January 23, 2012

The number of so-called "paid archives" detected by Dr.Web anti-virus software as Trojan.SmsSend is steadily increasing each month. This comes as no surprise since attackers do not need to be skilled programmers to create that kind of malware. Many sites offer so-called "affiliate programs" that thoughtfully provide ready-made solutions — special "design templates" to help you build your own Trojan.SmsSend within a few minutes. The volume of this clandestine market is truly enormous: attackers earn tens of thousands of dollars per month on distributing paid archives. Doctor Web, a Russian information security vendor, is ready to share exclusive information with users on how this mechanism works and advise how to avoid financial losses from the attackers’ activities.

Trojan.SmsSend is normally an executable file that poses as an installer of a useful program. When you try to open such an archive, the computer screen displays the installation window of the corresponding application, and then the program requests that a paid SMS message be sent to a number specified by the attackers. Only then can the installation proceed. In some cases, allegedly in order to activate the program, the user is asked to enter the mobile phone number and then the code obtained in a reply SMS message. By doing this, the victim agrees to the terms of a subscription to a paid service, for which his or her account will be debited monthly. The trick is that such "paid archives" either do not contain the promised application, or the application can be easily downloaded for free from the official developer's website.

Despite the seeming simplicity and obviousness of this fraudulent scheme, the market for such "services" is truly vast. More and more unsophisticated users are responding to offers of web criminals by sending paid SMS for what they could be getting for free. Doctor Web specialists have managed to ascertain the volume of the revenue brought in by malware distributors. Thus, one partner program that is widely advertised in various underground forums and websites, from where it continually attracts new members, promises distributors of Trojan.SmsSend up to $200 a day for sending one-time paid messages to premium numbers. The leaders of this illegal market, occupying the top ten of the most active Trojan distributors, earn $850 to $7,740 a month, the average being $2,678.50.

Revenues obtained from online fraud victim subscriptions to paid services are significantly higher; they can range from $3,000 to $22,000 per attacker monthly, with an average of $8,295.50. One should understand that for online attackers who earn such sums by deceiving Internet users, this activity is their main source of income, and it occupies all their spare time. Moreover, they are well aware that what they are doing is a crime, the responsibility for which is outlined in Article 273 of the Criminal Code of the Russian Federation ("The creation, use and distribution of malicious computer programs").

Trojan.SmsSend viruses are also distributed in a variety of ways that include fake file-sharing websites, web pages specially created to mimic the interface of the Internet resources of official developers of various programmes, e-mail spam, specialist forums, or mass messaging over ICQ protocol. In addition, online fraudsters actively use adnets such as Yandex.Direct and Google AdSense, place contextual advertising in social networks, and are not afraid to send links to malware from previously hacked accounts.

Users can easily avoid such dangers and prevent themselves from falling prey to online scams, if they will just spend a little more time searching for the official site of the manufacturer of the program they are planning to download. In most cases, they will be able to get it absolutely free, and that way, they certainly won’t pay a dime for an archive that contains nothing useful. Well, and if you did fall victim to network attackers, nothing prevents you from submitting a corresponding statement to the police.

Doctor Web is planning a campaign against attackers who use short service numbers when distributing malware. Information on such numbers will be rapidly shared with mobile operators to assist their technical services in deciding whether to terminate individual numbers used in fraudulent schemes.