Banks in Azerbaijan that have courted the shadowy trade in spam-advertised pharmaceuticals now have cornered the market for processing credit card payments for fake antivirus software, new data reveals.
In June, KrebsOnSecurity highlighted research from the University of California, San Diego (UCSD) showing that Azerigazbank, a financial institution in Azerbaijan, was the primary merchant bank for most major online-fraud pharmacy affiliate programs. By the time that research was published, those programs had moved their business to another bank in Azerbaijan, JSCB Bank Standard.
Earlier this month, researchers from the University of California, Santa Barbara (UCSB) revealed that three of the most popular fake AV affiliate services — which pay hackers to foist worthless software on clueless Internet users — processed tens of millions of dollars in payments through Bank Standard and the International Bank of Azerbaijan.
UCSD researcher Damon McCoy has been making targeted “buys” at dozens of fake AV sites, trying to identify their partner banks. The fake AV operations that McCoy follows are distinct from those in the UCSB research; the UCSB team asked that the names of the rogue AV programs they infiltrated not be published, citing ongoing law enforcement investigations.
In late 2010, McCoy began buying rogue antivirus software from fake AV affiliate businesses BestAV and Gagarincash — the latter named after Yuri Gagarin, the Russian cosmonaut who was the first man launched into space. McCoy said both fake AV operations previously used Bank Standard, but within the past month have switched to the International Bank of Azerbaijan.
McCoy also tracked a more elusive fake AV affiliate program that he calls Win7Security, after the program’s most profitable brand of fake AV. McCoy said that for the past several months he’d lost track of Win7Security, and hadn’t seen any of its sites being pimped in the usual places, such as malware-laced banner ads and booby-trapped Web sites that redirect users to fake AV sites.
Recently, I heard from a source that stumbled upon a portion of the customer database for a payment processing firm idpay.com. It’s not clear where this company is based; it claims to have offices in Russia, New York and the United Kingdom, but neither NY nor the UK has any record of that company, and the company did not respond to requests for comment. The idpay.com database indicates that a large number of fake AV Web sites were using idpay.com to process payments (a partial list is here).
McCoy immediately recognized the fake AV brands and payment pages in the idpay.com database as the Win7Security program. After making a test purchase from one of the sites, he confirmed that it was a customer of the International Bank of Azerbaijan.
“These Azerbaijani banks have cornered the market on this stuff,” McCoy said. “The only [widespread fake AV affiliate] program I’ve seen that doesn’t use them is the brand of fake AV pushed by the Liza Moon attacks earlier this year, which used a Ukrainian bank.”
The idpay.com database revealed even bigger fish: Among the companies it processed was rx-partners.com, a major rogue pharmacy affiliate program that pays hackers and spammers to promote its pharmacy sites.
Another interesting client that processes payments through idpay.com is HzMedia Limited. That entity is owned by Igor Gusev, the founder of GlavMed, one of the world’s largest and spammiest rogue Internet pharmacy affiliate programs, according to the charging documents (PDF) accusing him of operating an illegal business. Gusev has fled Russia to avoid facing the criminal charges. Reached by phone, Gusev claimed that his firm was merely processing payments for HzMedia at the time those charges were levied, and that he is not affiliated with HzMedia.
The president of Azerbaijan met last week with NATO officials to discuss ways to promote cyber security, but somehow I doubt that preventing Americans from getting ripped off is high on the country’s priority list. According to the CIA’s World Factbook, Azerbaijan is resource-rich but also quite poor, and is grappling with widespread environmental issues. Corruption is ubiquitous in Azerbaijan, and it serves as a main conduit for drug and human trafficking. Given the volume of major cybercrime payments flowing through Azerbaijani banks, one has to wonder why Visa and MasterCard would allow any Internet-based transactions from consumers in the United States and Europe to these institutions.
Stay tuned for the fourth piece in this series, which will delve even deeper into the links between fake AV and rogue pharmacies. If you missed the first two, check out the top two stories listed beneath “Related Posts” directly below.