Tricking users into downloading rogue AV is an age-old cybercriminal tactic that still works. Hence the continuous rise in the number of rogue AV pushed to unwitting scam victims up to this day. In fact, the FBI just recently warned the public about the threat that rogue AV software poses, saying this has resulted in more than US$150 million in losses to victims.
The earliest rogue AV ploys relied on scareware tactics, warning users of supposed infections on their systems. The shift toward a more profit-driven threat landscape, however, also prompted cybercriminals to employ more devious and cunning techniques. Today, they often use search engine optimization (SEO) techniques to lure users to sites that infect them simply by being visited, while the rogue AV displays fake scan results that mimic the way real-time antivirus products protect systems.
Some rogue AV employ “ransomware” tactics. They encrypt files, taking them hostage so users cannot use them. To recover the files, a user has to download a paid version of the program, but just like its predecessors, this is all just a scam: the paid version merely undoes the damage the program itself caused in the first place, and only after the user has been forced to pay up.
Cybercriminals use several social engineering techniques to spread rogue AV among computer users. Spammed messages containing URLs that lead to sites where rogue AV can be downloaded are very common. Some, however, are more imaginative, rigging search engine results with links to downloadable, seemingly legitimate antivirus applications.
Another ingenious social engineering ploy to spread rogue AV involves the use of codecs. As several media files require codecs for playback, users who want to stream videos are often victimized by downloading rogue AV posing as video codecs. Celebrity deaths (e.g., Corazon Aquino) and tragic events (e.g., tropical storms) have also become unwitting participants in rogue AV scams.
Social networking sites such as Twitter and Facebook have also become unwilling sources of rogue AV, thanks to the KOOBFACE botnet’s dedicated FAKEAV installer component.
TrendLabs has observed that rogue AV authors, sellers, and resellers now employ enhanced social engineering tactics, taking advantage of trendy topics in popular search engines. They have also been found to use GeoIP tracking. These attacks employ similar techniques as blackhat SEO campaigns albeit in a more targeted sense.
Cybercriminals will really stop at nothing to further their profiteering schemes. And though users have been warned time and again to stay away from links that come from unknown users, whether in emails or tweets, it seems curiosity will still get the better of them, allowing cybercriminals to continue infecting them with the great mass of rogue AV available on the Web.
Fortunately, Trend Micro Smart Protection Network protects users against all these kinds of rogue AV and other similar malware threats.