As prevalence of rogue antivirus attacks intensifies, Microsoft takes legal action against 'malvertisers'

Microsoft has taken a hard line on malicious online advertisers -- also known as "malvertisers" -- by filing five lawsuits against the suspected fraudsters in what the software giant claims are the first-ever legal moves against malvertising. The software giant's suits came on the heels of a rogue antivirus attack on the high-profile New York Times' Website, where what was purported to be a Vonage ad on the Grey Lady turned out to be malware that served readers fake warnings that their computers were infected, along with a link to "antivirus software" they must purchase to clean them up.

This type of rogueware is becoming more efficient and lucrative, and cybercriminals are pumping out new versions at a rapid-fire pace. According to recent research by PandaLabs, 374,000 new versions of rogueware samples were released in this year's second quarter -- and that number is expected to nearly double to 637,000 by the end of the third quarter. And according to PandaLabs, rogueware is now making the bad guys in excess of $400 million a year.

But can legal action really curb rogue AV and malvertising, especially if the perpetrators are hiding behind phony company names and aliases?

"Honestly, I don't expect it to slow down cybercriminals all that much. If they were scared, they wouldn't be creating and distributing the malware for profit," says Sean-Paul Correll, threat researcher and security evangelist for Panda. "It's definitely going to be an uphill battle for Microsoft and any future litigation seekers."

Microsoft isn't deterred, however. "Although we don't yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits," blogged Microsoft's associate general counsel Tim Cranton late last week. "The lawsuits allege that individuals using the business names 'Soft Solutions,' 'Direct Ad,' 'qiweroqw.com,' 'ITmeter INC.,' and 'ote2008.info' used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users."

The software vendor filed its lawsuits in King County Superior Court in Seattle, and is seeking damages and injunctions due to "unjust enrichment and for intentional interference with contractual relationships and business expectancies," Microsoft wrote in its legal filings.

Microsoft says its own investigators have uncovered "a number of leads" that could be used to subpoena service providers, companies, or people with knowledge of the real identities of the fraudsters.

Some rogue AV programs even "clean" a victim's machine so that they appear legitimate, at least until the victim's credit-card transaction goes through, according to PandaLabs. And the bad guys are automatically generating new, unique samples of this code that AV engines won't recognize. The distributors of these applications are typically in Eastern Europe and can earn commissions of 50 to 90 percent, according to researchers.

Researchers at Click Forensics, meanwhile, are drawing a connection between The New York Times' rogueware and the so-called "Bahama Botnet." In a blog posting last week, Click Forensics researchers said the NYTimes.com scam phoned back to a phony "Windows protection" domain with the same IP address as a computer associated with the botnet, as well as a similar Ukrainian scam.

"Visitors to the NYTimes.com site were greeted with a pop-up informing them their computer was infected and directed to an authentic-looking site where they could install a program called Personal Antivirus. Users duped into purchasing this phony software were then infected with a Trojan that gave control of their computer to an unknown third party that we now know to be part of a gang in the Ukraine," according to Click Forensics.

A Microsoft spokesperson says the New York Times incident underscores that "this kind of threat is not limited to Microsoft networks," but affects everyone who relies on online advertising.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
