A rise in fake antivirus offerings on Web sites around the globe shows that scammers are
increasingly turning to social engineering to get malware on computers rather than exploiting holes in
software, a Google study to be released on Tuesday indicates.

Fake antivirus--false pop-up warnings designed to scare money out of computer users--represents
15 percent of all malware that Google detects on Web sites, according to a 13-month analysis the
company conducted between January 2009 and February 2010.

That's a five-fold increase from when the company first started its analysis, Niels Provos, a principal
software engineer at Google, said in an interview.

Meanwhile, fake antivirus scams represent half of all malware delivered via advertisements, which is
becoming a problem for high-profile sites that rely on their advertisers and ad networks to distribute
clean ads.

Google analyzed 240 million Web pages and uncovered more than 11,000 domains involved in fake
antivirus distribution for the study, which Google is set to unveil at the Usenix Workshop on
Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif.

Researchers also found that over the course of the study, domains used for distributing the malware
were online for shorter and shorter periods of time in the face of Google's Safe Browsing
technology. Used in Chrome and Firefox, Safe Browsing helps alert Web browsers to sites hosting
malware, Provos said.

"As early as 2003, malware authors prompted users to download fake AV software by sending
messages via a vulnerability in the Microsoft Messenger service. We observed the first form of fake
AV attack involving Web sites, e.g. Malwarealarm.com, in our systems on March 3, 2007," the report
says. "At that time, fake AV attacks employed simple JavaScript to display an alert that asked users
to download a fake AV executable."

"More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the
Windows user interface," the report continues. "In some cases, the fake AV detects even the
operating system version running on the target machine and adjusts its interface to match."

Fake antivirus is easy money for scammers, Provos said.

"Once it is installed on the user system, it's difficult to uninstall, you can't run Windows updates
anymore or install other antivirus products, and you must install the [operating] system," rendering it
unusable until it is cleaned up, he said.

Provos said when encountering a fake antivirus message, Web surfers should close the browser and
restart the program. People who are duped by the scam may have to get professional help in
cleaning up the computer, he said. They should also monitor their credit card accounts because
scammers can use the credit card information for identity fraud.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a
foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News
Service, and the Associated Press.
Google: Fake antivirus is 15 percent of all malware