June 28, 2011

More than half of all sales at the world’s largest rogue Internet pharmacy in the last four years were charged to credit and debit cards issued by the top seven card-issuing banks, new research suggests.

Unlicensed pharmacies create public health risks and confuse consumers who are looking for safe and reliable prescription medicines. Rogue pharma Web sites are primarily advertised with the help of spam, malicious software, and hacked Web sites. Curbing this drug dealing activity would promote both public health and Internet users’ safety.

Recent findings highlight additional levers that policymakers could use to curb sales at rogue online pharmacies, by convincing the card-issuing banks to stop accepting these charges or by enacting legislation similar to that used to squelch online gambling operations.

The figures shown below come from sales data stolen from Glavmed, a Russian affiliate program that pays webmasters to host and promote online pharmacy sites that sell a variety of prescription drugs without requiring a prescription. Last summer, a source sent KrebsOnSecurity a copy of the Glavmed database, which includes credit card numbers and associated buyer information for nearly $70 million worth of sales at Glavmed sites between 2006 and 2010.

I sorted the buyer data by bank identification number (BIN), indicated by the first six digits in each credit or debit card number. My analysis shows that at least 15 percent of all Glavmed purchases — approximately $10.7 million in rogue pill buys — were made with cards issued by Bank of America.

The Glavmed sales using cards issued by the top seven credit card issuers were almost certainly higher than listed in the chart above. About 12 percent of the Glavmed sales could not be categorized by bank ID number (some card issuers may have been absorbed into larger banks). Hence, the analysis considers only the 88 percent of Glavmed transactions for which the issuing bank was known. More significantly, the figures in this analysis do not include close to $100 million in sales generated during that same time period by Spamit.com, a now defunct sister program of Glavmed whose members mainly promoted rogue pharmacies via junk e-mail; the leaked database did not contain credit or debit card numbers for those purchase records.

The data help to draw a more complete picture of the financial infrastructure that powers the spam ecosystem. In May, researchers from two University of California campuses published findings from a three-month study of spam markets, during which they spent thousands of dollars buying drugs advertised via spam. The researchers discovered that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by three financial companies — based in Azerbaijan, Denmark and Nevis West Indies. The full paper is available here (PDF).

Glavmed + Spamit revenues 2006-2010.

The data from the Glavmed purchases suggest that the spam ecosystem could be crippled if banks stopped processing payments to a handful of institutions. It also shows that such an effort would require action by relatively few card-issuing banks.

Stefan Savage, one of the authors of the University of California study, said there is no shortage of smaller financial institutions that are willing to take on riskier transactions such as online pharmaceuticals. But he said forcing rogue pharmacies to constantly seek new processing partners could put a serious dent in revenues.

“The issue is that it is not a cheap or quick transaction to set up a new banking relationship,” Savage told me. “You need to meet these guys, Visa or MasterCard needs signed credentials for both you and the bank, and this process can take a week at light speed to set up. So, even if you as a pharmaceutical organization can change processors, you can’t do it overnight. And on the flip side, it would take me seconds to figure out if a pharma organization switched [processing] banks. So, technically, if [card-issuing] banks were willing to adopt a blacklisting approach, there is absolutely no way these pharma outfits could keep up.”

I wondered whether Savage’s proposed approach would work, so I asked Igor Gusev, the founder of Glavmed. Gusev is a fugitive from his native Russia, which last year lodged criminal charges against him and his business. In a phone interview with KrebsOnSecurity, Gusev said putting more concerted pressure on the merchant banks would decimate the rogue pharmacy industry, which tends to coalesce around a handful of processors and switch processors in lockstep when forced to move. For example, since the University of California study was published, the pharmacies featured in the study that were processing at Azerigazbank (AG Bank) in Azerbaijan stopped using AG Bank and moved their business to another institution in that country — Bank Standard.

“They need to put pressure on the card processors which are monsters [that] only regulate on very negative public pressure,” Gusev said. “I think it would be a very powerful strike, and online pharma would be dead within two years if they could somehow switch off the merchants who [are] connected to online pharma.”


54 thoughts on “Banks Hold Key to Killing Rogue Pharmacies”

  1. peter

    The link to the PDF is broken. Looks like you forgot http://

    otherwise as always an excellent read

  2. Quinn Ronin

    I’m not pro online pharmacies, in general, and have no interest in Viagra or other recreational drugs, however, I am very aware that the FDA and Big Pharma in the U.S. do a lot of harm promoting products that have very destructive side effects in order to profit.

    Big Pharma exists for one reason only, to benefit its shareholders financially, not to improve public health. The FDA exists to protect the interests of Big Pharma, and regulate it, somewhat.

    It also has more lobbyists on Capitol Hill than any other sector, and spends more on lobbying. No wonder Medicare and Medicaid are bankrupting the country!

    Many extremely effective substances and orphan drugs will never legally be available in the U.S. because they cannot be patented by big pharma. Anyone who claims that a substance treats a disease is subject to FDA prosecution and the substance is then labelled a drug, which is illegal since it has not been subjected to the FDA approval process.

    You cannot, for example, claim that baking powder will clear cancer, since it changes the pH of the body from acid to base, even if it’s absolutely true! ;^)

    Naltrexone, an orphan drug approved in Europe for drug and alcohol addiction, is an excellent example. At a very low dose it is extremely effective against MS, as well as numerous other ailments, but will never be readily available here. There is no money in it for Big Pharma.

    So, it’s important not to throw the baby out with the bath water by limiting the consumers’ access to legitimate, but FDA unapprovable drugs from legitimate sources.

    1. Alex

      I agree that American pharma is mostly interested in protecting/securing profits more than health. And the FDA is complicit in this and exists to add another level of security/stability to the profitability of the industry with their political agenda and policy making. This is probably just another situation where they see an opportunity to protect profit under the guise of public safety.

    2. Cherry

      You are absolutely right that some drugs will never be on the American market, or be widespread, because they cannot be patented.

      Lithium, a metal in the periodic table, and a huge breakthrough in treating bipolar disorder (at a time when “treatment” for mental illness was non-existent), was discovered to work wonders in the 1870s. But the US pharma had no interest because there was no money in it. Again, Australian John Cade rediscovered it again in the 1950s, and again US pharma had no interest.

      I agree there are drugs approved in countries that for whatever reason never cross borders, which may suit a certain person and they should be allowed to import it from reputable sources.

      Coming from a country with a reasonably well regulated public pharmaceutical industry, I would strongly argue it’s the United States lawmakers protecting Big Pharma, not the lobbyists. Lobbyists would be unemployed if their tactics didn’t work. The faults of the industry and regulation are squarely at the US regulators’ feet.

  3. Janitor

    Blacklisting banks processing spam-induced sales seems to be a very good idea. One question remains – what entity/organization should be named responsible for maintaining and updating the list?

    Another what-seems-to-be efficient solution would be to put pressure onto the card associations, mainly Visa, MC and AmEx so that they continuously verify member-banks’ compliance with written policies and procedures they actually signed prior to becoming affiliates of each card association.

    Most of the time, low to no verification is carried out by Visa, MC and the likes in regards to pharma sales.

    Hard to tell whether a spam-generated pharma transaction is what it is. Agree. Hard but not impossible.

  4. wut

    Although you make a good point about the banks being able to shut down such operations, it’s far-fetched tbh.

    Banks do not like losing money, therefore they hate spending money on additional technicians nor do they like having their customers not spend money.

    Also combine that with the fact that the operators of pharmacies have countless number of ways to get merchant accounts makes it impossible for banks to keep up with the blacklist.

    Think of it this way:

    If you were the head of a 50+ million dollar operation, would you not spend a few hundred thousand dollars in order to get merchant accounts that aren’t blacklisted?

    1. BrianKrebs Post author

      One point that I did not make, but which I will elaborate on in a related post next week, is that the merchant banks for these pharma outfits almost without exception are the same banks that are processing rogue anti-virus crap. Unlike pharma, rogue AV is a product that has a super-high fraud and chargeback rate and is yet another reason that banks should care about blocking transactions destined for these tiny merchant banks.

      1. Not-a-sender

        That’s how freedom disappears. It never happens overnight. It starts from a pretty looking reason – we want to protect our kids from heroin, don’t we? Then it goes a little bit further – gambling is not good, is it? Then you cannot buy antibiotics – in spite of they are not addictive. What did happen with the freedom of choice?

        But, regarding tech part. Bank cannot stop transaction just because they want to. There are Visa rules. Visa set the rules in a way, that doesn’t allow to identify merchant banks so easy. It’s not so hard to do, but it’s expensive. You can find any transaction in your credit card statement and try to figure out – who charged you. If merchant descriptor is not quite clear – you will not be able to do it 🙂

        1. Stefan Savage

          I’ll leave aside the issue of freedom, since I can see both sides here. However, on the technical side I believe there is some confusion. You are correct that the descriptor is frequently not a useful identifier. However, the acquiring BIN must be available to the issuer for both authorization and settlement and I’m unaware of a way to hide this. Similarly, the CAID must be exported and the acquirer is responsible for being able to map this back to a MID/TID. It’s true that third-party processors or gateway providers are not directly visible in the transaction, but this is why the acquirer is left with responsibility concerning all use of their BIN.

          1. not-a-sender

            Acquiring BIN is available to the issuer indeed. So what’s your suggestion? To ban all transactions from this BIN? MIC/TID – acquirer is responsible to link them – but he’s not responsible to share linking result with the issuer.
            So BoA has two choices here – to process everything from Azeri Bank OR process nothing. Separation would be costly.

            1. Stefan Savage

              Not so… issuers are allowed to make finer grain decisions than that (indeed this is how FSA cards work in the US). An issuer could — for example — decide to not process CNP, MCC=5912 transactions from a given BIN (e.g., 412939) so long as that bank is handling transactions for pharmacies shipping prescription drugs into the US (i.e., as demonstrated via test purchases). I suspect that the volume of “legitimate” card-not-present purchasing from US customers of BoA to Bank Standard in Baku for pharmaceuticals is probably… low. Now if a bank allows its customers to play games with MCC then Visa will have more serious issues (and indeed in this case perhaps one should just stop doing business with the BIN until they can clean up their controls)

    2. Nicholas Weaver

      Actually, part of the reason this would probably work is that it ISN’T a lot of money for the banks. Glavmed caused a lot of grief from all the spam, but $10M in processing is only a couple hundred K$ in revenue for BofA between processing fees and the interest on any carried balances.

      So really, having a few more entries in the fraud database (“these transaction types from these BINs should be blocked”) is not a big loss of money, but it is a big hit in PR if the meme is “BofA funds spammers”.

      This technique has already been used to largely (not completely, but significantly) disrupt online gambling from US sources.

      (note, i’m one of the authors of the paper cited…)
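
The issuer-side rule Stefan Savage describes above (decline card-not-present, MCC 5912 transactions from one acquiring BIN) and the fraud-database entries Nicholas Weaver mentions can be sketched as follows. This is an added example, not part of the original post or its comments; the record layout, field names, CAIDs, the second BIN and the grocery MCC are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PHARMACY_MCC = "5912"        # MCC named in the comment above
EXAMPLE_ACQ_BIN = "412939"   # example acquiring BIN quoted in the comment above


@dataclass(frozen=True)
class AuthRequest:
    """Simplified view of an authorization request as seen by the issuer.

    Field names are hypothetical; real authorization messages carry more data.
    """
    acquirer_bin: str    # acquiring BIN, visible to the issuer
    mcc: str             # merchant category code
    card_present: bool   # False means card-not-present (CNP)
    caid: str            # card acceptor ID exported by the acquirer
    amount_usd: float


@dataclass(frozen=True)
class BlockRule:
    """One fraud-database entry: 'these transaction types from this BIN'."""
    acquirer_bin: str
    mcc: Optional[str] = None   # None matches any MCC
    cnp_only: bool = True       # True leaves card-present traffic alone
    reason: str = ""

    def matches(self, req: AuthRequest) -> bool:
        if req.acquirer_bin != self.acquirer_bin:
            return False
        if self.mcc is not None and req.mcc != self.mcc:
            return False
        if self.cnp_only and req.card_present:
            return False
        return True


def decide(req: AuthRequest, rules: Iterable[BlockRule]) -> Tuple[str, str]:
    """Return ("DECLINE", reason) for the first matching rule, else ("APPROVE", "")."""
    for rule in rules:
        if rule.matches(req):
            return "DECLINE", rule.reason
    return "APPROVE", ""


def declined_caids(requests: Iterable[AuthRequest],
                   rules: List[BlockRule]) -> List[str]:
    """CAIDs of the requests a rule set would decline, in input order."""
    return [r.caid for r in requests if decide(r, rules)[0] == "DECLINE"]


# The fine-grained rule from the comment: CNP + MCC 5912 + one acquiring BIN.
FINE_GRAINED = [BlockRule(EXAMPLE_ACQ_BIN, mcc=PHARMACY_MCC, cnp_only=True,
                          reason="CNP pharmacy via listed acquirer")]

# The all-or-nothing alternative raised in the thread: drop the whole BIN.
WHOLE_BIN = [BlockRule(EXAMPLE_ACQ_BIN, mcc=None, cnp_only=False,
                       reason="acquirer BIN suspended")]

# Constructed sample traffic (not real transactions).
SAMPLE = [
    AuthRequest("412939", "5912", False, "PHARMA-WEB-01", 120.00),
    AuthRequest("412939", "5912", True, "PHARMA-STORE-02", 35.50),
    AuthRequest("412939", "5411", False, "GROCER-03", 64.10),
    AuthRequest("400000", "5912", False, "PHARMA-WEB-04", 89.99),
]

if __name__ == "__main__":
    for name, rules in (("fine-grained", FINE_GRAINED), ("whole BIN", WHOLE_BIN)):
        print(name, "declines:", declined_caids(SAMPLE, rules))
```

Run against the same traffic, the fine-grained rule declines only the card-not-present pharmacy charge, while the whole-BIN rule also declines the acquirer's card-present and non-pharmacy merchants.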

  5. george

    I suspect the comments section will show the opinions over this subject are hopelessly divided. On one hand Rogue Pharmacies are inextricably linked with Spam (almost by definition!) and there are undoubtedly sufficient cases of credit card fraud associated with some of those sites. On the other hand, the reason it has grown to this level of business are the customers themselves. A significant portion of them consider they are getting a run for their money, are satisfied and order again and again. They (RoguePharma) haven’t grown to this size by just taking the money and never sending anything or just sending placebo pills. Perhaps, just perhaps, the solution to this problem is that a few players will cover the (gray) area in between the disposable, totally shoddy, overnight disappearing, roguepharma and the very expensive channels promoted by BigPharma. Once they get large enough and recognizable, they won’t have to advertise (that much) via spam (perhaps they will feel manipulating Google searches to be enough) and will want to maintain certain reputation, screening their suppliers.

    1. Janitor

      Grey pharmacies cannot get “large enough” due to their intrinsically illegal nature.

      Thus, they will always seek for an efficient advertising channel, whether it be spam or SEO or blogs, spam being the most cost effective of them all for today.

      This blog entry does not seek an answer on why people purchase from rogue pharma sites.

      As in the aforementioned study by the Californian researchers (http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf), Brian tries to theoretically single out possible institutional anti-spam-induced-sales mechanisms.

      That is by treating the problem at the point where money enters the system. No banking processing => no cash ==> no financial incentives for the pharm-dealers ==> no contracts for the spammers.

  6. Christopher Kunz

    I think the discussion here should not take the actual product into consideration, as it is just an example of what spammers generate revenue from. There is a multitude of other examples like fake watches, advance fee fraud, fake diplomas which are quite clearly useless and almost always border on fraud.

    Therefore, it’s a completely irrelevant point to state that rogue pharmacies have some kind of moral base of existence – IMHO they don’t.

    I’d also like to question the point that “there is a market and they are just servicing it”. Couldn’t it be the other way around – that suppliers of those shoddy products saw the physical market decline due to legal or logistical problems, and therefore moved on to the much easier online market?

    Regarding the “blacklist” approach – on the short term, this is probably a very good idea. However, we don’t know how long spammers can survive without income (I presume they can survive a while) and in the long term, I think there’s a way around stuff like that.
    There is already a *very* significant amount of meta-spam for “payment agents”, “part-time jobs”, “investment opportunities” etc., which either look for money mules or gullible fraud victims (ideally both in one person). From the top of my head, I can imagine a scenario where pharmacy spammers start looking for “affiliates” with PayPal accounts that act as money mules. For the affiliates, it’d be a relatively safe endeavor (in comparison to money muling for phishing) and the only risk involved is PayPal account closure.

    Sorry if this comment lacks coherence, I just wanted to get a couple ideas and points across.

    One last point about the compliance bit: If we remember that Sony is a very large PCI-compliant organization, and that they got owned very very hard, what practical relevance does that assign to PCI compliance audits? (It’s a genuine, not a rhetorical question.)

  7. Follow the money

    If they can stop funds to WikiLeaks, it should be oh so easy to strangle these scams without batting an eyelid.

    Methinks there are corrupt officials involved. Even if there isn’t, it would make them think twice to accuse them of having some…

    As usual, Brian has homed in on the most obvious way to trace these varmints – follow the money.

  8. Tim Smith

    In any discussion about online pharmacy it’s important to recognize that legitimate Canadian pharmacies exist, selling top quality, brand name medications upon receipt of a valid prescription. We at the Canadian International Pharmacy Association (CIPA) support efforts to knock the bad guys off their game and to protect online patients who are simply looking to receive their lifesaving medications at fair prices and from a trusted source.

    CIPA also believes the concept of a White List is a better approach to screen for legitimate pharmacies because the rogues have clever ways of popping up with new identities all over the place, making it difficult to keep a black list up to date.

    Reliable sources that offer safety and security online already exist. It’s important to make the distinction for the sake of patients who rely on internet to find their medications.

    1. Janitor

      @Tim Smith

      “Reliable sources that offer safety and security online already exist. It’s important to make the distinction for the sake of patients who rely on internet to find their medications.”

      Tim, what are these “reliable sources” you are referring to?

      1. qka

        @Janitor

        Tim Smith is clearly suggesting that you look for members of the Canadian International Pharmacy Association (CIPA). I have no knowledge of CIPA, but it should be easy to determine whether or not they are in fact legitimate, from research on the Internet and communications with Canadian government regulatory bodies.

        @Quinn

        Go sell your “anti-aging” snake oil somewhere else. But thank you for your information about 60 day supplies.

    2. Linda G

      I think that a White List would be much longer and more difficult to identify than a Black List. There must be a great many more honest pharmacies than rogue ones.

      1. AlphaCentauri

        Actually, the list of dishonest pharmacies is far longer. Because each domain name can only be spammed for a few hours before they are added to spam filters, there is a constant need for new ones. And remember, these aren’t separate pharmacies with a pharmacist working in each one. They are just domain names for copycat website templates, funneling orders to a backend processor that has hundreds of affiliates. Anyone can run a pharmacy in the world of spam. There are no actual pharmacists involved — just losers with no morals and a desire to make easy money.

    3. MZ

      What you call a “White List”, is called an anti-competitive practice in other places. Thankfully, there are laws against it.
      Just a quick economic fact:
      The cost of an active ingredient in a single Viagra pill is $0.01
      The official price for the same pill is $18.00
      No wonder, the Official Pharma wants the market all to itself.

      1. c.cobb

        Your “facts” smell fishy, IMO. Not to mention that meds are sold in varying dosages. Cite your source, please.

        I do find the following link indicating that the U.S. price per pill for Viagra is $16.65 while a generic alternative is available in India for $1.16, but it does not indicate dosages.
        http://www.regaffairs.net/drugs-from-india.html (written Sept, 2009)

        Still, this represents an 83% savings there or, conversely, a 1,435% markup here. And, of course, I know about recouping R&D and approval costs. Pfizer have long since covered their costs on this, yes?

  9. Quinn Ronin

    @Janitor
    One reliable source is IAS, International Anti-Aging Systems, another is Biogenesis AntiAging. No steroids, Viagra, narcotics, or other restricted substances, but a few highly effective products that are very difficult, or impossible, to get in the U.S.

    Overseas pharmacies did not start with cyber-criminals BTW. They started with the AIDS epidemic and the lack of availability of orphan drugs for AIDS treatment in the U.S.

    Because of the exorbitant prices of pharmaceuticals in the U.S. compared to other countries, importing from Canada, etc. became very popular, until it cut into big pharma’s profit margin. Then the FDA had to step in to protect them.

    There are a number of important orphan drugs that can be legally imported (a law was passed because of AIDS that allowed importing up to 60 days supply, I believe, if the drug is not available in the U.S. and is not on a restricted substance list), Naltrexone, as I mentioned earlier, being one.

  10. AlphaCentauri

    Don’t lump Visa and Mastercard together here. Mastercard stopped processing payments for Eva Pharmacy (aka Yambo or Bulker.biz) websites years ago. They more recently stopped processing payments for Glavmed and Spamit. Visa continues to process them. Who is responsible for that decision at Visa? It’s not through ignorance, as I and other people I know have attempted to alert them to this issue and were rebuffed.

    Visa and the banks you list above may not consider it their business that these pharmacies are illegal and are shipping product of uncertain quality. (Plenty of shipments have been found to put people’s lives at risk because they have no active ingredient or the wrong dose or even the wrong drug — a deal breaker no matter what you feel about the ethics of extralegal importation of prescription drugs from legitimate Canadian pharmacies.) They may not consider it their business that the fake watches and purses are violating trademarks. They may not consider it their business that the rogue antiviruses are fake or are even malware themselves.

    But I should think they would consider it their business if the domain names are registered with the stolen credit card numbers of their own customers. That much is easily demonstrated. Yet instead of cutting off funds to these scammers who are biting the hand that feeds them, the banks instead respond by having their fraud department call every honest customer who tries to register a domain name. How stupid is that? Do they really want people to trust them to manage anyone else’s money when they can’t do better than that?

    1. MZ

      Registering domains with stolen CC# is plain stupid, because the domain would disappear the moment chargebacks start coming in. It’s only worth doing if you don’t need a domain for more than a few days, e.g. for a botnet C&C.
      The way people register domains with fake addresses is by using a prepaid Visa card.

      1. AlphaCentauri

        @MZ: You would think a chargeback would get someone’s attention, but that isn’t the case. I can’t explain it. The domains stay active for months, sometimes even get renewed with someone else’s credit card.

        Even though the banks are now aware of the pattern of fraud and call cardholders to confirm domain registration charges, and even though the people whose names are used in the Eva Pharmacy registrations confirm that their banks reversed the charges, the domain registrations often stay active. I assume the spammers have a backup method of payment, which might excuse the registrar not blocking the registration. But if the banks are running around making all these phone calls, you’d think they’d follow the problem back to the source. Lord knows that I and many other people have offered to show them how.

        1. Follow the money

          The banks haven’t lost enough money yet! If you were losing millions a month, maybe you would be motivated to form an industry taskforce and kill off this activity pronto. Maybe Canadian Pharma spammers, Anonymous and LulzSec have done us a favour and brought cyber terrorism to the notice of the man in the street, and they are now starting to ask the hard questions. When the shareholders start asking how much the annual losses to cyber terrorism are, then those that can will wake up and do something about it. Sadly, until then it just makes good reading in the hallowed security blogs like this one.

  11. Liz D-M

    There is a real need for low-cost medications, and the rogue pharmacies are preying on that need. While lowering the price of medication won’t kill off the rogue pharmacies, it will certainly slow them down.

    1. AlphaCentauri

      Actually, the cost of medications in the scam pharmacies is often higher. These guys aren’t some Robin Hoods trying to help people escape from Big Pharma price controls.

      Remember that regardless of the photos on their websites, all they sell are generic copies, not brand name drugs. If you compare the price they charge to the equivalent *generic* prices at your regular pharmacy, you’d often find the scammers charge far more. They take advantage of people who don’t see doctors to get prescriptions, and who don’t get lab work/physical exams to see if the pills are working.

      Example: Lisinopril 10 mg, 30 tabs
      Walmart, in store: $4
      Drugstore.com, on line: $12.99
      Eva Pharmacy (healthpillspatients.net): $118.50

  12. JS

    I mentioned in an earlier post that most lawful sovereign states do maintain a list for bankers to stop criminal enterprises from being funded internationally or internally.

    USA maintains a Specially Designated National and Blocked Persons List.

    I persist in saying this is not an IT issue but a criminal issue that involves IT.

    A real set of bodies, at BOA and Chase had to have either
    1) been fraudulently bamboozled into setting up the payment accounts
    2) been bribed to turn a blind eye toward setting up the payment accounts
    3) been under pressure from BOA and Chase managers to make a quota for the bottom line and setup the payment accounts

    If I could fault the most excellent work journalism of Mr. Krebs it is for not pursuing the trail. That trail I’m sure would expose more corruption and greed which allows corruption to thrive than the IT problem of spam. I hope somebody at BOA/Chase wants to talk to you.

    I figure option 3. I’d guess < 8 persons on the banks side resulted in the whole mess. If these bankers said to their counterparts "Hey I got a new client.. you need to meet him…" what a field day for Brian! This is how the sub-prime disaster happened.

    Where is the outrage that 10m USD flowed out unchecked? 10m to Hamas or other domestic criminal organizations would have had a real somebody at these banks appearing before Congress to give an explanation.

    If the banks were accountable for this amount – they likely wrote it off – and instead were fined/paid into a fund the equivalent it could have fielded 66 IT knowledgeable law enforcement agents (at 150k USD).

    Just a thought… the US is entering an election year will money laundering and criminal fraud be a campaign issue? Fiscal management must also control any wasteful bleeding (from crime) in the economy as well.

    Brian if you want extra credit homework for the weekend watch Middle Men the movie with Luke Wilson and extrapolate into today's international IT savvy criminal mess. — it's not just Pharma sites. To be honest I was shocked this movie got to be made — it was somebody's catharsis/warning to the rest of us.

    1. Follow the money

      I second the idea: Brian Krebs for Congress!

  13. UGN SafeNetting

    Brian … I hope your post, and the resulting comments fall on more influential eyes than mine have for the past ten years.

    BRAVO for recognizing that one sure way to trap the cybercriminal is to “Follow the Money Trail” … but it’s got to be done very quickly while it’s active and hot.

    The problem is, nobody in the ‘ivory tower’ is listening or even cares to listen. They’re all making too much money off spam. We knew (and forecasted) back at the first introduction of “ecommerce” that it would eventually be abused and exploited for criminal activities. The mantra from the early days of spam fighting has been “Follow the Money Trail” …

    But by the time law enforcement wades through the sea of red tape to sequester a charge account’s owner … the criminal has shut it down and moved on elsewhere.

    If officials don’t act, and act fast … they may as well join the already in progress chorus of legislators and IT officials whistling Dixie.

    🙂

  14. Stefan Savage

    JS, I don’t think there is any claim here that BoA and Chase have set up any particular accounts in support of online pharmacies (in fact I’d be very surprised if you could find a mainstream US bank who would offer merchant services for such businesses) but rather that the money funding such pharmacies ultimately comes primarily from US customers whose payment cards are issued by these banks. So this is perhaps less a statement of blame than the emphasis that a small number of US banks have the capability to intervene.

    Now from on the issuing side I suspect that the bank position (not unfairly) is that this isn’t their job. These are not fraudulent transactions (in the sense that their customers provide payments willingly and receive a product in return) and the charge-back rates — at least for pharma — appear to be low. The government could take issue here (since this is an issue of US law after all) but there are concerns, as seen in some previous arguments in this thread, that there is a slippery slope here. To paraphrase the argument, “If we further expand the use of payments as an instrument of public policy then what will the unintended consequences be?” These are the realities of putting together a policy action here. However, note that there are precedents both for government intervention (e.g., online gambling) and voluntary action on the part of issuers (e.g., cigarettes); although anecdotal evidence suggests that the first was more successful than the later (none will be perfect).

    I think the big point here is that this is something which is technically feasible (i.e., could be done if we had the will and decided it was worth the energy/risk). And not just for spam. In general “advertising-based” e-crime (pharma, replica, software, fakeav, diplomas, etc) relies on the customer willingly paying for a good. While there are alternatives to Visa/MC, none of them have the footprint to even vaguely compete for the US consumer market (which ultimately funds most of this activity).

    1. JS

      Stefan Savage,

      Your points are well taken and well expressed. My historical experience gets blended with current situations. I tend to focus on the back end whereas the report focused on the front end.

      I agree the “consumer” is the key to why a con is successful or not. For as many warnings and speeches; ultimately a good chunk of consumers fall for the con thinking they got a good deal, or can live it up a little on the edgy side, or stick it to the man (to avoid taxes, etc).

      I think the larger point I had hoped to make is that such criminal enterprises steadily erode the conscience and then taint legitimate businesses when the $$’s roll in.

      Mainstream banking did and continues to get in ethically complicated situations such as sub-prime and derivatives and other schemes under the guise of sharp business practices… community building ethics is generally waning throughout all the world.

      Apathy in business ethics is actually worse than active corruption.

      It would be interesting if a similar study is conducted for adult internet sites. Having personal history with the tragedies of abused persons IMHO it’s not a victimless industry. The money goes places and leaves a trail of people in its wake. The front end payment funds the back end of recruitment and delivery of humans for consumption.

      In this case many persons manufacture, package, ship the “pharmaceutical good.” Overseeing them is who? An altruistic / beneficial employer that treats their “employees” justly? I’m sure there are some real & just companies such as the Canadian pharmacies but others … who knows.

      Indeed governments have intervened as in narco, alcohol, weapons, prostitution, gambling, and dual purpose tech on the front end using filters in the banking system to enforce public policy.

      However recently Fast and Furious and a few other failed public protection programs show the back end of production & chain of fulfillment (realization) should also be considered when forming and executing public policy.

  15. Akkurat

    “The researchers discovered that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by three financial companies — based in Azerbaijan, Denmark and Nevis West Indies. The full paper is available here (PDF).”
    Shouldn’t the second one be Latvia, for the branch owned by a Norwegian and not a Danish bank?

    See the PDF page 11 or
    http://www.f-secure.com/weblog/archives/00002164.html

  16. UGN Safenet

    FOLLOW THE MONEY TRAIL …

    BUT FIRST : a gentle reminder of what this is really all about. MONEY. A million dollars in illegal transactions nets the bank as much as $112,000 in ‘legal’ profits — off the top. It’s the easiest, lowest maintenance profit they make.

    Would YOU want to shut down that kind of revenue stream?

    Did you think the banks aren’t fully aware of their role in all this? Would they be any more liable if handling the transactions for child slave markets, drug cartel arms traffic or terrorist logistics? Of course not. (And don’t forget, Phishing is Al Qaeda’s number ONE recommended method of fund raising!) The banks merely shrug their shoulders and say “business is business.”

    A NINE BILLION dollar (2009) industry (that’s $9,000,000,000.00) probably makes cybercrime among the bank’s BEST CUSTOMERS.

    Bottom line: credit card transactions for anything spam-advertised are a means to an end, NOT the end.

    Finding out where the money eventually goes is the key role the banks need to play. And it’s not just about counterfeit drugs … it applies to counterfeit designer products, gambling and sex sites as well as most of the other online scams from Russian brides to “Scareware”. (http://bit.ly/l67ytM)

    * Busting the counterfeiters
    * Revoking charge card access to rogue ISPs and rogue registrars (A roster of only about 50)

    UP THE FOOD CHAIN

    The ISPs and registrars — and yes, ICANN itself — who perpetuate cybercrime cartels online are the key facilitators. They make it possible for the cartels to “kite” hundreds to thousands of domains without ever paying for them. (http://bit.ly/lIIaFU)

    But why can’t something be done about them? MONEY. They OWN the industry.

    As one poster said previously, the cybercriminals need domains in bulk because they are usually blocked after a few hours of spamming. Without a ready supply of domains, parked or hosted on sympathetic ISPs, we wouldn’t be having this conversation.

    Since March, we’ve tracked one crime cartel in Russia who has been sending at a rate of one spam email about every six (12) minutes. In a month’s time they’ll use several hundred different domains. Not only are they attempting to ‘sell’ product, but each ‘customer’ provides them with a new identity to set up new accounts and new domains elsewhere.

    Here’s the bottom line : THE MONEY TRAIL is made possible by AMERICAN BANKS.

    While the criminals are for the most part untouchable, beyond U.S. borders — the banks are not. They COULD be the key — if they would.

    You can discuss the minutiae of charge card accounts and transactions until dooms-day. But that minutiae really has little to do with the message in Brian’s article.

    Brian gets it.

    1. xAdmin

      “Here’s the bottom line : THE MONEY TRAIL is made possible by AMERICAN BANKS.”

      No, it’s lower down the food chain, as in the consumers (credit card users) who are choosing to purchase said goods from rogue pharmacies. Without them, the whole thing would dry up. It’s all about supply and demand. There are a great many things, good and bad, that exist based on this simple principle. Let’s not forget the responsibility of the individual and how that plays into the ecosystem. Frankly, I’d rather have it this way and have the freedom of choice along with the required responsibility than the opposite.

      1. AlphaCentauri

        Yes, the American customers are choosing extralegal means of obtaining meds. But there are online pharmacies that are really in Canada, which really have trust seals from CIPA or PharmacyChecker instead of posting counterfeit ones, and which sell drugs that really have been approved for sale in Canada by the Canadian government regulators. These sites we’re talking about are just scamming people who can’t tell the difference between a Canadian pharmacy and a Russian scam affiliate program. It’s not realistic to expect people who are being defrauded to be the ones changing the system.

  17. Mike

    I have to say the idea of using banks as a tool of law enforcement is very disquieting. I understand the appeal of this approach, but as we have already seen banks and payment processors will QUITE HAPPILY cut off funding to organizations they merely do not like regardless of whether they are illegal or not (Wikileaks).

    Banks already have so much power. It’s a very bad idea for them to start developing political opinions. And, because they are just private companies, the problem is – where is the due process? It’d be very easy for governments to lean on these organizations privately to block payments and there’d be no good way to find out what had happened.

    So this is why I believe the trend should be towards banks having less power, not more.

    The underlying problem here is not banks. The problem is countries which do not crack down on illegal operations. Throwing up our hands and saying, we can’t deal with the Russians so let’s go down the VERY DANGEROUS road of trying to fight crime by blocking payments, is defeatist. Russia wants to join the WTO, no? You reported yourself on how the Russian DEA raided the rx-promotion golden bar party. So why not do things the old fashioned way and let the police do their jobs. And if countries are not taking this crime seriously, use the usual methods to encourage them.

    1. AlphaCentauri

      If a car dealer buys a car that turns out to be stolen, it’s unfortunate that he was victimized. But if he routinely buys cars that are stolen, he’s considered a fence and is considered equally guilty of the crime as the car thief.

      It’s not some alarming new concept that entities share legal responsibility when they knowingly assist in turning crimes into cash. It’s actually a pretty good example of how powerful banks are that no one has questioned their involvement in internet crime before.

      1. Mike

        The key part is “knowingly”.

        How do you, as a bank, know if your customer is a criminal or not? Right, you can’t know that for sure – it’s not your job to investigate this anyway, it’s law enforcement’s job (or should be). Yes, I know AML law tries to change this. It doesn’t work. Trying to turn financial institutions, lawyers, estate agents, etc into extensions of law enforcement is doomed to failure as this article (and many others) illustrate.

        For the car dealer example, how deeply is he supposed to probe each customer selling him cars? There’s no right answer to this. If they’re trivially and obviously stolen, he has a moral and legal responsibility to not buy them. If he doesn’t know where they come from, and the seller has some reasonable story, why should he pay a private investigator to dig deeper?

        The responsibility for stopping these pharmacy operations lies with Russian law enforcement and judicial system – period. Otherwise you lose all kinds of important protections like due process, the right to appeal, etc.

        1. AlphaCentauri

          If the scam pharmacies and fake AV products made any effort to hide what they’re doing, that would be a valid argument. But they’re totally open about it, because they’ve been allowed to pretty much operate without hindrance.

          There are lots of resources to provide banks with evidence of which operations are scams, but Stephen has proven it can be done within minutes with resources that are completely within the banks’ control.

          If Western banks start to crack down and the scammers have to be more careful about who they send spam to or which sites they hack, if the banks in Eastern Europe processing the requests started being more careful about who they dealt with, yes it would be a valid argument. But the number of people getting ripped off would also be markedly reduced. I’d take that trade off.

          And none of this is about legal due process. No one is being charged with any crimes as a result of the banks’ changing their policies. They just don’t get to enlist Western banks as their servants to steal money from Westerners and give it to criminals in Russia. They’re free to accept money whatever other way they choose, without the implied endorsement of well known brands like Visa and Mastercard. And if anyone feels they have been unjustly denied their merchant accounts, all they have to do is appeal it. The criminals won’t bother, as it might require showing up at the local Visa office in person with identification — something legitimate businesses expect to do in at least some cases when setting up financial accounts.

          1. UGN Safenetting

            A perfectly valid solution. Thanks for posting that.

            All those who believe there’s nothing to be done have forgotten that VISA, MasterCard and American Express are all headquartered in the U.S. … they are U.S. companies. They could EASILY require at least postal correspondence to reinstate merchant accounts.

            If I were running any of those companies, the first thing I would do is put a HOLD on ALL of the pharma accounts as they are discovered. It would take a whole staff of ONE to effectively run that effort.

            Once word got around, and hit the press … you’d find “legit” merchants closing down their criminal buddies for fear of losing the merchant account.

            Then HOLD the account until the owner appears in person, or provides WRITTEN information pertaining to the account. After a year, unclaimed account funds would be absorbed to cover future cybercrime fighting efforts.

            A Win/Win/Win solution.

  18. CloudLiam

    “Banks already have so much power. It’s a very bad idea for them to start developing political opinions.”

    You’ve got to be kidding, right? There never was and never will be a time when banks don’t have “political opinions,” especially now.

  19. Lee Graczyk

    RxRights, a national coalition of individuals and organizations dedicated to promoting and protecting American consumer access to sources of safe, affordable prescription drugs, is also concerned about unlicensed, rogue online pharmacies. On our website, we offer tips on ways to tell if an online pharmacy is legitimate, some of which include checking to make sure that it always requires a valid prescription and that a licensed pharmacist is available to consult with patients. For more information, visit http://www.RxRights.org.

  20. UGN Safenetting

    > It’s not some alarming new concept that entities
    > share legal responsibility when they knowingly
    > assist in turning crimes into cash.

    Agreed with Brian, this is so true!

    It’s called “aiding and abetting”

    TITLE 18 OF THE FEDERAL CODE :

    “(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal.”

    That goes for the Registrar, the ISP, the ISP’s provider, and ICANN.

    And, that’s truly the bottom line.

  21. Philip

    I’m pretty sure all of the banks listed have two dozen fraud investigators on their payroll who know full well what is going on, but have been told by their higher-ups to shut up because the pill pushers generate easy income for the credit card companies. “Pecunia non olet” is 2000+ years old as a concept, and while money itself doesn’t stink, the concept sure does.

    1. Stefan Savage

      I’d be very surprised were this true.

      First, as I mentioned before, these sales are not “fraud” per se and hence aren’t going to normally be prioritized by issuing banks at all (from their standpoint there are no costs and no customer complaints… what is the problem?)

      Second, this just isn’t that much money. So Brian’s posts suggest that the big programs are pulling in, say, 10-20M per year in revenue (I suspect Eva is a bit more actually, but not dramatically). Let’s say the interchange on these is two and a half basis points (about in line for international card-not-present transactions) so this is perhaps 250-500k per program to the issuer. Sure there are a bunch of programs, but this is a heavy tail business and the big programs dominate the advertising. Bottom line, I don’t see how any issuer is getting rich on this stuff (as a fraction of payment revenue).

      Now on the acquiring side there is a great deal more money made (high-risk merchant fees can be quite a bit higher), the banks are smaller (so it can be a higher fraction of revenue) and I can believe that in some cases there may be some nods and winks going on. However, it’s not clear even that all the acquirers have detailed knowledge of these activities since they may just have imperfect controls for monitoring partner processors merchants or they may even just be sponsoring the BIN (so-called “rent-a-BIN”) for a payment provider who is themselves complicit.

      However, I think the more interesting question is not blame per se (blame is cheap) but the extent to which such institutions have any appetite for taking action once these activities are identified to them.
