Spam Nation (15 page)

Cybercrime forums serve a number of core purposes. For starters, they offer relatively unknown and novice criminals an opportunity to establish a reputation as a trusted, reliable vendor or buyer of services. If these newbies wish to construct a new cybercrime operation—such as a spam botnet—but lack the knowledge or resources to build up a particular component of that business, they can simply purchase the missing components or information from other members. Or, they can turn to senior members and self-help tutorials on these forums for pointers and questions.

In this way, crime forums almost universally help lower the barriers to entry for would-be cybercriminals. Crime forums also offer crooks with disparate skills a place to market and test their services and wares, and in turn, to buy ill-gotten goods and services from others.

There are forums dedicated to almost every major language and specialization of cybercrime, but most crime forums are either in Russian or English. Likewise, most are built upon a similar structure of a main homepage with links to sub-forums dedicated to a broad array of cybercrime specialties, including: spam; online banking fraud; bank account “cashout” schemes; malicious software development; identity theft; credit card fraud; confidence scams; and black SEO, or techniques to fraudulently manipulate a site’s rankings in Google and other Internet search engines.

Even forums dedicated to a specific form of cybercrime—such as spam—tend to model themselves on this same sub-forum structure. In 2011, researchers at the University of California, Santa Barbara, and Ruhr-University Bochum in Germany published an in-depth analysis of the Cutwail botnet, “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns.” In the course of their investigation, the researchers acquired the back-end database of the now-defunct crime forum Spamdot.biz, a closely guarded cybercrime community, and ultimately agreed to share the site’s complete information with me for research
for this book. In 2007, Spamdot came under the ownership of Igor Gusev and Dmitry Stupin, the coadministrators of the sister pharmacy partnerkas GlavMed and SpamIt.

It was clear from this material that while Spamdot counted among its members some of the world’s most established and successful spammers, it also included dozens of members whose primary specialty was offering ancillary cybercrime services, from providing bulletproof web hosting and the mass registration of domain names, to selling huge email spam lists and software to help spammers “scrub” their existing lists of dead addresses and those used by anti-spam activists and security firms.

These activists frequently seed the Internet with dummy email addresses in the hopes that spammers will find and spam the addresses. Both vigilantes and security firms then use the spam sent to these dummy addresses to collect samples of the latest malicious software or phishing scams being distributed via junk email. These help gauge the size and location of major spam botnets, and from there, these anti-spammers can generally improve the performance of spam filters. But since these activities eventually tend to cut into the profitability and stability of any spamming operation, more experienced spammers recognize the long-term value in scrubbing their distribution lists of these decoy addresses. It’s a constant game of cat and mouse.

Sub-forums tend to be moderated by established cybercrooks who are proficient in their respective specialization. It is not unusual to see the same cybercriminal acting as the moderator of the same sub-forum across multiple, distinct cybercrime forums. For example, an infamous Russian fraudster known as “Severa” acts or has acted as the moderator of the spam sub-forum on at least four different major cybercrime forums, including Spamdot. As will be further described in Chapter 7 (“
Meet the Spammers
”), Severa is the author of some of the most prolific and “successful” spam botnets that have ever been created. As a result, Severa knows virtually everyone of consequence in the spam
industry and has a broad cross-section of knowledge about the topic that makes him ideally suited to moderate discussion forums dedicated to the subject.

Actors such as Severa are the living “glue” holding these cybercrime communities together. They possess a wealth of knowledge about their industry and are adept at connecting novices with more experienced members looking for partners or subcontractors. As such, core miscreants like Severa present attractive targets for law-enforcement officials, since taking them out can often destabilize the fraud ecosystem.

Many crime forums—particularly new, fledgling forums—allow open registration, accepting all comers. But forums populated by some of the most experienced and connected cybercrooks tend to erect various hurdles for new members designed to screen out useful and talented hackers from hangers-on or, worse, possible law-enforcement officials attempting to infiltrate and gather evidence of these spammers’ illicit activities. To create these safeguards, most established crime forums require new applicants to list at least two existing and trusted forum members as references or “vouches,” signaling that one or more existing members of the forum can vouch for the applicant’s skills and integrity and have invited the novice to apply for membership.

New applicants generally also must proffer a nonrefundable deposit, usually in the form of a digital currency such as WebMoney or bitcoins. Assuming the applicant’s references confirm that members know him and can vouch for his skills, the applicant is granted limited access to the forum, which he can then use to introduce himself to the broader community, plead his case for membership, and list any unique talents that his full membership would bring to the forum.

Existing members may use this trial period to haze or verbally abuse the applicant, or to test his knowledge of programming, hacking, or skill sets related to his claimed area of interest or speciality. This weeds out the weakest novices. In the end, however, many forums are democratic, leaving the approval of an applicant’s permanent membership to a
vote in which all established members may—but are not required to—participate.

So what’s the incentive to join these forums and why are they so popular among spammers? Much like a castle once provided its inhabitants with protection from marauding raiders and bandits, crime forums offer full members a modicum of protection (or at least cause of action) against getting ripped off. Fraudsters are particularly vulnerable to being cheated out on their own because they lack the ability to report being victimized to local authorities. After all, the transactions in which they engage are in most cases illegal. To combat any such “ripping” activity, forums enforce a strict code of ethics so that members caught trying to cheat fellow members are quickly ostracized or banned.

For starters, most established forums will offer an escrow service—a small percentage of the transaction cost—that will hold the buyer’s funds until he is satisfied that the seller upheld his part of the bargain. Legitimate and longtime forum members tend to insist on the use of escrow for all transactions, while cheapskates and less experienced members eschew this offering at their own risk.

Much like the online auction house eBay encouraging users to leave positive or negative feedback based on the quality of the transactions they conduct with other members, a fraud forum member’s standing is governed in part by the number of reputation or “rep” points he has accrued during his time on the forum. Members can earn rep points simply by being regular, active participants in various forums’ discussion threads—essentially sharing their knowledge and experience on a range of computer crime topics. The rep points are awarded or subtracted by established forum members and moderators who have earned the right to bestow or revoke such status indicators.

This system is remarkably effective at regulating the criminal acts of these crooks against each other. Aleksey Mikhaylov, a native Russian and information security expert who has exhaustively reviewed the documents, chats, and other material leaked from the Spamdot forum,
said that the threat of a single negative post on the forum prompts these guys to amicably resolve issues worth tens of thousands of dollars. Access to the forum and their “standing” there preoccupies all of them. Without the protection and accountability afforded by these criminal havens, spammers, scammers, and other online ne’er-do-wells are at much greater risk of getting fleeced by their contemporaries.

Members judged by forum administrators as guilty of multiple or serious forum rule infractions may be assigned the rank of “deer,” or even the more serious “ripper” label. A deer marker usually is an indicator of a new member who has violated the forum rules by accident, or because he isn’t yet familiar enough with them. Forum members who earn a deer status tend to be considered clueless newbies, their status alerting fellow forum members that dealing with them might be more trouble than it’s worth.

Rippers are those who have been shown to have “ripped” someone off by failing to consummate a previously agreed-upon transaction—either by refusing to pay for a service or good, or by neglecting to deliver on these as promised. The aggrieved party must demonstrate to forum administrators that he or she was ripped, typically by starting a discussion thread in a sub-forum called “blacklist.” Very often this means posting lengthy online chat records of a previous conversation that document the alleged infraction. Interestingly, these self-reported records can often present invaluable evidence and intelligence to undercover law-enforcement officials and security researchers who frequently lurk on underground crime forums.

Although the average crime forum has many members—sometimes tens of thousands—most of the more active forums exist to make money for the administrators, the subforum leaders, and those selling turnkey services or solutions to the rest of the community. The top sellers pay to have their sales threads made into “stickies” so that the sales pitches stay at the top of their respective sub-forums and are thus more likely to be to read by people seeking help in those cybercrime specializations.
Depending on the forum, these stickies are sold annually or monthly, and range in price from a hundred to thousands of dollars per month.

Over the past few years, the number of new cybercrime forums has skyrocketed, illustrating a burgeoning demand for criminal services and a robust competition among them for customers. And while many new crime communities disappear or fizzle out shortly after their creation, others are now more than a decade old, suggesting that the cybercrime industry is quite mature, each marketplace with its own unique means of self-policing, networking, and rapid information sharing.

Attempts by anti-spam activists to shutter the more mature of these cybercrime communities—usually by applying pressure to their hosting providers or domain registrars, or both—ultimately backfire. The forums simply transfer their domains to another, more bulletproof and insulated hosting provider, often enacting more stringent security measures in the process that more carefully screen new and existing members for signs of lurkers, law-enforcement officials, and researchers.

But there’s hope: Some of the most successful efforts at tackling the spam and malware epidemics have focused on identifying and apprehending the world’s top spammers and dismantling their crime machines, as we’ll see in the next chapter and in Chapter 11:
Takedown
.

9.
The name “Shaman” in this chat conversation is a reference to the nickname of Nikolai Victorovich Illin, the forty-three-year-old computer whiz behind Gateline.net. Gateline was a credit card processor that SpamIt, GlavMed, Rx-Promotion, and other partnerkas apparently prized for its ability to process MasterCard transactions. Stupin and Gusev considered Shaman a key and equal partner in their business.

Chapter 7

Igor Vishnevsky wouldn’t have known where or how to get started in the spamming business had it not been for the connections he made spending countless hours on several major cybercrime forums at the time. At nineteen years old, he enrolled at a university in Moscow and had dreams of landing a job as a programmer at a legitimate company. But soon enough, the money dried up.

“I studied three years, and then my parents stopped paying for my education because they didn’t have money,” Vishnevsky said in an interview.

What little Vishnevsky knew of computers dated back to his time as a teenager, when his parents bought him a Sinclair ZX Spectrum, an early home computer that was among the first mainstream home computers sold in Europe. In his early years, Vishnevsky taught himself everything from BASIC to more complex assembly programming languages. Later, he acquired a second-hand PC and learned PASCAL, a programming language designed to teach students how to devise more complex software programs.

The clever young hacker was making between $200 and $300 per month creating porn websites as part of an affiliate program run by Vrublevsky’s Crutop.nu. But that was hardly enough to live on in
Moscow, so he took a job at a local company that sold heating and air-conditioning equipment and services. Little did he know that would lead to spamming.

One day his boss asked for help in advertising the company’s services via some less-than-legitimate means.

“One time, my boss ordered spam from someone and told me that it was cool and that I should find out how to send spam myself,” Vishnevsky recalled. “Of course, I told him that spam was bad, blah, blah, blah, but he told me that we had a lack of orders and I have to do that [in order to drum up more business].”

Vishnevsky’s research for his boss into the spam industry led him to Carderplanet.com, which at the time was an extremely popular Russian language cybercrime forum. Carderplanet drew thousands of members from around the world who traded knowledge and tips on everything from running spam botnets to cashing out hacked bank and credit card accounts.

Founded in Ukraine in 2001, Carderplanet.com was the most brazen collection of carders (crooks who traffic in stolen credit cards) hackers, and cyberthieves the Internet had ever seen. As Joe Menn writes in his book, Fatal
System
Error
, there was virtually no enforcement of computer intrusion laws in Ukraine, so the group felt secure enough to organize parties and to advertise their hacking services on the larger Internet. Carderplanet would come to be the mold out of which nearly every future crime forum would be modeled, with sub-forums for every imaginable form of computer crime specialization.