back to article Feds crack multi-million scareware ring

The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m). Operation Trident Tribunal seized more than 40 computers and servers and arrested two people in Latvia. 22 computers were seized in the US along with 25 machines in France, Germany, Latvia, Lithunia, …


This topic is closed for new posts.
  1. Conrad Longmore
    Thumb Up


    As far as I can tell, the Latvian hosting company was Sagade. Good riddance!

  2. Piers

    $72m ($45m) - Grauniad much?

    "About 960,000 machines were infected with the scareware and $72m ($45m) extracted from worried users."

  3. Richard Jukes


    Having just spent a day removing such a virus from a laptop, I feel that I should be allowed half an hour with the none volatile rubber reprogramming tool and the ring leaders in a sound proofed cell.

    Hat's of to them in some respects, it must have took a lot of work to get the the scareware looking and working as it does.

    1. Z 1


      Same here, spent all of last night remove crapware from a machine. Though in dealing with these arseholes, I'd want to use a "customised" cattleprod, some old rolled carpet and black bin bags.

      1. Neil Greatorex

        Buy a copy of Malwarebytes

        Boot into safe mode, run, 10-20 minutes job done..

        I've lost count of the number of FF&N computers I've removed this crap from.

        The free version also works but the $25 cost is well worth paying for the time saved.

        1. Wallyb132

          Your statement gives the wrong impression

          Your comment gives the impression that the paid version of MalwareBytes Anti-Malware scans faster than the free version which isnt true, the free version and the paid version use the same scan engine, the paid version just adds a protection module that offers realtime protection.

          MalwareBytes scan engine is unmatched on detection and removal, the realtime protection module however lacks too much to be considered as a viable protection suite.

  4. Version 1.0 Silver badge


    All of which would have been collected via credit cards ... and therefore leaving a trail. Of course, if they'd been running a gambling site or streaming football programs then they would have been caught much earlier.

    But assuming they have 50% overhead then that still leaves $36m - how do you stash that sort of loot away? Where's the money? It's harder than you'd think to stash that sort of amount away and not leave traces - so either the total amount is wrong - or there's more going on than we're told?

    At $72m then the credit card fees to Visa and Master-card alone would have been well over $2m.

    1. Thomas 18

      probably in bank space

      Just because it came out of the pockets of the credit card companies doesn't mean it ended up in the pockets of the crooks. I'm guessing authorities seized it back from bankspace it or it was laundered by some criminal outfit and they have it.

  5. Anonymous Coward

    Windows Recovery?

    Anyone know what scareware these guys produced? A friend's PC got infected with "Windows Recovery" - which worked exactly the way described in the article. It was a nightmare to remove and I was quite impressed with how real it actually looked. It even went to the trouble of hiding all files on your computer to make it look as if you really had lost everything...

  6. Anonymous Coward

    I fucking hate these people

    Far more than hackers and writers of 'proper' viruses.

    Nuke because it's the only way to be sure.

  7. pricer

    Scareware Names

    Fake versions from this ring include (via FBI press release):

    Virus Shield

    Antivirus or VirusRemover.

    We've had 3 instances of these scareware attacks in the last 2 weeks alone (none of the above) on both XP and Win7 machines - fake GUI, hides all your folders, redirects web traffic through a proxy and stops executables (such as TDSS Killers) from running - and neither McAfee or MalwareBytes seemed to fix the issue ('FakeAlert!grb' trojan and TDSS rootkit) - eventually determined it was quicker to reformat the affected machines.

    Presumably, with the FBI et al, following the money trails/traces, more of these rings should be sought over the short-term?

    1. Anonymous Coward

      We normally get...

      3 instances of this a week, on a bad week, 5+

      This week we've have over 80 instances for us here and almopst 400 over the four comanies that all work together here. We did point this out to the Reg but its been ignored. As of this afternoon they are still comming thick and fast.

      We caught one of these in progress, grabbed the .exe uploaded it to and on Monday only Sophos could see it. Tuesday evening out of 15, only Sophos, Avira, Bitdefender and F-Secure could see it. Not tried yesterday or today.

      Bullguard didnt return our call (as a reseller we get gold support) then gave us a load of rubbish about how their software can stop it because its exceeelnt. Erm I called you to say it HAS infected your machines.

      Alwill (Avast) called us back and asked for samples, screenshots etc.

      Updating JVM and Flash wont help either, so god only knows how its coming in.

      So well done boys but please keep on it.

    2. Hairy Scary

      @ pricer

      I had that problem on a friends machine, even in safe mode no exe progs would run ---- got malwarebytes installed by renaming the installer extension to .scr, once installed, renamed mbam.exe to mbam,scr -- it then ran and cleaned up the infection.

  8. jonm01

    Interweb is broke

    Seriously, the internet is broken as far as I see it. When you can all but ruin your PC just by surfing the web then something is very badly wrong. We've had these on work machines several times now, often they are infected from just looking for legitimate looking stuff on google images. If you're lucky they are easy to remove with malwarebytes, but the one I had on my machine was really nasty, installing rootkit stuff that was only fixable with Combofix and it's still not 100% now. These people need to be shot. I am not joking.

  9. Anonymous Coward
    Anonymous Coward

    Got it twice

    It sidestepped Avast with ease both times. Got it from viewing a picture on imageshack, which was a surprise. Booted into safe mode and deleted the executables, easy fix. Now using MSE, fingers crossed...

  10. Terry Kiely
    Thumb Up

    easy to fix

    try 'combofix'

    takes ten mins and strips this rubbish (and a lot of others) out while cleaning up your registry

    hats off to Combofix writers

    1. Anonymous Coward
      Anonymous Coward

      Downvoted for failure to read.

      Previous poster noted he RAN combo-fix and it still doesn't work properly. This shit can be nasty - reinstall paths through obfuscated registry entries, rootkits, etc. I'm nearly to the point of just runing the wipedisk program, then the rootkit remover, and finally installing a fresh copy of the OS.

  11. dssf

    I wonder if this is tangentally related to the recent confiscation of servers in

    Reston, VA... data center raid.

  12. Nexox Enigma

    I hate to be that guy...

    ...but man, these are problems I just don't miss at all from my Windows days, though back then if you used Firefox or Opera there wasn't much risk of infection anyways. Clearly everyone should run OpenBSD : -)

  13. Goldberg

    easy money

    You guys happy this happened ?

    Don't you just love it working in pc repair shops and idiots who get infected with these come to seek help ?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020