Posts Tagged: fake AV


17
Oct 11

Software Pirate Cracks Cybercriminal Wares

Make enough friends in the Internet security community and it becomes clear that many of the folks involved in defending computers and networks against malicious hackers got started in security by engaging in online illegal activity of one sort or another. These gradual mindset shifts are sometimes motivated by ethical, karmic or personal safety reasons, but just as often grey- and black hat hackers gravitate toward the defensive side simply because it is more intellectually challenging.

I first encountered 20-year-old French hacker Steven K. a few months ago while working on a series about the fake antivirus industry. I spent several hours reading accounts of his efforts to frustrate and highlight cybercriminal activity, and took time to follow the many links on his blog, XyliBox, a variant of his hacker alias, “Xylitol.” It turns out that Xylitol, currently unemployed and living with his parents, is something of a major player in the software piracy or “warez” scene, which seeks to crack the copy protection technology built into many computer games and commercial software programs.

As a founding member of redcrew.astalavista.ms (this site may be flagged by some antivirus software as malicious), Xylitol spent several years devising and releasing “cracks,” software patches that allow people to use popular commercial software titles without paying for a license. Cracks are frequently bundled with backdoors, Trojans and other nasties, but Xylitol claims his group never tainted its releases; he says this malicious activity is most often carried out by those who re-purpose and redistribute the pristine patches for their own (commercial and criminal) uses.

But about a year ago, Xylitol began shifting his focus to reverse engineering malware creation kits being marketed and sold on underground cybercrime forums. In October 2010, he began releasing cracked copies of the the bot builder for the SpyEye Trojan, a crimeware kit that sells for several thousand dollars. Each time the SpyEye author released an update, Xylitol would crack it and re-release a free version. This continued for at least a dozen updates in the past year.

The cracked SpyEye releases have been met with a mix of praise and scorn from the security industry; the free releases no doubt frustrated the moneymaking capabilities of the SpyEye author, but they also led to the public distribution of a malware kit that had previously been much harder to come by.

In an instant message chat, Xylitol said he still cracks the occasional commercial software title, just for old time’s sake.

“Sometimes for the old memories, but I’m more into malware cracking now,” he wrote. “It’s more fun.”

Since Nov. 2010, Xylitol and some of his associates have been locked in a daily battle with Russian scareware and ransomware gangs. Scareware programs hijack PCs with incessant and misleading security warnings in a bid to frighten users into paying for the worthless software. Paying customers are given a license key eliminates the annoying security warnings. Ransomware is even more devious: It encrypts the victim’s personal files — pictures, documents, movies and music files — with a custom encryption key. Victims who want their files back usually have little recourse but to pay a fee via text message to receive a code that unlocks the encrypted files.

Xylitol and his pals have been busy over the past year cracking and publishing the license keys needed to free computers snared by scareware and ransomware. For months, these guys have been taking on a Russian ransomeware group called the WinAd gang, releasing the ransomware codes on a daily basis, often just hours after the WinAd gang began pushing out new ransomware variants.

Continue reading →


4
Aug 11

Huge Decline in Fake AV Following Credit Card Processing Shakeup

On Wednesday I wrote that many of the top fake antivirus distribution programs had ceased operations, citing difficulty in processing credit card transactions from victims. Others are starting to see the result of this shakeup: Security firm McAfee says it has witnessed a dramatic drop in the number of customers reporting scareware detections in recent weeks.

Image courtesy McAfee

McAfee has tracked more than a 60 percent decrease in the number of customers dealing with fake AV since late May. “From McAfee’s vantage point, we are seeing a significant decline in detections reported from customers as well as the discovery of new FakeAV variants,” said Craig Schmugar, a security threat researcher for McAfee.

These extortion scams persist because criminal hackers get paid between $25-35 each time a victim relents and provides a credit card number. If fake AV distributors can’t get paid for spreading the scam software, they’ll find some other way to make money.

Fake AV bombards victim PCs with misleading alerts about security threats and hijacks the machine until the user pays for bogus security software or figures out how to remove it. For better or worse, it is likely that the dearth of credit card processors serving the fake AV industry has eliminated the first option for many people dealing with infections.


3
Aug 11

Fake Antivirus Industry Down, But Not Out

Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.

A notice to BestAV affiliates

On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.

“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”

The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.

There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.

Black Market Breakdown

ChronoPay employees wait outside as Moscow police search the premises.

Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.

In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.

But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.

Continue reading →


26
Jul 11

Spam & Fake AV: Like Ham & Eggs

An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years.

I recently highlighted the financial links among the organizations responsible for promoting fake antivirus products and spam-advertised pharmacies; all were relying on a few banks in Azerbaijan to process credit card payments.

In this segment, I’ll look at the personnel overlap between the fake AV and pharma industries. The data is drawn from two places: a study done by researchers at the University of California, Santa Barbara (UCSB) that examined three of the most popular fake AV affiliate services which pay hackers to foist worthless software on clueless Internet users; and the leaked Glavmed/Spamit affiliate database, which includes the financial and contact information for many of the world’s top spammers and hackers.

UCSB researcher Brett Stone-Gross and I compared the ICQ instant message numbers belonging to affiliates from Glavmed/Spamit with the ICQ numbers used by affiliates of the largest of the fake AV programs measured by his research team. The result? 417 out of 998 affiliates who were registered with the fake AV distribution service — a whopping 42.2 percent — also were registered pharma spammers with Glavmed/Spamit.

Continue reading →


19
Jul 11

Google: Your Computer Appears to Be Infected

Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Screenshot of the image Google is displaying to notify users of infected PCs.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

Continue reading →


6
Jul 11

Which Banks Are Enabling Fake AV Scams?

Fake antivirus scams and rogue Internet pharmacies relentlessly seek customers who are willing to trade their credit card numbers for a remedy. Banks and financial institutions become partners in crime when they process payments to fraudsters.

Published research has shown that rogue Internet pharmacies and spam would be much less prevalent and profitable if a few top U.S. financial institutions stopped processing payments for dodgy overseas banks. This is also true for fake antivirus scams, which use misleading security alerts to frighten people into purchasing worthless security software.

Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake antivirus (fake AV) “affiliate” networks, organized criminal operations that pay hackers to deploy the bunk software. The researchers uncovered a peculiar credit card processing pattern that was common to these scams; a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors.

The pattern reflects each fake AV program’s desire to minimize the threat from “chargebacks,” which occur when consumers dispute a charge. The fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat. When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge.

Excessive chargebacks (more than 2-3 percent of sales) generally raise red flags at Visa and MasterCard, which employ a sliding scale of financial penalties for firms that generate too many chargebacks. But the fake AV companies also don’t want to issue refunds voluntarily if they think a customer won’t take the next step of requesting a chargeback.

The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor’s chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds. Consider the following diagram, from the researchers’ report, which shows a direct and very close correlation between increased chargebacks and heightened refund rates.

The researchers found that fraudsters offered more refunds (dotted line) as chargebacks (red) spiked.

Continue reading →