Posts Tagged: scareware

Aug 13

Pavel Vrublevsky Sentenced to 2.5 Years

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source:

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Continue reading →

May 12

OpenX Promises Fix for Rogue Ads Bug

Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.

Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software.

OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.

Continue reading →

Nov 11

Attempted Malvertising on

Members of an exclusive underground hacker forum recently sought to plant malware on, by paying to run tainted advertisements through the site’s advertising network — Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of “malvertising.”

Last week, I listed the various ways this blog and its author has been “honored” over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called sought to fraudulently place a rogue ad on The ad was made to appear as though it was advertising BitDefender antivirus software. Instead, it was designed to load a malicious domain: sophakevans. co. cc, a site that has been associated with pushing fake antivirus or “scareware.”

The miscreants agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on my site. Fortunately, I have the opportunity to review ads that come through Federated’s system. What’s more, Federated blocked the ad before it was even tagged for approval.

Darkode members plot to purchase a rogue ad on They failed.

I learned about this little stunt roughly at the same time it was being planned; Much to the constant annoyance of the site administrators, I secretly had gained access to Darkode and was able to take this screen shot of the discussion. The incident came just a few weeks after I Tweeted evidence of my presence on Darkode by posting screenshots of the forum. The main administrator of Darkode, a hacker who uses the nickname “Mafi,” didn’t appreciate that, and promised he and his friends had something fun planned for me. I guess this was it. Interestingly, Mafi also is admin at and is the developer of the Crimepack exploit kit.

Continue reading →

Oct 11

Software Pirate Cracks Cybercriminal Wares

Make enough friends in the Internet security community and it becomes clear that many of the folks involved in defending computers and networks against malicious hackers got started in security by engaging in online illegal activity of one sort or another. These gradual mindset shifts are sometimes motivated by ethical, karmic or personal safety reasons, but just as often grey- and black hat hackers gravitate toward the defensive side simply because it is more intellectually challenging.

I first encountered 20-year-old French hacker Steven K. a few months ago while working on a series about the fake antivirus industry. I spent several hours reading accounts of his efforts to frustrate and highlight cybercriminal activity, and took time to follow the many links on his blog, XyliBox, a variant of his hacker alias, “Xylitol.” It turns out that Xylitol, currently unemployed and living with his parents, is something of a major player in the software piracy or “warez” scene, which seeks to crack the copy protection technology built into many computer games and commercial software programs.

As a founding member of (this site may be flagged by some antivirus software as malicious), Xylitol spent several years devising and releasing “cracks,” software patches that allow people to use popular commercial software titles without paying for a license. Cracks are frequently bundled with backdoors, Trojans and other nasties, but Xylitol claims his group never tainted its releases; he says this malicious activity is most often carried out by those who re-purpose and redistribute the pristine patches for their own (commercial and criminal) uses.

But about a year ago, Xylitol began shifting his focus to reverse engineering malware creation kits being marketed and sold on underground cybercrime forums. In October 2010, he began releasing cracked copies of the the bot builder for the SpyEye Trojan, a crimeware kit that sells for several thousand dollars. Each time the SpyEye author released an update, Xylitol would crack it and re-release a free version. This continued for at least a dozen updates in the past year.

The cracked SpyEye releases have been met with a mix of praise and scorn from the security industry; the free releases no doubt frustrated the moneymaking capabilities of the SpyEye author, but they also led to the public distribution of a malware kit that had previously been much harder to come by.

In an instant message chat, Xylitol said he still cracks the occasional commercial software title, just for old time’s sake.

“Sometimes for the old memories, but I’m more into malware cracking now,” he wrote. “It’s more fun.”

Since Nov. 2010, Xylitol and some of his associates have been locked in a daily battle with Russian scareware and ransomware gangs. Scareware programs hijack PCs with incessant and misleading security warnings in a bid to frighten users into paying for the worthless software. Paying customers are given a license key eliminates the annoying security warnings. Ransomware is even more devious: It encrypts the victim’s personal files — pictures, documents, movies and music files — with a custom encryption key. Victims who want their files back usually have little recourse but to pay a fee via text message to receive a code that unlocks the encrypted files.

Xylitol and his pals have been busy over the past year cracking and publishing the license keys needed to free computers snared by scareware and ransomware. For months, these guys have been taking on a Russian ransomeware group called the WinAd gang, releasing the ransomware codes on a daily basis, often just hours after the WinAd gang began pushing out new ransomware variants.

Continue reading →

Aug 11

Huge Decline in Fake AV Following Credit Card Processing Shakeup

On Wednesday I wrote that many of the top fake antivirus distribution programs had ceased operations, citing difficulty in processing credit card transactions from victims. Others are starting to see the result of this shakeup: Security firm McAfee says it has witnessed a dramatic drop in the number of customers reporting scareware detections in recent weeks.

Image courtesy McAfee

McAfee has tracked more than a 60 percent decrease in the number of customers dealing with fake AV since late May. “From McAfee’s vantage point, we are seeing a significant decline in detections reported from customers as well as the discovery of new FakeAV variants,” said Craig Schmugar, a security threat researcher for McAfee.

These extortion scams persist because criminal hackers get paid between $25-35 each time a victim relents and provides a credit card number. If fake AV distributors can’t get paid for spreading the scam software, they’ll find some other way to make money.

Fake AV bombards victim PCs with misleading alerts about security threats and hijacks the machine until the user pays for bogus security software or figures out how to remove it. For better or worse, it is likely that the dearth of credit card processors serving the fake AV industry has eliminated the first option for many people dealing with infections.

Jun 11

ChronoPay Co-Founder Arrested

Russian authorities on Thursday arrested Pavel Vrublevsky, co-founder of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals.

An undated photo of Vrublevsky

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

Russian state-run news organizations are reporting that Vrublevsky was arrested on June 23. Financial Times reporter Joe Menn writes that Vrublevsky was ordered held without bail and a hearing was set for a month’s time.

Continue reading →

Apr 10

Fake Anti-virus Peddlers Outmaneuvering Legitimate AV

Purveyors of fake anti-virus or “scareware” programs have aggressively stepped up their game to evade detection by legitimate anti-virus programs, according to new data from Google.

In a report being released today, Google said that between January 2009 and the end of January 2010, its malware detection infrastructure found some 11,000 malicious or hacked Web pages that attempted to foist fake anti-virus on visitors. The search giant discovered that as 2009 wore on, scareware peddlers dramatically increased both the number of unique strains of malware designed to install fake anti-virus as well as the frequency with which they deployed hacked or malicious sites set up to force the software on visitors.

Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them.

Google found that miscreants spreading fake anti-virus have over the last six months taken aggressive steps to evade the two most prevalent countermeasures against scareware: The daily updates shipped by the legitimate anti-virus makers designed to detect scareware installers; and programs like Google’s which scan millions of Web pages for malicious software and flag search results that lead to malware.

Google’s automated system scanned each potentially malicious page in real time using a number of licensed anti-virus engines, and all of the files were rescanned again at the end of the study. Beginning in June 2009, Google charted a massive increase in the number of unique fake anti-virus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate anti-virus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent.

“We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates,” said Niels Provos, principal software engineer for Google’s infrastructure group. “It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.”

Continue reading →

Apr 10

Rogue Antivirus Gangs Seize on McAfee Snafu

Purveyors of rogue anti-virus, a.k.a. “scareware,” often seize upon hot trending topics in their daily efforts to beef up the search engine rankings of their booby-trapped landing pages. So it’s perhaps no surprise that these scammers are capitalizing on search terms surrounding McAfee, which just yesterday shipped a faulty anti-virus update that caused serious problems for a large number of customers.

Continue reading →