Anti-virus software maker inside global cybercrime ring

BOSTON: Hundreds of computer geeks, most of them students putting themselves through college, crammed into three floors of an office building in an industrial section of Ukraine’s capital Kiev, churning out code at a frenzied pace. They were creating some of the world’s most pernicious, and profitable, computer viruses.

According to court documents, former employees and investigators, a receptionist greeted visitors at the door of the company, known as Innovative Marketing Ukraine. Communications cables lay jumbled on the floor and a small coffee maker sat on the desk of one worker.

As business boomed, the firm added a human resources department, hired an internal IT staff and built a call centre to dissuade its victims from seeking credit card refunds. Employees were treated to catered holiday parties and picnics with paintball competitions.

Top performers got bonuses as young workers turned a blind eye to the harm the software was doing. “When you are just 20, you don’t think a lot about ethics,” said Maxim, a former Innovative Marketing programmer who now works for a Kiev bank and asked that only his first name be used for this story. “I had a good salary and I know that most employees also had pretty good salaries.”

In a rare victory in the battle against cybercrime, the company closed down last year after the US Federal Trade Commission filed a lawsuit seeking its disbandment in US federal court.

An examination of the FTC’s complaint and documents from a legal dispute among Innovative executives offers a rare glimpse into a dark, expanding — and highly profitable — corner of the internet.

Innovative Marketing Ukraine, or IMU, was at the center of a complex underground corporate empire with operations stretching from Eastern Europe to Bahrain; from India and Singapore to the United States. A researcher with anti-virus software maker McAfee Inc who spent months studying the company’s operations estimates that the business generated revenue of about $180 million in 2008, selling programs in at least two dozen countries. “They turned compromised machines into cash,” said the researcher, Dirk Kollberg.

The company built its wealth pioneering scareware — programs that pretend to scan a computer for viruses, and then tell the user that their machine is infected. The goal is to persuade the victim to voluntarily hand over their credit card information, paying $50 to $80 to “clean” their PC.

Scareware, also known as rogueware or fake antivirus software, has become one of the fastest-growing, and most prevalent, types of internet fraud. Software maker Panda Security estimates that each month some 35 million PCs worldwide, or 3.5 per cent of all computers, are infected with these malicious programmes, putting more than $400 million a year in the hands of cybercriminals. “When you include cost incurred by consumers replacing computers or repairing, the total damages figure is much, much larger than the out of pocket figure,” said Ethan Arenson, an attorney with the Federal Trade Commission who helps direct the agency’s efforts to fight cybercrime.

Groups like Innovative Marketing build the viruses and collect the money but leave the work of distributing their merchandise to outside hackers. Once infected, the machines become virtually impossible to operate. The scareware also removes legitimate anti-virus software from vendors including Symantec Corp, McAfee and Trend Micro Inc, leaving PCs vulnerable to other attacks.

When victims pay the fee, the virus appears to vanish, but in some cases the machine is then infiltrated by other malicious programs. Hackers often sell the victim’s credit card credentials to the highest bidder.

Removing scareware is a top revenue generator for Geek Choice, a PC repair company with about two dozen outlets in the United States. The outfit charges $100 to $150 to clean infected machines, a service that accounts for about 30 percent of all calls. Geek Choice CEO Lucas Brunelle said that scareware attacks have picked up over the past few months as the software has become increasingly sophisticated. “There are more advanced strains that are resistant to a lot of anti-virus software,” Brunelle said.

Anti-virus software makers have also gotten into the lucrative business of cleaning PCs, charging for those services even when their products fall down on the job.

Charlotte Vlastelica, a homemaker in State College, Pennsylvania, was running a version of Symantec’s Norton anti-virus software when her PC was attacked by Antispyware 2010. “These pop-ups were constant,” she said. “They were layered one on top of the other. You couldn’t do anything.”

So she called Norton for help and was referred to the company’s technical support division. The fee for removing Antispyware 2010 was $100. A frustrated Vlastelica vented: “You totally missed the virus and now you’re going to charge us $100 to fix it?”

AN INDUSTRY PIONEER

“It’s sort of a plague,” said Kent Woerner, a network administrator for a public school district in Beloit, Kansas, some 5,500 miles (8,850 km) away from Innovative Marketing’s offices in Kiev. He ran into one of its products, Advanced Cleaner, when a teacher called to report that pornographic photos were popping up on a student’s screen. A message falsely claimed the images were stored on the school’s computer.

“When I have a sixth-grader seeing that kind of garbage, that’s offensive,” said Woerner. He fixed the machine by deleting all data from the hard drive and installing a fresh copy of Windows. All stored data was lost.

Stephen Layton, who knows his way around technology, ended up junking his PC, losing a week’s worth of data that he had yet to back up from his hard drive, after an attack from an Innovative Marketing program dubbed Windows XP Antivirus. The president of a home-based software company in Stevensville, Maryland, Layton says he is unsure how he contracted the malware.

But he was certain of its deleterious effect. “I work eight-to-12 hours a day,” he said. “You lose a week of that and you’re ready to jump off the roof.”

Layton and Woerner are among more than 1,000 people who complained to the U.S. Federal Trade Commission about Innovative Marketing’s software, prompting an investigation that lasted more than a year and the federal lawsuit that sought to shut them down. To date the government has only succeeded in retrieving $117,000 by settling its charges against one of the defendants in the suit, James Reno, of Amelia, Ohio, who ran a customer support center in Cincinnati. He could not be reached for comment.

“These guys were the innovators and the biggest players (in scareware) for a long time,” said Arenson, who headed up the FTC’s investigation of Innovative Marketing.

Innovative’s roots date back to 2002, according to an account by one of its top executives, Marc D’Souza, a Canadian, who described the company’s operations in-depth in a 2008 legal dispute in Toronto with its founders over claims that he embezzled millions of dollars from the firm. The other key executives were a British man and a naturalized U.S. citizen of Indian origin.

According to D’Souza’s account, Innovative Marketing was set up as an internet company whose early products included pirated music and pornography downloads and illicit sales of the impotence drug Viagra. It also sold gray market versions of anti-virus software from Symantec and McAfee, but got out of the business in 2003 under pressure from those companies.

It tried building its own anti-virus software, dubbed Computershield, but the product didn’t work. That didn’t dissuade the firm from peddling the software amid the hysteria over MyDoom, a parasitic “worm” that attacked millions of PCs in what was then the biggest email virus attack to date. Innovative Marketing aggressively promoted the product over the internet, bringing in monthly profits of more than $1 million, according to D’Souza.

The company next started developing a type of malicious software known as adware that hackers install on PCs, where they served up pop-up ads for travel services, pornography, discounted drugs and other products, including its flawed antivirus software. They spread that adware by recruiting hackers whom they called “affiliates” to install it on PCs.

“Most affiliates installed the adware product on end-users’ computers illegally through the use of browser hijacking and other nefarious methods,” according to D’Souza. He said that Innovative Marketing paid its affiliates 10 cents per hijacked PC, but generated average returns of $2 to $5 for each of those machines through the sale of software and products promoted through the adware.

ANY MEANS BUT SPAM

The affiliate system has since blossomed. Hackers looking for a piece of the action can link up with scareware companies through anonymous internet chat rooms. They are paid through electronic wire services such as Western Union, PayPal and Webmoney, which can protect the identity of both the sender and the recipient.

To get started, a hacker needs to register as an affiliate on an underground website and download a virus file that is coded with his or her affiliate ID. Then it’s off to the races.

“You can install it by any means, except spam,” says one affiliate recruiting site, earning4u.com, which pays $6 to $180 for every 1,000 PCs infected with its software. PCs in the United States earn a higher rate than ones in Asia.

Affiliates load the software onto the machines by a variety of methods, including hijacking legitimate websites, setting up corrupt sites for the purposes of spreading viruses and attacks over social networking sites such as Facebook and Twitter.

“Anybody can get infected by going to a legitimate website,” said Uri Rivner, an executive with RSA, one of the world’s top computer security companies.

A scareware vendor distributed its goods one September weekend via The New York Times’ website by inserting a single rogue advertisement. The hacker paid NYTimes.com to run the ad, which was disguised as one for the internet phone company Vonage. It contaminated PCs of an unknown number of readers, according to an account of the incident published in The New York Times.

Patrik Runald, a senior researcher at internet security firm Websense Inc, expects rogueware vendors to get more aggressive with marketing. “We’re going to see them invest more money in that — buying legitimate ad space,” he said.

To draw victims to infected websites, hackers will also manipulate Google’s search engine to get their sites to come up on the top of anyone’s search in a particular subject. For instance, they might capitalize on news events of wide interest — from the winners of the Oscars to the Tiger Woods scandal — quickly setting up sites to attract relevant search terms. Anti-virus maker Panda Security last year observed one scareware peddler set up some 1 million web pages that infected people searching for Ford auto parts with a program dubbed MSAntispyware2009. They also snare victims by sending their links through Facebook and Twitter.

Some rogue vendors manage their partnerships with hackers through software that tracks who installed the virus that generated a sale. Hackers are paid well for their efforts, garnering commissions ranging from 50 to 90 percent, according to Panda Security. SecureWorks, another security firm, estimates that a hacker who gets 1 to 2 percent of users of infected machines to purchase the software can pull in over $5 million a year in commissions.

Hackers in some Eastern European countries barely attempt to conceal their activities.

Panda Security found photos of a party in March 2008 that it said affiliate ring KlikVIP held in Montenegro to reward scareware installers. One showed a briefcase full of euros that would go to the top performer. “They weren’t afraid of the legal implications,” said Panda Security researcher Sean-Paul Correll. “They were fearless.”

BANKING

One of Innovative Marketing’s biggest problems was the high proportion of victims who complained to their credit card companies and obtained refunds on their purchases. That hurt the relationships with its merchant banks that processed those transactions, forcing it to switch from banks in Canada to Bahrain. It created subsidiaries designed to hide its identity.

In 2005, Bank of Bahrain & Kuwait severed its ties with an Innovative Marketing subsidiary that had the highest volume of credit card processing of any entity in Bahrain because of its high chargeback rates, according to D’Souza.

Innovative Marketing then went five months without a credit card processor before finding a bank in Singapore — DBS Bank — willing to handle its account. The Singapore bank processed tens of millions of dollars in backlogged credit card payments for the company, D’Souza said.

To keep the chargeback rate from climbing even higher, Innovative Marketing invested heavily in call centers. It opened facilities in Ukraine, India and the United States. The rogueware was designed to tell the users that their PCs were working properly once the victim had paid for the software, so when people called up to complain it wasn’t working, agents would walk them through whatever steps it took to make those messages come up.

Often that required disabling legitimate anti-virus software programs, according to McAfee researcher Dirk Kollberg, who spent hours listening to digitized audio recordings of customer service calls that Innovative Marketing kept on its servers at its Ukraine offices. He gathered the data by tapping into a computer server at its branch in Kiev that he said was inadvertently hooked up to Innovative’s website. “At the end of the call,” he said, “most customers were happy.”

Police have had limited success in cracking down on the scareware industry. Like Innovative Marketing, most rogue internet companies tend to be based in countries where laws permit such activities or officials look the other way.

Law enforcement agencies in the United States, Western Europe, Japan and Singapore are the most aggressive in prosecuting internet crimes and helping officials in other countries pursue such cases, said Mark Rasch, former head of the computer crimes unit at the U.S. Department of Justice. “In the rest of the world, it’s hit or miss,” he said. “The cooperation is getting better, but the level of crime continues to increase and continues to outpace the level of cooperation.”

The FTC succeeded in persuading a U.S. federal judge to order Innovative Marketing and two individuals associated with it to pay $163 million it had scammed from Americans. Neither individual has surfaced since the government filed its original suit more than a year ago. But Ethan Arenson, the FTC attorney who handled the case, warned: “Collection efforts are just getting underway.”

—economictimes

Gates Foundation to invest Rs. 250 crore in UP

Uttar Pradesh has been assured of an investment of Rs. 250 crore by the Bill and Melinda Gates Foundation in medical, health and family welfare sectors in the state. Besides, the Foundation has also shown interest in extending its contribution towards improving the State’s health indices.

This was decided at a meeting between the Uttar Pradesh Chief Minister, Mayawati and the Foundation’s founder, Melinda Gates in Lucknow on Wednesday. The meeting held at the Chief Minister’s 5, Kalidas Marg official residence was attended by the officers of the Bill and Melinda Gates Foundation.

The programmes run by the Foundation in the State’s health and family welfare sectors, as well as the future plans were discussed in the meeting. Appreciating the initiative taken by the Foundation, Ms. Mayawati assured all possible assistance from the Uttar Pradesh Government.

According to an official spokesman, the Uttar Pradesh Chief Minister was informed by Ms. Gates that schemes worth Rs. 500 crore have been launched by the Foundation with the maximum investment being made in U.P. Ms. Gates said the Foundation was interested in extending the benefits to those sections who were unable to avail the medical, health and family welfare services.

Particular emphasis was laid on women and child welfare and polio and tuberculosis eradication programmes by Ms. Gates, the spokesman said.

Ms. Gates was apprised by the Chief Minister how the long period of political instability in Uttar Pradesh had ended following the formation of the Bahujan Samaj Party Government in May 2007. Ms. Mayawati said a comprehensive health and family welfare programme had been formulated by her Government to ensure that these services were extended to poor and deprived sections of the population.

Ms. Mayawati said the people of the State, particularly the poor, were now ensured of better health services.

Saudi Arabia arrests over 100 terror suspects

Saudi Arabia says it has arrested 101 people suspected of planning terrorist attacks on the country’s oil installations.

An Interior Ministry statement says security forces foiled several such attacks.

In the last major attempt, suicide bombers tried but failed to attack an oil facility at the Abqaiq oil complex in eastern Saudi Arabia in February 2006. The complex is the world’s largest oil processing facility.

Wednesday’s ministry statement did not say when the arrests were made. It said the suspects are 47 Saudis, 51 Yemenis, a Somali, an Eritrean and a Bengali.

IPL will do billion-dollar business this year: Modi

In terms of brand value or valuation there could be bigger sports club in the West but most of those have negative cash flow, Mr. Modi said

Indian Premier League would generate a revenue of USD one billion this season, thanks to huge fan following across the globe, attracting a large number of advertisers, its Commissioner Lalit Modi said on Wednesday.

“The tournament is still on and we have not reached the final number… Yes, it will be more than a billion dollar (about Rs. 4,700 crore) this season … last season we did USD 450 dollar.

“Thereafter, we would double every year,” Mr. Modi said and asserted that as long as the fans keep coming to IPL, the league’s brand value would increase and hence the revenue.

Revenue for Sony, the official broadcaster, alone would be about Rs. 700 crore to Rs. 800 crore, he said brushing aside the criticism that the advertising rates for the IPL’s third season were very high.

“There may be some advertisers who feel that way but there are lot many others who are willing to join us,” he said pointing out that the huge success of the tournament in terms of TV viewership would certainly entice the advertisers.

“There is no other sporting event across the world generating more eyeballs than the IPL,” he said, adding that the league was virtually in every part of the world through either broadcasters or through the Internet — via YouTube.

Asked about an independent brand consultancy valuing Brand IPL at USD 4.13 billion, more than double from last year, Mr. Modi said that it was not done by the organisation and .

“It is indeed valuation given to us by outsiders.”

Brand Finance, which came out with IPL brand’s latest valuation, said that the brand alone has risen significantly, providing tremendous economic value to its owner — BCCI.

It said this demonstrates the exponential value of IPL and the Brand potential in a cricket loving country like India and other global cricketing countries. Although the English Premier League is valued much higher at USD 12 billion, the IPL’s valuation has risen above USD four billion in just three years, Brand Finance pointed out.

In terms of brand value or valuation there could be bigger sports club in the West but most of those have negative cash flow, Mr. Modi said and pointed out that the English Premier League, though it commands a very high brand value, was facing a USD 800 million deficit.

“Here, we are talking about cash flow and it is going to grow in future at IPL,” he said, while detailing the dynamics of financing of IPL franchises.

Mr. Modi said that the IPL teams had no load on them and “we are providing infrastructure and stadium free of cost.”

Asked about predictions that IPL could not sustain, Mr. Modi retorted: “Let them (cynics) say anything. I know the numbers. I know the game. I have delivered. We will continue to deliver.”

The success of IPL hinged on the capacity to draw huge crowds, a fact that need not be proven again and again, he said, adding that other factors included that teams were equally placed in terms of finances and capacity to buy the players.

“The level playing field between the teams would make the event more interesting,” he said and added that another factor for the success was that the revenue would be proportionate to the number of matches that are played.

This season there are 60 matches and the number would go to 90 by next year and, therefore, the revenue would increase on a pro-rata basis, he said.

Crane overturns at Delhi Metro site; two injured

Two persons were injured when a mini-crane at a Delhi Metro construction site toppled and fell on an autorickshaw in south-east Delhi this evening.

The incident took place at Alimore in Sarita Vihar at around 4:30 pm.

“The mini-crane called hydra toppled and fell on an autorickshaw at a construction site between Mohan Estate and Tuglaqabad Metro stations on the Central Secretariat-Badarpur line,” a Delhi Metro official said.

The driver of the autorickshaw and a labourer identified as Rajesh (30) were injured in the incident. They were rushed to AIIMS Trauma Centre where they are undergoing treatment, police said.

Irish bishop resigns, apologises to abuse victims

This is an undated file photo of Irish Bishop John Magee. The Vatican said Pope Benedict XVI has accepted the resignation of Bishop John Magee in the country’s sex abuse scandal.

Pope Benedict XVI accepted the resignation on Wednesday of Bishop John Magee, a former papal aide who stands accused of endangering children by failing to follow the Irish church’s own rules on reporting suspected paedophile priests to the police.

Bishop Magee apologized to victims of any paedophile priests who were kept in parish posts since he took charge of the southwest Irish diocese of Cloyne in 1987.

“To those whom I have failed in any way, or through any omission of mine have made suffer, I beg forgiveness and pardon,” the 73-year-old Magee said in a statement.

The Pope on Saturday published an unprecedented letter to the Irish church criticizing some of its bishops for mishandling child-abuse cases. It accepted no Vatican responsibility for the decades of cover-up.

Pope Benedict also has yet to accept resignation offers from three other Irish bishops who were linked to cover-ups of child-abuse cases in the Dublin Archdiocese, the subject of a major government-ordered investigation that published its findings four months ago.

Bishop Magee, however, had been expected to resign ever since a Catholic Church-commissioned investigation into the mishandling of child-abuse reports in Cloyne ruled two years ago that Bishop Magee and his senior diocesan aides failed to tell police quickly about two 1990s cases.

The church and government suppressed publication of that report’s findings until December 2008, when Bishop Magee faced immediate calls to quit from victims’ rights activists and some parishioners. They accused him of ignoring an Irish church policy enacted in 1996 requiring all abuse cases to be reported to the police.

Bishop Magee remained Cloyne bishop in name but handed over day-to-day responsibilities to his superior, Archbishop Dermot Clifford, in March 2009.

“I wish him all God’s blessings in his retirement,” Archbishop Clifford said of Bishop Magee. “I ask for the continued prayers and support of the lay faithful, priests and religious of the diocese of Cloyne for all those who have suffered abuse.”

Separately, the state investigators who reported on the Dublin cover-ups have turned their sole attention to Cloyne and are expected to report their own conclusions later this year. Bishop Magee said he would remain available to answer their questions.

The church’s Cloyne report found that Bishop Magee and his diocesan deputies fielded a range of complaints from parishioners about two priests from 1995 onwards – but told the police nothing until 2003 and little thereafter. The report said Cloyne church authorities appeared to be solely concerned about helping the two priests, not protecting children of the diocese.

One priest, who was accused of molesting a younger priest when he was just a boy, was encouraged by Bishop Magee to resign. But the investigation found that the bishop shielded the abuser’s identity from the police – and considered such concealment “the normal practice” for the church.

The other priest, a career guidance counsellor in a convent school, was accused by several teenage girls and grown women of molesting or raping them since 1995. One complaint came from a woman who had a consensual sexual relationship with the priest for a year – then saw him develop an intimate relationship with her teenage son.

The church has declined to identify the two priests publicly by name. Neither has faced any criminal charges.

Bishop Magee, who was born in the Northern Ireland border town of Newry, served as a private secretary to three successive popes – Paul VI, John Paul I and John Paul II – from 1969 to 1982. He then served as the pope’s master of ceremonies until 1987.

No U-turn by U.S. on direct access to Headley: Chidambaram

Union Home Minister P Chidambaram has said that there was no confusion over the issue of Indian investigators getting direct access to Pakistani-American LeT operative David Coleman Headley.

“No, I don’t think so,” Mr. Chidambaram shot back when asked whether there was a U-turn by the US after its envoy in New Delhi Timothy J Roemer said that “no decision on direct access for India to David Headley has been made.”

“…If you reflect more carefully that sentence (of Roemer) no way (it) contradicts what the US Attorney (Eric Holder) has told me,” Mr. Chidambaram, who is here on an official visit, told a TV news channel.

Last night Home Secretary G K Pillai said that India was not taking cognisance of Mr. Roemer’s remarks and would be sending its investigators to the US at the earliest.

“I think we are going ahead and we are not really taking cognisance of the US ambassador’s remarks,” he said.

The 49-year-old Headley had last week pleaded guilty to all the 12 terror charges of conspiracy involving bombing public places in India, murdering and maiming persons and providing material support to foreign terrorist plots and Pakistan-based LeT besides aiding and abetting the murder of six US citizens in the 26/11 attacks that killed 166 people.

Following a telephonic discussion with Holder, Mr. Chidambaram had directed National Intelligence Agency and other agencies concerned in the case to quickly prepare documents necessary to start a judicial proceeding in which Indian authorities could require Headley to answer questions and to testify.

India is likely to send a team of investigators in April to question Headley.

PTI story from Chicago adds

Headley will cooperate: lawyer

David Coleman Headley, who has confessed to plotting Mumbai attacks, will cooperate with Indian authorities as required under the terms of his plea agreement if the US government allows, his lawyer has said.

John Theis said the terms of 49-year-old Headley’s plea agreement on March 18 require that he allow himself to be interviewed by Indian authorities.

“Headley will cooperate to the extent it is required to by the terms of his plea agreement but as for the specifics. I think really our government and our US attorney’s office have to be the ones to determine the actual form (of access),” he told PTI when asked to comment about US Ambassador Timothy J Roemer’s statement that no decision on direct access for India to David Headley has been made.

Headley moved a guilty plea at a US court on March 18 where he confessed to plotting the 2008 Mumbai attacks that killed 166 people, including six Americans.

“He is in US custody and so interviewing him does implicate the security issues and things like that,” Theis said.

When asked if Indian investigators, who come to the US, can be assured that they would get access to Headley and be able to put their questions to him, Theis said: “I’m not the one to ask that. You will have to ask our government, our US attorney’s office. They are the ones who are going to determine how this actually happens”.

Meanwhile, an FBI spokesperson told PTI: “If the plea agreement says that Headley has agreed to meet with investigators from India, then that is what he will do. It is a question of when and where. But I’m sure if that is what he agreed to, that is what will happen”.