Chapter 30. Behind The Mask

CHRISTIAN ANDRÉ CHMIEL

Czeslaw Ovseenko was a very elusive man. Both Internet research and official inquiries sent to authorities failed to uncover much information about him. In fact, he was barely more than a phantom. There was nothing distinguishing about him, and he kept himself hidden in the background. The photograph in his passport — the only known picture of him — showed a 33-year-old Ukrainian citizen with a face like a child's. But whether the photo really depicted Czeslaw Ovseenko or an imposter, no one knows. Even his residence at the time of this case was uncertain. It was assumed that he was either in Malta, Ukraine or Russia.

But one thing was certain — Ovseenko had to be a technically skilled programmer who was familiar with the production of highly sensitive and complicated software. Even if people did not know his name, the name of his software program was well-known to millions of Internet users. It was so famous that one of the leading software manufacturers offered a bounty of $250,000 for him. Why? Ovseenko not only had broad knowledge in the field of software programming, but he also had a high degree of criminal energy.

Online Sys-Tec Limited, based in Malta, was a software company that specialized in the development, programming and sale of antivirus software. It was founded by a group of software developers and programmers who previously worked together on a large technology project. The majority shareholder in Online Sys-Tec was a woman named Helena Sarantakos. Interestingly, she was not only the owner of the company but also the managing director and held the position of a secretary.

Helena's company offered software products to individuals and businesses to analyze the content of a Windows-operated PC in order to detect and remove malicious programs and files that had surreptitiously been installed on the computer. It was supposed to keep the PC clean and protect it from being infected by such malicious programs again. It purported to scan a computer, identify the invading programs and remove them.

The company offered its products only online. Its Web site featured the current software program and its capability, and customers were able to buy it directly online using their credit cards. The product did not need to be shipped because it was downloaded directly from the Web site. What was sold was aimed mainly at Internet users who had little or no experience in the fight against computer viruses and Trojan horses. Scare tactics were the primary marketing ploy on the Web site.

Picture-Perfect Compliance

I was working as a compliance manager for an international bank that provided credit cards and other financial services to businesses. At the end of November, I received a letter from the United States with a credit card application for a new Internet-based merchant — Online Sys-Tec Limited. The fact that it was sent from the United States but based in Malta did not seem strange to me because several merchants have their headquarters outside Europe. At the time, I did not know that this would be the first unusual event in a series.

Enclosed with the application was a detailed business plan that said:

Online Sys-Tec Ltd. is currently offering an anti-virus product that can be purchased online from the product Web site quickly and easily. The product is a removal utility that will help fight all kinds of spyware, adware, browser hijackers and dialers that are some of the most annoying and pervasive threats in the Internet today. By simply browsing a Web page, you could find your computer infected with one of the above-mentioned malicious programs. The most important step you can take is to secure your system, ideally before something happens. "Virus-Smash" is the most powerful protection program available.

After reading that the software "is the most powerful protection program available," I thought it must be well known but I wondered why I had not heard about it. I decided to conduct a Google search for the product to see what I was missing out on, as opposed to starting the official compliance examination I run on new merchant applications. The results of my online search surprised me. Only 21 results were found for the term Virus-Smash. I began to suspect that the software might not be "the most powerful protection program available." I had a hunch that something might be wrong.

According to my employer's usual compliance procedure, I first ran a background check on Online Sys-Tec. I investigated Dun & Bradstreet's database and had a closer look at the company documents. I was interested in the fact that Helena Sarantakos was not only the managing director of Online Sys-Tec, but was also the managing director of 70 other limited companies registered in Malta. The company documents included a power of attorney signed the same day that the company was registered. With this document, Czeslaw Ovseenko was empowered to act in any capacity for Online Sys-Tec Limited. This power of attorney made me think that Helena Sarantakos was just a stooge and Czeslaw Ovseenko was the true owner.

Next I ran a check in the databases of two major credit card companies. First I searched for the company's name and the managing director but there were no matches for either. After that I searched for a match of the company's address, and more than 100 different results were displayed. This led me to the realization that Online Sys-Tec was probably a shell company. My last step was to run a search for Czeslaw Ovseenko's name, and I actually got a result, which surprised me. Previously, Czeslaw Ovseenko was the managing director of a company named Zarbol Limited, which was located at the same address as Online Sys-Tec. Because of excessive charge-back problems and suspected credit card fraud on the part of Zarbol, the merchant had been terminated. This was the point when I began to deepen the investigation.

Occupational Curiosity

As a compliance manager, I am expected to be skeptical about many things. Because some inconsistencies had already appeared in my first analysis, my natural curiosity was aroused and I launched even more checks. First I wanted an overview of the products that Online Sys-Tec offered. I took a closer look at the company's Web site, which, in the end, would have been connected to our payment system. The Web site looked very professional. Routinely, I checked the product descriptions, the checkout process, the privacy statement, the imprint and the terms and conditions. I was amazed. The Web site was completely compliant in each aspect and requirement of credit card organizations. This was more than unusual. Normally new merchants need to make many changes before we consider them to be in complete compliance with the requirements of credit card organizations. Someone appeared to have done his homework in order to avoid any possible suspicion in case of a review.

However, I did discover a problem with the Virus-Smash software. To have a comprehensive picture of the company, I naturally wanted to test the software program's functionality. After I downloaded the 52-megabyte free version of the software, I was not able to run it. Each time I started the installation process I received an error warning and then the installation would be terminated. I tried to install the software on different computers but each time I had the same result.

Next, I expanded my search on Zarbol Limited in Dun & Bradstreet's database. Unfortunately, the credit rating information for the company was just as meaningless as the information I had found for Online Sys-Tec. Zarbol had been founded and liquidated eight months later. The company's official purpose was the trade of electronic goods. Both the business purpose and the length of time it was in operation indicated that Zarbol Limited might be the predecessor of Online Sys-Tec Limited.

I thought that Zarbol was my key to more information, so I ran a Google search on the name. Unfortunately, only a few general results came up, such as the Web site the company had used when it was in operation. Zarbol also appeared in a report titled "The Secrets of Cybercrime" (http://hostexploit.com) which described in detail the actions of a fake antivirus software program, along with screenshots. The report further said:

The fake anti-virus campaigns work on two levels. The first is installing malware that downloads up to 30 other independent Trojans and key loggers. The second level is the direct billing. Here the victims are misled or forced to buy the dangerous product with their credit card.

The report also provided the number of visitors to Zarbol's Web site each day; there was an average of 40,000 from the United States alone. If Online Sys-Tec Limited was actually the successor of Zarbol Limited, two things were clear. It could be a dangerous product that was used under certain circumstances to collect credit card information. In addition, the software was in a position to generate surprisingly high traffic and to spread extremely fast. I needed to find proof for the connection of these two companies.

Passing of the Torch

After I was unable to run the software program provided by Online Sys-Tec and verify its function, I knew I needed other proof of the connection between these two companies and their apparently fraudulent intentions. My first approach was to compare the Web sites of Zarbol Limited and Online Sys-Tec Limited, based on the URL I already found in my Google search for Zarbol. Unfortunately, the Zarbol Web site had been shut down when the company closed and was unavailable. That left me with two other options to compare the Web sites: the Google cache and the Internet archive (www.archive.org).

The search engine Google stores a copy of each Web page it crawls when building its search index, the so-called Google cache. It can be viewed by individual users and is especially helpful when a Web site has been deleted by the operator. The problem is that the cache is overwritten when the page is crawled again, so the user will only see the latest state of the Web site prior to its closure. This fact was probably known by the employees of Zarbol Limited; when I tried looking in the cache I only received the message "It works!"

I had better luck with the Internet archive (also known as the "Wayback Machine"). In contrast to Google's cache, the archive not only stores the most recent copy, but also keeps records of the previous versions of the Web site. These records allowed me to compare Zarbol's and Online Sys-Tec's Web sites. Visually, there were obvious differences but, interestingly, the menu structure and the content were identical.
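The archive comparison described above can be made repeatable by stripping each page down to the parts a visual re-skin does not change: the sequence of menu links and the body text. This is an added example, not the chapter's own tooling; the two HTML pages are constructed stand-ins, and `Skeleton`, `compare` and the site names are assumed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class Skeleton(HTMLParser):
    """Keep what survives a visual re-skin: link anchors (text, path) and body text."""
    SKIP = {"head", "title", "script", "style"}
    def __init__(self):
        super().__init__()
        self.links, self.words, self._skip, self._href, self._anchor = [], [], 0, None, []
    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []
    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skip -= 1
        elif tag == "a" and self._href is not None:  # normalise: drop host and trailing slash
            self.links.append((" ".join(self._anchor), urlsplit(self._href).path.rstrip("/") or "/"))
            self._href = None
    def handle_data(self, data):
        if not self._skip:
            toks = data.lower().split()
            self.words.extend(toks)
            if self._href is not None:
                self._anchor.extend(toks)

def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0

def compare(html_a, html_b, k=3):
    """Score two pages on link skeleton and k-word text shingles, ignoring markup and styling."""
    a, b = Skeleton(), Skeleton()
    a.feed(html_a)
    b.feed(html_b)
    sh = lambda w: {tuple(w[i:i + k]) for i in range(len(w) - k + 1)}
    return {"links": jaccard(a.links, b.links),
            "same_menu_order": [p for _, p in a.links] == [p for _, p in b.links],
            "text": jaccard(sh(a.words), sh(b.words))}
# Constructed stand-ins for an archived page and its re-skinned successor (not real sites).
OLD_SITE = """<html><head><title>Zarbol</title><style>body{background:#003}</style></head>
<body><div id="top"><img src="/img/logo_old.gif" alt=""><a href="http://old-site.example/">Home</a>
<a href="/download/">Free Scan</a> <a href="/buy/">Buy Now</a> <a href="/support/">Support</a></div>
<p>By simply browsing a web page you could find your computer infected.</p><p>Zarbol Limited</p></body></html>"""
NEW_SITE = """<html><head><title>Virus-Smash</title></head><body class="blue"><table><tr>
<td><a href="/">Home</a></td><td><a href="/download">Free Scan</a></td>
<td><a href="/buy">Buy Now</a></td><td><a href="/support">Support</a></td></tr></table>
<p>By simply browsing a web page you could find your computer infected.</p><p>Online Sys-Tec Limited</p></body></html>"""
```

Running `compare(OLD_SITE, NEW_SITE)` reports an identical link skeleton and menu order despite the different styling, with text similarity below 1.0 only because of the company name in the footer.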

This confirmed my suspicion that Online Sys-Tec was the successor of Zarbol, so I instituted further inquiries to gather more evidence. I examined the Internet protocol (IP) address of Online Sys-Tec's domain more closely. For this I used a handy Web site known as the Robtex Swiss Army Knife, which allows users to search multiple features of any Web site. The first request I made was to determine the owners of the domain. The Whois search I conducted through Robtex indicated that the domain name was registered to a so-called privacy service. They are typically used to conceal a domain's true owner and are often used by shell companies. Privacy services are also used by "high-risk" ventures, such as adult entertainment or gambling, not by pure e-commerce businesses.

This raised the question of why a dealer who was selling antivirus software would conceal his identity. To get more information about the domain holder, I contacted the privacy service by e-mail. Unfortunately I was told that the information I was seeking would be provided only to investigative governmental authorities. This direction of my search hit a dead end.

Next, I decided to look into the IP address. To do this, I first had to identify which domain it was registered to. Again, Robtex was able to provide this information. I then conducted a reverse IP search, which would display any other domains that were registered on the same IP address; unfortunately, this yielded no results. Undaunted, I tried to crosscheck the e-mail server that both Web sites used and found out that Online Sys-Tec's Web site used the same e-mail server as the former Web site of Zarbol.

As the final step, I conducted a test purchase of Online Sys-Tec's software. After I completed the ordering process on the Web site and paid for the software with an immediate bank transfer, I promptly received a confirmation e-mail. There was nothing remarkable about it, except for one small thing: The signature of the automatically generated confirmation e-mail said "Zarbol Limited."

Details Emerge

I presented my evidence to my supervisor for review before handing it over to the control department. According to my research, this was not a minor offense; it seemed that thousands of Internet users had already fallen victim to Online Sys-Tec's scam. Because of this, I suggested that we submit the case to the federal authorities. However, if we were going to hand over the case for possible prosecution, I wanted to ensure that I had not misinterpreted the results of my audit.

My boss and I reviewed the documents that Online Sys-Tec Limited had submitted with the application for a credit card. A closer look at the business plan showed that it had been written very generally, so we conducted a plagiarism test to determine if the text had been copied from a publicly available source, such as another company's Web site. We used an Internet tool called Copyscape to conduct our search. The Web site uses various search engines to look for matches of the provided text on other Web sites.

From this search, we identified four more companies, which were purportedly involved in the sale of antivirus software products. They were based in either Malta or Cyprus, sometimes even at the same address as Online Sys-Tec Limited. Our suspicion hardened that we were dealing with a much larger fraud case than we originally thought.

Since we had four more names, we performed a fresh Internet search on each one. We discovered thousands of complaints from duped Internet users who purchased the antivirus program. A query to credit card organizations identified one bank that had already been affected by this scam — it had lost tens of millions of dollars.

We also uncovered information explaining how this scam works. The Internet user was offered a free virus scan and only had to install it. After downloading and installing the program from the Web page, the software told the user that his computer was not infected by a virus. Depending on the particular site, the program would sometimes tell the user that he did in fact have a virus, but that the software had removed it. Thus the customer thought the process was finished.

However, after about three to seven days, the software reported that the computer had become infected by a virus or a Trojan horse but this was just a ploy for the user to enter his credit card data, allegedly because only the purchased version of the software could remove the virus. If the user ignored this warning, the same message would appear two days later. Over time, the period between the warnings drastically reduced, until the individual could no longer use his computer because the message was popping up every two seconds. Eventually the frustrated user invariably purchased the software just to be able to stop the pop-up warnings and use his computer again.

Alternatively, the user could call a toll-free number to report problems. When presented with complaints of the pop-up warnings, customer service representatives consistently offered the same solution: For a small service charge of $21.99, the software would be disabled and the pop-ups would stop. This was presented to the individual as a preferred alternative to buying the software at full price. Not surprisingly, the user only had to furnish his credit card information over the phone.

The strength of our combined evidence convinced my supervisor to hand over the investigation to the federal authorities. As of this writing, a warrant has been issued for the arrest of Czeslaw Ovseenko, but he has proven difficult to locate. As unfortunately happens in too many Internet fraud cases, the perpetrator's anonymity allows him to slip away.

About the Author

Christian André Chmiel studied at the Euro-FH in Hamburg, Germany, and at the University of Lincoln, Great Britain. He works as a compliance manager at Wirecard Bank AG in Germany and specializes in online investigations for fraud prevention in the acquiring business. His e-mail address is .
