We’ve monitored the Rogueware threat landscape for quite some time over here at PandaLabs. Every day we see new domain names, product names, and various fake scan HTML templates. The Rogueware threat landscape hardly ever changes in a significant way, but today we came across something interesting. As you may know, most (if not all) of these threats are created in Eastern European countries such as Ukraine and Russia. This pretty much means that the cyber criminals will not deliberately try to infect users in those countries. In fact, some older Rogueware samples were programmed to quit after detecting the Russian keyboard layout. Well, until now that is…
Today we came across a Rogueware site completely constructed in Russian. The site claims to protect computers and social networking profiles against spam, phishing, viruses, and hacking attempts.
Here is what the site looks like:
Here is a Google Translate version of the page:
After clicking on the download button, we see several features that we can subscribe to (all checked by default). We are then presented with a brief fake scan, followed by a prompt asking us to select our geographic location (Russia by default). Once one of four mobile providers is selected, a special premium SMS number appears with instructions on retrieving the product activation code. The cost for the SMS activation is 300 Rubles, or just about $10 USD.
Google Translate of the SMS prompt:
So, what’s the deal? Why are these cyber criminals targeting their own countrymen when they purposely tried to avoid it in the past? My guess is that they are not making as much money as they used to. Antivirus companies are improving detection and more users are becoming aware of the threat; therefore fewer victims are converting and the cyber criminals must be struggling to make what they used to. Last year we estimated that cyber criminals behind Rogueware threats were making up to 34 million dollars per month, but who knows how much they are making now? It definitely seems like a new low to me.