The frequency of attacks that distribute fake antivirus software, a long-time pillar of the underground economy, has decreased considerably in recent months. However, security researchers warn that the industry is not yet dead and new versions of attacks continue to be released.
According to a new report from antivirus vendor Kaspersky Lab, the rate of fake antivirus attacks in June was somewhere between 50,000 and 60,000 per day, but their frequency has dropped to under 10,000 a day.
The impressive drop is the result of several factors, including law enforcement efforts, improvements in search engine filtering algorithms, and actions undertaken by the security community to disrupt cybercriminal distribution networks.
"This decline is related to some good job done by the law enforcement and security industry in this field, shutting down some of the networks they were using," said Luis Corrons, technical director of Panda Security's threat research laboratory.
His opinion is shared by Sean Sullivan, a senior security advisor at Finnish antivirus vendor F-Secure. "They were shut down and an investigation was launched," he said referring to recent international law enforcement actions that targeted major scareware operations.
Seizing scareware servers and equipment
Back in June, authorities in Russia arrested Pavel Vrublevsky, the co-founder of Russian payment processor ChronoPay, who has long been suspected of running one of the biggest fake antivirus affiliate programs.
At around the same time, authorities in the U.S., Ukraine and several other countries seized computer servers and other equipment used for scareware distribution, some believed to be linked to the infamous Conficker worm.
However, according to Bogdan Botezatu, a researcher with antivirus company BitDefender, this is not the only reason for the changes seen on the scareware market. "The decline in Fake AV attacks is probably related to the fact that search engines have improved their filtering algorithms in order to prevent poisoned search results from showing on top," he said.
"We have been closely monitoring this issue in intervals where specific searches spiked (such as the death of Gaddafi or the alleged death or President Barrack Obama) and we didn't see any attacks involving rogue AV," the researcher added.
Black hat search engine optimisation (BHSEO), or search-result poisoning attacks, leverage the page rank of legitimate, but compromised, websites to push malicious links at the top of search results. This has been one of the primary methods of getting users to fake antivirus websites for a long time.
Gangs may have moved onto Facebook scams instead
Botezatu believes that some scareware gangs have already moved to something else, like the Facebook survey scams, which require less investment and are easier to maintain. However, Botezatu and Corrons agree that this fortunate turn of events is only temporary.
In fact, Kaspersky Lab's Vyacheslav Zakorzhevsky warns that new scareware variants and even new affiliate programs have already appeared. "New versions of this type of malware continue to emerge. [...] We discovered an affiliate program called 'Money Racing AV'," he announced Thursday in a post on the company's blog.
Even if the risk of encountering such threats is now lower and the methods of distribution are limited, users should continue to scrutinise unexpected security alerts for legitimacy. "Don't pay for any solution arriving unannounced over the Internet and make sure you install a genuine security product," Zakorzhevsky stressed.