Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny of the industry by security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.
During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.
On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.
“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”
The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.
There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.
Black Market Breakdown
Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.
In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.
But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.
Russian investigators also found that ChronoPay computers support the infrastructure of Rx-Promotion, a rogue online pharmacy program that paid spammers millions of dollars to promote Web sites that were pushing knockoff prescription drugs, including addictive painkillers like Vicodin and oxycodone (Rx-Promotion also appears to have closed up shop following Vrublevsky’s arrest).
Group-IB, a Russian computer-forensics firm that has been assisting the police in their investigation of Vrublevsky, said that his arrest and subsequent searches of ChronoPay’s office symbolize the possible interest of Russian law enforcement agencies in stopping the laundering of money earned in selling counterfeit medicines and fake AV.
“If allegations against ChronoPay are true then we should expect significant decrease of revenues received by cyber criminals in the appropriate segments of black market in the near future,” said Maxim Suhanov, a computer-forensics specialist at Group-IB.
Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.
Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.
More importantly, fake AV affiliates can outsource the majority of their work. Damon McCoy, a researcher at the University of California, San Diego, has been studying the fake AV industry. He found that fake AV can be massively profitable when installed via pay-per-install (PPI) programs. PPI networks contract out the deployment of the malware to affiliates who get paid per one thousand installs (the payment rate varies with the geographic locations of the victim PCs).
McCoy said fake AV affiliates can purchase 10,000 installs of their scareware programs very cheaply. “For 10,000 installs, [the PPI networks] will charge you normally about $900, but if you squeeze them a bit they will go down to $750,” McCoy said.
In an analysis of the fake AV industry released last month, McCoy and other UCSD researchers discovered that fake AV affiliates can expect that one out of every 50 people who have fake AV installed on their systems will pay for the software.
“If you do the math, it’s almost like you’re printing money,” McCoy said. “You could pay the PPI networks $75 to get 1,000 fake AV installs. And if you had an average conversion rate of one in 50, making between $25-$35 on each install, that works out to about 20 sales — or conservatively $500 per one thousand installs. So, you pay someone $75 and you can expect to make four or five times your investment. The economics of this market are ridiculously profitable, and it’s easy to see why fake AV is the go-to method today for monetizing botnets.”