ChronoPay’s Scareware Diaries

March 3, 2011

If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.


ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings; and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian Rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.


Renewal Buddy: Comparison Shopping for Anti-Virus Software

March 2, 2011

The anti-virus industry has long drawn its biggest share of profits from loyal customers, extracting full-price for the software from existing customers seeking license renewals while steeply discounting their products for new users. But a new comparison shopping site makes it simple for renewing customers to take advantage of these introductory deals, or to switch to a competing product for a hefty price reduction.

Launched a month ago, renewalbuddy.com is intended to streamline the process of searching for deals to renew your existing anti-virus product without paying the full renewal price. For example, I have Norton Internet Security installed on one of my Windows 7 machines; I selected that product from the pull-down menu, told it I wanted a 3-user license, and instantly saw an offer for NIS 2011 for $29.99. Had I simply waited until the product was about to expire and followed the prompt from the currently-installed software to renew my license, that renewal would have cost me $62.99, according to Symantec’s site.

True, you can find these deals on your own just by spending a few minutes searching the Web (the $29.99 link offered by this service brought me to an offer on Amazon.com). But my sense is that very few people who pay for anti-virus software ever do this.

“People assume that a renewal license key is somehow different from a new license key, and that’s why most people click on the expiration pop-up and go through the process and end up paying full price for renewals,” said Graham O’Reilly, renewalbuddy.com’s chief executive and a former sales director of the U.K. division of anti-virus maker AVG Technologies. “What people don’t understand is that a license key is a license key, and that they can just pop it in to the program without having to reinstall it, and it will extend a license in the same way.”


Before You Install Windows 7 Service Pack 1

February 26, 2011

Microsoft is now offering Windows 7 users “Service Pack 1,” a bundle of security updates and minor feature improvements. If you’re thinking about installing this update, read on for a few caveats and tips that may change your mind.

First off, this service pack is mainly a bundle of previously-released security updates. If you are staying up-to-date in security patches, you are not going to gain much by installing this service pack, which contains a few uber-geeky feature improvements that are mostly a bonus for users of Windows Server 2008 R2 — not Windows 7.

My take? I’d say that the main benefit of this service pack for Windows 7 users would be if you were considering re-installing the operating system for some reason. In that case, Service Pack 1 would streamline the process quite a bit. Otherwise, I would urge Windows 7 users who are up-to-date to ignore this offering, at least for now.

If you decide to go forward with this Service Pack, there are several important considerations, particularly if your system has certain hotfixes installed (hotfixes are small patches designed to address specific — not necessarily security — issues). For example, Microsoft says that systems with hotfixes (2406705, 979350 or 983534) will block the installation of the service pack and may experience problems as a result.


Pharma Wars

February 25, 2011

How do you chronicle the struggle for control of an underground empire when neither combatant wants to admit that he is fighting or even that a war is underway? That’s the nature of a business-feud turned turf-war that is playing out right now between the bosses of two of the Internet’s largest illicit pharmacy operations.

On Thursday, I wrote about an anonymous source using the pseudonym “Despduck” who shared a copy of the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet. The database indicates that Glavmed processed in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010.

Despduck first proffered the Glavmed data through a mutual source in the anti-spam community, and claimed that the alleged owner of the pharmacy program, a Russian businessman named Igor Gusev, would soon be charged with illegal business activities. Sure enough, near the end of September 2010, Russian officials announced a criminal investigation into Gusev and his businesses. Shortly after those charges were brought, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other pharmacy networks.

Gusev is now in exile from Russia; he blames his current predicament, and the leak of the Glavmed data, on his former business partner, fellow Muscovite Pavel Vrublevsky. The latter is a founder of Russian e-payment giant ChronoPay, a company Gusev also helped to co-found almost eight years ago (according to incorporation documents I obtained from the Netherlands Chamber of Commerce — where ChronoPay was established — for a time Gusev and Vrublevsky were 50/50 partners in ChronoPay).

As reported in my story earlier this week, tens of thousands of internal documents and emails stolen from ChronoPay and leaked to key individuals suggest that Vrublevsky is managing a competing online pharmacy network called Rx-Promotion. It turns out that the Glavmed database was stolen at about the same time as ChronoPay’s breach.

Vrublevsky denies being the source of the purloined Glavmed/SpamIt database, but the bounty of leaked ChronoPay documents suggests otherwise. Included in the email records are messages sent to and from an inbox that used the display name “Kill Glavmed.” What was the email address tied to that name? “Despduck@gmail.com,” the very same address used to communicate with my anti-spam source.


SpamIt, Glavmed Pharmacy Networks Exposed

February 24, 2011

An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.

In June 2010, an anonymous source using the assumed name “Despduck” began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet.

Source: M86 Security Labs

If you received an unsolicited email in the past few years pimping male enhancement or erectile dysfunction pills, chances are extremely good that it was sent compliments of a Glavmed/Spamit contractor or “affiliate.” According to M86 Security Labs, the sites advertised in those Glavmed/Spamit emails — best known by their “Canadian Pharmacy” brand name — were by far the most prevalent affiliate brands promoted by spam as of June 2010.

Despduck said he could deliver data on hundreds of thousands of consumers who purchased pills through Glavmed’s sizable stable of online pharma shops, as well as detailed financial records of Glavmed/SpamIt affiliates who earned thousands of dollars a month promoting pharmacy sites using spam and hacked Web sites.

After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.

The database reads like a veritable rogues’ gallery of the Underweb: in it are the nicknames, ICQ numbers, email addresses and bank account information on some of the Internet’s most notorious hackers and spammers. This huge cache of information shows that over the course of three years, more than 2,500 “affiliates” earned hefty commissions promoting Glavmed’s pharmacy sites.

In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.


Sold a Lemon in Internet Banking

February 23, 2011

An online bank robbery in which computer crooks stole $63,000 from a Kansas car dealership illustrates the deftness with which cyber thieves are flouting the meager security measures protecting commercial accounts at many banks.

At 7:45 a.m. Monday, Nov. 1, 2010, the controller for Abilene, Kansas-based Green Ford Sales, Inc. logged into his account at First Bank Kansas to check the company’s accounts. Seven hours later, he logged back in and submitted a payroll batch for company employees totaling $51,970. The bank’s authentication system sent him an e-mail to confirm the batch details, and the controller approved it.

The controller didn’t know it at the time, but thieves had already compromised his Microsoft Windows PC with a copy of the ZeuS trojan, which allowed them to monitor his computer and log in to the company’s bank account using his machine. Less than an hour after the controller approved the payroll batch, bank records show, the thieves logged in to Green Ford’s account from the same Internet address normally used by the dealership, using the controller’s correct user name and password.

The attackers cased the joint a bit — checking the transaction history, account summary and balance — and then logged out. They waited until 1:04 p.m. the next day to begin creating their own $63,000 payroll batch, by adding nine new “employees” to the company’s books. The employees added were in fact money mules, willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds.

Green Ford’s controller never received the confirmation email sent by the bank to verify the second payroll batch initiated by the fraudsters, because the crooks also had control over the controller’s e-mail account.

“They went through and deleted it,” said Green Ford owner Lease Duckwall. “If they had control over his machine, they’d have certainly had control over his email and the password for that, too.”

To me, this attack gets to the heart of why these e-banking thefts continue unabated at banks all over the country every week: An attacker who has compromised an account holder’s PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC. If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking trojans.

It is difficult to believe that there are still banks that are using nothing more than passwords for online authentication on commercial accounts. Then again, some of the techniques being folded into today’s banking trojans can defeat many of the most advanced client-side authentication mechanisms in use today.

Banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day’s end. But several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.

Perhaps the most elegant fraud techniques being built into trojans involve an approach known as “session riding,” where the fraudster in control of a victim PC simply waits until the user logs in, and then silently hijacks that session to move money out of the account.

Amit Klein, chief technology officer at Trusteer, blogged this week about a relatively new strain of malware dubbed OddJob, which hijacks customers’ online banking sessions in real time using their session ID tokens. According to Klein, OddJob keeps online banking sessions open after customers think they have “logged off,” enabling criminals to extract money and commit fraud unnoticed.

All of these developments illustrate the need for some kind of mechanism on the bank’s end for detecting fraudulent transactions, such as building profiles of what constitutes normal customer activity and looking for activity that appears to deviate from that profile. For example, in almost every case I’ve written about, the victim was robbed after thieves logged in and added multiple new names to the payroll. There are most certainly other such markers that are common to victims of commercial account fraud, and banks should be looking out for them. Unfortunately, far too many small to mid-sized banks outsource much of their visibility at the transaction level to third-party service providers, most of whom have been extremely slow to develop and implement solutions that would enable partner banks to flag many warning signs of account takeovers.
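The bank-side profiling the paragraph calls for, as an added example that is not from the article or from any bank's system: a small Python scorer that turns the markers described above into rules (several payees added in the same session as a batch, a second batch on the heels of the last one, an amount well above the customer's norm) and runs them over a constructed activity log modeled on the Green Ford timeline. The log format, the thresholds, the IP address and the baseline batch amounts are assumptions.

```python
"""
Bank-side anomaly scoring for commercial payroll batches.

Added example, not code from the article or from any bank's system. It
turns the account-takeover markers the article describes into rules
(several payees added right before a batch, a second batch soon after a
recent one, an amount far above the customer's usual) and runs them over
a constructed activity log modeled on the Green Ford timeline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample log. The Nov. 1-2 timestamps follow the article; the
# earlier baseline batches and the IP address are invented for illustration.
SAMPLE_LOG = """\
2010-10-04T08:10 login user=controller ip=198.51.100.7
2010-10-04T14:30 payroll_batch amount=50850.00
2010-10-18T08:05 login user=controller ip=198.51.100.7
2010-10-18T14:40 payroll_batch amount=51420.00
2010-11-01T07:45 login user=controller ip=198.51.100.7
2010-11-01T14:45 payroll_batch amount=51970.00
2010-11-01T15:30 login user=controller ip=198.51.100.7
2010-11-01T15:32 view_history
2010-11-01T15:35 logout
2010-11-02T13:04 login user=controller ip=198.51.100.7
""" + "".join(f"2010-11-02T13:{5 + n:02d} add_payee name=employee-{n}\n"
              for n in range(1, 10)) + \
      "2010-11-02T13:30 payroll_batch amount=63000.00\n"

NEW_PAYEE_LIMIT = 3                # payees added in the same session as a batch
MIN_BATCH_GAP = timedelta(days=7)  # this customer normally runs payroll biweekly
AMOUNT_RATIO_LIMIT = 1.15          # batch more than 15% above the customer's mean

@dataclass
class Event:
    when: datetime
    kind: str
    attrs: dict

def parse_log(text):
    """Parse 'timestamp kind k=v ...' lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, kind, *pairs = line.split()
            attrs = dict(p.split("=", 1) for p in pairs)
            events.append(Event(datetime.fromisoformat(stamp), kind, attrs))
    return sorted(events, key=lambda e: e.when)

def score_batches(events):
    """Return one alert dict for every payroll batch that trips a rule."""
    alerts, prior_amounts, last_batch, payees_this_session = [], [], None, 0
    for ev in events:
        if ev.kind == "login":
            payees_this_session = 0          # each session starts the count over
        elif ev.kind == "add_payee":
            payees_this_session += 1
        elif ev.kind == "payroll_batch":
            amount = float(ev.attrs["amount"])
            reasons = []
            if payees_this_session >= NEW_PAYEE_LIMIT:
                reasons.append(f"{payees_this_session} payees added this session")
            if last_batch and ev.when - last_batch < MIN_BATCH_GAP:
                reasons.append(f"second batch within {MIN_BATCH_GAP.days} days")
            if prior_amounts and amount > AMOUNT_RATIO_LIMIT * mean(prior_amounts):
                reasons.append(f"amount {amount:.2f} vs usual {mean(prior_amounts):.2f}")
            if reasons:
                alerts.append({"when": ev.when, "amount": amount, "reasons": reasons})
            prior_amounts.append(amount)
            last_batch = ev.when
    return alerts

def flagged_batches(text=SAMPLE_LOG):
    return score_batches(parse_log(text))

if __name__ == "__main__":
    for a in flagged_batches():
        # A hit should hold the batch for out-of-band (phone) verification: an
        # e-mail confirmation proves nothing when the attacker owns the inbox.
        print(a["when"].isoformat(), f"${a['amount']:,.2f}", "; ".join(a["reasons"]))
```

On the sample log only the $63,000 batch is flagged, and it trips all three rules; the three legitimate batches pass.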


Russian Cops Crash Pill Pusher Party

February 21, 2011

I recently returned from a trip to Russia, where I traveled partly to interview a few characters involved in running the world’s biggest illicit online pharmacies. I arrived just days after the real fireworks, when several truckloads of masked officers from Russian drug enforcement bureaus raided a party thrown exclusively for the top moneymakers of Rx-Promotion, a major e-pharmacy program co-owned by one of the men I went to meet.

Chronopay founder Pavel Vrublevsky, at his office in Moscow

Within a few hours of my arrival in Moscow, I called Pavel Vrublevsky, the founder of ChronoPay, Russia’s largest processor of online payments. For years, I had heard that Vrublevsky was known online as “RedEye,” and that Rx-Promotion was using ChronoPay as the core credit card processor. Unlike other rogue Internet pharmacies, Rx-Promotion’s claim to fame is that it is one of the few that sells controlled substances, such as addictive painkillers like Oxycontin, Oxycodone and Codeine over the Internet without requiring a prescription.

Late last summer I came into possession of a mountain of evidence showing that not only is ChronoPay the core credit card processor for Rx-Promotion, but that Vrublevsky also is co-owner of the pharmacy program and that ChronoPay executives have steered the pharmacy’s activities for some time.

In mid-2010, ChronoPay was hacked, and many of the company’s internal documents were posted on random LiveJournal blogs and other places that were mostly shut down shortly thereafter. But a much larger cache of tens of thousands of ChronoPay e-mails, and thousands of recorded phone calls and documents were siphoned from the company and distributed to a handful of people, including me.

Among the few others who have these documents is Igor Gusev, an early co-founder of ChronoPay and the man now charged by Russian officials as the owner of a competing online pharmacy affiliate program called Glavmed. Gusev is currently trickling out the leaked ChronoPay documents in a Russian language blog about Vrublevsky called Redeye-blog.com, mainly because he believes Vrublevsky was responsible for helping to bring the charges against him.

I told Vrublevsky that I’d also received the cache of stolen data, and as a result he has been calling me almost daily for the past eight months. His goals: To keep tabs on my activities and to learn tidbits about others in his industry. But most of all, Vrublevsky has acknowledged he’s been hoping to feed me tips that would lead to other stories that aren’t about him or what’s in those documents.

Some of what he’s told me has checked out and has indeed been useful. Yet, now that I’ve had time to pore over these documents and emails in detail (almost all of them are in Russian), a much clearer picture of Vrublevsky and his businesses is beginning to emerge.

My analysis indicates that in 2010 alone, Rx-Promotion sold tens of millions of dollars worth of generic prescription drugs (mostly to Americans), including millions of controlled pills that have high resale value on the street, such as Valium, Percocet, Tramadol, and Oxycodone. And yes, buyers are getting more or less what they’re seeking from this program, contrary to popular perception (more soon on how I know that).

I hadn’t told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.

“Duuuuuuuudddde!,” he answers. “It’s 7 a.m. where you are, who died?”


KrebsOnSecurity.com Wins Award

February 18, 2011

KrebsOnSecurity.com was honored at the annual Social Security Blogger Awards at the RSA security conference in San Francisco this week. Judges and voters picked this blog as the one they thought best represents the security industry today.

Among the four other finalists in this category were some fairly big names (in no particular order):

* Threat Post
* CSO Online Blog
* Threat Level (Wired)
* Schneier On Security

This is the second year in a row KrebsOnSecurity.com was recognized at the blogger awards gathering: Last year, it was named the “Best Non-Technical Security Blog”. Thanks to the judges, voters and to all you readers who make the discussion here so much more interesting, informative and worthwhile!

Sophos’s Naked Security blog won for “Most Educational”; Veracode’s Zero Day Labs won for “Best Corporate Security blog”; “Best Podcast” went to Pauldotcom; the Securosis blog earned the “Most Entertaining” award.

Below is a great video from Chris Eng, who won the “Single best security blog post of the year” award, with the following text-to-movie clip on what it takes to be an authentic “thought leader” in the information security space:

Java 6 Update 24 Plugs 21 Security Holes

February 17, 2011

A new version of Java fixes at least 21 security flaws in the widely-distributed software bundle. Updates are available for Windows, Linux and Solaris users.

If you’re curious about the security updates included in Java 6 Update 24, see the release notes from Oracle. As I have shown in many stories on this blog, outdated Java installations can give bad guys and malware a foothold on your system, so if you use Java, please keep it updated. If you have Java installed but can’t remember why, you might consider simply uninstalling it altogether (you can always reinstall it later). I only keep Java installed on one system of mine, and I disable the Java plugin from within Mozilla Firefox (Tools, Add-ons, Plugins).

Updates are available from within Java (click the Update tab from the Java entry in the Windows control panel), or from Java.com. Mac users will need to wait until Apple releases a separate update to fix these flaws on OS X because the company maintains its own version of Java (for now, anyway).

Having a Ball with ATM Skimmers

February 16, 2011

On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users.

But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.

The camera was discovered more than a day later by a maintenance worker who was servicing the ATM. The device, pictured below with the boxy housing in which it was discovered, was designed to fit into the corner of the ATM framework and painted to match.

The self-contained camera and box attached to the Bank of America ATM

The ATM pictured on the right below is shown with the card skimmer and video camera attached.

California police say the video camera and skimmer were installed by the person pictured below. The entire scam ran only for about three hours, and was reported about 11 AM. Police recovered both the skimmer and video camera, so no customer or bank losses ensued as a result of the attack. Meanwhile, the crook responsible remains at large.

The image below shows some of the manufacturer’s specs on the “Camball-2” camera that was used in this attack, which retails for around $200 and runs for about 48 hours on motion detection mode.

Here’s a closer look at the relatively crude device attached to the mouth of the card insert slot, designed to steal data recorded on the magnetic stripe on the back of all bank cards. Criminals can then encode the information onto counterfeit cards, and — armed with the victim’s PIN — withdraw money from the victim’s account from ATMs around the world.

The authorities I’ve been interviewing about skimmer scams say the devices are most commonly installed on weekends, when many banks are closed or have limited hours. It’s difficult — once you know about the existence of these fraud devices — not to pull on parts of ATMs to make sure they aren’t compromised. If something comes off of the machine when you yank on it, and the bank is closed or the ATM isn’t attached to a financial institution, it’s probably best just to leave the device at the scene and not try to make off with it. Otherwise, consider the difficulty in explaining your actions should you be confronted by police after walking away. What’s more, in many skimmer cases, the fraudster who placed it there is monitoring the scene from somewhere within viewing distance of the compromised ATM.

It’s easy to be frightened by ATM skimmers, but try not to let these fraud devices spook you away entirely: Stick to machines in well-lit areas, places where you feel relatively safe physically. On top of that, cover your hand when entering your PIN, as many skimmers rely on hidden cameras and can’t steal your account credentials without recording those digits. Also, remember that any losses you may incur from skimmers should be fully reimbursable by your bank (at least in the United States). While the temporary loss of funds may not cover the cost of any checks that bounce because of the incident, these also are losses that your financial institution should cover if they were incurred because of a skimmer incident.


Have you seen:

Green Skimmers Skimming Green: To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies. In many cases, these anti-skimming tools take the shape of green or blue semi-transparent plastic casings that protrude from the card acceptance slot to prevent would-be thieves from easily attaching skimmers. But in a surprising number of incidents, skimmer scammers have simply crafted their creations to look exactly like the anti-skimming devices.
