Given their financial motivations, the distributors of rogue security software scams need to affect a broad number of potential victims. Getting the program onto a victim’s computer is a critical step in rogue security software scams and the scammers use a variety of techniques to do so. While some rogue security software programs rely on just a few specific techniques to achieve this, many of them incorporate multiple techniques to improve the odds of success. The distribution techniques for rogue security software programs can be simplified into two groups: installation methods and advertising methods.
The installation methods for rogue security software can either be intentional or unintentional. Scammers who persuade victims that they need the rogue software to address security concerns lure the victims into downloading the software intentionally. This is a common approach to rogue security software installation that was used by 93 percent of the top rogue security software scam attempts observed during a one-year period from July 2008 to June 2009, and discussed in the just published Symantec Report on Rogue Security Software. During the same period, 76 percent of the observed scam attempts used unintentional downloads to get the misleading applications installed onto victims’ computers. An unintentional (or, intrusive) download occurs when malicious code is downloaded onto a computer without the interaction or knowledge of the victims, such as in drive-by download attacks.
The methods used to advertise rogue security software can be simplified as either dedicated websites or Web advertisements. Dedicated websites persuade victims that the software is legitimate by presenting information such as software capabilities, testimonials, and software awards—all of which are false. The goal of a dedicated website is usually to get the victim download the software intentionally; however, these sites are also used to launch intrusive installations. Of the top rogue security software scams analyzed by Symantec, 93 percent had a dedicated website. Web advertising methods consist of pop-up ads, banner ads, and postings on forums and social networking sites. These advertisements typically prey on users’ fears of malicious code, with claims such as, “If this ad is flashing, your computer may be at risk or infected,” and will urge users to follow a link that will provide the software to remove the threats. The goal behind these websites is to have a user intentionally download the software but, like dedicated websites, they can also function as a launching point for intrusive installations. Fifty-two percent of the top rogue security software scams observed by Symantec used web advertisements.
Dedicated rogue security software website
As mentioned, many rogue security software programs incorporate multiple techniques for each method of installation and advertisement. This can result in very effective scams that reach a broad number of potential victims. To date, Symantec has detected over 250 distinct rogue security software programs. From July 2008 to June 2009, Symantec received over 43 million reports of attempted scams using these misleading applications.
For a complete analysis of rogue security software observed by Symantec, please see the Symantec Report on Rogue Security Software.