Attacks/Breaches
7/6/2011
05:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Researchers Dissect The Underground Economy Of Fake Antivirus Software

Scareware pushers see more than 2 percent sales conversion, make millions in profit -- and even offer refunds

Fewer than 10 percent of victims who fall for fake antivirus software scams attempt to get a refund for their purchases. And even more surprising: Fake AV firms actually do refund some of their victims.

That's what researchers at the University of California at Santa Barbara (UCSB) found in their recent investigation of three major fake antivirus operations. The three cybercriminal organizations can definitely afford to send the occasional refund to their victims because together these nefarious operations amassed $130 million in revenue, the researchers say.

UCSB researchers detailed in a new report the complex financial operations of these groups, which they studied after getting close to these secretive operations by capturing and studying their malware via honeypots and, ultimately, gaining access to their back-end servers via their hosting providers, which took down the malicious servers after the researchers alerted them to their activities. The researchers were able to capture snapshots of 21 servers. Of those, 17 were proxy nodes and four were back-end servers. They contained website source code, fake AV samples, and databases of AV installations, sales, refunds, and technical support conversations.

"We were interested in the economics of what drives fake antivirus. The economics of the underground [AV] are not well-known," says Brett Stone-Gross, a researcher who co-authored UCSB's report on the fake AV operations, which was a joint venture of the economics and computer science departments at the university. "We are probably the first to do a study on this."

The researchers were able to dig through databases that spanned from March 2008 through August 2010, when they engineered the access to the fake AV organizations' servers from their hosting providers. The server takedowns temporarily took a toll on the fake AV operators: It took one of them down for about nine months, Stone-Gross says. "That was a pretty significant setback for them," he says. "But they all came back online ... they bought new servers, reconfigured all of their proxies," and reconstructed their servers, he says.

The researchers tallied the losses from fake AV victims of the three operations: One firm's victims lost $11 million; the second, $5 million; and the third, $116.9 million. That meant about $45 million per year in income for AV1, $3.8 million for AV2, and $48.4 million for AV3. The AV operators charged their victims $49.95 to 69.95 for six-month licenses, and $79.95 to $89.95 for lifetime licenses.

Their actual conversion rates were between 2.1 to 2.4 percent, the UCSB researchers found. For example, AV1 installed around 8.4 million "trial products" that yielded 189,342 sales to the purported "commercial" version within three months, a 2.4 percent conversion rate. "I thought 2 percent was high," Stone-Gross says. "I was surprised that that many people buy fake AV."

Even more surprising was the refund practices of these criminal organizations. All three of the AV firms studied by UCSB gave out a limited number of refunds in order to appear legitimate. "At first I was surprised: Why would illegitimate businesses give refunds? But looking into it, it makes a lot of sense," Stone-Gross says.

The fake AV firms actually monitor refunds that customers request from their credit-card companies for the phony software. "When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time," according to the UCSB report. "However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms."

So they keep the refunds to a minimum in order to maintain their relationships with credit-card payment processors. AV1 issued 5,660 refunds, or 3 percent of its sales; AV2 issued 11,681 refunds, or 8.5 percent of its sales; and AV3 issued 151,553 refunds, or 7.1 percent of its sales. Most victims even got their credit or chargeback within seven days.

Payment processors play a key role in the fake AV operation. In some cases, these payment processors are well-aware of the fake AV business they are supporting. In one email exchange the UCSB researchers studied, for example, a payment processor told an AV firm to change its product name so it wouldn't end up on Google as fake AV. These go-betweens charge 8 to 20 percent per transaction for their services to "high-risk merchants" that accrue a higher number of chargebacks, Gross-Stone says.

Fake AV operations -- which are often run by organized criminal organizations -- rely heavily on affiliates, or "partnerka" groups out of Eastern Europe, who act as their salespeople and try to infect as many machines as possible. They make big bucks for it, according to UCSB, with commissions of 30 to 80 percent if they get the sale. One affiliate for AV1 took in $1.8 million in two months, for example.

"The affiliates are making millions as well -- these are really the guys driving the business," Stone-Gross says. "The amount of money these [fake AV] guys bring is pretty impressive. Some of these businesses are making close to $50 million a year."

These organizations are highly sophisticated and professional, too. "I saw invoices where they were paying an Indian call center to handle technical support for them. They have contracts with other third party vendors, and they know how to run these operations," Stone-Gross says.

The full report -- "The Underground Economy of Fake Antivirus Software" -- by UCSB researchers Stone-Gross, Ryan Abman Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, and Giovanni Vigna is available here for download (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web