Spam Nation (7 page)

Thankfully, I’d begun learning the language four years earlier on my own. In my work for the
Washington
Post
, I had found myself spending an unusual amount of time on Russian-language underground forums that were not only hostile to Westerners, but which often chastised or banned members for the unforgivable sin of communicating in English. To overcome this obstacle, I checked out sixty hours’ worth of Russian language instruction on CD from my local library. By 2008, I had finally mastered enough Russian to be able to read most forums without the aid of an online translation service. For an investigative reporter like me, this was vital to ensure I didn’t misinterpret any of the information I was picking up there. Plus it made my research go a whole lot faster.

As I trolled through the documents, I discovered hundreds of emails between Vrublevsky and Stanislav Maltsev, a former investigator with the Russian Ministry of Internal Affairs. In 2007, Maltsev was responsible for investigating charges of illegal business activities levied against Vrublevsky. But in short order, Vrublevsky had hired Maltsev as his head of security, and the case against Vrublevsky quickly died on the vine.
6

It also became clear that ChronoPay executives had tried in vain to isolate the company’s “black” projects—the Rx-Promotion pharmacy spam program and its fake antivirus business, for example—from the
company’s more legitimate client base. The leaked ChronoPay emails show that in August 2010 cofounder Pavel Vrublevsky authorized a payment of 37,350 Russian rubles (about $1,200) for a multiuser license for an online project-development tracking and management service called MegaPlan.

ChronoPay employees used their MegaPlan accounts to track payment processing issues, customer order volumes, and advertising partnerships for these black programs. In a move straight out of the Quentin Tarantino film
Reservoir
Dogs
, the employees adopted curious aliases such as “Mr. Kink,” “Mr. Stranger,” “Mr. Templar,” and “Ms. Gandalfine.”

However, in a classic failure of operational security, many of these employees had their MegaPlan messages and passwords automatically forwarded to their ChronoPay employee email accounts, which ended up in the corpus of emails that were leaked. An organizational chart featured on the ChronoPay MegaPlan homepage showed that the former cop Maltsev (a.k.a. “Mr. Heppner”) had been appointed the deputy manager of Rx-Promotion, directly under the “big boss,” Vrublevsky (a.k.a. RedEye).

Finally, I had the key that I’d been looking for. The MegaPlan accounts provided the single largest cache of information on the extent of ChronoPay’s involvement in fostering the development of markets for rogue antivirus software, or “scareware.” These are malicious programs that use misleading security prompts about nonexistent security threats on a victim’s PC, and then hijack the computer until the victim either figures out a way to remove the malware or pays for a license to the bogus software.

These types of programs affect tens of millions of people around the world and are shockingly lucrative. Most PC users would be hard pressed to say they’ve never encountered one of these messages, and it’s just the most visible sign that your computer has been hijacked by a remote spammer or other stealthier malware. (Whatever you do, don’t ever click these messages! Try to get the malware removed immediately
by an antivirus professional, or see the Epilogue for tips on how to avoid making a bad situation like this worse.)

The leaked records show ChronoPay’s high-risk or “black projects” division worked diligently to stay on the cutting edge of the scareware industry. In March 2010, the company began processing payments for icpp-online.com, an innovative scam site that stole victims’ money by bullying them into paying a “pretrial settlement” to cover a “copyright-holder fine.”

As security firm F-Secure noted at the time, victims of this scam were informed that an “Antipiracy Foundation scanner” had found pirated movie and music files on the victim’s system, and that those who refused to pay $400 via a credit card transaction could face jail time and huge fines. The scheme was brilliant in its simplicity. Many people have, at some point, watched or listened to pirated content, so there was no reason for them to distrust this message. As a result, thousands were swindled.

Here’s the kicker: for many years, scareware was a problem only for PC users who browsed the web with computers powered by Microsoft’s Windows operating system. But in May 2011, scareware purveyors began targeting users of Apple’s Mac OS X operating system for the first time. No one was safe from spam and malware attacks anymore.

The leaked ChronoPay internal documents would reveal the company’s hand in this innovation as well. A few days after the first attacks surfaced, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com. Others spotted fake Mac security software coming from macbookprotection.com. When I first looked at the registration records for those domains, I was not surprised to find the distinct fingerprint of ChronoPay.

The website registration records for both domains include the contact address of [email protected] The leaked ChronoPay documents show that ChronoPay owned the mail-eye.com domain and had paid for the virtual servers in Germany that ran it. The records also indicate that the
[email protected] address belonged to ChronoPay’s financial controller, then an employee named Alexandra Volkova. One of the smoking guns had been found, and it was time to let the public know.

♦    ♦    ♦

After the Ponomarev story ran, I began hearing from Vrublevsky by phone at least once a day, often for no apparent reason. The calls came from a different mobile number almost every time. (When asked why his calls always appeared to come from a different Russian phone number, Vrublevsky nonchalantly replied that he currently had no fewer than nine mobile phones, and that this was a common tactic used by successful Russian businesses who wished to evade surveillance by meddlesome Russian government agents.)

At first, I thought he was being dramatic or overly paranoid; I would find out later he was very much the target of Russian government surveillance. “Gusev put in his blog the name of an FSB guy working on the Vrublevsky case,” the ChronoPay CEO told me in one phone conversation, referring to himself in the third person. “They’ve been tapping my phone and know that I have ongoing communications with you.”

I quickly discovered that this was a man who enjoyed the sound of his voice like no one else I’d ever encountered. Despite everything I knew about the guy—and the fact that he was often extraordinarily crass and derisive, and frequently outright insulting—I also found him to be disarmingly charming, funny, and likeable. He was just as likely to make fun of himself as he was of others, and he possessed a seemingly boundless supply of anecdotes about important Russian power brokers, politicians, and cybercrooks. Without prompting, Vrublevsky would excitedly segue from one colorful story to the other as if describing an elaborate soap opera, albeit one that never seemed to have a central plot or conclusion.

Moscow is eight hours ahead of the time zone in Washington, DC (Eastern), and that meant Vrublevsky would usually call me as his
chauffeur was shuttling him from ChronoPay’s offices to his home. In short, Pavel was frequently ready to unwind and be chatty right when I was getting ready to buckle down and start my workday. Most conversations ended with me hanging up on him after he refused to take a hint that I had more to do than to listen to him blather for hours on end.

Initially, I thought that the purpose of his phone conversations was to get me to publish something exonerating him of his wrongdoing, more and more of which I was discovering every day. In each of our conversations, Vrublevsky took great care to cast himself as an anti-cybercrime crusader determined to destroy the spam industry and ensure the arrest and conviction of all spammers.

Vrublevsky constantly intimated that I hadn’t a clue about cybercrime, and there was no way to fully understand the nuances of the subject without making at least a token visit to Russia. In one conversation, he offered to fly me to Moscow so I could see firsthand that he was in fact one of the good guys.

“My proposition to you is to come to Moscow, and if you don’t have money… I realize journalists are not such wealthy people in America… We’re happy to pay for it,” Vrublevsky said in a phone conversation on May 8, 2010.

When I politely declined his invitation, Vrublevsky laughed and said I was wrong to feel like I was being bribed or intimidated (which I did).

“It’s quite funny that you think somehow when you fly to meet me in Moscow or ChronoPay offices that you are in any possible danger from me for being murdered,” Vrublevsky said, pinpointing exactly what I was thinking. “Come to Moscow and see for yourself. Take your notebook, come to my office. Sit in front of me and look around. Because you’re getting information which, to be honest, is not factual.” (I would eventually do exactly as Vrublevsky urged, as we will see in Chapter 9, “
Meeting in Moscow
.”)

After about a month of daily calls from Vrublevsky—sometimes twice a day—I realized that he was feeding me semi-reliable information about other cybercrooks in the hope that I would be diverted into researching and writing about them, instead of him.

The real trouble with these chat sessions—aside from their tendency to eat up half of my workday—was untangling the bits of truth and fact from Pavel’s musings, paranoid conspiracy theories, and attempts to draw attention away from his own dealings. When I asked him point blank about my theory—that he was trying to turn the spotlight away from himself by regaling me with elaborate tales about rival businessmen in the Russian underground—Pavel momentarily dropped the phone as he burst out laughing for about a minute straight.

“You know, Brian, you surprise me sometimes. You really do. This is why I absolutely fucking love you,” he said after picking up his mobile phone, still snorting and having fun at my expense. “Why do I say this? It’s funny, sometimes I’m not really sure you are too bright. And then you go and say something like that. Dammit, Krebs, sometimes you’re a lot fucking smarter than you sound.”

But Vrublevsky also could be mercurial, prone to wild mood swings and bouts of mumbling or shouting profanities. Or sometimes the voice on the other end of the line sounded like a completely different person, the tone low and comparatively serene. Often, this was late at night when his three children and wife, Vera, were already in bed and he’d perhaps had a few drinks or something else to take the edge off.

In one marathon phone conversation shortly after I’d informed Vrublevsky about receiving the compromat, he was in one of his sullen moods and rather bluntly offered to pay me $30,000 to turn over all of the material that I’d been given. I’d told him about the leaked documents because I believed he already had a good idea of what information had been taken. Clearly, he was more interested in securing my future silence than in regaining control over the compromat. I
politely declined the monetary offer and told him I was flattered but still planning to continue my investigations.

I soon realized that Vrublevsky had another, far bigger target in mind on this crusade to recapture ChronoPay’s positive image: Igor Gusev, his former business partner in ChronoPay and now head of a pharmacy affiliate program that competed directly with Vrublevsky’s Rx-Promotion. Vrublevsky was convinced (and, I think, accurately) that Gusev or one of Gusev’s henchmen was responsible for leaking ChronoPay’s internal emails and other incriminating documents.

Around the same time that the first batch of ChronoPay compromat was leaked, Adam Drake—a source in the anti-spam community in whom I’d confided some of my stories about Vrublevsky’s strange phone calls—emailed to tell me about a bizarre message he’d just received. Drake’s mysterious correspondent, who used the pseudonym “Despduck,” said he had access to the database for GlavMed and SpamIt, sister programs that were responsible for a huge percentage of the world’s spam problem. The “Desp” portion of the nickname was a play on the moniker chosen by Igor “Desp” Gusev, the man who cofounded ChronoPay with Vrublevsky in 2003 and went off on his own two years later to start SpamIt and GlavMed.

Drake wrote:

Brian,

Recently you posted about a Russian government investigation into the SpamIt operation (“Following the Money, Part II”—
krebsonsecurity.com/2010/05/following-the-money-part-ii/
).

I have a guy from Russia contacting me claiming to be a friend of a former member of the SpamIt-GlavMed affiliate group. He has a lot of information I want to share with you confidentially. I say this because I wanted your thoughts on it, and he makes claims about how some info for that story was handed to you, which I wanted your thoughts on.

He also claims to have quite a bit of raw data related to some of
their gathering places which—if it seems legit—I will hand over to law enforcement. I’ve been working with a task force which includes members of Interpol and the FBI since last year investigating that group, so I haven’t been able to post much publicly at all.

If any of this is not up your alley or within your range of interests, let me know, but I thought it might be. This same group is likely also behind the rash of rogue “antivirus” crap that’s been making the rounds.

Hope you are otherwise well.

I immediately recognized Vrublevsky’s hand in this ruse and asked Drake to forward a copy of the Despduck email. I could scarcely believe my eyes as I read the message, which looked as if someone had been taking dictation from Vrublevsky while he was regaling whoever would listen with one of his excitedly told, rambling stories. The letter went on for more than two thousand words and was full of elaborate theories of who was behind the attacks on ChronoPay, a company about which Despduck spoke positively glowingly.

I told Drake about my hunch that he also was being hounded by Vrublevsky, and he confided that a law-enforcement friend who was quite familiar with Vrublevsky and had also seen the Despduck emails had independently come to the same conclusion.