Symantec Reveals Rogue Antivirus Pulling Massive Profits

Symantec took a look at the underground market for rogue security software in a new report. Some of the sales affiliates make staggering profits, with the top earners averaging $23,000 a week during Symantec's 12-month study.

Symantec has shone a light on the massive profits pulled in by rogue security software scams on the Web.

Such software, often referred to as "scareware," has gotten more attention in the past year as scammers continue to enjoy success tricking users into shelling out big bucks. In a report titled "Report on Rogue Security Software," Symantec officials found that sales affiliates were pulling in staggering amounts of money.

Creators of rogue security software typically use an affiliate-based, pay-per-install distribution model, Symantec noted. Among the distribution sites studied by Symantec, the affiliates were paid $0.55 per installation by users in the United States; $0.52 for installations by users in the U.K. and Canada; and $0.50 for installations by users in Australia.

While seemingly small, these amounts can translate into huge profits. According to the study, the top 10 sales affiliates for the distribution site averaged $23,000 per week in earnings during the 12-month study period of the report.

"Scareware creators can scam thousands of people for comparatively small amounts of money all at the same time and make huge aggregate profits," said David Wall, a professor at the Centre for Criminal Justice Studies at the University of Leeds, in a statement. "This type of fraud works because the fake security software tricks users into believing they have an immediate threat which only their program can resolve. Ultimately, it's a con."

The per-installation price varies from country to country based on the likelihood that users from that country will pay for the fake software. According to the report, 61 percent of scam attempts involving the top 50 reported rogue applications were made on users in North America; 31 percent occurred in the Europe, Middle East and Africa region; 6 percent occurred in the Asia-Pacific/Japan region; and 2 percent in the Latin America region.

The higher percentage of rogue security software scams in the top two regions is likely due to the fact that the majority of malicious activity in general is also in the North America and Europe/Middle East/Africa regions, Symantec said.

Many times, rogue antivirus scams begin with spam e-mails and a bit of social engineering.

"Spam is an easy way to advertise rogue security software programs because it is relatively quick and inexpensive to send a large number of email messages, especially if a spammer uses a botnet to do the work," according to the report. "For example, in 2008, spam for AntiVirus XP 2008 was sent out from botnets such as Peacomm, Srizbi, Rustock, and Ozdok. Email addresses suitable for spam are inexpensive, costing as little as $0.33/MB (with one MB containing as many as 40,000 email addresses)."

Cyber-scammers also use search engine optimization techniques to poison results so that users are lured to malicious sites, Symantec noted. The programs are also advertised on both legitimate and malicious Websites, the report states.

The study is based on data collected between July 2008 and June 2009. During that timeframe, the top five rogue security applications in order of prevalence were SpywareGuard 2008, AntiVirus 2008, AntiVirus 2009, SpywareSecure and XP AntiVirus.

"The findings of our Report on Rogue Security Software make it clear that cybercriminals are willing, eager, and well-equipped to prey on today's Internet user," said Stephen Trilling, senior vice president for Symantec Security Technology and Response, in a statement. "To avoid becoming a victim of such predatory practices, Symantec strongly urges Internet users to make sure they are using the latest security protection and always obtain their security software directly from trusted vendors' websites."