Threat Analysis

Hackers Scam Thousands of PC Users Through Online Ads Touting Rogue Anti-Spyware

  • Date: November 6, 2007
  • Author: Don Jackson

SecureWorks reported today that hackers using Russian Business Network (RBN) services, among other hosting services, have successfully scammed thousands of victims with a new and complex multi-step scam involving rogue anti-spyware. Reported incidents of the scam have increased 1000 percent in the last month. Complaints of the scam can be found on sites, such as castlecops,

How the Hacker Scam Works

  1. Victim browses a legitimate, high-traffic website where a legitimate-appearing ad is hosted
  2. Victim clicks on the page or takes some other action on the page and this initiates a pop-up warning about a suspicious problem on the victim's computer.
  3. The pop-up in the previous step starts a "sales process" where a bogus anti-spyware solution is offered and sold to the victim for amounts ranging from $19.95 to $79.95 in exchange for credit card info, etc. Bogus antispyware names used in this offer include: Spy-shredder, AntiVirGear, MalwareAlarm and 40 other more obscure names.
  4. The "antispyware solution" purchased either downloads a trojan, such as Zlob, that retrieves other information from the victim over time or a rootkit, allowing remote control of the victim's computer.
  5. The scammer behind the bogus antispyware solution makes money from the sale of the "solution" but is mostly interested in selling the credit card numbers for money and selling access to the trojan and rootkit infected computers. Once access to the infected computers is purchased, the criminals can mine the stolen data and commit the fraud themselves or sell it to a third party. The scammers are also selling computing resources for money.

The new scam is dependent on a high degree of collaboration among a number of Internet criminals for the full "supply chain" to benefit to the greatest possible extent from the scam. The hackers behind the "badvertising" scam are randomly injecting the ads with the malicious code, making it very difficult for the website owner to predict which ads are malicious and which ads are safe.

Playing in the Gray Area of the Law

SecureWorks believes that the hackers are particularly attracted to this scam because the scammers initiating the download of the rogue antispyware are able to hide in a gray area of the law by providing supposed "antispyware demo software." Providing demos of antispyware isn't actually a criminal offense and the companies providing the rogue antispyware are registered in locations that protect them from any civil liability such as Bahamas, Ceylon, and Seychelles (Victoria). Additionally, they are not technically violating any of the terms of their hosting providers.

Money Made for each Install of the Rogue Antispyware

There are many ways to make money with this scam. First, the hackers can sell the stolen credit card numbers or billing data. They can also sell access to the trojan infected or backdoor accessed computer. The infected computers can be turned into a proxy bot on demand. They can also make a small commission on each new infected computer or bot. They can also make money off the advertising/traffic fraud.

Damage to Legitimate Websites

The damage to legitimate websites can be compounded because they are unwillingly associated with the scam, causing legitimate websites not to work and driving visitors away. Also, the Adware installed through this scam often replaces ad on web sites with scammer's own ads, which causes a loss of potential revenue for the advertiser.

Some of the replaced ads are often pornographic, offer counterfeit drugs, or promote work at home scams.

How to Protect from the Badvertising Scam

SecureWorks has protections in place for its clients. However, any website that runs ads is at risk for this scam, including job sites, news and information sites, and TV and popular entertainment sites.

SecureWorks recommends that websites, ad companies, and ad aggregators protect themselves from this scam by consistently monitoring the ads on their site or the ads they are placing. Websites must enforce strict content guidelines for their advertisers to follow and they themselves must follow stringent rules as to who they sell their ads to, making sure the buyer is legitimate.

The best way for computer users to protect themselves from this threat is to avoid downloading any antispyware software that is not a legitimate or well-known antispyware solution.

Back to more Threat Analyses and Advisories


See for yourself: Request your demo to see how Taegis can reduce risk, optimize existing security investments, and fill talent gaps.