Google: Scareware accounts for 15 percent of all malware
According to Google's Security Team, 15% of the malware domains they detected on the web over the past 13 months was scareware, also known as fake security software. Just how realistic is this percentage?
The analysis is based on 240 million web pages used as a sample
11,000 domains involved in Fake AV distribution discovered based on the sample
Fake AV currently accounts for 15% of all malware Google detects on the web
Fake AV attacks account for 60% of the malware discovered on domains that include trending keywords
Fake AV is responsible for 50% of all malware delivered via Ads
What's the first thing that makes an impression based on these findings? It's the small number of domains they were able to identify, despite the fact that 60% of the domains hijacking trending topics serve scareware, and that 50% of all malware delivered through malvertising is fake AV.
This number is the effect of the active evasive practices applied in order to trick Google's crawlers, by serving them legitimate content, and the malicious one to the unaware end user.
How are cybercriminals tricking Google's crawlers in the first place? In the very same way search engine optimization scammers have been doing since the early days of the Web - through content cloaking, through Google's playbook by using noindex, nofollow, noarchive tags, and through one of the most effective practices used by blackhat SEO campaigners these days - the http referrer:
"var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol."); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++"
Since a crawler isn't using http referrers, and isn't browsing the web using a user agent (How the Koobface Gang Monetizes Mac OS X Traffic; Mac OS X user agent check) that the cybercriminal would like to serve malicious content to, they are easily capable of covering up their tracks, sometimes even from the eyes of the security researcher who's trying to profile their campaigns starting from somewhere in the middle of the URL redirection chain.
Pragmatic tips for preventing scareware infections:
Go through ZDNet's Guide to Scareware Protection, explaining the basics of what scareware is, the tactics used by the cybercriminals to spread it, as well as the main characteristics of the scam. Even better, share the link to the guide with your social circle in an attempt to raise awareness on one of the most prolific monetization tactic cybecriminals use these days.
In 99% cases of the scareware infection attempts, the user is in control of situation. The remaining 1% are the campaigns where scareware is pushed through client-side exploits, or through a botnet the user is unknowingly participating in. Since scareware is relying entirely on the use of social engineering and legitimately looking "You're Infected!" pop-ups, learning the characteristics of the scam would help you to spot and avoid executing the binary it's enticing you to do.
Although perceived as a prank by some, scareware has been converging with ransomware for a while now. Realizing the mess that could take place with a scareware variant locking down your PC, or encrypting key files on it, is logically supposed to increase the end user's vigilance in those cases where their Internet Security Suite doesn't alert them in the first place.
Don't bother attempting to verify the legitimacy of Mega Antivirus Solution 2010, since cybercriminals systematically rebrand the same piece of scareware with a different name. In fact, a common practice these days is to see scareware A using a blackhat SEO campaign by promising to remove scareware B. Use a basic tcp wrapper hosts.deny: ALL approach - automatically assume the worst, and basically check whether the software pretending to be legitimate is actually real.
Google is set to release their complete report at the end of the month. The company is the best position to make an impact in the fight against scareware through the SafeBrowsing project, now an inseparable part of modern browsers. An update will be posted as soon as the research becomes public.