Spam Nation (2 page)

Moscow resident Igor Vishnevsky, in his early thirties, was one of several hackers who worked closely with Nechvolod on Cutwail. (Vishnevsky would eventually strike out on his own, developing a rival version of Cutwail that he too used to spam and rent to other spammers. He agreed to act as our virtual “Virgil” and walk us through this strange and unfamiliar spammer underworld, and he appears throughout this book.) “We had an office for Gugle [Nechvolod, pronounced “Google”] with coders and support. Sometimes I visited it, but I didn’t work from there,” Vishnevsky recalled in an instant message conversation. He said Gugle’s office employed at least five full-time coders and as many support staff who rotated shifts around the clock and on weekends to better meet the demands of clients.

Hosting firms like McColo attracted clientele like Cutwail’s producers because they stayed online in the face of significant pressure from domestic and foreign law-enforcement agencies to unplug unsavory or illicit sites they hosted. According to Vishnevsky, McColo’s servers were legendary for their consistent speeds and for being “bulletproof,” or immune from shutdown requests lodged by other Internet service providers (ISPs) or foreign law-enforcement officials.

Shortly after Kolya’s death, McColo was quick to assure the cybercrime community that, while the organization’s most recognizable member had passed away, the hosting provider would continue business
as usual. Kolya’s partner, Alexey, spread the message on a number of top cybercrime-friendly forums, seeking to reassure the firm’s client base that the incident would result in no disruption of service.

The cybercrime community needed little convincing to stay. The service was mainly hosted in the United States, and was cheap, reliable, and fast. For the year following Nikolai’s death, Nechvolod and most of the top spam botmasters would keep their botnet control servers parked at McColo.

That is, until the evening of November 11, 2008, when an exposé in the
Washington
Post
about the high concentration of malicious activity at the hosting provider prompted the two suppliers of McColo’s connection to the larger Internet to simultaneously pull the plug on the firm. In an instant, spam volumes plummeted by as much as 75 percent worldwide, as millions of spam bots were disconnected from their control servers and scattered to the four winds like sheep without a shepherd.

The McColo takedown hit botmasters like Nechvolod and Vishnevsky directly in their pocketbooks. Spammers who were renting the botnets flooded Crutop.nu and other underground fraud forums with complaints that they had lost substantial investments, demanding to know what was going to be done about it.

“On McColo, we hosted servers in the USA that had good speed,” Vishnevsky recalled. “When McColo went down, we had to rent much slower servers in China and other countries that suck,” in their ability to withstand abuse complaints, he said.

In a sign that few thought McColo’s operations would ever go away—even after Kolya’s death—many spammers actually kept another major and expensive component of their operations—huge email address lists—directly on the company’s servers.

“Everyone lost their lists there,” Vishnevsky said, noting that he and Nechvolod lost a particularly large and valuable list of more than two billion email addresses after the takedown.

Kolya’s death and the dissolution of McColo were watershed events
because they signified the beginning of the end of an era in which spammers and cybercrime lords were allowed to operate under the radar with relative impunity. At the time, more than 90 percent of all email sent worldwide was unsolicited junk, the bulk of it advertising fly-by-night Internet pharmacy sites. In the ensuing four years, a series of similar takedowns of rogue ISPs, hosting providers, and large spam botnets would make a major dent in worldwide junk-email volumes and coincide with the arrest or imprisonment of several top spammers.

However, McColo’s demise also marked the dawn of a new age of spamming through the genesis of a protracted and costly turf war we’ll explore in this book. Dubbed the “Pharma Wars” by bystanders in the cybercrime and cybersecurity worlds, it exploded into a vicious feud between two of the largest sponsors of pharmaceutical spam—with unsuspecting users like you and me trapped in the middle.

On one side of the battle were the aforementioned Dmitry Stupin and Igor Gusev and their sister pharmacy operations GlavMed and SpamIt. On the other was Rx-Promotion, a competing rogue Internet pharmacy started by Gusev’s former business partner, thirty-five-year-old Muscovite Pavel Vrublevsky. Officially, Vrublevsky was the top executive at a company called ChronoPay, one of Russia’s largest online payment-processing firms and a company that he and Gusev cofounded.

In secret, he had deep ties to the cybercrime underworld, helping online miscreants of all stripes obtain credit card processing for their shady endeavors, and taking a hefty cut of the action. Vrublevsky also is the cofounder and administrator of the popular spammer forum Crutop.nu and another pivotal figure in the cyber wars that have made us into a spam nation—or in reality, a world of spam—today.

By 2010, I had spent more than a year investigating and reporting on allegations of corrupt business practices by Vrublevsky and his reputed ties to spammers working for the Rx-Promotion rogue pharmacy program, first as an investigative reporter for the
Washington
Post
and then for my own cybersecurity news website,
KrebsOnSecurity.com
.
But as I dug deeper and deeper, I wanted to know more about the spam email and cybersecurity problem: who was driving it and how to solve it. It was clear others did, too.

Prior to the war of attrition between spam kingpins that this book will explore, there was shockingly little public and reliable information available to answer the most basic questions facing the spam problem, such as:

•
Who is buying the stuff advertised in junk email, like Viagra, prescription drugs, and even Gucci purses? And what drives people to purchase and ingest pills pushed by these intrusive and unknown marketers?

•
Are these drugs real or ineffective—and possibly lethal—fakes?

•
Who is profiting from sending spam? How are the profits being divvied up, and where is the money going?

•
Why is the pharmaceutical industry—one of the richest and most influential businesses in the world—seemingly powerless to stop the wholesale theft and hijacking of its products, trademarks, and customers?

•
For that matter, why is it so easy to pay for these blatantly spam-advertised knockoffs with a credit card?

•
Do customers have their credit card accounts hacked or resold after buying from spammers? What if they don’t even buy from them? Are they still in danger?

•
And what can consumers, policymakers, and law enforcement use to get control of the cybercrime epidemic?

These are some of the questions people asked when I told them I was writing a book about spam. At the beginning, I could offer only my best guesses for answers. Even as I sought advice from purported spam experts, I discovered that some of the world’s top authorities on spam didn’t have a firm grip on the answers either. Many offered canned responses that seemed to be based on a handful of well-worn case studies, some of which were sponsored by major pharmaceutical or security companies, or both.

Leaked pharmacy spam databases that I was able to obtain from Rx-Promotion and GlavMed-SpamIt during the Pharma Wars changed all of that by providing a deep insider look at almost every significant aspect of the world’s largest spam organizations. Perhaps ironically, the spammers themselves provided this glimpse into their shady doings that affect each of us every day.

Hackers loyal to Gusev and Vrublevsky leaked this information to certain law-enforcement officials and to me in an attempt to sabotage each other. Instead, their databases offered unprecedented insight into the day-to-day operations and profits of these secretive, international drug cartels, which comprise a loose affiliation of spammers, virus writers, shadowy suppliers, and shippers. The information in these databases also forms the basis of my reporting for many portions of this book.

More importantly—and alarmingly—this cache of documents also contained the demographic, health, and financial information of millions of customers—mostly consumers in the United States—who had purchased prescription medications from the spam networks upon receiving a solicitation by junk email or after searching for prescription drugs online.

The databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs, a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.

Given the increasing menace of spam email and related cybersecurity assaults that directly affect consumers and companies (like the major news story I broke to the media in December 2013 about the Target credit-card database breach—a cyberattack that compromised millions of Americans’ financial information and forced an even greater number of us to get new credit cards), you may be wondering why governments, law-enforcement officials, and corporations aren’t taking a stronger and more significant stance to stop the tidal wave of spam and cybercrime impacting us all.

Part of the reason for the Internet community’s stunted response to the malware and spam epidemic to date is that many policymakers and cybercrime experts tend to dismiss spam as a nuisance problem that can be solved or at least mitigated to a manageable degree by the proper mix of technology and law enforcement. For many of us, spam has become almost the punch line of a joke, thanks to its close association with male penile-enhancement pills and erectile dysfunction medications such as Viagra and Cialis. We assume that if we don’t open the emails or don’t purchase anything from them, we aren’t affected.

Unfortunately, that attitude underscores a popular yet fundamental miscalculation about the threat that spam poses to every one of us: namely, the sheer destructive power of the botnets and the misguided computer programmers who keep them going. Indeed, the botnets built and managed by members of SpamIt, Rx-Promotion, and other spam affiliate programs were not only used for distributing spam. Web criminals routinely rent access to these crime machines to mask their true location online, because botnets allow miscreants to bounce their Internet traffic through a myriad of infected systems that are largely untraceable.

Crooks running these botnets also regularly use them to harvest usernames and passwords from host PCs, stealing everything from people’s online banking credentials to digital keys that can unlock valuable corporate secrets at companies large and small. Indeed, the
miscreants at the helm of some of the world’s most active botnets already control thousands of zombie systems inside Fortune 500 companies that allow attackers to spam people using these corporations’ more powerful servers, and to siphon sensitive and proprietary data from internal company systems.

Botnets pose other serious threats. Frequently they are rented out as powerful hired muscle in high-stakes Internet extortion schemes known as distributed denial of service or “DDoS” attacks. In such assaults, crooks demand tens of thousands of dollars in protection money from businesses. If business owners refuse to pay up, the botnet masters will order their armies of infected PCs to pelt the targeted company’s website with so much junk Internet traffic that it can no longer accommodate legitimate visitors. The extorted business either pays up or stays offline until the attackers relent (or, if the targeted business can afford it, hires a legitimate anti-DDoS company to help deflect the attacks).

Politically or ideologically motivated DDoS attacks are capable of unplugging entire nations and silencing critics or protesters of certain issues. In 2008, a politically motivated, sustained DDoS attack against the ultra-wired former Soviet nation of Estonia knocked most government sites offline for several days, interrupted electronic banking for several hours, briefly incapacitated that country’s largest cellular network, and disrupted the national network that Estonians rely on in the event of medical emergencies.

Such firepower has gained the attention and concern of the U.S. government and its military operations as well. Cyberattacks have been identified as a potent and current threat to today’s network-centric war-fighting machine. In a seminal speech at the White House in May 2009, President Obama declared the cyber threat to be one of the most serious economic and national security challenges facing America today.

Despite government concerns, the public policy response to all of the organizational and technological machinery that powers the
spam epidemic has been lukewarm at best and, in some places, virtually nonexistent. Here is a threat that is capable of disrupting entire countries’ infrastructure, diluting vital communication networks, poisoning people with its spread of counterfeit consumer products, and fueling the development of an entire illegal underground economy, yet governments around the world have done little to protect their citizens from these invasive cyber armies.

Many lawmakers in the United States and elsewhere are using the cybercrime epidemic to lobby for changes to the laws that govern how police and federal authorities can gather data on their citizens. But more stringent penalties against cybercrime have done little to deter attackers or the activities of fortune-seeking pill spammers and modern e-thieves. Most of the recently proposed and approved Internet security laws in the United States have focused on vague initiatives to beef up the security of the nation’s critical information infrastructure—the computers and interconnected systems that run everything from manufacturing plants to water treatment facilities and the power grid.

Recent legislative efforts in the United States aimed at combating cybercrime have also met with stiff resistance from privacy advocates and the public at large. When the U.S. Congress tried to pass a law that would have forced ISPs to cease providing connectivity to websites that were deemed to have trampled on trademarks by peddling pirated or counterfeit goods, lawmakers were confronted with nothing short of a popular revolt from constituents opposed to the idea. Most of that resistance was organized and executed in artfully planned online demonstrations.