Funny Pharma: Inside the Web’s leading Rogue Pharmacies
This talk will cover the world of rogue pharmacies through the lens of 2 of the biggest out there.
When we think of pharmacies we often think of Viagra. However, there are many other types on offer, and it only covers a small part of the problem.
Around 65% is some form of male enhancement drug. The rest, however, are for much more serious conditions (heart conditions, etc.).
When looking through the affiliate lists of these pharmacies, you often find that they got started in the adult entertainment industry. Because of this it’s often easy to go back in time and find out a lot of information about them. After all, they probably never thought they’d be a cyber-criminal one day.
If Marijuana is a gateway drug, then maybe the adult industry is a gateway service!
Alongside the adult content and pharma services, many of these criminals are also deeply involved in credit card fraud and in particular Rogue AV. Because of the limited resources for processing these credit cards within the underground, you often find them linked back through Chronopay (started by Pavel Vrublevsky and Igor Gusev, who himself got his start in the Adult industry).
After Igor Gusev and Pavel Vrublevsky parted ways, Igor moved into the Pharmacy industry (Glavmed). Not to be outdone, Pavel followed suit and began a competing service. It was about this time that Glavmed was shut down by the authorities, opening up the chance for Pavel to move in and become the biggest processor for this industry.
[If you want to read more about the tangled web between Pavel Vrublevsky and Igor Gusev, there are several stories on the Krebs On Security blog that cover things in detail]
At the peak of the program they were bringing in $6 million a week.
Despite Chronopay moving their internal communications to a program called Megaplan and using pseudonyms… they were still hacked again and their information exposed. Due to many of the Chronopay users forwarding their pseudonyms to their real Chronopay email addresses, they could all be linked very easily.
After spending 100s of hours tracking and talking to buyers, the finding was that, despite the rumours, many of them were happy with what they got. It looked the same, worked the same and was a quarter of the price.
In the US, people tend to pay much more for drugs, which is one of the drivers for this entire industry. People are just trying to survive.
In the US 65% of buyers were buying male enhancement drugs.
In Europe 98% of buyers were buying male enhancement or recreational drugs. Price differences for normal drugs weren’t that large, reducing the demand.
On the record
The DEA hasn’t found a large number of foreign sites selling controlled substances, but those that do offer them, often are scams, Boggs said. “Most are scams, or you get something different than what you order,” he said. “They offer to sell you this or that, and you might get Viagra, or you might not get anything.”
This comment goes against the evidence that Brian has found. Most appeared happy, and despite worries, credit card information appears to have been hidden from affiliates and very few buyers comment on CC theft.
The credit card processing firms are the same ones that are dealing with fake AV… So maybe if the payment processing dried up, the industry would as well! The banks and firms that deal with Pharma CC processing, however, aren’t the kind of people to get pushed around. Take AG Bank for example… just take a look at their advert!
60% of sales can be traced back to 5 issuing banks in the US. If they would set a policy not to process payments for these known pharma companies, then it would make a huge impact on the industry.
In an interview with Igor Gusev regarding pharma, he commented the following regarding the problem:
They need to put pressure on the card processors, which are monsters which only regulate on very negative public pressure. I think it would be a very powerful strike, and online pharma would be dead within two years if they could switch off the merchants who is somehow connected to online pharma.
Note: I’m sure this is all much more elegantly written over on Brian’s blog (linked below). These are purely notes from the live presentation. I would suggest following the Krebs On Security blog, if you’re not already!
Note [16/06/2011]: I have removed some of the post due to the confusing way in which it’s written. Following the complex story live and writing in real-time was a little hit and miss. So I would suggest following the story straight on the Krebs On Security blog where it was originally documented.
Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and omissions are expected. I'm only human after all!
I believe you made a few mistakes and exchanged roles in this paragraph:
Seeking revenge, Igor managed to land a job advising the government on how to crack down on spam and cyber crime. It was around this time that email leaks exposed Pavel as paying officials to take down his competition. The Russian government moved swiftly against Pavel and labelled him a spammer. Pavel flees, but not before Glavmed has their network hacked and their docs dropped.
It’s the opposite: Igor is actually on the run, and it was Chronopay that was hacked.
Hi, and thanks for bringing the confusion to my attention. They did indeed weave a tangled web 😉
I’ve removed that section of the notes, as I think it’s best if readers read Brian’s posts to get a feeling of how things developed.