Who killed the fake-antivirus business?

Summary: The fake-antivirus business was a big money-maker in the first half of this year. Then, at the end of June, fake-AV products practically disappeared from the web. Was it technology, or does traditional law enforcement deserve the credit?


The fake-antivirus business went from boom to bust in record time.

Early this year, the bad guys were making money hand over fist with scareware and rogue security products. Then, suddenly, the business dried up.

The event that caused the sudden plunge? A high-profile bust by Russian authorities. On June 23, a network of web sites that were distributing fake antivirus software for Windows PCs and Macs suddenly went offline when the head of the company that processed payments for the group was busted.

The effect on the fake-AV industry was dramatic, according to Enigma Software Group:

Aside from the FBI cracking down on international “scareware” rings in 12 countries, Russian police arrested Pavel Vrublevsky, co-founder of ChronoPay, Russia’s biggest processor of online payments and a lead player in several fake AV scams. The combination of these two events [led] to a dramatic decline in fake anti-spyware and anti-virus software. On our end, we’ve seen a drastic drop in scan logs from new users, support logs, detections, and support tickets from new customers. Basically, we’ve witnessed a 60% decline in new fake AVs, scareware, and rogue anti-virus incidents.

Independent security researcher Brian Krebs also noted a "huge decline" in the fake-AV racket. According to Krebs, McAfee reported "a dramatic drop in the number of customers reporting scareware detections in recent weeks… McAfee has tracked more than a 60 percent decrease in the number of customers dealing with fake AV since late May."

The Enigma Software report included a fascinating set of graphics that used data from Google Trends to monitor consumer searches for known fake-AV products. In theory, those searches represent interest by victims in how to remove the threats they've encountered. A spike in searches means more infections in the wild; a drop means the malware distributors are seeing less success.

I decided to use the same methodology to track the progress of this underground market from a slightly different angle. Starting with a similar set of Google Trends data, I came up with this chart, which tracks fake AV products for Windows XP and Windows 7 and adds Mac Defender to the mix:

Fake AV software trends 2011

That picture shows the ebbs and flows of an entire underground market. The green and purple lines on the left represent a pair of fake Windows AV products (XP Antispyware 2011 and Win 7 Antispyware 2011) that emerged in February and peaked at the beginning of April. They were replaced with 2012 versions (light blue and yellow) at the beginning of June, giving the market a new jolt of activity.

I've annotated that chart with a few key dates:

  • May 19: Mac Defender search activity peaks. That's the date a leaked Apple document emerges, in which the company orders support professionals not to acknowledge infections or attempt to remove them.
  • May 31: A month after the Mac Defender attack began, Apple finally releases a security update that downloads antivirus definitions daily. By that time, though, the threat had nearly run its course. Apple's response really was late.
  • June 23: An international law enforcement effort shuts down the payment infrastructure for the Mac and Windows fake-AV industry. The effect is dramatic: business drops precipitously and has remained down since then.

The moral of the story is clear: technological solutions have some effect, but nothing gets rid of a gang of criminals like a series of well-coordinated worldwide police raids.

Sadly, this break in the action is probably nothing more than a brief interruption. Sooner or later—probably sooner—a new gang will be along to start up where the previous one left off. But for now, at least, the quiet is welcome.

  • Scams are always temporary

    I think that it is obvious that a scam is a hit-and-run process. The scam can only last for a short period of time, then the scammer must move on to a newer scam.

    The only reason why the Nigerian scam still works after 10+ years of warnings is because the scammers keep changing it and people are still greedy enough to fall for it.
    • RE: Who killed the fake-antivirus business?


      The same reason people still forward emails about Cell Phone numbers going to public telemarketers and fake amber alerts. People are too lazy to find out the truth or take responsibility for their own security.
      • RE: Who killed the fake-antivirus business?

        @bobiroc Bingo... these things wouldn't happen if people weren't idiots that believed deleting win32 would somehow speed up their computer.
    • RE: Who killed the fake-antivirus business?


      Very important subject. Thank you and I subscribe you.
  • RE: Who killed the fake-antivirus business?

    Perhaps they are swimming with the fishes.
    • RE: Who killed the fake-antivirus business?

      @Richard B

      that would be nice ........
      da philster
  • This is Ed Bott at his best

    Nice work.
    Dietrich T. Schmitz *Your
    • RE: Who killed the fake-antivirus business?

      @Dietrich T. Schmitz * Your Linux Advocate

      I fear you may be right, Dietrich... This may be Ed at his best.

      Ed has reported that fake AV has practically disappeared from the web even though his article quotes Enigma and McAfee as only reporting a 60% drop. While a dramatic decrease, it hardly warrants saying that fake AV has "practically disappeared".

      His own research shows a much greater drop than his sources but still is a far cry from "practically disappeared". Also, his research is flawed because he only tracked the search trends on removal of five fake AV products which have only existed for a short period and only represent a few of the multitudes of fake AV malware out there. His drawn conclusion is unwarranted based on both cited figures and original research.

      A better analysis of his Google trend data reveals a much different conclusion.

      XP and WIN7 antispyware 2011 only appeared in February and were hardly affected by the June 23rd bust. Their disappearance from the trend data seems rather abrupt since the line just stops somewhere near their median point in mid June without ever falling to zero. It is unlikely the queries on removal would have dropped immediately once the website went down. Win7 antispyware appeared to be on the rise when the line just stops several days shy of the web site being taken offline. If they did, in fact, decline in June, it is likely due to the emergence of the 2012 versions which appeared late May. The overall trend data for both versions of 2011 malware shows introduction in February, a peak at end of March, and a leveling off near half peak from April to mid June, where trend data is unavailable beyond that.

      In late May, the introduction of the 2012 versions saw a much more rapid rise than the 2011 versions and a peak nearly twice as high for both the WIN7 and XP variants. After the initial drop in early June the falling trend did continue and the June 23rd bust is only mildly apparent; by the end of June, they both leveled off about the same as their 2011 counterparts. Both were showing a slight rise from July to August and the end of the trend history. Hardly at all indicative of a disappearance of fake AV.

      The Mac Defender malware showed the sharpest rise, highest peak, and sharpest decline, all before the June 23rd bust. It had a small peak and was declining again days before the June 23rd date. It too leveled off in July, following a similar trend line to Win7, except that it saw a slight decrease in August before leveling to the end of the trend history.

      I don't know what Ed is trying to sell here or why, but there is no news here. It seems that the fake AV is doing just as well as historical trend data suggests it should. There is an initial rise (which apparently was higher for Mac Defender and the 2012 versions of Ed's limited sample group) followed by a drop, as antimalware products caught up with their detection and removal of those particular threats. If anything, the trend data suggests that the malware writers were more successful recently and that Win7 is neither more secure now than what it was six months ago, nor is it especially more secure from these types of threats than WinXP. Keep in mind the XP install base is much larger than Win7 still, therefore the XP trend data is necessarily going to be higher than the Win7. Also, keep in mind that on Windows many people get these infections without user intervention and so they did not necessarily elect to install the fake AV.

      While the information provided is useful, Ed's editorializing on the facts draws false and misleading conclusions as usual.
  • RE: Who killed the fake-antivirus business?

    They'll be back.... Unfortunately. Thankfully, by now, most modern browsers and OSs prevent the installation of this crap.
    The one and only, Cylon Centurion
  • RE: Who killed the fake-antivirus business?

    These things rely on user ignorance. Perhaps the media frenzy about malware on the Mac actually helped put the spotlight on socially engineered attacks.
  • RE: Who killed the fake-antivirus business?

    These fake AV programs were a good source of side money and while I am happy to see them go and I hope that the security software companies and other companies like OS makers and credit card companies continue the fight to stop these.
  • RE: Who killed the fake-antivirus business?

    I've seen Chronopay before, in the context of malware finances. Similarly, a handful of financial institutions process payments for the fake pharmacies. Getting regulators to crack down on the financial processors involved in malware is the way to do it - we're just too obsessed with a technical solution!
    • RE: Who killed the fake-antivirus business?

      @mary.branscombe Breaking the money chain and seizing the profits is the best way to stop the scammers.

      I've always wondered why the feds haven't developed a quick "trap and trace" mechanism for online scams. It should be simple: an agent uses a special credit card number in a scam, then the credit card processor traces the transaction and shuts down the receiving account and seizes the existing funds. It should only take seconds in today's automated world.
      terry flores
      • Because they make more money when merchants are scammed!

        @terry flores - Yes! It seems so simple, doesn't it? It's the old Watergate adage - follow the money. In the age of the internet, it should be easier than it's ever been.

        The reason that the merchant banks don't go after the scammers is because it would cost them dearly to do so.

        Aside from the cost of the manpower to chase down these criminals, they would lose all the fraudulent sales! When someone uses a purloined credit card to make a purchase of a legitimate product, the merchant bank still gets their fee, and the merchant ends up being cheated.

        If the merchant banks put a stop to the fraudulent use of credit cards, they would lose probably tens (maybe hundreds?) of millions of dollars in fees!

        If you made the merchant banks liable for the fraudulent sales that they negligently authorize, credit card fraud would completely evaporate in the span of a couple months!
  • Message has been deleted.

    • RE: Who killed the fake-antivirus business?

      @JakeMathews This is just TOO rich, in a column talking about the end of a scam, a scam comment! CLASSIC!
    • RE: Who killed the fake-antivirus business?

      @JakeMathews what's an i-pad?
    • RE: Who killed the fake-antivirus business?


      I'll order just as soon as that 20% of the multi-million dollar transfer from overseas comes through. Any day now!
  • "But for now, at least, the quiet is welcome."

    It's not quiet elsewhere, though, in Microsoft land. Why aren't we hearing anything about the Morto worm? More here:


    Microsoft's alert level for Morto is currently 'severe'. Quiet?
    Rabid Howler Monkey
    • I've been following it

      @Rabid Howler Monkey

      It's yet another Trojan that preys on weak passwords. I might write something up, but basically anyone who uses the steps in my online security program is extremely unlikely to be affected.

      More details here:

      Ed Bott