Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/6/2011
05:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Dissect The Underground Economy Of Fake Antivirus Software

Scareware pushers see more than 2 percent sales conversion, make millions in profit -- and even offer refunds

Fewer than 10 percent of victims who fall for fake antivirus software scams attempt to get a refund for their purchases. And even more surprising: Fake AV firms actually do refund some of their victims.

That's what researchers at the University of California at Santa Barbara (UCSB) found in their recent investigation of three major fake antivirus operations. The three cybercriminal organizations can definitely afford to send the occasional refund to their victims because together these nefarious operations amassed $130 million in revenue, the researchers say.

UCSB researchers detailed in a new report the complex financial operations of these groups, which they studied after getting close to these secretive operations by capturing and studying their malware via honeypots and, ultimately, gaining access to their back-end servers via their hosting providers, which took down the malicious servers after the researchers alerted them to their activities. The researchers were able to capture snapshots of 21 servers. Of those, 17 were proxy nodes and four were back-end servers. They contained website source code, fake AV samples, and databases of AV installations, sales, refunds, and technical support conversations.

"We were interested in the economics of what drives fake antivirus. The economics of the underground [AV] are not well-known," says Brett Stone-Gross, a researcher who co-authored UCSB's report on the fake AV operations, which was a joint venture of the economics and computer science departments at the university. "We are probably the first to do a study on this."

The researchers were able to dig through databases that spanned from March 2008 through August 2010, when they engineered the access to the fake AV organizations' servers from their hosting providers. The server takedowns temporarily took a toll on the fake AV operators: It took one of them down for about nine months, Stone-Gross says. "That was a pretty significant setback for them," he says. "But they all came back online ... they bought new servers, reconfigured all of their proxies," and reconstructed their servers, he says.

The researchers tallied the losses from fake AV victims of the three operations: One firm's victims lost $11 million; the second, $5 million; and the third, $116.9 million. That meant about $45 million per year in income for AV1, $3.8 million for AV2, and $48.4 million for AV3. The AV operators charged their victims $49.95 to 69.95 for six-month licenses, and $79.95 to $89.95 for lifetime licenses.

Their actual conversion rates were between 2.1 to 2.4 percent, the UCSB researchers found. For example, AV1 installed around 8.4 million "trial products" that yielded 189,342 sales to the purported "commercial" version within three months, a 2.4 percent conversion rate. "I thought 2 percent was high," Stone-Gross says. "I was surprised that that many people buy fake AV."

Even more surprising was the refund practices of these criminal organizations. All three of the AV firms studied by UCSB gave out a limited number of refunds in order to appear legitimate. "At first I was surprised: Why would illegitimate businesses give refunds? But looking into it, it makes a lot of sense," Stone-Gross says.

The fake AV firms actually monitor refunds that customers request from their credit-card companies for the phony software. "When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time," according to the UCSB report. "However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms."

So they keep the refunds to a minimum in order to maintain their relationships with credit-card payment processors. AV1 issued 5,660 refunds, or 3 percent of its sales; AV2 issued 11,681 refunds, or 8.5 percent of its sales; and AV3 issued 151,553 refunds, or 7.1 percent of its sales. Most victims even got their credit or chargeback within seven days.

Payment processors play a key role in the fake AV operation. In some cases, these payment processors are well-aware of the fake AV business they are supporting. In one email exchange the UCSB researchers studied, for example, a payment processor told an AV firm to change its product name so it wouldn't end up on Google as fake AV. These go-betweens charge 8 to 20 percent per transaction for their services to "high-risk merchants" that accrue a higher number of chargebacks, Gross-Stone says.

Fake AV operations -- which are often run by organized criminal organizations -- rely heavily on affiliates, or "partnerka" groups out of Eastern Europe, who act as their salespeople and try to infect as many machines as possible. They make big bucks for it, according to UCSB, with commissions of 30 to 80 percent if they get the sale. One affiliate for AV1 took in $1.8 million in two months, for example.

"The affiliates are making millions as well -- these are really the guys driving the business," Stone-Gross says. "The amount of money these [fake AV] guys bring is pretty impressive. Some of these businesses are making close to $50 million a year."

These organizations are highly sophisticated and professional, too. "I saw invoices where they were paying an Indian call center to handle technical support for them. They have contracts with other third party vendors, and they know how to run these operations," Stone-Gross says.

The full report -- "The Underground Economy of Fake Antivirus Software" -- by UCSB researchers Stone-Gross, Ryan Abman Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, and Giovanni Vigna is available here for download (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5607
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...