Security researcher highlights fake AV scams enabled by banks

And, Krebs asserts, published research has shown that rogue internet pharmacies and spam would be much less prevalent and profitable if a few top US financial institutions stopped processing payments for dodgy overseas banks.

This is also true, he says, for fake anti-virus scams, which use misleading security alerts to frighten people into purchasing worthless security software.

"Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake AV affiliate networks, organised criminal operations that pay hackers to deploy the bunk software", he says in his latest security blog.

"The researchers uncovered a peculiar credit card processing pattern that was common to these scams; a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors," he adds.

The former Washington Post security reporter goes on to say that the pattern reflects each fake AV programme's desire to minimise the threat from chargebacks - disputed transactions by consumers.

Krebs reports that the fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat.

"When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge", he says.

Krebs notes that levels of chargebacks greater than 2/3% raise red flags with Visa and MasterCard, who apply a sliding scale of penalties to those firms that generate excessive chargebacks.

But, he says, the fake AV companies don't want to issue refunds voluntarily if they think a customer won't take the next step of requesting a chargeback.

"The UCSB team found that the fake AV operations sought to maximise profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor's chargeback limits", says Krebs.

"Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds", he adds.

So which banks are facilitating all these fake AV company transactions?

They are, lists Krebs:

  • FMBE Bank Limited, Cyprus (SWIFT Code FBMECY2N)
  • Bank Hapoalim BM, Israel (SWIFT Code POALIL)
  • Ceska Sporitelna A.S., Czech Republic (SWIFT Code GIBACZPK)
  • International Bank of Azerbaijan (SWIFT Code IBAZAZ2X)
  • JSCB Bank Standard, Azerbaijan (SWIFT Code MOSZAZ22)

The researchers, he adds. were fortunate to gain direct access to some fake AV customer records, one of which included the partial credit and debit card numbers of more than a half million people who were tricked into paying for scam software.

The researchers also, he asserts, argue that Visa and MasterCard are in an extraordinary position for spotting the pattern of chargebacks and refunds that may reveal the existence of a fake AV processor.

What’s hot on Infosecurity Magazine?