The Symantec Report on Rogue Security Software includes an in-depth analysis of the methods scammers use to distribute rogue security applications. This blog presents some of the highlights of the research into the distribution of these scams.
In the report, the following distribution and advertising trends were observed:
• Ninety-three percent of the top 50 most prevalent rogue security applications were distributed as intentional downloads. This means that victims are tricked into believing they are downloading legitimate security software and subsequently installing the rogue application.
• Seventy-six percent of the top 50 most prevalent rogue security applications were classified as unintentional downloads. This means that the software may be installed unintentionally through drive-by downloads or other means such as false advertising (such as misrepresenting the software as a video codec). This overlaps with intentional downloads because many scams use both distribution methods.
• Ninety-three percent of scams in the top 50 most prevalent rogue security applications were advertised through dedicated websites.
• The second most common advertising method for rogue security software was Web advertisements. However, the volume of advertisements for the top 10 most prevalent rogue applications was greater than the volume of advertisements observed for the remaining 40 of the top 50 scams combined.
• For rogue security application scams to be successful, the rogue software must be advertised to potential victims. The software must also be reliably hosted in a location where it is available for download by potential victims. Lastly, for scammers to profit from the rogue software, their victims must register the software through a reliable payment processing service. In our report, we discuss the tactics that scammers use to overcome these hurdles so that they can successfully distribute and profit from scams.
The following tactics were observed while researching the report:
• GUI templates and cloning techniques are used to help these scams evade detection and be quickly rolled out anew.
• Black hat search engine optimization (SEO) and other Internet marketing techniques are used to place scam websites and advertisements at the top of search engine results.
• Affiliate networks are in place to organize scam distribution and provide incentives for distributors.
• Malicious advertisements for these scams are distributed on legitimate websites.
• Rogue ISPs such as the Russian Business Network are used to host these scams.
• Rogue payment processing services exist to help these scams launder their profits.
For a complete analysis of rogue security software observed by Symantec, please download the Symantec Report on Rogue Security Software.