The nocebo effect on the web: an analysis of fake anti-virus distribution

Authors:
Moheeb Abu Rajab;Lucas Ballard;Panayiotis Mavrommatis;Niels Provos;Xin Zhao
Affiliations:
Google Inc.;Google Inc.;Google Inc.;Google Inc.;Google Inc.
Venue:
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Year:
2010

Citing 3
Cited 9

A framework for detection and measurement of phishing attacks

Proceedings of the 2007 ACM workshop on Recurring malcode
All your iFRAMEs point to Us

SS'08 Proceedings of the 17th conference on Security symposium
Cybercrime 2.0: When the Cloud Turns Dark

Queue - Web Security

An analysis of rogue AV campaigns

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
deSEO: combating search-result poisoning

SEC'11 Proceedings of the 20th USENIX conference on Security
Fashion crimes: trending-term exploitation on the web

Proceedings of the 18th ACM conference on Computer and communications security
SURF: detecting and measuring search poisoning

Proceedings of the 18th ACM conference on Computer and communications security
Cloak and dagger: dynamics of web search cloaking

Proceedings of the 18th ACM conference on Computer and communications security
Tracking DDoS attacks: insights into the business of disrupting the web

LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on OS password-entry dialogs

Proceedings of the 2012 ACM conference on Computer and communications security
Manufacturing compromise: the emergence of exploit-as-a-service

Proceedings of the 2012 ACM conference on Computer and communications security
Exploiting visual appearance to cluster and detect rogue software

Proceedings of the 28th Annual ACM Symposium on Applied Computing

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a study of Fake Anti-Virus attacks on the web. Fake AV software masquerades as a legitimate security product with the goal of deceiving victims into paying registration fees to seemingly remove malware from their computers. Our analysis of 240 million web pages collected by Google's malware detection infrastructure over a 13 month period discovered over 11,000 domains involved in Fake AV distribution. We show that the Fake AV threat is rising in prevalence, both absolutely, and relative to other forms of web-based malware. Fake AV currently accounts for 15% of all malware we detect on the web. Our investigation reveals several characteristics that distinguish Fake AVs from other forms of web-based malware and shows how these characteristics have changed over time. For instance, Fake AV attacks occur frequently via web sites likely to reach more users including spam web sites and on-line Ads. These attacks account for 60% of the malware discovered on domains that include trending keywords. As of this writing, Fake AV is responsible for 50% of all malware delivered via Ads, which represents a fivefold increase from just a year ago.