Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.
During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.
On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.
“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”
The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.
There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.
Black Market Breakdown
Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.
In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.
But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.