Friday, September 25, 2015

Fake Anti-Virus Software: The Scam is Real


                My name is Crystal Hansen and this is a class project on the article “The Underground Economy of Fake Antivirus Software”, an investigative report on a type of scareware: fake anti-virus software.  The article was a collaborative effort between the Dept. of Computer Science and the Dept. of Economics at the University of California, Santa Barbara, with funding from the Office of Naval Research, the National Science Foundation, and Secure Business Austria. 
                The majority of their investigation revolved around the financial side of three fraudulent anti-virus companies that were surprisingly sophisticated in their methods.  This would have to be so, though, wouldn’t it, for the venture to be lucrative and stay lucrative.  The companies could not be revealed by name due to ongoing investigations that I’m sure will result in some criminal charges.  Unfortunately, not everyone involved is likely to be caught, and as long as there’s still a market for fraud, more will “pop up” to take the places of the ones that get shut down.  I do believe that additional research, education of computer users, vigilant credit card companies, and more sophisticated FREE anti-virus and browser plug-ins will see this tapering off, thanks in part to this article.
                The researchers obtained access to the back-end servers of three major fraudulent anti-virus companies.  They used Anubis, a malware analysis sandbox, to identify signatures that distinguished fake AV samples, and with that evidence in hand they contacted the providers hosting the servers these companies were using, who handed over data that was then analyzed and went into the making of this one-of-a-kind article.  Anyone can go to https://anubis.iseclab.org/ and have a suspicious Windows or Android program analyzed for malicious behavior, or submit a URL and receive a report on exactly what the page does when loaded in Internet Explorer.  Some pages contain malicious scripts, but we will get to that in a bit.
                The internet can be a dangerous and costly place for the uninformed and trusting, and these people are often the targets of tech-savvy cybercriminals.  I’ve often wondered why someone would bother to write a virus, send spam, or want to shut down, modify, or disrupt anyone else’s computer.  When it’s not just a prank, it’s all about the money.  To make it work, though, you need the cooperation of other unscrupulous services (some of them partially legitimate businesses) and people.  I’ll try to highlight a few of the concepts and add my own thoughts as well.
                First, what IS a fake anti-virus program?  It’s malware that, once on your machine, floods you with alerts about viruses it claims to have detected.  The only malicious program actually present is this rogue security software itself.  I’ve actually come across one of these on a friend’s laptop.  I considered it a virus and ended up reverting the machine to factory condition, wiping everything.  It went a little something like this: when you booted up, a pop-up in the lower right that appeared to come from Windows (she was running Vista) would say that a virus had been detected and a scan must be run.  Here’s an example from the article that closely resembles what I saw:


                Now, since I didn’t know much at the time, and she had brought it to me saying she had a virus, I ran the program.  It pretended to scan, but all other anti-virus programs, and even Firefox (the internet), were locked down and unusable.  In effect this is a denial of service (DoS), but its purpose was to keep me from looking up the program or using a real anti-virus to get rid of this fake AV.  I do not know how she got it, and I don’t recall it asking for money, but I was too busy trying to get rid of it to notice.  There are numerous ways a program like this one can slither its way onto your computer.  Conversely, there are very simple things you can do (or not do) to prevent this. 
                Some nefarious websites will display “pop-ups” that look much like the picture above, or maybe just a simple clickable text box.  They claim your computer is infected, and if you click, the fake AV is downloaded, executed, and installed on your computer.  This is social engineering, and scareware is an apt name for it: it’s aimed at users who are concerned about viruses and privacy but uninformed, and so vulnerable. 
                A slightly more concerning method is the “drive-by download”, where script in the web page is designed to install the fake software without your knowledge.  (That is what I was referring to when discussing Anubis.)  This technique exploits vulnerabilities in your web browser or one of its plug-ins, so it’s a very good idea – in fact, it’s a MUST – to make sure your browser is kept updated, as well as any plug-ins.  Do not use Internet Explorer to surf the web.  Use it only to download Chrome or Firefox and set that as your default browser.  In their study of scam victims, the majority were using Internet Explorer 7.  Another route is the manipulation of search engine results using black-hat SEO and a TDS (traffic distribution system).  The SEO is designed to get pages stuffed with popular search terms to rank higher in your search results; once you click one, the TDS redirects you to the page carrying the malicious script, typically choosing the destination based on your browser and location.  This is less of a problem if you use an anti-virus or browser extension that shows a safety rating icon next to each search result.  Botnets are yet another way, but if your computer is already a zombie (a bot, part of a botnet and under someone else’s remote control through a “back door”), then a fake AV is maybe the least of your worries.  Unless you’re desperate enough to fix your machine that you DO pay for it.  I imagine that happens a lot more than I’d like, and it IS listed as a large source of revenue. 
                If you take nothing else from my post, please let it be this: ignore ads.  All of them.  On the sides, top, or bottom of your screen, at the top of your email inbox, the first or second (sponsored) result in a Google search – ignore it.  Background noise.  You will see things that you’ve been looking at online, because of tracking cookies, and these may be legitimate ads, but ignore them anyway.  Do not click on any ads for free porn, games, or singles near you – just don’t do it.  Some of these ads are links to these fake AVs, or worse.
                The one thing that did surprise me at first was that people were actually willing to pay for these anti-viruses that had just shown up on their computer.  The revenue will stun you.  Then I thought of who these people probably were, and I got angry.  Not at them, but at how downright awful people can be to each other and the lengths they’ll go to in perpetrating theft.  These are charts of the revenue made by the three large fraudulent companies over the time span that the authors had access to their back-end servers.  The amounts are in USD, with the axis labelled in scientific (exponent) notation:


                This brings us to what keeps them in business.  Once a customer realizes that they’ve been scammed, they generally get very angry and want their money back.  Makes sense, right?  All three operations offered “customer service” and “tech support”, in an effort to look like a legitimate business and to dissuade upset people from having their credit card company issue a chargeback. 
                Chargebacks are bad for business.  These questionable businesses use payment processors (also questionable, but with a veneer of legitimacy) to handle credit card transactions.  If a merchant racks up too many chargebacks in too short a period, the major card networks will stop doing business with it.  That is not in any fraudster’s best interest.  So, rather than fight a complaint, the fake AV companies are more apt to issue a refund.  It may seem counterintuitive for someone who tricked you out of your money to just give it back, but in reality it makes good (or bad, depending on how you look at it) business sense.  Below is another chart depicting the three companies’ rates of chargebacks vs. refunds:

Notice how much higher that dashed blue line is compared to the red, and how the two seem to track each other.  To stay afloat, they have to keep their chargeback rate under a certain limit by tempering it with refunds.  Nevertheless, the article reports that less than 10% of victims actually sought refunds.  The payment processors can charge a high commission for their part in this risky business: if the fake AV company goes down, they’re liable to be left handing out the refunds themselves. 
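To make the refund-versus-chargeback arithmetic concrete, here is an added example that is not from the paper or from this post: a small model of a merchant refunding just enough complainers to stay under a card-network chargeback limit, plus the check a payment processor could run to spot that pattern.  The 1% limit, the detection margins, and the monthly figures are all constructed assumptions, not numbers taken from the article.

```python
"""Added example, not taken from the paper or this post: the refund-versus-
chargeback arithmetic a fraudulent merchant has to manage, and a processor-side
check that looks for it. The 1% chargeback limit, the detection margins and the
monthly figures below are all constructed assumptions for illustration."""

from dataclasses import dataclass

CHARGEBACK_LIMIT = 0.01   # assumed card-network threshold (chargebacks / sales)
LIMIT_BP = 100            # the same limit in basis points, for exact integer math


@dataclass(frozen=True)
class Month:
    sales: int       # card transactions processed
    complaints: int  # buyers who demanded their money back
    refunded: int    # complaints the merchant settled with a voluntary refund


def chargebacks(m: Month) -> int:
    """Simplifying assumption: every unrefunded complaint becomes a chargeback."""
    return m.complaints - m.refunded


def chargeback_ratio(m: Month) -> float:
    return chargebacks(m) / m.sales


def refund_ratio(m: Month) -> float:
    return m.refunded / m.sales


def refunds_needed(sales: int, complaints: int, limit_bp: int = LIMIT_BP) -> int:
    """Fewest refunds that keep (complaints - refunds) / sales strictly below the
    limit. Integer arithmetic avoids float rounding right at the boundary."""
    allowed = -(-limit_bp * sales // 10_000)   # ceil(limit_bp * sales / 10000)
    return max(0, complaints - allowed + 1)


def operator_policy(sales: int, complaints: int) -> Month:
    """What the post describes: refund exactly as many angry buyers as it takes
    to stay under the limit, and keep the rest of the money."""
    return Month(sales, complaints, refunds_needed(sales, complaints))


def assess(m: Month, limit: float = CHARGEBACK_LIMIT,
           margin: float = 0.2, refund_multiple: float = 2.0) -> str:
    """Heuristic a payment processor could run per merchant per month (assumed
    margins). 'hovering_under_limit' flags a merchant whose chargeback ratio sits
    just under the threshold while it refunds far more buyers than it lets charge
    back; that combination is the pattern in the paper's refund/chargeback chart."""
    cb = chargeback_ratio(m)
    if cb >= limit:
        return "over_limit"
    if cb >= limit * (1 - margin) and m.refunded >= refund_multiple * chargebacks(m):
        return "hovering_under_limit"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a legitimate shop and a fake AV operation, same volume.
    honest = Month(sales=10_000, complaints=40, refunded=30)
    fake_av = operator_policy(sales=10_000, complaints=300)
    for name, m in (("honest", honest), ("fake_av", fake_av)):
        print(f"{name:8s} chargebacks={chargebacks(m):4d} "
              f"cb_ratio={chargeback_ratio(m):.4f} "
              f"refund_ratio={refund_ratio(m):.4f} -> {assess(m)}")
```

With 300 complaints on 10,000 sales the operator must refund 201 of them to stay at 99 chargebacks (0.99%); the honest shop never gets near the limit, so the "hovering just under the threshold while refunding heavily" signal separates the two even though both are issuing refunds.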
                Fake AV companies must open many bank accounts under what are known as shell companies (about as real as their anti-virus programs), and rotate deposits and withdrawals among them so as to avoid suspicion.  Here is a flow-chart model of the structure and movement of funds that might make it clearer:

                More involved than you thought, right?  I suspect this is how most nefarious internet-based scams work.  There are more of them out there, and of different types.
                Technological and information literacy is CRUCIAL to protecting yourself.  If you know or have an older relative unfamiliar with their new computer, set it up for them and explain how firewalls and pop-up blockers work.  Explain about the ads, and tell them not to click on them, open attachments, or run programs that they didn’t install themselves.  Aside from a reputable anti-virus, that is.  There are many free ones out there, and with a little googling you can find a good one.  I’m not going to be a shill for the one I use.  Read reviews, do your research.  Just because the option is there to upgrade for a fee doesn’t mean you have to do it.  If the program is nagging you too much, choose another.  Don’t expect that Windows Defender will be enough.  Still, don’t run two downloaded AVs at the same time.  You won’t be doubly protected; they’ll just get in each other’s way and flag each other’s quarantined files or virus definition updates.  Have your AV auto-update as often as possible.  It shouldn’t slow your machine down; it runs in the background. 
                That is all the advice I have for now on this subject.  You don’t have to be a victim.  Stay safe out there!




Works Cited
Stone-Gross, Brett, et al. "The Underground Economy of Fake Antivirus Software."
         Department of Computer Science and Department of Economics,
         University of California, Santa Barbara (2011): n. pag. Web. 24 Sept. 2015.
         <http://www.cs.ucsb.edu/~chris/research/doc/weis11_fakeav.pdf>.