Fake antivirus scams and rogue Internet pharmacies relentlessly seek customers who are willing to trade their credit card numbers for a remedy. Banks and financial institutions become partners in crime when they process payments to fraudsters.

Published research has shown that rogue Internet pharmacies and spam would be much less prevalent and profitable if a few top U.S. financial institutions stopped processing payments for dodgy overseas banks. This is also true for fake antivirus scams, which use misleading security alerts to frighten people into purchasing worthless security software.

Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake antivirus (fake AV) “affiliate” networks, organized criminal operations that pay hackers to deploy the bunk software. The researchers uncovered a peculiar credit card processing pattern that was common to these scams; a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors.

The pattern reflects each fake AV program’s desire to minimize the threat from “chargebacks,” which occur when consumers dispute a charge. The fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat. When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge.

Excessive chargebacks (more than 2-3 percent of sales) generally raise red flags at Visa and MasterCard, which employ a sliding scale of financial penalties for firms that generate too many chargebacks. But the fake AV companies also don’t want to issue refunds voluntarily if they think a customer won’t take the next step of requesting a chargeback.

The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor’s chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds. Consider the following diagram, from the researchers’ report, which shows a direct and very close correlation between increased chargebacks and heightened refund rates.

The UCSB team found that of almost 2.3 million people who purchased fake AV from three affiliate networks over a three-year period, fewer than 10 percent requested a refund. An even smaller subset asked their bank to initiate a chargeback. This is exactly what I found in research that I published last summer, which highlighted the paucity of refund requests for fake AV affiliate networks run by Russian payment processor ChronoPay.

I have often written about ChronoPay’s close ties to the fake AV industry. It’s nice to see that others are witnessing this. The UCSB researchers found that all three fake AV businesses used ChronoPay’s credit card payment services. They also found communications between the processors and fake AV perpetrators revealed that the payment service providers were well aware of the fake AV businesses, and even offered advice to help the group sell more products.

“We observed that some payment processors allow an illicit company to create multiple merchant accounts in which transactions are periodically rotated (approximately every 30-45 days) through each account, such that a single account is never flagged for fraudulent activities, since the transactions — and any associated chargebacks — are distributed over all of the accounts,” the researchers wrote.

In addition, most fake AV affiliate networks typically changed the names of their products every three to seven days; that was the average time it took for victim complaints to start appearing on consumer Web forums and being indexed by search engines.

So, to answer the question in the headline of this post, I’ll name the financial institutions that agreed to process payments for these fake AV affiliate networks. According to the researchers, the banks are:

FMBE Bank Limited, Cyprus (SWIFT Code FBMECY2N)

Bank Hapoalim BM, Israel (SWIFT Code POALIL)

Ceska Sporitelna A.S., Czech Republic (SWIFT Code GIBACZPK)

International Bank of Azerbaijan (SWIFT Code IBAZAZ2X)

JSCB Bank Standard, Azerbaijan (SWIFT Code MOSZAZ22)

The researchers were fortunate to gain direct access to some fake AV customer records, one of which included the partial credit and debit card numbers of more than a half million people who were tricked into paying for scam software. The table below shows that about 50 percent of buyers made purchases with cards issued by the top card-issuing banks:

Maybe it’s unfair to pick on only these banks. After all, they are among the top card-issuing banks, so it’s natural that they would feature prominently in almost any customer list.

The researchers argue that Visa and MasterCard are in an extraordinary position for spotting the pattern of chargebacks and refunds that may reveal the existence of a fake AV processor.

“Payment processors or credit card networks have more information and have a better understanding of the firm’s chargeback constraints and may, therefore, be in a unique position to monitor these firms,” the researchers wrote. In other words, Visa and MasterCard could spot this activity quite easily and take action against the processor if they were motivated to do something about it.

Sometime in the next week, the third and penultimate piece in this series will report on the extent of the overlap between the credit card processing networks exploited by rogue online pharmacies and by the fake AV business.

A copy of the UCSB research paper is available here (PDF).

Tags: Bank Hapoalim BM, Ceska Sporitelna A.S., chargeback, fake antivirus, fake AV, FMBE Bank Limited, International Bank of Azerbaijan, JSCB Bank Standard, mastercard, rogue antivirus, Santa Barbara, UCSB, University of California, Visa