Payment Processing and Unlicensed Online Pharmacies by Damon McCoy

P R E S E N TAT I O N SP AY M E N T P R O C E S S I N G A N DUNLICENSED ONLINE PHARMACIESDA M O N M C C OYGEORGE MASON UNIVERSIT YSEPTEMBER 28, 2012N AT I O N A L P R E S S C L U BWWW.SAFEMEDICINES.ORG

Payment Processing and Unlicensed Online Pharmacies Damon McCoy George Mason Universityjoint work w/Neha Chachra, Brandon Enright, Mark Felegyhazi (ICSI), Chris Grier(Berkeley), Tristan Halvorson, Grant Jordan, Chris Kanich (UIC), Christian Kreibich (ICSI), Kirill Levchenko, He “Lonnie” Liu, Justin Ma, Vern Paxson (ICSI/Berkeley), Andreas Pitsillidis, Stefan Savage, Geoff Voelker, and Nick Weaver (ICSI)

• Context – Unlicensed online pharmacies• Why payments are where the action is• Major doings in the last 10mos

Advertising-based e-crime• Range of abuse vectors to reach consumer – E-mail spam, SEO, OSN abuse, blog spam, etc.• Range of products/services advertised – Pharma, replica luxury goods, apparel and electronics, pirated movies, music, books and software, diplomas, porn, gambling (*)• Monetized directly & knowingly by consumers

Example: RX-Promotion Direct costs: 70.8%Indirect costs: 12.8% Profit: 16.3%

Where Does the Money Come From?

Where Does the Money Come From?• Consumer payment networks• Of $173M in Glavmed/Spamit revenue – 67% Visa, 23% Mastercard, 6% Amex, 3% echeck McCoy, Pittsillidis, Jordan, Weaver, Kreibich, Krebs, Voelker, Savage, Levchenko, Pharmaleaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, USENIX Sec 2012

Example: Mailien Pharma Spam

High-Risk Merchant Accounts• “High-risk” accounts – Property of merchant (no history, big turnover) or of category (pharma, gambling, porn, etc) – Risks: chargebacks, non-repayment (e.g., fines) – Only some banks willing to underwrite high-risk• Risk controls – Higher fees, rates, holdback (10% 180 days)

Costs?• Up-front money (to set up account)• Fees (both monthly and per transaction) – Up to $1-2 per transaction• Discount rate (percentage of each sale) – e.g., 0.02 for “normal” transactions; pharma 0.10- 0.15, I’ve seen even higher for FakeAV• Chargebacks (both cost and penalty)• Fines (passed on by acquirer)

• Aug 1 -- Oct 31 2010• 7 URL/Spam feeds + 5 botnet feeds • 968M URLs • 17M domains• Crawled domains for 98% of URLs in • 1000s of Firefox instances • Large IP address diversity• Hundreds of purchases • Unique card # per order • Full transaction data

Merchant Banks (circa late ‘10) St. Kitts & Nevis AGBank• Low diversity DnB NORD • 3 banks covered 95% of pharma/replica/software spam • Fewer banks willing handle “high-risk” merchants• High switching cost • Time: In-person account creation, due diligence • Money: Upfront capital, holdback forfeiture

Hypothesis• If we could target merchant accounts… – Could demonetize entire system – Asymmetry that favors the good guys!

So… What Happened Since?• A stew of activities – Encouragement from D.C. – Brand interest – Card association cooperation – Complex politics around SOPA/PIPA/etc• Leads to two major changes – Visa Global Brand Protection Program (GBPP) – Targeted merchant intervention (IACC & brands)

Essence of Targeted Intervention• Undercover test purchase at counterfeit site – Only needs to authorize to get BIN• IP holder notifies card network (e.g., Visa/MC) – Investigation – Complaint delivered to acquiring bank• Leverage via card association contract – Remember acquirer owns liability – Fines, increased scrutiny, de-association• Merchant account shutdown

So… Does it Work?• Bottom line: Yes• We tracked bank association w/affiliate programs for over 18mos (continuing…) – ~800 purchases (Visa only)• Tracked impact of targeted complaints – 170 against 25 distinct programs; takedown in 30 days or less is typical• Joined programs to get damage assessment from inside McCoy, Dharmdasani, Kreibich, Voelker and Savage, Priceless: The Role of Payments in Abuse-advertised Goods, ACM CCS 2012

Major Pharma Affiliates

Major Banks Serving Pharma (last 18mos) State Bank of Mauritius becomes “go to” bank for medium programs Growth of Bank of China 19

FYI:The Big Pharma Acquiring Banks Today 20

Glavmed6/29/2012Dear Partners,As you may have noticed, in the last couple of days weve had problemswith processing. We dont have a solution yet, and there is no concretetime when it will be resolved.…….From this point forward, GlavMed is switching to a "PAUSED" mode. Nonew orders will be processed until the processing issue is resolved.……..We urge you to temporarily switch your traffic to other shops/projects.

Life is Tough all Around…“Right now most affiliate programs have a mass of declines, cancels andpendings, and it doesnt depend much on the program imho, there is ageneral sad picture, fucking Visa is burning us with napalm (for problematiccountries, its totally fucked, on a couple of programs youre lucky if you get50% through).”

Summary• Much of crime ecosystem is funded by Western consumers via payment cards• The banking relationship is the bottleneck resource in the business model – Can’t be hidden, high switching cost, valuable• Payment intervention is hugely effective when done right

Payment Processing and Unlicensed Online Pharmacies by Damon McCoy

by The Partnership For Safe Medicines on Sep 27, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Payment Processing and Unlicensed Online Pharmacies by Damon McCoy Presentation Transcript