Posts tagged ‘chronopay’

Krebs on Security: Who’s Behind the ‘BLS Weblearn’ Credit Card Scam?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574).

I began hearing from readers about this early this month, in part because of my previous sleuthing on an eerily similar scheme that also leveraged payment systems in Malta to put through unauthorized junk charges ($9.84) for “online learning” software systems. Unfortunately, while the names of the companies and payment systems have changed, this latest scam appears to be remarkably similar in every way.

Reading up on this latest scam, it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network used by the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta.

And, just like with the $9.84 scam, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue.com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine).

The very first time I encountered Plimus was in Sept. 2011, when I profiled an individual responsible for selling access to tens of thousands of desktop computers that were hacked and seeded with the TDSS botnet. That miscreant — a fellow who used the nickname “Fizot” — had been using Plimus to accept credit card payments for awmproxy.net, an anonymization service that was sold primarily to individuals engaged in computer fraud.

Apparently, the Internet has been unkind to Plimus’s online reputation, because not long ago the company changed its name to BlueSnap. This blog has a few ideas about what motivated the name change, noting that it might have been prompted in part by a class action lawsuit (PDF) against Plimus which alleges that the company’s marketing campaigns include the “mass production of fabricated consumer reviews, testimonials and fake blogs that are all intended to deceive consumers seeking a legitimate product and induce them to pay. Yet, after consumers pay for access to any of these digital goods websites, they quickly realize that the promotional materials and representations were blatantly false.”

Damon McCoy, an associate professor of computer science at George Mason University, allowed that the bogus charges coming from BlueSnap’s payment network could be little more than abuse generated by a handful of bad guys who just happen to be using the company’s network. Then again, McCoy said, Plimus has long been associated with these schemes.

“Plimus has been doing processing for criminals for a while,” McCoy said. “Most of it seems to have been on the criminal-to-criminal side of payments.”

BlueSnap did not immediately respond to requests for comment. I will update this story in the event that they do.

As with the $9.84 scheme, this latest round of phony charges appears tied to an affiliate marketing scheme for “online learning” (hence, the “Weblearn” notation on victims’ credit card statements). One site that’s connected to the Weblearn scheme is onlinelearningaccess.com, which actually includes commented-out code hidden in its HTML content stating that “the charge will appear on your credit card as WebLearn8884612032.”

That same site is closely tied to a network of other flimsy affiliate learning systems, including greatweblearning.com, jnselearning.com, and learnonlinemembers.com. As we can see from the checkout page at onlinelearningaccess.com, the base price of the “system” is $8.83, but different checkout totals can be achieved ($11.08 and $10.78, e.g.) simply by selecting different items to add to your shopping cart.

Unfortunately, these types of schemes are as old as the Internet, and will be with us as long as there are companies willing to engage in so-called “high-risk” credit card processing — handling transactions for things like online gaming, rogue Internet pharmacies, fake antivirus software, and counterfeit/knockoff handbags and jewelry.

There is an entire series on the sidebar of this blog called “Pharma Wars,” which chronicles the exploits of perhaps the most infamous high-risk processor of all time — a Russian company called ChronoPay and its now-imprisoned CEO. While ChronoPay was best known for processing payments for spam-advertised pill shops and fake antivirus affiliate programs, it also was caught up in a micropayment scheme that for years put through bogus, sub-$10 transactions on consumers’ credit cards (usually for some kind of software or ebook program).

If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again.

For more on this scam, check out these posts from DailyKos and Consumerist.

Update: I heard back from BlueSnap CEO Ralph Dangelmaier, who said BlueSnap terminated the merchant 10 days before my story ran. Dangelmaier said he believes the merchant in question was a legitimate affiliate program that got hacked. BlueSnap vetted the merchant before allowing it onto its payment network, and even purchased the affiliate learning program. He acknowledged, however, that it was indeed unusual that the affiliate program doesn’t appear to have been marketed on the Internet to attract real-life affiliates. 

“We think what happened is one of their affiliates got hacked into and might have done something wrong,” Dangelmaier said. “As soon as we saw suspicious transactions, we refunded any customer payments we thought were tied to those. We went out and bought the product ahead of time as part of our due diligence and we actually used it. It was an online training tool. We’re working very closely with the acquiring banks, Visa and the authorities to try to help.”

Krebs on Security: Pavel Vrublevsky Sentenced to 2.5 Years

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-a-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source: Novayagazeta.ru

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years’ worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

For more background on Vrublevsky and his case, check out these two stories from the Russian publication Novaya Gazeta. This entry is the latest in my Pharma Wars series, which documents the rise and fall of the pharmacy spam business and how a simmering grudge match between Gusev and Vrublevsky ultimately brought down their respective businesses.

It might be tempting to conclude from Vrublevsky’s sentencing that perhaps the Russian government is starting to crack down on cybercriminal behavior in its own backyard. But all the evidence I’ve seen suggests this is merely the logical outcome of bribes paid by Gusev to some of Russia’s most powerful, payments that were meant to secure the opening of a criminal case against Vrublevsky. In Paying for Prosecution and The Price of (in)Justice, I highlight chat logs leaked from Gusev’s operations that show him making preparations to pay more than $1.5 million to Russian politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Krebs on Security: Vrublevsky Arrested for Witness Intimidation

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack Assist, a top ChronoPay competitor.

Pavel Vrublevsky’s Facebook profile photo.

Vrublevsky is on trial for allegedly hiring two brothers — Igor and Dmitri Artimovich — to use their Festi spam botnet to attack Assist, a competing payments processor. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company at least USD $1 million.

Vrublevsky was imprisoned for six months in 2011 pending his trial, but was released at the end of that year after admitting to his role in the attack. Later, he recanted his jailhouse admission of guilt. Today, he was re-arrested after admitting to phoning a witness in his ongoing trial and offering “financial assistance.” The witness told prosecutors he felt pressured and threatened by the offer.

Two months ago, I signed a book deal with Sourcebooks Inc. to publish several years’ worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

I found this development noteworthy because I, too, was offered financial assistance by Vrublevsky, an offer that very much seemed to me like a threat. In mid-2010, after thousands of emails, documents and hundreds of hours of recorded phone calls from ChronoPay were leaked to this author, Vrublevsky began calling me at least once a day from his offices in Moscow. This continued for more than six months. In one conversation from May 2010, Vrublevsky offered to fly me to Moscow so that I could see firsthand that he had “only a very remote relationship with this case.”

“My proposition to you is to come to Moscow, and if you don’t have money….I realize journalists are not such wealthy people in America, we’re happy to pay for it,” Vrublevsky said in a phone conversation on May 8, 2010.

When I politely declined his invitation, Vrublevsky laughed and said I was wrong to feel like I was being bribed or intimidated.

“It’s quite funny that you think somehow when you fly to meet me in Moscow or ChronoPay offices that you are in any possible danger from me for being murdered,” Vrublevsky said. “Come to Moscow and see for yourself. Take your notebook, come to my office. Sit in front of me and look around. Because you’re getting information, which, to be honest, is not factual.”

As I note in my book (due to be published in late Summer 2014) I believe Vrublevsky’s intention was more to somehow secure my future silence than to set the record straight. I did, however, eventually come to Moscow and interview him at his ChronoPay offices.

According to Russian news outlet Vedomosti, Vrublevsky is likely to spend another six months in prison for this latest stunt. He faces an additional two years in prison if he is ultimately found guilty of orchestrating the attacks on his company’s rival.

Krebs on Security: Who Is the ‘Festi’ Botmaster?

Pavel Vrublevsky, the co-founder of Russian payment processor ChronoPay, is set to appear before a judge this week in a criminal case in which he is accused of hiring a botmaster to attack a competitor. Prosecutors believe that the man Vrublevsky hired in that attack was the curator of the Festi botnet, a spam-spewing machine that also has been implicated in a number of high-profile denial-of-service assaults.

Igor Artimovich

Vrublevsky spent six months in prison last year for his alleged role in an attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors.

Investigators with the Russian Federal Security Service (FSB) last summer arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky.

As I wrote in last year’s piece, the allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured below) allegedly used to coordinate the DDoS attack against Assist.

Group-IB’s evidence suggested Artimovich had used a botnet he called Topol-Mailer to launch the attacks, but Topol-Mailer is more commonly known as Festi, one of the world’s largest and most active spam botnets. As detailed by researchers at NOD32 Antivirus makers ESET, Festi was built not just for spam, but to serve as a very powerful tool for launching distributed denial of service (DDoS) attacks, digital sieges which use hacked machines to flood targets with so much meaningless traffic that they can no longer accommodate legitimate visitors.

"Topol Mailer" botnet interface allegedly used by Artimovich.

Group-IB said Artimovich’s botnet was repeatedly used to attack several rogue pharmacy programs that were competing with Rx-Promotion, a rogue Internet pharmacy affiliate program long rumored to have been co-founded by Vrublevsky (security firm Dell SecureWorks chronicled those attacks last year).

Artimovich allegedly used the nickname Engel on Spamdot.biz, an online forum owned by the co-founders of SpamIt and GlavMed, sister rogue pharmacy operations that competed directly with Rx-Promotion. In the screen shot below right, Engel can be seen communicating with Spamdot member and SpamIt affiliate “Docent.” That was the nickname used by Oleg Nikolaenko, a 24-year-old Russian man arrested in Las Vegas in Nov. 2010 and charged with operating the Mega-D botnet.

Engel earned thousands of dollars spamming for both Rx-Promotion and SpamIt, but he abruptly quit the SpamIt program in 2009 after accusing its administrators — Igor Gusev and Dmitry Stupin — of under-counting his sales and commissions. Engel would go off and launch his own forum — Spamplanet.net — while at the same time using Festi to launch DDoS attacks against SpamIt and GlavMed.

Engel probably regrets those attacks now. As I’ve previously reported, Gusev allegedly paid $50,000 to corrupt officials in Russia to launch a criminal investigation into Artimovich’s activities, and to probe his connections with Vrublevsky.

Interestingly, Engel’s profile on Spamdot.biz lists his email address as “support@id-search.org”. That domain is no longer online, but archive.org reveals that Engel used it as the home base for a bot whose sole purpose was to harvest email addresses from billions of Web pages. Engel claimed publicly that the bot was nothing more than a research project, but privately to Spamdot members he bragged that his search bot could scour hundreds of sites simultaneously and quickly collect “hundreds of megabytes” of email lists.

Krebs on Security: Gateline.net Was Key Rogue Pharma Processor

It was mid-November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.

Promenade of SS Rotterdam. Copyright: Peter Jaspers

The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out into the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.

A middle-aged stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked whether I knew anything about a company in Moscow called “Onelia”? I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.

Later that evening, back at my hotel room, I searched online for details about the company, but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that, and that they would then be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.

My paranoia got the best of me, and I shelved the information. That is, until just the other day, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion. These two programs, the subject of my Pharma Wars series, paid millions of dollars to the most notorious spammers on the planet, hiring them to blast junk email advertising thousands of rogue Internet pharmacies over a four-year period.

WHO IS ‘SHAMAN’?

Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also was used to process a majority of the rogue pharmacy site purchases that were promoted by spammers working for the two programs.

The connection between Gateline and the spam programs is supported by chat logs seized in 2011 by Russian investigators who were looking into SpamIt. Those logs, leaked to this reporter last year, show hundreds of conversations between SpamIt co-owner Dmitry “Saintd” Stupin and a Gateline administrator who used the nickname “Shaman” (shaman@gateline.net), and was referred to as “Nikolai,” or the diminutive form, “Kolya”. The logs show more than 205 conversations between Shaman and Stupin from 2007 to 2010; Stupin also had 169 chat conversations with a SpamIt affiliate “dgc,” a programmer who used the email address dgc@gateline.net.

The leaked Stupin chats suggest that Shaman held enormous sway over the day-to-day operations of SpamIt. The pharmacy spam sponsor had great difficulty offering buyers the ability to pay by MasterCard, mainly because MasterCard seems to have been far more vigilant than Visa about policing the use of its services by rogue online pharmacies. The payment records of SpamIt indicate that Shaman received a sizable cut (~8 percent) from all sales processed by the SpamIt pharmacies, and that he sometimes earned tens of thousands of dollars per week for his services. He was typically paid via wire transfers to holding companies in Latvia, or via the WebMoney ID 49113952953.

In the following chat between Shaman and Stupin, recorded Nov. 23, 2009, Shaman can be seen chastising Stupin for not being more aware of transactions that they believed were from undercover buys made by MasterCard fraud investigators. At the beginning of the chat, Shaman posts a link to a story about a criminal case opened by Russian investigators into SpamIt and Stupin’s co-partner, Igor Gusev. By this time, the Pharma Wars between Gusev and his chief competitor Pavel Vrublevsky (a.k.a. “RedEye”) — widely considered to be the co-owner of Rx-Promotion — were well underway, with both Gusev and Vrublevsky slowly leaking data about the others’ operations to the media and on underground forums.

Shaman: http://www.runewsweek.ru/country/31283/

Stupin: Yep, yep.

Shaman: I’d suggest you not to advertise (P.R.) banks too much

Stupin: We need it the least.

Shaman: Otherwise, the entire business will go down. There have been something like that already.

Stupin: Igor is trying to remove those posts.

Shaman: Okay. What’s the deal with information wars? We have to stop this thing somehow. You’ll destroy the whole business.

Stupin: We will??? There have been not a single post from us. Igor is removing them all the time, we are not doing anything else.

Shaman: Stop responding to him in forum posts and RedEye will calm down.

Stupin: I will ask Igor whether he has been responding, if he has – I will ask him to stop doing it.

Shaman: WHanlinLittleton@gmail.com. Kill this asshole – he is MasterCard’s officer (employee). He made a purchase. http://www.iacva.org/PDF/William%20Hanlin.pdf

Shaman: Be more attentive with the batch. Kill these as well:

Charles Wilson, cwilson2020@comcast.net; Stephen Carpenter, flynavy@hotmail.com; Fredric Mangerfredmanger@gmail.comcapellau1968.test@yahoo.it, sandro racheli

Shaman: What’s going on with you?

Stupin: Programmers (developers) are checking what’s happened. This should not be happening.

Shaman: There have not been a single transaction from you to BinBank [one of Russian Banks --http://www.binbank.ru/index.wbp] since 00 hours.

Stupin: I am squeezing programmers to troubleshoot faster.

Shaman: As soon as you fix it, be more accurate. Process only established customers.

In a June 5, 2007 conversation between Stupin and Gusev, the former points out that Shaman is processing pharmacy site payments through Gateline’s sister processing program — a company called ufs-online.ru:

Stupin: Did you know that Shaman’s UFS-ONLINE is processing through Alfa (reference to one of the major Russian banks, Alfa-Bank)

Gusev: Yes.

Another interesting chat, recorded May 24, 2007, shows one of the benefits of personally knowing and doing business with the biggest spammers on the planet – one can try to reduce the amount of spam being sent to them.

Shaman: http://sidesky.hk – is it yours? Fuck, you spammed my whole office! Every employee!

Stupin: Yeah, it’s ours. I’ll ask the affiliate to remove from his list

Shaman: remove entire .ru zone from the spamlist..[and] .@ufs-online.ru

Stupin: He doesn’t want to remove, says it’s too cumbersome [to remove all of .ru]

WHO REALLY RUNS GATELINE?

Abridged Dun &amp; Bradstreet report on Oneliya OOO

Financial records retrieved from Dun &amp; Bradstreet show that Oneliya Ltd. is a Moscow computer programming and services firm with about 42 employees, bringing in annual revenues of nearly $346,000. This is almost certainly a highly conservative revenue number; financial records from SpamIt indicate that Shaman alone earned at least that much in a year processing payments for the program. It is likely, however, that Shaman’s activities were off-book and not recorded as official revenue for Oneliya, or perhaps that money was counted toward revenues for one of the firm’s satellite companies, such as ufs-online.ru or ufs-travel.ru.

In any event, this document indicates the director of the company is a Russian named Rafael Khasanovich Mukhametshin. This is supported by an email leaked from ChronoPay — the company co-founded in 2003 by Gusev and Vrublevsky before they parted ways and turned bitter enemies. Mukhametshin did not respond to multiple emails seeking comment for this story.

Dozens of documents leaked from ChronoPay show that ChronoPay routinely made large payments to the same WebMoney purse where Shaman had his SpamIt earnings sent. Each transaction is affixed with the notation “Shaman.” In an email exchange on June 9, 2010, Vrublevsky can be seen replying to a business partner who is asking about a processor he has heard about named Shaman who specializes in processing MasterCard and American Express payments.

“It is strange that you do not know, given that he works for Desp [Gusev] and also works with us: Gateline it is called,” Vrublevsky wrote. “Shaman is the nick of Kolya, a comrade of Rafael Mukhametshin (from ufs-online.ru if I’m not mistaken)”.

Shaman’s full name remains a mystery, to me at least, and it’s unclear if he still works for Gateline or whether the firm remains embroiled in processing payments for the rogue pharmacy industry. But Shaman’s prediction about ‘information wars’ ruining the business for everyone would eventually ring true. The SpamIt affiliate program was closed down in September 2010, after Russian investigators levied criminal charges against Gusev (although GlavMed, the sister program of SpamIt, still appears to be running). Vrublevsky was recently released from a Moscow prison after being arrested for allegedly hiring a botmaster to attack a rival processor. Rx-Promotion is now for the most part a dead pharmacy affiliate program.

Krebs on Security: Who’s Behind the World’s Largest Spam Botnet?

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On April 13, 2008 — just five days after Stewart’s analysis was released — GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!”

Around the same time that SpamIt’s database was leaked, hackers plundered the networks of ChronoPay, one of Russia’s biggest online payment processors. The company’s top executive, Pavel Vrublevsky, was reputed to have been a co-founder of SpamIt’s biggest competitor — a rogue pharmacy operation called Rx-Promotion. The data that hackers leaked from ChronoPay included emails showing ChronoPay executives passing credentials to Rx-Promotion’s administrative back end database.

KrebsOnSecurity.com obtained a comprehensive data set showing all of the sites advertised by Rx-Promotion affiliates in 2010, as well as the earnings of each affiliate. That information was shared with several University of California, San Diego researchers who would later incorporate it into their landmark Click Trajectories study (PDF) on the economics of the spam business. The researchers spent four months in 2010 observing the top spam botnets, keeping track of which pharmacy affiliate programs were being promoted by different top botnets.

The GeRa-Stupin chats show that by the time the researchers started recording the data, GeRa had defected from SpamIt to work for Rx-Promotion. Indeed, the UCSD researchers found that Grum’s Rx-Promotion advertising pointed to a single affiliate. Each Rx-Promotion pharmacy includes a “site_id” in its HTML source, which uniquely identifies the store for later assigning advertising commissions. The researchers discovered that whenever Grum advertised an Rx-Promotion site, this identifier was always the same: 1811. According to the leaked Rx-Promotion database, that affiliate ID belongs to a user named ‘gera.’

A tiny snippet of GeRa's sales from Rx-Promotion sites, which all bore his affiliate ID 1811 in the source.

“It doesn’t prove that GeRa owned Grum,” said Stefan Savage, a professor in the systems and networking group at UCSD and co-author of the study. “But it does show that when Grum advertised for Rx-Promotion, it was for sites where commissions were paid to someone whose nickname was ‘GeRa’.”
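The correlation the researchers describe above (an affiliate identifier embedded in each storefront’s HTML, grouped by the botnet that advertised the page) can be reproduced against captured landing pages. The following is an added example written for this page, not code from the UCSD study or from Krebs. The markup in which “site_id” appears (a JavaScript variable and a hidden form field), the sample pages, the botnet labels and the affiliate table are all constructed for illustration. As Savage notes, a one-to-one mapping shows where the commissions went, not who ran the botnet.

```python
"""Correlate spam-advertised storefronts with the affiliate ID in their source.

Added example (not code from the original post): each Rx-Promotion storefront
carried a "site_id" in its HTML identifying the affiliate to be paid. Grouping
those IDs by the botnet that advertised the page shows whether a botnet
promotes exactly one affiliate.
"""
import re
from collections import Counter, defaultdict

# Constructed sample pages: (botnet that advertised the URL, page HTML).
# The markup is an assumption for illustration; real pages are not reproduced.
SAMPLE_PAGES = [
    ("Grum", "<html><script>var site_id = 1811;</script>Canadian Pharmacy</html>"),
    ("Grum", '<form><input type="hidden" name="site_id" value="1811"></form>'),
    ("Grum", "<script>\nsite_id=1811;\n</script>"),
    ("Grum", "<html>no identifier on this mirror</html>"),
    ("OtherBot", "<script>var site_id = 2040;</script>"),
    ("OtherBot", '<input name="site_id" value="777">'),
    ("OtherBot", "<script>var site_id = 2040;</script>"),
]

# Constructed affiliate table standing in for the leaked Rx-Promotion database.
AFFILIATES = {"1811": "gera", "2040": "affiliate_a", "777": "affiliate_b"}

# Matches `site_id = 1811`, `site_id: "1811"` and name="site_id" value="1811".
SITE_ID_RE = re.compile(
    r'site_id\b(?:\s*[=:]\s*|"\s+value=)["\']?(\d+)', re.IGNORECASE)


def extract_site_id(html):
    """Return the affiliate site_id embedded in a storefront page, or None."""
    m = SITE_ID_RE.search(html)
    return m.group(1) if m else None


def site_ids_by_botnet(pages):
    """Map botnet -> Counter of site_ids seen on the pages it advertised.

    Pages without an identifier are skipped; they cannot be attributed.
    """
    seen = defaultdict(Counter)
    for botnet, html in pages:
        sid = extract_site_id(html)
        if sid is not None:
            seen[botnet][sid] += 1
    return seen


def exclusive_affiliates(pages, min_pages=2):
    """Botnets whose identifiable pages all carry a single site_id.

    Returns {botnet: (site_id, pages_seen)}. Botnets with fewer than
    min_pages identifiable pages are skipped so that one stray observation
    is not reported as a pattern.
    """
    result = {}
    for botnet, counts in site_ids_by_botnet(pages).items():
        total = sum(counts.values())
        if total >= min_pages and len(counts) == 1:
            (sid, n), = counts.items()
            result[botnet] = (sid, n)
    return result


def resolve_affiliate(site_id, affiliates=AFFILIATES):
    """Look up the affiliate nickname behind a site_id (None if unknown)."""
    return affiliates.get(site_id)


if __name__ == "__main__":
    for botnet, (sid, n) in exclusive_affiliates(SAMPLE_PAGES).items():
        print(f"{botnet}: {n} pages, all site_id={sid} -> {resolve_affiliate(sid)}")
```

Run stand-alone, the script reports only the constructed “Grum” entries, because the other botnet’s pages carry two different IDs. The `min_pages` threshold is the check a practitioner would want before calling a single-affiliate mapping a pattern rather than a coincidence.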

WHO IS GERA?

GeRa uses the alternative nickname “Ger@” on Internet forums, including the now-defunct Spamdot.biz, where top spammers from SpamIt and competing programs used to gather. Google’s search engine largely ignores the “@” character, which makes searching for that nickname difficult. But infiltrate enough invite-only cybercrime communities and eventually you will find a user named Ger@ who announces that he is buying traffic.

GeRa routinely purchases traffic from other botmasters and malware writers who control large numbers of hacked PCs. As he explained in the following post to an exclusive forum, victim browsers sent his way are typically funneled through sites hosting a gauntlet of exploits designed to install a copy of his spam bot (see below).

Ger@ writes: "We continue to buy all your traffic which goes to Eleonor (Exploit Pack) to load the spam bot…"

GeRa did not respond to multiple requests for comment sent via email and ICQ. He appears to have been much more careful with his identity than other top SpamIt botmasters, but he did leave several tantalizing clues. GeRa appears to have used a number of separate affiliate accounts for himself on SpamIt (possibly to make his earnings appear lower than they really were). Among his personal accounts were “GeRa,” “Kostog,” “Scorrp,” “Scorrp2,” “Scorrp3,” “UUU,” and “DDD.”

GeRa received commission payments for all of those accounts to a WebMoney purse with the ID# 112024718270. According to a source who has the ability to look up identity information attached to WebMoney accounts, that purse was set up in 2006 by someone who walked into a WebMoney office in Moscow and presented Russian passport #4505016266. The passport was in the name of Nikolai Alekseevich Kostogryz, then 26 years old.

One of GeRa’s most successful referrals was a SpamIt affiliate who used the nickname “Anton,” and the WebMoney ID 186103845227. The information on the Russian passport used to open that account was Vasily Ivanovich Petrov. According to SpamIt records, Anton was the 18th most valuable affiliate overall, bringing in sales of nearly $1 million and earning commissions above $422,000.

A "mind map" that helped piece together data about GeRa and his associates.

Looking at the earnings of spammers from both SpamIt and Rx-Promotion, it’s difficult to ignore the remarkable asymmetry between their incomes and the global cost of dealing with junk email. In the United States alone, spam has been estimated to cost businesses more than $40 billion annually in lost productivity, anti-spam investments, and related costs. By comparison, the entire SpamIt program produced revenues just above $150 million over a four year period, while Rx-Promotion spammers generated a fraction of that revenue.

SpamIt, Glavmed earnings over the life of the programs.

This is the latest in my Pharma Wars series. In case you missed them, check out my profiles of other top botmasters, including:

Mr. Waledac: The Peter North of Spamming
‘Google,’ the Cutwail Botmaster
Mr. Srizbi vs. Mr. Cutwail
Chats with Accused ‘Mega-D’ Botnet Owner?
Rustock Botnet Suspect Sought Job at Google

Krebs on Security: Pharma Wars: The Price of (in)Justice


I spoke this week at Govcert 2011, a security conference in Rotterdam. The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who sought to destroy each other’s reputation and business, and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict.

Actors

Pavel Vrublevsky: Co-founder and former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below come from a set of logs leaked to several download sites, containing thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each other’s business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed followed just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out,” and that “he is going to lose a large portion of his business and will be left with no money to fight the war.”

Gusev: Latest news – all the materials to start a criminal case were given to prosecutors on Friday. After holidays I am going to get some information regarding “what” and “who”. Are we meeting on 24th?

Stupin: Yes we are meeting on 24th.

Stupin: Shaman’s stuff got broken, everything is declined. I cannot come to Moscow, as usual. I broke my leg in Turkey.

Gusev: Really??? Is it really broken?

Stupin: Yes.

Stupin: Here. hip-notics.com. I was learning how to do a somersault in aerial skiing (freestyle).

Gusev:  In reality, I think it’s for the better. There is no need for you to go to Moscow. After the holidays I am going to get the information which was received by the prosecutors’ office, however I am planning to leave from here for a couple of months. This is extremely serious, this is not just articles in newspapers.

Gusev: Write down my new number. It used to be 325667.9. 20k (5k are going to the middleman and 15k are going to a person from the prosecutors’ office). 5k (for the search of materials regarding Pasha’s case); $2k (to the lawyer for compromising materials and Newsweek); which comes to: 298667.9

Stupin: Okay.

TWO DAYS LATER:

Gusev: I need a piece of advice: I found a person who is willing to help me in the situation with Red. He has a proven scheme, because he is a very strong lawyer. A real fixer-upper. For his service, along with a very large sum of money, he is asking for something in return — he is asking to help his friend – a very famous webmaster, who faced a similar problem as the one we are facing, and who was saved by that person. This “friend” is not doing anything right now. This lawyer is asking us to help him with establishing an on-line pharmacy affiliation (partnerka). I am not happy with this proposition to create our own competition; however, out of all the people I talked to, only this person offered a structured solution to the problem, giving us hope. People from the Volleyball Association can and will cover us, using their FSB connections, but they can do very little with the Prosecutors’ Office, they can only prolong the legal proceedings. They will also not be able to prosecute Red. The person who we are asked to help is my old acquaintance – Pet – the owner of лолного – billing of billcards (sunbill). [For more information on the role of the Russian Volleyball association in this story, see Pharma Wars: Purchasing Protection].

Stupin: Let’s offer him to create “us” under his own brand.

Gusev: We have already tried doing this. He is going to leave on his own. IMHO the ideal way is to offer him our clone as a 50-50 partnership. I have not offered anything to anyone yet before knowing your opinion. I cannot say no, otherwise the “fixer-upper” is not going to take our case (even if we give him as much money as he asks for) :( In that case I will have to do everything by myself (I know how to do it and even have several people who can split the whole scheme into steps and execute them). However, this way, there is a very high chance that they will take the money, but will do nothing. Or will milk me and Red at the same time, making double the money, and, again, do nothing.

Stupin: It’s not a problem at all, they have tried so many times to do something with us – and have not followed through on their own. Our sites are publicly available, there is no risk to process orders from trusted sites.

Gusev: Hosting is ours, tech support is only ours. We will not give the software. Maintenance is also ours.

Stupin: Yes, we are giving them the sites, they will redo them, giving them API for the affiliation (partnerka).

Gusev: ok, I will try to bind them by these conditions. Do you want to know how much the service regarding Red cost?

Stupin: Sure. I have just arrived, with my leg, I can’t really think straight.

Gusev: 1.5 million.

Stupin: Oh, God!!! What does he promise for that?

Gusev: He promises that Red would remain in prison and would not be able to pay for his way out + he is going to lose a large portion of his business and will be left with no money to fight the war.

Gusev: I do not want to write all the details here on Jabber, that is why I wanted to meet. I am gathering the money for him, and for you for the office, and I am leaving for 2-3 months.

Stupin: ok, are you going to bring money for the office? Let’s meet at that time? Because I am going to get stuck for approximately a month with my leg.

Gusev: Yes, I am trying to gather enough money. Pasha is helping me, but with very small sums and when he has available money, not when I need it.

Gusev: Can we borrow from your brother? At most 150-200k?

Stupin: Yes, I will do it. Some time ago I rented a house in the Moscow suburbs, and the owner offered to rent with his help, I have his e-mail and the phone number, he is mature, calm, we can try.

Gusev: Could you find out his requirements?

Stupin: Okay, I will call.

Krebs on Security: Rove Digital Was Core ChronoPay Shareholder


Rove Digital, the company run by six men who were arrested in Estonia this week for allegedly infecting four million PCs worldwide with malware, was an early investor in ChronoPay, a major Russian payment processing firm whose principal founder Pavel Vrublevsky also is now in prison and awaiting trial on cyber crime charges, KrebsOnSecurity has learned.

Estonian authorities on Tuesday arrested Rove Digital founder Vladimir Tsastsin, 31, along with five other Estonian nationals indicted on charges of running a sophisticated click fraud scheme. Yesterday’s blog post details Tsastsin’s criminal history, and his stewardship over Rove and a sister firm, EstDomains. Today’s post will reveal how Tsastsin and his company were closely allied with and early investors in ChronoPay, and how that relationship unraveled over the years.

In my Pharma Wars series, I’ve published incorporation documents showing that Igor Gusev, a man currently wanted in Russia on criminal charges of running an illegal business in the notorious pharmacy spam affiliate programs GlavMed and SpamIt, was a co-founder of ChronoPay back in 2003. That series also details how Gusev sold his shares in ChronoPay, and that Vrublevsky later started a competing rogue pharmacy/spam operation called Rx-Promotion.

A spreadsheet showing front companies tied to ChronoPay.

It turns out that ChronoPay also had two other major and early investors: Rove Digital and a mysterious entity called Crossfront Limited. This information was included in the massive trove of internal ChronoPay emails and documents that was briefly published online last year and shared with select journalists and law enforcement agencies. Among those documents is a spreadsheet (XLS) listing all of the various shadowy companies allegedly owned and managed by ChronoPay founder Pavel Vrublevsky and associates. It lists ChronoPay B.V., the legal entity in The Netherlands that formed the initial basis of the company, as jointly owned by Gusev’s firm DPNet B.V., Red & Partners (Vrublevsky’s adult Webmaster provider) and Rove Digital OU.

When I met with Vrublevsky at his offices in Moscow in February of this year, he confirmed that Tsastsin was an old friend and that Rove Digital had been a key shareholder in the company. Further evidence of the connection between ChronoPay and Rove Digital is provided in a series of internal ChronoPay emails from May 2010.

At that time, ChronoPay was under investigation by Dutch banking regulators who suspected that the company’s intricate network of front companies and financial channels was operating in violation of the country’s anti-money laundering laws. In a tersely-worded email exchange, the Dutch bank demanded a slew of additional accounting and administrative records, including “all documents that show the structure of ChronoPay BV, such as statutes, incorporation documents, names and addresses of director(s) and shareholders.”

The following email thread from ChronoPay executives shows how they struggled to discover the identity of the original principal shareholders of their own company:

From: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

To: Rob Peters

Subject: ChronoPay BV – Info

Could you please send me the directors’ names for each shareholder of ChronoPay BV? (i.e. Red&Partners B.V., DPNet B.V., ROVE Digital Ou, Crossfront Limited)?

==

Reply from: Anna Boguslavchik [mailto:a.boguslavchik@chronopay.com]

To: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

The thing is that we don’t have acting director appointed now and we need to have some documents for the bank signed urgently (Sasha Panin already told you that). According to the charter we need to have shareholders appoint someone as the signatory for the company. And for this we need signatures of all directors of the shareholding companies.

Here’s the info on the shareholding companies:
DP Net B.V. – 45 class B shares, director – someone named Terekhov
RED&Partners B.V. – 135 shares (45 class B and 90 class A). Ronnie was the director (see Martins’ email below). Martins has no info on who’s the director now.
Rove Digital OU – 45 class B shares. No information on who’s the director.
Crossfront Limited – 45 class B shares. No information on who’s the director.

If the bank is OK with this, we can prepare the decision of shareholders document in the form that I told you about yesterday.

==

It makes sense that Tsastsin’s Rove Digital was an early investor in ChronoPay: The two businesses served many of the same clients. Indeed, several messages between Vrublevsky and Tsastsin show the two men routinely turned to one another for favors over the years. In one email thread, Vrublevsky asks Tsastsin to set him up with several Web servers to help host torrent trackers for an MP3 business Vrublevsky is supporting.

But somewhere along the way, the relationship soured, and Vrublevsky and his executives grew either unwilling or unable to accommodate requests from Tsastsin. The following is the final email from Tsastsin to Vrublevsky, in which the former complains about a favor he asked of Vrublevsky that was promised but never delivered:

From: Vladimir T. <vladimir@itconsluting.ee>

To: Vrublevsky, Pavel <p.vrublevsky@chronopay.com>

Subject: patience

I never asked you for anything before, and was always really patient with you. Now I’m writing you because I can’t take this anymore. I asked you to help my friends with payment processing 4 months ago. Both Jan and Misha ignored the guy for 4-5 months, no one can arrange processing for him.

I will not list every favor I did for you personally and for ChronoPay. One day you needed my consultation on something, another day you need servers for running torrent [trackers], and we aren’t even charging you for them. Then you need us to create a statistics page for Fethard and to help you detect fraudsters. In summary – we do everything you ask for. And in return I’m not getting shit.

I wrote them myself and asked Jan personally with a cc/ to Abramov. They either blame Misha or suddenly their notebook gets broken or they have a vacation…. They drag this on for 5 months, it’s insane! I don’t know what to tell my friends, my reputation with them is ruined.

I will not continue to describe all this nonsense to you. What I want from you is to kick their asses really hard so that they do it immediately once and for all. I will be away on business for two days and if I get no reply from them by the time I return I will not be asking you or them for anything anymore since this relationship is a one-way street.

Have a nice day. I’m sick and tired of this.

Krebs on Security: Jailed ChronoPay Co-Founder Denied Bail


A Moscow court on Monday denied bail for Pavel Vrublevsky, a Russian businessman who was charged earlier this year with hiring hackers to launch costly online attacks against his rivals. The denial came even after Vrublevsky apparently admitted his role in the attacks, according to Russian news outlets.

Vrublevsky in 2004

Vrublevsky, 32, is probably best known as the co-founder of ChronoPay, a large online payment processor in Russia. He was arrested in June after Russian investigators secured the confession of a man who said he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. The former ChronoPay executive reportedly wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Aeroflot’s processing systems faltered for several days in the face of the attack, an outage that Aeroflot says cost the company about a million dollars a day.

Vrublevsky’s lawyers asked the court to release him pending a trial in December — offering to pay 30 million rubles (~ USD $1 million) — but the court denied the request.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay last year indicate Vrublevsky co-ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Vrublevsky and Gusev have been locked in an increasingly heated and public battle to ruin each other’s business, a saga that I have chronicled in an ongoing series: Pharma Wars.

According to Russia’s Interfax news agency, Vrublevsky faces punishment under two articles of the state’s criminal code – illegal access to computer information, and the creation, use and dissemination of harmful computer programs. Both involve imprisonment for three to seven years.

Stanislav Maltsev

Russian newspaper Vedomosti writes that Vrublevsky’s guilty plea will be considered by the court as a mitigating circumstance, and that his sentence will not exceed five years. “And considering the fact that attacks on computer systems, a relatively new type of crime, are not particularly dangerous for society, the term most likely will not exceed three years and may be conditional,” the publication notes.

The Vedomosti story also observes an interesting fact: One of the lawyers representing Vrublevsky is Stanislav Maltsev, whom Vrublevsky hired in 2007 to be his head of security. Prior to joining ChronoPay, Maltsev was a Russian MVD official in charge of leading an earlier criminal investigation against Vrublevsky that ultimately went nowhere.

Krebs on Security: Pharma Wars: Paying for Prosecution


In June 2011, Russian authorities arrested Pavel Vrublevsky, co-founder of ChronoPay, Russia’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals. New evidence suggests that Vrublevsky’s arrest was the product of a bribe paid by Igor Gusev, the other co-founder of ChronoPay and a man wanted by Russian police as a spam kingpin.

Igor Gusev, in an undated photo taken at a family birthday celebration.

Two years after forming ChronoPay in 2003, Gusev and Vrublevsky parted ways. Not long after that breakup, Gusev would launch Glavmed and its sister program SpamIt, affiliate operations that paid the world’s most notorious spammers millions of dollars to promote rogue Internet pharmacies. Not to be outdone, Vrublevsky started his own rogue pharmacy program, Rx-Promotion, in 2007, contracting with some of the same spammers who were working at Gusev’s businesses.

By 2009, the former partners were actively trying to scuttle each others’ businesses. Vrublevsky allegedly paid hackers to break into and leak the contact and earnings data from GlavMed/SpamIt. He also reportedly paid a man named Igor “Engel” Artimovich to launch a volley of distributed denial-of-service (DDoS) attacks against SpamIt.

Gusev told me he long suspected Artimovich was involved in the attacks, and that he had information that Vrublevsky hired Artimovich to attack ChronoPay’s rivals while they were locked in a competition for a lucrative contract to process online payments for Aeroflot, Russia’s biggest airline.

Last month, hundreds of chat conversations apparently between Gusev and his right-hand man, Dmitry Stupin, were leaked online. They indicate that Gusev may have caused Vrublevsky’s arrest by paying Russian law enforcement investigators to go after Artimovich.

Over the past year, Gusev has insisted in numerous phone interviews that the increasingly public conflict between him and Vrublevsky was not a “war,” but more of a personal spat. But if the chat below is accurate, Gusev most certainly viewed the conflict as a war all along.

The following is from a leaked chat, allegedly between Gusev and Stupin, dated Sept. 26, 2010. The two men had already decided to close SpamIt, and were considering whether to do the same with GlavMed. “Red,” mentioned twice in the discussion below, is a reference to Vrublevsky, also known as “RedEye.”

Gusev: $2k from HzMedia to China – it’s mine. We also need to send additional money for salaries plus a double bonus to Misha (Michael). I have already paid $50k for Engel’s case ($20k – forensics, $30k – to speed up the starting of the criminal case)

Stupin: Why have you paid for Engel’s case ? I was even against paying for the Red’s case. Why pay for Engel’s?  What is the point?

Gusev: To my mind, you do not fully understand what’s been going on for the last year. Paul has a plan to either throw me into jail or end me. His intentions are totally clear. There are only two choices: 1 – do nothing, and pay nothing to nobody, and at the end either go to jail or keep hiding until all the resources are exhausted; 2 – do the same thing, as he is doing, with the same goal.

Gusev: Any war costs money, resources and nerve cells. You cannot go to war little-by-little, you either fight to the end, or do not start it at all. Engel is going to harm us all the time…If there is any potential opportunity to take him out of the game, spending not too much money, we have to use such an opportunity. $50k is very little compared to the losses we’ve had because of his DDoS attacks and compared to future losses if he is going to DDoS us again. Now he is aware that he is being investigated by law enforcement and he keeps a low profile. He only sends nasty ICQ messages to Andrey.

Gusev: There is also a third choice, when nothing is directly linked to you, but money keeps coming. So, decide what we are going to do with all of this. You either agree with my decisions regarding the war expenses, which you do not like, or do not agree with them. In the latter case, we should re-evaluate our income distribution from the business, and I will finance [the war] from my increased share,  I cannot step aside and do nothing.

Stupin: I do understand it, however, what’s Engel’s role? There is nothing to DDoS anymore.

Gusev: I do not want to close down GlavMed completely. Absolutely do not want to :( It’s better to take it underground, and, additionally, open up SpamIt under a new brand name. We are waiting for some news in October to make our final decision. Engel is absolutely positive that he can do anything he wants to under Red’s protection. You should read his messages to Andrey. However, even with all this sense of being untouchable he is no longer that impudent.

Gusev: I will be in mobile Jabber until tomorrow night. Send messages there.

Stupin: So, I am against paying $50k for Engel.

Krebs on Security: Pharma Wars: Purchasing Protection


Leaked online chats between the co-owners of the world’s largest pharmacy spam operation reveal the extent to which illicit organizations in Russia purchase political protection, and bribe public officials into initiating or stalling law enforcement investigations.

Last month, there was a leak of more than four years of chat logs seized by Russian police who had arrested and interrogated Dmitry Stupin, allegedly the co-owner of GlavMed and the now-defunct SpamIt, organizations that paid spammers millions of dollars each month to promote fly-by-night online pharmacies.

In the Jan. 9, 2010 chat between Stupin and Igor Gusev, the alleged other owner of GlavMed and SpamIt, Gusev has just learned that he and his operation are under investigation by Russian authorities (Gusev would be formally charged with illegal business activities in October 2010, forcing the closure of SpamIt). Gusev says he may be able to purchase shelter from the charges by funneling money to key Russian politicians who have influence over investigators.

Specifically, Gusev suggests purchasing a sponsorship of the Volleyball Federation of Russia. The price tag for this is an official sponsorship fee of 10 million rubles (about $350,000 USD), plus $150,000 in cash. The official head of the federation, Nikolai Patrushev, is a powerful man in Russian law enforcement. Patrushev was director of the Russian FSB, the successor organization to the KGB, from 1999 to 2008; he has been secretary of the Security Council of Russia since 2008.

Sources say it is typical for Russian sport leagues and charities to be used as vehicles for funneling money into the pockets of policymakers. One example comes from a book by Lennart Dahlgren, former head of the Russian division of Swedish furniture maker IKEA. In Despite Absurdity: How I Conquered Russia While It Conquered Me, Dahlgren writes of having to pay bribes of 30 million Rubles ($1 million USD) to Russian charities that helped funnel money to bureaucrats and top officials.

In this chat, translated from Russian into English, Gusev mentions that a close friend of his family is a director general of the Volleyball Federation:

Gusev: We have big problems. Register fake mailbox somewhere. I will send you something very important.

Gusev: Let’s move Jabber to a new server and encrypt it. We’ll have a trusted communication channel. Everything is very bad :(

Gusev: asdas12334@mail.ru / mgadjadtwa2009. check the e-mail.

Gusev: Are you reading?

Stupin: Yes. Do not know what to say.

Gusev: There is nothing to say. We have only two ways: find someone from law enforcement, pay up and be under protection [or] be placed in jail for 7-9 years and do self-analysis. I have one more way out, but I could not decide regarding it in December, because it was very expensive. It is about 10 million rubles officially and 150K under the table.

Gusev: Red [ChronoPay CEO and former business partner Pavel Vrublevsky] is such an asshole. Leaked information about the whole scheme in hopes to get me arrested. Now, everyone is under investigation. Does your brother have any connection “high above”?

Stupin: No.

Gusev: I asked “just in case”. I will try to get sponsorship of Volleyball Federation (Patrushev is its president). Maybe it’s a good idea for you to go somewhere, to Turkey, for example, until we know if we are going to be either squashed or milked. One good thing: nobody has asked about you yet.

Stupin: No, thank you. Who told you about volleyball? It is a public organization, its financial books are open.

Gusev: Close family friend – general director of that association. He helped Russian Standard [popular brand of Russian Vodka] when they were getting squashed.

Stupin: Maybe we’ll give him this money? Federation has open books, if someone wants to take money from it — it is going to be noticed.

Gusev: What am I going to tell Andrei about prosecutors’ office? I do not want to scare him, but he has to be in the loop. Maybe we’ll suggest him to go to Turkey again?

Stupin: Do you think we need to notify him now? Let’s wait, if they summon you – then we’ll tell him, but not now.

Gusev: What if they do not summon me, but will come directly and interrogate me and confiscate the servers?

Stupin: Yes he is waiting for it for several months already.

Gusev: Ok, let’s not do it now. Let’s move Jabber to another domain.

Stupin: Yes, get rid of “despmedia”,  close domains, liquidate the firm, and finally make the founder (of the company) from somewhere abroad. Changing location will not give us anything.

Gusev: I removed everyone from the firm, I am alone there. Liquidation is in progress. The office is leased by a company, which I have no relationship with.

Stupin: Very well. I will tell Andrei to get new IPs and domains.

Gusev: Okay.

Stupin: (to andy@im.despmedia.com): Despmedia.com, where is it physically?

Andy: Server is in Russia, but there are several proxies there.

Stupin: Can you let me know what’s going on there? Let me read the message trail. I need to know where the leak of information is. Red, when he wanted to fight with everyone, told our Law Enforcement about the whole idea of on-line pharmacy. Now they are looking who to milk.

Andy: We do not keep Jabber logs. Chat is encrypted; it’s impossible to connect to the server without a chat client configured with SSL.

Stupin (to Gusev): I had to tell him something… Came out OK, I think.

Gusev: OK. I will use the same story.

Stupin: But it’s the truth.

Gusev: Yes, but omitting the details.

Gusev: Let’s talk less regarding work and money over the phone. Only if it is urgent. I ordered two payments from Despmedia [the legal entity that owns GlavMed and other businesses tied to Gusev]. This is to Volleyball association/FSB. In the morning, please, make sure that money got transferred.

Russian Vice Premier Sergei Ivanov (left) and ChronoPay co-founder Pavel Vrublevsky at a Russian Basketball League game, April 2011.

In May 2011, Gusev told me that he was a paid sponsor of the Russian Volleyball League, hoping to persuade someone to stop the criminal case against him. Gusev is convinced, and other leaked documents confirm his suspicions, that law enforcement interest in his activities was paid for by his former business partner turned competitor Pavel Vrublevsky.

In late 2010, Vrublevsky secured a sponsorship of the Russian Basketball League for his employer, ChronoPay, until recently Russia’s largest processor of online payments. The basketball league is headed by Sergei Ivanov, a former KGB officer who was tapped by Russian President Vladimir Putin as deputy prime minister of Russia.

“All that I wanted was to speak with someone from FSB [who] was making this [case] for Pavel, and to persuade them to stop all this conflict before it’s too late,” Gusev said. “Unfortunately, this didn’t help me very much.”

It apparently didn’t help Vrublevsky much either: the former ChronoPay executive and reputed co-owner of the illicit Rx-Promotion rogue Internet pharmacy program now sits in a Moscow prison, awaiting trial on charges of hiring a hacker to launch Internet attacks against his company’s competitors.

Krebs on Security: Pharma Wars, Part II


Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.

According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.

Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations of one of the world’s largest cyber criminal organizations.

The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payment processors. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.

I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.

While there is no direct evidence Vrublevsky paid for a prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people on the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev in the months and weeks leading up to the official charges against him.

The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chat logs were legitimate or to comment further, explaining that he was still reviewing the documents.

“If at least some of these logs are legit, then it means that I was telling the truth about paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidences which were gathered by the investigators while he shouldn’t have such access. Before I just didn’t have any proof for this. Now I have.”

The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”

Gusev: It looks like I am in deep shit. Red gave our database to Americans.

Dmitriy Stupin

Stupin: To which Americans?

Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?

Stupin: No.

Gusev: http://krebsonsecurity.com/2010/08/white-house-calls-meeting-on-rogue-online-pharmacies

Stupin: Maybe you return back to Russia?

Gusev: I am planning to do that. I am really worried now :(

Stupin: What about Red? For that money. May be let’s close down everything?

Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: – He got thrown out from major banks (Masterbank, Bank Standard and almost from UCS). Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan (the only place where he can do his own processing and processing for his clients). We need him to have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.

Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

Stupin: I think yes, we will receive lower priority.

Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.

Stupin: In reality if everything is going to proceed, the publicity is going to happen in a year, if we are not functioning for a year, there is no reason for publicity. And in 3 years everyone will forget about us. If we continue operations, it’s going to be undeniably worse, and if we stop — hopefully, it’s going to be better. There is no ultimate decision here, there is probability, and we can either increase or decrease it.

Stupin: I believe, you now understand that the money is not the main thing in life.

Gusev: You do not know how justice in USA works. They have no “statute of limitation”. They absolutely love big cases about hackers, carders, and spammers. Young prosecutors make careers out of such cases and do everything possible to find proof for such processes. Here is the latest example: arrest of Badb (carder) in airport in Nice: http://www.nytimes.com/2010/08/24/business/global/24cyber.html He was investigated since Cardplanet collapse. He got sentenced in 2009 and they received OK to extradite him, and that’s it, after that it was only a matter of time till his arrest.

Gusev: I also think we need to shut the operations down, because it’s an absolute disaster :(

Stupin: I am not talking about “statute of limitation”, I am talking about publicity; the more noise, the more motivation they have and the larger the sentence. Just imagine, if we have not functioned for 1/2 year or 1 year, would your life be easier?

Gusev: There was another case, where FBI broke into DDoS (denial of service) server to collect evidence and judge admitted that evidence in court — it’s an absolute precedent in their law proceedings. Our FSB [former KGB] made a case out of it later :) One moment… I will find info about it.

Gusev: My life is much easier already for the past year. I have only one desire – run to Taiga [remote forests in Siberia] and do not have access to the Internet for a year.

Stupin: Do not bother to look for the info (regarding the DOS case). You are correct in your desire [about running to woods]. Buy a lake in Altaj Republic and build a resort there.

Gusev: I tend to think about Irkutsk and Baikal. I have very good friends in local government there :)

Stupin: Very well. I can do a project on wakeboarding, which will almost positively be profitable.

Gusev: Great! Did it get started for you?

Stupin: No, but I know how NOT to do it.

Gusev: Regarding closing down — I think we need to shut down SpamIt first. In a month or 1/2 month — GlavMed. I am planning to fly back now and fabricate a case against us to get sentenced in Russia with publicity. We need to accurately give top positions of our [search engine optimization] to Lesha (Aleksey); at least it will bring some money.

Stupin: Let’s not do it, let Lesha go up on his own.

Gusev: Has Andrey told you about it? andy@imjabber.com. I have a gravely important question. Theoretically, I can add several hours to “work day”, plus increase productivity. Is there hope for me in 2-3-4 years to make enough money for Dima’s house in Turkey? I cannot save money. This is a gravely important question. You are right. Dima and I will think about it.

Stupin: He told me that same thing 1/2 a year ago.

Gusev: Maybe offer him an affiliate program? Give him 1/3 and let him transfer our SEO onto himself, but only based on new companies and accounts. I already have one new company; I found an acceptable nominal price. It is painful to just give our SEO to Drugrevenue and Rx-partners. Look it’s been holding its position for a year. Such a margin of stability.

Stupin: Well, it has dropped 2-3 times for the last 1/2 a year, and it is very unstable. If Shaman closes down tomorrow, we’ll have a lot of money sunk there and a lot of debts to advertisers. And we will have to pay them out of our own money, if we accurately close down, we might avoid the risks.

Gusev: Am I looking at wrong data? :) https://mtw8.srvz.net/shop/statistics/stat_orders.jsp. It’s for this August and August of 2009. The difference is 400k of monthly turn-around. Taking in consideration absence of “master” — IMHO it is great. Why does Shaman have to close down tomorrow?

Stupin: Yes, but I am considering the profits we are taking, and stability of revenue.

Gusev: I talked to him: the political decision of “Raif” [?] is to keep the pharmacy as long as possible.

Stupin: And amount of money on the account and our debts to advertisers and suppliers.

Gusev: Yes, the stability got decreased after our departure from Latvia. They worked [like a] Swiss watch.

Stupin: The same “political” decision can be turned 180 degrees tomorrow.

Gusev: Maybe, maybe, what a pity. I also talked to Max and Mark – they will take new pharmacy of Lesha.

Stupin: Looks like money is still your priority.

Gusev: Is it really okay for you to lose such an income? It’s extremely hard for me to take, since I have no idea how to earn even 1/5 of it offline.

Stupin: It is really okay for me. There is enough money, do you need more to pay lawyers against the competition? You will not be happier. It is such a moment now that we can close down the project earning a little more, however, in the future there is a risk that the project will collapse on its own with even more financial losses.

Gusev: You’re right, but it is hard for me to make such a decision. It’s not the matter of money, but in business, which makes money. Write me your ideas on how we should shut down. I do not know how much time is required to resolve all the issues. USA have complicated everything to resolve the issue with Pasha [Pavel Vrublevsky]. If he somehow finds a lot of money, it might require up to 1 million. However, so far, whatever we already paid is enough.

Stupin: Debts to suppliers: $150,000. To advertisers: $1,100,000. What we have on our account: $800,000. Therefore, the balance is: -$450,000. These are the real numbers of our business; whatever we have invested does not reflect the actual truth. As you remember, we have been withdrawing very little from the account recently. Therefore, we can say that the project is going down on its own. I will write you the strategy on what we need to do.

Gusev: Do not write it as additional points why we need to close down. I've already accepted that it cannot be avoided :) We have enough points already. I am interested in your ideas. For example, I want to make an official statement about us closing down, a little noise to calm down the Americans.

Stupin: Okay.

Gusev: To give a spot of "spammer number 1" to Pasha [Pavel Vrublevsky] and Yura [Yuriy Kabayenkov].

Stupin: Here is what we have now: Account balance is $800,000. We have to pay $1,100k to advertisers. We have to pay $150k to suppliers. Here is what we pay at liquidation in any case: Andrey’s compensation: $60k; Sasha’s (Alexander’s) compensation: ~$50k; Compensation to the staff ~$100. Resume: $660k of money, which we need to pay in any case, but cannot pay now. Shaman marked by 30.08 $450k in payments, therefore, we can balance everything to $0. Pessimistic outlook is if Shaman is going to be shut down. We will end up with debt of 500-1000k, which we will have to pay. The business perspective is not rainbow-like, especially, taking in consideration the risk we take all the time and the expenses linked to it.

Plan of action: In any case, whether we liquidate or not: set commissions to 40% maximum, lower it for those whose commission is 45%. With participation of Latvia we could afford a lot of transactions with low profitability. However, we cannot afford the same with “shaman’s” unstable payments and with other small processing parties, which we cannot control and whether we are getting money from them or not. However, such a decision will deter “to pav”; the number of transactions will go down, we will not have a lot of losses, since we are on the brink of profitability. Turning off the affiliate (partnerka) is going to be easy.

Within two months: 20% price increase in shops; this will add profitability, but will decrease the number of advertisers. If revenue is going to rise sharply together with profits, we will have time to change our decision within 1.5 months: inventory of personnel and servers to increase profitability, and moral preparation of everyone for the potential end two weeks before the liquidation. Tell the staff about shutting down the operation, promise them compensation in the amount of their normal salary if they finish the job well. Andrey and Sasha will be notified separately. Notify advertisers about shutting down operations, increase whatever is left on e-Passporte and WebMoney, begin to hold payments to suppliers not to overpay, since usually we do overpay.

Gusev: Let’s start with raising prices, minimum 30-40%. We need excessive profitability at this point. Do not lower commissions to GlavMed and SpamIt. Let’s kill conversions. The people will leave on their own. It is not a momentary process. It is going to be easier to pay everyone. Shut down all outside billing operations, although there is nothing left already. In 10-14 days after raising of the prices — let all SpamIt know that we are closing down. That will give us 2 weeks to transfer traffic. GlavMed should be kept 1.5 – 2 months from now to use its revenue to cover payments for SpamIt.

Stupin: OK, I will think of the exact course of actions.

Stupin: http://www.wake.ru/photo/album/show?id=2031469:Album:30595&xg_source=activity&xg_pw=&commentPage=&page=1. We did it on Saturday.

Gusev: Did you build this “wake” park?

Stupin: Yep.

Stupin: I have a suggestion, let’s tell Andrey about liquidation right away, tell him that at the end of the project we’ll pay him 3 times as much as his usual salary. If I ask him to raise the prices too much, he will not understand why we are doing such an inhumane thing. We have a great database. Let’s ask Andrey and programmer/sysadmin to use it for spam with Eva Pharmacy. Let’s agree with Eva about larger commissions and pay Andrey the salary of $5,000, because we cannot pay more, and some percentage from the revenue generated by spam.

Gusev: Our database is already public. Other affiliates already used it, called and spammed people. There is a proof that at least 3 affiliates have the database.

Stupin: It’s tough. So what if they have it? [the SpamIt/GlavMed database]

Gusev: I need to go now, let’s discuss it later.

Stupin: Okay.

Krebs on Security: Fake Antivirus Industry Down, But Not Out


Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.

A notice to BestAV affiliates

On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.

“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”

The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.

There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.

Black Market Breakdown

ChronoPay employees wait outside as Moscow police search the premises.

Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.

In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.

But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.

Russian investigators also found that ChronoPay computers support the infrastructure of Rx-Promotion, a rogue online pharmacy program that paid spammers millions of dollars to promote Web sites that were pushing knockoff prescription drugs, including addictive painkillers like Vicodin and oxycodone (Rx-Promotion also appears to have closed up shop following Vrublevsky’s arrest).

Support info for MacDefender and other fake AV products – found by Russian police on a ChronoPay PC.

Group-IB, a Russian computer-forensics firm that has been assisting the police in their investigation of Vrublevsky, said that his arrest and subsequent searches of ChronoPay’s office symbolize the possible interest of Russian law enforcement agencies in stopping the laundering of money earned in selling counterfeit medicines and fake AV.

“If allegations against ChronoPay are true then we should expect significant decrease of revenues received by cyber criminals in the appropriate segments of black market in the near future,” said Maxim Suhanov, a computer-forensics specialist at Group-IB.

Ridiculously Profitable

Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.

Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.

More importantly, fake AV affiliates can outsource the majority of their work. Damon McCoy, a researcher at the University of California, San Diego, has been studying the fake AV industry. He found that fake AV can be massively profitable when installed via pay-per-install (PPI) programs. PPI networks contract out the deployment of the malware to affiliates who get paid per one thousand installs (the payment rate varies with the geographic locations of the victim PCs).

McCoy said fake AV affiliates can purchase 10,000 installs of their scareware programs very cheaply. “For 10,000 installs, [the PPI networks] will charge you normally about $900, but if you squeeze them a bit they will go down to $750,” McCoy said.

In an analysis of the fake AV industry released last month, McCoy and other UCSD researchers discovered that fake AV affiliates can expect that one out of every 50 people who have fake AV installed on their systems will pay for the software.

“If you do the math, it’s almost like you’re printing money,” McCoy said. “You could pay the PPI networks $75 to get 1,000 fake AV installs. And if you had an average conversion rate of one in 50, making between $25-$35 on each install, that works out to about 20 sales — or conservatively $500 per one thousand installs. So, you pay someone $75 and you can expect to make four or five times your investment. The economics of this market are ridiculously profitable, and it’s easy to see why fake AV is the go-to method today for monetizing botnets.”

Krebs on Security: ChronoPay Co-Founder Arrested


Russian authorities on Thursday arrested Pavel Vrublevsky, co-founder of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals.

An undated photo of Vrublevsky

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

Russian state-run news organizations are reporting that Vrublevsky was arrested on June 23. Financial Times reporter Joe Menn writes that Vrublevsky was ordered held without bail and a hearing was set for a month’s time.

As I reported earlier this week, Vrublevsky fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. According to Russian news organizations, the ChronoPay executive wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Sources close to the investigation said Vrublevsky was arrested at the Sheremetievo airport outside of Moscow as he returned from a trip to the Maldives.

The arrest comes just 24 hours after authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million via scareware scams.

Krebs on Security: Financial Mogul Linked to DDoS Attacks


Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.

KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software. But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.

In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.

According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.

"Topol Mailer" botnet interface allegedly used by Artimovich.

The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured at left) allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich’s botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).

This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003.

Gusev has been in exile from his native Moscow since last fall, when Russian authorities named him the world’s biggest spammer and lodged criminal charges against him for operating an illegal business. Spamit was forced to close shortly thereafter, and Gusev blames Vrublevsky for using his political connections to sabotage Spamit. Late last year, Gusev launched redeye-blog.com, a blog dedicated to highlighting alleged wrongdoing by Vrublevsky. In one post, Gusev charged that Artimovich agreed to DDoS Spamit.com because he believed forum members fleeing the program would join his own budding spammer forum: the still-active but largely dormant program Spamplanet.

Both ChronoPay and Glavmed/Spamit suffered hacking attacks last year that exposed internal documents, financial dealings and organizational emails. The data leaked from Glavmed/Spamit includes a list of contact information, earnings and bank account data for hundreds of spammers and hackers who were paid to promote the program’s online pharmacies. Those records suggest that for most of 2007, Artimovich was earning thousands of dollars a month sending spam to promote Spamit pharmacy sites.

The document that the FSB used to lay out the case for criminal proceedings against Artimovich, a.k.a. “Engel,” states that he was paid for the DDoS services with funds deposited into a WebMoney account “Z578908302415″. According to the leaked Spamit affiliate records, that same WebMoney account belonged to a Spamit affiliate who registered with the program using the email address “support@id-search.org.” Web site registration records for id-search.org show that the name of the registrant is hidden behind paid privacy protection services. But historic WHOIS records maintained by DomainTools.com reveal that for a two-month period in 2008 those registration records were exposed; during that brief window, records listed the registrant as Igor Artimovich from Kingisepp, Russia, a town 68 miles west of St. Petersburg.

The emails and documents leaked from the hacking intrusion into ChronoPay last year show that Artimovich and Vrublevsky exchanged numerous emails about payment for unspecified services. Among them is an email receipt from WebMoney showing a transfer of more than $9,000 from an account Vrublevsky controlled to Artimovich’s Z578908302415 purse on July 6, 2010, just days before the DDoS attacks began. The notation listed next to the payment receipt? “Engel.”

Krebs on Security: Organization Chart Reveals ChronoPay’s Links to Shady Internet Projects

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An online criminal enterprise, as tightly structured as any legitimate business corporation, was exposed in 2010. Emails and documents taken from employees of ChronoPay — Russia’s largest online payments processor — were shared with a select group of law enforcement agencies and with KrebsOnSecurity.com. The communications provide the strongest evidence yet that a notorious rogue online pharmacy and other shady enterprises are controlled by ChronoPay executives and employees.

The leaked ChronoPay emails show that in August 2010 co-founder Pavel Vrublevsky authorized a payment of 37,350 Russian Rubles (about $1,200) for a multi-user license of an Intranet service called MegaPlan. The documents indicate that Vrublevsky used the service to help manage the sprawling projects related to ChronoPay’s “black” operations, including the processing of payments for rogue anti-virus software, violent “rape” porn sites, and knockoff prescription drugs sold through hundreds of Web sites affiliated with a rogue online pharmacy program Rx-Promotion.com.

ChronoPay employees used their MegaPlan accounts to track payment processing issues, order volumes, and advertising partnerships for these black programs. In a move straight out of the Quentin Tarantino film Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these folks had their messages automatically forwarded to their real ChronoPay email accounts.

MegaPlan offers an application that makes it simple for clients to create organizational charts, and the account paid for by ChronoPay includes a chart showing the hierarchy and reporting structure of its dark divisions.

A screen shot of the organization chart from ChronoPay's MegaPlan Intranet system.

Black Ops, Dark Divisions

Media: This division oversees ChronoPay clients and services that specialize in selling steeply discounted MP3 music files. ChronoPay saw the profit potential of dodgy music resellers early on, and is probably best known for being the processor for AllofMp3.com, a controversial Russian online music sales company. The wrath of the U.S. entertainment industry in 2006 created an international trade dispute between Russia and the United States.

R&P: Short for “Red & Partners,” this division was founded by Vrublevsky early in his career, and is responsible for processing payments for adult Web sites that specialize in violent “rape” photos and videos. ChronoPay emails show company slush funds routinely are used to process payments for the infrastructure used by dozens of these extreme adult sites. ChronoPay emails reveal that the director of R&P — listed in the graphic above as “Mr. Simon” — is ChronoPay employee Alexandr Alyushin.

StandardPay: A company founded by Vrublevsky that specializes in offering payment solutions for the extreme adult sites. Processing payments for pornography can be tricky in many countries, including Russia — where it is technically illegal to produce or sell pornography. “Mr. StandardPay” is a Russian named Mikhail Mikryukov, who uses the nickname “Human.” Along with RedEye (Vrublevsky), Human is an administrator of Crutop.nu, an 8,000-member Russian adult Webmaster forum that also is used to recruit affiliates for Rx-Promotion and rogue anti-virus sales.

Big Bosses (“биг боссы”): ChronoPay CEO Pavel “RedEye” Vrublevsky, and Yuri “Hellman” Kabayenkov. ChronoPay emails show that these two men are 50/50 partners in the pharmacy program Rx-Promotion.

Rx-Promotion: ChronoPay emails and documents show that “Mr. Heppner” is Stanislav Maltsev, a former Russian police investigator previously responsible for heading up a criminal investigation of Vrublevsky in 2007. That investigation remains open but appears to have gone nowhere, and Maltsev now works directly for Vrublevsky.

Communications between Mr. Heppner and Ms. Nati about payment for Rx-Promotion affiliates.

An individual listed in the ChronoPay MegaPlan account under the alias “Ms. Curly” does not appear to be a ChronoPay employee. Curly is named as a customer support representative for Rx-Promotion.com, and a user “Curly” also is listed as the support lead at the Rx-Promotion forum for affiliates of the rogue pharmacy program. Curly appears to be a pseudonym for Katya Ivanova, a slender, curly-haired redhead from Moscow shown in this profile on Vkontakte, a major Russian social networking site.

ChronoPay emails show that Ms. Nati, listed in the MegaPlan chart above as the public relations manager for Rx-Promotion, is a ChronoPay employee named Natalia Miloserdnaya. Members using the names Curly, Nati and Hellman also can be seen fielding questions from Rx-Promotion affiliates in that organization’s online forum.

A reverse engineering project based on Malwarebytes.

Project for AV: In previous investigations, I’ve shown that ChronoPay has consistently been among the biggest processors of rogue anti-virus software or “scareware.” Last month, I blogged about ChronoPay paying for several domains that were used in recent Mac Defender attacks. A study released this week (PDF) by researchers at the University of California, Santa Barbara looked at three rogue anti-virus distribution services, and found they all processed payments through ChronoPay.

When I visited Vrublevsky in Moscow in February, he told me of plans to launch a ChronoPay-branded anti-virus solution, and many of the documents included in this section of ChronoPay’s MegaPlan installation are technical papers referencing the development of different anti-virus software modules. The documents suggest that the company has hired programmers to reverse-engineer the free version of the commercial anti-malware product Malwarebytes.

Banking on Indifference

Another area of ChronoPay’s MegaPlan installation shows contact information for strategic and advertising partners. Among them is a bank in Azerbaijan called Azerigazbank that until recently processed Visa and MasterCard payments for Rx-Promotion customers, among a half-dozen other rogue Internet pharmacy programs. This is not your everyday, risk-averse financial institution: AG Bank’s slogan loosely translates to “Options for the Rich,” and this bizarre commercial for their services features scantily-clad women on a yacht tossing handfuls of huge diamonds into the sea while helicopter gunships circle overhead.

According to a UC San Diego research paper (PDF) released in May that analyzed spam from more than 30 illicit online pharmacy programs, Rx-Promotion-branded pharmacy sites were the most actively promoted via spam. As I’ve noted in previous stories about Rx-Promotion, it is one of the few remaining pharmacy programs that sells prescription drugs (no prescription required) that are highly controlled in the United States, including addictive painkillers Valium, Percocet, Tramadol, and Oxycodone.

As the academic paper and my reporting make clear, the traditional methods of exposing these programs — “outing” the merchant banks and shining a spotlight on the main actors — have little effect when the organizers live in countries that willingly turn a blind eye to this activity. I’ve been eager to write more about this treatise since it was first featured in a New York Times story last month. In a future blog post, I will discuss the potential impact of the main policy alternative outlined in that paper: Convincing a handful of card-issuing banks here in the United States to stop processing payments for a handful of merchant accounts known to be tied to illicit online pharmacies.

Krebs on Security: ChronoPay Fueling Mac Scareware Scams

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business.

Since the beginning of May, security firms have been warning Apple users to be aware of new scareware threats like MacDefender and Mac Security. The attacks began on May 2, spreading through poisoned Google Image Search results. Initially, these attacks required users to provide their passwords to install the rogue programs, but recent variants do not, according to Mac security vendor Intego.

A few days after the first attacks surfaced, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com. Others spotted fake Mac security software coming from macbookprotection.com. When I first took a look at the registration records for those domains, I was unsurprised to find the distinct fingerprint of ChronoPay, a Russian payment processor that I have written about time and again as the source of bogus security software.

The WHOIS information for both domains includes the contact address of fc@mail-eye.com. Last year, ChronoPay suffered a security breach in which tens of thousands of internal documents and emails were leaked. Those documents show that ChronoPay owns the mail-eye.com domain and pays for the virtual servers in Germany that run it. The records also indicate that the fc@mail-eye.com address belongs to ChronoPay’s financial controller Alexandra Volkova.

Recent domain purchases tied to ChronoPay's fc@mail-eye.com account.

The leaked documents also have given ChronoPay’s enemies access to certain online records that the company maintains, such as domain registration accounts tied to the firm. Both mac-defence.com and macbookprotection.com were suspended by the registrar — a company in the Czech Republic called Webpoint.name. But a screen shot shared with KrebsOnSecurity.com shows that someone recently used that fc@mail-eye.com account to register two more Mac security-related domains that haven’t yet shown up in rogue anti-virus attacks against Mac users: appledefence.com and appleprodefence.com.

Perhaps Apple will have better luck than others who have tried convincing ChronoPay to quit the rogue anti-virus business, but I’m not holding my breath. As I noted in a story earlier this year, ChronoPay has been an unabashed “leader” in the scareware industry for quite some time. In 2008, it was the core processor for trafficconverter.biz, the rogue anti-virus affiliate program that was designed to be the beneficiary of the first strain of the Conficker worm, a menacing contagion that still infects millions of PCs worldwide. Last March, the company was at the forefront of another emerging scam, when it began processing payments for icpp-online.com, a scam site that targeted filesharing users and stole victims’ money by bullying them into paying a “pre-trial settlement” to cover a “Copyright holder fine.”

Update, May 29: ChronoPay responded by publishing a statement denying any involvement in the MacDefender attacks.

Original post:

Apple has issued an official support note telling users how to avoid or remove Mac Defender malware. ZDNet also got hold of an unofficial document that Apple apparently is distributing to its customer support personnel in charge of fielding complaints about the attacks. I should point out that all of the rules from my recent blog post Krebs’s 3 Basic Rules for Online Safety apply just as well to Mac users as they do to Windows folks. But #1 is the most important, and keeps Mac users out of trouble here: “If you didn’t go looking for it, don’t install it!”

TorrentFreak: Leaked Docs Show Results of Fake ‘RIAA/MPAA’ BitTorrent Scam

This post was syndicated from: TorrentFreak and was written by: enigmax. Original post: at TorrentFreak

In late March or very early April 2010, a fairly unusual and in parts quite ingenious piece of malware started circulating. After a Windows user was infected with a file – iqmanager.exe in a sub-directory of /documents and settings – the badware went to work, scanning the host machine for evidence of BitTorrent use.

Once the malware had found .torrent files, it used their filenames to generate a fake ‘copyright infringement’ report warning the user that their ‘offenses’ could result in 5 years in prison and a $250,000 fine.

Of course, in the true spirit of all pay-up-or-else schemes, they were also given the option to make the whole thing go away by paying a ‘fine’ of around $400, as can be seen from the screenshot below.

The whole scam was run by an outfit calling themselves the ICCP Foundation and now, thanks to a report from security expert Brian Krebs, we can see what kind of money was involved in this scam.

Last year, thousands of documents were leaked from Chronopay, Russia’s largest processor of online payments, and Krebs managed to get his hands on them. They revealed that Chronopay is up to its neck in the operations of “high-risk” industries – ones with the greatest chance of credit-card chargebacks and the companies involved doing high-speed disappearing acts.

Krebs notes that Chronopay “handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software,” so it comes as no surprise that ICCP Foundation – or ICCP-Online as they are referred to in Chronopay’s documents – are partners of the payment processor.

As can be seen from the cropped screenshot below, hundreds of people fell for the scam, with 451 people using Visa to pay nearly $220,000 and 129 using Mastercard to hand over just under $63,000.

With 580 people paying $283,000, each payment works out to around $483, which sounds roughly right given the sample screenshots given to TorrentFreak when we first reported the scam. Krebs points out that the message in Russian at the top of the email says that the calculation formula may have been producing errors, but this appears to be a reference to the fraud counts as highlighted in yellow on the full screenshot which can be found here.

It’s worth mentioning that these figures only show 2 active months for the scam, so the true amounts could actually be higher.

If anything, the above shows how easy it is to extract money from BitTorrent users, whether one is a legitimate lawyer, a scam artist, or one of the copyright trolls that fall in between.


Krebs on Security: ChronoPay’s Scareware Diaries

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.

Click image for PDF version of timeline. Each entry is clickable and links to supporting documents.

ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings; and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian Rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.

As I documented in a March 2009 story for The Washington Post, Trafficconverter.biz paid its promoters or “affiliates” hundreds of thousands of dollars a month to pimp rogue anti-virus software. The domain Trafficconverter.biz was shut down briefly at the end of November when it was discovered that it was being sought out by millions of Microsoft Windows systems infected with the first variant of the Conficker worm, which instructed infected systems to visit that domain and download a specific file that suggested it would attempt to install rogue anti-virus software.

“That was a case where ChronoPay had a merchant account registered as an Internet payment service provider with Visa Iceland, where the same merchant account was being used by hundreds of small merchants, and one of them turned out to be the infamous TrafficConverter,” Vrublevsky explained.

But what of the leaked documents that show what appear to be ChronoPay employees setting up entire businesses that would later sell rogue anti-virus — including incorporation records, associated bank accounts, Web hosting, domain registration, telephone support and merchant accounts tied to these entities? Wasn’t ChronoPay concerned that this activity could make it appear that the company was simply building rogue anti-virus merchants from the ground up?

No, this is what high-risk payment service providers do, Vrublevsky explained.

“This is part of the service you provide,” he said. “Basically you own the companies that have those merchant IDs, plus you do customer support and everything which is related to that. And that’s how any other payment service provider does it, and you can find the same thing if you dig into companies like Wirecard, and Visa Iceland. So most payment service providers basically register the companies themselves and monitor the whole [operation] from the inside.”

SCAREWARE RESEARCH & DEVELOPMENT

The leaked records also show ChronoPay’s high-risk division worked diligently to stay on the cutting edge of the scareware industry. In March 2010, the company began processing payments for icpp-online.com, a scam site that stole victims’ money by bullying them into paying a “pre-trial settlement” to cover a “Copyright holder fine.” As security firm F-Secure noted at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines.

Internal ChronoPay documents show that hundreds of people fell for the scam, paying more than $400 each (the message at the top of the image indicates that the internal ChronoPay formula for counting the number of downloads and sales was generating errors, so take these numbers with a grain of salt).

ChronoPay also was the processor for a fake anti-virus product known as Shield-EC, which was processed through a merchant account tied to a company called Martindale Enterprises Ltd. Again, internal documents show that ChronoPay not only created Martindale Enterprises Ltd., and attached bank accounts to the company, but that it also paid for the domain registration, hosting and telephone support lines for shield-ec.com.

The shield-ec scareware scam was unique because the purveyors pitched it as “the result of a two-year research collaboration of programmers and analysts from Martindale Enterprises and ZeusTracker, the main center for ZeuS epidemic prevention.”

ZeusTracker is a free service run by an established security researcher, Roman Hüssy, who monitors Web addresses that are known to be associated with the distribution and management of the infamous ZeuS trojan. As Hüssy noted in a blog post at the time, the Shield-EC scareware campaign came with an interesting twist: The Web site shieldec.com was in fact hosted on a fast-flux botnet that was also being used to host at least two different servers used to control large numbers of PCs infected with ZeuS.

These days, Vrublevsky said, he’s hoping his company can have a go at the market for legitimate anti-virus products. When I met with him in Moscow, Vrublevsky told me about company plans to create and sell its own anti-virus product: ChronoPay Antivirus. At first I didn’t know whether to take him seriously. But then I found a document in the cache that confirmed that claim. A Russian-language document called ChronoPay AntiVirus Vision (PDF), dated June 15, 2010, details the company’s ambitions in this market.

Curious about what other domains ChronoPay currently owns? Check out this list (PDF), taken from a recent internal email that leaked from the company.

Krebs on Security: Pharma Wars

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

How do you chronicle the struggle for control of an underground empire when neither combatant wants to admit that he is fighting or even that a war is underway? That’s the nature of a business feud turned turf war that is playing out right now between the bosses of two of the Internet’s largest illicit pharmacy operations.

On Thursday, I wrote about an anonymous source using the pseudonym “Despduck” who shared a copy of the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet. The database indicates that Glavmed processed in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010.

Despduck first proffered the Glavmed data through a mutual source in the anti-spam community, and claimed that the alleged owner of the pharmacy program, a Russian businessman named Igor Gusev, would soon be charged with illegal business activities. Sure enough, near the end of September 2010, Russian officials announced a criminal investigation into Gusev and his businesses. Shortly after those charges were brought, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other pharmacy networks.

Gusev is now in exile from Russia; he blames his current predicament, and the leak of the Glavmed data, on his former business partner, fellow Muscovite Pavel Vrublevsky. The latter is a founder of Russian e-payment giant ChronoPay, a company Gusev also helped to co-found almost eight years ago (according to incorporation documents I obtained from the Netherlands Chamber of Commerce — where ChronoPay was established — for a time Gusev and Vrublevsky were 50/50 partners in ChronoPay).

As reported in my story earlier this week, tens of thousands of internal documents and emails stolen from ChronoPay and leaked to key individuals suggest that Vrublevsky is managing a competing online pharmacy network called Rx-Promotion. It turns out that the Glavmed database was stolen at about the same time as ChronoPay’s breach.

Vrublevsky denies being the source of the purloined Glavmed/SpamIt database, but the bounty of leaked ChronoPay documents suggests otherwise. Included in the email records are messages sent to and from an inbox that used the display name “Kill Glavmed.” What was the email address tied to that name? “Despduck@gmail.com,” the very same address used to communicate with my anti-spam source.

Also in the leaked ChronoPay emails is a lengthy message thread in an inbox marked “vrublevsky” that details a negotiation with an individual named “Nooder Tovreance.” In the multi-email exchange, which begins Apr. 8, 2010 and ends at the beginning of June, Tovreance offers to sell the Glavmed database for $20,000, but says that he will need to break the file transfers up into multiple smaller chunks due to the size of the database. The two ultimately settle on a price of $15,000, with the first payment of $7,500 made to a Webmoney purse specified by Tovreance in exchange for half of the files, and the remaining amount payable upon receipt of the entire database.

SpamIt.com may be gone, but the Glavmed program is still rewarding affiliates for promoting pharmacy sites. Meanwhile, a number of online properties managed by Gusev are under nearly-constant attack. Joe Stewart, senior security researcher for SecureWorks, recently released a paper in which he profiled the makeup and activities of the world’s top spam botnets, or agglomerations of hacked PCs of the sort typically used to relay junk e-mail advertising rogue pharmacy sites.

One of the spam botnets in Stewart’s analysis, a 60,000-bot network nicknamed “Festi,” was “developed as a distributed denial-of-service (DDoS) platform, and has been seen in recent weeks launching attacks against other Russian sites.” I asked Stewart for a list of the sites he’s seen Festi attacking; the list is quite short, and includes six Glavmed/Canadian Pharmacy sites, as well as gofuckbiz.com and armadaboard.com, affiliate forums that Vrublevsky has said on several occasions he suspects are owned and operated by Gusev. The other site Stewart found Festi attacking was redeye-blog.com, a daily blog written by Gusev that is trickling out leaked ChronoPay documents and gossip about Vrublevsky.

Krebs on Security: Russian Cops Crash Pill Pusher Party

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I recently returned from a trip to Russia, where I traveled partly to interview a few characters involved in running the world’s biggest illicit online pharmacies. I arrived just days after the real fireworks, when several truckloads of masked officers from Russian drug enforcement bureaus raided a party thrown exclusively for the top moneymakers of Rx-Promotion, a major e-pharmacy program co-owned by one of the men I went to meet.

Chronopay founder Pavel Vrublevsky, at his office in Moscow

Within a few hours of my arrival in Moscow, I called Pavel Vrublevsky, the founder of ChronoPay, Russia’s largest processor of online payments. For years, I had heard that Vrublevsky was known online as “RedEye,” and that Rx-Promotion was using ChronoPay as the core credit card processor. Unlike other rogue Internet pharmacies, Rx-Promotion’s claim to fame is that it is one of the few that sells controlled substances, such as addictive painkillers like Oxycontin, Oxycodone and Codeine over the Internet without requiring a prescription.

Late last summer I came into possession of a mountain of evidence showing that not only is ChronoPay the core credit card processor for Rx-Promotion, but that Vrublevsky also is co-owner of the pharmacy program and that ChronoPay executives have steered the pharmacy’s activities for some time.

In mid-2010, ChronoPay was hacked, and many of the company’s internal documents were posted on random LiveJournal blogs and other places that were mostly shut down shortly thereafter. But a much larger cache of tens of thousands of ChronoPay e-mails, and thousands of recorded phone calls and documents were siphoned from the company and distributed to a handful of people, including me.

Among the few others who have these documents is Igor Gusev, an early co-founder of ChronoPay and the man now charged by Russian officials as the owner of a competing online pharmacy affiliate program called Glavmed. Gusev is currently trickling out the leaked ChronoPay documents in a Russian language blog about Vrublevsky called Redeye-blog.com, mainly because he believes Vrublevsky was responsible for helping to bring the charges against him.

I told Vrublevsky that I’d also received the cache of stolen data, and as a result he has been calling me almost daily for the past eight months. His goals: To keep tabs on my activities and to learn tidbits about others in his industry. But most of all, Vrublevsky has acknowledged he’s been hoping to feed me tips that would lead to other stories that aren’t about him or what’s in those documents.

Some of what he’s told me has checked out and has indeed been useful. Yet, now that I’ve had time to pore over these documents and emails in detail (almost all of them are in Russian), a much clearer picture of Vrublevsky and his businesses is beginning to emerge.

My analysis indicates that in 2010 alone, Rx-Promotion sold tens of millions of dollars worth of generic prescription drugs (mostly to Americans), including millions of controlled pills that have high resale value on the street, such as Valium, Percocet, Tramadol, and Oxycodone. And yes, buyers are getting more or less what they’re seeking from this program, contrary to popular perception (more soon on how I know that).

I hadn’t told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.

“Duuuuuuuudddde!” he answers. “It’s 7 a.m. where you are, who died?”

I reply that I am in fact in his time zone and that we should meet. After another long “Duuuuuuuuddde!” Vrublevsky promises to send a car if I will wait in the hotel lobby. He tells me he’ll be sending along with the driver his receptionist, named Vera. He proceeds to describe Vera as this grossly overweight, unattractive older lady but, hey, she speaks English and knows how to deal with Westerners, so she’s coming, he says.

Fifteen minutes later, I am seated in the lobby waiting for Vera, watching incoming guests as they stomp off snow and trudge through the hotel’s revolving door. I find it difficult to avoid staring at this unusually attractive, slender, dark-haired young woman standing nervously just beside the door. I notice she also keeps glancing at me. Finally, she comes over and asks if my name is Brian. I am momentarily alarmed (I know next to no one in Moscow yet) until she says her name is Vera and I suddenly remember with a smile why I can trust almost nothing of what comes out of Vrublevsky’s mouth.

The joke continues when, after enduring about 20 minutes of creeping Moscow rush hour traffic to travel a couple of miles, we arrive at ChronoPay’s offices and I run into the same girl clad in different clothes: It turns out that Vera has a twin sister who also works at the company.

Vrublevsky is feeling especially punchy. Apparently, someone arranged a police raid on the Rx-Promotion Gold Party, a gathering held four nights earlier at Moscow’s Golden Palace. The normally boozy and bawdy event is thrown for all Rx-Promotion affiliates — those several hundred individuals who pimp Rx-Promotion pharmacy sites by whatever means necessary (usually by hacking sites and through search engine manipulation). The top affiliate was to win an actual 1-kilogram bar of gold, while other leading pill pushers would win iPads and iPhones.

Unfortunately for the Rx-Promotion affiliates, the party was broken up when several busloads of men in ski masks and machine guns stormed the party and began interrogating the revelers. Vrublevsky claims the men were sent on behalf of the drug enforcement authorities, but according to several of those in attendance who posted on various Russian forums about the experience, the police appear to have used the raid as a pretense to match Rx-Promotion affiliates’ online identities to real faces and names.

Vrublevsky never showed at his own party. As he explains it, the day before his wife inexplicably pleaded with him to go on an emergency vacation to the Maldives. What’s more, someone had the presence of mind to take down all Rx-Promotion logos from the rented party space hours before the police arrived.

“The whole Russian Internet knew there was supposed to be an Rx-Promotion party in Moscow, and obviously everyone would expect logotypes of Rx-Promotion,” Vrublevsky tells me, chain smoking Marlboros in his company’s cramped boardroom, which features an enormous, outdated map of the world that is flanked by swords and a giant red Soviet-era flag. “And for some reason,” he continues, speaking about himself in the third person, “everyone expected Mr. Vrublevsky would show up there. Obviously, Mr. Vrublevsky would probably not be able to control every [person] with a cell phone camera around. And for that reason, Mr. Vrublevsky decided not to be there. At the same time, someone else decided to remove all of the Rx-Promotion logos around. Mr. Vrublevsky flies to Maldives to have a one-week vacation. He then gets a phone call that there are five buses of special forces from Russian DEA going to that party, closing down Golden Palace and two nearby cafes, just for the reason that there are too many special forces and dogs and cameras. Getting in there just to find out some very stupid shit: There is no Mr. Vrublevsky, no logotype, absolutely nothing to shoot on their video.”

Vrublevsky said he believes Gusev or one of his enemies paid a lot of money to bribe police into ruining his fun.

For his part, Gusev doesn’t want to disabuse anyone of the notion that he might have been responsible for causing his old enemy pain: Gusev is currently in exile from Russia on account of the criminal charges against him, and so he’s happy to see Vrublevsky apparently fleeing the country — if only temporarily — in response to law enforcement action.

“This raid at the party was very funny, because from one point of view everyone was sure it was my [doing], and it’s good for me if everyone thinks this,” Gusev said in a phone interview. He dodges the direct question, but concedes that the videos he has on his own blog post about the raid are not from the raid itself but from an unrelated incident. It is difficult to believe he would not have videos from the busted party if he was somehow responsible.

Gusev says if anyone had advance knowledge of the police raid, it was Vrublevsky.

“I find it strange that he went to Maldives the day before, when he never misses any of his parties,” Gusev told me. “All of the parties are very expensive and it’s the best time for him to meet people and show everyone that he’s powerful and cool. For me, knowing Pavel much better than anyone else from these people, it’s very strange. If he didn’t know, he was somehow expecting something [might] happen.”