Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
Somehow, the prepaid industry had escaped the “know your customer” regulations that govern all U.S. financial institutions. These rules require banks to take specific steps to profile customer activity for signs of money laundering, suspicious transactions, and terrorist financing. After passage of the Credit CARD Act, however, prepaid networks fell under those same rules.
“These cards were all reloadable, and you could just set the name on the cards to whatever you wanted, because there were essentially no ‘know your customer’ rules for prepaid networks,” Savage said. “All of a sudden these networks needed to have anti-money-laundering protections on international transactions. The short-term impact of that was everyone in this industry basically said, ‘Okay, no more international transactions with prepaids,’ which instantly made my $5,000 in prepaid cards a useless pile of crap.”
Savage said he was discouraged and ready to give up at that point, but one of his graduate students—Chris Kanich—was undeterred. It was close to the end of November 2011.
“That son of a bitch totally ignored me and started cold-calling credit card issuers. He just called them and said, ‘Hi, my name is Chris Kanich and we’re doing this pharmacy spam research and we need a financial product that can do X, Y, and Z.’ He called like fifty banks until he found this little bank in the Midwest. The person he talked to was receptive and said the CEO of the bank was really interested in cybersecurity. So they cut us a special deal, and after that, it became way easier.”
The research team became intimately familiar with the various schemes that different rogue pharmacy networks used to weed out suspicious transactions. The rogue pharmacy networks were extremely wary of any fraud that might drive up their transaction rates or get them shut down, so they tended to rely on many layers of anti-fraud measures. For example, they used geo-location services to check if the buyer’s Internet address showed that he was from a geographic location that was in the same town as the billing address on the credit card.
“Over time, we learned that each transaction was awarded a fraud score based on a number of criteria, and any transactions that went above a certain fraud score were just never put through by the merchant processors,” Savage said. “We learned that having an email address at a public webmail provider increased your fraud score. We learned over time that you needed to have a name that had a real physical address and a working phone number because they would often call you back to verify the order.”
Early in their bogus buying spree, the researchers got found out. They were trying to conduct at least one undercover purchase every month from each of more than two dozen online pharmacy partnerka programs, so that they could keep track of the acquiring banks that were processing the transactions. Little did they know that most of the partnerkas were using the same financial institutions—a handful of banks in Azerbaijan, Latvia, Cyprus, and Turkey.
“We tried to keep a low profile and put in one order per program per month, but since we didn’t know they were all getting processing from the same place, we were doing like thirty-five orders per month from the same people,” Savage said. “At one point Chris Kanich [still a coresearcher but by then an assistant professor at University of Illinois at Chicago] gets this call from customer service people from one of the partnerkas, and he’s having to think on his feet because they wanted to know why so many people at his address were ordering Zyrtec, which is an anti-allergy drug. And he basically made up some story, saying he lived in a college dormitory, and that he and all of his roommates had allergies because they were all allergic to cats and one of the guys had a cat. So, over time, we all learned how to do this fake ordering.”
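The gate Savage describes above is a weighted rule set: each signal (webmail address, IP geolocation that disagrees with the billing city, no working callback number) adds to a score, and orders over a cutoff never reach the processor. Here is a toy version of such a gate, written for this page as an added illustration; it is not code from the book or from the UCSD team. The weights, the decline threshold, the webmail domain list and the sample orders are all assumptions constructed for the example. It also goes one step beyond the text with a velocity rule, which is the kind of check that would have tripped on thirty-five test buys a month arriving from one address.

```python
"""Toy fraud-score gate of the kind Savage describes.

Added example, not from the book or the researchers' code. Rule weights,
the threshold, the webmail list and the sample orders are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed: a short list standing in for "public webmail providers".
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}
DECLINE_THRESHOLD = 50   # assumed cutoff; above it the order is never submitted
VELOCITY_LIMIT = 3       # assumed: orders per address per 30 days before penalties

# North American number, 10 digits with optional country code (assumed format).
_PHONE_RE = re.compile(r"^\+?1?\d{10}$")


@dataclass(frozen=True)
class Order:
    email: str
    phone: str
    billing_city: str
    ip_city: str                  # city the buyer's IP geolocates to (already resolved)
    orders_from_address_30d: int  # prior orders seen from this shipping address


def _normalize_phone(phone: str) -> str:
    """Strip spaces, dashes and parentheses; keep digits and a leading '+'."""
    return re.sub(r"[^\d+]", "", phone)


def score_order(order: Order) -> tuple[int, list[str]]:
    """Return (fraud score, reasons). Each rule adds its assumed weight."""
    score = 0
    reasons: list[str] = []

    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in WEBMAIL_DOMAINS:
        score += 20
        reasons.append(f"webmail address ({domain})")

    if order.ip_city.strip().lower() != order.billing_city.strip().lower():
        score += 30
        reasons.append(f"IP geolocates to {order.ip_city}, billing city is {order.billing_city}")

    if not _PHONE_RE.match(_normalize_phone(order.phone)):
        score += 25
        reasons.append("no usable callback number")

    # Velocity: every order beyond the per-address limit adds to the score.
    excess = order.orders_from_address_30d - VELOCITY_LIMIT
    if excess > 0:
        score += 10 * excess
        reasons.append(f"{order.orders_from_address_30d} orders from this address in 30 days")

    return score, reasons


def decide(order: Order) -> str:
    """'decline' at or above the threshold, otherwise 'approve'."""
    score, _ = score_order(order)
    return "decline" if score >= DECLINE_THRESHOLD else "approve"


# Constructed sample orders (not real data).
CLEAN = Order("jane@example.edu", "+1 312 555 0100", "Chicago", "Chicago", 1)
RISKY = Order("buyer@gmail.com", "", "San Diego", "La Jolla", 1)
DORM = Order("ck@example.edu", "+1 312 555 0100", "Chicago", "Chicago", 8)

if __name__ == "__main__":
    for name, order in [("clean", CLEAN), ("risky", RISKY), ("dorm", DORM)]:
        score, reasons = score_order(order)
        print(f"{name}: score={score} decision={decide(order)} reasons={reasons}")
```

The point of the velocity rule is that a researcher's test-buy program is itself a fraud signal: a real scorer need not know who is behind the orders, only that one address is ordering far more often than a patient would.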
Following the money trail revealed an astounding fact: 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies that the researchers purchased were handled by just three financial firms—one in Azerbaijan, one in Denmark, and another in Nevis, in the West Indies. Many Americans probably would be hard-pressed to find these places on a map, let alone recall conducting business with a company in those areas. And yet, a huge percentage of the credit card processing for the spam industry flowed through financial institutions in these regions. Anti-spam experts wanted to know why banks couldn’t spot this odd concentration of dodgy banking activity and put a stop to it.
The researchers published their findings in a paper, “Click Trajectories: End-to-End Analysis of the Spam Value Chain,” which described their “spamalytics” method for targeting the central weakness in any spam operation—its reliance on credit card processing for the goods advertised in junk messages.
Savage said that five days after the New York Times wrote about their paper, the researchers received a phone call from the White House. On the line was Victoria Espinel, the Obama administration’s intellectual property enforcement coordinator.
“She was having this come-to-Jesus meeting with the domain name registrars, big-name brands, and Google, saying, ‘Hey, we should all be doing something about this spam problem.’ In our paper, we said there were basically two ways of doing this: you can go bilaterally against the [pharmacy] merchant banks, but that’s slow. Or you could try to shut it off at the credit card issuing side, because these pharma networks were mostly all Western money. That was in retrospect a stupid idea, because when we talked to issuing banks here in the United States, they said, ‘Hey, our customers aren’t complaining, and we’re not in the business of policing what our customers do that appears to be legal in the transaction records.’”
Espinel connected Savage and his team with the International Anti-Counterfeiting Coalition, a nonprofit group created to help corporate brands tackle commercial piracy and trademark abuse cases. The IACC was putting together an online portal where any brand holder could sign up and report abuse of their trademarks directly to MasterCard and Visa, which would investigate the claim and ultimately levy fines against any banks processing transactions tied to that claim.
The IACC relied on contracts that all banks sign as a prerequisite to doing business with the credit card associations, which stipulate that all product sales must be legal not only in the jurisdiction where the merchant bank resides, but also in the home country of the customer. And since shipping prescription drugs to consumers from outside of the United States violates U.S. law, any claim reported to Visa or MasterCard via the IACC by an affected brand holder effectively caused fines to rain down on banks that were processing payments for the pharmacy partnerkas.
“These stipulations were always in the contracts, but for some reason people weren’t paying attention to this,” Savage said. “It turns out that the people who really give a rat’s ass about the spam problem are the brand holders, because they’re the ones whose products, copyrights, and trademarks are being counterfeited and violated. And the beauty of this approach is it’s not a legal issue with criminal law. This is entirely a contract issue. In fact, there is no law enforcement involved in this process at all. It’s just about getting Visa and MasterCard to enforce their own contract rules.”
Ironically, it was not the pharmaceutical companies that stepped forward to use the IACC’s cudgel against the pharmacy spammers but Microsoft. The same networks blasting spam to pimp online pharmacies were also being used to promote sites peddling counterfeit copies of Microsoft’s Windows operating system, and Microsoft saw a golden opportunity in the IACC to make it much more expensive for counterfeiters to process credit card payments for knockoff copies of Windows.
“Microsoft decided they were going to go in whole hog. They were really committed,” Savage said. “The idea was, as the lead guy over there said, ‘a special Thanksgiving present.’ They were going to simultaneously go after every bank being used in this program, all of the registrars registering domains, and all of the hosting companies, and then in a short time take down everything. And then go to Google and Bing and get [the spammers] out of search results too. There was a moment when they just dropped the bomb on the entire industry. And there is this transition going on in the underground where everyone is saying, ‘Hey, we’re having a little bit of trouble.’”
Savage said one major software vendor in particular went after affiliate programs that were selling its products. Affiliate programs that trade in pirated “OEM” or “original equipment manufacturer” software are those that principally traffic in high-dollar titles, including Microsoft Windows and Adobe products. It seems likely that Adobe was the vendor in question here, given the reaction on the OEM affiliate forums.
“This vendor went after everything. They did it so quickly—and not only for their own products—that it all but shut down the entire OEM ecosystem,” Savage said. “A couple of [OEM affiliate programs] survived by getting rid of that company’s brand, but in the beginning, when people had no clue what was going on, it shut down the entire business for everyone.”
Contracts between the banks and Visa and MasterCard stipulate that merchants are prohibited from selling goods and services that are illegal in the country where those goods or services are being purchased or used, or both. The credit card associations have a standard process for accepting complaints about such transactions, in which they warn the online merchant’s bank (including a notice of potential fines for noncompliance). After a complaint about such activity, the merchant’s bank conducts its investigation and may choose to contest the issue if they believe the complaint is in error. But if the bank decides not to challenge the complaint, then they will need to take action to prevent similar future transactions, or else face an escalating series of fines from the card associations.
The researchers noticed that in case after case, merchant accounts that had been used in fraudulent activity for an extended time before the researchers filed a complaint with the IACC generally stopped being used within one month after a complaint was lodged.
Savage said the data suggests that the private sector can have a major impact on cybercrime merely by going after the funding for these operations.
“It doesn’t require a judge, a law-enforcement officer, or even much in the way of sophisticated security capabilities. If you can purchase a product, then there’s a record of it and that record points back to the merchant account getting the money,” Savage said. “Visa and MasterCard frown on sales of illegal purchases made on their networks and will act appropriately on complaints from brand holders based on undercover purchases.”
At approximately the same time that the researchers were submitting their findings to the IACC, Visa was enacting a series of changes to its operating regulations that seem designed specifically to target online pharmacies and sellers of counterfeit goods. First, sales of goods categorized as pharmaceutical-related were for the first time explicitly classified as “high risk” (along with gambling and various kinds of direct marketing services), and acquirers signing new contracts with high-risk e-commerce merchants were required to perform significantly more due diligence (including holding $100 million in equity capital and being in good standing in Visa’s risk management programs).
Also, the new documents explicitly call out examples of illegal transactions including “unlawful sale of prescription drugs” and “sale of counterfeit or trademark-infringing products or services,” among others. Finally, these changes include more aggressive fine schedules for noncompliance.
Some of the best evidence of the success of the test-buy strategy comes directly from the folks operating the affiliate programs that reward spammers and miscreants for promoting fake antivirus and pirated software and dodgy pill sites. In June 2012, a leader of one popular pharmacy affiliate program posted a lengthy message to gofuckbiz.com, a Russian language forum that caters to a variety of such affiliate programs. In that discussion thread, which is now more than 250 pages in length, the affiliate program manager explains to a number of mystified forum members why the pharmacy programs have had so much trouble maintaining reliable credit card processing.
In May 2011, Visa initiated a new program, the so-called “Global Brand Protection Program.” How this would turn out for banks and merchants no one knew at the time, so at first nothing much changed—everything kept working as before. After several months, Visa began to act, and beginning in November 2011, fines of $25,000 USD on every domain containing the brands Viagra, Cialis, and/or Levitra or other copyrighted medications began raining down on merchants.
The manager continued:
All affiliate programs have come under fire. Today, all sizable affiliate programs have paid more than hundreds of thousands in fines under this program. Banks also come under fire, and although in most cases they can cover their financial losses at the expense of merchants—provided their turnover is sufficient—Visa’s audits, reputation risks, and other hassles complicate their work. That is why some banks have completely refused to do business, some have greatly reduced the volume of “pharma” payments, [and] some have “overinsured” themselves in one way or another, leading to practically zero approval rates. Some (banks) continue to work, but today their number is very limited.
Another affiliate of a rogue pharmacy program put the situation in far less delicate terms, observing:
Right now most affiliate programs have a mass of declines, cancels, and pendings, and it doesn’t depend much on the program IMHO, there is a general sad picture, fucking Visa is burning us with napalm.
After getting scorched by Visa’s fines, many pill-shop processors have begun intentionally “miscoding” their pharmacy transactions, said Savage. The card networks require every merchant account to carry a merchant category code (MCC) that identifies the type of good or service being sold, and every transaction is tagged with it. There are hundreds of such codes (drug stores and pharmacies are 5912, for example), and the contracts that merchants must sign with the card associations give the latter the power to levy huge fines against merchants that miscode high-risk transactions as lower-risk activity.