Google: Scareware accounts for 15 percent of all malware

Google: Scareware accounts for 15 percent of all malware

Summary: According to Google's Security Team, 15% of the malware domains they detected on the web over the past 13 months was scareware, also known as fake security software. Just how realistic is this percentage?


In an upcoming research entitled "The Nocebo Effect on the Web: An Analysis of Fake AV distribution", Google's Security Team is about to release the results from their 13 month study into the growth of fake security software, also known as scareware or Fake AV.

A preview of their findings:

  • The analysis is based on 240 million web pages used as a sample
  • 11,000 domains involved in Fake AV distribution discovered based on the sample
  • Fake AV currently accounts for 15% of all malware Google detects on the web
  • Fake AV attacks account for 60% of the malware discovered on domains that include trending keywords
  • Fake AV is responsible for 50% of all malware delivered via Ads

What's the first thing that makes an impression based on these findings? It's the small number of domains they were able to identify, despite the fact that 60% of the domains hijacking trending topics serve scareware, and that 50% of all malware delivered through malvertising is fake AV.

This number is the effect of the active evasive practices  applied in order to trick Google's crawlers, by serving them legitimate content, and the malicious one to the unaware end user.

Cybercriminals have been abusing Google Trends (Cybercriminals syndicating Google Trends keywords to serve malware; Syndicating Google Trends Keywords for Blackhat SEO) for scareware or malware serving purposes for years.

The same, although in smaller proportions, has been taking place through legitimate ad networks (Malware-infected WinRAR distributed through Google AdWords; Scareware Campaign Using Google Sponsored Links), with malvertising (the practice of serving malicious content through legitimate ad networks) already trending.

How are cybercriminals tricking Google's crawlers in the first place? In the very same way search engine optimization scammers have been doing since the early days of the Web - through content cloaking, through Google's playbook by using noindex, nofollow, noarchive tags, and through one of the most effective practices used by blackhat SEO campaigners these days - the http referrer:

  • "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol."); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++"

Since a crawler isn't using http referrers, and isn't browsing the web using a user agent (How the Koobface Gang Monetizes Mac OS X Traffic; Mac OS X user agent check) that the cybercriminal would like to serve malicious content to, they are easily capable of covering up their tracks, sometimes even from the eyes of the security researcher who's trying to profile their campaigns starting from somewhere in the middle of the URL redirection chain.

Pragmatic tips for preventing scareware infections:

  • Go through ZDNet's Guide to Scareware Protection, explaining the basics of what scareware is, the tactics used by the cybercriminals to spread it, as well as the main characteristics of the scam. Even better, share the link to the guide with your social circle in an attempt to raise awareness on one of the most prolific monetization tactic cybecriminals use these days.
  • In 99% cases of the scareware infection attempts, the user is in control of situation. The remaining 1% are the campaigns where scareware is pushed through client-side exploits, or through a botnet the user is unknowingly participating in. Since scareware is relying entirely on the use of social engineering and legitimately looking "You're Infected!" pop-ups, learning the characteristics of the scam would help you to spot and avoid executing the binary it's enticing you to do.
  • Although perceived as a prank by some, scareware has been converging with ransomware for a while now. Realizing the mess that could take place with a scareware variant locking down your PC, or encrypting key files on it, is logically supposed to increase the end user's vigilance in those cases where their Internet Security Suite doesn't alert them in the first place.
  • Don't bother attempting to verify the legitimacy of Mega Antivirus Solution 2010, since cybercriminals systematically rebrand the same piece of scareware with a different name. In fact, a common practice these days is to see scareware A using a blackhat SEO campaign by promising to remove scareware B. Use a basic tcp wrapper hosts.deny: ALL approach - automatically assume the worst, and basically check whether the software pretending to be legitimate is actually real.
  • Browsing the Web in a sandboxed environment, using least privilege accounts, and ensuring you are free of client-side exploitable flaws will mitigate a huge percentage of the risk.

Google is set to release their complete report at the end of the month. The company is the best position to make an impact in the fight against scareware through the SafeBrowsing project, now an inseparable part of modern browsers. An update will be posted as soon as the research becomes public.

Topics: Security, Browser, Google, Malware

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This is all I have been seeing lately

    The sad part is many of these computers do have a security software installed which is typically the McAfee Security Center given free by some ISPs. The McAfee suite is almost always disabled by the scareware or infection and then the problem compounds itself.

    Now this is decent side job money for me but something needs to be done. The pop ups are very convincing and the average computer user does not know the difference. The antivirus companies need to step up and start offering better protection for such things.
    • There is so much scareware everywhere on the Internet, in fact, that even..

      ..your own computer has already been infected!
      You remove the nasty scareware before it steals your identity and drains your credit card accounts, buy Scareware Destroyer Pro today!

      Limited time offer; buy one get one free! So you can install it twice on the same computer without paying extra!!
  • RE: Google: Scareware accounts for 15 percent of all malware

    I agree with Bobiroc's comment above. In my nearing 30
    years of using PC's, I've only ever been bitten by two
    virii/trojans/malware, and both were in the past 2
    years, one was 'Windows Antivirus 2008' and the other
    was Windows Antispyware 2010', (which was pretty
    nasty, disabled all other security on my system, and
    made itself the default 'shell' for opening all
    programs...but I hand cleaned it within 4 minutes).

    The most troubling thing here is NOT one of my
    security programs, (Malwarebytes, Superantispyware,
    Avast) noticed or warned me of the incoming threats.
    Both installed via different known but unpatched at
    that time Adobe Acrobat flaws, (I did have one near
    infection a few months back that installed via a Sun
    Java flaw, but I caught that one in time).

    So as the article states above, I now recommend
    EVERYONE use their browsers/email programs in a
    sandbox. I use a program called 'Sandboxie', it's
    free, and it works VERY well. It's been at least 4 or
    5 years since I really felt 'secure' on the Net, but
    Sandboxie has helped there.

    And one more recommendation: Ditch Adobe stuff. At
    least until they take their hits on the nose and
    finally realize they gotta tighten that stuff up
    before people completely lose faith in them. If you
    must run Flash or Acrobat, I would force it to run in
    either a virtual machine, or a sandboxed browser. My
    current opinion is that Adobe's web addons are the
    most dangerous things most people have installed on
    their computers as far as infection risk is concerned.
    • Have had good luck with this program


      While it is not a scanner or anything it does install and blacklist known malware processes and websites. It is free as long as you manually update and I have been installing it on every side job I do and for the most part those have been infected computers.
  • Nice synopsis

    The scariest part of scareware and its myriad of bogus stripes is the crucial variable that sits in front of the screen. If we could only figure out a way - social engineer, as it were, the neurons behind the reflex impulse - to get the user to THINK before CLICKING.

    Then mandatorily stamp or label every computer and monitor with the following admonition: [b]WARNING! ONCE CONNECTED TO THE INTERNET, TRUST NOBODY, NOT EVEN YOURSELF![/b]

    And hope springs eternal, alas.

      Why should I trust you? You're probably lying. I should probably trust everyone, in fact. Oh sh--, paradox!
      • Self pwnd to trust

        You're catching on. ;)
  • RE: Google: Scareware accounts for 15 percent of all malware

    So what just reload and think how stupid these jersk are.
    • Ya, these stupid jersk.

      [b] [/b]
  • RE: Google: Scareware accounts for 15 percent of all malware

    How do you get them off? I clicked the X to get rid of it and that put it on my computer.
    • Linux

      [b] [/b]
    • Don't Click...Period

      I assume your question means, "Once they appear, how do you dismiss them without accepting them?"

      That starts with recognizing what they are in the first place. It sounds like you're at least partway there, but in order to go the rest of the way you have to realize that they're not going to give you ANY click that's benign. No matter where you click, they gotcha.

      Since they usually lock up the browser until the pop-up or drop-down is dismissed, and since you can't dismiss it without clicking, and since clicking is what you DON'T want to do, then obviously when one appears, you're done with that browsing session. Simply force-quit the browser...and stay away from that URL next time. You'll lose your browsing session, but that's all you'll lose.
      • Or just use an OS and browser that are unaffected by this crap.

        Or press Ctrl+F4.
  • RE: Google: Scareware accounts for 15 percent of all malware

    Well done! Thank you very much for professional templates and community edition
    <a href="">sesli sohbet</a> <a href="">sesli chat</a>