Fake Antivirus Declines After June Raids Shut Down Credit Card Payments

Fake antivirus and other scareware programs seem to be on the decline for now as criminals struggle to recover from this summer's raids and the arrest of ChronoPay's CEO.

After the recent crackdown around the world on companies allegedly distributing scareware programs, the fake security business seems to be in full retreat, according to a recent report.

The number of new fake antivirus, scareware and other rogue software incidents has declined 60 percent since June, Alvin Estevez, CEO of Enigma Software, said Aug. 18. The analysis was based on the company's support logs, software detections and support tickets from new customers.

Scareware programs trick users into thinking there is something wrong with the computer and charge money to repair the problem. While the most common type of scareware is the fake antivirus, other types are available, including disk utilities and file management tools.

"It's a million dollar industry," Estevez said.

Law enforcement authorities in the United States, United Kingdom, the Netherlands, Latvia, Germany, France, Lithuania and Sweden seized over 40 computers to break up a scareware cyber-crime gang in June. The criminals victimized nearly a million individuals and infected over 960,000 computers, netting approximately $72 million, the FBI estimated. The authorities also gained control of five bank accounts used to move money among the gang members.

A day after the coordinated raids, Russian authorities arrested Pavel Vrublevsky, CEO of ChronoPay, Russia's largest processor of online payments. Vrublevsky was arrested on charges of hiring a hacker to attack ChronoPay's rivals. ChronoPay has been "consistently" involved with handling credit card processing for many of the rogue antivirus or scareware scams, wrote Brian Krebs on his blog Krebs on Security. Vrublevsky has also set up companies on behalf of these scammers, including Rx-Pharmacy, a rogue online pharmacy program, Krebs said.

The combination of the raids and the arrest of Vrublevsky appears to have impaired the ability of scareware makers and distributors to get paid, Estevez said.

"When they can't get paid by their victims, they shrivel up and go away," said Estevez.

Cyber-criminals infect victims' computers using a variety of tricks, such as pop-up windows that claim to have found a virus on the computer, social engineering messages purporting to be from friends, or links in spam. Once the software is on the computer, users are shown a long list of issues but are told the only way to remove the problems is to fork over money for the cleaning tool. The fake software generally ranges from $49.95 to $129 a copy, and users may also see other behavior consistent with malware, such as pop-up windows and slow performance.

While purchasing the fake antivirus does make the scareware stop displaying the warnings, handing over a credit card number to these scams can lead to a whole new set of problems.

Enigma makes Spy Hunter 4, a real-time anti-spyware application designed to detect and remove spyware and malware. Enigma analyzed the logs collected from customers with Spy Hunter installed to determine infection rates as well as to identify new fake AV variants.

McAfee also reported a drastic drop in the number of customers reporting fake antivirus detections after June. The difficulty in processing credit card payments means the developers can't collect money from the victims or pay their distributors their cut for pushing the software out.

Enigma's team said the business has effectively been shut down "for now," noting that cyber-criminals are flexible and "they'll figure out another way to get their scareware out and to get paid by their victims," according to the post. Enigma expects that another cyber-gang will pick up operations and that the fake software scams will be back again "sometime soon."