
Russian Payment Processor Runs Massive Scareware Operation

Unknown Lamer posted more than 3 years ago | from the legit-business-is-boring dept.

Security 62

An anonymous reader writes "Brian Krebs has posted a deep dive through more than a year's worth of emails leaked from ChronoPay, Russia's largest online credit card processor. The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam."

62 comments

Money (1)

pinkeen (1804300) | more than 3 years ago | (#35382318)

Such operations need a lot of funding. It's not surprising to see that some legitimate companies decided to provide it...

Re:Money (2)

devxo (1963088) | more than 3 years ago | (#35382360)

The title and summary are horribly wrong anyway, no wonder it was submitted by an anonymous coward. Even the article states that ChronoPay didn't run it, but they provided payment processing, and setting up companies for receiving payments is a normal process with every payment processor.

Re:Money (1)

anegg (1390659) | more than 3 years ago | (#35384014)

In the article that I read, a principal in the ChronoPay operation claims that setting up companies for receiving payments is normal process with every payment processor, not the author of the article. I read that as "we didn't do anything wrong, everyone else does the same thing, too." I don't listen to that kind of excuse from my children uncritically - I wouldn't listen to it from ChronoPay, either.

Queue the... (0)

Luniz (1115637) | more than 3 years ago | (#35382334)

"In Soviet Russia" jokes

Re:Queue the... (0)

Anonymous Coward | more than 3 years ago | (#35382692)

In Soviet Russia,

Re:Queue the... Ok then, you asked for it (0)

Anonymous Coward | more than 3 years ago | (#35382762)

In Soviet Russia, we don't do "In Soviet Russia" jokes. We do "In Capitalist America" jokes instead.

Re:Queue the... (1)

Angostura (703910) | more than 3 years ago | (#35384310)

In Soviet Russia, English language students knew the difference between "cue" and "queue".

Re:Queue the... (1)

Bigbutt (65939) | more than 3 years ago | (#35385444)

Depends. It could work either way. Either a queue of jokes (queue up the jokes) or cue the jokes. Taking it on face value, I suspect the OP meant "cue" but with English, dropping the "up" is common.

[John]

in soviet Russia credit card process you! (1)

Joe The Dragon (967727) | more than 3 years ago | (#35382344)

in soviet Russia credit card process you!

Re:in soviet Russia credit card process you! (0)

Anonymous Coward | more than 3 years ago | (#35382732)

In Soviet Russia this joke still funny!

Always wondered where these came from... (2, Interesting)

rwade (131726) | more than 3 years ago | (#35382388)

I recently rid my wife's computer of such a virus/trojan, whatever -- to this day, we can't figure out how the machine ended up with it -- maybe autorun off a USB stick?

It was this ridiculous fake filescanner that would pop up at start up and scan every file on the computer, calling out 1/10th of them as "infected." This was Windows XP, and the filescanner suppressed msconfig and task man; in fact, you couldn't run notepad from the run dialog. It would pop up with "file infected; can't open" or some such. At any rate, this required going into the registry and checking what was in the "run once;" there was some weird file in allusers\localsettings. It was named like a random password, like asdf230123jfgnmv.exe.

The "removal" procedures were basically just to rename the file and restart. It hasn't come back yet. At any rate, while I was working with the file -- I noticed an artifact in the metadata listing the manufacturer -- I can't read Russian, but it definitely had cyrillic characters in it. Funny...

Re:Always wondered where these came from... (-1)

Anonymous Coward | more than 3 years ago | (#35382456)

cool story bro. I'm certain only ChronoPay and its associates use Cyrillic characters... never stop posting.

Re:Always wondered where these came from... (1)

spire3661 (1038968) | more than 3 years ago | (#35382606)

Anecdote is anecdote. Take it for what it is.

Re:Always wondered where these came from... (0)

Anonymous Coward | more than 3 years ago | (#35384532)

Anecdote is anecdote.

Well it had a lot more content than your stupid internally redundant post.

Re:Always wondered where these came from... (1)

smooth wombat (796938) | more than 3 years ago | (#35382550)

I have had to deal with several of these over the last two months or so here at work (a state agency). The people that get them swear they were on legitimate sites when they got the same infection you mention. This is probably true as we do block what sites people can visit.

After a while of deleting files it just became easier and faster to rename their profile, create a new one and move their bookmarks and anything from their desktop to the new profile. Once done, delete the old profile.

Of course, since our CIO hates anything that isn't Microsoft, we can't install Fx or anything else (though we have done so for select people and some of us in the IT area have it installed) so we will continue to get these infections.

Re:Always wondered where these came from... (1)

rwade (131726) | more than 3 years ago | (#35382588)

Yeah, it sure is a pain in the neck here. But I'll take this over a hidden virus/trojan -- at least you know that there is something wrong...

Re:Always wondered where these came from... (1)

GIL_Dude (850471) | more than 3 years ago | (#35382686)

Most of these infections have been coming from Flash and Adobe Reader exploits. Maybe the ones you got weren't, but many of them are. It is amazing how slowly people patch Flash and Reader - especially with all the exploit kits out there targeting them. About 8 months ago both my boss and my brother in law got one of these fake AV programs. Both got them through adobe Reader, and both were from normal everyday websites where the ad network had served ads with the exploit included.

However, you can get rid of the thing faster by just booting to Windows PE and deleting the file and registry entry. It takes about 10 minutes (and that includes the boot / reboot).

Adobe Reader is likely cause in my case (1)

rwade (131726) | more than 3 years ago | (#35384410)

I just spoke with my wife about her virus and suggested it might have come in through some rogue PDF document. She acknowledged that as a definite possibility; she's constantly downloading and reviewing scientific papers and the like -- a rogue PDF could have easily slipped into the pile somehow, theoretically. I advised that she switch to Sumatra PDF [kowalczyk.info].

Re:Always wondered where these came from... (1)

freedumb2000 (966222) | more than 3 years ago | (#35385978)

What I want to know is how to get them patched with a non-admin account. I want to allow already installed apps to update themselves without allowing new apps to be installed by the user or being able to make other changes to the system.

Re:Always wondered where these came from... (1)

damium (615833) | more than 3 years ago | (#35387234)

We use a WSUS server and Local Update Publisher at work. It has been a bit of a pain sometimes, Adobe isn't fond of sticking to MSI standards and has published stuff with bad MSI applicability rule content (windows installer would still install it but you had to edit the xml so WSUS could validate it). They also only publish MSI files for the ActiveX version of flash player so we have to deploy the exe version of the mozilla plugin (WSUS can deploy exe, msi and msp files but msp files are the easiest).

It takes about 1 hour for us to write and test the deployment rules for each update. We test against both WinXP-32bit and Win7-64bit targets as they will sometimes need different applicability rules. Then we let the clients check-in to see if they mark the update as applicable. After we are satisfied that all of the clients that need it and only the clients that need the update will try to install it (we have had issues with this in the past) we mark the update as ready to install and the clients will install it in the next cycle.

This usually means that an update is out for 1-2 days before our clients have it installed so if there is an exploit being used broadly we will sometimes force clients to update via our inventory tool that can have it done in 1 hour. We have had systems where the user has been hit by these type of scareware drive-by-installs before the patch was even out.

Re:Always wondered where these came from... (0)

Anonymous Coward | more than 3 years ago | (#35389658)

Turn off adobe reader's embedded javascript (unless you actually use it?), and tell it to load separately not use the browser plugin (better yet strip it out of the browser). First decreases the attack surface in adobe reader, second stops a website being able to load a hidden pdf file, at least the whole reader window will popup if it tries.

Re:Always wondered where these came from... (0)

Anonymous Coward | more than 3 years ago | (#35382884)

Of course, since our CIO hates anything that isn't Microsoft, we can't install Fx or anything else (though we have done so for select people and some of us in the IT area have it installed) so we will continue to get these infections.

Smart guy your CIO. Who wouldn't want a manager who provides job security like that ;)

Re:Always wondered where these came from... (0)

Anonymous Coward | more than 3 years ago | (#35383280)

Infected ads would be my guess. Yay for Adblock!

Re:Always wondered where these came from... (1)

citylivin (1250770) | more than 3 years ago | (#35383634)

"Of course, since our CIO hates anything that isn't Microsoft, we can't install Fx or anything else"

Well he is right for hating firefox on the domain as it has no GPO or centralized management. I personally love firefox and dislike chrome, but chrome comes with msi's and gpos. So it was trivial to push that out to everyone on my network.

I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadmin. Users with custom apps can always fall back to IE.

Re:Always wondered where these came from... (1)

EdIII (1114411) | more than 3 years ago | (#35385524)

I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadmin. Users with custom apps can always fall back to IE.

Although I find that most of the installed base of XP in corporate environments is due to higher (it really is) TCO of Vista and 7, not to mention migration costs, loss of IE 6 is still a real deal killer.

I am still running across people that would want to change but deal with specialized portals and software that only run in IE 6. It's baffling, but when I talk to people, deal with other sysadmins, etc., the biggest challenge they have with migration and upgrades is a can't-live-without-it program or platform that prevents change.

One I can think of off the top of my head is some security camera software. They all developed on ActiveX controls which requires IE at a minimum.

It is tragically hilarious to have to absorb the costs of a VPN, or the security risks of terminal services open to the WAN, just so that executives with nice fancy new Windows 7 tablets and laptops can still run IE 6 on a Win2K server.

Even the most competent sysadmin has to deal with legacy software requirements.

Re:Always wondered where these came from... (2)

PitaBred (632671) | more than 3 years ago | (#35382748)

The nice (bad) thing about Windows is it depends on extensions to run things. You can rename any .exe to a .com or even .bat I believe and it'll run fine. Most apps will just do name-based interception so you could have made a copy of notepad.exe as notepad.com and it would have worked. It's something I had to do with regedt32.exe once when I think it was Sasser or something took over the association for .exe filetypes.
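The two cleanup clues in this thread (rwade's random-named executable sitting in a Run key under a user-writable path, and PitaBred's malware that hijacked the .exe file association) can both be checked from a regedit export. The script below is an added example written for this page; it is not from the thread or from Krebs's article. It parses a small constructed .reg export and flags Run entries whose executable has a random-looking name or lives in a user-writable location, and reports an exefile open command that differs from the stock `"%1" %*`. The sample export, the entropy threshold and the list of user-writable path markers are assumptions chosen for illustration.

```python
"""Triage helper for the fake-AV cleanup steps described in the thread (added example).

Parses a constructed regedit text export ("Windows Registry Editor Version 5.00"
format) and applies two defender checks:
  1. Run-key entries whose executable has a random-looking name or lives in a
     user-writable location (the asdf230123jfgnmv.exe pattern from the thread).
  2. An exefile open command that is no longer the stock "%1" %*, meaning every
     .exe launch is first routed through another program.
Thresholds and the sample export are assumptions, not values from the page.
"""
import math
import re
from collections import Counter

# Constructed sample export: one stock Run entry, one random-named entry in a
# user-writable path, one quoted vendor entry, and a tampered exefile command.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"asdf230123jfgnmv"="C:\\Documents and Settings\\All Users\\Local Settings\\asdf230123jfgnmv.exe"
"GoogleUpdate"="\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\" /c"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Local Settings\\asdf230123jfgnmv.exe\" \"%1\" %*"
'''

# A value line is either @=... (default value) or "name"=... with \" and \\ escapes.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
DEFAULT_EXE_COMMAND = '"%1" %*'
USER_WRITABLE_MARKERS = ('\\documents and settings\\', '\\users\\', '\\temp\\',
                         '\\appdata\\', '\\local settings\\')


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is the key's default value.
    Only string and dword data are decoded (hex: continuation lines are ignored)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = '' if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def executable_from_command(command):
    """Extract the executable path from a quoted or unquoted command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find('.exe')
    return command[:idx + 4] if idx >= 0 else command.split()[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(stem):
    """Heuristic (assumed thresholds): long, mixes letters and digits, high entropy."""
    stem = stem.lower()
    return (len(stem) >= 10 and any(ch.isdigit() for ch in stem)
            and any(ch.isalpha() for ch in stem) and shannon_entropy(stem) >= 3.0)


def in_user_writable_path(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def audit_run_entries(keys):
    """Return (key, value_name, exe_path, reasons) for suspicious Run entries."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith('\\currentversion\\run'):
            continue
        for name, command in values.items():
            if not isinstance(command, str):
                continue
            exe = executable_from_command(command)
            stem = exe.replace('/', '\\').rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            reasons = []
            if looks_random(stem):
                reasons.append('random-looking executable name')
            if in_user_writable_path(exe):
                reasons.append('executable in user-writable location')
            if reasons:
                findings.append((key, name, exe, reasons))
    return findings


def audit_exe_association(keys):
    """Return the exefile open command if it is not the stock one, else None."""
    cmd = keys.get('HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command', {}).get('')
    if cmd is None or not isinstance(cmd, str):
        return None
    return None if cmd.strip() == DEFAULT_EXE_COMMAND else cmd


def main():
    keys = parse_reg(SAMPLE_REG)
    for key, name, exe, reasons in audit_run_entries(keys):
        print(f'[Run] {name} -> {exe}: {"; ".join(reasons)}')
    tampered = audit_exe_association(keys)
    if tampered:
        print(f'[exefile] open command is not the default: {tampered}')


if __name__ == '__main__':
    main()
```

On a real machine the export would come from `reg export` of the Run keys (HKLM and HKCU) and of HKCR\exefile, ideally taken from a Windows PE boot as GIL_Dude suggests so the malware cannot interfere. A hijacked exefile command also explains why renaming notepad.exe to notepad.com works: the .com association is a different key, so the interception never runs.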

Re:Always wondered where these came from... (1)

DeadDecoy (877617) | more than 3 years ago | (#35382934)

For me, I've always been amused at getting those "Your Windows Registry has been infected by a Trojan" popups on my linux box. Nope, my non-existent system32 is quite clean thankyouverymuch.

Re:Always wondered where these came from... (2)

Rick17JJ (744063) | more than 3 years ago | (#35383800)

I have seen several of those scareware pop-up advertisements on my Linux computer, claiming that viruses and spyware had been detected. In each case, without my permission, it would pretend to scan drive “C” and show a progress bar for about 30 seconds. It would then announce that it had found several types of viruses and spyware on drive “C” and also in my registry. Linux does not designate devices or partitions with drive letters or have a registry like Windows does, so both claims were obviously bogus.

It would then ask me to purchase their anti-virus software to fix the problems.

Contrary to what they were claiming, I doubted that their advertisement could have so casually scanned my hard drive like that, without my permission. I had a user configured firewall on both my computer and on my DSL modem, with all inbound ports closed. I was also up to date with all the latest security patches.

In another earlier encounter with a similar scareware advertisement, a couple of years earlier, it also tried to download an executable file, with a .EXE extension, without my permission. Of course my Linux computer did not know what to do with a Windows .EXE file, so it gave me a pop-up box asking me what program it should use to try to open a .EXE file. I did not suggest trying to run it under WINE and just chose the option to cancel the download instead.

Since then, I have started using the “No Script” plug-in for Firefox for most websites, so perhaps I will not see their scareware ads again.

Re:Always wondered where these came from... (0)

Anonymous Coward | more than 3 years ago | (#35383936)

It's rarely anything to do with JavaScript. I've seen them come in on my Mac box through Flash ads and/or Java. So unless I'm running Speedtest to test my ISP, I turn Java off on all browsers and run a Flash blocker. The latter also has the nice side-effect of getting rid of the most obnoxious ads out there.

Re:Always wondered where these came from... (1)

hughk (248126) | more than 3 years ago | (#35384044)

If you are a particularly nasty person like me, you would have returned the favour of a fake virus scan with a fake purchase from one of the test CC generators. Do that enough times and it may raise a flag with their upstream payment processor.

Re:Always wondered where these came from... (1)

rwade (131726) | more than 3 years ago | (#35384378)

Could you be accused of trying to commit fraud? Someone might get the impression that someone at your IP is trying to use a bundle of stolen CC numbers.

Re:Always wondered where these came from... (1)

hughk (248126) | more than 3 years ago | (#35396422)

If there is no match between names and numbers (they only pass initial validation) then you are hardly committing fraud. They could complain but they are making fraudulent claims.

Re:Always wondered where these came from... (2)

Jaqenn (996058) | more than 3 years ago | (#35384156)

I got a virus with these exact symptoms a few months ago. My wife called me at work to say the PC was acting wonky, and she had accidentally clicked an ad that brought her to some random website which she then closed.

My suspicion is that the website contained content which triggered some flash or firefox vulnerability. I can't prove it, though.

Sound like the lead in that you guys had?

Re:Always wondered where these came from... (1)

rwade (131726) | more than 3 years ago | (#35384252)

Honestly, I have no idea where it came from. Given the kind of work that she does on the computer, I could see it coming through an Adobe Reader hole.

Re:Always wondered where these came from... (1)

vlueboy (1799360) | more than 3 years ago | (#35385194)

This is the most common form of malware I've had to clean up. Back when Windows didn't have 'home versions' and lacked group policy they only got away with rewriting your dlls to spy on you and create popups.

I have stopped seeing the popups altogether --now it's just 'Windows Antivirus 2010 has detected legitProgram.exe / legitTechTool.exe / yourCLI contains a virus and must close it. To remove it, click below [and pay USD$80]' It is annoying that turning back the clock fails most of the time, or the person infected waits long enough that any clean copy of the OS is long discarded by newer infected System Restore snapshots.

I did find one removal tool distributed as .com, .exe and .scr(eensaver), but never checked that the non-screensaver ones are just a file rename. Never had a chance to try it out with the exe-catching malware... Between exe-knocking and the design failure that puts group policy APIs in XP *Home* edition, malware pretty much forbids any tool --safe mode sometimes gets pwned or corrupted past any hope of recovery.

Re:Always wondered where these came from... (0)

Anonymous Coward | more than 3 years ago | (#35386818)

They used exploits in Adobe Reader and Flash Player. Now they are attacking Java...

Re:Always wondered where these came from... (1)

julesh (229690) | more than 3 years ago | (#35387848)

I recently rid my wife's computer of such a virus/trojan, whatever -- to this day, we can't figure out how the machine ended up with it -- maybe autorun off a USB stick?

The last one I got was injected via an (apparently 0-day) vulnerability in the Adobe Acrobat plugin that was exploited by banner ad code that was hosted on thepiratebay.org. The previous one was similar, but used a Java flaw. These were both browser neutral exploits, although I happened to be running Firefox. I have since installed Noscript, which appears to be the only way to guarantee security these days. I've also recently seen something similar on a friend's computer that was smart enough to completely hide the traces of where it came from, although I also suspect a banner-ad injected exploit in that case. I'd suggest anyone browsing sites that use the kind of dubious ad banner networks that show up adverts for "facebook of sex" or similar dodgy sites install it now.

Also known as Ebay (-1, Flamebait)

theaveng (1243528) | more than 3 years ago | (#35382428)

"Don't miss out! Buy this christmas present before it's too late!" - scare tactics

I spent over $500 on that damn site for my kids. Got a bunch of damaged games (instead of new as advertised). Complained to ebay. And ebay banned me. Dicks.

Whoa (1)

The Wild Norseman (1404891) | more than 3 years ago | (#35382532)

The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam.

Never heard of ChronoPay before. I had to read this part three times because at first I really thought they were talking about Norton.

Fake orders (0)

Anonymous Coward | more than 3 years ago | (#35382658)

Has anyone considered trying to place fake orders with random contact info [fakenamegenerator.com]?

Might as well complete fake anti-virus software with fake orders.

Russian perspective (0)

Anonymous Coward | more than 3 years ago | (#35382706)

It's not a surprise to me that they did. The basis of the Russian economy is "Scam and try to screw over as many people as possible and make money in the process". Also, I don't believe that ChronoPay did not receive any kickbacks. After all, over there every little deal is driven by them.

IT'S FUCKING RUSSIA !! DUH !! (0)

Anonymous Coward | more than 3 years ago | (#35382740)

Kapitalist Kommie Klowns stealing from countrymen? Stealing from the world? What's new? You can't find a more morally bankrupt people in the known universe!

Re:IT'S FUCKING RUSSIA !! DUH !! (0)

Anonymous Coward | more than 3 years ago | (#35382916)

u sir is wrong. they are far behind ppl on wall street. also, keep trolling

Re:IT'S FUCKING RUSSIA !! DUH !! (0)

Anonymous Coward | more than 3 years ago | (#35383206)

KKK moved to russia? Serves them right.

Nice to see them embracing capitalism (2)

elrous0 (869638) | more than 3 years ago | (#35382804)

They've learned well from their counterparts on Wall Street. But to reach the final level, they will need to find a way to not only not get caught, but to get the government to actually give them money for their thefts.

Re:Nice to see them embracing capitalism (1)

sabt-pestnu (967671) | more than 3 years ago | (#35383484)

Naw. The final level is getting laws written so that if you do get caught, the government defends you (successfully).

That Russian Entrepreneurial Spirit (2)

NicknamesAreStupid (1040118) | more than 3 years ago | (#35383010)

Marx may be rolling over in his grave, but Stalin would be proud, so would Al Capone. There is nothing more effectual, business-wise, than organized crime gone corporate.

That's Unpossible! (0)

Anonymous Coward | more than 3 years ago | (#35383028)

A Russian online credit card processor running scams?

What a shocker! I refuse to believe it.

Culture of corruption (1)

andydread (758754) | more than 3 years ago | (#35384210)

WTF is it with Russian, Eastern Bloc, and Chinese corruption. When I hear about scams like this I think hhmmm Russian, Romanian etc, or Chinese and 80% of the time my hunch is correct. The only thing I see in common is that most of these countries are or were under some brutal regime, but I don't see how that instills such a culture of corruption in the people in this fashion.

Re:Culture of corruption (2)

thebigmacd (545973) | more than 3 years ago | (#35384528)

You don't see how that instills a culture of corruption? Seriously?

How bout the fact that in a brutal regime the only way to get what you want is to pay people off...

The market will sort it out (0)

Anonymous Coward | more than 3 years ago | (#35384348)

No cause for concern. The free market will sort it all out!

In Soviet Russia (0)

Anonymous Coward | more than 3 years ago | (#35384780)

In Soviet Russia girls don't scissor, they Hammer and Sickle !

