Posts Tagged: chronopay


3
Jun 14

Ne’er-Do-Well News, Volume I

It’s been a while since a new category debuted on this blog, and it occurred to me that I didn’t have a catch-all designation for random ne’er-do-well news. Alas, the inaugural entry for Ne’er-Do-Well News looks at three recent unrelated developments: The availability of remote access iPhone apps written by a programmer perhaps best known for developing crimeware; the return to prison of a young hacker who earned notoriety after simultaneously hacking Paris Hilton’s cell phone and data broker LexisNexis; and the release of Pavel Vrublevsky from a Russian prison more than a year before his sentence was to expire.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

A year ago, this blog featured a series of articles that sought to track down the developers of the Styx-Crypt exploit kit, a crimeware package being sold to help bad guys booby-trap compromised Web sites with malware. Earlier this week, I learned that a leading developer of Styx-Crypt — a Ukrainian man named Max Gavryuk — also is selling his own line of remote administration tools curiously called “Zeus Terminal,” available via the Apple iTunes store.

News of the app family came via a Twitter follower who  asked to remain anonymous, but who said two of the apps by this author were recently pulled from Apple’s iTunes store, including Zeus Terminal and Zeus Terminal Lite. It’s unclear why the apps were yanked or by whom, but the developer appears to have two other remote access apps for sale on iTunes, including ZeusTerm and ZeusTerm HD.

Incidentally, the support page listed for these apps – zeus-terminal[dot]com — no longer appears to be active (if, indeed it ever was), but the developer lists as his other home page reality7solutions[dot]com, which as this blog has reported was intricately tied to the Styx-Crypt development team.

This wouldn’t be the first time a crimeware author segued into building apps for the iPhone and iPad: In January 2012, as part of my Pharma Wars series, I wrote about clues that strongly suggested the Srizbi/Reactor spam botnet was developed and sold by a guy who left the spam business to build OOO Gameprom, a company that has developed dozens of games available in the iTunes store.

Continue reading →


2
Aug 13

Pavel Vrublevsky Sentenced to 2.5 Years

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source: Novayagazeta.ru

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Continue reading →


5
Jun 13

Vrublevsky Arrested for Witness Intimidation

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack against Assist, a top ChronoPay competitor.

Pavel Vrublevsky's Facebook profile photo.

Pavel Vrublevsky’s Facebook profile photo.

Vrublevsky is on trial for allegedly hiring two brothers — Igor and Dmitri Artimovich — to use their Festi spam botnet to attack Assist, a competing payments processor. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company at least USD $1 million.

Vrublevsky was imprisoned for six months in 2011 pending his trial, but was released at the end of that year after admitting to his role in the attack. Later, he recanted his jailhouse admission of guilt. Today, he was re-arrested after admitting to phoning a witness in his ongoing trial and offering “financial assistance.” The witness told prosecutors he felt pressured and threatened by the offer.

Two months ago, I signed a book deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

I found this development noteworthy because I, too, was offered financial assistance by Vrublevsky, an offer that very much seemed to me like a threat. In mid-2010, after thousands of emails, documents and hundreds of hours of recorded phonecalls from ChronoPay were leaked to  this author, Vrublevsky began calling me at least once a day from his offices in Moscow. This continued for more than six months. In one conversation from May 2010 , Vrublevsky offered to fly me to Moscow so that I could see firsthand that he had “only a very remote relationship with this case.”

Continue reading →


3
Dec 12

Vrublevsky Sues Kaspersky

The co-founder and owner of ChronoPay, one of Russia’s largest e-payment providers, is suing Russian security firm Kaspersky Lab, alleging that the latter published defamatory blog posts about him in connection with his ongoing cybercrime trial.

ChronoPay founder Pavel Vrublevsky, at his office in Moscow

Pavel O. Vrublevsky, is on trial in Moscow for allegedly hiring the curator of the Festi spam botnet to attack one of ChronoPay’s rival payment processors. He spent six months in prison last year after admitting to his part in the attack on Assist, a company that processed payments for Russian airline Aeroflot.

The events leading up to that crime are the subject of my Pharma Wars series, which documents an expensive and labyrinthine grudge match between Vrublevsky and the other co-founder of ChronoPay: Igor Gusevthe alleged proprietor of GlavMed and SpamIt, sister organizations that until recently were the largest sources of spam touting rogue Internet pharmacies. For his part, Vrublevsky has been identified as the co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion. 

Kaspersky blogger Tatyana Nikitina has covered Vrublevsky’s trial, which has been marked by prosecutorial miscues, allegations of official corruption, and the passage of new Russian laws that actually reduce the penalties for some of Vrublevsky’s alleged offenses. In her latest blog post, “The Vrublevsky Case is Ruined,” Nikitina laments yet another regressive milestone in the trial: The dismissal of claims by Aeroflot that it suffered almost $5 million losses as a result of the cyberattack.

Late last month, Vrublevsky’s lawyers fired back, filing a $5 million defamation lawsuit against Kaspersky Lab, charging that its publications contained untrue and defamatory information. In the suit, Vrublevsky argues that Kaspersky is not only trying to discredit him and influence the judicial process, but that Kaspersky is hardly a disinterested party. He noted that Assist was using Kaspersky’s DDoS protection services at the time of the attack, which Assist said took its services offline for a week.

Continue reading →


13
Jun 12

Who Is the ‘Festi’ Botmaster?

Pavel Vrublevsky, the co-founder of Russian payment processor ChronoPay, is set to appear before a judge this week in a criminal case in which he is accused of hiring a botmaster to attack a competitor. Prosecutors believe that the man Vrublevsky hired in that attack was the curator of the Festi botnet, a spam-spewing machine that also has been implicated in a number of high-profile denial-of-service assaults.

Igor Artimovich

Vrublevsky spent six months in prison last year for his alleged role in an attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors.

Investigators with the Russian Federal Security Service (FSB) last summer arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky.

As I wrote in last year’s piece, the allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured below) allegedly used to coordinate the DDoS attack against Assist.

Group-IB’s evidence suggested Artimovich had used a botnet he called Topol-Mailer to launch the attacks, but Topol-Mailer is more commonly known as Festi, one of the world’s largest and most active spam botnets. As detailed by researchers at NOD32 Antivirus makers ESET, Festi was built not just for spam, but to serve as a very powerful tool for launching distributed denial of service (DDoS) attacks, digital sieges which use hacked machines to flood targets with so much meaningless traffic that they can no longer accommodate legitimate visitors.

“Topol Mailer” botnet interface allegedly used by Artimovich.

Group-IB said Artimovich’s botnet was repeatedly used to attack several rogue pharmacy programs that were competing with Rx-Promotion, a rogue Internet pharmacy affiliate program long rumored to have been co-founded by Vrublevsky (security firm Dell SecureWorks chronicled those attacks last year).

Artimovich allegedly used the nickname Engel on Spamdot.biz, an online forum owned by the co-founders of SpamIt and GlavMed, sister rogue pharmacy operations that competed directly with Rx-promotion. In the screen shot below right, Engel can be seen communicating with Spamdot member and SpamIt affiliate “Docent.” That was the nickname used by Oleg Nikolaenko, a 24-year-old Russian man arrested in Las Vegas in Nov. 2010  charged with operating the Mega-D botnet. Continue reading →


3
Apr 12

Gateline.net Was Key Rogue Pharma Processor

It was mid November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big-band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.

Promenade of SS Rotterdam. Copyright: Peter Jaspers

The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.

A middle-aged stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked did I know anything about a company in Moscow called “Onelia“? I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.

Later that evening, back at my hotel room, I searched online for details about the company, but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that, and that they would then be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.

My paranoia got the best of me, and I shelved the information. That is, until just the other day, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion. These two programs, the subject of my Pharma Wars series, paid millions of dollars to the most notorious spammers on the planet, hiring them to blast junk email advertising thousands of rogue Internet pharmacies over a four-year period.

WHO IS ‘SHAMAN’?

Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also was used to process a majority of the rogue pharmacy site purchases that were promoted by spammers working for the two programs. Continue reading →


1
Feb 12

Who’s Behind the World’s Largest Spam Botnet?

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released -  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!” Continue reading →


17
Nov 11

Pharma Wars: The Price of (in)Justice

I spoke this week at Govcert 2011, a security conference in Rotterdam.  The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who sought to destroy the others’ reputation and business and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict. Click here to skip this section.

Actors

Pavel Vrublevsky: Co-founder and Former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below are from a set of logs leaked to several download sites that contain thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each others’ business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed come just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out,” Gusev wrote. “He is going to lose a large portion of his business and will be left with no money to fight the war.”

Continue reading →


1
Nov 11

Jailed ChronoPay Co-Founder Denied Bail

A Moscow court on Monday denied bail for Pavel Vrublevsky, a Russian businessman who was charged earlier this year with hiring hackers to launch costly online attacks against his rivals. The denial came even after Vrublevsky apparently admitted his role in the attacks, according to Russian news outlets.

Vrublevsky in 2004

Vrublevsky, 32, is probably best known as the co-founder of ChronoPay, a large online payment processor in Russia. He was arrested in June after Russian investigators secured the confession of a man who said he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. The former ChronoPay executive reportedly wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Aeroflot’s processing systems faltered for several days in the face of the attack, an outage that Aeroflot says cost the company about a million dollars a day.

Vrublevsky’s lawyers asked the court to release him pending a trial in December — offering to pay 30 million rubles (~ USD $1 million) — but the court denied the request.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay last year indicate Vrublevsky co-ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Vrublevsky and Gusev have been locked in an increasingly heated and public battle to ruin the others’ business, a saga that I have chronicled in an ongoing series: Pharma Wars.

Continue reading →


12
Sep 11

Pharma Wars: Paying for Prosecution

In June 2011, Russian authorities arrested Pavel Vrublevsky, co-founder of ChronoPay, Russia’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals. New evidence suggests that Vrublevsky’s arrest was the product of a bribe paid by Igor Gusev, the other co-founder of ChronoPay and a man wanted by Russian police as a spam kingpin.

Igor Gusev, in an undated photo taken at a family birthday celebration.

Two years after forming ChronoPay in 2003, Gusev and Vrublevsky parted ways. Not long after that breakup, Gusev would launch Glavmed and its sister program SpamIt, affiliate operations that paid the world’s most notorious spammers millions of dollars to promote rogue Internet pharmacies. Not to be outdone, Vrublevsky started his own rogue pharmacy program, Rx-Promotion, in 2007, contracting with some of the same spammers who were working at Gusev’s businesses.

By 2009, the former partners were actively trying to scuttle each others’ businesses. Vrublevsky allegedly paid hackers to break into and leak the contact and earnings data from GlavMed/SpamIt. He also reportedly paid a man named Igor “Engel” Artimovich to launch a volley of distributed denial-of-service (DDoS) attacks against SpamIt.

Gusev told me he long suspected Artimovich was involved in the attacks, and that he had information that Vrublevsky hired Artimovich to attack ChronoPay’s rivals while they were locked in a competition for a lucrative contract to process online payments for Aeroflot, Russia’s biggest airline.

Last month, hundreds of chat conversations apparently between Gusev and his right-hand man, Dmitry Stupin, were leaked online. They indicate that Gusev may have caused Vrublevsky’s arrest by paying Russian law enforcement investigators to go after Artimovich.

Over the past year, Gusev has insisted in numerous phone interviews that the increasingly public conflict between him and Vrublevsky was not a “war,” but more of a personal spat. But if the chat below is accurate, Gusev most certainly viewed the conflict as a war all along.

The following is from a leaked chat, allegedly between Gusev and Stupin, dated Sept. 26, 2010. The two men had already decided to close SpamIt, and were considering whether to do the same with GlavMed. “Red,” mentioned twice in the discussion below, is a reference to Vrublevsky, also known as “RedEye.”

Gusev: $2k from HzMedia to China – it’s mine. We also need to send additional money for salaries plus double bonus to Misha (Michael). I have already paid $50k for Engel’s case (20к – forensics, $30к – to speed up the starting of the criminal case)

Stupin: Why have you paid for Engel’s case ? I was even against paying for the Red’s case. Why pay for Engel’s?  What is the point?

Gusev: To my mind, you do not fully understand what’s been going on for the last year. Paul has a plan to either throw me into jail or end me. His intentions are totally clear. There are only two choices: 1 – do nothing, and pay nothing to nobody, and at the end either go to jail or keep hiding until all the resources are exhausted; 2 – do the same thing, as he is doing, with the same goal.

Continue reading →