At the Kiev offices of Innovative Marketing Ukraine, hundreds of programmers, translators and database engineers created a software product that made the company a world leader — an exceptional achievement in the impoverished former Soviet republic.
But the way the company made its multimillion-dollar profits is nothing to celebrate, according to the criminal charges its owners now face in a district court in Chicago.
Innovative Marketing, say investigators and Internet-security researchers, was one of the biggest and cleverest propagators of “scareware” — programs that run fake scans on computers of unsuspecting users and then claim to find viruses that can only be removed by downloading some software. Except the viruses don’t exist and the software — which can cost between $30 and $70 — is either useless or can infect the computer itself.
Scareware is one of the fastest-growing and most prevalent types of Internet fraud. Security-software firm McAfee says it saw a 400% increase in incidents reported last year and predicts the use of scareware will be the most costly online scam in 2010, infecting around 1 million computers per day and bringing in illegal global profits of over $300 million. Charges against Innovative Marketing, run by Swede Bjorn Daniel Sundin and Indian-born Shaileshkumar Jain, put it squarely in the frame as one of the leading perpetrators of the scam.
Sundin and Jain are yet to appear before the Chicago court, which on May 27 charged them with computer fraud and wire fraud, but two months before that indictment they had already been ordered to pay $163 million by a court in Maryland by a default judgment in a civil suit brought against them by the Federal Trade Commission (FTC). The FTC case was a rare victory in the fight against cybercriminals, who use lax law enforcement in countries like Ukraine to stay beyond the reach of the law. “This is one of the largest Internet-based fraud cases the FTC has ever prosecuted,” says Ethan Arenson, an attorney at the FTC who led that investigation. “[Innovative Marketing] were the biggest players in scareware operations for a long time.”
According to the FTC, in 2003, Innovative Marketing began peddling hundreds of antivirus products under names such as WinAntiVirus and DriveCleaner. Misleading advertisements placed on websites — including those of the National Hockey League, the Economist magazine and Major League Baseball — were used to automatically launch the bogus scans before directing the user to purchase the malicious software.
After receiving more than 1,000 complaints from computer users who had been duped, the FTC began tracking the suspects through shell companies set up around the world. A major breakthrough came when Dirk Kollberg, a researcher with McAfee in Germany, decided to investigate Innovative Marketing’s servers in 2008, after discovering that some of its ads were being used to automatically download software without the user’s consent.
Astonishingly, the company’s servers were not password-protected, meaning the information they held was publicly available. The data gave Kollberg an insight into the inner workings of the company and its products. What he saw convinced him that, behind its smart logo and customer-care hotline, Innovative Marketing was producing and selling fake antivirus software on a massive scale. Using figures obtained from the servers, Kollberg calculates that the alleged scam scored $180 million in sales in 2008 alone. His findings helped the FTC build its case against the company.
Attempts to crack down on the scareware industry are hamstrung by the fact that many of the companies are run out of countries with weak legislation, ineffective law enforcement and corrupt officials. Paul Ferguson, a threat researcher at California-based Trend Micro, says a number of major threats have emanated from Ukraine, including the Zeus trojan, which steals bank-account details and ran rampant in early 2009. According to Ferguson, the shifty business is run by organized criminal gangs who trade control of infected computers — and the information stolen from them — for cash “like at a bazaar.” “It’s like the Wild West,” he says. “There’s no sheriff.”
Ukraine is slowly waking up to the need to take on its cybercriminals. The Interior Ministry set up an anticybercrime unit last year, but according to unit leader Ruslan Pakhomov they are fighting an uphill battle. Pakhomov says he lacks vital resources and laments that judges and prosecutors don’t have the knowledge they need to bring cases to a conviction. And in a country where the average wage is a miserable $200 a month, young computer specialists are queuing up for work wherever they can find it — even if it’s at a scareware company. “There are lots of talented, well-educated programmers, but there aren’t enough jobs,” says Pakhomov. “They try to find a place to use their skills.”
According to profiles posted on the LinkedIn careers networking website, former Innovative Marketing staff are now working at leading banks and consulting companies, while others have moved to another Kiev-based antivirus software company. Innovative Marketing’s former bosses, meanwhile, are facing their day in court. According to the U.S. Department of Justice, Sundin is believed to be in Sweden, while Jain is thought to be in Ukraine and is listed as wanted by Interpol. A third defendant from Ohio is expected to present himself for arraignment at the Chicago court at a later date.
As far as anyone can tell, Innovative Marketing shut its doors last year, but Ukraine’s Interior Ministry says it could still be operating from another location. McAfee researcher Kollberg says many of the scareware scams traced to the company are still running, although it’s difficult to tell who is behind them now. “If you have a business and you’re making hundreds of millions,” he says, “why would you just give it up?”