Finjan: Bogus Anti-virus Is Big Business

In a new cyber-crime report, security vendor Finjan found a traffic management server that showed a ring of cyber-crooks redirected 1.8 million users to a site that installed rogue anti-virus over the course of two weeks, raking in an average of $10,800 a day. There are several groups involved in similar schemes, Finjan reports.

The stock market may be struggling, but the market for purveyors of rogue anti-virus is going strong.

In a report, researchers at Finjan offered a peek into the inner-workings of the market for rogue anti-virus. The company focused on a group of cyber-crooks running a rogueware affiliate network that hauled in an average of $10,800 a day in profits.

The affiliate network is divided into two teams, one responsible for compromising legitimate Websites and injecting Web pages with popular keywords and typos. These pages redirect users to Websites owned by Team B, which tries to install the rogue AV on the user's desktop.

"Team B pays Team A for every user Team A manage to redirect to Team B Website," explained Finjan CTO Yuval Ben-Itzhak.

The profits can be impressive. A look at a traffic management server based in the Ukraine found 1.8 million users were redirected to the rogue anti-virus software site during a 16-day period. The installation rates varied from 7 percent to as high as 12 percent. Some 1.79 percent of the victims who installed the AV paid $50 for the fake software, with 58 to 90 percent flowing back to the network.

The group behind this operation relied heavily on search engine optimization (SEO). Fellow security vendors Symantec and McAfee have found similar SEO-poisoning techniques being used in malware campaigns, and said the trend has been increasing since the beginning of the year.

To further improve their chances of placing high in a search, the hackers inserted SEO targeted pages to compromised Websites. According to Finjan, the injected pages were actually PHP scripts dynamically generating search keywords with typos and popular terms. The script is based on a parameter passed in the URL, hxxp://[compromised-domain]/talk/page.php?id=1503. Each of the dynamically generated pages was linked to other dynamically generated pages to increase the probability the search engine would index even more keywords for the compromised sites.

The end result was users searching for popular keywords (with or without typos) on search engines were sometimes directed to a malicious page that tried to install the rogueware on their PCs.

"In the last two months we have seen these SEO techniques a lot," Ben-Itzhak said. "It is happening on legit Websites that were compromised and fill the Web page with keywords. These pages trick the search engine spider."

"I believe there are a few dozen groups doing that today," the CTO continued. "Having the great numbers they make, the number of groups increase and their techniques are improving."