Slashdot Mirror


Banks Faulted For Fake Antivirus Scourge

krebsonsecurity writes "Merchant banks that process credit card payments for fake antivirus or 'scareware' exhibit a distinctive pattern of card processing that could be used by Visa and MasterCard to weed out the rogue processors, according to a new study by the University of California, Santa Barbara. From the study: 'The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor's chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds.' The study also highlights how few customers ever request a refund, and how affiliates pushing this junk software made more than $133 million."
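The refund-throttling pattern the summary describes is something an acquirer or card network could screen for. The following is an added illustration of one such screen, not code from the UCSB study or from krebsonsecurity; the 1% chargeback limit, the "near the limit" band, the correlation cut-off and the monthly figures are all constructed assumptions.

```python
# Added example (not from the UCSB study or krebsonsecurity): screen per-merchant
# monthly card statistics for the refund/chargeback pattern the summary describes.
# The 1% chargeback limit, the "near limit" band and the correlation cut-off are
# assumed values; real limits vary by processor and card network.
from dataclasses import dataclass
from math import sqrt

CHARGEBACK_LIMIT = 0.01  # assumed processor limit: 1% of transactions

@dataclass
class Month:
    sales: int        # card transactions processed
    chargebacks: int  # disputes filed by cardholders
    refunds: int      # refunds issued by the merchant

def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def screen_merchant(history, limit=CHARGEBACK_LIMIT, band=0.75, min_corr=0.8):
    """Flag a merchant whose chargebacks stay just under the limit while refunds
    rise and fall with them, i.e. refunds look like a chargeback throttle."""
    cb_rate = [m.chargebacks / m.sales for m in history]
    rf_rate = [m.refunds / m.sales for m in history]
    near = sum(1 for r in cb_rate if band * limit <= r < limit) / len(cb_rate)
    corr = pearson(cb_rate, rf_rate)
    return {
        "max_chargeback_rate": max(cb_rate),
        "months_near_limit": near,       # share of months in [band*limit, limit)
        "refund_chargeback_corr": corr,
        "suspicious": max(cb_rate) < limit and near >= 0.5 and corr >= min_corr,
    }

# Constructed sample histories, six months each (not real merchant data).
ROGUE = [Month(10000, c, r) for c, r in
         zip((60, 85, 95, 80, 90, 70), (100, 300, 420, 260, 380, 160))]
LEGIT = [Month(5000, c, r) for c, r in
         zip((10, 12, 8, 11, 9, 10), (200, 215, 190, 180, 210, 205))]

if __name__ == "__main__":
    for name, hist in (("rogue", ROGUE), ("legit", LEGIT)):
        print(name, screen_merchant(hist))
```

The rogue history is flagged because its chargeback rate sits in the 0.75-1% band most months and its refund rate tracks it almost perfectly; the legitimate one has low, uncorrelated rates.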

21 of 117 comments

  1. Re:Pah by Hatta · · Score: 4, Insightful

    Of course it is. You can technically secure a computer all you want, but there's no defense against fraud.

    --
    Give me Classic Slashdot or give me death!
  2. Re:Pah by The+MAZZTer · · Score: 2

    Unfortunately, you can't patch users.

  3. Re:Pah by spire3661 · · Score: 2

    Seriously? You don't know? FUCKING PEOPLE WILLINGLY INSTALL THIS SHIT. It's impossible to secure a computer where the admin will grant root permission to almost anything that asks.

    --
    Good-bye
  4. Placebo by Anonymous Coward · · Score: 5, Funny

    If homeopathic "medicine" can be sold legally, I see no reason why anti-virus software that does absolutely nothing should be considered illegal.

    1. Re:Placebo by Chris+Mattern · · Score: 4, Funny

      If homeopathic "medicine" can be sold legally, I see no reason why anti-virus software that does absolutely nothing should be considered illegal.

      It contains less than 0.001% of the virus signatures found in other AV software, so you *know* it's super-effective!

    2. Re:Placebo by Anonymous Coward · · Score: 2, Funny

      anti-virus software that does absolutely nothing

      Yeah, McAfee should be illegal.

    3. Re:Placebo by Anonymous Coward · · Score: 3, Funny

      McAfee does tons.

      It has to, otherwise your computer would still run after McAfee starts.

    4. Re:Placebo by idontgno · · Score: 2

      Hell, you're not going far enough. At least homeopathic "remedies" don't actually give you diseases. Most fake AV products are active trojans, infecting your machine and (A) providing backdoors and further infection vectors (like disabling real AV) and (B) demanding more money to "fix" the damage it caused (and "fix" is scarequoted because at best, they do nothing; at worst, it's just paying to be trojaned further.)

      Fake AV is equivalent to homeopathic medicine made with 100% all-natural anthrax and HIV.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:Placebo by scorp1us · · Score: 2

      Well at least with a Placebo, there is the Placebo effect. There is no Placebo effect on computers.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  5. Social engineering by tepples · · Score: 3, Interesting

    I'd like to know how non-admin users who don't have an admin password can still execute files in say, C:\programdata.

    Social engineering becomes practical once the administrator is as dumb as the user, especially on a home PC. The scareware wedges itself deep into the user's profile, popping up a UAC or gksudo prompt every two minutes. "Daddy, the computer looks broken. Could you run this fix for me?"

  6. Payment processors need RICOing by swb · · Score: 2, Interesting

    Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.

    Why doesn't the FBI turn the next prosecution into a RICO prosecution and drag a payment processor and/or bank and some of its executives into the prosecution?

    A few 20 year jail sentences and $250,000 fines plus forfeitures would make many processors think twice about their "man in the middle" role.

    Spam and scareware wouldn't be worth doing if you couldn't get paid for them -- no matter how scared I am, I can't manage to shove a $20 into my monitor.

    1. Re:Payment processors need RICOing by jonbryce · · Score: 2

      They already do, in Europe anyway. They are jointly liable with the merchant for any legal claims relating to the product, so they check very carefully who they allow to open accounts, although possibly not carefully enough given the number of scam websites there are around selling fake tickets to concerts and sporting events.

    2. Re:Payment processors need RICOing by stephanruby · · Score: 2

      Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.

      It's also a choke point for Wikileaks (despite the real first amendment implications). And it just goes to show you what's the biggest priority for our government right now, preventing fraud or preventing leaks.

  7. Re:Pah by AliasMarlowe · · Score: 2

    Unfortunately, you can't patch users.

    If they pay enough, I'll patch them (afterwards).
    The sadist in me detects an enticing business opportunity!

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  8. Re:Can't fix stupid by jojoba_oil · · Score: 2

    The problem with your assertion is that rogue antivirus targets home users, where the unsavvy user is required to also be administrator. Or are you suggesting that the average user pays some service like Geek Squad to administrate the user's home computer? That sounds like it's an even bigger waste of money...

  9. I wish I had a poisoned CC# to hand to scammers by Anonymous Coward · · Score: 4, Interesting

    I would be really happy if my bank gave me a fake credit card number that I could give to every scammer or asshat who tried to sell me "car warranty insurance" or "anti-virus" over the phone. The idea is, it'd be declined, but it'd also flag that this retailer is less-than-ethical, not paying attention to "Do Not Call", etc.

    Like anything else, this shouldn't be connected to automated blacklisting (since people who decide that "Best Buy sucks" might try using it there), but it would be an immediate red flag if thousands of attempted transactions from a payment processor came back this way.

    1. Re:I wish I had a poisoned CC# to hand to scammers by rickb928 · · Score: 2

      So you want to be the arbiter of what is right and wrong?

      Pardon me if I distrust you. How about asking the FTC etc. to investigate the Do Not Call violations, and not being so clever, eh?

      And your point that using this against Best Buy would have unintended consequences (for you, I presume) makes the point. Frankly, I just hang up on them. I'm no longer invested in causing these thieves any discomfort, I just want to waste as little time as possible with them.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:I wish I had a poisoned CC# to hand to scammers by adolf · · Score: 2

      Go to a Wal-Mart with $3, and you can leave with a pre-paid Visa.

      In my experience, it denies charges immediately when the balance in the account can't cover it, while still keeping records of each declined transaction. (I did somehow manage to get one $.42 in the red once, but meh: There's also no overdraft fee.)

      (How you use this information is your problem.)

  10. Re:Can't fix stupid by Runaway1956 · · Score: 2

    So, we start a campaign to educate users, right? "If you see a popup, asking if you wish to install Windows, click "Cancel" immediately!"

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  11. Re:Pah by flappinbooger · · Score: 2

    The changes the rogue a/v do don't require admin rights in the user's profile. That's why you will see only the user profile infected. It DOES require admin rights to change the HKLM, so on admin accounts they will typically change that as well.

    The lion's share of rogue A/V are really just registry mods and a simple GUI sham program. But, I have been seeing some rogue A/V coming with a rootkit as well, which would obviously happen more on XP or admin accounts.

    Here is an example: I have seen first-hand a limited user account on a corporate windows domain (XP) get a fake A/V. This user couldn't even change the freakin CLOCK, yet she got a fake A/V. It was doing porn pop-ups as well.

    Some rogue A/V will apply XP-Pro type Group Policy changes to the registry even on OSes like XP Home. I just saw a fake A/V modify the registry so that every time a .exe was run, it would execute the fake A/V, with the original target as the command line variable. That way, the original program would allow some things to run, other things no. Also, it was a brilliant way to ensure persistence!

    --
    Flappinbooger isn't my real name
  12. They're making money by HangingChad · · Score: 3, Interesting

    ...that could be used by Visa and MasterCard to weed out the rogue processors

    It's not like the scareware crooks are blowing the whistle on potentially illegal government activity, so why would they get involved?

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage