Beware of Russian Cyber Gangs!

PC World reports:

Russian cybergangs have established a robust system for promoting Web sites that sell fake antivirus software, pharmaceuticals and counterfeit luxury products, according to a new report from security vendor Sophos.

To sell bogus goods, many of those sites rely on hundreds of “affiliate networks,” which are essentially contractors that find ways to direct Web users to the bad sites, wrote Dmitry Samosseiko, a Sophos analyst. He made a presentation this week at the Virus Bulletin security conference in Geneva.

Affiliate networks have been around for a long time and there are many legitimate ones. But “the majority of the most powerful and controversial affiliate networks are based in Russia,” Samosseiko wrote.

In Russian, the networks are known as “partnerka” and focus exclusively on promoting the dark corners of the Web. Essentially, someone who wants to become part of an affiliate signs up on a password-protected forum, most of which now are low profile and require an invitation. Once vetted, the new contractor is given a set of Web sites to promote.

One way to do so is to infect computers with malware either through spam or other means. The malware can tamper with a computer’s DNS (Domain Name Server) settings in order to direct the user to a fake Google search engine site, which meshes real search results with ones that lead to, for example, a site selling fake antivirus software.

Another trick is called black hat SEO (search engine optimization). It involves creating a Web site, then using a variety of tricks mostly forbidden by search engines to get those Web sites high in search rankings. Methods include incorporating the most recently used search terms, often listed by search engines such as Google’s Trends, into a Web site.

These affiliated “doorway” Web sites will redirect users to a dodgy Web page. A referring site can earn a commission if, for example, a person buys something.

The trick for someone selling a product is to “choose a partnerka with a high conversion rate to ensure that the generated revenue will be greater than the cost of traffic itself,” Samosseiko wrote.

It’s an insidious, yet profitable, scheme. Sophos was able to get a peek at one of the more popular partnerka called RefreshStats. That Web site enlists partners to create Web sites that implore people to download a codec, or a piece of software required to play video. Inevitably, the codec is a fake, and the PC is usually infected with fake antivirus software.

Samosseiko wrote that Sophos was able to see an administrator interface for RefreshStats that showed how much different contractors were making from the scheme. One particular contractor earned US$6,456 in August 2008. Another affiliate, called Topsale, offers up to a $25 commission for every sale of a fake antivirus product.

Samosseiko writes in his conclusion that there are hopeful signs that law enforcement and researchers can take down the rogue affiliates. But by all measures it doesn’t seem that the industry is slowing down.

A recent report from security vendor Panda Security said that as many as 35 million computers worldwide may be infected with fake antivirus programs each month.

The company has collected an astounding 200,000 samples of different rogue antivirus products, about 80 percent of which are copies or are slight alterations of 10 basic families of fake products, said Luis Corrons, director of PandaLabs.

“We were seeing more and more users were being infected,” Corrons said.
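The article describes malware that rewrites a machine's DNS settings so that searches land on a look-alike Google page. From the defender's side, the cheap check is to audit the resolver configuration and hosts-file overrides against what the environment is supposed to use. The script below is an added example and is not code from the PC World article, the Sophos report, or this blog; the trusted-resolver allowlist, the watched domain list, and the two sample configuration files are constructed for illustration (RFC 5737 documentation addresses), so it runs offline.

```python
"""Audit name-resolution settings for signs of DNS hijacking.

Added example, not from the article or from Sophos. The trusted resolver
list, watched domains and sample files below are constructed assumptions;
in practice you would read /etc/resolv.conf and /etc/hosts (or the Windows
equivalents) and supply your own allowlist.
"""
import ipaddress

# Hypothetical allowlist: resolvers this organisation expects hosts to use.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Domains whose hosts-file overrides would indicate search-result hijacking.
WATCHED_DOMAINS = {"google.com", "www.google.com", "bing.com", "www.bing.com"}

# Constructed sample: a resolv.conf with one unexpected resolver injected.
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client
nameserver 192.0.2.53
nameserver 198.51.100.99
search corp.example
"""

# Constructed sample: a hosts file in which Google has been pointed elsewhere.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
203.0.113.7 www.google.com google.com
192.0.2.10  intranet.corp.example
"""


def parse_resolvers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, one per alias."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def audit(resolv_text, hosts_text,
          trusted=TRUSTED_RESOLVERS, watched=WATCHED_DOMAINS):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for srv in parse_resolvers(resolv_text):
        try:
            ipaddress.ip_address(srv)
        except ValueError:
            findings.append(f"malformed nameserver entry: {srv!r}")
            continue
        if srv not in trusted:
            findings.append(f"untrusted resolver configured: {srv}")
    for addr, name in parse_hosts(hosts_text):
        # Any static override of a watched domain bypasses DNS entirely,
        # so it is reported regardless of where it points.
        if name in watched:
            findings.append(f"hosts file overrides {name} -> {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS):
        print("FINDING:", finding)
```

Run against the constructed samples it reports the rogue resolver and both Google overrides; against a clean pair of files `audit()` returns an empty list, which makes it easy to wire into a periodic host check.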

10 responses to “Beware of Russian Cyber Gangs!”

  1. Best thing would be to cast .RU off the web. No more Cialis, Viagra, penis extension pills, and Rolex watch spam. Fewer phishing and script worms and other crap. Let Russians have .RU all to themselves and “Get High on Their Own Supply”.

  2. I remember I tried to enter civil.ge on August the second, 2008… then I tried all the other news web pages of Georgia… I mean they were all crashing and loading VERY VERY VERY slowly… I called my friends in Georgia and one young person (I’m friends with his father) told me –

    “It’s clear what the Russians are up to, I’m 100% sure. I just read their media, they say everything openly. Why are you in the west so calm? They might invade as soon as in a month!”

    Little did I know he was right… 5 days later the open part of the Russian invasion began… and we did NOTHING!

  3. My recent experience with pro-Putin influences on the internet, …with LiveJournal and maybe even Google: When I try to view 3 anti-Putin Russian-language blogging sites, thru the Google English translation (which I have been doing for over 2 years now….with no previous problems whatsoever!), I have now gotten:
    “ACCESS FORBIDDEN:
    You’ve been temporarily banned from LiveJournal, perhaps because you were hitting the site too quickly. Please make sure that you’re following our BOT POLICY. If you have questions, contact us at webmaster@livejournal.com with the following information [ a bizarre number/letter combo that changes, frequently thru one day even]”:
    Z12etPt1J2a1J0D@74.125.75.4 ”
    When I viewed their ‘BOT POLICY’, it did not make any sense at all. When I sent them an email, protesting/questioning this, they have not responded. But, I now (today anyway, so far!), do not have this ‘Access Forbidden’, but I expect it to return. I and many other anti-Putin internet users, who view and contribute to various anti-Putin Russian-language blog sites (in my case, thru Google), agree that both LiveJournal and Google, SEEM to be under some degree of Kremlin influence. Google especially, when the Putin Georgia invasion occurred, appeared to fully co-operate with the Kremlin’s cyber-attack on Georgian sites, etc.
    What do any of you, readers of La Russophobe, think about this?

    • Well, LJ is owned by a Russian (Moscow) firm now (and even “the president” has also an account there), so I guess if anyone posts “extremist” things there they must be very brave/stupid in first place (didn’t they jail people for blogging already?).

      @Google especially, when the Putin Georgia invasion occurred, appeared to fully co-operate with the Kremlin’s cyber-attack on Georgian sites, etc.

      Elaborate please?

  4. To Robert: First of all, the Kremlin forces interfere with foreign anti-Putin Russian bloggers, not only those living inside the RF. A fellow anti-Putin, anti-Moscow Patriarchy blogger informed me that ‘Google shut down Portal Credo.Ru, during the rigged election of Patriarch Kyrill Gundaev’, for one example of who gives the orders at Google.
    And what is Portal Credo.Ru?
    It is almost the sole remaining UNBIASED religious news of what is going on inside the Moscow Patriarchy….and gives the world also news on ALL religious activities of all religions inside and outside the RF & their persecutions, in the RF today. The Kremlin has been on the verge of totally shutting them down for years, and any day, we expect them to succeed. Periodically, they are severely interrupted. And who? in the RF has such power to do so? (I give you one wild guess).
    Google, is now owned from Moscow.
    I cannot at this moment, give you exact information about Google and Georgia, but I will try to gather that info.
    Some feel that Moscow controls virtually MOST of the world-internet, and that they can, at will, shut it down, whenever they desire. Look at Estonia, but for one small example, or the cyber-war against Georgia.

    • A correction: It was LiveJournal….. which shut down Portal Credo.Ru during the ‘election’ of the current ‘Patriarch Kyrill’ (KGB agent, Mikhail Gundaev), not Google, per se.
      Russians all over the world, and inside of the RF, frequently view that site (owned by anti-Putin/anti-MP Russian Orthodox dissident-church, members). It has been THE number one site, for accurate/trustworthy news about life inside the Motherland, and though it specializes in religious news, it of course also reports political/social/ethnic related matters as well.
      And why?…because Portal Credo. ru was accurately reporting on all the internal Moscow Patriarch opposition to Kyrill, and revealing his misdeeds, and his rotten past KGB history, etc.
      This temporary ‘shut-down’, was well documented. But of course, the Kremlin and
      spokesmen for the Moscow Patriarchy, denied all responsibility. They ascribed the shut-down, as ‘due to technical reasons’.
      ‘Technical reasons’/ ‘accidents’ …..can happen at any time, of course, especially in the neo-soviet RF.
      For instance, out of control trucks CAN accidentally run over loud-mouthed dissenters, and also guns can accidentally fire themselves, into the hard-heads of trouble-makers, and the plugs to opposition bloggers can get pulled….all by themselves!
      You know, …….life as usual in neo-soviet Russia!

    • It’s pretty usual Google business practices:

      Google censors itself for China
      http://news.bbc.co.uk/2/hi/technology/4645596.stm

      And as of their competition:

      Last year, Yahoo was accused of supplying data to China that was used as evidence to jail a Chinese journalist for 10 years.

      @Some feel that Moscow controls virtually MOST of the world-internet, and that they can, at will, shut it down, whenever they desire. Look at Estonia, but for one small example, or the cyber-war against Georgia.

      Actually, they had a hard time even against these tiny countries.

      Anyway, as of LJ, it’s certainly not safe at all:

      http://www.theotherrussia.org/2008/07/07/russian-blogger-sentenced-over-livejournal-comment/

    • Did Google or Russian state sponsored hackers shut Portal Credo.Ru down?

      I’m not so sure that Google is “owned” from Moscow or even cares about their Russian content and message boards. I read some LJ bloggers that were considering moving to Google to avoid being monitored a while back.

      Google hasn’t been asked to uphold state filtering censors as in China. The disgrace with both Google and Yahoo is that they both complied with the Chinese. Hey, profits trump democratic principles.

      • To Penny and all: Portal Credo.Ru did believe that the Putin governmental agencies, with instigation from the Moscow Patriarchy, and using LiveJournal,…and any other Russian-sites which they have some/ or total control of, caused the sudden shut-down of their site, to stop their truthful telling of the flaws of Kyrill-Gundaev in his ‘election’ as Patriarch, and as they tried to present the honest positions of his rivals for the throne. After he won, things went back to ‘normal’.
        ‘Normal’ for Portal Credo. Ru is that….daily…they await total/final closure, arrests of their small staff, or sundry ‘accidents’, etc.
        One way that they cope, is to: 1) say nothing….directly….attacking The President, 2) they prominently give all the ongoing (neutral) news of the humdrum doings/activities of the State Church ( the MP), etc. and 3) they TRY to present all news, from an unbiased journalistic perspective….i.e. just reporting facts, etc.
        Of course, we know where that can lead to in the neo-soviet RF…….accidents do happen/people do disappear/guns fire themselves/heart-attacks occur, etc.
        Portal Credo. Ru depends on its foreign (mostly anti-Putin Russians living abroad) supporters, to use as its insurance policy against the Kremlin. So far, this foreign support has had some effect, otherwise, they might have been closed long ago. They are a remnant of what had been a number of similar truth-telling webs in Russia, which the Putin gang have not found to be ‘of use’ to them.
        From my sources, Google does have some degree of Kremlin influence, whether it is purely economic or not, who can say?
        But sure, how to ‘prove’ such matters???
        And, yes, money-talks!
