Slashdot Mirror


Russian Payment Processor Runs Massive Scareware Operation

An anonymous reader writes "Brian Krebs has posted a deep dive through more than a year's worth of emails leaked from ChronoPay, Russia's largest online credit card processor. The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam."

10 of 62 comments

  1. Re:Money by devxo · · Score: 2

    The title and summary are horribly wrong anyway, no wonder it was submitted by an anonymous coward. Even the article states that ChronoPay didn't run it, but they provided payment processing, and setting up companies for receiving payments is a normal process with every payment processor.

  2. Always wondered where these came from... by rwade · · Score: 2, Interesting

    I recently rid my wife's computer of such a virus/trojan, whatever -- to this day, we can't figure out how the machine ended up with it -- maybe autorun off a USB stick?

    It was this ridiculous fake filescanner that would pop up at start up and scan every file on the computer, calling out 1/10th of them as "infected." This was Windows XP, and the filescanner suppressed msconfig and task man; in fact, you couldn't run notepad from the run dialog. It would pop up with "file infected; can't open" or some such. At any rate, this required going into the registry and checking what was in the "run once;" there was some weird file in allusers\localsettings. It was named like a random password, like asdf230123jfgnmv.exe.

    The "removal" procedures were basically just to rename the file and restart. It hasn't come back yet. At any rate, while I was working with the file -- I noticed an artifact in the metadata listing the manufacturer -- I can't read Russian, but it definitely had Cyrillic characters in it. Funny...

    1. Re:Always wondered where these came from... by PitaBred · · Score: 2

      The nice (bad) thing about Windows is it depends on extensions to run things. You can rename any .exe to a .com or even .bat I believe and it'll run fine. Most apps will just do name-based interception so you could have made a copy of notepad.exe as notepad.com and it would have worked. It's something I had to do with regedt32.exe once when I think it was Sasser or something took over the association for .exe filetypes.

    2. Re:Always wondered where these came from... by Rick17JJ · · Score: 2

      I have seen several of those scareware pop-up advertisements on my Linux computer, claiming that viruses and spyware had been detected. In each case, without my permission, it would pretend to scan drive “C” and show a progress bar for about 30 seconds. It would then announce that it had found several types of viruses and spyware on drive “C” and also in my registry. Linux does not designate devices or partitions with drive letters or have a registry like Windows does, so both claims were obviously bogus.

      It would then ask me to purchase their anti-virus software to fix the problems.

      Contrary to what they were claiming, I doubted that their advertisement could have so casually scanned my hard drive like that, without my permission. I had a user configured firewall on both my computer and on my DSL modem, with all inbound ports closed. I was also up to date with all the latest security patches.

      In another earlier encounter with a similar scareware advertisement, a couple of years earlier, it also tried to download an executable file, with a .EXE extension, without my permission. Of course my Linux computer did not know what to do with a Windows .EXE file, so it gave me a pop-up box asking me what program it should use to try to open a .EXE file. I did not suggest trying to run it under WINE and just chose the option to cancel the download instead.

      Since then, I have started using the “No Script” plug-in for Firefox for most websites, so perhaps I will not see their scareware ads again.

    3. Re:Always wondered where these came from... by Jaqenn · · Score: 2

      I got a virus with these exact symptoms a few months ago. My wife called me at work to say the PC was acting wonky, and she had accidentally clicked an ad that brought her to some random website which she then closed.

      My suspicion is that the website contained content which triggered some flash or firefox vulnerability. I can't prove it, though.

      Sound like the lead in that you guys had?

      --
      You are awash in a sea of fiercely stated opinions. Obvious exits are: 'File->Quit', 'Reply', and 'Page Down'.
  3. Millions in Rubles by Sulphur · · Score: 2

    They have 1-800 numbers in Russia?

  4. Well... by Rocky · · Score: 4, Funny

    ..was the operation runner named "Peggy"?

    --
    "I'm an old-fashioned type of guy. I worship the Sun and Moon as gods. And fear them."
  5. Nice to see them embracing capitalism by elrous0 · · Score: 2

    They've learned well from their counterparts on Wall Street. But to reach the final level, they will need to find a way to not only not get caught, but to get the government to actually give them money for their thefts.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  6. That Russian Entrepreneurial Spirit by NicknamesAreStupid · · Score: 2

    Marx may be rolling over in his grave, but Stalin would be proud, so would Al Capone. There is nothing more effectual, business-wise, than organized crime gone corporate.

  7. Re:Culture of corruption by thebigmacd · · Score: 2

    You don't see how that instills a culture of corruption? Seriously?

    How bout the fact that in a brutal regime the only way to get what you want is to pay people off...