Payment Processing and Unlicensed Online Pharmacies by Damon McCoy
Presented at the 2012 Partnership for Safe Medicines Interchange on September 28, 2012
1. PRESENTATIONS
PAYMENT PROCESSING AND
UNLICENSED ONLINE PHARMACIES
DAMON MCCOY
GEORGE MASON UNIVERSITY
SEPTEMBER 28, 2012
NATIONAL PRESS CLUB
WWW.SAFEMEDICINES.ORG
2. Payment Processing and Unlicensed
Online Pharmacies
Damon McCoy
George Mason University
joint work w/Neha Chachra, Brandon Enright, Mark Felegyhazi (ICSI), Chris Grier
(Berkeley), Tristan Halvorson, Grant Jordan, Chris Kanich (UIC), Christian Kreibich
(ICSI), Kirill Levchenko, He “Lonnie” Liu, Justin Ma, Vern Paxson
(ICSI/Berkeley), Andreas Pitsillidis, Stefan Savage, Geoff Voelker, and Nick
Weaver (ICSI)
3. • Context
– Unlicensed online pharmacies
• Why payments are where the action is
• Major doings in the last 10 months
4. Advertising-based e-crime
• Range of abuse vectors to reach consumer
– E-mail spam, SEO, OSN abuse, blog spam, etc.
• Range of products/services advertised
– Pharma, replica luxury goods, apparel and
electronics, pirated movies, music, books and
software, diplomas, porn, gambling (*)
• Monetized directly & knowingly by consumers
9. High-Risk Merchant Accounts
• “High-risk” accounts
– Property of merchant (no history, big turnover) or of category (pharma, gambling, porn, etc.)
– Risks: chargebacks, non-repayment (e.g., fines)
– Only some banks willing to underwrite high-risk
• Risk controls
– Higher fees, rates, holdback (10% 180 days)
10. Costs?
• Up-front money (to set up account)
• Fees (both monthly and per transaction)
– Up to $1-2 per transaction
• Discount rate (percentage of each sale)
– e.g., 0.02 for “normal” transactions; pharma 0.10-0.15, I’ve seen even higher for FakeAV
• Chargebacks (both cost and penalty)
• Fines (passed on by acquirer)
11. • Aug 1 -- Oct 31 2010
• 7 URL/Spam feeds + 5 botnet feeds
• 968M URLs
• 17M domains
• Crawled domains for 98% of URLs in
• 1000s of Firefox instances
• Large IP address diversity
• Hundreds of purchases
• Unique card # per order
• Full transaction data
13. Merchant Banks (circa late ‘10)
[Figure labels: St. Kitts & Nevis, AGBank, DnB NORD]
• Low diversity
– 3 banks covered 95% of pharma/replica/software spam
– Fewer banks willing to handle “high-risk” merchants
• High switching cost
– Time: In-person account creation, due diligence
– Money: Upfront capital, holdback forfeiture
14. Hypothesis
• If we could target merchant accounts…
– Could demonetize entire system
– Asymmetry that favors the good guys!
15. So… What Happened Since?
• A stew of activities
– Encouragement from D.C.
– Brand interest
– Card association cooperation
– Complex politics around SOPA/PIPA/etc
• Leads to two major changes
– Visa Global Brand Protection Program (GBPP)
– Targeted merchant intervention (IACC & brands)
16. Essence of Targeted Intervention
• Undercover test purchase at counterfeit site
– Only needs to authorize to get BIN
• IP holder notifies card network (e.g., Visa/MC)
– Investigation
– Complaint delivered to acquiring bank
• Leverage via card association contract
– Remember acquirer owns liability
– Fines, increased scrutiny, de-association
• Merchant account shutdown
17. So… Does it Work?
• Bottom line: Yes
• We tracked bank association w/affiliate programs for over 18 months (continuing…)
– ~800 purchases (Visa only)
• Tracked impact of targeted complaints
– 170 against 25 distinct programs; takedown in 30 days or less is typical
• Joined programs to get damage assessment from inside
McCoy, Dharmdasani, Kreibich, Voelker and Savage,
Priceless: The Role of Payments in Abuse-advertised Goods, ACM CCS 2012
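Added example (not from the presentation or the cited paper): one way to analyze test-purchase records of the kind described on slides 13 and 17, computing how few acquiring banks cover a given share of advertised programs and when a program's bank changes. Program names, bank names, dates and weights are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (affiliate program, purchase date, acquiring bank
# identified from the authorization). All names are invented placeholders.
PURCHASES = [
    ("program-A", date(2011, 1, 5), "Bank-1"),
    ("program-A", date(2011, 3, 9), "Bank-1"),
    ("program-A", date(2011, 4, 20), "Bank-4"),
    ("program-B", date(2011, 1, 12), "Bank-2"),
    ("program-C", date(2011, 2, 2), "Bank-1"),
    ("program-D", date(2011, 2, 8), "Bank-3"),
    ("program-E", date(2011, 2, 15), "Bank-5"),
]
# Constructed weights: each program's share of observed spam volume (percent).
SPAM_SHARE = {"program-A": 40, "program-B": 30, "program-C": 15,
              "program-D": 10, "program-E": 5}

def bank_timeline(purchases):
    """Per program, the dated points at which the observed bank changes."""
    timeline = defaultdict(list)
    for program, day, bank in sorted(purchases, key=lambda p: p[1]):
        if not timeline[program] or timeline[program][-1][1] != bank:
            timeline[program].append((day, bank))
    return dict(timeline)

def banks_covering(purchases, weights, threshold, as_of):
    """Fewest banks (largest first) whose programs carry >= threshold of
    total weight, using each program's latest bank seen on or before as_of."""
    per_bank = defaultdict(float)
    for program, changes in bank_timeline(purchases).items():
        seen = [bank for day, bank in changes if day <= as_of]
        if seen:
            per_bank[seen[-1]] += weights[program]
    total = sum(per_bank.values())
    chosen, covered = [], 0.0
    for bank, weight in sorted(per_bank.items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= threshold * total:
            break
        chosen.append(bank)
        covered += weight
    return chosen, (covered / total if total else 0.0)

if __name__ == "__main__":
    print(banks_covering(PURCHASES, SPAM_SHARE, 0.95, date(2011, 3, 31)))
    print(bank_timeline(PURCHASES)["program-A"])
```

A bank change in a program's timeline shortly after a complaint is the kind of signal the tracking on slide 17 looks for; a rising bank count for the same coverage threshold indicates programs being pushed off their original acquirers.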
21. Glavmed
6/29/2012
Dear Partners,
As you may have noticed, in the last couple of days we've had problems
with processing. We don't have a solution yet, and there is no concrete
time when it will be resolved.
…….
From this point forward, GlavMed is switching to a "PAUSED" mode. No
new orders will be processed until the processing issue is resolved.
……..
We urge you to temporarily switch your traffic to other shops/projects.
22. Life is Tough all Around…
“Right now most affiliate programs have a mass of declines, cancels and
pendings, and it doesn't depend much on the program imho, there is a
general sad picture, fucking Visa is burning us with napalm (for problematic
countries, it's totally fucked, on a couple of programs you're lucky if you get
50% through).”
23. Summary
• Much of crime ecosystem is funded by Western consumers via payment cards
• The banking relationship is the bottleneck resource in the business model
– Can’t be hidden, high switching cost, valuable
• Payment intervention is hugely effective when done right