Finjan's Malicious Code Research Center came across a traffic management server in Ukraine used by underground online scammers to keep track of how many redirects their rogue antivirus sites get from legitimate sites that have been compromised.
Typically, rogue antivirus software displays a message saying that the PC is infected and offering antivirus software for sale. In a successful attack, the scammers end up with the victim's credit card information and don't bother to install any legitimate software.
Members of the "affiliate network" who compromise legitimate Web sites get US$0.096 for each successful re-direct, Finjan said in its latest Cybercrime Intelligence Report. There were 1.8 million unique users redirected to the rogue antivirus software during 16 consecutive days Finjan was monitoring the network, or about US$10,800 for each day, the researchers calculated.
Finjan also discovered that between 7 percent and 12 percent of people end up installing the rogue antivirus software and 1.79 percent of them paid US$50 for it.
Finjan researchers said they weren't certain how the legitimate Web sites were compromised. Once the sites were compromised, the scammers made heavy use of search engine optimization techniques to get those sites ranked high in search results by dynamically generating search keywords with typos and popular terms that people might use, Finjan said.
Lured by the high ranking on search engines, visitors end up on the compromised sites and are immediately redirected to pages that try to install rogue antivirus software on their computers.