We perform a study of Fake AV networks advertised via search engine optimization. We use a high-interaction fetcher to repeatedly evaluate the networks by querying landing pages that redirect to Fake AV distribution sites. We identify several distinct Fake AV distribution networks, and we show that each network exhibits distinct updating behaviours. We propose optimizations for crawlers that explore Fake AV networks to leverage the strong fan-in property of these networks and, where possible, the periodic update behaviour of the network elements. We evaluate these optimizations and show that they can be used to drastically reduce the number of visits to the network, which in turn reduces the likelihood of being blacklisted.