Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/6/2011
05:56 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Researchers Dissect The Underground Economy Of Fake Antivirus Software

Scareware pushers see more than 2 percent sales conversion, make millions in profit -- and even offer refunds

Fewer than 10 percent of victims who fall for fake antivirus software scams attempt to get a refund for their purchases. And even more surprising: Fake AV firms actually do refund some of their victims.

That's what researchers at the University of California at Santa Barbara (UCSB) found in their recent investigation of three major fake antivirus operations. The three cybercriminal organizations can definitely afford to send the occasional refund to their victims because together these nefarious operations amassed $130 million in revenue, the researchers say.

UCSB researchers detailed in a new report the complex financial operations of these groups, which they studied after getting close to these secretive operations by capturing and studying their malware via honeypots and, ultimately, gaining access to their back-end servers via their hosting providers, which took down the malicious servers after the researchers alerted them to their activities. The researchers were able to capture snapshots of 21 servers. Of those, 17 were proxy nodes and four were back-end servers. They contained website source code, fake AV samples, and databases of AV installations, sales, refunds, and technical support conversations.

"We were interested in the economics of what drives fake antivirus. The economics of the underground [AV] are not well-known," says Brett Stone-Gross, a researcher who co-authored UCSB's report on the fake AV operations, which was a joint venture of the economics and computer science departments at the university. "We are probably the first to do a study on this."

The researchers were able to dig through databases that spanned from March 2008 through August 2010, when they engineered the access to the fake AV organizations' servers from their hosting providers. The server takedowns temporarily took a toll on the fake AV operators: It took one of them down for about nine months, Stone-Gross says. "That was a pretty significant setback for them," he says. "But they all came back online ... they bought new servers, reconfigured all of their proxies," and reconstructed their servers, he says.

The researchers tallied the losses from fake AV victims of the three operations: One firm's victims lost $11 million; the second, $5 million; and the third, $116.9 million. That meant about $45 million per year in income for AV1, $3.8 million for AV2, and $48.4 million for AV3. The AV operators charged their victims $49.95 to 69.95 for six-month licenses, and $79.95 to $89.95 for lifetime licenses.

Their actual conversion rates were between 2.1 to 2.4 percent, the UCSB researchers found. For example, AV1 installed around 8.4 million "trial products" that yielded 189,342 sales to the purported "commercial" version within three months, a 2.4 percent conversion rate. "I thought 2 percent was high," Stone-Gross says. "I was surprised that that many people buy fake AV."

Even more surprising was the refund practices of these criminal organizations. All three of the AV firms studied by UCSB gave out a limited number of refunds in order to appear legitimate. "At first I was surprised: Why would illegitimate businesses give refunds? But looking into it, it makes a lot of sense," Stone-Gross says.

The fake AV firms actually monitor refunds that customers request from their credit-card companies for the phony software. "When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time," according to the UCSB report. "However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms."

So they keep the refunds to a minimum in order to maintain their relationships with credit-card payment processors. AV1 issued 5,660 refunds, or 3 percent of its sales; AV2 issued 11,681 refunds, or 8.5 percent of its sales; and AV3 issued 151,553 refunds, or 7.1 percent of its sales. Most victims even got their credit or chargeback within seven days.

Payment processors play a key role in the fake AV operation. In some cases, these payment processors are well-aware of the fake AV business they are supporting. In one email exchange the UCSB researchers studied, for example, a payment processor told an AV firm to change its product name so it wouldn't end up on Google as fake AV. These go-betweens charge 8 to 20 percent per transaction for their services to "high-risk merchants" that accrue a higher number of chargebacks, Gross-Stone says.

Fake AV operations -- which are often run by organized criminal organizations -- rely heavily on affiliates, or "partnerka" groups out of Eastern Europe, who act as their salespeople and try to infect as many machines as possible. They make big bucks for it, according to UCSB, with commissions of 30 to 80 percent if they get the sale. One affiliate for AV1 took in $1.8 million in two months, for example.

"The affiliates are making millions as well -- these are really the guys driving the business," Stone-Gross says. "The amount of money these [fake AV] guys bring is pretty impressive. Some of these businesses are making close to $50 million a year."

These organizations are highly sophisticated and professional, too. "I saw invoices where they were paying an Indian call center to handle technical support for them. They have contracts with other third party vendors, and they know how to run these operations," Stone-Gross says.

The full report -- "The Underground Economy of Fake Antivirus Software" -- by UCSB researchers Stone-Gross, Ryan Abman Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, and Giovanni Vigna is available here for download (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29512
PUBLISHED: 2021-05-14
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read ...
CVE-2021-29554
PUBLISHED: 2021-05-14
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/t...
CVE-2021-32817
PUBLISHED: 2021-05-14
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is...
CVE-2021-32818
PUBLISHED: 2021-05-14
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application tha...
CVE-2021-32819
PUBLISHED: 2021-05-14
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream...