Following the Money: Rogue Anti-virus Software
By its very nature, the architecture and limited rules governing the Web make it difficult to track individuals who might be involved in improper activity. Cyber-sleuths often must navigate through a maze of dead-end records, pseudonyms or anonymous corporations, usually based overseas. The success rate is fairly low.
Even if you manage to trace one link in the chain -- such as a payment processor or Web host -- the business or person involved claims that he or she was merely providing a legal service to an unknown client who turns out to be a scammer.
But every so often, subtle links between the various layers suggest a more visible role by the parties involved. This was what I found recently, when I began investigating a Web site called innovagest2000.com.
This Innovagest2000 domain has for at least four years now been associated with spyware and so-called "scareware," surreptitiously installed software that bombards the victim with incessant and misleading warnings that their PC is infested with malicious software. The warnings usually mimic Microsoft software or the operating system itself, and persist until the victim figures out how to remove it or pays for a license to the software.
"The product names have changed from one to another, but that innovagest2000.com domain has been associated with the rogue [software] families since it was registered in 2005," including rogue anti-virus programs, said Patrick Jordan, a senior spyware researcher for Clearwater, Fla.-based Sunbelt Software.
According to a report released earlier this year by Microsoft, scareware programs are now among the top threats around the world. Microsoft found that just two rogue families, which include the Antivirus2009/2010 and XPAntivirus/AntivirusXP products, were detected on more than 1.5 million computers in the second half of 2008.
Who is behind Innovagest? If you spend enough time peeling back the layers around innovagest2000.com, you find that the trail of Web site registration records leads to a large Russian forum for operators of adult Web sites called crutop.nu.
Crutop's members were by far the largest group of customers of 3fn.net, a San Jose, Calif.-based Internet service provider that was knocked offline recently due to a lawsuit filed by the Federal Trade Commission. The FTC alleged that 3FN was the home of a nest of badness, including botnet control networks, child pornography Web sites, as well as a large number of sites promoting rogue anti-virus products and illegal online pharmacies.
Crutop, 9,500 members strong, also was hosted at 3FN, and was named in the FTC's action. The FTC called Crutop a place "where criminals share techniques and strategies with one another," and a Russian language Web site "that features a variety of discussion forums that focus on making money from spam."
Further digging indicates that Crutop is linked to the operations of Chronopay, an online payment processor based in the Netherlands that has come under fire from security researchers for processing payments for a large number of Web sites hawking scareware. For example, Russian computer security firm Kaspersky Lab told Security Fix that as recently as July 9 it was tracking at least 25 different rogue anti-virus products that use Chronopay for payments.
Chronopay provides small businesses with the ability to take credit cards without having to have their own merchant account. On its Web site, Chronopay says it specializes in providing payment processing to high-risk sites, including adult, online pharmacy, and gambling Web sites.
What makes this case unusual is that Chronopay is an apparently above-board company that claims to have backing from banks such as ING, and to have just opened a regional office in Florida.
Chronopay's founder said the company's services are merely being abused by criminals, and that it has done nothing wrong.
Reached via phone in Moscow, Chronopay's founder, Pavel Vrublevsky, vehemently denied any knowledge of or association with any of the Web sites mentioned in this blog post aside from Chronopay.
"I am 100 percent the CEO of Chronopay, and I have absolutely nothing to do with these," he said. Vrublevsky maintains, however, that he has made some enemies of people in high places of power within Russia, and that they may have been trying to associate his name with these enterprises to besmirch his image and that of his company.
Vrublevsky did say that several merchants of Chronopay have been terminated recently for selling rogue anti-virus and generating an enormous number of chargebacks from consumers. But he said those chargebacks don't usually show up until three to four months after a rogue merchant starts doing business with Chronopay.
Indeed, rogue anti-virus vendors have favored Chronopay's service quite a bit over the last year.
In June, Joe Stewart, director of malware research at SecureWorks, an Atlanta-based computer security firm, published research showing that Chronopay was the processor for sites pushing rogue anti-virus product "Malware Doctor," a scareware title commonly installed by "Virut," one of the Web's most prolific computer viruses.
In October 2008, Stewart found that when he purchased a copy of the rogue product AntivirusXP, the charge appeared on his credit card statement as CHRpay.com, one of the Web sites owned by Chronopay. A Google search on that domain shows page after page of complaints from people who were tricked into paying for rogue anti-virus and anti-spyware software.
Stewart also found that the installer for that rogue anti-virus program was constructed so that it would not install on systems where the would-be victim had recently visited one of nearly a dozen Web sites. One of those sites was crutop.nu.
"It's hard to say whether they're just happy to take the money, or whether they're driving this type of activity," Stewart said. "But they've been at this for a long time, and we've seen over and over again Chronopay providing payment services for these rogue anti-virus sites."
How are Innovagest2000.com, Crutop.nu, and Chronopay.com linked? Read on after the jump to find out.
Shortly after Crutop was knocked offline by the disconnection of 3fn.net, the administrators of Crutop found new hosting and replaced their home page with a lengthy response to the FTC's allegations that Crutop was a forum dedicated to facilitating cyber crime and spam. In their response to the FTC, the anonymous administrators of Crutop argued that the site prohibits spam on its forums, and that the FTC misunderstood that the Crutop sub-forum titled "Spam" was little more than a joke.
Crutop's response also mentioned the Security Fix author by name: "And in conclusion we would like to add, that while paragraph 1 of our rules has never been taken seriously before and was written as a joke, but related to recent events we would like to know how it was possible that five (5!) reputable experts-agents (including NASA experts and Mr. Brian Krebs) from USA (where every 10th person speaks Russian, source: Wikipedia), could not figure out that on Crutop.nu in the SPAM sub-forum discussions have nothing to do with mail spam or other cyber-crimes?"
This got my attention because I have never mentioned Crutop in any of my stories. But I have done a little digging to see if I could find a bit more about who runs this forum.
All indications are that the innovagest2000.com domain referenced as a support Web site in dozens of rogue anti-virus products over the past several years was registered by the co-founders of Crutop.
Running a WHOIS search on innovagest2000.com reveals two e-mail addresses: email@example.com, and firstname.lastname@example.org. Conducting a similar search on mail-eye.com shows the domain is registered to RED and Partners B.V., with an address in the Netherlands.
In their response to the FTC, Crutop administrators directed readers to a page on the forum called "nospam.html," which lists the contact information for the Crutop forum leaders as:
RED & Partners Group
A WHOIS lookup on the official Web site for RED and Partners B.V. - re-partners.biz - returned the email@example.com e-mail contact, as well as the same address, phone and fax number as the mail-eye.com domain. The contact page at re-partners.biz lists the same information, along with the firstname.lastname@example.org address.
Of the 9,500 registered users on Crutop, the very first and second users who registered on the forum back in 2000 picked the nicknames "Barmaley" and "Redeye."
Interestingly, the contact information for RED & Partners Group and its Web site are the same as that listed for Chronopay in its Web site registration records. What's more, the numeric Internet addresses used by both re-partners.biz and crutop.nu are addresses assigned by European Internet address space authorities to Chronopay LLC.
Chronopay, on the "contact" portion of its Web site, lists the exact same address, phone and fax number as listed on re-partners.biz. In addition, both Chronopay.com and re-partners.biz share the same domain name servers: ns1.dns-eye.com.
Perhaps the strongest piece of evidence linking Crutop to Chronopay is provided by Google. If you view the HTML source code on Chronopay's home page, you will find at the bottom an account number used by Google Analytics to track visitors to Chronopay. That account number -- "UA-630887" -- is the same Google Analytics account number that is present in the HTML source from the homepage of Crutop.
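The correlation described in the last few paragraphs (shared WHOIS contacts, shared name servers, shared Google Analytics account number in page source) is a routine piece of infrastructure attribution work, and it is easy to automate. The script below is an added example, not code from the original post; it scans constructed HTML snippets for Google Analytics tracking IDs, normalizes them to the account number (the property suffix such as "-1" stripped), and then groups domains by every indicator two or more of them share. The domains, tracking IDs, name servers and e-mail addresses in SAMPLE_SITES are all made up for the demonstration.

```python
import re
from collections import defaultdict

# Matches classic Google Analytics tracking IDs as they appear in page source,
# e.g. UA-123456 (account only) or UA-123456-2 (account plus property index).
GA_ID_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,3})?\b")


def extract_analytics_accounts(html: str) -> set[str]:
    """Return the set of Google Analytics account numbers found in an HTML page.

    Only the account portion is kept (UA-123456-2 -> UA-123456), because two
    sites run from the same account share that prefix even when their property
    suffixes differ.
    """
    return {f"UA-{m.group(1)}" for m in GA_ID_RE.finditer(html)}


def correlate(sites: dict[str, dict]) -> dict[str, list[str]]:
    """Group domains by the infrastructure indicators they have in common.

    `sites` maps a domain to a record with optional keys:
      "html"        - page source to scan for analytics IDs
      "nameservers" - iterable of authoritative name servers
      "registrant"  - WHOIS contact e-mail address
    Returns {indicator: [domains]} for every indicator seen on at least two
    domains; indicators unique to one domain are dropped as uninteresting.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for domain, rec in sites.items():
        for acct in extract_analytics_accounts(rec.get("html", "")):
            seen[f"ga:{acct}"].add(domain)
        for ns in rec.get("nameservers", ()):
            # Normalize case and a trailing dot so "NS1.Example." == "ns1.example".
            seen[f"ns:{ns.lower().rstrip('.')}"].add(domain)
        if rec.get("registrant"):
            seen[f"whois:{rec['registrant'].lower()}"].add(domain)
    return {key: sorted(domains) for key, domains in seen.items() if len(domains) > 1}


# Constructed sample data (hypothetical domains and identifiers, not real ones).
# Two of the three sites share an analytics account and a name server; the
# third is unrelated and should not show up in any shared indicator.
SAMPLE_SITES = {
    "payments.example": {
        "html": "<script>_gaq.push(['_setAccount', 'UA-424242-1']);</script>",
        "nameservers": ["ns1.example-dns.test.", "ns2.example-dns.test."],
        "registrant": "admin@holding.example",
    },
    "forum.example": {
        "html": '<script type="text/javascript">_uacct = "UA-424242-3"; urchinTracker();</script>',
        "nameservers": ["NS1.EXAMPLE-DNS.TEST"],
        "registrant": "ops@other.example",
    },
    "unrelated.example": {
        "html": "<script>_gaq.push(['_setAccount', 'UA-999999-1']);</script>",
        "nameservers": ["ns1.somewhere-else.test"],
        "registrant": "someone@unrelated.example",
    },
}


if __name__ == "__main__":
    for indicator, domains in sorted(correlate(SAMPLE_SITES).items()):
        print(f"{indicator}: shared by {', '.join(domains)}")
```

In real use the "html" field would come from fetching each home page and "nameservers" and "registrant" from DNS and WHOIS lookups; the grouping logic is the same. A shared analytics account is strong evidence of common administration because the account is created and placed on the page by whoever controls the site, whereas a shared name server can simply mean a shared hosting provider, so weigh the indicator types differently when reading the output.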
I followed up with Chronopay regarding the Google Analytics connection, and received a reply from Kirill Vorobyev, the company's public relations manager. Vorobyev said the company suspects that a former employee in charge of online marketing at Chronopay may have been responsible for setting up the Google Analytics accounts.
"Now it [is] clear for us why our company received so many negative responses. We have suspected for a long time that it is one of our former employees," Vorobyev wrote to Security Fix. "We declare, however, that Chronopay doesn't have anything to do with a portal crutop.nu company, though we cannot guarantee it concerning our employees."
July 31, 2009; 1:13 PM ET
Categories: Cyber Justice , Fraud , Safety Tips , Web Fraud 2.0 | Tags: 3fn rogue antivirus, chronopay, crutop