We’ve seen reports that imply that spammers, cybercriminals and other assorted bad guys don’t really make that much money, and at the same time, we’ve seen reports that put staggering dollar amounts on the total losses suffered by companies each year. There is very little doubt that losses can run high, and that the threats must be taken seriously. But just how much money are these guys making? Are they nickel-and-dime hustlers, or are they major con artists in the same league as Bernie Madoff? My guess is that the most successful of them are keeping their cards close to their vests and we’ll never know.

A new report however shed a little light on a rogueware affiliate network. According to reports, some cyber-criminals compromise web sites, insert redirecting code to take visitors to a site that peddles fake antivirus software, and then attracts victims using standard search engine optimization marketing techniques. During a study period of 16 days, the providers were able to rake in more than $10,000 a day, and over 1.8 million people were redirected to the bogus site over the study period. With affiliates getting 9.6 cents per click, that makes for about $172,000 of payouts. However, my guess is that there are thousands of affiliates out there sharing that pot, and it’s the masterminds behind the bogus antivirus software that are really getting rich.

While the back-office folks compromise the web sites and create the redirects, another group of affiliate marketers focus on using the SEO techniques to get victims to the pages so they can be tricked into installing the bogus security software.

What this means to network security is that there are potentially thousands of people out there every day, using these techniques to try to trick your people both in the office and at home into thinking their computers are infected with some nonexistent virus, and only they can fix it. We would hope that in an office environment, the employee that receives such a message would call in one of the IT guys, who would recognize the scam. But with so many employees working from home and on the road, often on their own computers, the risk runs much higher that the antivirus scam would penetrate a home computer being used for business, and those annoying “you’ve been infected” messages may start popping up in the office as those computers get synchronized with the office desktops.