Russian Payment Processor Runs Massive Scareware Operation
An anonymous reader writes "Brian Krebs has posted a deep dive through more than a year worth of emails leaked from ChronoPay, Russia's largest online credit card processor. The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam."
Money (Score:1)
Re: (Score:2)
http://www.youtube.com/watch?v=-jC8JIjW2cw [youtube.com]
In Soviet Russia, Pootis remove you!
Re: (Score:2)
In Soviet Russia, English language students knew the difference between "cue" and "queue".
Re: (Score:2)
Depends. It could work either way. Either a queue of jokes (queue up the jokes) or cue the jokes. Taking it on face value, I suspect the OP meant "cue" but with English, dropping the "up" is common.
[John]
in soviet Russia credit card process you! (Score:2)
In Soviet Russia credit card process you!
Always wondered where these came from... (Score:3, Interesting)
I recently rid my wife's computer of such a virus/trojan, whatever -- to this day, we can't figure out how the machine ended up with it -- maybe autorun off a USB stick?
It was this ridiculous fake file scanner that would pop up at startup and scan every file on the computer, calling out 1/10th of them as "infected." This was Windows XP, and the file scanner suppressed msconfig and Task Manager; in fact, you couldn't run Notepad from the Run dialog. It would pop up with "file infected; can't open" or some such. At any rate, this required going into the registry and checking what was in the "run once;" there was some weird file in allusers\localsettings. It was named like a random password, like asdf230123jfgnmv.exe.
The "removal" procedure was basically just to rename the file and restart. It hasn't come back yet. At any rate, while I was working with the file I noticed an artifact in the metadata listing the manufacturer -- I can't read Russian, but it definitely had Cyrillic characters in it. Funny...
Re: (Score:2)
I have had to deal with several of these over the last two months or so here at work (a state agency). The people that get them swear they were on legitimate sites when they got the same infection you mention. This is probably true as we do block what sites people can visit.
After a while of deleting files it just became easier and faster to rename their profile, create a new one and move their bookmarks and anything from their desktop to the new profile. Once done, delete the old profile.
Of course, sinc
Re: (Score:2)
Yeah, it sure is a pain in the neck here. But I'll take this over a hidden virus/trojan -- at least you know that there is something wrong...
Re: (Score:2)
However, you can get rid o
Adobe Reader is likely cause in my case (Score:2)
I just spoke with my wife about her virus and suggested it might have come in through some rogue PDF document. She acknowledged that as a definite possibility; she's constantly downloading and reviewing scientific papers and the like -- a rogue PDF could have easily slipped into the pile somehow, theoretically. I advised that she switch to Sumatra PDF [kowalczyk.info].
Re: (Score:1)
We use a WSUS server and Local Update Publisher at work. It has been a bit of a pain sometimes; Adobe isn't fond of sticking to MSI standards and has published stuff with bad MSI applicability rule content (Windows Installer would still install it, but you had to edit the XML so WSUS could validate it). They also only publish MSI files for the ActiveX version of Flash Player, so we have to deploy the exe version of the Mozilla plugin (WSUS can deploy exe, msi and msp files, but msp files are the easiest).
It ta
Re: (Score:2)
Well, he is right to hate Firefox on the domain, as it has no GPO or centralized management. I personally love Firefox and dislike Chrome, but Chrome comes with MSIs and GPOs. So it was trivial to push that out to everyone on my network.
I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadm
Re: (Score:2)
I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadmin. Users with custom apps can always fall back to IE.
Although I find that most of the installed base of XP in corporate environments is due to higher (it really is) TCO of Vista and 7, not to mention migration costs, loss of IE 6 is still a real deal killer.
I am still running across people that would want to change but deal with specialized portals and software that only run in IE 6. It's baffling, but when I talk to people, deal with other sysadmins, etc. that is the biggest challenge they have with migration and upgrades is a cant-live-without-it program o
Re: (Score:3)
The nice (bad) thing about Windows is it depends on extensions to run things. You can rename any .exe to a .com or even .bat I believe and it'll run fine. Most apps will just do name-based interception so you could have made a copy of notepad.exe as notepad.com and it would have worked. It's something I had to do with regedt32.exe once when I think it was Sasser or something took over the association for .exe filetypes.
Re: (Score:3)
I have seen several of those scareware pop-up advertisements on my Linux computer, claiming that viruses and spyware had been detected. In each case, without my permission, it would pretend to scan drive “C” and show a progress bar for about 30 seconds. It would then announce that it had found several types of viruses and spyware on drive “C” and also in my registry. Linux does not designate devices or partitions with drive letters or have a registry like Windows does, so both claim
Re: (Score:2)
Could you be accused of trying to commit fraud? Someone might get the impression that someone at your IP is trying to use a bundle of stolen CC numbers.
Re: (Score:3)
My suspicion is that the website contained content which triggered some flash or firefox vulnerability. I can't prove it, though.
Sounds like the lead-in that you guys had?
Re: (Score:2)
Honestly, I have no idea where it came from. Given the kind of work that she does on the computer, I could see it coming through an Adobe Reader hole.
Re: (Score:2)
This is the most common form of malware I've had to clean up. Back when Windows didn't have 'home versions' and lacked group policy they only got away with rewriting your dlls to spy on you and create popups.
I have stopped seeing the popups altogether -- now it's just 'Windows Antivirus 2010 has detected legitProgram.exe / legitTechTool.exe / yourCLI contains a virus and must close it. To remove it, click below [and pay USD$80]'. It is annoying that turning back the clock fails most of the time, or the pers
Re: (Score:2)
I recently rid my wife's computer of such a virus/trojan, whatever -- to this day, we can't figure out how the machine ended up with it -- maybe autorun off a USB stick?
The last one I got was injected via an (apparently 0-day) vulnerability in the Adobe Acrobat plugin that was exploited by banner ad code hosted on thepiratebay.org. The previous one was similar, but used a Java flaw. These were both browser-neutral exploits, although I happened to be running Firefox. I have since installed NoScript, which appears to be the only way to guarantee security these days. I've also recently seen something similar on a friend's computer that was smart enough to complete
Millions in Rubles (Score:3)
They have 1-800 numbers in Russia?
Well... (Score:5, Funny)
..was the operation runner named "Peggy"?
Re: (Score:1)
In Soviet Russia the operation Pegs you!
Whoa (Score:1)
The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam.
Never heard of ChronoPay before. I had to read this part three times because at first I really thought they were talking about Norton.
What part of (Score:2)
What part of "Russian Payment Processor" tipped them off?
Nice to see them embracing capitalism (Score:3)
They've learned well from their counterparts on Wall Street. But to reach the final level, they will need to find a way to not only not get caught, but to get the government to actually give them money for their thefts.
Re: (Score:2)
Naw. The final level is getting laws written so that if you do get caught, the government defends you (successfully).
That Russian Entrepreneurial Spirit (Score:3)
In Soviet Russia... (Score:1)
Payment Processor pays Scareware... errrr....wait... tssssssssss.... bah!...
In Soviet Russia and Capitalist America... (Score:1)
Culture of corruption (Score:2)
Re: (Score:3)
You don't see how that instills a culture of corruption? Seriously?
How bout the fact that in a brutal regime the only way to get what you want is to pay people off...