Cybercriminals are trying to trick Windows users into paying £88 ($143) by claiming that they're running a counterfeit copy of the operating system, a security expert said today.

The scam, a kind dubbed "ransomware" for the way criminals try to extort money, poses as a message from Microsoft that alleges Windows is pirated. In reality, the user is infected with malware acquired after following instructions received in malicious email messages or through peer-to-peer (P2P) networks.

"This is not the first time cybercriminals have tried to pose as Microsoft in order to gain enough credibility so users are fooled and will pay money, said Luis Corrons, the technical director of Panda Security's lab. "But this time they are getting a bit greedy."

Previous ransomware attempts that leverage Microsoft's brand have demanded only $15 to $20 (a maximum of £12.50), said Corrons. In April, for example, Finnish antivirus vendor F-Secure reported a similar Windows activation scam that racked up charges by keeping users on hold to a high-priced long-distance number.

The malware and subsequent scam is being primarily pitched to German-language speakers, said Corrons.

Another prevalent scam affecting Windows users in Europe and Southeast Asia is the ongoing Microsoft support scam where users are cold-called by a company claiming to be Microsoft, who convince the user to have a security check on their computer, then remote-access the PC, show the user fake security alerts (malware they have just installed) and then offer to sell them anti-virus software.

The "black" screen of death

To enhance the believability of the scheme, the malware displays Microsoft's logo and the notorious black screen that Microsoft forces on counterfeit copies of Windows when its validation software recognizes a counterfeit.

According to Corrons, the on-screen instructions claim that unless the victim pays the ransom, all data on the machine will be lost. Local prosecutors will be notified unless payment is made within 48 hours, the scam adds.

"They have played two cards here," said Corrons, "saying they are Microsoft and that [prosecutors] are aware of the situation."

Both claims are fake, Corrons added. "After two days, nothing happens. You can still use your computer [and] no files are deleted," he said.

Payments must be made through one of two payment services relatively unknown in the US, but more widely used in Europe: Ukash and Paysafecard.

Panda has obtained the activation code that the scammers eventually send to paying customers. Like legitimate Windows activation codes, it's a 25-character alpha-numeric string: QRT5T-5FJQE-53BGX-T9HHJ-W53YT

"For all of you [who] wouldn't like to pay anything to these bastards, this is the code you can use to deactivate it," said Corrons.