
7/6/2011
05:56 PM
Researchers Dissect The Underground Economy Of Fake Antivirus Software

Scareware pushers see more than 2 percent sales conversion, make millions in profit -- and even offer refunds

Fewer than 10 percent of victims who fall for fake antivirus software scams attempt to get a refund for their purchases. And even more surprising: Fake AV firms actually do refund some of their victims.

That's what researchers at the University of California at Santa Barbara (UCSB) found in their recent investigation of three major fake antivirus operations. The three cybercriminal organizations can definitely afford to send the occasional refund to their victims because together these nefarious operations amassed $130 million in revenue, the researchers say.

UCSB researchers detailed the complex financial operations of these groups in a new report. They got close to the secretive operations by capturing and studying their malware via honeypots and, ultimately, gaining access to their back-end servers via their hosting providers, which took down the malicious servers after the researchers alerted them to the activity. The researchers captured snapshots of 21 servers: 17 were proxy nodes and four were back-end servers. They contained website source code, fake AV samples, and databases of AV installations, sales, refunds, and technical support conversations.

"We were interested in the economics of what drives fake antivirus. The economics of the underground [AV] are not well-known," says Brett Stone-Gross, a researcher who co-authored UCSB's report on the fake AV operations, which was a joint venture of the economics and computer science departments at the university. "We are probably the first to do a study on this."

The researchers were able to dig through databases that spanned from March 2008 through August 2010, when they engineered the access to the fake AV organizations' servers from their hosting providers. The server takedowns temporarily took a toll on the fake AV operators: It took one of them down for about nine months, Stone-Gross says. "That was a pretty significant setback for them," he says. "But they all came back online ... they bought new servers, reconfigured all of their proxies," and reconstructed their servers, he says.

The researchers tallied the losses from fake AV victims of the three operations: One firm's victims lost $11 million; the second, $5 million; and the third, $116.9 million. That meant about $45 million per year in income for AV1, $3.8 million for AV2, and $48.4 million for AV3. The AV operators charged their victims $49.95 to $69.95 for six-month licenses, and $79.95 to $89.95 for lifetime licenses.

Their actual conversion rates were between 2.1 and 2.4 percent, the UCSB researchers found. For example, AV1 installed around 8.4 million "trial products" that yielded 189,342 sales of the purported "commercial" version within three months, a 2.4 percent conversion rate. "I thought 2 percent was high," Stone-Gross says. "I was surprised that that many people buy fake AV."

Even more surprising were the refund practices of these criminal organizations. All three of the AV firms studied by UCSB gave out a limited number of refunds in order to appear legitimate. "At first I was surprised: Why would illegitimate businesses give refunds? But looking into it, it makes a lot of sense," Stone-Gross says.

The fake AV firms actually monitor refunds that customers request from their credit-card companies for the phony software. "When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time," according to the UCSB report. "However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms."

So they keep the refunds to a minimum in order to maintain their relationships with credit-card payment processors. AV1 issued 5,660 refunds, or 3 percent of its sales; AV2 issued 11,681 refunds, or 8.5 percent of its sales; and AV3 issued 151,553 refunds, or 7.1 percent of its sales. Most victims even got their credit or chargeback within seven days.
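The chargeback-reaction pattern the report describes is exactly the kind of signal a payment processor could look for in its own ledgers. As an added example (not code from the UCSB study or from this article), the following Python sketch buckets a merchant's chargebacks and refunds by week over a constructed sample ledger and flags weeks in which a chargeback surge is answered, within a week, by a matching surge in merchant-issued refunds; the ledger, the week granularity and the spike thresholds are all assumptions.

```python
from collections import namedtuple

# One ledger row: day = days since the start of the observation window; kind =
# "chargeback" (issued by the card company) or "refund" (issued by the merchant).
Event = namedtuple("Event", "day kind")


def weekly_counts(events, weeks):
    """Bucket chargebacks and refunds into calendar weeks of the window."""
    chargebacks = [0] * weeks
    refunds = [0] * weeks
    for e in events:
        week = e.day // 7
        if week >= weeks:
            continue
        if e.kind == "chargeback":
            chargebacks[week] += 1
        elif e.kind == "refund":
            refunds[week] += 1
    return chargebacks, refunds


def flag_reactive_refunds(events, weeks, spike=2.0, min_chargebacks=5):
    """Return weeks where chargebacks jumped to at least `spike` times the prior
    week's count and the merchant answered, that week or the next, with a refund
    surge of the same magnitude over its pre-spike level (thresholds assumed)."""
    chargebacks, refunds = weekly_counts(events, weeks)
    flagged = []
    for w in range(1, weeks):
        cb_base = max(chargebacks[w - 1], 1)
        if chargebacks[w] < min_chargebacks or chargebacks[w] < spike * cb_base:
            continue
        rf_base = max(refunds[w - 1], 1)
        if any(r < weeks and refunds[r] >= spike * rf_base for r in (w, w + 1)):
            flagged.append(w)
    return flagged


def constructed_ledger():
    """Constructed sample (not data from the UCSB study): a steady trickle of
    chargebacks and refunds, a chargeback surge in week 4, then a refund surge
    in week 5 as the merchant tries to push its chargeback rate back down."""
    events = []
    for week in range(8):
        start = week * 7
        events += [Event(start + d, "chargeback") for d in (1, 4)]
        events += [Event(start + d, "refund") for d in (2, 3, 5)]
    events += [Event(28 + i % 7, "chargeback") for i in range(10)]  # week 4 surge
    events += [Event(35 + i % 7, "refund") for i in range(12)]      # week 5 reaction
    return events
```

A merchant whose refunds do not track its chargebacks produces no flagged weeks, which is the point of the check: the signal is the coupling between the two series, not the raw refund rate.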

Payment processors play a key role in the fake AV operation. In some cases, these payment processors are well aware of the fake AV business they are supporting. In one email exchange the UCSB researchers studied, for example, a payment processor told an AV firm to change its product name so it wouldn't end up on Google as fake AV. These go-betweens charge 8 to 20 percent per transaction for their services to "high-risk merchants" that accrue a higher number of chargebacks, Stone-Gross says.

Fake AV operations -- often run by organized crime groups -- rely heavily on affiliates, or "partnerka" groups out of Eastern Europe, who act as their salespeople and try to infect as many machines as possible. They make big money doing it, according to UCSB, earning commissions of 30 to 80 percent on each sale. One affiliate for AV1 took in $1.8 million in two months, for example.

"The affiliates are making millions as well -- these are really the guys driving the business," Stone-Gross says. "The amount of money these [fake AV] guys bring is pretty impressive. Some of these businesses are making close to $50 million a year."

These organizations are highly sophisticated and professional, too. "I saw invoices where they were paying an Indian call center to handle technical support for them. They have contracts with other third party vendors, and they know how to run these operations," Stone-Gross says.

The full report -- "The Underground Economy of Fake Antivirus Software" -- by UCSB researchers Stone-Gross, Ryan Abman, Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, and Giovanni Vigna is available here for download (PDF).

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
