An Analysis of Rogue AV Campaigns

Cova, Marco; Leita, Corrado; Thonnard, Olivier; Keromytis, Angelos D.; Daciér, Marc

doi:10.1007/978-3-642-15512-3_23

Cited by 41 publications

(32 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Various security vendors have reported on potential revenue from scareware operations based on the number of infections that they observed [4,37]. Cova et al presented an analysis of the rogue antivirus structure and indirectly tried to measure the number of victims and profits based on poorly configured web servers used by several fake AV groups [6]. They estimated the conversion rate of infections to sales at 1.36%, which is slightly lower than the rates that we observed.…”

Section: Related Workmentioning

confidence: 53%

The Underground Economy of Fake Antivirus Software

Stone-Gross

Abman

Kemmerer

et al. 2012

Economics of Information Security and Privacy III

View full text Add to dashboard Cite

Fake antivirus (AV) programs have been utilized to defraud millions of computer users into paying as much as one hundred dollars for a phony software license. As a result, fake AV software has evolved into one of the most lucrative criminal operations on the Internet. In this paper, we examine the operations of three large-scale fake AV businesses, lasting from three months to more than two years. More precisely, we present the results of our analysis on a trove of data obtained from several backend servers that the cybercriminals used to drive their scam operations. Our investigations reveal that these three fake AV businesses had earned a combined revenue of more than $130 million dollars.A particular focus of our analysis is on the financial and economic aspects of the scam, which involves legitimate credit card networks as well as more dubious payment processors. In particular, we present an economic model that demonstrates that fake AV companies are actively monitoring the refunds (chargebacks) that customers demand from their credit card providers. When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time. However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms.

show abstract

Section: Related Workmentioning

confidence: 53%

The Underground Economy of Fake Antivirus Software

Stone-Gross

Abman

Kemmerer

et al. 2012

Economics of Information Security and Privacy III

View full text Add to dashboard Cite

show abstract

“…DOMAntiPhish [33] alerts the user whenever she visits a phishing site with a layout similar to a trusted website. All these solutions help in preventing that the user is deceived in trusting a site similar to a known site she used in the past, but they do not prevent against other categories of scams, such as fake pharmacies and rogue antiviruses [7,39]. In contrast, our system is able to track advanced, previously unseen phishing attacks.…”

Section: Related Workmentioning

confidence: 99%

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

Corbetta

Invernizzi

Kruegel

et al. 2014

Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

Abstract. With JavaScript and images at their disposal, web authors can create content that is immediately understandable to a person, but is beyond the direct analysis capability of computer programs, including security tools. Conversely, information can be deceiving for humans even if unable to fool a program. In this paper, we explore the discrepancies between user perception and program perception, using content obfuscation and counterfeit "seal" images as two simple but representative case studies. In a dataset of 149,700 pages we found that benign pages rarely engage in these practices, while uncovering hundreds of malicious pages that would be missed by traditional malware detectors. We envision that this type of heuristics could be a valuable addition to existing detection systems. To show this, we have implemented a proofof-concept detector that, based solely on a similarity score computed on our metrics, can already achieve a high precision (95%) and a good recall (73%).

show abstract

“…For example, prior work has studied the infrastructure used to support Rogue AV campaigns [11], fast-flux service networks [17], online scam infrastructure [18], command and control (C&C) networks [7], C&C migration [1], drop-zone infrastructure [15], and pay-per install infrastructure [6]. We consider a campaign to be a collection of domain names and IP addresses that serve a single malicious purpose and are associated with the same threat type, e.g., botnet C&C, drop-zones, etc.…”

Section: Related Workmentioning

confidence: 99%

Connected Colors: Unveiling the Structure of Criminal Networks

Nadji

Antonakakis²,

Perdisci

et al. 2013

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. In this paper we study the structure of criminal networks, groups of related malicious infrastructures that work in concert to provide hosting for criminal activities. We develop a method to construct a graph of relationships between malicious hosts and identify the underlying criminal networks, using historic assignments in the DNS. We also develop methods to analyze these networks to identify general structural trends and devise strategies for effective remediation through takedowns. We then apply these graph construction and analysis algorithms to study the general threat landscape, as well as four cases of sophisticated criminal networks. Our results indicate that in many cases, criminal networks can be taken down by de-registering as few as five domain names, removing critical communication links. In cases of sophisticated criminal networks, we show that our analysis techniques can identify hosts that are critical to the network's functionality and estimate the impact of performing network takedowns in remediating the threats. In one case, disabling 20% of a criminal network's hosts would reduce the overall volume of successful DNS lookups to the criminal network by as much as 70%. This measure can be interpreted as an estimate of the decrease in the number of potential victims reaching the criminal network that would be caused by such a takedown strategy.

show abstract

An Analysis of Rogue AV Campaigns

Cited by 41 publications

References 19 publications

The Underground Economy of Fake Antivirus Software

The Underground Economy of Fake Antivirus Software

Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection

Connected Colors: Unveiling the Structure of Criminal Networks

Contact Info

Product

Resources

About