Security The Internet

Major Rogue Anti-Virus Program Shut Down 59

krebsatwpost writes "TrafficConverter.biz, one of the more notorious pay-per-install affiliate programs, was dismantled this week after media attention caused Visa and Mastercard to shut down the group's payment operations. The action comes just a few days after a report by The Washington Post that showed some affiliates were making more than $100,000 USD a week installing rogue anti-virus software. The credit card industry may have been spurred by the fact that the first version of the Conficker worm told infected systems to download a file from TrafficConverter, although the story posits that this could have been an attempted Joe Job rather than a blatant attempt to drum up more installs."
  • I'm surprised visa/MC actually shut them down. 3% of 100k/week is a decent chunk of change.
    • by Dreadneck ( 982170 ) on Saturday March 21, 2009 @02:38PM (#27281297)

      $3,000/week isn't a big enough chunk of change to compensate for the damage to their corporate image that would result if it became widely known they were knowingly doing business with such an outfit.

      • by PapayaSF ( 721268 ) on Saturday March 21, 2009 @02:41PM (#27281333) Journal

        I wonder why this doesn't happen more often. The vast majority of online scams (fake drugs, etc.) and spammers get their money through credit cards. Why not more effort to cut off their source of funds? It seems like a weak point in the operations.

        • Re: (Score:3, Interesting)

          by Z00L00K ( 682162 )

          The problem is that the laws and the penalties are too relaxed for crimes like these.

          A more severe penalty for involvement in fraud crimes would make many more a lot more vigilant when it comes to strangling that kind of behavior.

        • by Ihmhi ( 1206036 )

          When fraud happens, the credit card company often doesn't pay for it, the merchant does.

          For instance, if someone steals your card and goes out to eat, you don't pay for that meal and Visa doesn't pay for that meal. Guess who does?

          Now if there were a law that Visa et al. had to pay, in full, any fraudulent charges (i.e. absorb the damage), I bet this would change reaaal quick.

          • by Uzuri ( 906298 )

            Nah, you'd still pay... Visa would just find another way to increase your "gotcha" fees.

      • Re: (Score:3, Interesting)

        by Pollardito ( 781263 )
        Unfortunately $100K/week isn't the full extent of the scam, it's just one slice of the money. The article only says that top affiliates made that much individually, and they only break down the Top 10 affiliates for 4 separate two-week periods (which adds up to almost $2M over that time). There is no mention of how many total affiliates there were or how much money they brought in as a group, but even the glimpse of the Top 10 makes it clear that it's much more than $100K/week when you add up the entire t
      • by Dan541 ( 1032000 )

        It's Visa and Master Card, who else are you going to use?

    • Re: (Score:2, Insightful)

      That's nothing.

      First that figure is from just ONE affiliate.

      Then add in all the money they were making from chargebacks too.

    • well obviously it wasn't them. The FBI or some government people probably contacted them and told them they need to stop allowing credit card operations to take place there.
      • Re: (Score:1, Interesting)

        by Anonymous Coward

        I think that's the issue. You can't accept dirty money... running it through your transaction gateway has no down side for the credit card companies. Now if they were responsible for a percentage of the damages...

      • I guess we'll hear right-wing radio decrying this as yet one more example of government interference stifling innovation in the marketplace.

        Apologies, but I couldn't resist.

        • Re: (Score:2, Insightful)

          by Dishevel ( 1105119 )

          I guess we'll hear right-wing radio decrying this as yet one more example of government interference stifling innovation in the marketplace.

          Apologies, but I couldn't resist.

          I guess I'll hear Leftist radio .... nevermind.

          No one that can drive listens to left wing radicals.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I'm surprised visa/MC actually shut them down.
      3% of 100k/week is a decent chunk of change.

      But not much in their overall operations, if you look at VISA and MC themselves.

      The biggest hurdle is finding out exactly who the VISA/MC service provider really is, since most people scammed don't want the embarrassment of reporting it.

      I doubt the service provider is a "real" bank, most likely it's one of the many non-bank providers who do it for the money, since that would be big money to them.

      VISA and M/C should do more to police their service providers and enforce the contracts already in place.

    • Re: (Score:2, Informative)

      by omz13 ( 882548 )

      I'm surprised visa/MC actually shut them down. 3% of 100k/week is a decent chunk of change.

      Most of that 3% goes to the acquiring bank, rather than the payment system (Visa/MC).

  • $100K per week: at about fifty bucks per victim, comes out to two thousand people getting robbed every week.
    After all that, one article in the WaPo gets it shut down?
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday March 21, 2009 @02:59PM (#27281513)

      Yes. Because those thousands of people every year don't have the public impact that a news story does.

      This has been going on for YEARS and the credit card companies NEVER took any action before now. Because the credit card companies were getting their share of the loot.

      Now that the PR problem might be more costly than their share of the fraud, they take action.

      • by Jurily ( 900488 )

        Now that the PR problem might be more costly than their share of the fraud, they take action.

        Again, all I can say is: ban Windows. Then let's see how well they do.

        Yes, really. I'm getting sick of the worm-of-the-week crap.

        • I resent that remark.
          I'm quite happy with Windoze. The "worm-of-the-week" is like the Christmas gift that keeps on giving.
        • Re: (Score:1, Insightful)

          by RoFLKOPTr ( 1294290 )

          You obviously don't understand that the only reason there aren't many viruses for Linux is because virus writers don't give a shit about Linux. They only put their time and effort into something that will achieve their goal with most ease, and since Windows has % of the market share.... that's the one they write viruses for.

          I know you were being facetious, but that doesn't negate the fact that your statement is retarded. The moment everybody starts using Linux is the moment that people start putting Linux_V

          • So nobody is interested in writing viruses to break into servers? I scoff at you and blow my nose in your general direction.
            • Do you get any spam for "My Canadian Pharmacy," "Canadian Health&Care Mall," "International Legal Rx Medication," "Men+ Health," "US Drugs," or "VIP Pharmacy ('Viagra + Cialis')?" Those are all hosted on hijacked Unix servers. They also use other hijacked Unix servers to load their images and host their nameservers. The professionals that monitor those servers can't find the files because they load, execute, and delete commands as called for. The admins don't notice the "tirqd" trojan, whose name looks
              • Which just goes to support the implication of my reply to the goose that says lack of use is THE reason there aren't linux viruses. There are many reasons people would want to hijack a server and as there are so many of them running *nix it can't be lack of motivation that has kept VIRUSES out of the linux world can it?
    • Re: (Score:3, Funny)

      Installing rogue software on thousands of PCs: Free.

      Flying under the radar while you collect tons of cash: Free.

      Realizing that all that money isn't going to keep your posterior from being repeatedly violated in prison: Priceless.
  • by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Saturday March 21, 2009 @03:20PM (#27281675)

    While I'm glad these guys were shut down, Mastercard and Visa shouldn't have had to do it. This case constitutes outright fraud, and the perpetrators should be punished like other criminals: with handcuffs, a jury, and iron bars.

    We used to have strong consumer protection agencies. Then something happened. How many more electronic Elixir Sulfanilamide incidents [fda.gov] (or real ones for that matter [webmd.com]) do we need before we re-create the strong and sensible regulatory bodies that used to protect us?

    • by Endo13 ( 1000782 )

      Those people are all too busy protecting IP and going after nasty pirates now.

      • by mpe ( 36238 )
        Those people are all too busy protecting IP and going after nasty pirates now.

        Don't forget that they are also too busy chasing unlikely conspiracy theories about Islamic Terrorists. In spite of the fact that complex conspiracies (especially those operating internationally) appear to be far more likely to involve fraud than anything else...
    • Sometimes the best way to deal with stuff like this is to stop the money. How do we know what country they're in anyway?

    • Re: (Score:2, Interesting)

      IMO, Visa and MC SHOULD have "had to do it". They move money around the world, 24/7, in amounts that are astronomical, as well as minute. There is almost no one who understands the flow of money better than Visa and MC. They cannot be totally ignorant of the illegality and the immorality of some of their customers. Sure, they may be ignorant for awhile, but after a few dozen complaints from customers, they become aware. (Yeah, I read, and I understand, MOST customers fail to report these crimes, for fe
      • by jopsen ( 885607 )
        Where I live, customers can get the credit card companies to cancel the transaction if the product isn't delivered...
        However, I think a part of the problem is that people don't know they've been subject to fraud. As I assume they do get a pretty-looking antivirus app, that doesn't do much but look pretty... :)
    • There never were such bodies at the international scales on which these systems operate. I don't think anyone's dumb enough to run one from inside the US.
    • by shird ( 566377 )

      I just hope they also go after the affiliates, and make them pay. These are the guys creating the trojans and viruses infecting millions of people. Even if Traffic Converter goes down, they are still sitting on many millions of ill gotten gains and shouldn't be allowed to get away with that. They will just move on to TrafficConverter3.biz and do it again.

  • Which is why we need 3 geeks, 3 lawyers [slashdot.org] to shut down the lion's share of spam and misbehavior like this.
  • That thing wreaks havoc on every machine it is installed on. They too make over $100K a week: http://en.wikipedia.org/wiki/Antivirus_2009#Earnings [wikipedia.org]
    • AV2009 and AV360 are the same thing. In fact, you could make a strong statement that AV360 is the upgrade to AV2009. Most of the sites that have AV360 have underlying AV2009 code. I've even seen AV2009 sites give me AV360 as the payload dropper and vice versa.

      Supposedly, these guys are the guys pushing AV360, hopefully infections fall for awhile, but these guys are just like spammers. I'm sure next month they'll be back with Antivirus 720 or something. (There's already an Antivirus 2010 out there) That and

  • ...How F-secure can track down AV360's Virus Inc. but still can't figure out a way from stopping the rogue installers from running on a fully patched F-secure protected PC.

    I know it's more technical than this and easy for virus writers to work around, but I would think that their DeepGuard system could at least block/warn anything with the name "InstallAVG_(Random 6 digit number).exe" from running. That would at least keep 99% of the current AV360/AV2009 infections down for awhile until they change their namin

    • There are a lot of people out there that don't care what they click, they just want their damn porn. It happens all the time.
  • Traffic Converter (Score:3, Informative)

    by shird ( 566377 ) on Sunday March 22, 2009 @04:23AM (#27286605) Homepage Journal

    Traffic Converter have a note on their site www.trafficconverter2.biz:

    On March 18th, in the evening, with no warnings, the German Merchant Processing was cut off. Merchant was at the bank personally (without intermediaries), proved and with the arrangements on the highest level. Up until now the bank was not replying to our inquiries, but finally we received answers from them your Merchant was blocked and the account frozen until the determination of the facts. According to unofficial channels, we have been able to ascertain the following:
    "I am sorry to inform you that both VISA and MC have done a surprise on site visit at the offices in Frankfurt. They are actually there as we speak.
    They have instructed WC to freeze your account until further notice and both of these companies have different reasons for doing so:

    VISA; they want to investigate where all the volume comes from.
    MC; High CB`s the past few days."

    This is absolutely unprecedented case when two of the largest payment system called the requirement to block the Merchant. We also have a reason to believe that the situation was caused by the recent publication about us and our products in Washington Post:
    http://voices.washingtonpost.com/securityfix/ [washingtonpost.com]

    There are, as you can see, some very serious accusations. Including the relation to Conficker, which we actually are not implicated with (and can prove it if necessary).

    As a result of this situation:
    - No money to pay;
    - No capacity to process products (not because we're not working, but because this volume is not endure any processor)
    - There is a chance to get ourselves under prosecution and let down Webmasters.
    So, the decision was made to default and shut down the Traffic Converter. In case we resolve this issue and manage to refund the money from the bank, we will pay you off all debts as quickly as possible.
    If we manage to get the stable traffic conversions we have demonstrated during the year and a half, we will contact you on individual basis.
    Thanks to everyone for succesful business cooperation.

    • by dargaud ( 518470 )
      It's an international operation but they only write in engrish ?!? And people trust those asswipes ?
  • Am I the only one to be shocked that a private company (Visa and MC) can shut down another one simply on the basis of denunciations in the press, and be congratulated about it ?

    Traffic Converter should be tried before the judicial system. They probably aren't saints, but justice works only if it is applied the same way to everybody. Otherwise it's called arbitrary. This should be obvious but apparently it seems necessary to repeat it often.
