The Underground Economy of Fake Antivirus Software

  • Brett Stone-Gross
  • Ryan Abman
  • Richard A. Kemmerer
  • Christopher Kruegel
  • Douglas G. Steigerwald
  • Giovanni Vigna
Conference paper


Fake antivirus (AV) programs have been utilized to defraud millions of computer users into paying as much as one hundred dollars for a phony software license. As a result, fake AV software has evolved into one of the most lucrative criminal operations on the Internet. In this paper, we examine the operations of three large-scale fake AV businesses, lasting from three months to more than two years. More precisely, we present the results of our analysis on a trove of data obtained from several backend servers that the cybercriminals used to drive their scam operations. Our investigations reveal that these three fake AV businesses had earned a combined revenue of more than $130 million. A particular focus of our analysis is on the financial and economic aspects of the scam, which involves legitimate credit card networks as well as more dubious payment processors. In particular, we present an economic model that demonstrates that fake AV companies are actively monitoring the refunds (chargebacks) that customers demand from their credit card providers. When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time. However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms.
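The chargeback-refund dynamic described in the abstract (refunds granted in response to chargeback spikes) can be turned into a merchant-level detection heuristic of the kind a payment processor might run. The following is an added example, not code or data from the paper: it scores a merchant on how often refund volume surges within two days of a chargeback spike, using constructed 30-day series for a hypothetical legitimate merchant and a hypothetical fake AV merchant.

```python
"""Flag merchants whose refund volume surges right after chargeback spikes."""
from statistics import mean, median, pstdev


def spike_days(counts, z_threshold=2.0):
    """Indices where a daily count exceeds mean + z_threshold * std dev."""
    mu, sd = mean(counts), pstdev(counts)
    if sd == 0:
        return []
    return [i for i, v in enumerate(counts) if (v - mu) / sd > z_threshold]


def reactive_refund_score(chargebacks, refunds, lag=2, ratio=2.0):
    """Fraction of chargeback spikes that are followed, within `lag` days,
    by a refund surge of at least `ratio` times the merchant's typical
    (median) daily refund count. Returns (score, number_of_spikes).
    A score near 1.0 means refunds track chargebacks closely."""
    spikes = spike_days(chargebacks)
    if not spikes:
        return 0.0, 0
    baseline = max(median(refunds), 1)  # guard against a zero median
    reactive = 0
    for day in spikes:
        window = refunds[day:day + lag + 1]  # spike day plus `lag` days after
        if max(window) / baseline >= ratio:
            reactive += 1
    return reactive / len(spikes), len(spikes)


def flag_merchant(chargebacks, refunds, min_spikes=2, min_score=0.5):
    """True when enough spikes were seen and most of them drew a refund surge."""
    score, n_spikes = reactive_refund_score(chargebacks, refunds)
    return n_spikes >= min_spikes and score >= min_score


# Constructed 30-day daily counts (hypothetical merchants, not data from the paper).
LEGIT_CB = [1, 2, 1, 1, 2, 1, 1, 6, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 6, 1, 1, 2, 1, 1, 1, 2, 1, 1, 2, 1]
LEGIT_RF = [3, 2, 3, 3, 2, 3, 3, 3, 2, 3, 3, 2, 3, 3, 3, 2, 3, 3, 3, 2, 3, 3, 2, 3, 3, 3, 2, 3, 3, 3]
FAKE_CB = [2, 1, 2, 2, 1, 2, 2, 9, 2, 1, 2, 2, 1, 2, 2, 2, 1, 2, 10, 2, 1, 2, 2, 2, 1, 2, 2, 2, 1, 2]
FAKE_RF = [3, 3, 2, 3, 3, 2, 3, 4, 14, 9, 3, 3, 2, 3, 3, 3, 2, 3, 5, 16, 12, 3, 3, 2, 3, 3, 3, 2, 3, 3]

if __name__ == "__main__":
    for name, cb, rf in (("legit", LEGIT_CB, LEGIT_RF), ("fake-av", FAKE_CB, FAKE_RF)):
        print(name, reactive_refund_score(cb, rf), flag_merchant(cb, rf))
```

The legitimate merchant also has chargeback spikes, but its refunds stay flat, so only the merchant whose refunds react to chargebacks is flagged.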





This work was supported by the Office of Naval Research (ONR) under Grant N000140911042 and by the National Science Foundation (NSF) under grants CNS-0845559 and CNS-0905537. We would also like to thank the anonymous reviewers for their valuable suggestions and insights.



Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Brett Stone-Gross (1)
  • Ryan Abman (1)
  • Richard A. Kemmerer (2)
  • Christopher Kruegel (1)
  • Douglas G. Steigerwald (1)
  • Giovanni Vigna (1)
  1. Department of Computer Science, University of California, Santa Barbara, USA
  2. Department of Economics, University of California, Santa Barbara, USA
