Posted by Jeff Meisner
Editor, Microsoft on the Issues

Microsoft recently announced its 10-year effort to destabilize and disrupt a global organized crime ring that traded in counterfeit software.

I sat down with Microsoft Assistant General Counsel Matt Lundy, Microsoft Online Piracy Senior Program Manager Peter Anaman, and Microsoft Senior Program Manager of Investigations Peter Fifka to learn about this decade-long case.

What can you tell us about this case? What’s the history of the operation?

Peter Fifka: In 2002, Microsoft investigators identified a small group of Eastern Europe-based criminals that were responsible for a website called This organization, which we internally dubbed “CD Cheap,” ran professional-looking e-commerce sites, employing a simple business model to fraudulently trick customers into buying counterfeit software. The online organized crime organization evolved from a physical disc delivery model into a download-focused business model over the span of about five years, from 2002 to 2007. Both models created hundreds of bogus e-commerce sites that were primarily advertised by spam sent using sophisticated techniques, including the criminal use of botnets and Trojan-hijacked computers.

Peter Anaman: A professor at the University of California at San Diego estimated that the criminals behind CD Cheap made up to $3.9 million per month with spam promoting counterfeit software. In fact, at one time, they had more than 4,000 active websites used for spam campaigns. It became evident to our team of investigators that the same crime organization responsible for CD Cheap also owned servers used for counterfeit pharmaceutical sales. Over the course of 10 years, Microsoft was able to work with law enforcement, ISPs, domain registrars, credit card companies and other financial institutions to shut off funding to these criminal organizations, significantly reducing the presence of counterfeit software spam and sites selling counterfeit software and other illegal products.

What can you tell us about these criminals?

Peter Fifka: When they were trading in physical software, they were industrious—we think that this group was one of the first that started using spam as a mechanism to advertise their websites offering counterfeit software. They had a sophisticated structure in place, but were partially traceable when they had to send things through the mail. As they migrated to online sales, they became more difficult to track.

Peter Anaman: Over the span of this operation, this organization had nearly 10,000 websites, all of which were intended to defraud customers into buying counterfeit software. They were hosted in approximately 18 countries around the world, from Canada to Hong Kong and Romania to the United Arab Emirates, and the domain names were registered in 22 different countries.

Matt Lundy: Cybercriminals move at the speed of technology and are not constrained by physical borders. So online criminal networks present a difficult challenge for law enforcement, given they are located and operate in different jurisdictions from every corner of the world.

Peter Anaman: At one point, we identified a number of CD Cheap websites that changed location every few minutes. After investigation, we discovered that they were using an underground service to rotate the websites on infected computers that were part of a botnet of apparently 450,000 “trojaned” systems. Again, in a matter of minutes they would move from being hosted in the U.S. to being hosted in Singapore.

How were you able to cut off their funding, with the organization being so difficult to pin down?

Peter Anaman: We tried so many different things to stop this organization… civil suits, suspending thousands of domains and hosts… nothing worked; the criminals stayed a step ahead. But in 2010, we had a breakthrough. We started to look at website templates to see how branding and website “fingerprints” were similar. Suddenly, when looking at 2,000 sites, we realized that there were really only 75 “look and feels.” From there, we began test purchases, and determined that there were only 12 merchant accounts in use. So a task that might seem daunting when you have 2,000 sites suddenly seems more manageable when you realize they are all tied to 12 merchant accounts.

Essentially, we developed a disruption strategy that focused on the economics of cybercrime—what kept it alive. In partnership with financial institutions, we were able to shut down the merchant accounts of sites that were trading in counterfeit software, as fraudulent activities violate their terms of service. Without a payment processor, a criminal can’t get paid. And where there is no money, there is no incentive. The proof of this came quickly: after only three months of employing this tactic, software spam stopped.

Matt Lundy: Counterfeit products and counterfeit software do not benefit anyone. They don’t benefit businesses, consumers or the economy. So by working together on this issue, we can help promote an online environment that supports legitimate commerce and protects consumers.

Was this alone enough to make them stop?

Peter Anaman: Once their revenue started to slow, the organization panicked because they had bills to pay. Even illegitimate business has an infrastructure it needs to support. Sending spam comes at a cost. Buying domain names comes at a cost. Interestingly, the organization needed to find companies that were willing to process payments for them in an effort to keep the money flowing. In one case, they used a parking garage in Spain; in another, they used a cosmetics store in Azerbaijan. Soon enough, we were victims of identity theft: the credit card we had used for test purchases was used for a number of unauthorized purchases. The criminals were desperate.

Why is all this significant?

Matt Lundy: This case illustrates that by working together, industry stakeholders can leverage existing laws to achieve meaningful progress in the struggle against online counterfeit sales.

Are the counterfeiters in jail?

Peter Anaman: No, they are not in jail… but we’ve created an environment where it is no longer profitable for them to be in this line of work. By reducing the number of criminals in the counterfeit software trade, we are confident that fewer people are being victimized, lured into a false sense of security and freely sharing credit card information and other personal details with people who have nefarious intent.

Can similar tactics benefit others in their fight to reduce online piracy?

Peter Anaman: The techniques we used can be applied to industries other than software, absolutely. In fact, we’ve seen Interpol employ a similar strategy for Operation Pangea, which involved counterfeit pharmaceuticals.

Matt Lundy: Microsoft is committed to doing our part to help combat cybercrime. We value our partnerships with law enforcement across the world, and recognize the resource constraints and challenges they face. Through collaboration with industry and law enforcement worldwide, we will continue working to promote an online environment that provides the greatest level of protection to our customers and legitimate businesses.

For more information about Microsoft’s efforts to make the public aware of the dangers of counterfeit software, visit Microsoft on the Issues and