According to a company analysis, on Sunday 27 February, detection levels for the previously obscure Russian 'Blackhole' exploit kit suddenly spiked to 900,000 globally from a few tens of thousands that would be typical for such kits, before dropping back again.
Unusually, almost 750,000 of these detections were for UK PCs, which offers a baseline for what must have been a sustained attack several times that size against mainstream web servers frequented by users in the country.
Why relatively well-protected UK Internet users was chosen is not clear, but the campaign does appear to have been successful, compromising 600 servers, and serving nine different Java, Adobe and Microsoft exploits, including the . The exploit servers were based overwhelmingly in Estonia with some in the US.
AVG managed to compromise one of the servers used to control the Blackhole attack, which reported a 'load' (execution) rate for bogus antivirus software of nearly eight percent. This only shows the number of machines that ran the Fake AV alerts based on successfully serving any one of the exploits, and not how many of these users fell for the scam and paid up in the end.
However, the criminals running the exploit campaign only care about loads because this is the statistic used to calculate what they are paid - the actual scam AV revenues go to a different set of criminals.