The appeal of the bogus antivirus software—often called “scareware”—is rooted in fear. This fraud doesn’t rely on convincing the victim of something preposterous—for example, that a Nigerian prince needs help relocating his money. Instead, the delivery is calibrated to capitalize on the real warnings we’ve all gotten. “People who don’t know exactly what’s going on—and have been [told], ‘Run your antivirus protection, brush your cyber-teeth every day’—are going to be driven to try to respond to that,” says Vint Cerf, a coinventor of the Internet’s original protocols, who is now chief Internet evangelist at Google. The attacks generally come from countries where cyber-crime laws are lax (or unenforced) and treaties obligating coöperation with other nations are not in effect. Many criminal gangs operate networks from Eastern Europe in particular. (Some malware checks to see whether a potential victim’s computer is set for Eastern European locales or has a Russian-language keyboard, whereupon it will gracefully exit.)
At large: Shaileshkumar Jain (above left) and Bjorn Daniel Sundin (right) have been charged with wire fraud and hit with a $163 million judgment after allegedly bilking consumers by selling fake antivirus products through their now-defunct company Innovative Marketing, which was based in Kiev.
It’s easy to see why the fake-antivirus scam is so popular among criminals. The payoff is immediate and the profits large. Someone who steals other kinds of digital booty, like credit card numbers or passwords, must take extra steps to cash in. But a fake antivirus product puts money right into the crook’s pocket. For example, in 2008 the U.S. Federal Trade Commission sued principals of Innovative Marketing, which was incorporated in Belize and at the time maintained offices near Kiev, Ukraine. The FTC said the company hauled in more than $163 million from 2004 to 2008 by tricking consumers into clicking to download fake software with such clever titles as Winfixer, WinAntivirus, Drivecleaner, SystemDoctor, and XP Antivirus 2008. Last year a federal judge in Maryland levied a judgment in that amount against company principals Shaileshkumar “Sam” Jain and Bjorn Daniel Sundin, who were later hit with wire-fraud indictments in federal court in Chicago. They remain at large. A third defendant, James Reno of Amelia, Ohio—who had settled with the FTC—was also indicted; he is accused of running a call center where operators tried to fend off people who complained, though the staff also sometimes provided refunds to irate customers in order to stay off the radar of credit card companies. His attorney did not return messages left by Technology Review.
The damage wrought by this organization may have been even worse than the FTC alleged. A researcher for the security company McAfee was able to determine that Innovative Marketing had some 600 employees and 34 servers disseminating malware, most of them operating from a traditional office complex in Kiev. The corporate empire included divisions that handled credit card payments, the call center in Ohio, and several adult websites that did double duty as vectors for the fake antivirus software. McAfee noted that Innovative Marketing logged 4.5 million orders during an 11-month period in 2008; at $35 per order, the annual revenue apparently neared $180 million. That’s better than the $150 million that Twitter will pull in this year, according to an estimate by the market research firm eMarketer.
Innovative Marketing no longer exists. But that hasn’t slowed the worldwide fake-antivirus business. “There have been multiple malware gangs working rogue antivirus scams consistently over the past five years,” says Eric Howes, research analyst at GFI Software, in Clearwater, Florida. To keep the operations humming, purveyors of this and other forms of malware adapt a business technique used by companies like Amazon: the affiliate model. Just as anyone’s website can include a link to an Amazon purchase form and collect a fee for any sales, antivirus scammers enlist third parties known as affiliates, who can get a fee for each installation—that is, each time someone opens the door to malware by clicking on the false warning—plus a commission on each resulting “sale” of the phony product. One distributor, Avprofit.com, promised on its website that it would pay between $300 and $750 for every 1,000 installations in the United States, Canada, Great Britain, or Australia, where the chance of encountering victims who can afford to pay what the fake warnings demand is higher. Experience required: Avprofit sought hackers with “minimum average 250 installs per day.”