UK Internet users were on the receiving end of a large drive-by web attack at the end of February, which attempted to push fake antivirus at least 750,000 times on a single day alone, security company AVG has said. UK Internet users were on the receiving end of a large drive-by web attack at the end of February, which attempted to push fake antivirus at least 750,000 times on a single day alone, security company AVG has said.According to a company analysis, on Sunday 27 February, detection levels for the previously obscure Russian ‘Blackhole’ exploit kit suddenly spiked to 900,000 globally from a few tens of thousands that would be typical for such kits, before dropping back again.Unusually, almost 750,000 of these detections were for UK PCs, which offers a baseline for what must have been a sustained attack several times that size against mainstream web servers frequented by users in the country.Why relatively well-protected UK Internet users was chosen is not clear, but the campaign does appear to have been successful, compromising 600 servers, and serving nine different Java, Adobe and Microsoft exploits, including the MS-MDAC flaw from 2006. The exploit servers were based overwhelmingly in Estonia with some in the US. AVG managed to compromise one of the servers used to control the Blackhole attack, which reported a ‘load’ (execution) rate for bogus antivirus software of nearly eight percent. This only shows the number of machines that ran the Fake AV alerts based on successfully serving any one of the exploits, and not how many of these users fell for the scam and paid up in the end.However, the criminals running the exploit campaign only care about loads because this is the statistic used to calculate what they are paid – the actual scam AV revenues go to a different set of criminals. “It is exceptional compared to anything we have seen for some time,” said AVG CTO, Yuval Ben-Itzhak on the attack’s impressive size.The UK focus might have had something to do with the criminals’ ability to compromise web servers in the country or simply down to their paymaster’s preference for being paid in British currency, he said.The attack hints that Britons might still be falling for fake antivirus scams, still a common attack type despite having been around for several years.One odd statistic is that the fake AV was loaded on Mac OS systems on 14 occasions, a miniscule number when set against the tens of thousands reported for Windows users, but which might indicate that some success was gained using a cross-platform Java exploit. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe