Banks Faulted For Fake Antivirus Scourge
krebsonsecurity writes "Merchant banks that process credit card payments for fake antivirus or 'scareware' exhibit a distinctive pattern of card processing that could be used by Visa and MasterCard to weed out the rogue processors, according to a new study by the University of California, Santa Barbara. From the study: 'The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor's chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds.' The study also highlights how few customers ever request a refund, and how affiliates pushing this junk software made more than $133 million."
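The behaviour the summary describes (refunds rising whenever chargebacks climb toward the processor's limit, then falling again) is something an acquirer or card network can score from per-merchant monthly statistics. The following is an added example written for this page, not code from the UCSB study or from KrebsOnSecurity; the 1% chargeback limit, the correlation and "hover" thresholds, and both merchants' monthly figures are constructed assumptions.

```python
"""Flag merchants whose refund rate tracks their chargeback rate (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Assumed processor threshold: a chargeback/transaction ratio at or above this
# value draws penalties. Placeholder chosen for the example, not from the study.
CHARGEBACK_LIMIT = 0.01


@dataclass
class MonthStats:
    """One month of card activity for a single merchant account."""
    month: str
    transactions: int
    chargebacks: int
    refunds: int

    @property
    def chargeback_rate(self) -> float:
        return self.chargebacks / self.transactions

    @property
    def refund_rate(self) -> float:
        return self.refunds / self.transactions


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def score_merchant(history: List[MonthStats], limit: float = CHARGEBACK_LIMIT,
                   min_corr: float = 0.7, band: float = 0.5,
                   min_hover: float = 0.5) -> Dict[str, object]:
    """Score one merchant's monthly history for the refund-throttling pattern.

    Flagged when all three hold:
      1. the chargeback rate never crosses the limit,
      2. it nevertheless sits in the upper band just below the limit
         (band * limit <= rate < limit) in at least min_hover of the months,
      3. this month's refund rate rises and falls with LAST month's chargeback
         rate (lagged Pearson correlation >= min_corr).
    """
    if len(history) < 3:
        raise ValueError("need at least three months of data")
    cb = [m.chargeback_rate for m in history]
    rf = [m.refund_rate for m in history]
    lagged_corr = pearson(cb[:-1], rf[1:])          # chargebacks(t-1) vs refunds(t)
    hover = sum(1 for r in cb if band * limit <= r < limit) / len(cb)
    over_limit = any(r >= limit for r in cb)
    flagged = (not over_limit) and hover >= min_hover and lagged_corr >= min_corr
    return {"lagged_corr": lagged_corr, "hover_fraction": hover,
            "over_limit": over_limit, "flagged": flagged}


# Constructed sample data: 10,000 transactions per month for both merchants.
# The first merchant's refunds are always ten times the previous month's
# chargebacks, i.e. it refunds just enough to stay under the limit.
SCAREWARE_MERCHANT = [
    MonthStats("2011-01", 10_000, 60, 300),
    MonthStats("2011-02", 10_000, 90, 600),
    MonthStats("2011-03", 10_000, 95, 900),
    MonthStats("2011-04", 10_000, 70, 950),
    MonthStats("2011-05", 10_000, 90, 700),
    MonthStats("2011-06", 10_000, 95, 900),
]
HONEST_MERCHANT = [
    MonthStats("2011-01", 10_000, 20, 200),
    MonthStats("2011-02", 10_000, 25, 300),
    MonthStats("2011-03", 10_000, 15, 100),
    MonthStats("2011-04", 10_000, 30, 250),
    MonthStats("2011-05", 10_000, 20, 150),
    MonthStats("2011-06", 10_000, 25, 200),
]

if __name__ == "__main__":
    for name, hist in (("scareware", SCAREWARE_MERCHANT), ("honest", HONEST_MERCHANT)):
        print(name, score_merchant(hist))
```

The score is a triage signal, not proof: a seasonal business can also show refunds lagging chargebacks, so a hit should route the merchant to a manual review of its refund policy and complaint history rather than to automatic termination.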
Pah (Score:2)
I'd like to know that even with an up-to-date Windows system, the fucking thing is still vulnerable to these attacks.
Re:Pah (Score:5, Insightful)
Of course it is. You can technically secure a computer all you want, but there's no defense against fraud.
Re: (Score:1)
Of course it is. You can technically secure a computer all you want, but there's no defense against fraud.
Actually, there is. I can sell it for you for $99. How about it? Tell you what - if you email me your banking details right now I'll give you a 90% discount.
Disposable checking account (Score:2)
You can technically secure a computer all you want, but there's no defense against fraud.
Actually, there is. I can sell it for you for $99. How about it? Tell you what - if you email me your banking details right now I'll give you a 90% discount.
Let me guess: if I have my bank make me a disposable checking account and deposit $9.90, you'll send me some iPad brochures.
Re: (Score:3)
Unfortunately, you can't patch users.
If they pay enough, I'll patch them (afterwards).
The sadist in me detects an enticing business opportunity!
Re: (Score:2)
I'd like to know how non-admin users who don't have an admin password can still execute files in say, C:\programdata. I know users will run anything, I want to know how they can still, at the very least, poison their own profile.
Social engineering (Score:4, Interesting)
I'd like to know how non-admin users who don't have an admin password can still execute files in say, C:\programdata.
Social engineering becomes practical once the administrator is as dumb as the user, especially on a home PC. The scareware wedges itself deep into the user's profile, popping up a UAC or gksudo prompt every two minutes. "Daddy, the computer looks broken. Could you run this fix for me?"
Re: (Score:2)
gksudo prompt? Really? I've had my browser hijacked by scareware, but I've never had anything ask for sudo privileges. Maybe it was just cheap software, and wasn't smart enough to realize it should ask for sudo?
Re: (Score:2)
They ask for UAC privileges, and there has been a Mac version in the wild that asks for sudo privileges. If the % of idiotic linux desktop users ever gets high enough to justify the ROI, you are likely to see them ask for gksudo privileges as well.
Re: (Score:2)
HAHA Joke's on them! I only run kde.
kDESUdo (Score:2)
Re: (Score:2)
There's very little reason to run untrusted binaries, as most software comes from the distro.
In general, only FOSS comes from the distro, and there are a few kinds of software where FOSS won't be a serious contender any time soon for various business reasons. One of these is games.
Re: (Score:2)
There's very little reason to run untrusted binaries, as most software comes from the distro.
You are thinking like someone who is interested in Linux and only wants to run FOSS, not the putative user who has migrated from Windows and is used to downloading programs from all over the place.
Re: (Score:2)
Yea, I have said for a while that UAC and sudo are pretty much close to the same thing, especially in the Vista era when people were complaining about UAC.
Re: (Score:2)
"Daddy, the computer looks broken. Could you run this fix for me?"
"Of course, my little princess."
>>Daddy inserts Ubuntu installation CD
Re: (Score:2)
Daddy inserts Ubuntu installation CD
Daddy, the computer is still broken. I can't play this game, even though I put in the CD and everything.
Re: (Score:2)
Most of these programs don't install, in the traditional sense. They copy themselves to %userprofile%\AppData. There are ways to protect a system from that [microsoft.com] but it's not easy to set up and still allow for all the oddball programs your users need.
It's not like Linux stops you from running "rm ~ -rf". You don't need root to run that. This is the equivalent. It doesn't destroy the system. It's not particularly invasive. It does, however, completely mess with user data (toggling the Hidden bit or moving t
Re: (Score:2)
I want to know how they can still, at the very least, poison their own profile.
Because they can write to their own profile? Because they can write to their own registry hive (Windows\currentversion\Run)? Because they can set up their own scheduled tasks? There are tons of ways that trojan malware can auto-start on a machine. And before you mention anything about Linux: ~/, .bashrc/.tcshrc, cron. Sure, you can put /home on another partition and mount it noexec, but not a lot of home users are going to do that, and of course Windows has Software Restriction Policies [microsoft.com]
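The persistence locations listed in this comment and the one above it (the per-user Run key, scheduled tasks, %userprofile%\AppData, C:\ProgramData, ~/.bashrc, crontab) are also what a defender audits. The following is an added example, not code from any of the posters: it takes autostart entries as a host-inventory tool might export them and flags those whose command runs out of a location an unprivileged user can write to. The entries, paths and names are constructed for the example and are not real malware indicators.

```python
"""Flag per-user autostart entries that launch from user-writable locations."""
import re
from typing import Iterable, List, Tuple

# Constructed (source, command) pairs mirroring HKCU\...\Run, the task
# scheduler, a user crontab and ~/.bashrc. Not real malware paths.
SAMPLE_AUTOSTARTS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityShield",
     r"C:\Users\alice\AppData\Roaming\SecurityShield\shield.exe"),
    (r"SchedTask\AVUpdater", r"C:\ProgramData\av-updater\updater.exe /silent"),
    ("crontab", "@reboot /home/alice/.cache/.x/run.sh"),
    ("crontab", "0 3 * * * /usr/bin/updatedb"),
    ("~/.bashrc", "/tmp/.helper &"),
    ("~/.bashrc", "export PATH=$PATH:/usr/local/bin"),
]

# Heuristics for "runs from somewhere a normal user can write to".
# Order matters: the first matching reason is reported for an entry.
USER_WRITABLE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("runs from per-user AppData",
     re.compile(r"(?i)\\users\\[^\\]+\\appdata\\")),
    ("runs from C:\\ProgramData",
     re.compile(r"(?i)\\programdata\\")),
    ("uses a user-writable environment path",
     re.compile(r"(?i)%(appdata|localappdata|userprofile|temp)%")),
    ("runs from a home directory", re.compile(r"(?:^|\s)/home/")),
    ("runs from /tmp", re.compile(r"(?:^|\s)/tmp/")),
]
# A dot-directory component in the path (e.g. /.cache/.x/) is a common way to
# keep the dropped files out of a casual directory listing.
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")


def suspicious_autostarts(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (source, command, reason) for every entry matching a heuristic."""
    findings = []
    for source, command in entries:
        for reason, pattern in USER_WRITABLE_PATTERNS:
            if pattern.search(command):
                if HIDDEN_DIR.search(command):
                    reason += " via a hidden directory"
                findings.append((source, command, reason))
                break
    return findings


if __name__ == "__main__":
    for source, command, reason in suspicious_autostarts(SAMPLE_AUTOSTARTS):
        print(f"{reason}: {source} -> {command}")
```

A hit from this check is exactly the situation Software Restriction Policies or a noexec /home are meant to prevent in the first place: the entry is only dangerous because the path it points at is both writable and executable by the same account.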
Re: (Score:3)
The lion's share of rogue A/V are really just registry mods and a simple GUI sham program. But, I have been seeing some rogue A/V coming with rootkit as well, which would obviously happen more on XP or admin accounts.
Here is an example: I have seen first-hand a limit
Hence the walled garden (Score:2)
It's impossible to secure a computer where the admin will grant root permission to almost anything that asks.
Sure you can: just take admin privileges away from the owner. Apple and the game console makers, for example, have chosen to require that the operating system publisher evaluate and sign all software for the platform and then require a substantial annual payment for the privilege to run a compiler.
Re: (Score:2)
Even where a user does not have admin privileges, the newer fake antivirus/hard drive failure programs can still poison their profile, the last few I've seen throwing the actual executable in c:\programdata. Frankly, I don't think users without admin privileges should have any capability to download and run an executable file.
I've instituted Software Execution Policies on my AD networks, but I've heard that they are not all that hard to sneak past, but at least even if the user manages to download the prog
Re: (Score:2)
I have the good fortune of not having any developers. Pretty much everything is Office-Exchange and the like. Obviously my solution would no longer work in a situation where execute privileges were required. Probably at that point I'd do more stringent user profile backups and accept fake AV installs as a known risk.
Re: (Score:2)
And people who want to actually own the things they buy rightly complain about that and either jailbreak or just avoid Apple products.
You could offer it as a special option, but then a zillion "power users" will check the "I know what I'm doing" box even though they haven't a clue. It would help the minority that know that they don't know, at least.
Solution! (Score:2)
Seriously? You don't know? FUCKING PEOPLE WILLINGLY INSTALL THIS SHIT.
So clearly the abstinent are safe! We have found a solution! :)
Cheers,
Re: (Score:1)
Most of it today is not users installing shit but rather exploits by PDF reader and Flash. A rogue ad can install it just by viewing a website and giving you a browse by infection. My parents' computer got infected this way and they had a 2 year old version of Flash, but had windows updates and the most recent version of Firefox installed thinking they were safe. Vector attacks are not noticeable and can bypass UAC and run directly on the CPU bypassing Windows entirely.
Re: (Score:1)
Uninstall Flash and PDF reader folks and use Chrome if possible as it updates its flash automatically.
I do not like Chrome, but I am genuinely paranoid about using Adobe PDF reader or Flash on any other system. Most users have the 2 year old Flash 9.0 that has many exploits.
So Windows Update focuses on securing Windows and IE, so hackers focus on the plugin instead. Genius. Windows update is old news now and WebGL is going to come next I fear as a reflashed video card with malware would be a nightmare if no
Re: (Score:2)
Unfortunately I'm stuck with Flash. Some of the web tools we're required to use utilize it. Hopefully, eventually, HTML5 will render a good deal of this moot.
Re: (Score:2)
I'd like to know that even with an up-to-date Windows system, the fucking thing is still vulnerable to these attacks.
You know how I know you don't know what type of attack they're talking about?
Placebo (Score:5, Funny)
If homeopathic "medicine" can be sold legally, I see no reason why anti-virus software that does absolutely nothing should be considered illegal.
Re:Placebo (Score:5, Funny)
It contains less than 0.001% of the virus signatures found in other AV software, so you *know* it's super-effective!
Re: (Score:2, Funny)
anti-virus software that does absolutely nothing
Yeah, McAfee should be illegal.
Re: (Score:3, Funny)
McAfee does tons.
It has to, otherwise your computer would still run after McAfee starts.
Re: (Score:2)
At least in theory, homeopathic medicine bottles are carefully labeled with something to the tune of "The FDA has not evaluated [product] for safety or efficacy," and they have to be very careful in phrasing their health claims. It's easy to be misled, and pretty dubious, but it's (barely, on a technicality) not illegal.
Fake AV software is more explicit in its claims, and definitely fraud. The distinction is pretty arbitrary, of course.
Re: (Score:3)
Hell, you're not going far enough. At least homeopathic "remedies" don't actually give you diseases. Most fake AV products are active trojans, infecting your machine and (A) providing backdoors and further infection vectors (like disabling real AV) and (B) demanding more money to "fix" the damage it caused (and "fix" is scarequoted because at best, they do nothing; at worst, it's just paying to be trojaned further.)
Fake AV is equivalent to homeopathic medicine made with 100% all-natural anthrax and HIV.
Re: (Score:2)
At least homeopathic "remedies" don't actually give you diseases
Ever heard of using tapeworms to lose weight?
Re: (Score:2)
At least a tapeworm generated results... ...and generally didn't kill the patient, unless they lost or otherwise didn't take the remedy to kill the tapeworm so many weeks later...
Re: (Score:2)
People who sell homeopathic "medicine" and other such quackery should, like chiropractors and spiritualists, be hounded out of business.
Re: (Score:3)
Well at least with a Placebo, there is the Placebo effect. There is no Placebo effect on computers.
Re: (Score:2)
Of course, the antivirus was a c
Re: (Score:2)
Homeopathic medicine doesn't generally tell you that you have an infection that you don't really have in order to get people to buy it, and it doesn't generally change its name every week so you can't research its effectiveness. Many homeopathic remedies work, and the plants from which they're extracted are the original source of many of the pharmaceutical medicines we have today (after creating a version that can be patented, since there's no really big money in selling plant extracts that aren't patentable).
Re: (Score:2)
Which ones are they? In my whole life I have tried about 3-4 of them, one was some cold relief, which started working after about a week of usage, and some travel sickness pills which worked for about 15 minutes in the car.
Because trying 3-4 out of many thousands is a statistically valid sample.
Still, even in that small sample, you experienced that some do work. So your point in attacking them in the first place was...?
Re: (Score:2)
Look a little closer at "3-4 examples out of thousands isn't statistically significant". I've had more than 4 prescription medicines that weren't effective in my lifetime, and I'll bet many of you have as well. And that's with a highly tested, highly refined medication that was prescribed by a highly trained Dr. It doesn't mean that all prescriptions are ineffective, or even that the ones I took are ineffective, they just didn't work for my specific condition (or don't work for my body chemistry). That's th
Re: (Score:2)
Many homeopathic remedies work
So does praying to a god for a lot of people. That doesn't prove god exists.
Re: Homeopathy (Score:2)
If a Placebo works well then why knock it.
I understood Homeopathy and didn't believe it would work but went at my parents' insistence and was then cured of 2-3 serious headaches a week - I now only get 1-2 mild headaches per year. I still think the method is silly, but hey, if it works then why be bothered about how it works.
Re: (Score:1)
Cancer is a fairly risky one - you should stick to safer ones to predict, like being eaten by a grue.
That said, I used to get very severe migraines. The neurologist I was seeing couldn't do a thing with them, short of prescribing addictive narcotics (and neither of us wanted to introduce a new dependency without having exhausted all other possibilities). I went to a naturopath under the theory that I don't care if it's a placebo, as long as it works (and the placebos the neurologist gave me weren't workin
Re: (Score:2)
That doesn't necessarily sound like a placebo to me. I certainly don't know what medicinal properties black seed oil might have, but it is a concentrated extract of whatever the "black seeds" are, much like many traditional drugs. There may not have been controlled double-blind studies yet, but that doesn't mean it isn't effective. Histamines are a known cause of headaches, so it isn't an unreasonable claim that an anti-histamine could help.
Homeopathic remedies, on the other hand, are diluted to the point o
Re: (Score:2)
I know this is off topic, and maybe it plays on the placebo effect, but millions of people are helped daily by homeopathic medicine. Just ridiculing it because you have been fortunate enough to have either never needed it or have all allopathic treatments fail to improve your condition is not fair.
Nobody particularly objects to deluded people using the power of self-suggestion, prayer or whatever if it makes them feel better. You just shouldn't be allowed to make money off it from other people.
Can't fix stupid (Score:1)
Microsoft can't fix the idiots that click "Yes"
Re: (Score:2)
It could make proper SEPs and stop non-admin users from being able to execute anything outside of approved folders, and they can't write to those folders.
Can't run compilers (Score:2)
It could make proper SEPs and stop non-admin users from being able to execute anything outside of approved folders, and they can't write to those folders.
That already exists in Windows under the name "Software Restriction Policies", as I understand it. It also exists in Linux under the name "/home mounted noexec". But under such a lockdown, one would have to be an administrator to use Visual C++ or any other compiler. If that were to become the default, then computer labs in high schools and colleges that teach programming will just go back to running everything as an administrator, which most readers should already know is a horribly insecure practice.
Re: (Score:2)
If you use a compiler and still click on YES without knowing what you do, then you are an idiot.
If they weren't idiots, they wouldn't need to still be in school.
Re: (Score:2)
Yeah all the funds we pour into schooling has really drastically reduced the number of idiots out there. Oh wait, no it hasn't.
Quite right, old chap, we should return to the days when only independently wealthy people who could get mater and pater to pay for their education would go to school. The number of plebs with degrees, that you and I have to pay taxes to help fund, is truly shocking. After all, we don't really need our servants and people who serve us in shops to be able to read, write or think in the first place. It will only give them ideas above their station.
Re: (Score:2)
Or are you suggesting that the average user pays some service like Geek Squad to administrate the user's home computer?
More like paying Apple to be the administrator of one's tablet computer.
That sounds like it's an even bigger waste of money...
Can't disagree there.
Re: (Score:3)
So, we start a campaign to educate users, right? "If you see a popup, asking if you wish to install Windows, click "Cancel" immediately!"
Payment processors need RICOing (Score:3, Interesting)
Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.
Why doesn't the FBI turn the next prosecution into a RICO prosecution and drag a payment processor and/or bank and some of its executives into the prosecution?
A few 20 year jail sentences and $250,000 fines plus forfeitures would make many processors think twice about their "man in the middle" role.
Spam and scareware wouldn't be worth doing if you couldn't get paid for them -- no matter how scared I am, I can't manage to shove a $20 into my monitor.
Re: (Score:1)
Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.
Why doesn't the FBI turn the next prosecution into a RICO prosecution and drag a payment processor and/or bank and some of its executives into the prosecution?
A few 20 year jail sentences and $250,000 fines plus forfeitures would make many processors think twice about their "man in the middle" role.
Spam and scareware wouldn't be worth doing if you couldn't get paid for them -- no matter how scared I am, I can't manage to shove a $20 into my monitor.
I don't see them ever making the banks accountable for this. Hell, they didn't even make them accountable for the mess they created with the mortgage crisis. The banking industry just has too much power and will argue that putting checks in place to prevent this will inhibit free trade and would be a burden to them. But hell, let's try and see what happens. I would love to see them take some responsibility.
Re: (Score:2)
And what do you think the processors have done illegally, or even wrong?
These businesses are 'legitimate', in that they exist and are not otherwise prohibited by law from doing what they are doing, unless someone would care to initiate a fraud prosecution and force them out of business. Until that happens, charge processors are both unwilling and powerless to refuse the business.
But trying to make the processors liable for a merchant's alleged fraudulent behavior would require that the processor be aware o
Re: (Score:2)
You do not want credit card processors deciding if merchants are legitimate. Trust me.
They already do this. Half of them won't even give you an account if you're in any of several lines of legitimate business, never mind illegitimate ones.
Re: (Score:2)
That's the processor's risk modeling. A different issue.
Re: (Score:3)
They already do, in Europe anyway. They are jointly liable with the merchant for any legal claims relating to the product, so they check very carefully who they allow to open accounts, although possibly not carefully enough given the number of scam websites there are around selling fake tickets to concerts and sporting events.
Re: (Score:2)
I'm not looking for the U.S. to adopt EU regulations in this area. How you can rationally hold the processor responsible for a product's function is just not clear to me. That concept is intended to give consumers a way to get back their money for a failed product, and so it's risk shifting to the processor. And causes the processor to create the ability to assess their merchants' products and the veracity of their claims. And increases cost, but perhaps for a 'good' cause.
Nonetheless, it is also a resp
Re: (Score:2)
Well, towards that end, it's not just payment processing that remains a sink hole for fraud.
Identity theft could also be mitigated by the banks, yet at present they have no financial incentives to make any changes. This is because when a bank allows a criminal to open a credit line in your name, it remains your problem rather than a problem for the bank.
Re: (Score:3)
Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.
It's also a choke point for Wikileaks (despite the real first amendment implications). And it just goes to show you what's the biggest priority for our government right now, preventing fraud or preventing leaks.
Re: (Score:2)
The banks and MSPs involved are not in the US, so it would be difficult to prosecute using US Law.
It's not the banks (Score:2)
I wish I had a poisoned CC# to hand to scammers (Score:4, Interesting)
I would be really happy if my bank gave me a fake credit card number that I could give to every scammer or asshat who tried to sell me "car warranty insurance" or "anti-virus" over the phone. The idea is, it'd be declined, but it'd also flag that this retailer is less-than-ethical, not paying attention to "Do Not Call", etc.
Like anything else, this shouldn't be connected to automated blacklisting (since people who decide that "Best Buy sucks" might try using it there), but it would be an immediate red flag if thousands of attempted transactions from a payment processor came back this way.
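The idea in this post is a tripwire (honeytoken) card number, and its caveat about "Best Buy sucks" is the important design constraint: what matters is how many different cardholders' tripwire numbers a processor submits, not how many times one annoyed person uses theirs. The following is an added example, not code from the poster or from any bank: an issuer-side aggregation that declines every tripwire authorization, records which acquiring processor and merchant submitted it, and flags a processor only when enough distinct cardholders are involved. The log format, token and processor identifiers, and the threshold are constructed assumptions.

```python
"""Aggregate declined tripwire card numbers per payment processor (added example)."""
from collections import defaultdict
from typing import Dict, List

# Constructed issuer-side mapping: tokenised tripwire PAN -> cardholder who holds it.
# Each cardholder gets exactly one tripwire number; real PANs are never logged here.
TRIPWIRE_PANS = {
    "tok-tw-1001": "holder-1", "tok-tw-1002": "holder-2",
    "tok-tw-1003": "holder-3", "tok-tw-1004": "holder-4",
    "tok-tw-1009": "holder-9",
}

# Constructed authorization log: timestamp processor merchant card_token result
SAMPLE_AUTH_LOG = """\
2011-06-01T10:00:01Z proc-A merch-11 tok-tw-1001 DECLINED
2011-06-01T10:05:44Z proc-A merch-11 tok-tw-1002 DECLINED
2011-06-01T11:17:09Z proc-A merch-12 tok-tw-1003 DECLINED
2011-06-02T09:41:30Z proc-A merch-12 tok-tw-1004 DECLINED
2011-06-02T09:42:00Z proc-A merch-12 tok-cc-5550 APPROVED
2011-06-02T12:00:00Z proc-B merch-77 tok-tw-1009 DECLINED
2011-06-02T12:00:10Z proc-B merch-77 tok-tw-1009 DECLINED
2011-06-02T12:00:20Z proc-B merch-77 tok-tw-1009 DECLINED
2011-06-02T12:00:30Z proc-B merch-77 tok-tw-1009 DECLINED
2011-06-02T12:00:40Z proc-B merch-77 tok-tw-1009 DECLINED
2011-06-03T08:00:00Z proc-C merch-90 tok-cc-5551 DECLINED
"""


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, processor, merchant, token, result = line.split()
        events.append({"ts": ts, "processor": processor, "merchant": merchant,
                       "token": token, "result": result})
    return events


def flag_processors(events: List[Dict[str, str]],
                    min_distinct_holders: int = 3) -> Dict[str, Dict[str, object]]:
    """Per processor that submitted any tripwire PAN: attempt count, number of
    distinct cardholders whose tripwire was used, merchants involved, and a
    flag that is set only when distinct holders reach the threshold. One
    cardholder hammering one merchant therefore never flags a processor alone."""
    attempts: Dict[str, int] = defaultdict(int)
    holders: Dict[str, set] = defaultdict(set)
    merchants: Dict[str, set] = defaultdict(set)
    for ev in events:
        holder = TRIPWIRE_PANS.get(ev["token"])
        if holder is None:
            continue  # ordinary card, not a tripwire: ignore for this report
        proc = ev["processor"]
        attempts[proc] += 1
        holders[proc].add(holder)
        merchants[proc].add(ev["merchant"])
    report = {}
    for proc, count in attempts.items():
        distinct = len(holders[proc])
        report[proc] = {"attempts": count, "distinct_holders": distinct,
                        "merchants": sorted(merchants[proc]),
                        "flagged": distinct >= min_distinct_holders}
    return report


if __name__ == "__main__":
    for proc, info in flag_processors(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(proc, info)
```

As the post says, the flag is a red flag for investigation rather than an automated blacklist, which is why the report keeps the merchant list and the raw attempt count alongside the distinct-holder count.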
Re: (Score:3)
So you want to be the arbiter of what is right and wrong?
Pardon me if I distrust you. How about asking the FTC etc to investigate the donotcall violations, and not being so clever, eh?
And your point that using this against Best Buy would have unintended consequences (for you, I presume) makes the point. Frankly, I just hang up on them. I'm no longer invested in causing these thieves any discomfort, I just want to waste as little time as possible with them.
Re: (Score:1)
My point wasn't that I would have a special magical poisoned credit card, it was that we should *all* have them, and that in doing so we would potentially help CC companies figure out where problems might be in a way that chargeback monitoring doesn't.
Have you ever asked the FTC to investigate a do-not-call violation? I have. The experience just showed me how useless that process is.
Re: (Score:1)
Swedbank is using a similar system in Sweden.
I can "create" a "virtual card" with VISA, and most webshops etc. work with it... (sometimes US stores can't handle them for some unknown reason?)
I can set the lifetime of the "virtual card" and how much money can be charged.
It is one of the best credit card systems I know of, since I am in total control.
Since the bank has the transaction records etc., it is easy for them in case I want a chargeback or similar actions.
And of course since it is a great system, it will
Re: (Score:3)
Go to a Wal-Mart with $3, and you can leave with a pre-paid Visa.
In my experience, it denies charges immediately when the balance in the account can't cover it, while still keeping records of each declined transaction. (I did somehow manage to get one $.42 in the red once, but meh: There's also no overdraft fee.)
(How you use this information is your problem.)
Re: (Score:1)
Yeah bullshit. Any time a trap system is put into effect, MOST of the people with the keys to springing the trap start getting itchy fingers. Before you know it, the trap has been sprung on competitors, people they don't like, businesses/industries that go against their own personal moral code, and pretty much going from a trap to a flaming sword wielded by a lone white knight. See how often G-Mail violates SPAM traps, look at all the controversy behind spamhaus's ethics. Traps don't work.
Case in point,
Karma (Score:2)
They're making money (Score:4, Interesting)
It's not like the scareware crooks are blowing the whistle on potentially illegal government activity, so why would they get involved?
Expecting morality from banks (Score:2)
Re: (Score:2)
Yup. Unfortunately here in our university, in many departments, when they hire IT staff, they don't hire full time, instead they hire international grad students, which is much cheaper (about $1,600 a month, plus a tuition waiver, for 20 hours a week, and you get to call yourself a research assistant). These positions especially attract engineering, CS and business students from either India or China.
These people get in with resumes that list MCSE, A+ certification etc. and good programming skills, and whe