programs.

The multi-gigabyte database—apparently left unsecured and open to the Internet—contained names, addresses, credit-card numbers, transaction amounts and the version of Winfixer that was sold, he said. For example, on Jan. 20, 2006, the data showed 2,351 sales to users worldwide, with an average transaction amount of $40, Bochner said.

The database covers transactions made from January 2005 through January 2006. One of the records shows a transaction made by someone who lives across the street from his law office, Bochner said. The data, while incomplete, allows a view of the fraud ring’s broad reach and scope, he said.

"I think this is far larger than anyone has ever expected," Bochner said. "It’s not inconceivable that these people have made $150 million or more over the last few years."

-Jeremy Kirk, IDG News Service

Copyright © 2007 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022