Skip to content ↓ | Skip to navigation ↓

A man who spent years on the run from the FBI for his part in a lucrative criminal operation that spread scareware via the Minnesota Star Tribune website has finally been sent to prison.

Twenty-nine-year-old Peteris Sahurovs (also known as “Piotrek” and “Sagade”) was sentenced this week by a U.S. court to 33 months in prison for conspiracy to commit wire fraud.

The story starts in February 2010 when visitors to the website of The Star Tribune, Minnesota’s largest newspaper, reported seeing fake alerts that their computers were infected by malware.

Scared users were informed that their PCs had a security problem and were urged to purchase software called “Antivirus Soft” at a price of $49.95 to fix the issue.

Inundated with reports from readers, The Star Tribune disabled all of its online advertising while it investigated the incident. It also published a warning to readers:

We have received reports that a third-party advertising network has been placing a “Malware Ad” onto our site.

A “Malware Ad” is a potentially malicious ad that could contain a virus or attempt to get you to pay for unsolicited services. The ad informs you that your machine has been infected with a virus and that you should click it to run a scan on your machine. We do not approve of this ad and consider it a potential security threat to your computer — although we do not yet know that for certain.

We take this situation very seriously and are responding aggressively to get it resolved. We have removed all ad networks from our site. All advertising networks will be required to perform complete a check of every ad they run, and to verify that they are not running this ad, before we allow them to run on our site.

The newspaper later confirmed that some of the ads it had served to visitors had been malicious. It subsequently informed the authorities, who launched in investigation into the scheme’s origins.

The method used to spread scareware via the newspaper’s website was impressive in its audacity. Rather than hacking into the newspaper’s server and planting malicious code, the gang created a bogus advertising agency and pretended to be representing the Best Western hotel chain that – they claimed – wished to place online adverts on startribune.com.

At first, ads served up by the fake advertising agency were benign, but after a few days, the advertisements were switched for ones that served up malware, slowed down computers and displayed security warnings.

The attack on Star Tribune readers came after a spate of other malvertising attacks via other online news websites. In one instance, criminals posed as internet telephone company Vonage and persuaded NYTimes.com to run ads that initially appeared as legitimate online adverts.

Many of the scareware attacks successfully presented themselves as professional-looking security products in an attempt to more easily lure victims into paying up. In some cases, the bogus anti-virus software looked better than the genuine article!

Over time, criminals have tended to move away from using scareware to trick users into handing over money. Many switched to directly extorting funds from their victims through ransomware.

Sahurovs, who provided bullet-proof hosting services for online criminals and offered technical support to the scareware scheme launched against readers of the Minnesota Star Tribune, was initially arrested in Latvia in June 2011, but was later released and went on the run. At one time, Sahurovs was listed by the FBI as their fifth most-wanted cybercriminal. Rewards of up to US $50,000 were offered for information that could lead to his apprehension and conviction.

Sahurovs was found in Poland in November 2016 by local law enforcement and finally extradited to the United States in June 2017.

After serving his prison sentence, Sahurovs will be sent back to Latvia.

 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

['om_loaded']
['om_loaded']