October 18, 2012

New research suggests that companies behind some of America’s best known consumer brands may be far more effective at fighting cybercrime than any efforts to enact more stringent computer security and anti-piracy laws.

Recent legislative proposals in the United States — such as the Stop Online Piracy Act —  have sought to combat online trafficking in copyrighted intellectual property and counterfeit goods by granting Internet service providers and authorities broader powers to prosecute offenders, and by imposing stronger criminal penalties for such activity. But recent data collected by academic researchers suggests that brand holders already have the tools to quash much of this activity.

Over the past two years, a team of academic researchers made hundreds of “test buys” at Web sites from 40 different shady businesses peddling knockoff prescription drugs, counterfeit software and fake antivirus products. The researchers, from George Mason University, the International Computer Science Institute, and the University of California, San Diego, posed as buyers for these products, which tend to be promoted primarily via hacked Web sites, junk email and computer viruses.

Test buys showed relationships between 40 affiliate programs and 25 banks, although a majority of the transactions filtered through a handful of banks in Azerbaijan, China, Georgia, Latvia, and Mauritius.

The test buys were intended to reveal relationships between the shadowy merchants and the banks that process credit and debit card transactions for these businesses. Following the money trail showed that a majority of the purchases were processed by just 12 banks in a handful of countries, including Azerbaijan, China, Georgia, Latvia, and Mauritius.

The researchers said they submitted the test buy results to a database run by the International AntiCounterfeiting Coalition, (IACC), a Washington, D.C.-based non-profit organization devoted to combating product counterfeiting and piracy. Several pharmacy and software vendors and IACC members whose trademarks were infringed in those transactions (the researchers said non-disclosure agreements prohibit them from naming the brands) used the data to lodge complaints with Visa (only Visa-branded debit cards were used to make the test buys).

Contracts between the banks and Visa and MasterCard stipulate that merchants are prohibiting from selling goods and services that are illegal in the country into which those goods or services are being sold. The credit card associations have a standard process for accepting complaints about such transactions, in which they warn the online merchant’s bank (including a notice of potential fines for noncompliance). After a complaint about such activity, the merchant’s bank conducts its investigation, and may choose to contest the issue if they believe it is in error. But if the bank decides not to challenge the complaint, then they will need to take action to prevent future such transactions, or else face an escalating series of fines from the card associations.

The researchers noticed that in case after case, merchant accounts that were used in fraudulent activity for some extended period of time before they filed a complaint with the IACC generally stopped being used within one month after a complaint was lodged. Neither Visa nor the IACC responded to requests for comment on this story.

Stefan Savage, a professor at UCSD’s Department of Computer Science and Engineering, said the data suggests that the private sector can have a major impact on cybercrime merely by going after the funding for these operations.

It doesn’t require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities.  If you can purchase a product, then there’s a record of it and that record points back to the merchant account getting the money,” Savage said. “Visa and MasterCard frown on sales of illegal purchases made on their networks and will act appropriately on complaints from brandholders based on undercover purchases.”

Savage said it doesn’t take concerted action by all of the affected brands to have a major impact on the rogue businesses that incentivize this type of commerce. On the contrary, he said one software brandholder pursued the merchant banks tied to all of the group’s test buys for its products with such a ferocity and swiftness that it virtually shut down the market for pirated brand name software [a.k.a “OEM”] overnight.

“This vendor went after everything. They did it so quickly — and not only for their own products — that it all but shut down the entire OEM ecosystem,” Savage said. “A couple of [OEM affiliate programs] survived by getting rid of that company’s brand, but in the beginning, when people had no clue what’s going on, it shut down the entire business for everyone.”


The researchers note that in mid-2011, Visa made a series of changes to their operating regulations that seem designed to specifically target on-line pharmacies and sellers of counterfeit goods. First, sales of goods categorized as pharmaceutical-related were explicitly classified as “high risk” (along with gambling and various kinds of direct marketing services), and acquirers issuing new contracts for high-risk e-commerce merchants required significantly more due diligence (including $100M in equity capital and good standing in risk management programs). Also, the new documents explicitly call out examples of illegal transactions including “Unlawful sale of prescription drugs,” and “Sale of counterfeit or trademark-infringing products or services,” among others. Finally, these changes include more aggressive fine schedules for noncompliance.

Some of the best evidence of the success of the test buys+complaints strategy comes directly from the folks operating the affiliate programs that reward spammers and miscreants for promoting fake antivirus, pirated software and dodgy pill sites. In June 2012, a leader of one popular pharmacy affiliate program posted a lengthy message to gofuckbiz.com, a Russian language forum that caters to a variety of such affiliate programs. In that discussion thread, which is now some 234 pages long, the affiliate program manager explains to a number of mystified forum members why the pharmacy programs have had so much trouble maintaining reliable credit card processing.

A pharmacy program administrator explains the effects of the complaints to Visa.

“In May 2011, Visa initiated a new program, the so-called “Global Brand Protection Program. How this would turn out for banks and merchants no one knew at the time, so at the time nothing much changed — everything kept working as before,” the program manager explained. “After several months, Visa begins to act, and beginning in November 2011, fines of $25,000 USD on every domain containing brands Viagra, Cialis and/or Levitra or other copyrighted medications began raining down on merchants.”

The manager continued:

“All affiliate programs have come under fire. Today, all sizable affiliate programs have paid more than hundreds of thousands in fines under this program. Banks also come under fire, and although in most cases they can cover their financial losses at the expense of merchants — provided their turnover is sufficient — Visa’s audits, reputation risks, and other hassles complicate their work. That is why some banks have completely refused to do business [and] some have greatly reduced the volume of ‘pharma’ payments, some have ‘overinsured’ themselves in one way or another, leading to practically zero approval rates. Some (banks) continue to work, but today their number is very limited.”

Another affiliate of a rogue pharmacy program put the situation in far less delicate terms, observing: “Right now most affiliate programs have a mass of declines, cancels and pendings, and it doesn’t depend much on the program IMHO, there is a general sad picture, fucking Visa is burning us with napalm.”


Damon McCoy, assistant professor at GMU’s Computer Science Department, said many pharmacy, scareware and OEM software affiliate programs have responded by putting in place security measures to screen out test buys. For example, some rogue pharmacy programs — such as RxPayouts — have begun requiring buyers to send scans or faxes of their drivers licenses and physical credit cards. Others have decided only to process payments for existing customers.

But both security measures can be self-defeating, for customers and affiliates alike. The researchers note that RxPayouts’ photo ID requirement for new customers (enacted in January 2012) caused an uproar among affiliates. According to the researchers, one affiliate wrote in response, “This new rule is killing me, my conversion rate for new customers have dropped to [zero]. As soon as my new customers find out they have to fax their customer service a Photo-ID, they cancel their order.”

But McCoy said the new requirements also serve to insulate affiliate programs from another potential source of headache and trouble: rogue affiliates who join the program merely to reap the commissions for orders placed with stolen credit cards.

“Originally, the affiliate programs were doing this to defend against the carders, and in the past if there was a chargeback for a purchase, the affiliate program ate that chargeback cost,” McCoy said. “Now, if a chargeback comes through, they’ll take that charge out of the affiliate’s subsequent earnings.”

The researchers observed that pharmacy affiliate programs also have responded recently by replacing brand name drugs with their generic equivalents (e.g., Sildenafil Citrate instead of Viagra, Tadalafil instead of Cialis, etc). The operators of these programs argue to their affiliates that such actions will eliminate the brand and trademark issues and thus undermine the ability of brandholders to shutdown both individual sites as well as the associated merchant accounts.

Whether this last step will allow banks that cater to such businesses to continue to do so undisturbed by the credit card networks remains to be seen, according to the program affiliate manager quoted above, who posted to gofuckbiz.com.

“What this will lead to in the end, time will tell, either everyone will stop using well-known brand names, which are so well know to buyers, and will start using the Indian generic names or names of active ingredients, or will continue to compete in this mad race of who will outsmart whom.”

A copy of the research paper is available here (PDF).

31 thoughts on “Rogue Pharma, Fake AV Vendors Feel Credit Card Crunch

  1. JCitizen

    Oh Boo Hoo!

    The rip offs will be calling this the crash of 2012? HA! 😀 !

    Very good article, BTW, Brian! Thanks!

  2. Aleksey

    I think it is obvious to anyone who gave it a thought that the payment processing is the weakest link in the profit-driven cybercrime. The payment systems like VISA and MC are not interested in processing this crap and are trying to do the right thing. If banks were diligent and not complicit in processing illegal stuff, the spammers would have no chance and would be driven to marginal payment vehicles like BitCoin or LibertyReserve, which would virtually close down “the biz”.

    1. JCitizen

      Gosh! Then they’d have to *gasp* – go legit!! They shudders the thought! HA!

      1. AlphaCentauri

        Or else they’d have to limit their customer base to people who are fully aware they are not dealing with legitimate pharmacies. I have a lot more problems with them scamming desperate people into thinking they are getting real medication from a real pharmacy in Canada.

        BTW, if you know anyone who really is sick an uninsured, there is a website to find federal clinics that work on a sliding scale:

        1. JCitizen

          Sure! I’m one of them!! That is why you will never see me give up the fight to defeat these criminals! I can’t stand to see my friends ripped off by substandard drugs in this way.

          Besides the fact that I just plain hate online criminality!


    2. Shadowplay

      Shut down the “payment processing” and shut down any crime, cyber- or not

    3. Nick P

      In the wars of the past, one of the main tactics was to go after the opponents supply chain. The supply chain gives them what they need in terms of resources. Cut it off, their army begins to wither. Crooks usually need middlemen to get paid. Just substitute “middlemen” for “supply chain” and the old strategy still pays off.

      1. JCitizen

        Logistics is always a logical argument, but plain old economics always wins hands down. Without the money the system collapses! The house of cards falls!

        This is what caused the fall of the Союз Советских Социалистических Республик; the US is next if we don’t wake up and smell the coffee!

  3. Uzzi

    I’ll never understand why the U.S. customs don’t have “test buys” and undercover investigations like the europeans have… and industrial associations could stop illegal transactions on the level of active ingredients instead of leaving that to their members at infringement of trademarks…

    …but it’s fascinating that those crybabies tear a thread of 234+ pages length. 😀

    1. Nick P

      Yeah I was a little shocked about the 200+ page thread myself. I’ve actually (fully) read insanely long threads on the likes of Binrev & mailing list archives. Most of them never went over 30+ pages. People eventually just said, “Dude, there’s more to life than talking about this crap.” Then, they moved on. These guys were like the “little engine that could” of online cry babies.

      1. SeymourB

        I’m sure the reason they’re having such long rants is because it means they may be in serious trouble if the money stops. Job prospects in some countries is even worse than it is in the western world, and many of these guys have “projects” on the side that require paying off authorities to avoid prosecution. Once the cash dries up, their entire world collapses.

        1. JCitizen

          Like I said – “Boo Hoo!” I cries a river for them fools! :_|

    2. Stefan Savage

      Well, to be fair…. This is not a thread that is uniquely about the topic of payment processing problems. Rather it is the long-lived thread on the Club-first private affiliate program (updates, questions, complaints, etc). It just so happens that a variety of conversations have occurred on this thread including some that span the niche.

  4. markez

    are you aware the ‘legal’ brands are actually killing people due to high prices? generic drugs are SAME quality [doesnt matter what tv says] but cheaper due to not using brands. you shouldnt be after generics but after big brands making people die.

    other thing: peopel know they buy generics. if visa or whatever stops sales, then people will get educated about bitcoin or liberrtyreserve just to get what they need. that is why visa or MC cannot block such tranasactions because all will happe nis they will loose fees that someobdy else takes.

    you fight wrong people. make pharmacies stop their crazy % on sales just due to brand patent and there wont be counterfeits of this number

    1. JCitizen

      I don’t doubt change is coming from the big pharma companies(the legit ones), but please – why would anyone, with a lick of sense trust an outsider!

      I don’t even trust the FDA in the US with half the stuff that they approve for our consumption!

    2. Uzzi

      Sorry, markez, are you stupid? – You could simply mix your pharmaceuticals yourself for a cheaper price instead of trusting in counterfeit so called generic drugs of some asian backyard workshop sold over the internet by organized crime. (At least you are an outstanding logician… you won’t cook yourself some “Krokodil” just because it’s users swear it helps every disease? http://en.wikipedia.org/wiki/Desomorphine)

      … Counterfeit Drug Problem in America

      Fake Medicines Mafia…

      The fight against counterfeit drugs

      Fake Online Pharmacy selling Counterfeit Drugs …

      1. markez

        Do not eat what medias give you. IF there really was deaths or so by Generics you would hear of more than 1-2 people it would be thousands. Also cooking drugs at home is as illegal as in Asia.
        Pharmacies work because most of them sell GOOD drugs and get repetive customers unlike companies that just steal due to braning.
        Dont get fooled of YT vids you shown, nobody dies of generic drugs they are as good as normal ones. Imagine 1000s sales a day of generics and dying of people. Within month around 100k would die aroudn the world but.. they dont!

        1. Stefan

          Because its illegal they wouldnt do it? I would say you fail at logic …

  5. JCitizen

    The whole world should at least charge the big pharma companies with a royalties for all the research dollars we across the world pay them, out of government coffers, for developing all these “wonder” drugs. Seems like plain sense to me!

    Besides the fact that US associations need to consolidate to negotiate for better prices.( I know – the US congress needs to wake-up)

    I’m not totally on the side of these corporations – there is always two sides to every argument!

    1. Uzzi

      Real problem of the U.S. (also true to lowest life expectancy of all developed countries with more than -10 years to top…) seems to still be the health care system: 17% of GDP spent by the U.S. on health care compared with the 9% of GDP spent by much of the rest of the world. – Hopefully that mitigates as the system develops, probably like always depending on how long it will take for a stable majority to understand and resist propagandistic manipulations…

      1. JCitizen

        I cannot refute your data, but I do know that every economic expert in the world agrees that Europe’s problems are a result of Socialist support of health care.

        I propose that privately owned associations would be more successful. We already do that with GREAT success in the US in the service market – as in power, internet, and phone service! These are non-profit organizations, but my family has already benefited from the estate of my mother after she passed away, and our phone/telco association paid out the profit of the estate. We own telephone, internet, satellite, and cable TV service; notice I way WE own it! And we show up to the meetings and vote for our proxies, and have a say in day to day operations too!

        Foreigners may be ahead of us in technical education, but they are FAR behind in economical education. Believe me – I love and respect the peoples of the world, but nobody beats the USA!

        1. Stefan

          Economical education in the US? Are you joking? I guess you mean how to use plastic and accumulate debt? JFYI German private savings could pay off the entire debt of the EU.

          1. JCitizen

            I believe we should be teaching the same personal finance classes we use in freshmen college, to middle school students at grade 7! None of these concepts are unattainable for young people.

            Certain economic interests have been blocking this education since the 1920s, but we can’t do without it, and be competitive, and keep our head above hot water(financially).

            I truly believe the next big change in thinking about economics will be the working man’s ownership of the place he/she works, and the change of medical care to non-profits. It is the only way to bring back the middle class, and control medical costs, which are completely out of control now.

            Instead of the dictatorship of the proletariat, it will be the ownership of the proletariat. To make good decisions, these concepts will have to be introduced early in life, and ingrained at the secondary school level.

  6. Audrey

    I did a quick Google search about RxPayOuts and their back office is CartAdmin. On a affiliate forum I read CashAdmin sent a letter to their affiliates which quick to the point that they went out of business and could not pay their affiliates their remaining commissions. That same forum also said RxPayOuts has not paid commissions since early August after being the most reliable paying online pharmacy affiliate program in the business. When those affiliates contacted RxPayOuts by phone the reps keep saying wait a few more days we have no idea when they will pay you. I wonder if CartAdmin is the same as CashAdmin or a different business? You would think if they intended to screw people over that they would quit answering the phones and take the website down like CashAdmin did…. This seems to have all started way back when ePassPorte,run by Chris Mallick, went the way of the wind and people did not get the money they had in their ATM account…..

    1. Stefan Savage

      Rxpayouts is the same as rxcashcow. CashAdmin is a separate program. Both are basically shut down.

      In general, the economics for pharma programs is not great. Net revenues are only 10-20% of gross. and account shutdown means either fines or holdback losses which cut into that. Moreover, affiliates will flee to other programs if you don’t have stable processing. Since the top 10% of affiliates are bringing in the lions share (75-85%) of revenue losing those affiliates can be a disproportionate loss. Finally, discount rates on new merchant accounts for online pharma have been going through the roof (basically doubling). Its a tough business right now.

      However, pharma historically has been a better turnover business than most (excepting FakeAV) so it wouldn’t surprise me if the remaining programs claw back commission rates (which are 40-50%) to make it more profitable for them. If affiliates don’t have anywhere better to go then they’ll swallow it. That of course assumes that the whole ecosystem doesn’t shutdown as the brand holders get more serious about going after merchant accounts.

  7. Benya Crick

    As conventional avenues for merchant services become increasingly unavailable, presumably we’ll begin to see wholesale displacement to virtual currencies. It would be interesting to know why rogue pharma’s “attempt to continue their businesses using alternative payment mechanisms including PayPal and, most recently, Bitcoin … has not been successful”.

    1. Stefan Savage

      The main reason I don’t expect a successful move away from Visa/MC is that alternative payments are unfamiliar to US consumers who make up the bulk of the demand for these products/services. When we looked at Glavmed transactions earlier in the year, 96% of all revenue was transacted via Visa/MC/Amex. We’ve seen programs try other things when they lose Visa: COD in the states, eCheck (ACH), Paypal, Western Union, Moneybookers, and event Bitcoin. But for general niches these end up being poor substitutes for Visa/MC because US consumers just won’t use them and sales go down by an order of magnitude.

      Now, there are exceptions. High-fear sales (e.g., ransomware) or high-demand sales (like Oxycodone). In the first case consumers can be sufficiently worried about their personal liability that they’re willing to do something very unfamiliar (e.g., go get a paysafecard at their supermarket). In the later case, consumers are driven seekers and can be willing to entertain a wider variety of options to get what they want. Thus, online gambling is still eminently fundable without Visa/MC if you’re sufficiently interested to find out how (but losing Visa/MC eliminated the revenue from all the casual US gamblers).

  8. AlphaCentauri

    Markez, how do you propose to gather data about people who suffer harm from substandard drugs?

    In many cases, these are people who don’t go to their doctors. The generic drugs being sold online are MORE expensive than the ones sold in local pharmacies — but they are sold without prescriptions. So if those drugs are ineffective, but the person taking them doesn’t get cholesterol levels or blood pressure checks, he won’t know he’s taking worthless pills.

    And most of drugs for chronic diseases like diabetes and high blood pressure are to prevent long term consequences. You would need to do a long term study to know if there were more people getting strokes or going on dialysis. How would you do a study of people who -don’t- go to doctors?

    If those people do suffer consequences despite buying drugs for their condition on line, it’s not going to be detected. As far as anyone knows, they weren’t taking drugs. They had no prescriptions, saw no doctors, and bought the drugs illegally. No one will know they were paying for ineffective drugs instead of just not taking any at all.

    And if the drugs they take are toxic, again, who will know? Do you imagine that every person who dies gets an extensive post mortem exam like Michael Jackson’s? Mostly, the medical examiner’s office calls the person’s last physician for a history, finds out he had diabetes and heart disease and never kept appointments or took medications, and signs the death certificate as death due to natural causes. There could be thousands of deaths among people with known chronic diseases, and no one would notice it.

  9. john

    >Visa is burning us with napalm.
    Wrong translation. Should be “Visa burns with napalm”.
    “Burns with napalm” is an idiom. It usually used when one talks about someone doing something fascinating (joke or crasyness, but sometimes it could be something else).
    Like for example “Monty Python burn with napalm in their latest movie”, or “[username] burns with napalm” in reply to a crasy forum post.

  10. Bob

    I’m a retired American living in the Philippines. Drugs from big pharma are expensive here. Name brand generics such as Teva and Apotex are unavailable. Locally manufactured generics are available, but not cheap and anyway the raw ingredients are imported. From where — who knows.

    Buying from mail order pharmacies is an economic necessity. I think you may be a bit to0 blanket in your condemnation of these pharmacies. I am getting drugs from the major Indian pharmaceutical firms such as Cipla and Intex. Generally I can tell if the drug is working. It’s pretty easy with blood pressure drugs. I trust drugs from a big Indian pharma more than I trust a Philippine generic and it will cost me half the price.

    Is this ideal — no. Do I wish I could have American or European big pharma drugs? Of course, but it’s just not possible. They would cost ten times as much and may well be manufactured in India or China where the vast majority of raw pharmaceutical ingredients are made. My genuine Lipitor is made in Turkey.

    One of the on-line pharmacies I have dealt with cannot accept credit cards, only EFT payments. Despite the concerns, they are promptly shipping me drugs from Cipla, Intas and so forth. To have all these outfits hounded out of existence will not help me or others who depend on them.

Comments are closed.