To sell bogus goods, many of those sites rely on hundreds of "affiliate networks," which are essentially contractors that find ways to direct Web users to the bad sites, wrote Dmitry Samosseiko, a Sophos analyst. He made a presentation this week at the Virus Bulletin security conference in Geneva.
Affiliate networks have been around for a long time and there are many legitimate ones. But "the majority of the most powerful and controversial affiliate networks are based in Russia," Samosseiko wrote.
In Russian, the networks are known as "partnerka" and focus exclusively on promoting the dark corners of the Web. Essentially, someone who wants to become part of an affiliate signs up on a password-protected forum, most of which now are low profile and require an invitation. Once vetted, the new contractor is given a set of Web sites to promote.
One way to do so is to infect computers with malware either through spam or other means. The malware can tamper with a computer's DNS (Domain Name Server) settings in order to direct the user to a fake Google search engine site, which meshes real search results with ones that lead to, for example, a site selling fake antivirus software.
Another trick is called black hat SEO (search engine optimization). It involves creating a Web site, then using a variety of tricks mostly forbidden by search engines to get those Web sites high in search rankings. Methods include incorporating the most recently used search terms, often listed by search engines such as Google's Trends, into a Web site.
These affiliated "doorway" Web sites will redirect users to a dodgy Web page. A referring site can earn a commission if, for example, a person buys something.
The trick for someone selling a product is to "choose a partnerka with a high conversion rate to ensure that the generated revenue will be greater than the cost of traffic itself," Samosseiko wrote.
It's an insidious, yet profitable, scheme. Sophos was able to get a peek at one of the more popular partnerka called RefreshStats. That Web site enlists partners to create Web sites that implore people to download a codec, or a piece of software required to play video. Inevitably, the codec is a fake, and the PC is usually infected with fake antivirus software.
Samosseiko wrote that Sophos was able to see an administrator interface for RefreshStats that showed how much different contractors were making from the scheme. One particular contractor earned US$6,456 in August 2008. Another affiliate, called Topsale, offers up to a $25 commission for every sale of a fake antivirus product.
Samosseiko writes in his conclusion that there are hopeful signs that law enforcement and researchers can take down the rogue affiliates. But by all measures it doesn't seem that the industry is slowing down.
A recent report from security vendor Panda Security said that as many as 35 million computers worldwide may be infected with fake antivirus programs each month.
The company has collected an astounding 200,000 samples of different rogue antivirus products, about 80 percent of which are copies or are slight alterations of 10 basic families of fake products, said Luis Corrons, director of PandaLabs.
"We were seeing more and more users were being infected," Corrons said.