Thursday, June 16, 2011

The Underground Economy of Fake Antivirus Software

Last night I made my way through the paper: The Underground Economy of Fake Antivirus Software, by a team of researchers from the University of California, Santa Barbara. Although any regular reader of Brian Krebs's weblog will find that they already know a lot of this material, the paper is well-written and fast-paced.

In fact (dare I say it? this is a refereed computer science paper, after all!), the paper is exciting and suspenseful, almost heart-racing.

Unless you've been catatonic for the last decade, you're undoubtedly familiar with the basics of these operations; like most IT professionals, you probably get called in about once a week to untangle your neighbor or other associate from the mess they've stepped in. The paper sums it up succinctly:

The most common form of scareware is fake antivirus (AV) software, also known as "rogue security software." More specifically, a fake AV program impersonates an antivirus scanner and displays misleading or fraudulent alerts in an attempt to dupe a victim into purchasing a license for a commercial version that is capable of removing nonexistent security threats.

So, what did the Santa Barbara team do? Well, they:

have been able to acquire backend servers for several multi-million dollar criminal operations selling fake AV products.

Since we have access to the servers used by these criminal organizations, we are able to directly analyze the tools that are used to create the fake AV products, including programs that assist perpetrators in controlling the malware's behavior and brand names, as well as custom packers that obfuscate the malware to evade detection by legitimate antivirus products.

And what is it that they learned? Well, (quoting again):

  • the modus operandi of the criminals

  • the amount of money involved

  • the victims who purchase the software

  • the affiliate networks that promote the campaigns

  • the flow of money from the victims' credit cards, to the payment processors, to the bank accounts controlled by the criminals.

That is, basically, everything.

As they put it:

This unprecedented access allowed us to obtain ground truth about the type and sophistication of the techniques used to lure victims into paying for scareware, as well as the amount of transactions performed, including refunds and chargebacks.

One of the most chilling sections of the paper is the part where the authors explore the fuzzy, vague, blurred line between modern organized crime, and the core operations of the modern Internet:

An interesting facet of fake AV sales is the process in which credit card transactions are handled. In particular, payment processors (also known as payment service providers) are an integral part of every sale. Without these processors, fake AV operations would not be able to accept credit card payments. This would make it not only harder for a victim to purchase the product (i.e., they would have to use an alternative form of payment, such as cash, check, or money order), but it would also likely raise red flags that the software may be fraudulent. Note that payment processors must maintain a degree of legitimacy, or they risk losing the ability to accept major credit cards.

Perhaps the most notorious payment service provider is Chronopay, which ... has long been associated with processing transactions for various forms of online criminal organizations ... [H]owever ... also provides legitimate services to large organizations such as [ an amazing list of top-shelf names follows ]

I'm not kidding about this paper. You'll think you're reading something from Ludlum or LeCarre, but you're not. This is real life, in the modern world, on the Internet.
