The operators of malicious networks are continuously monetizing their activities by propagating rogue security software that uses scare tactics to trick unsuspecting users into installing and purchasing fake antivirus software, aka FAKEAV.
Although there has been a decline in FAKEAV volume as a result of the increasing pressure on payment processors that handle credit card transactions for FAKEAV providers, FAKEAV distribution is likely to increase once new connections are made to cooperative payment processors. The money generated through this malicious activity is enormous, and those behind the distribution of FAKEAV are continually trying to stay one step ahead of law enforcers and the security community.
Today, Trend Micro released a research paper that focuses on how FAKEAV affiliate networks operate, what propagation strategies they use, and how much they earn from their malicious activities.
The complexity of these affiliate networks poses significant challenges to law enforcement agencies and to the security industry. Unlike direct fraud such as stealing money from compromised bank accounts, the damage that FAKEAV infections inflict is considerable only in the aggregate; the amount of criminal activity conducted in any one jurisdiction and against any particular victim is still small. As a result, many smaller malicious operations connected with FAKEAV affiliates are able to avoid scrutiny.
FAKEAV Affiliates Business Model
Through careful monitoring of the servers used by FAKEAV suppliers, we were able to obtain records from two FAKEAV affiliate networks—BeeCoin and MoneyBeat. We found that these FAKEAV suppliers were actually mid-tier providers that simply aggregated the malicious links and the malware provided by top-tier FAKEAV affiliates and made these available to those with limited underground connections. Between January and June 2011, BeeCoin and its affiliates were able to install FAKEAV on more than 214,000 systems. Moreover, one in every 44 people who installed the malware actually purchased the full version of the rogue software, allowing BeeCoin to earn US$123,475.
However, we found that BeeCoin itself is actually an affiliate of a very well-known FAKEAV provider—Baka Software. In 2008, Baka Software provided the rogue antivirus software, Antivirus XP 2008, that was actively propagated by a variety of affiliates. BeeCoin maintains a number of relationships with FAKEAV providers. In addition to Baka Software, BeeCoin provides FAKEAV that originates from two additional FAKEAV providers—PrivatCoin and SoftCash.
PrivatCoin supplies FAKEAV to a number of malicious operations, including KOOBFACE and blackhat SEO campaigns. SoftCash is a particularly interesting affiliate because in addition to Windows versions of rogue antivirus software, it also provides versions that run on Mac OS X.
Top-tier affiliate networks such as Baka Software and payment processors such as ChronoPay provide botnet operators and other malicious actors with the infrastructure and the capability to monetize their activities. Intermediary providers like BeeCoin further shield these malicious actors’ activities while allowing them to further “crowdsource” the propagation of malicious software.
“Meta” FAKEAV Affiliates—Key Component of the FAKEAV Business Model
The emergence of these meta FAKEAV affiliates makes access to rogue antivirus software easier for cybercriminals with fewer underground connections and further obscures the operations of high-level FAKEAV affiliate networks. It also demonstrates that the propagation of FAKEAV is so profitable that there is room for yet another middleman in the operation.
Through the exposure of the relationships among FAKEAV affiliate networks, botnets, and other malicious activities, we hope that the security community and law enforcement agencies can better understand the challenges that this malicious monetization strategy poses for traditional defenses and investigations.
For more details on FAKEAV affiliate networks and their business model, you may read the research paper “Targeting the Source: FAKEAV Affiliate Networks”.