
Krebs on Security: Pavel Vrublevsky Sentenced to 2.5 Years

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.


ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source: Novayagazeta.ru

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years' worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies that were aided immensely by ChronoPay and, according to my research, by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

For more background on Vrublevsky and his case, check out these two stories from the Russian publication Novaya Gazeta. This entry is the latest in my Pharma Wars series, which documents the rise and fall of the pharmacy spam business and how a simmering grudge match between Gusev and Vrublevsky ultimately brought down their respective businesses.

It might be tempting to conclude from Vrublevsky’s sentencing that perhaps the Russian government is starting to crack down on cybercriminal behavior in its own backyard. But all the evidence I’ve seen suggests this is merely the logical outcome of bribes paid by Gusev to some of Russia’s most powerful, payments that were meant to secure the opening of a criminal case against Vrublevsky. In Paying for Prosecution and The Price of (in)Justice, I highlight chat logs leaked from Gusev’s operations that show him making preparations to pay more than $1.5 million to Russian politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Krebs on Security: Gateline.net Was Key Rogue Pharma Processor


It was mid November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big-band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.

Promenade of SS Rotterdam. Copyright: Peter Jaspers

The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference had told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out into the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.

A middle-aged, stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked whether I knew anything about a company in Moscow called “Onelia”. I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.

Later that evening, back at my hotel room, I searched online for details about the company, but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that, and that they would then be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.

My paranoia got the best of me, and I shelved the information. That is, until just the other day, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion. These two programs, the subject of my Pharma Wars series, paid millions of dollars to the most notorious spammers on the planet, hiring them to blast junk email advertising thousands of rogue Internet pharmacies over a four-year period.

WHO IS ‘SHAMAN’?

Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also was used to process a majority of the rogue pharmacy site purchases that were promoted by spammers working for the two programs.

The connection between Gateline and the spam programs is supported by chat logs seized in 2011 by Russian investigators who were looking into SpamIt. Those logs, leaked to this reporter last year, show hundreds of conversations between SpamIt co-owner Dmitry “Saintd” Stupin and a Gateline administrator who used the nickname “Shaman” (shaman@gateline.net), and was referred to as “Nikolai,” or the diminutive form, “Kolya”. The logs show more than 205 conversations between Shaman and Stupin from 2007 to 2010; Stupin also had 169 chat conversations with a SpamIt affiliate “dgc,” a programmer who used the email address dgc@gateline.net.

The leaked Stupin chats suggest that Shaman held enormous sway over the day-to-day operations of SpamIt. The pharmacy spam sponsor had great difficulty offering buyers the ability to pay by MasterCard, mainly because MasterCard seems to have been far more vigilant than Visa about policing the use of its services by rogue online pharmacies. The payment records of SpamIt indicate that Shaman received a sizable cut (~8 percent) from all sales processed by the SpamIt pharmacies, and that he sometimes earned tens of thousands of dollars per week for his services. He was typically paid via wire transfers to holding companies in Latvia, or via the WebMoney ID 49113952953.

In the following chat between Shaman and Stupin, recorded Nov. 23, 2009, Shaman can be seen chastising Stupin for not being more aware of transactions that they believed were undercover buys made by MasterCard fraud investigators. At the beginning of the chat, Shaman posts a link to a story about a criminal case opened by Russian investigators into SpamIt and Stupin’s co-partner, Igor Gusev. By this time, the Pharma Wars between Gusev and his chief competitor Pavel Vrublevsky (a.k.a. “RedEye”), widely considered to be the co-owner of Rx-Promotion, were well underway, with both Gusev and Vrublevsky slowly leaking data about each other’s operations to the media and on underground forums.

Shaman: http://www.runewsweek.ru/country/31283/

Stupin: Yep, yep.

Shaman: I’d suggest you not advertise (P.R.) banks too much

Stupin: We need it the least.

Shaman: Otherwise, the entire business will go down. There has been something like that already.

Stupin: Igor is trying to remove those posts.

Shaman: Okay. What’s the deal with information wars? We have to stop this thing somehow. You’ll destroy the whole business.

Stupin: We will??? There has not been a single post from us. Igor is removing them all the time, we are not doing anything else.

Shaman: Stop responding to him in forum posts and RedEye will calm down.

Stupin: I will ask Igor whether he has been responding, if he has – I will ask him to stop doing it.

Shaman: WHanlinLittleton@gmail.com. Kill this asshole – he is MasterCard’s officer (employee). He made a purchase. http://www.iacva.org/PDF/William%20Hanlin.pdf

Shaman: Be more attentive with the batch. Kill these as well:

Charles Wilson, cwilson2020@comcast.net; Stephen Carpenter, flynavy@hotmail.com; Fredric Manger, fredmanger@gmail.com; capellau1968.test@yahoo.it, sandro racheli

Shaman: What’s going on with you?

Stupin: Programmers (developers) are checking what’s happened. This should not be happening.

Shaman: There has not been a single transaction from you to BinBank [one of Russian Banks -- http://www.binbank.ru/index.wbp] since 00 hours.

Stupin: I am squeezing programmers to troubleshoot faster.

Shaman: As soon as you fix it, be more accurate. Process only established customers.

In a June 5, 2007 conversation between Stupin and Gusev, the former points out that Shaman is processing pharmacy site payments through Gateline’s sister processing program, a company called ufs-online.ru:

Stupin: Did you know that Shaman’s UFS-ONLINE is processing through Alfa (reference to one of the major Russian banks, Alfa-Bank)

Gusev: Yes.

Another interesting chat, recorded May 24, 2007, shows one of the benefits of personally knowing and doing business with the biggest spammers on the planet – one can try to reduce the amount of spam being sent to them.

Shaman: http://sidesky.hk – is it yours? Fuck, you spammed my whole office! Every employee!

Stupin: Yeah, it’s ours. I’ll ask the affiliate to remove from his list

Shaman: remove entire .ru zone from the spamlist..[and] .@ufs-online.ru

Stupin: He doesn’t want to remove, says it’s too cumbersome [to remove all of .ru]

WHO REALLY RUNS GATELINE?

Abridged Dun & Bradstreet report on Oneliya OOO

Financial records retrieved from Dun & Bradstreet show that Oneliya Ltd. is a Moscow computer programming and services firm with about 42 employees, bringing in annual revenues of nearly $346,000. This is almost certainly a highly conservative revenue number; financial records from SpamIt indicate that Shaman alone earned at least that much in a year processing payments for the program. It is likely, however, that Shaman’s activities were off-book and not recorded as official revenue for Oneliya, or perhaps that money was counted toward revenues for one of the firm’s satellite companies, such as ufs-online.ru or ufs-travel.ru.

In any event, this document indicates the director of the company is a Russian named Rafael Khasanovich Mukhametshin. This is supported by an email leaked from ChronoPay, the company co-founded in 2003 by Gusev and Vrublevsky before they parted ways and turned bitter enemies. Mukhametshin did not respond to multiple emails seeking comment for this story.

Dozens of documents leaked from ChronoPay show that ChronoPay routinely made large payments to the same WebMoney purse where Shaman had his SpamIt earnings sent. Each transaction is affixed with the notation “Shaman.” In an email exchange on June 9, 2010, Vrublevsky can be seen replying to a business partner who is asking about a processor he has heard about named Shaman who specializes in processing MasterCard and American Express payments.

“It is strange that you do not know, given that he works for Desp [Gusev] and also works with us: Gateline it is called,” Vrublevsky wrote. “Shaman is the nick of Kolya, a comrade of Rafael Mukhametshin (from ufs-online.ru if I’m not mistaken)”.

Shaman’s full name remains a mystery, to me at least, and it’s unclear if he still works for Gateline or whether the firm remains embroiled in processing payments for the rogue pharmacy industry. But Shaman’s prediction about ‘information wars’ ruining the business for everyone would eventually ring true. The SpamIt affiliate program was closed down in September 2010, after Russian investigators levied criminal charges against Gusev (although GlavMed, the sister program of SpamIt, still appears to be running). Vrublevsky was recently released from a Moscow prison after being arrested for allegedly hiring a botmaster to attack a rival processor. Rx-Promotion is now for the most part a dead pharmacy affiliate program.

Krebs on Security: Rove Digital Was Core ChronoPay Shareholder


Rove Digital, the company run by six men who were arrested in Estonia this week for allegedly infecting four million PCs worldwide with malware, was an early investor in ChronoPay, a major Russian payment processing firm whose principal founder Pavel Vrublevsky also is now in prison and awaiting trial on cyber crime charges, KrebsOnSecurity has learned.

Estonian authorities on Tuesday arrested Rove Digital founder Vladimir Tsastsin, 31, along with five other Estonian nationals indicted on charges of running a sophisticated click fraud scheme. Yesterday’s blog post details Tsastsin’s criminal history, and his stewardship over Rove and a sister firm, EstDomains. Today’s post will reveal how Tsastsin and his company were closely allied with and early investors in ChronoPay, and how that relationship unraveled over the years.

In my Pharma War series, I’ve published incorporation documents showing that Igor Gusev, a man currently wanted in Russia on criminal charges of running an illegal business in the notorious pharmacy spam affiliate programs GlavMed and SpamIt, was a co-founder of ChronoPay back in 2003. That series also details how Gusev sold his shares in ChronoPay, and that Vrublevsky later started a competing rogue pharmacy/spam operation called Rx-Promotion.

A spreadsheet showing front companies tied to ChronoPay.

It turns out that ChronoPay also had two other major and early investors: Rove Digital and a mysterious entity called Crossfront Limited. This information was included in the massive trove of internal ChronoPay emails and documents that was briefly published online last year and shared with select journalists and law enforcement agencies. Among those documents is a spreadsheet (XLS) listing all of the various shadowy companies allegedly owned and managed by ChronoPay founder Pavel Vrublevsky and associates. It lists ChronoPay B.V., the legal entity in The Netherlands that formed the initial basis of the company, as jointly owned by Gusev’s firm DPNet B.V., Red & Partners (Vrublevsky’s adult Webmaster provider) and Rove Digital OU.

When I met with Vrublevsky at his offices in Moscow in February of this year, he confirmed that Tsastsin was an old friend and that Rove Digital had been a key shareholder in the company. Further evidence of the connection between ChronoPay and Rove Digital is provided in a series of internal ChronoPay emails from May 2010.

At that time, ChronoPay was under investigation by Dutch banking regulators who suspected that the company’s intricate network of front companies and financial channels was acting in violation of the country’s anti-money laundering laws. In a tersely-worded email exchange, the Dutch bank demanded a slew of additional accounting and administrative records, including “all documents that show the structure of ChronoPay BV, such as statutes, incorporation documents, names and addresses of director(s) and shareholders.”

The following email thread from ChronoPay executives shows how they struggled to discover the identity of the original principal shareholders of their own company:

From: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

To: Rob Peters

Subject: ChronoPay BV – Info

Could you please send me the directors’ names for each shareholder of ChronoPay BV? (i.e. Red&Partners B.V., DPNet B.V., ROVE Digital Ou, Crossfront Limited)?

==

Reply from: Anna Boguslavchik [mailto:a.boguslavchik@chronopay.com]

To: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

The thing is that we don’t have acting director appointed now and we need to have some documents for the bank signed urgently (Sasha Panin already told you that). According to the charter we need to have shareholders appoint someone as the signatory for the company. And for this we need signatures of all directors of the shareholding companies.

Here’s the info on the shareholding companies:
DP Net B.V. – 45 class B shares, director – someone named Terekhov
RED&Partners B.V. – 135 shares (45 class B and 90 class A). Ronnie was the director (see Martins’ email below). Martins has no info on who’s the director now.
Rove Digital OU – 45 class B shares. No information on who’s the director.
Crossfront Limited – 45 class B shares. No information on who’s the director.

If the bank is OK with this, we can prepare the decision of shareholders document in the form that I told you about yesterday.

==

It makes sense that Tsastsin’s Rove Digital was an early investor in ChronoPay: The two businesses served many of the same clients. Indeed, several messages between Vrublevsky and Tsastsin show the two men routinely turned to one another for favors over the years. In one email thread, Vrublevsky asks Tsastsin to set him up with several Web servers to help host torrent trackers for an MP3 business Vrublevsky is supporting.

But somewhere along the way, the relationship soured, and Vrublevsky and his executives grew either unwilling or unable to accommodate requests from Tsastsin. The following is the final email from Tsastsin to Vrublevsky, in which the former complains about a favor he asked of Vrublevsky that was promised but never delivered:

From: Vladimir T. <vladimir@itconsluting.ee>

To: Vrublevsky, Pavel <p.vrublevsky@chronopay.com>

Subject: patience

I never asked you for anything before, and was always really patient with you. Now I’m writing you because I can’t take this anymore. I asked you to help my friends with payment processing 4 months ago. Both Jan and Misha ignored the guy for 4-5 months, no one can arrange processing for him.

I will not list every favor I did for you personally and for ChronoPay. One day you needed my consultation on something, another day you need servers for running torrent [trackers], and we aren’t even charging you for them. Then you need us to create a statistics page for Fethard and to help you detect fraudsters. In summary – we do everything you ask for. And in return I’m not getting shit.

I wrote them myself and asked Jan personally with a cc/ to Abramov. They either blame Misha or suddenly their notebook gets broken or they have a vacation…. They drag this on for 5 months, it’s insane! I don’t know what to tell my friends, my reputation with them is ruined.

I will not continue to describe all this nonsense to you. What I want from you is to kick their asses really hard so that they do it immediately once and for all. I will be away on business for two days and if I get no reply from them by the time I return I will not be asking you or them for anything anymore since this relationship is a one-way street.

Have a nice day. I’m sick and tired of this.

Krebs on Security: Pharma Wars: Purchasing Protection


Leaked online chats between the co-owners of the world’s largest pharmacy spam operation reveal the extent to which illicit organizations in Russia purchase political protection, and bribe public officials into initiating or stalling law enforcement investigations.

Last month, there was a leak of more than four years of chat logs seized by Russian police who had arrested and interrogated Dmitry Stupin, allegedly the co-owner of GlavMed and the now-defunct SpamIt, organizations that paid spammers millions of dollars each month to promote fly-by-night online pharmacies.

In the Jan. 9, 2010 chat between Stupin and Igor Gusev, the alleged other owner of GlavMed and SpamIt, Gusev has just learned that he and his operation are under investigation by Russian authorities (Gusev would be formally charged with illegal business activities in October 2010, forcing the closure of SpamIt). Gusev says he may be able to purchase shelter from the charges by funneling money to key Russian politicians who have influence over investigators.

Specifically, Gusev suggests purchasing a sponsorship of the Volleyball Federation of Russia. The price tag for this is an official sponsorship fee of 10 million rubles (about $350,000 USD), plus $150,000 in cash. The official head of the federation, Nikolai Patrushev, is a powerful man in Russian law enforcement. Patrushev was director of the Russian FSB, the successor organization to the KGB, from 1999 to 2008; he has been secretary of the Security Council of Russia since 2008.

Sources say it is typical for Russian sport leagues and charities to be used as vehicles for funneling money into the pockets of policymakers. One example comes from a book by Lennart Dahlgren, former head of the Russian division of Swedish furniture maker IKEA. In Despite Absurdity: How I Conquered Russia While It Conquered Me, Dahlgren writes of having to pay bribes of 30 million Rubles ($1 million USD) to Russian charities that helped funnel money to bureaucrats and top officials.

In this chat, translated from Russian into English, Gusev mentions that a close friend of his family is a director general of the Volleyball Federation:

Gusev: We have big problems. Register fake mailbox somewhere. I will send you something very important.

Gusev: Let’s move Jabber to a new server and encrypt it. We’ll have a trusted communication channel. Everything is very bad :(

Gusev: asdas12334@mail.ru / mgadjadtwa2009. check the e-mail.

Gusev: Are you reading?

Stupin: Yes. Do not know what to say.

Gusev: There is nothing to say. We have only two ways: find someone from law enforcement, pay up and be under protection [or] be placed in jail for 7-9 years and do self-analysis. I have one more way out, but I could not decide regarding it in December, because it was very expensive. It is about 10 million rubles officially and 150K under the table.

Gusev: Red [ChronoPay CEO and former business partner Pavel Vrublevsky] is such an asshole. Leaked information about the whole scheme in hopes to get me arrested. Now, everyone is under investigation. Does your brother have any connection “high above”?

Stupin: No.

Gusev: I asked “just in case”. I will try to get sponsorship of Volleyball Federation (Patrushev is its president). Maybe it’s a good idea for you to go somewhere, to Turkey, for example, until we know if we are going to be either squashed or milked. One good thing: nobody has asked about you yet.

Stupin: No, thank you. Who told you about volleyball? It is a public organization, its financial books are open.

Gusev: Close family friend – general director of that association. He helped Russian Standard [popular brand of Russian Vodka] when they were getting squashed.

Stupin: Maybe we’ll give him this money? Federation has open books, if someone wants to take money from it — it is going to be noticed.

Gusev: What am I going to tell Andrei about prosecutors’ office? I do not want to scare him, but he has to be in the loop. Maybe we’ll suggest him to go to Turkey again?

Stupin: Do you think we need to notify him now? Let’s wait, if they summon you – then we’ll tell him, but not now.

Gusev: What if they do not summon me, but will come directly and interrogate me and confiscate the servers?

Stupin: Yes he is waiting for it for several months already.

Gusev: Ok, let’s not do it now. Let’s move Jabber to another domain.

Stupin: Yes, get rid of “despmedia”, close domains, liquidate the firm, and finally make the founder (of the company) from somewhere abroad. Changing location will not give us anything.

Gusev: I removed everyone from the firm, I am alone there. Liquidation is in progress. The office is leased by a company, which I have no relationship with.

Stupin: Very well. I will tell Andrei to get new IPs and domains.

Gusev: Okay.

Stupin: (to andy@im.despmedia.com): Despmedia.com, where is it physically?

Andy: Server is in Russia, but there are several proxies there.

Stupin: Can you let me know what’s going on there? Let me read the message trail. I need to know where the leak of information is. Red, when he wanted to fight with everyone, told our Law Enforcement about the whole idea of on-line pharmacy. Now they are looking who to milk.

Andy: We do not keep Jabber logs. Chat is encrypted, it’s impossible to connect to server without chat client configured with SSL.

Stupin (to Gusev): I had to tell him something… Came out OK, I think.

Gusev: OK. I will use the same story.

Stupin: But it’s the truth.

Gusev: Yes, but omitting the details.

Gusev: Let’s talk less regarding work and money over the phone. Only if it is urgent. I ordered two payments from Despmedia [the legal entity that owns GlavMed and other businesses tied to Gusev]. This is to Volleyball association/FSB. In the morning, please, make sure that money got transferred.

Russian Vice Premier Sergei Ivanov (left) and ChronoPay co-founder Pavel Vrublevsky at a Russian Basketball League game, April 2011.

In May 2011, Gusev told me that he was a paid sponsor of the Russian Volleyball League, hoping to persuade someone to stop the criminal case against him. Gusev is convinced, and other leaked documents confirm his suspicions, that law enforcement interest in his activities was paid for by his former business partner turned competitor Pavel Vrublevsky.

In late 2010, Vrublevsky secured a sponsorship of the Russian Basketball League for his employer, ChronoPay, until recently Russia’s largest processor of online payments. The basketball league is headed by Sergei Ivanov, a former KGB officer who was tapped by Russian President Vladimir Putin as deputy prime minister of Russia.

“All that I wanted was to speak with someone from FSB [who] was making this [case] for Pavel, and to persuade them to stop all this conflict before it’s too late,” Gusev said. “Unfortunately, this didn’t help me very much.”

It apparently didn’t help Vrublevsky much either: the former ChronoPay executive and reputed co-owner of the illicit Rx-Promotion rogue Internet pharmacy program now sits in a Moscow prison, awaiting trial on charges of hiring a hacker to launch Internet attacks against his company’s competitors.

Krebs on Security: Organization Chart Reveals ChronoPay’s Links to Shady Internet Projects


An online criminal enterprise, as tightly structured as any legitimate business corporation, was exposed in 2010. Emails and documents taken from employees of ChronoPay, Russia’s largest online payments processor, were shared with a select group of law enforcement agencies and with KrebsOnSecurity.com. The communications provide the strongest evidence yet that a notorious rogue online pharmacy and other shady enterprises are controlled by ChronoPay executives and employees.

The leaked ChronoPay emails show that in August 2010 co-founder Pavel Vrublevsky authorized a payment of 37,350 Russian Rubles (about $1,200) for a multi-user license of an Intranet service called MegaPlan. The documents indicate that Vrublevsky used the service to help manage the sprawling projects related to ChronoPay’s “black” operations, including the processing of payments for rogue anti-virus software, violent “rape” porn sites, and knockoff prescription drugs sold through hundreds of Web sites affiliated with the rogue online pharmacy program Rx-Promotion.com.

ChronoPay employees used their MegaPlan accounts to track payment processing issues, order volumes, and advertising partnerships for these black programs. In a move straight out of the Quentin Tarantino film Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these folks had their messages automatically forwarded to their real ChronoPay email accounts.

MegaPlan offers an application that makes it simple for clients to create organizational charts, and the account paid for by ChronoPay includes a chart showing the hierarchy and reporting structure of its dark divisions.

A screen shot of the organization chart from ChronoPay's MegaPlan Intranet system.

Black Ops, Dark Divisions

Media: This division oversees ChronoPay clients and services that specialize in selling steeply discounted MP3 music files. ChronoPay saw the profit potential of dodgy music resellers early on, and is probably best known for being the processor for AllofMp3.com, a controversial Russian online music sales company. AllofMp3.com drew the wrath of the U.S. entertainment industry, and in 2006 it became the subject of an international trade dispute between Russia and the United States.

R&P: Short for “Red & Partners,” this division was founded by Vrublevsky early in his career, and is responsible for processing payments for adult Web sites that specialize in violent “rape” photos and videos. ChronoPay emails show company slush funds routinely are used to process payments for the infrastructure used by dozens of these extreme adult sites. ChronoPay emails reveal that the director of R&P, listed in the graphic above as “Mr. Simon,” is ChronoPay employee Alexandr Alyushin.

StandardPay: A company founded by Vrublevsky that specializes in offering payment solutions for the extreme adult sites. Processing payments for pornography can be tricky in many countries, including Russia, where it is technically illegal to produce or sell pornography. “Mr. StandardPay” is a Russian named Mikhail Mikryukov, who uses the nickname “Human.” Along with RedEye (Vrublevsky), Human is an administrator of Crutop.nu, an 8,000-member Russian adult Webmaster forum that also is used to recruit affiliates for Rx-Promotion and rogue anti-virus sales.

Big Bosses (“биг боссы”): ChronoPay CEO Pavel “RedEye” Vrublevsky, and Yuri “Hellman” Kabayenkov. ChronoPay emails show that these two men are 50/50 partners in the pharmacy program Rx-Promotion.

Rx-Promotion: ChronoPay emails and documents show that “Mr. Heppner” is Stanislav Maltsev, a former Russian police investigator previously responsible for heading up a criminal investigation of Vrublevsky in 2007. That investigation remains open but appears to have gone nowhere, and Maltsev now works directly for Vrublevsky.

Communications between Mr. Heppner and Ms. Nati about payment for Rx-Promotion affiliates.

An individual listed in the ChronoPay MegaPlan account under the alias “Ms. Curly” does not appear to be a ChronoPay employee. Curly is named as a customer support representative for Rx-Promotion.com, and a user “Curly” also is listed as the support lead at the Rx-Promotion forum for affiliates of the rogue pharmacy program. Curly appears to be a pseudonym for Katya Ivanova, a slender, curly-haired redhead from Moscow shown in this profile on Vkontakte, a major Russian social networking site.

ChronoPay emails show that Ms. Nati, listed in the MegaPlan chart above as the public relations manager for Rx-Promotion, is a ChronoPay employee named Natalia Miloserdnaya. Members using the names Curly, Nati and Hellman also can be seen fielding questions from Rx-Promotion affiliates in that organization’s online forum.

A reverse engineering project based on Malwarebytes.

Project for AV: In previous investigations, I’ve shown that ChronoPay has consistently been among the biggest processors of rogue anti-virus software or “scareware.” Last month, I blogged about ChronoPay paying for several domains that were used in recent Mac Defender attacks. A study released this week (PDF) by researchers at the University of California, Santa Barbara looked at three rogue anti-virus distribution services, and found they all processed payments through ChronoPay.

When I visited Vrublevsky in Moscow in February, he told me of plans to launch a ChronoPay-branded anti-virus solution, and many of the documents included in this section of ChronoPay’s MegaPlan installation are technical papers referencing the development of different anti-virus software modules. The documents suggest that the company has hired programmers to reverse-engineer the free version of the commercial anti-malware product Malwarebytes.

Banking on Indifference

Another area of ChronoPay’s MegaPlan installation shows contact information for strategic and advertising partners. Among them is a bank in Azerbaijan called Azerigazbank that until recently processed Visa and MasterCard payments for Rx-Promotion customers, among a half-dozen other rogue Internet pharmacy programs. This is not your everyday, risk-averse financial institution: AG Bank’s slogan loosely translates to “Options for the Rich,” and this bizarre commercial for their services features scantily-clad women on a yacht tossing handfuls of huge diamonds into the sea while helicopter gunships circle overhead.

According to a UC San Diego research paper (PDF) released in May that analyzed spam from more than 30 illicit online pharmacy programs, Rx-Promotion-branded pharmacy sites were the most actively promoted via spam. As I’ve noted in previous stories about Rx-Promotion, it is one of the few remaining pharmacy programs that sells prescription drugs (no prescription required) that are highly controlled in the United States, including addictive painkillers Valium, Percocet, Tramadol, and Oxycodone.

As the academic paper and my reporting make clear, the traditional methods of exposing these programs, “outing” the merchant banks and shining a spotlight on the main actors, have little effect when the organizers live in countries that willingly turn a blind eye to this activity. I’ve been eager to write more about this treatise since it was first featured in a New York Times story last month. In a future blog post, I will discuss the potential impact of the main policy alternative outlined in that paper: convincing a handful of card-issuing banks here in the United States to stop processing payments for a handful of merchant accounts known to be tied to illicit online pharmacies.

Krebs on Security: ChronoPay’s Scareware Diaries


If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.

Click image for PDF version of timeline. Each entry is clickable and links to supporting documents.

ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for the domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.

As I documented in a March 2009 story for The Washington Post, Trafficconverter.biz paid its promoters or “affiliates” hundreds of thousands of dollars a month to pimp rogue anti-virus software. The domain Trafficconverter.biz was shut down briefly at the end of November when it was discovered that it was being sought out by millions of Microsoft Windows systems infected with the first variant of the Conficker worm, which instructed infected systems to visit that domain and download a specific file that suggested it would attempt to install rogue anti-virus software.

“That was a case where ChronoPay had a merchant account registered as an Internet payment service provider with Visa Iceland, where the same merchant account was being used by hundreds of small merchants, and one of them turned out to be the infamous TrafficConverter,” Vrublevsky explained.

But what of the leaked documents that show what appear to be ChronoPay employees setting up entire businesses that would later sell rogue anti-virus — including incorporation records, associated bank accounts, Web hosting, domain registration, telephone support and merchant accounts tied to these entities? Wasn’t ChronoPay concerned that this activity could make it appear that the company was simply building rogue anti-virus merchants from the ground up?

No, this is what high-risk payment service providers do, Vrublevsky explained.

“This is part of the service you provide,” he said. “Basically you own the companies that have those merchant IDs, plus you do customer support and everything which is related to that. And that’s how any other payment service provider does it, and you can find the same thing if you dig into companies like Wirecard, and Visa Iceland. So most payment service providers basically register the companies themselves and monitor the whole [operation] from the inside.”

SCAREWARE RESEARCH & DEVELOPMENT

The leaked records also show ChronoPay’s high-risk division worked diligently to stay on the cutting edge of the scareware industry. In March 2010, the company began processing payments for icpp-online.com, a scam site that stole victims’ money by bullying them into paying a “pre-trial settlement” to cover a “Copyright holder fine.” As security firm F-Secure noted at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines.

Internal ChronoPay documents show that hundreds of people fell for the scam, paying more than $400 each (the message at the top of the image indicates that the internal ChronoPay formula for counting the number of downloads and sales was generating errors, so take these numbers with a grain of salt).

ChronoPay also was the processor for a fake anti-virus product known as Shield-EC, which was processed through a merchant account tied to a company called Martindale Enterprises Ltd. Again, internal documents show that ChronoPay not only created Martindale Enterprises Ltd., and attached bank accounts to the company, but that it also paid for the domain registration, hosting and telephone support lines for shield-ec.com.

The shield-ec scareware scam was unique because the purveyors pitched it as “the result of a two-year research collaboration of programmers and analysts from Martindale Enterprises and ZeusTracker, the main center for ZeuS epidemic prevention.”

ZeusTracker is a free service run by an established security researcher, Roman Hüssy, who monitors Web addresses that are known to be associated with the distribution and management of the infamous ZeuS trojan. As Hüssy noted in a blog post at the time, the Shield-EC scareware campaign came with an interesting twist: The Web site shieldec.com was in fact hosted on a fast-flux botnet that was also being used to host at least two different servers used to control large numbers of PCs infected with ZeuS.

These days, Vrublevsky said, he’s hoping his company can have a go at the market for legitimate anti-virus products. When I met with him in Moscow, Vrublevsky told me about company plans to create and sell its own anti-virus product: ChronoPay Antivirus. At first I didn’t know whether to take him seriously. But then I found a document in the cache that confirmed that claim. A Russian-language document called ChronoPay AntiVirus Vision (PDF), dated June 15, 2010, details the company’s ambitions in this market.

Curious about what other domains ChronoPay currently owns? Check out this list (PDF), taken from a recent internal email that leaked from the company.