The Rise and Fall of Scan4You

The Rise and Fall of {Scan4You}

In May 2017, Scan4You, one of the biggest cybercrime facilitators, went offline after the FBI arrested and extradited two main suspects. The case against its operators concluded in a Virginia federal courtroom in May 2018. We delved into Scan4You’s activities from 2012 until it went offline in 2017.

Scan4You started in 2009 and eventually became one of the largest counter antivirus (CAV) services. Malware authors use these services to scan their malware against AV detection, allowing them to tweak their malware to reduce detection rates and increase infection chances.

Some of the CAV services may have started as an internal tool by cybercriminal groups, like Rove Digital’s. Business associates may have subsequently joined, and the service may have eventually opened to anyone willing to pay for it.

Anybody could sign up on Scan4You, which offers 100,000 scans per month for US$30 and US$0.15 for single scans. Payment methods include Paypal, WebMoney, and Bitcoin. The unique selling point promoted on its website: It doesn't share any data with any AV and cybersecurity company.

Scan4You was also popular among smaller CAV service resellers, including Indetectables (for Spanish markets) and RazorScanner (German). RazorScanner’s owner was arrested in April 2016 while’s British owner was sentenced to two years in prison in January 2018 as the result of collaboration between the U.K.’s National Crime Agency (NCA) and Trend Micro.

Scan4You was operated by Ruslans Bondars (b0rland/Borland) and Jurijs Martisevs (Garrik). They have been climbing the cybercriminal career ladder since at least 2006, and have since become infamous in the underground.

That they branched off into their own cybercriminal ventures is unsurprising: They were directly involved with Eva Pharmacy, which sold prescription and non-FDA-approved drugs. They also mounted banking malware campaigns and sold stolen credit card data.

Running a CAV business is neither easy nor lucrative. Based on the scans and their pricing model, Scan4You could have earned up to US$15,000 per month in 2013. While it may have eventually doubled or tripled, it still pales in comparison to what could be earned from click fraud or internet banking fraud.

Despite Scan4you’s claim that they don’t share data with AV companies, we were able to follow the URL, IP, and domain checks of its users against Trend Micro’s web reputation systems. Our visibility to Scan4You's URL scans shed light on its growth and success. Its usage decreased from fall 2013 until around April 2016. Its usage picked up again until the service went dark in May 2017.

URL scans on Scan4You from October 2013 to May 2017.

b0rland/Borland, a software developer, hosted Scan4You and Eva Pharmacy’s servers on the corporate infrastructure of a Latvian ISP. The Gmail account he used to register command-and-control (C&C) domains for his banking malware contained his real name and profile photo, which he also used on his Facebook account.

The phone number associated with Scan4You’s WebMoney account matches the WhoIs data of domains Garrik registered. He was also into binary options trading and college paper-writing services. He also appeared to have registered domains linked to the Eva Pharmacy group involved with marketing unapproved and misbranded drugs.

We have been in close contact with the FBI’s Washington field office since spring, 2014. The investigation spanned three years until Borland and Garrik's arrest and extradition in 2017. Scan4You's URL scan requests on our servers waned shortly after.

URLs scans on Scan4You in 2017

After almost eight years, Scan4You ceased to operate, leaving its competitor VirusCheckMate as the biggest remaining CAV service. It's easy to assume that Scan4You's users would move to the other service, but we have yet to see considerable growth in URL scans from VirusCheckmate. It appears most of Scan4You’s customers stopped using a CAV service altogether.

Thwarting Cybercrime
with Law Enforcement

The arrests of Bondars and Martisevs, and Scan4You subsequently going dark, are a dent against cybercrime.

Our foray into Scan4You’s activities is just one of the many we've made to gather and analyze threat intelligence that can help law enforcement organizations, legislators, and enterprises reinforce their policies and posture against cybercrime.

Read more about our research on the rise and fall of the largest CAV service in the underground, its operators, and the ties that bind Scan4You to other cybercriminals: The Rise and Fall of Scan4You.




Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.