July 13, 2011

Banks in Azerbaijan that have courted the shadowy trade in spam-advertised pharmaceuticals now have cornered the market for processing credit card payments for fake antivirus software, new data reveals.

In June, KrebsOnSecurity highlighted research from the University of California, San Diego (UCSD) showing that Azerigazbank, a financial institution in Azerbaijan, was the primary merchant bank for most major online-fraud pharmacy affiliate programs. By the time that research was published, those programs had moved their business to another bank in Azerbaijan, JSCB Bank Standard.

Earlier this month, researchers from the University of California, Santa Barbara (UCSB) revealed that three of the most popular fake AV affiliate services — which pay hackers to foist worthless software on clueless Internet users — processed tens of millions of dollars in payments through Bank Standard and the International Bank of Azerbaijan.

UCSD researcher Damon McCoy has been making targeted “buys” at dozens of fake AV sites, trying to identify their partner banks. The fake AV operations that McCoy follows are distinct from those in the UCSB research; the UCSB team asked that the names of the rogue AV programs they infiltrated not be published, citing ongoing law enforcement investigations.

A popular fraud forum features a banner ad recruiting affiliates for BestAV

In late 2010, McCoy began buying rogue antivirus software from fake AV affiliate businesses BestAV and Gagarincash — the latter named after Yuri Gagarin, the Russian cosmonaut who was the first man launched into space. McCoy said both fake AV operations previously used Bank Standard, but within the past month have switched to the International Bank of Azerbaijan.

McCoy also tracked a more elusive fake AV affiliate program that he calls Win7Security, after the program’s most profitable brand of fake AV. McCoy said that for the past several months he’d lost track of Win7Security, and hadn’t seen any of its sites being pimped in the usual places, such as malware-laced banner ads and booby-trapped Web sites that redirect users to fake AV sites.

Recently, I heard from a source that stumbled upon a portion of the customer database for a payment processing firm, idpay.com. It’s not clear where this company is based; it claims to have offices in Russia, New York and the United Kingdom, but neither NY nor the UK has any record of that company, and the company did not respond to requests for comment. The idpay.com database indicates that a large number of fake AV Web sites were using idpay.com to process payments (a partial list is here).

McCoy immediately recognized the fake AV brands and payment pages in the idpay.com database as the Win7Security program. After making a test purchase from one of the sites, he confirmed that it was a customer of the International Bank of Azerbaijan.

“These Azerbaijani banks have cornered the market on this stuff,” McCoy said. “The only [widespread fake AV affiliate] program I’ve seen that doesn’t use them is the brand of fake AV pushed by the Liza Moon attacks earlier this year, which used a Ukrainian bank.”

The idpay.com database revealed even bigger fish: Among the companies it processed was rx-partners.com, a major rogue pharmacy affiliate program that pays hackers and spammers to promote its pharmacy sites.

Another interesting client that processes payments through idpay.com is HzMedia Limited. That entity is owned by Igor Gusev, the founder of GlavMed, one of the world’s largest and spammiest rogue Internet pharmacy affiliate programs, according to the charging documents (PDF) accusing him of operating an illegal business. Gusev has fled Russia to avoid facing the criminal charges. Reached by phone, Gusev claimed that his firm was merely processing payments for HzMedia at the time those charges were levied, and that he is not affiliated with HzMedia.

The president of Azerbaijan met last week with NATO officials to discuss ways to promote cyber security, but somehow I doubt that preventing Americans from getting ripped off is high on the country’s priority list. According to the CIA’s World Factbook, Azerbaijan is resource-rich but also quite poor, and is grappling with widespread environmental issues. Corruption is ubiquitous in Azerbaijan, and it serves as a main conduit for drug and human trafficking. Given the volume of major cybercrime payments flowing through Azerbaijani banks, one has to wonder why Visa and MasterCard would allow any Internet-based transactions from consumers in the United States and Europe to these institutions.

Stay tuned for the fourth piece in this series, which will delve even deeper into the links between fake AV and rogue pharmacies. If you missed the first two, check out the top two stories listed beneath “Related Posts” directly below.

13 thoughts on “Azeri Banks Corner Fake AV, Pharma Market”

  1. KFritz

    The cartoon character fr/ the fraud forum is great–a little hip-hop bling, a little South Park, and a Red Star in the hat.

      1. KFritz

Thanks. Sweet guy that BadB! It was good that he was arrested, but a Google search turned up nothing on a conviction. What’s his status? And is it my imagination that Google searches, now more than ever, turn up the latest sales pitches that the entry produces, a lot of dreck, and not much useful info? Just askin’.

          1. Jonny Bravo

            Hi Brian, great article once again 🙂

Could you please elaborate on what exactly happened with his trial? I am surprised he has served his time this quick, as he was a big criminal from what I’ve read.

            Maybe he paid his way out?

            Please give us a follow up article 🙂

            1. AlphaCentauri

              I would assume he is cooperating with investigators and perhaps even working undercover to pursue other carders. Whether his assistance works out any better than that of Albert Gonzalez is another question…

  2. Christopher Kunz

    VISA and MasterCard are companies, and as such will offer their services in every market that promises revenue. And markets with a small, but rich upper class (like the drug barons in Azerbaijan, I imagine) are quite attractive. Small amount of customers (= little infrastructure needed), big revenue.

  3. Oper207

Gee, I wonder what’s next. Keep them running, Brian. The element of surprise. Great work, Brian.

  4. Bart

    Brian, please forgive the OT, but could you discuss how smart phones can be hacked from afar?

    1. Gary

      There was a “tutorial” on this a few days ago on a cable news network featuring Amit Ghosh (sp?). I think it was CNN

  5. lyecdevf

I am not surprised to hear that pharmacy is working with hackers. The only thing that they are interested in is money and not the health of people.

  6. Alex Pro

Hey bro, it’s not news. All know these guys operated through some bank in AZ. These banks so stupid, not their failure, believe me. They are new in the biz and anyone could scam them easy. You don’t even know what AZ banks means. You will be surprised, lol 🙂 I bet they never knew what they do )
