Back in February 2010, the Minneapolis StarTribune website was the victim of a malvertising exploit. Visitors to the Strib website would download malware that caused the computer to become slow and malfunction. Then a pop-up window would appear that advised the visitor that their computer was infected with malware, and the purchase of a $49.95 anti-malware product would solve the problem. I remember working on the computers of several clients who had fallen for the scam.
It turned out that two Latvian cyber-criminals were responsible, and had created a Florida shell company that bought hotel advertising on the StarTribune.com website. The ad ran on November 19, 2010, and two days later, they inserted malicious code into the add that cause the browser pop-ups to appear whenever someone visited the page the ad was on. The pair made $2 million dollars before the ad was taken down the following day. We wrote about this on July 7, 2011.
The perpetrators, Peteris Sahurovs and Marina Maslobojeva, a husband and wife team, were originally arrested in Latvia. Sahurovs and Maslobejeva were released by the Latvia court while waiting to stand trial. Sahurovs fled. At this point, the status of Maslobojeva is unknown, but it appears she was not extradicted by the Latvian prosecutor.
The FBI reported on June 12, 2017:
“PETERIS SAHUROVS, 28, a/k/a “Piotrek,” a/k/a “Sagade,” was indicted in 2011 in the District of Minnesota on charges of wire fraud, computer fraud and conspiracy. SAHUROVS was arrested on the indictment in Latvia in June of 2011. He was released by a Latvian court and later fled. In November of 2016, SAHUROVS was located in Poland and apprehended by Polish law enforcement, after which the U.S. began extradition proceedings. SAHUROVS was at one time the FBI’s fifth most wanted cybercriminal and a reward of up to $50,000 had been offered for information leading to his arrest and conviction.”
The story of Sahurovs and his young wife Marina Maslobojeva, reads like a crime novel, so I encourage you to check out the Twin Cities Business and StarTribune reports below. If you are a regular reader, you know that I occasionally get distracted from my usual cybersecurity dissertations to follow a particular cyber-criminal case . This usually happens when I’ve reported on the original exploit in this web log, as is the case now.
I haven’t seen a lot of “rogue security program” exploits like this one in years. Most malvertising exploits are prevented by better advertising scanning and analysis that looks for malicious code in ads before they are placed on the website. But I know that “scareware” fake security pop-ups are still appearing, so malicious ads are still getting through. The game now is usually to trick you into calling a toll-free support number, where some “Microsoft tech support” agents in India will relieve you of about $300. There are differences between the legitimate pop-up warnings spawned by your actual security program, and the fake pop-ups, and I suggest you learn to recognize the real thing. Learn the name of your security product. It will appear in the title bar of a real pop-up alert. Pop-ups from any other source are likely to be fake.
- US Department of Justice
- Twin Cities Business
- StarTribune online 2011 story
- StarTribune online 2017 story