According to a company analysis, on Sunday 27 February, detection levels for the previously obscure Russian 'Blackhole' exploit kit suddenly spiked to 900,000 globally from a few tens of thousands that would be typical for such kits, before dropping back again.
Unusually, almost 750,000 of these detections were for UK PCs, which offers a baseline for what must have been a sustained attack several times that size against mainstream web servers frequented by users in the country.
Why relatively well-protected UK Internet users was chosen is not clear, but the campaign does appear to have been successful, compromising 600 servers, and serving nine different Java, Adobe and Microsoft exploits, including the . The exploit servers were based overwhelmingly in Estonia with some in the US.
AVG managed to compromise one of the servers used to control the Blackhole attack, which reported a 'load' (execution) rate for bogus antivirus software of nearly eight percent. This only shows the number of machines that ran the Fake AV alerts based on successfully serving any one of the exploits, and not how many of these users fell for the scam and paid up in the end.
However, the criminals running the exploit campaign only care about loads because this is the statistic used to calculate what they are paid - the actual scam AV revenues go to a different set of criminals.
"It is exceptional compared to anything we have seen for some time," said AVG CTO, Yuval Ben-Itzhak on the attack's impressive size.
The UK focus might have had something to do with the criminals' ability to compromise web servers in the country or simply down to their paymaster's preference for being paid in British currency, he said.
The attack hints that Britons might still be falling for fake antivirus scams, still a common attack type despite having been around for several years.
One odd statistic is that the fake AV was loaded on Mac OS systems on 14 occasions, a miniscule number when set against the tens of thousands reported for Windows users, but which might indicate that some success was gained using a cross-platform Java exploit.