Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
There was something else about Despduck’s letters that I couldn’t quite put my finger on. A week later, I went back and looked at my previous email correspondence with Vrublevsky, and compared it to the emails from “Despduck” that my anti-spam source was receiving. One commonality immediately jumped off of the screen in front of me. Both Despduck and Vrublevsky capitalized the letter “Y” anytime they used the word “You” or “Your,” regardless of the word’s position in a sentence or how many times it was used. That capitalization pattern did not occur with any other words in the emails that shouldn’t have been capitalized.
Then it occurred to me: What about that threatening “eyeballs” email I’d received just after calling Vrublevsky for a quote on the story about Ponomarev’s allegations? Sure enough, I saw the same capitalization pattern there. The pieces were starting to come together.
But why would Vrublevsky go to such pains to launch this multipronged campaign to simultaneously win me over and coerce me into cooperating with him? My anti-spam source provided the answer, sharing several emails sent by Despduck. They showed that Vrublevsky believed I had accepted money from his pharma-spam rival Gusev in exchange for writing stories about Vrublevsky’s exploits. Vrublevsky also seemed convinced that I was in league with shadowy figures behind the Russian Business Network (RBN), the bulletproof hosting empire detailed in the first half of
Despduck wrote (again, with the capitalization in “You”):
Brian Krebs, believe it or not, was actually
by RBN guys (by GlavMed mostly) to publish his research. All of his info is actually based on the fact that re-partners.biz had an office address of ChronoPay, which is bullshit, of course. Anyone can put any address anywhere.
Then Ilya Ponomarev (NOT a leading politician in Russia) wrote a letter to the cops in Russia trying to somehow fuck Vrublevsky based on Krebs info. A stupid attempt, probably just making it look like it can work to get more money from Desp. Obviously nothing happened because ChronoPay has an extremely strong image and brand in Russia. ChronoPay will soon sue Krebs, and Ponomarev has already changed his opinion and sent another letter to the cops explaining he was not targeting Vrublevsky.
All this happened because Vrublevsky has a position with the Russian Government in fighting spam, and what’s more important, in protecting Russian image abroad. Spammers hate him for that. I’ll explain more when You have questions.
Once again, Despduck spoke glowingly of Vrublevsky as a cybercrime fighter who was being unjustly accused by the media and by his business rivals of orchestrating the nefarious activity he claimed to be battling. I was now more certain than ever that Despduck was Vrublevsky.
On July 12, 2010, an anonymous source with whom I’d been corresponding via email sent me another massive trove of compromat stolen from ChronoPay. My source, who used only the name “Boris” in our email exchanges, said he was sharing the data out of frustration with Russian authorities, who he said seemed to regard Vrublevsky as hardly worth the trouble of shaking down for bribes, to say nothing of investigating.
This file contains information about criminal activity of ChronoPay and personally Pavel Vrublevsky on legalizing out-of-law money [sic]. We’ve tried all methods accessible in Russia, but the absolute corruption of the Russian police brakes [sic] the criminal case and marks time. We hope you can effectively use this information in the struggle for the cleanliness of the Internet. The same file was transferred two weeks ago to the FBI.
The ChronoPay emails leaked by Boris—the “treasure trove of documents” referenced at the conclusion of
Vrublevsky hired a hacker named Nooder Tovreance to break into Gusev’s SpamIt and steal the organization’s payment and customer records. In one email exchange between the two, which begins April 8, 2010, and ends at the beginning of June, Tovreance offered to sell the database to Vrublevsky for $20,000, but said that he needed to break the file transfers up into multiple smaller chunks due to the size of the database.
The two ultimately settled on a price of $15,000, to be paid in WebMoney, a virtual currency that is popular in Russia and Eastern Europe. The first payment of $7,500 was to be made to a WebMoney purse specified by Tovreance in exchange for half of the files, with the remaining amount payable upon Vrublevsky’s receipt of the entire database. Follow-up emails indicate that Vrublevsky paid the first $7,500, but welched on the second payment after receiving the database as promised. When I interviewed Tovreance, he confirmed that Vrublevsky had hired him to produce the GlavMed and SpamIt data, and that indeed Vrublevsky had stiffed him on half of the promised price.
♦ ♦ ♦
Roughly one week after miscreants leaked that ChronoPay compromat, Drake called with the news that Despduck had sent him a copy of the SpamIt and GlavMed database. By this time, I began to believe that just as Vrublevsky hid behind his “Despduck” identity in leaking the GlavMed-SpamIt customer database, Gusev was using the “Boris” identity to feed me the information stolen from ChronoPay.
The GlavMed-SpamIt database landed in my lap the day after I published on my blog the first breaking story about a new, exceedingly complex computer worm that appeared to have been weaponized for espionage. That blog post was the first widely read story about a piece of malware of unprecedented sophistication that would become known as “Stuxnet”—a computer worm that experts later discovered was a cyberweapon created by Israeli and U.S. intelligence agencies in a successful bid to delay Iran’s nuclear ambitions.
But I filed the Stuxnet post just as I was leaving for a week-long vacation with my wife and mother in York, Maine, and I’d promised to give work a rest. While follow-up reporting on Stuxnet would take dozens of telephone interviews, delving into the scoop that my anti-spam source was handing me could be done without letting my family know I was back on the clock.
Drake set up an account for me on his web server and placed a copy of the SpamIt archive there. The file contained almost ten gigabytes worth of data. (To put that into perspective, if the SpamIt database was compiled into paperback books three inches wide, it would take a bookshelf roughly the length of a football field to hold them all.)
I was already overwhelmed with gigabytes of fascinating internal material from ChronoPay, and had to delete data from my MacBook’s hard drive to accommodate the SpamIt archive. As I sat on the back deck of a coastal Maine vacation property with my laptop propped up on my knees, while listening to the roar of the ocean surf, I began to see the enormity of the task before me. I would need to make sense of raw intelligence from two of the largest sponsors of spam on the planet, in the process potentially incurring the wrath of the most powerful and vengeful cybercriminals on earth.
Vrublevsky claimed the charges were trumped up and nothing more than a legal shakedown orchestrated by his enemies, but the company that was being “shaken down” operated a virtual currency he created to help his webmasters and spammers get paid without leaving an official money trail through the Russian banking networks.
While Vrublevsky acted as if he had nothing to do with RBN, the pharmacy spam websites and fake antivirus affiliate programs he ran took full advantage of hosting arrangements managed under the RBN banner.
Though my ultimate goal was to unmask the botmasters who were getting paid to send most of the world’s junk email, I knew it would take months, possibly years, of poring over the data coming in from the two competing rogue pharmacy programs. What I had discovered so far were small pieces of criminal activity here and there, so a lot more in-depth research and investigation would be required to build a watertight case against these guys and expose their malicious activities. I decided to focus my immediate efforts on reaching the people directly affected by these cybercriminals: customers who purchased and ingested pills from spam ads.
Almost all of us have gotten pill spam or pharma spam at some point in our lives—those emails that show up in our inboxes, spam filters, and junk folders, offering cheap prescription or enhancement drugs. It may be less than shocking that about 70 percent of the transactions made through rogue pharmacy websites advertised by Gusev’s SpamIt and Vrublevsky’s Rx-Promotion were for male-enhancement drugs like Viagra and Cialis. Even GlavMed customers who did not order drugs to treat erectile dysfunction (ED) usually received penis pills anyway. So confident were these pharmacies in the power of their ED formularies that they routinely included two to four free samples of these pills with every customer order.
For those of us who would never dream of ordering from an unknown pharmacy, this might seem like an obvious and unnecessary gamble. Why not just use an ordinary pharmacy? Indeed, I was intensely curious to learn what motivated people to engage in this apparently risky activity, and whether they were happy with their purchases—or if they felt they’d gotten ripped off. I thought that if I interviewed enough of these buyers and found that overall they did not get what they expected, exposing this reaction could help reduce demand and eventually drive the spammers out of business.
Thanks to data leaks from both Rx-Promotion and GlavMed-SpamIt, I had the names, phone numbers, addresses, and credit card numbers of more than a million people who had bought spam-advertised drugs. Some of those orders were fairly recent, so I was eager to interview buyers who might still have some of the pills and could forward them to me for testing at a qualified lab to see what these consumers were really getting.
I purposefully avoided calling customers who sought out and paid for knockoff Viagra and Cialis, partly because I thought that those who had come to these fly-by-night pharmacies to purchase drugs for more serious ailments and conditions would have more interesting and sympathetic stories to tell that would help me get to the heart of this issue: who was purchasing these drugs and why? But I’d be dishonest if I said my reporting wasn’t also influenced by an experience I had with an interviewee very early in the process of contacting buyers.
Just a few days after I began phoning people who had purchased medications from GlavMed, I dialed the phone number supplied by a male customer who’d ordered Viagra. His wife answered instead.
She broke down in tears when I explained that her husband had purchased generic Cialis a few months prior. She was not aware of this fact and said she couldn’t think of a reason on earth why he would have wanted it. After that mercifully short interview, I decided to avoid calling any other customer who had purchased only erectile dysfunction drugs.
Over two months, I called more than four hundred people who had purchased pills from SpamIt. Most of those I reached either hung up on me or declined to be interviewed. But I managed to interview at least forty-five buyers who ordered everything from heart medication to antidepressants and pills to treat thyroid conditions. I began to get a clearer picture of who these people were, what their motivations were, and how their actions affect us all, even those of us who don’t open spam emails, let alone buy anything from them.
Many people—particularly anti-spam activists—take an understandably dim view of consumers who buy items advertised in junk email. After all, the argument goes, if people stopped buying from sites advertised via the spam that floods our inboxes every day, then the spam industry and many of its corresponding threats to our identities and security would probably be greatly diminished. But contrary to popular belief, most of the people buying from spam aren’t idiots or crazy. The majority appear to be technologically unsophisticated people making rational (if potentially risky) choices based on one or a combination of several primary motivations:
: Those who bought drugs other than male enhancement pills almost universally said they responded to prescription drug spam either because they had no health insurance, or because the same drugs available under their health plans cost
as much as the drugs offered via these legitimate-looking Canadian pharmacy sites. (In reality, the spammers were just borrowing the good reputation of legitimate
Canadian pharmacies. As we’ll see in
, the drugs that each affiliate program shipped were manufactured mainly in India and China, and the websites selling the drugs were most often hosted on botted PCs that had been hacked by the spammers for use in sending junk email.)
: The buyer wants to purchase specific drugs discreetly and quietly, either out of embarrassment or shyness, or because he or she feels compelled to hide something from a spouse or loved one. Most of the customers I interviewed broke down into two camps here—those who were self-treating venereal diseases, and those who were ordering impotence drugs to perform for a lover or spouse. Sadly, the order history suggests that some of these buyers repeatedly fit into both categories.
: Ordering drugs online without a prescription and having them shipped to your door is extremely convenient. In addition, a great many buyers I spoke with said they were merely purchasing drugs they had been previously prescribed for a similar or related ailment. In effect, these people were self-prescribing and didn’t see the need to pay for a doctor visit or to submit to the higher prices charged by their local pharmacies.
: Buyers in this category purchased mainly drugs whose use and sale have been restricted in the United States, usually because the drugs have the potential for abuse. These were primarily painkillers such as generic oxycodone, hydrocodone, and tramadol; weight-loss drugs like phentermine (a powerful stimulant); and sleeping pills like Soma and Lunesta. Perhaps because of the addictiveness of some of these drugs, this class of buyers tended to be the most loyal, profitable repeat customers.