A Sunbelt researcher has had the “fortune” of having a relative fall for the scam, which gave him the opportunity to take a peak at the process following the acquisition of the rogue solution.
Upon paying up, the victim received the following “order confirmation”:
Three completely different domains are given to the user: one will feature in your credit card statement, one where you go to download the solution, and one for the “Help center”:
The researcher made a point of looking up some information regarding the domains, and most of them involve a certain Taras Frinov and are well-known peddlers of fake AV.
The interface of the rogue software looks practically the sam before and after the activation of the “full” version. The only difference is that when the customer performs a scan with the full version, the solution provides results that say that the computer is completely clean of malware.
When the user updates the definitions, the software downloads the Clam AV database. The solution even allows the user to deinstall it without putting roadblocks in front of him.
All in all, the illusion is not good enough to fool an expert, but the casual user can be fooled into thinking that nothing suspicious is happening.