Slashdot Mirror

← Back to Stories (view on slashdot.org)

Russian Payment Processor Runs Massive Scareware Operation

Posted by Unknown on from the legit-business-is-boring dept.

An anonymous reader writes "Brian Krebs has posted a deep dive through more than a year worth of emails leaked from ChronoPay, Russia's largest online credit card processor. The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam."

62 comments

  1. Money by pinkeen · · Score: 1

    Such operations need a lot of funding. It's not surprising to see that some legitimate companies decided to provide it...

    1. Re:Money by devxo · · Score: 2

      The title and summary are horribly wrong anyway, no wonder it was submitted by anonymous coward. Even the article states that ChronoPay didn't run it, but they provided payment processing and setting up companies for receiving payments is normal process with every payment processor.

    2. Re:Money by anegg · · Score: 1

      In the article that I read, a principal in the ChronoPay operation claims that setting up companies for receiving payments is normal process with every payment processor, not the author of the article. I read that as "we didn't do anything wrong, everyone else does the same thing, too." I don't listen to that kind of excuse from my children uncritically - I wouldn't listen to it from ChronoPay, either.

  2. Queue the... by Luniz · · Score: 0

    "In Soviet Russia" jokes

    1. Re:Queue the... by Shikaku · · Score: 1

      http://www.youtube.com/watch?v=-jC8JIjW2cw

      In Soviet Russia, Pootis remove you!

    2. Re:Queue the... by Anonymous Coward · · Score: 0

      In Soviet Russia,

    3. Re:Queue the... by Angostura · · Score: 1

      In Soviet Russia, english language students knew the difference between "cue" and "queue".

    4. Re:Queue the... by Bigbutt · · Score: 1

      Depends. It could work either way. Either a queue of jokes (queue up the jokes) or cue the jokes. Taking it on face value, I suspect the OP meant "cue" but with English, dropping the "up" is common.

      [John]

      --
      Shit better not happen!
  3. in soviet Russia credit card process you! by Joe+The+Dragon · · Score: 1

    in soviet Russia credit card process you!

    1. Re:in soviet Russia credit card process you! by Anonymous Coward · · Score: 0

      In Soviet Russia this joke still funny!

  4. Always wondered where these came from... by rwade · · Score: 2, Interesting

    I recently ridded my wife's computer of such a virus/trojan, whatever -- this day, we can't figure out how the machine ended up with it -- maybe autorun off a usb stick?

    It was this ridiculous fake filescanner that would pop up at start up and scan every file on the computer, calling out 1/10th of them as "infected." This was Windows XP, and the filescanner suppressed msconfig and task man; in fact, you couldn't run notepad from the run dialog. It would pop up with "file infected; can't open" or some such. At any rate, this required going into the registry and checking what was in the "run once;" there was some weird file in allusers\localsettings. It was named like a random password, like asdf230123jfgnmv.exe.

    The "removal" procedures were basically just to rename the file and restart. It hasn't come back yet. At any rate, while I was working with the file -- I noticed an artifact in the metadata listing the manufacturer -- I can't read Russian, but it definitely had cyrillic characters in it. Funny...

    1. Re:Always wondered where these came from... by smooth+wombat · · Score: 1

      I have had to deal with several of these over the last two months or so here at work (a state agency). The people that get them swear they were on legitimate sites when they got the same infection you mention. This is probably true as we do block what sites people can visit.

      After a while of deleting files it just became easier and faster to rename their profile, create a new one and move their bookmarks and anything from their desktop to the new profile. Once done, delete the old profile.

      Of course, since our CIO hates anything that isn't Microsoft, we can't install Fx or anything else (though we have done so for select people and some of us in the IT area have it installed) so we will continue to get these infections.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:Always wondered where these came from... by rwade · · Score: 1

      Yeah, it sure is a pain int he neck here. But I'll take this over a hidden virus/trojan -- at least you know that there is something wrong...

    3. Re:Always wondered where these came from... by spire3661 · · Score: 1

      Anecdote is anecdote. Take it for what it is.

      --
      Good-bye
    4. Re:Always wondered where these came from... by GIL_Dude · · Score: 1

      Most of these infections have been coming from Flash and Adobe Reader exploits. Maybe the ones you got weren't, but many of them are. It is amazing how slowly people patch Flash and Reader - especially with all the exploit kits out there targeting them. About 8 months ago both my boss and my brother in law got one of these fake AV programs. Both got them through adobe Reader, and both were from normal everyday websites where the ad network had served ads with the exploit included.

      However, you can get rid of the thing faster by just booting to Windows PE and deleting the file and registry entry. It takes about 10 minutes (and that includes the boot / reboot).

    5. Re:Always wondered where these came from... by PitaBred · · Score: 2

      The nice (bad) thing about Windows is it depends on extensions to run things. You can rename any .exe to a .com or even .bat I believe and it'll run fine. Most apps will just do name-based interception so you could have made a copy of notepad.exe as notepad.com and it would have worked. It's something I had to do with regedt32.exe once when I think it was Sasser or something took over the association for .exe filetypes.

      --
      My blog. Good stuff (when I remember to update it). Read it.
    6. Re:Always wondered where these came from... by Anonymous Coward · · Score: 0

      Of course, since our CIO hates anything that isn't Microsoft, we can't install Fx or anything else (though we have done so for select people and some of us in the IT area have it installed) so we will continue to get these infections.

      Smart guy your CIO. Who wouldn't want a manager who provides job security like that ;)

    7. Re:Always wondered where these came from... by DeadDecoy · · Score: 1

      For me, I've always been amused at getting those "Your Windows Registry has been infected by a Trojan" popups on my linux box. Nope, my non-existent system32 is quite clean thankyouverymuch.

    8. Re:Always wondered where these came from... by Anonymous Coward · · Score: 0

      Infected ads would be my guess. Yay for Adblock!

    9. Re:Always wondered where these came from... by citylivin · · Score: 1

      "Of course, since our CIO hates anything that isn't Microsoft, we can't install Fx or anything else"

      Well he is right for hating firefox on the domain as it has no GPO or centralized management. I personally love firefox and dislike chrome, but chrome comes with msi's and gpos. So it was trivial to push that out to everyone on my network.

      I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadmin. Users with custom apps can always fall back to IE.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    10. Re:Always wondered where these came from... by Rick17JJ · · Score: 2

      I have seen several of those scareware pop-up advertisements on my Linux computer, claiming that viruses and spyware had been detected. In each case, without my permission, it would pretend to scan drive “C” and show a progress bar for about 30 seconds. It would then announce that it had found several types of viruses and spyware on drive “C” and also in my registry. Linux does not designate devices or partitions with drive letters or have a registry like Windows does, so both claims were obviously bogus.

      It would then ask me to purchase their anti-virus software to fix the problems.

      Contrary to what they were claiming, I doubted that their advertisement could have so casually scanned my hard drive like that, without my permission. I had a user configured firewall on both my computer and on my DSL modem, with all inbound ports closed. I was also up to date with all the latest security patches.

      In another earlier encounter with a similar scareware advertisement, a couple of years earlier, it also tried to download an executable file, with a .EXE extension, without my permission. Of course my Linux computer did not know what to do with a Windows .EXE file, so it gave me a pop-up box asking me what pogram it should use to try to open a .EXE file. I did not suggest trying to run it under WINE and just chose the option to cancel the download instead.

      Since then, I have started using the “No Script” plug-in for Firefox for most websites, so perhaps I will not see their scareware ads again.

    11. Re:Always wondered where these came from... by Anonymous Coward · · Score: 0

      It's rarely anything to do with JavaScript. I've seen them come in on my Mac box through Flash ads and/or Java. So unless I'm running Speedtest to test my ISP, I turn Java off on all browsers and run a Flash blocker. The latter also has the nice side-effect of getting rid of the most obnoxious ads out there.

    12. Re:Always wondered where these came from... by hughk · · Score: 1

      If you are a particularly nasty person like me, you would have returned the favour of a fake virus scan with a fake purchase from one of the test CC generators. Do that enough times and it may raise a flag with their upstream payment processor.

      --
      See my journal, I write things there
    13. Re:Always wondered where these came from... by Jaqenn · · Score: 2

      I got a virus with these exact symptoms a few months ago. My wife called me at work to say the PC was acting wonky, and she had accidentally clicked an ad that brought her to some random website which she then closed.

      My suspicion is that the website contained content which triggered some flash or firefox vulnerability. I can't prove it, though.

      Sound like the lead in that you guys had?

      --
      You are awash in a sea of fiercely stated opinions. Obvious exits are: 'File->Quit', 'Reply', and 'Page Down'.
    14. Re:Always wondered where these came from... by rwade · · Score: 1

      Honestly, I have no idea where it came from. Given the kind of work that she does on the computer, I could see it coming through an Adobe Reader hole.

    15. Re:Always wondered where these came from... by rwade · · Score: 1

      Could you be accused of trying to commit fraud? Someone might get the impression that someone at your IP is trying to use a bundle of stolen CC numbers.

    16. Re:Always wondered where these came from... by Anonymous Coward · · Score: 0

      Anecdote is anecdote.

      Well it had a lot more content than your stupid internally redundant post.

    17. Re:Always wondered where these came from... by vlueboy · · Score: 1

      This is the most common form of malware I've had to clean up. Back when Windows didn't have 'home versions' and lacked group policy they only got away with rewriting your dlls to spy on you and create popups.

      I have stopped seeing the popups altogether --now it's just 'Windows Antivirus 2010 has detected legitProgram.exe / legitTechTool.exe / yourCLI contains a virus and must close it. To remove it, click below [and pay USD$80]' It is annoying that turning back the clock fails most of the time, or the person infected waits long enough that any clean copy of the OS is long discarded by newer infected System Restore snapshots.

      I did find one removal tool distributed as .com .exe and .scr(eensaver), but never checked that the non-screensaver ones are just a file rename. Never had a chance to try out on with the exe-catching malware... Between exe-knocking and the design failure that puts group policy APIs in XP *Home* edition, malware pretty much forbids any tool --safe mode sometimes gets pwned or corrupted past any home of recovery.

    18. Re:Always wondered where these came from... by EdIII · · Score: 1

      I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadmin. Users with custom apps can always fall back to IE.

      Although I find that most of the installed base of XP in corporate environments is due to higher (it really is) TCO of Vista and 7, not to mention migration costs, loss of IE 6 is still a real deal killer.

      I am still running across people that would want to change but deal with specialized portals and software that only run in IE 6. It's baffling, but when I talk to people, deal with other sysadmins, etc. that is the biggest challenge they have with migration and upgrades is a cant-live-without-it program or platform that prevents change.

      One I can think of off the top of my head is some security camera software. They all developed on ActiveX controls which requires IE at a minimum.

      It is tragically hilarious to have to absorb the costs of a VPN, or the security risks of terminal services open to the WAN, just so that executives with nice fancy new windows 7 tablets and laptops can still run IE 6 on an Win2K server.

      Even the most competent sysadmin has to deal with legacy software requirements.

    19. Re:Always wondered where these came from... by freedumb2000 · · Score: 1

      What I want to know is how to get them patched with a non-admin account. I want to allow already installed apps to update themself without allowing new aps to be installed by the user or being able to make other changes to the system.

    20. Re:Always wondered where these came from... by Anonymous Coward · · Score: 0

      They used exploits in Adobe Reader and Flash Player. Now they are attacking Java...

    21. Re:Always wondered where these came from... by damium · · Score: 1

      We use a WSUS server and Local Update Publisher at work. It has been a bit of a pain sometimes, Adobe isn't fond of sticking to MSI standards and has published stuff with bad MSI applicability rule content (windows installer would still install it but you had to edit the xml so WSUS could validate it). They also only publish MSI files for the ActiveX version of flash player so we have to deploy the exe version of the mozilla plugin (WSUS can deploy exe, msi and msp files but msp files are the easiest).

      It takes about 1 hour for us to write and test the deployment rules for each update. We test against both WinXP-32bit and Win7-64bit targets as they will sometimes need different applicability rules. Then we let the clients check-in to see if they mark the update as applicable. After we are satisfied that all of the clients that need it and only the clients that need the update will try to install it (we have had issues with this in the past) we mark the update as ready to install and the clients will install it in the next cycle.

      This usually means that an update is out for 1-2 days before our clients have it installed so if there is an exploit being used broadly we will sometimes force clients to update via our inventory tool that can have it done in 1 hour. We have had systems where the user has been hit by these type of scareware drive-by-installs before the patch was even out.

    22. Re:Always wondered where these came from... by julesh · · Score: 1

      I recently ridded my wife's computer of such a virus/trojan, whatever -- this day, we can't figure out how the machine ended up with it -- maybe autorun off a usb stick?

      The last one I got was injected via a (apparently 0-day) vulnerability in the Adobe Acrobat plugin that was exploited by banner ad code that was hosted on thepiratebay.org. The previous one was similar, but used a Java flaw. These were both browser neutral exploits, although I happened to be running Firefox. I have since installed Noscript, which appears to be the only way to guarantee security these days. I've also recently seen something similar on a friends' computer that was smart enough to completely hide the traces of where it came from, although I also suspect a banner-ad injected exploit in that case. I'd suggest anyone browsing sites that use the kind of dubious ad banner networks that show up adverts for "facebook of sex" or similar dodgy sites install it now.

    23. Re:Always wondered where these came from... by Anonymous Coward · · Score: 0

      Turn off adobe reader's embedded javascript (unless you actually use it?), and tell it to load separately not use the browser plugin (better yet strip it out of the browser). First decreases the attack surface in adobe reader, second stops a website being able to load a hidden pdf file, at least the whole reader window will popup if it tries.

    24. Re:Always wondered where these came from... by hughk · · Score: 1

      If there is no match between names and numbers (they only pass initial validation) then you are hardly committing fraud. They could complain but they are making fraudulent claims.

      --
      See my journal, I write things there
  5. Millions in Rubles by Sulphur · · Score: 2

    They have 1-800 numbers in Russia?

  6. Well... by Rocky · · Score: 4, Funny

    ..was the operation runner named "Peggy"?

    --
    "I'm an old-fashioned type of guy. I worship the Sun and Moon as gods. And fear them."
    1. Re:Well... by Shikaku · · Score: 0

      In soviet russia the operation Pegs you!

  7. Whoa by The+Wild+Norseman · · Score: 1

    The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam.

    Never heard of ChronoPay before. I had to read this part three times because at first I really thought they were talking about Norton.

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  8. Fake orders by Anonymous Coward · · Score: 0

    Has anyone considered trying to place fake orders with random contact info?

    Might as well complete fake anti-virus software with fake orders.

  9. What part of by boristdog · · Score: 1

    What part of "Russian Payment Processor" tipped them off?

  10. Russian perspective by Anonymous Coward · · Score: 0

    Its not a surprise to me that they did. The basics of Russian economy is "Scam and try to screw over as many people as possible and make money in process". Also, i dont believe that ChronoPay did not receive any kickbacks. After all, over there every little deal is driven by them.

  11. IT'S FUCKING RUSSIA !! DUH !! by Anonymous Coward · · Score: 0

    Kapitalist Kommie Klowns stealing from coutrymen? Stealing from world? What's new? You can't find a more morally bankrupt peoples in the known universe!

    1. Re:IT'S FUCKING RUSSIA !! DUH !! by Anonymous Coward · · Score: 0

      u sir is wrong. they are far behind ppl on wall street. also, keep trolling

    2. Re:IT'S FUCKING RUSSIA !! DUH !! by Anonymous Coward · · Score: 0

      KKK moved to russia? Serves them right.

  12. Re:Queue the... Ok then, you asked for it by Anonymous Coward · · Score: 0

    In Soviet Russia, we don't do "In Soviet Russia" jokes. We do "In Capitalist America" jokes instead.

  13. Was this a wikileak? by atari2600a · · Score: 0

    It's hard to keep track of them these days, what with there being no wiki anymore...

  14. Nice to see them embracing capitalism by elrous0 · · Score: 2

    They've learned well from their counterparts on Wall Street. But to reach the final level, they will need to find a way to not only not get caught, but to get the government to actually give them money for their thefts.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Nice to see them embracing capitalism by sabt-pestnu · · Score: 1

      Naw. The final level is getting laws written so that if you do get caught, the government defends you (successfully).

  15. That Russian Entrepreneurial Spirit by NicknamesAreStupid · · Score: 2

    Marx may be rolling over in his grave, but Stalin would be proud, so would Al Capone. There is nothing more effectual, business-wise, than organized crime gone corporate.

  16. That's Unpossible! by Anonymous Coward · · Score: 0

    A Russian online credit card processor running scams?

    What a shocker! I refuse to believe it.

  17. In Soviet Russia... by davcorp · · Score: 1

    Payment Processor pays Scareware... errrr....wait... tssssssssss.... bah!...

    --
    Gravity!... It's not just a good idea... It's the Law!
  18. In Soviet Russia and Capitalist America... by ark1 · · Score: 1

    financial institutions rob you

  19. Culture of corruption by andydread · · Score: 1

    WTF is it with Russian, Eastern Bloc, and Chinese corruption. When i hear about scams like this i think hhmmm Russian, Romainian etc, or Chinese and 80% of the time my hunch is correct. The only thing i see common is that most of these countries are or were under some brutal regime but I don't see how that instills such a culture of corruption in the people in this fashion.

    1. Re:Culture of corruption by thebigmacd · · Score: 2

      You don't see how that instills a culture of corruption? Seriously?

      How bout the fact that in a brutal regime the only way to get what you want is to pay people off...

  20. The market will sort it out by Anonymous Coward · · Score: 0

    No cause for concern. The free market will sort it all out!

  21. Adobe Reader is likely cause in my case by rwade · · Score: 1

    I just spoke with my wife about her virus and suggested it might have come in through some rogue PDF document. She acknowledged that as a definite possibility; she's constantly downloading and reviewing scientific papers and the like -- a rogue PDF could have easily slipped into the pile somehow, theoretically. I advised that she switch to Sumatra PDF.

  22. In Soviet Russia by Anonymous Coward · · Score: 0

    In Soviet Russia girls don't scissor, they Hammer and Sickle !

  23. los Angeles Medical Society by Anonymous Coward · · Score: 0

    KKDocs service coordinators will match you with a house call physician, medical society, home healthcare service or any healthcare provider in your area. They will make the appointment for you if you desire and will make sure that you are properly attended.
    los Angeles Medical Society

  24. yeah, 8-800 by Anonymous Coward · · Score: 0

    this is relatively new, maybe 5 years