Scareware scheme operator thrown behind bars for targeting US media

Visitors of the Minneapolis Star Tribune found their computers infected with malware and were exposed to fake Windows support messages.
Written by Charlie Osborne, Contributing Writer on

A Latvian national has been issued a prison sentence for his role in a scareware operation that targeted visitors of the Minneapolis Star Tribune website.

Peteris "Piotrek/Sagade" Sahurovs, a 29-year-old, was sentenced after being on the run for a number of years, the US Department of Justice (DoJ) said on Wednesday.

Sahurovs was originally wanted for questioning back in 2011 and was arrested on a District of Minnesota indictment in Latvia in the same year. However, after a local court released him, the man fled.

The suspected cybercriminal, who was once on the FBI's most wanted list for a $50,000 bounty, was discovered in Poland in late 2016.

Local law enforcement caught up with Sahurovs and he was extradited to the United States in the following year.

Sahurovs was accused of operating a "scareware" scheme in which readers of the Minneapolis Star Tribune were exposed to malvertising which led to fraudulent websites and malware payloads, as well as fake Windows support pop-ups and messages which attempt to frighten users into purchasing "antivirus" software to clean their PCs.

TechRepublic: Simple ways to avoid malware on all your devices

From at least May 2009 to June 2011, Sahurovs was the operator of "bullet-proof" hosting services in Latvia. So-called bullet-proof services are offered to customers who desire anonymity online, as well as a means to host illegal and criminal material.

In May this year, US prosecutors seized 10 dedicated servers belonging to the MaxiDed bullet-proof hosting service. Operating under the mantra of "Don't ask, Don't tell," the service was linked to illegal material including child pornography.

In the Latvian national's case, his web hosting service was used to "perpetrate criminal schemes," according to US law enforcement. This included malware hosting, fake antivirus software, spam, and botnet support.

See also: A question of security: What is obfuscation and how does it work?

"[Sahurovs] received notices from Internet governance entities (such as Spamhaus) that his servers were hosting malicious activity," US prosecutors say. "Nonetheless, Sahurovs admitted he took steps to protect the criminal schemes from being discovered or disrupted and hosted them on his servers for financial gain."

In February 2010, the Minneapolis Star Tribune began showing visitors online ads apparently for Best Western hotels.

However, 48 hours later, visitors began to find the ads had served malware, causing slow system performance, unwanted pop-ups, and in some cases "total system failure," according to prosecutors.

The malvertising scheme also pushed forward fake Windows security alerts which claimed that visitor PCs were infected and they had to buy "Antivirus Soft," a fake antivirus solution, for $49.95 to clean and protect their systems.

Visitors who purchased the software would be issued a file that did not perform any security-related activities -- beyond disabling the malware deployed by the malicious ads.

Sahurovs admitted that for his role and server use, he made between $150,000 and $250,000 through the campaign.

CNET: Fake cryptocurrency app installs ransomware on your computer

After pleading guilty on February 7 to wire fraud, District Judge Ann Montgomery of the District of Minnesota sentenced Sahurovs to 33 months in prison.

Once the sentence has been served, the Latvian national will be removed from the US and sent back to his home country.

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards