Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck IT

Banks Faulted For Fake Antivirus Scourge 117

krebsonsecurity writes "Merchant banks that process credit card payments for fake antivirus or 'scareware' exhibit a distinctive pattern of card processing that could be used by Visa and MasterCard to weed out the rogue processors, according to a new study by the University of California, Santa Barbara. From the study: 'The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor's chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds.' The study also highlights how few customers ever request a refund, and how affiliates pushing this junk software made more than $133 million."
This discussion has been archived. No new comments can be posted.

Banks Faulted For Fake Antivirus Scourge

Comments Filter:
  • I'd like to know that even with an up-to-date Windows system, the fucking thing is still vulnerable to these attacks.

    • Re:Pah (Score:5, Insightful)

      by Hatta ( 162192 ) on Wednesday July 06, 2011 @03:05PM (#36674818) Journal

      Of course it is. You can technically secure a computer all you want, but there's no defense against fraud.

      • by Anonymous Coward

        Of course it is. You can technically secure a computer all you want, but there's no defense against fraud.

        Actually, there is. I can sell it for you for $99. How about it? Tell you what - if you email me your banking details right now I'll give you a 90% discount.

        • You can technically secure a computer all you want, but there's no defense against fraud.

          Actually, there is. I can sell it for you for $99. How about it? Tell you what - if you email me your banking details right now I'll give you a 90% discount.

          Let me guess: if I have my bank make me a disposable checking account and deposit $9.90, you'll send me some iPad brochures.

    • Unfortunately, you can't patch users.
      • Unfortunately, you can't patch users.

        If they pay enough, I'll patch them (afterwards).
        The sadist in me detects an enticing business opportunity!

    • Seriously? You dont know? FUCKING PEOPLE WILLINGLY INSTALL THIS SHIT. Its impossible to secure a computer where the admin will grant root permission to almost anything that asks.
      • I'd like to know how non-admin users who don't have an admin password can still execute files in say, C:\programdata. I know users will run anything, I want to know how they can still, at the very least, poison their own profile.

        • Social engineering (Score:4, Interesting)

          by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Wednesday July 06, 2011 @03:18PM (#36675004) Homepage Journal

          I'd like to know how non-admin users who don't have an admin password can still execute files in say, C:\programdata.

          Social engineering becomes practical once the administrator is as dumb as the user, especially on a home PC. The scareware wedges itself deep into the user's profile, popping up a UAC or gksudo prompt every two minutes. "Daddy, the computer looks broken. Could you run this fix for me?"

          • gksudo prompt? Really? I've had my browser hijacked by scareware, but I've never had anything ask for sudo privileges. Maybe it was just cheap software, and wasn't smart enough to realize it should ask for sudo?

            • They ask for UAC privileges, and there is has been a Mac version in the wild that asks for sudo privileges. If the % of idiotic linux desktop users ever gets high enough to justify the ROI, you are likely to see them ask for gksudo privileges as well.

              • HAHA Joke's on them! I only run kde.

                • Then please allow me to rephrase: If the % of idiotic KDE desktop users ever gets high enough to justify the ROI, you are likely to see them ask for kdesudo privileges as well.
              • by yuhong ( 1378501 )

                Yea, I have said for a while that UAC and sudo are pretty much close to the same thing, especially in the Vista era when people were complaining about UAC.

          • . "Daddy, the computer looks broken. Could you run this fix for me?"

            "Of course, my little princess."

            >>Daddy inserts Ubuntu installation CD

            • by tepples ( 727027 )

              Daddy inserts Ubuntu installation CD

              Daddy, the computer is still broken. I can't play this game, even though I put in the CD and everything.

        • Most of these programs don't install, in the traditional sense. They copy themselves to %userprofile%\AppData. There are ways to protect a system from that [microsoft.com] but it's not easy to set up and still allow for all the oddball programs your users need.

          It's not like Linux stops you from running "rm ~ -rf". You don't need root to run that. This is the equivalent. It doesn't destroy the system. It's not particularly invasive. It does, however, completely mess with user data (toggling the Hidden bit or moving t

        • I want to know how they can still, at the very least, poison their own profile.

          Because they can write to their own profile? Because they can write to their own registry hive (Windows\currentversion\Run)? Because they can set up their own scheduled tasks? There are tons of ways that trojan malware can auto-start on a machine. And before you mention anything about Linux: ~/, .bashrc/.tcshrc, cron. Sure, you can put /home on another partition and mount it noexec, but not a lot of home users are going to do that, and of course Windows has Software Restriction Policies [microsoft.com]

        • The changes the rogue a/v do don't require admin rights in the users profile.That's why you will see only the user profile infected. It DOES require admin rights to change the HKLM, so on admin accounts they will typically change that as well.

          The lions share of rogue A/V are really just registry mods and a simple GUI sham program. But, I have been seeing some rogue A/V coming with rootkit as well, which would obviously happen more on XP or admin accounts.

          Here is an example: I have seen first-hand a limit
      • Its impossible to secure a computer where the admin will grant root permission to almost anything that asks.

        Sure you can: just take admin privileges away from the owner. Apple and the game console makers, for example, have chosen to require that the operating system publisher evaluate and sign all software for the platform and then require a substantial annual payment for the privilege to run a compiler.

        • Even where a user does not have admin privileges, the newer fake antivirus/hard drive failure programs can still poison their profile, the last few I've seen throwing the actual executable in c:\programdata. Frankly, I don't think users without admin privileges should have any capability to download and run an executable file.

          I've instituted Software Execution Policies on my AD networks, but I've heard that they are not all that hard to sneak past, but at least even if the user manages to download the prog

          • by tepples ( 727027 )
            So how would a developer on your AD networks run a compiler?
            • I have the good fortune of not having any developers. Pretty much everything is Office-Exchange and the like. Obviously my solution would no longer work in a situation where execute privileges were required. Probably at that point I'd do more stringent user profile backups and accept fake AV installs as a known risk.

            • Seems like they'd be able to run a compiler, but not test-run the compiled executable (they'd have to copy it to a test machine).
        • by sjames ( 1099 )

          And people who want to actually own the things they buy rightly complain about that and either jailbreak or just avoid Apple products.

          You could offer it as a special option, but then a zillion "power users" will check the "I know what I'm doing" box even though they haven't a clue. It would help the minority that know that they don't know, at least.

      • Seriously? You dont know? FUCKING PEOPLE WILLINGLY INSTALL THIS SHIT.

        So clearly the abstinent are safe! We have found a solution! :)

        Cheers,

      • Most of it today is not users installing shit but rather exploits by PDF reader and Flash. A rogue ad can install it just by viewing a website and giving you a browse by infection. My parents computer got infected this way and they had a 2 year old version of Flash, but had windows updates and the most recent version of Firefox installed thinking they were safe. Vector attacks are not noticable and can by pass UAC and run directly on the CPU by passing Windows entirely.

    • Actually, the single vector I've personally experienced for this kind of malware is FLASH PLAYER. You can keep your browser, OS, and AV up to date, but Flash will still betray you if it's mere days old.
    • Uninstall Flash and PDF reader folks and use Chrome if possible as it updates its flash automatically.

      I do not like Chrome, but I am genuinely paranoid about using Adobe PDF reader or Flash on any other system. Most users have the 2 year old Flash 9.0 that has many exploits.

      So Windows Update focuses on securing Windows and IE, so hackers focus on the plugin instead. Genius. Windows update is old news now and WebGL is going to come next I fear as a reflashed video card with malware would be a nightmare if no

      • Unfortunately I'm stuck with Flash. Some of the web tools we're required to use utilize it. Hopefully, eventually, HTML5 will render a good deal of this moot.

    • Comment removed based on user account deletion
    • I'd like to know that even with an up-to-date Windows system, the fucking thing is still vulnerable to these attacks.

      You know how I know you don't know what type of attack they're talking about?

  • Placebo (Score:5, Funny)

    by Anonymous Coward on Wednesday July 06, 2011 @03:11PM (#36674914)

    If homeopatic "medicine" can be sold legally, I see no reason why anti-virus software that does absolutely nothing should be considered illegal.

    • Re:Placebo (Score:5, Funny)

      by Chris Mattern ( 191822 ) on Wednesday July 06, 2011 @03:20PM (#36675020)

      If homeopatic "medicine" can be sold legally, I see no reason why anti-virus software that does absolutely nothing should be considered illegal.

      It contains less than 0.001% of the virus signatures found in other AV software, so you *know* it's super-effective!

    • Re: (Score:2, Funny)

      by Anonymous Coward

      anti-virus software that does absolutely nothing

      Yeah, McAfee should be illegal.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        McAfee does tons.

        It has to, otherwise your computer would still run after McAfee starts.

    • by jfengel ( 409917 )

      At least in theory, homeopathic medicine bottles are carefully labeled with something to the tune of "The FDA has not evaluated [product] for safety or efficacy," and they have to be very careful in phrasing their health claims. It's easy to be misled, and pretty dubious, but it's (barely, on a technicality) not illegal.

      Fake AV software is more explicit in its claims, and definitely fraud. The distinction is pretty arbitrary, of course.

      • Hell, you're not going far enough. At least homeopathic "remedies" don't actually give you diseases. Most fake AV products are active trojans, infecting your machine and (A) providing backdoors and further infection vectors (like disabling real AV) and (B) demanding more money to "fix" the damage it caused (and "fix" is scarequoted because at best, they do nothing; at worst, it's just paying to be trojaned further.)

        Fake AV is equivalent to homeopathic medicine made with 100% all-natural anthrax and HIV.

        • At least homeopathic "remedies" don't actually give you diseases

          Ever heard of using tapeworms to lose weight?

          • The term "homeopathic" specifically refers to medicines that are purported to be more effective the further they are diluted. Tapeworms aren't homeopathic - they're just one of many examples (another of which would be Radiation) of people using harmful things they didn't yet understand as if they were beneficial.
          • by TWX ( 665546 )

            At least a tapeworm generated results... ...and generally didn't kill the patient, unless they lost or otherwise didn't take the remedy to kill the tapeworm so many weeks later...

        • Lying to ill people and promising miracle cures is far more evil than fucking up their computer.

          People who sell homeopathic "medicine" and other such quackery should, like chiropractors and spiritualists, be hounded out of business.
    • Well at least with a Placebo, there is the Placebo effect. There is no Placebo effect on computers.

    • I had a customer with a full-blown antivirus suite installed. It had a real looking website, a very elegant sounding name (can't remember it now) and apparently cost quite a lot. Way more professional than "XP Antivirus 2011". The guy's "friend" installed it for him, said it was "the best" (had fake review sites). It also apparently installed a hacked version of deep-freeze. In that regard, it WAS effective at stopping viruses, because after a reboot, nothing was persistent.

      Of course, the antivirus was a c
    • Homeopathic medicine doesn't generally tell you have an infection that you don't really have in order to get people to buy it, and it doesn't generally change it's name every week so you can research it's effectiveness. Many homeopathic remedies work, and the plants from which they're extracted are the original source of many of the pharmaceutical medicines we have today (after creating a version that can be patented, since no really big money in selling plant extracts that aren't patentable).

      • Comment removed based on user account deletion
        • Which ones they are? In my whole life I have tried about 3-4 of them, one were some cold relief, which started working about a week of usage, and some travel sickness pills which worked for about 15 minutes in the car.

          Because trying 3-4 out of many thousands is a statistically valid sample.

          Still, even in that small sample, you experienced that some do work. So your point in attacking them in the first place was...?

          • by Quirkz ( 1206400 )
            Look closer at how he said they "work." Colds go away after 7 days on their own, and travel sickness doesn't generally set in immediately -- in other words the things he's joking that they did are things that would happen exactly the same way without the medicine.
            • Look a little closer at "3-4 examples out of thousands isn't statistically significant". I've had more than 4 prescription medicines that weren't effective in my lifetime, and I'll bet many of you have as well. And that's with a highly tested, highly refined medication that was prescribed by a highly trained Dr. It doesn't mean that all prescriptions are ineffective, or even that the ones I took are ineffective, they just didn't work for my specific condition (or don't work for my body chemistry). That's th

              • by Quirkz ( 1206400 )
                I don't have a voice in this argument, I was simply pointing out that you seemed to be missing his joke when you said "even in that small sample, you experienced some that do work." It was pretty clear he did not have any that actually worked for him. I agree with you that his 3-4 samples aren't statistically valid science, but I wasn't talking about that part at all.
      • Many homeopathic remedies work

        So does praying to a god for a lot of people. That doesn't prove god exists.

    • If a Placebo works well then why knock it.

      I understood Homeopathy and didn't believe it would work but went at my parents insistence and was then cured of 2-3 serious headaches a week - I now only get 1-2 mild headaches per year. I still think the method is silly, but hey, if it works then why be bothered about how it works.

  • by Anonymous Coward

    Microsoft cant fix the idiots that click "Yes"

    • It could make proper SEPs and stop non-admin users from being able to execute anything outside of approved folders, and they can't write to those folders.

      • It could make proper SEPs and stop non-admin users from being able to execute anything outside of approved folders, and they can't write to those folders.

        That already exists in Windows under the name "Software Restriction Policies", as I understand it. It also exists in Linux under the name "/home mounted noexec". But under such a lockdown, one would have to be an administrator to use Visual C++ or any other compiler. If that were to become the default, then computer labs in high schools and colleges that teach programming will just go back to running everything as an administrator, which most readers should already know is a horribly insecure practice.

        • Comment removed based on user account deletion
          • by tepples ( 727027 )

            If you use a compiler and still click on YES without knowing what you do, then you are an idiot.

            If they weren't idiots, they wouldn't need to still be in school.

      • The problem with your assertion is that rogue antivirus targets home users, where the unsavvy user is required to also be administrator. Or are you suggesting that the average user pays some service like Geek Squad to administrate the user's home computer? That sounds like it's an even bigger waste of money...
        • by tepples ( 727027 )

          Or are you suggesting that the average user pays some service like Geek Squad to administrate the user's home computer?

          More like paying Apple to be the administrator of one's tablet computer.

          That sounds like it's an even bigger waste of money...

          Can't disagree there.

    • So, we start a campaign to educate users, right? "If you see a popup, asking if you wish to install Windows, click "Cancel" immediately!"

  • by swb ( 14022 ) on Wednesday July 06, 2011 @03:27PM (#36675094)

    Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.

    Why doesn't the FBI turn the next prosecution into a RICO prosecution and drag a payment processor and/or bank and some of its executives into the prosecution?

    A few 20 year jail sentences and $250,000 fines plus forfeitures would make many processors think twice about their "man in the middle" role.

    Spam and scareware wouldn't be worth doing if you couldn't get paid for them -- no matter how scared I am, I can't manage to shove a $20 into my monitor.

    • by g0es ( 614709 )

      Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.

      Why doesn't the FBI turn the next prosecution into a RICO prosecution and drag a payment processor and/or bank and some of its executives into the prosecution?

      A few 20 year jail sentences and $250,000 fines plus forfeitures would make many processors think twice about their "man in the middle" role.

      Spam and scareware wouldn't be worth doing if you couldn't get paid for them -- no matter how scared I am, I can't manage to shove a $20 into my monitor.

      I don't see them ever making the banks accountable for this. Hell they didn't even make them accountable for the mess they created with the mortgage crisis. The banking industry just has to much power and will argue that putting checks in place to prevent this will inhibit free trade and would be a burden to them. But hell lets try and see what happens. I would love to see them take some responsibility.

    • And what do you think the processors have done illegally, or even wrong?

      These businesses are 'legitimate', in that they exist and are not otherwise prohibited by law from doing what they are doing, unless someone would care to initiate a fraud prosecution and force them out of business. Until that happens, charge processors are both unwilling and powerless to refuse the business.

      But trying to make the processors liable for a merchant's alleged fraudulent behavior would require that the processor be aware o

      • by vux984 ( 928602 )

        You do not want credit card processors deciding if merchants are legitimate. Trust me.

        They already do this. Half of them won't even give you an account if your in any of several lines of legitimate business, nevermind illegitimate ones.

      • They already do, in Europe anyway. They are jointly liable with the merchant for any legal claims relating to the product, so they check very carefully who they allow to open accounts, although possibly not carefully enough given the number of scam websites there are around selling fake tickets to concerts and sporting events.

        • I'm not looking for the U.S. to adopt EU regulations in this area. How you can ratiionally hold the processor responsible for a product's function is just not clear to me. That concept is intended to give consumers a way to get back their money for a failed product, and so it's risk shifting to the processor. And causes the processor to create the ability to assess their merchants' products and the veracity of their claims. And increases cost, but perhaps for a 'good' cause.

          Nontheless, it is also a resp

      • by kbg ( 241421 )
        VISA and Mastercard already refused Wikileaks so it seems they have no problems refusing businesses when they are pressured from the USA government. They have no problems refusing businesses when they feel like it. Why shouldn't they then refuse to serve obvious fraudulent businesses?
    • When was the last time we heard about the FBI asking a credit card company to stop payments to someone? Oh yeah, Wikileaks. We all know how well that turned out.
    • Well, towards that end, it's not just payment processing that remains a sink hole for fraud.

      Identify Theft could also be mitigated by the banks, yet at present they have no financial incentives to make any changes. This is because when a bank allows a criminal to open a credit line in your name, it remains your problem rather than a problem for the bank.

    • Credit card payment processing is the ideal complicity/trace/choke point for much of the world of spam and crimeware.

      It's also a choke point for Wikileaks (despite the real first amendment implications). And it just goes to show you what's the biggest priority for our government right now, preventing fraud or preventing leaks.

    • The banks and MSPs involved are not in the US, so it would be difficult to prosecute using US Law.

  • While the banks could do this, the real solution is for more people to be made aware of the problem and issue charge backs. That would get banks attention and they would take action against the problem charges. of course, getting people to realize they've been scammed and requesting a charge back is easier said than done.
  • by Anonymous Coward on Wednesday July 06, 2011 @03:44PM (#36675304)

    I would be really happy if my bank gave me a fake credit card number that I could give to every scammer or asshat who tried to sell me "car warranty insurance" or "anti-virus" over the phone. The idea is, it'd be declined, but it'd also flag that this retailer is less-than-ethical, not paying attention to "Do Not Call", etc.

    Like anything else, this shouldn't be connected to automated blacklisting (since people who decide that "Best Buy sucks" might try using it there), but it would be an immediate red flag if thousands of attempted transactions from a payment processor came back this way.

    • So you want to be the arbiter of what is right and wrong?

      Pardon me if I distrust you. How about asking the FTC etc to investigate the donotcall violations, and not being so clever, eh?

      And your point that using this against Best Buy would have unintended consequences (for you, I presume) makes the point. Frankly, I just hang up on them. I'm no longer invested in causing these thieves any discomfort, I just want to waste as little time as possible with them.

      • by Anonymous Coward

        My point wasn't that I would have a special magical poisoned credit card, it was that we should *all* have them, and that in doing so we would potentially help CC companies figure out where problems might be in a way that chargeback monitoring doesn't.

        Have you ever asked the FTC to investigate a do-not-call violation? I have. The experience just showed me how useless that process is.

    • by Anonymous Coward

      Swedbank is using a similar system in Sweden.

      I can "create" a "virtual card" with VISA, and most webshops etc works with it...(sometimes US stores cant handle them of some unknown reason?)
      I can set the lifetime of the "virtual card" and how much money can be charged.

      It is one of the best creditcard system's i know of since i am in total control.
      Since the bank has the transaction records etc, it is easy for them in case i want a charge back or similar actions.

      And of course since it is a great system, it will

    • by adolf ( 21054 )

      Go to a Wal-Mart with $3, and you can leave with a pre-paid Visa.

      In my experience, it denies charges immediately when the balance in the account can't cover it, while still keeping records of each declined transaction. (I did somehow manage to get one $.42 in the red once, but meh: There's also no overdraft fee.)

      (How you use this information is your problem.)

    • by Anonymous Coward

      Yeah bullshit. Any time a trap system is put into effect, MOST of the people with the keys to springing the trap start getting itchy fingers. Before you know it, the trap has been sprung on competitors, people they don't like, businesses/industries that go against their own personal moral code, and pretty much going from a trap to a flaming sword wielded by a lone white knight. See how often G-Mail violates SPAM traps, look at all the controversy behind spamhaus's ethics. Traps don't work.

      Case in point,

  • Me. One of the bastards responsible for one of these bullshit packages that takes over and disables Microsoft Forefront and forces me to break out the rkill thumb drive. Dark alley.
  • They're making money (Score:4, Interesting)

    by HangingChad ( 677530 ) on Wednesday July 06, 2011 @04:43PM (#36675956) Homepage

    ...that could be used by Visa and MasterCard to weed out the rogue processors

    It's not like the scareware crooks are blowing the whistle on potentially illegal government activity, so why would they get involved?

  • is akin to expecting poetry from Pit Bulls.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...