Follow the Money: The Economics of Fake Anti-virus

Danny Bradbury traces the branches of the fake anti-virus tree
Danny Bradbury traces the branches of the fake anti-virus tree

 It’s a snowy day in a sleepy Ohio backwater. A grandmother starts up her two-month-old PC, which was a Christmas present from her children. As she surfs to the card game site where she regularly plays Rummy with faceless but friendly users across the US, an alert appears. Her machine has been infected by a virus, and it will delete her data unless she pays for it to be cleaned. Panicking, she enters her credit card number, without realizing that she’d been infected by the very thing that she’s trusting to fix her problems. She has just been duped by a fake anti-virus scam.

Fake anti-virus schemes covertly install the software using traditional attacks, such as drive-by downloads that manipulate an exploit in web browsers. Once the software is on the machine, it dupes the user – claiming to have identified vulnerabilities – and asking for the user to purchase it to initiate a fix.

Evolving Threats

Fake anti-virus software has evolved considerably over the years, says Chester Wisniewiski, senior security advisor at Sophos. He remembers seeing fake anti-virus software appearing in the early 2000s, using logos that mimicked the red shield icon used in Windows security alerts. “That fit into what people knew to be security and Microsoft, as far as color and look went”, he says.

The economic benefit from fake anti-virus scams feeds the quality of the product. “As they gain an economic advantage from it, they can invest in graphic designers to improve the UI [user interface], and do translations into different native languages”, Wisniewiski observes.

Consequently, products appear with more sophisticated animations that fool users into thinking that the system is being scanned for viruses. This in turn makes the product more plausible, which fuels sales.

Distribution Mechanisms

How do these products get distributed? One of the most popular approaches is the affiliate model, which is common among Russian fake anti-virus groups, where they are known as ‘partnerka’. The writers of the fake anti-virus products commission the partnerka to distribute it, which makes it possible to dramatically ramp up the number of installations.

Each party is then also able to maintain plausible deniability about the other’s methods; the malware company can claim ignorance over the affiliate’s methods, while the affiliate can disavow the functionality of the software. 

Affiliates will use a range of techniques, including blackhat search engine optimization (‘SEO poisoning’). Stuffing search engine results with links to rogue anti-virus software will send unwitting visitors to websites that infect computers with the fake anti-virus software. Spam and even website advertising are other common methods used by partnerka to distribute the product.

The partnerka are structured hierarchically, says Wisniewski, with affiliates commissioning each other for additional sales. “They’re run like Amway”, he says. “Someone at the top gets 50% of everything. Then you have to recruit under you.”

Share and Share Alike

Fake anti-virus firms use the same partnerka that many other criminals do. Brett Stone-Gross, principal cyber-threat researcher at internet analytics firm Neustar, is also the author of a University of California Santa Barbara academic paper on the economics of fake anti-virus. He compared the partnerka used by several fake anti-virus groups with those used by the Spamit/Glavmed Canadian pharmacy crime gang.

“There’s a 43% overlap of affiliates between them and the rogue anti-virus guys”, Stone-Gross says.

Others see fake anti-virus as the final part of a chain of exploits and scams targeting a victim. “I always think of it as getting hold of a piggybank”, says Kevin Haley, director of security technology and response at Symantec. “You shake it and get every nickel, dime, and penny out of it. Then, the last thing you’re going to do is scam their money with fake anti-virus programs. This has been very successful for the criminals behind it, and so we see a lot of it.”

Revenue Models

Stephen Oakes, special agent with the FBI, identifies two revenue models associated with the partnerka: profit sharing and pay-per install.

Each has its strengths and weaknesses. “With profit sharing, not only does the installation have to be successful, but the victim also has to go through the step of purchasing the rogue anti-virus”, he points out.

The affiliates’ alternative is to charge for each installation of the fake anti-virus software, rather than taking a percentage of revenue from users that fall for the scam and make a payment with their credit card.

A pay-per-install model makes it easier for the affiliate to calculate potential profit, and it also makes it less risky to earn more money by installing several different products – such as spyware and malware – along with the fake anti-virus. Because they get their money up-front based on the install, they don’t have to worry about trashing the target computer with too many malware infections before the user pays up.

“If you’re operating on a profit-sharing model, you have to ensure that the computer you infect maintains the functionality of the system”, Oakes explains. “If you’re being paid per install, you don’t care about what happens to the computer afterwards.”

Processing Payments

Just as the partnerka supporting the fake anti-virus industry serve multiple customers, so do another critical group of players in the value chain: the payment processors. These are the groups that process payments from victims. They channel payments made via the legitimate credit card companies into merchant accounts created for the fake anti-virus writers.

“There are several dozen small payment processors that handle these transactions. Those are responsible for the majority of the fraud”, says Stone-Gross.

The relationship between fake anti-virus firms and payment processors is complex. On the one hand, at least some of the processors are aware of and encourage the fake anti-virus business because of the revenue that it generates. But they will block merchant accounts if customers initiate chargebacks on too many transactions.

Avoiding Chargebacks

A chargeback occurs when a customer, realizing that they have been duped, instructs the credit card company to reverse the transaction. If a processor sees too many chargebacks, they will block the offending merchant account, and Stone-Gross explains that it is difficult for criminal companies to get new bank account details so that they can set up a new merchant account with the processor.

The fake anti-virus companies have tricks to mitigate that problem. “They dilute the number of chargebacks. If they have 50 different merchant accounts, it reduces what it looks like to the payment processor, or even to the credit card company”, he says.

You’d think that every customer would eventually initiate a chargeback for the rogue software when they realize that it’s a fake, but less than 10% do. One way for fake anti-virus companies to minimize the potential for chargebacks is to convince the target that they are using a legitimate product, for at least long enough to make a chargeback untenable.

Fake anti-virus companies will sometimes set up bogus technical support operations to try and convince customers that they are being assisted. “One of them paid $6–7000 per month for technical support, but that is far better than dealing with a number of chargebacks and refunds”, Stone-Gross points out.

Choking Off the Processors

One pivotal fake anti-virus payment processor has traditionally been ChronoPay, a Russian operation operated by Pavel Vrublevsky. This company was associated with criminal activity for years, but it wasn’t until it launched a DDoS attack against a competitor that the Russian government took action.

Wisniewski says that in addition to operating a payment processor, Vrublevsky also ran his own fake anti-virus venture. “He was arrested on June 22, 2011, and on June 23, all the Mac anti-virus activity disappeared and we never heard of it again”, he says. “So, it looks like he was behind that.”

Aside from targeting the fake anti-virus companies themselves, taking down the payment processors seems to be the best way to put a chokehold on fake anti-virus scammers.

Even more effective would be to block the payment processors by engaging the legitimate credit card companies more directly, adds Stone-Gross. “They have to do business with a credit card company. If Visa, Mastercard or Amex were more vigilant at analyzing the transactions that are pushed through these payment processors, they would detect a lot of the fraud.” Sadly, he was unable to get a response from the credit card companies.

An Antidote to Fake Anti-virus?

Will fake anti-virus ever end? Infection activity fluctuates from month to month. This is due to new groups getting involved, and deploying new, innovative infection methods, notes Symantec’s Haley, who says that he’s currently seeing 100,000–200,000 infections per day.

Wisniewski says that whenever a figure like Vrublevsky disappears, there will be a big dip in activity. Someone else, however, inevitably steps in a few months later to pick up the slack. Overall, he says that activity halved in 2011 compared to the previous year, but he still highlights fake anti-virus as the most popular form of scam.

The victims are still the ones that can afford it the least. They’re the weak, and the non-computer savvy. Among them are the elderly, who already have a tendency to worry. “It’s the death of a thousand cuts”, says Wisniewski. The perpetrators are making hundreds of millions of dollars, all from relatively small amounts of money.

“To my grandma, $79 is a big deal”, he concludes. “The vulnerable people are the ones that get hit, just as with every crime.’

What’s Hot on Infosecurity Magazine?