Below is a series of links to articles by Brian Krebs investigating the payment-processing side of the fake-AV industry. He identifies a Russian organisation, Chronopay, and its CEO Pavel Vrublevsky as being heavily involved in setting up, running and profiting from a number of companies that receive money from users duped by fake AV's into using their credit cards to pay for 'removal' of non-existent threats.
- Following the Money: Rogue Anti-virus Software (July 31, 2009 - Washington Post)
- Following the Money, Part II (May 18th, 2010)
- Tough Talk from Those Who Hide (January 17th, 2010)
A piece written after Krebs lost his job at the Washington Post. Included here because it has some interesting additions in the comments section from a contributor identifying himself as "RedEye" - a name that crops up a number of times in these articles. [Note : RedEye is none other than Vrublevsky himself.] In the comments section RedEye is tackled by AlphaCentauri, a name not unknown in the McAfee Community forum ...
- Russian e-Payment Giant ChronoPay Hacked (December 29th, 2010)
- ChronoPay’s Scareware Diaries (March 3rd, 2011)
If you want to know the names of some of the high-risk domains that Chronopay controlled earlier this year, this link to a pdf document shows the domains, and who hosts them - including, in the USA, GoDaddy.
There is a piece in Trend Labs' Malware Blog from August 13th, 2010 ("Underground Credit Card Processor Compromised") which has some relevance to Krebs' articles; it discusses the hacking of an underground credit card processor company.
The compromised credit card company ... is infamous for processing payments for FAKEAV, pharmaceuticals on spam sites, extreme pornography, and cheap MP3s. Its official headquarters is in Amsterdam ... However, it only has a handful of Dutch employees and the actual work is done in Russia and Latvia.
One of the sources used by Brian Krebs in the articles noted above will have been a report from the University of California, Santa Barbara - "The Underground Economy of Fake Antivirus Software". The relevant section in this report is Section 4, "Following the Money Trail".
The banks used by Chronopay and similar organisations to process receipts from their worldwide activities change from time to time. Currently these payments are passing through certain banks in Azerbaijan, including Azerigazbank (Slogan : "Options for the Rich").
Since this was first put together there have been a number of developments, chronicled in 'Krebs on Security' and noted on many other security websites. The most important of these were the arrest by Russian police in June of Pavel Vrublevsky (one of the co-founders of ChronoPay and a co-owner of the Rx-Promotion rogue online pharmacy program), and a raid by Moscow police at the end of July on ChronoPay's offices which uncovered evidence that ChronoPay has been running technical and customer support for a variety of fake AV programs, including MacDefender.
The question of whether ChronoPay has prepared for the day when it might be forced out of its lucrative markets was raised earlier this year, when a paragraph in a Brian Krebs report revealed that ChronoPay software engineers were busy reverse-engineering the code of Malwarebytes, with the aim of launching a rival AV program of their own.
When I visited Vrublevsky in Moscow in February, he told me of plans to launch a ChronoPay-branded anti-virus solution, and many of the documents included in this section of ChronoPay’s MegaPlan installation are technical papers referencing the development of different anti-virus software modules. The documents suggest that the company has hired programmers to reverse-engineer the free version of the commercial anti-malware product Malwarebytes.
- ChronoPay Fueling Mac Scareware Scams (May 27th, 2011)
- ChronoPay Co-Founder Arrested (June 24th, 2011)
- Fake Antivirus Industry Down, But Not Out (August 3rd, 2011)
Vrublevsky's current difficulties stem from a falling-out with his former business partner Igor Gusev (the other co-founder of ChronoPay and allegedly the man behind Glavmed, aka Spamit.com) who fled Russia last November to avoid arrest. Vrublevsky leaked Glavmed's stolen back-end database to Brian Krebs; Gusev retaliated by sending Krebs a large number of confidential documents hacked from ChronoPay. This turf war has revealed the close links between the fake AV industry and the spammers marketing fake or black-market pharmaceuticals.
- Bredolab Mastermind Was Key Spamit.com Affiliate (October 30 2010)
- Russian Cops Crash Pill Pusher Party (February 21, 2011)
- Pharma Wars (February 25, 2011)
An example of this is "Peter Severa" (possibly an alias), a Russian who is rated fifth on Spamhaus‘s Register of Known Spam Operations. Until June Severa ran a fake antivirus distribution affiliate program called Sevantivir, which seems to have counted among its ranks a large number of Glavmed/Spamit members.
The malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites.
- Spam & Fake AV: Like Ham & Eggs (July 26 2011)
But Vrublevsky's big mistake was to turn to a St Petersburg hacker known as "Engel", real name Igor Artimovich, to launch a DDoS attack against Assist, the company that was processing payments for Aeroflot : the contract for processing those payments had been put out to tender, and ChronoPay was competing against Assist to win the contract. Assist's operations were crippled for a while, and it failed to get the contract; but neither did ChronoPay. After the FSB arrested "Engel" Vrublevsky, like Gusev, fled Russia (to the Maldives), but seems to have been confident that he was not in any danger of imminent arrest on his return. The unanswered question is whether by launching a DDoS on Assist (and inconveniencing Aeroflot) Vrublevsky unknowingly made enemies of powerful people in the Business-Political-Security establishment.
- Financial Mogul Linked to DDoS Attacks (June 23 2011)