Scan4You Operator Gets 14-Year Prison Sentence
Counter-AV Service Tied to $20.5 Billion in Losses, Likely Including at Target
Scan4You, a notorious cornerstone of the cybercrime-as-a-service economy that allowed malware developers to more easily create code to bypass anti-virus defenses, has been dismantled, and its Latvian technical administrator has been sent to prison.
On Friday, Ruslans Bondars, 38, a Latvian "non-citizen," meaning a citizen of the former USSR, was sentenced to serve 14 years in U.S. federal prison. He'd been residing in Riga, Latvia, until his arrest in April 2017 and extradition to the U.S. to face a four-count indictment.
Bondars was charged with running Scan4You, an online service designed to counter anti-virus software that the U.S. Justice Department says had at least 30,000 users who collectively committed at least $20.5 billion in fraud.
On May 16, following a five-day jury trial in the U.S. District Court for the Eastern District of Virginia, Bondars was convicted of one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of conspiracy to commit wire fraud and one count of computer intrusion with intent to cause damage and aiding and abetting. He'd faced a maximum of up to 35 years in prison.
"Ruslans Bondars helped malware developers attack American businesses," says Assistant Attorney General Brian A. Benczkowski of the Justice Department's criminal division. "The Department of Justice and its law enforcement partners make no distinction between service providers like Scan4You and the hackers they assist: We will hold them accountable for all of the significant harm they cause and work tirelessly to bring them to justice, wherever they may be located."
Bondars' partner in crime, Moscow-based Jurijs Martisevs, a Latvian citizen - and according to some reports, also a citizen of Russia - was also arrested in April 2017, when he was visiting Latvia, and extradited to the U.S.
A partially redacted, superseding indictment from April charged both men with four offenses, including wire fraud and violating the CFAA. It said Bondars was the technical mastermind, serving as Scan4You's administrator and maintaining its infrastructure and APIs, while Martisevs focused more on business development and providing customer support via email, ICQ, Jabber and Skype.
In March, Martisevs reached a plea deal with the U.S. Department of Justice, pleading guilty to two charges - conspiracy and computer intrusion. According to the plea deal, the 36-year-old also agreed to forfeit all proceeds from his criminal activities, which both parties agreed amounted to at least $126,000.
Martisevs has yet to be sentenced. Some documents pertaining to the case remain under seal.
Scan4You's Rise and Fall
Scan4You operated from 2009 until at least Oct. 12, 2016, court documents say. It was marketed via a dedicated website, as well as an Onion site reachable only via the anonymizing Tor browser, as a "no distribute scanner." According to court documents, it functioned like an illicit version of VirusTotal, allowing users to see if their malicious code might get flagged as such by AV engines.
VirusTotal, however, shares scan results publicly, meaning that once malware gets uploaded, any anti-virus engine might then be able to flag it, whereas Scan4You promised anonymity, and it never shared samples.
As Information Security Media Group reported in 2014, Scan4You enabled criminals to create even more automated attacks. One cybercrime group, for example, wrote a script that regularly submitted one of their pieces of attack code to Scan4You and received an alert via ICQ when five of the 35 anti-virus engines running on Scan4You classified the code as malware. The script would then repack - or reobfuscate - the attack code and redistribute it to infected endpoints, instructing them to delete the old version and replace it with the new (see Hackers Grab 800,000 Banking Credentials).
Apparent Tie to Target Breach
Court documents suggest that one Scan4You user hacked Target. The Department of Justice said that in the case of a "major retail store located in the United States," the service had been used to test malware.
"A Scan4you customer, for example, used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion," the Justice Department says.
Martisevs also admitted to helping franchise Scan4You by letting sites outside of Russia tap the infrastructure. Scan4You's functionality also was built into the notorious Citadel banking Trojan, which was tied to over 11 million infections worldwide and more than $500 million in losses (see Russian Citadel Malware Developer Gets 5-Year Sentence).
"The Citadel developer took advantage of a special feature of Scan4you that allowed its integration directly into the Citadel malware toolkit through an application programming interface, or API," the Justice Department says. "The API tool allowed Scan4you users the flexibility to scan malware without the need to directly submit the malware to Scan4you's website."
Upsides to Shutting Down Scan4You
Last year, other "no distribute scanners" - including AnonScanner, RazorScanner and BlackShades Scanner - also disappeared.
Stopping these types of "counter anti-virus" services helps put a dent in cybercrime. "Since CAV services like Scan4You make it easier for a budding actor to climb the cybercriminal career ladder, stopping such a large CAV service is an important preventive measure to make it more difficult for young actors to venture into cybercrime," security researchers from Trend Micro said in a May research report. "Stopping these services also helps increase the costs of malware campaigns of more experienced actors who appear to be using CAV services. Finally, putting a stop to these types of services also sends a strong message to the underground that facilitating cybercrime can lead to arrests and prosecution."
Trend Micro says the two Scan4You operators did more than just provide CAV services, noting that they were participants in cybercrime rackets since at least 2006. "They were also involved in one of the largest and oldest pharmaceutical spam gangs, known as Eva Pharmacy," it said. "The group is infamous for the illegal sales of prescription drugs that they carefully marketed through spam and search engine optimization. They were also involved in the spread of banking malware like SpyEye and Zeus" (see Zeus Banking Trojan Spawn: Alive and Kicking).