Fake Security Software Steals $34 Million Monthly

Ignorance may be bliss, but it can also be expensive. Insufficiently knowledgeable computer users are downloading and paying for fake security software in increasing numbers, creating massive revenue for cybercriminals.

"More and more people are acclimating to the Internet and they feel they can make these important security decisions," said Sean-Paul Correll, security evangelist and threat researcher for Panda Security. "They don't feel the need to call their tech-savvy grandson."

Fake security software, also known as "rogueware," is a form of malware that attempts to convince people that their computers are infected with malware.

Following the exploitation of a vulnerability or a visit to a malicious Web site, rogueware will weasel its way onto a computer and then purport to find malware on the system in question. It will offer to remediate the problem once the victim enters a credit card number to pay for the "security software." But payment typically does not cure the infection.

"Cyber-criminals no longer need to steal users' information in order to make their money; instead, they simply need to find ways to get users to part with their cash voluntarily," says a report released by Panda Security on Wednesday.

According to Panda, the rogueware business took off in 2008 and has continued to surge. At the end of 2008, the company said that it had detected almost 55,000 rogueware samples. By the end of Q3 this year, Panda expects to identify more than 637,000 new rogueware samples, an increase of more than tenfold in less than a year.

Rogueware cybercriminals spread their fake software through social media by manipulating search engines to get their links to the top of search results lists, by inserting links into comments on Digg.com, by tweeting their links on Twitter, and by exploiting vulnerabilities in blog software and on Facebook.

Panda estimates that 35 million computers are infected by rogueware every month, affecting perhaps half that number of actual users.

Such large numbers, Panda claims, lead to substantial revenue. The company estimates that cybercriminals are earning about $34 million per month from rogueware, which typically sells for between $49.95 and $79.95.

"They're making an insane amount of money," insists Correll.

This claim isn't merely speculation. According to Correll, a hacker known by the name "NeoN" infiltrated rogueware manufacturer Bakasoftware in September 2008 by exploiting an SQL vulnerability on the group's Web site. NeoN copied a spreadsheet of payments to Baka's affiliates. The numbers show that the malware group's top affiliate earned $81,388.61 in a period of only six days.

"That's almost $5,000,000 per year and it's an astronomical number considering that this projection is just for one of many affiliates in Baka's roster, not to mention that the rogueware business has grown about four times the size it was in 2008 (in terms of sample volume)," Panda's report states.