Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
For my BizMgr
Copyright © 2014 by Brian Krebs
Cover and internal design © 2014 by Sourcebooks, Inc.
Cover design by The Book Designers
Sourcebooks and the colophon are registered trademarks of Sourcebooks, Inc.
All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means including information storage and retrieval systems—except in the case of brief quotations embodied in critical articles or reviews—without permission in writing from its publisher, Sourcebooks, Inc.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.—From a Declaration of Principles Jointly Adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations
All brand names and product names used in this book are trademarks, registered trademarks, or trade names of their respective holders. Sourcebooks, Inc., is not associated with any product or vendor in this book.
Published by Sourcebooks, Inc.
P.O. Box 4410, Naperville, Illinois 60567-4410
(630) 961-3900
Fax: (630) 961-2168
Library of Congress Cataloging-in-Publication Data
Krebs, Brian.
Spam nation : the inside story of organized cybercrime—from global epidemic to your front door / Brian Krebs.
pages cm
1. Computer crimes—United States. 2. Internet fraud—United States. 3. Spam (Electronic mail) 4. Phishing. 5. Organized crime—United States. I. Title.
HV6773.2.K74 2014
364.16’80973—dc23
2014023007
Chapter 6: Partner(ka)s in (Dis)Organized Crime
Chapter 8: Old Friends, Bitter Enemies
Epilogue: A Spam-Free World: How You Can Protect Yourself from Cybercrime
PAVEL VRUBLEVSKY, a.k.a. “RedEye”—Cofounder of ChronoPay, a high-risk card processor and payment service provider that was closely tied to the rogue antivirus industry. Co-founder of Rx-Promotion pharmacy affiliate program.
YURI KABAYENKOV, a.k.a. “Hellman”—Co-owner of Rx-Promotion along with Pavel Vrublevsky.
IGOR GUSEV, a.k.a. “Desp”—Cofounder of ChronoPay, and co-owner of the pharmacy spam partnerships SpamIt and GlavMed.
DMITRY STUPIN—Co-owner, along with Igor Gusev, of the pharmacy partnerships SpamIt and GlavMed.
IGOR VISHNEVSKY—A spammer who helped develop the “Cutwail” spam botnet, and a one-time business partner of Dmitri “Gugle” Nechvolod, a major spammer.
DMITRY NECHVOLOD, a.k.a. “Gugle”—One of SpamIt and Rx-Promotion’s most successful spammers, Gugle rented out his “Cutwail” spam botnet for use by many other junk emailers.
GENNADY LOGINOV—A Belarusian man and leader of a militant organized crime group known as “The Village.” Partner with Alexander Rubatsky and involved in the kidnapping and ransom of Evgeny “Pet” Petrovsky—a rival businessman.
ALEXANDER RUBATSKY—A Belarusian hacker closely tied to the child pornography industry who later founded the Russian Business Network (RBN) in St. Petersburg, Russia.
EVGENY PETROVSKY, a.k.a. “Pet”—Belarusian owner of companies Sunbill and BillCards, credit card processing networks that were deeply involved in processing payments for child pornography sites.
NIKOLAI MCCOLO, a.k.a. “Kolya”—The young entrepreneur behind McColo Corp., which until its demise in 2008 was among the most popular Web hosting providers in the cybercrime underground.
LEONID KUVAYEV—A convicted spammer who ran the RxPartners pharmacy spam affiliate program. Kuvayev is currently serving a ten-year prison sentence in Russia for child molestation and child pornography.
IGOR AND DMITRY ARTIMOVICH, a.k.a. “Engel”—Brothers who allegedly operated the “Festi” spam botnet and were close allies of Vrublevsky. The brothers were convicted in 2013 of using Festi to attack the website of Assist, a ChronoPay competitor, although they deny this.
COSMA—Spammer for both GlavMed-SpamIt and Rx-Promotion and principal author of the massive Rustock botnet.
SEVERA—Spammer for both GlavMed-SpamIt and Rx-Promotion and the apparent author of the Waledac and Storm botnets.
Chapter 1
The navy blue BMW 760 nosed up to the crosswalk at a traffic light in downtown Moscow. A black Porsche Cayenne pulled alongside. It was 2:00 p.m., Sunday, September 2, 2007, and the normally congested streets adjacent to the storied Sukharevskaya Square were devoid of traffic, apart from the tourists and locals strolling the broad sidewalks on either side of the boulevard. The afternoon sun that bathed the streets in warmth throughout the day was beginning to cast long shadows on the street from the historic buildings nearby.
The driver of the BMW, a notorious local scam artist who went by the hacker nickname “Jaks,” had just become a father that day, and Jaks and his passenger had toasted the occasion with prodigious amounts of vodka. It was the perfect time and place to settle a simmering rivalry with the Porsche driver over whose ride was faster. Now each driver revved his engine in an unspoken agreement to race the short, straight distance to the big city square directly ahead.
As the signal flashed green, the squeal of rubber peeling off on concrete echoed hundreds of meters down in the main square. Bystanders turned to watch as the high-performance machines lurched from the intersection, each keeping pace with the other and accelerating at breakneck speed.
Roaring past the midpoint of the race at more than 200 kilometers per hour, Jaks suddenly lost control, clipping the Porsche and careening into a huge metal lamp post. In an instant, the competition was over, with neither car the winner. The BMW was sliced in two, the Porsche a smoldering, crumpled wreck close by. The drivers of both cars crawled and limped away from the scene, but the BMW’s passenger—a promising twenty-three-year-old Internet entrepreneur named Nikolai McColo—was killed instantly, his almost headless body pinned under the luxury car.
“Kolya,” as McColo was known to friends, was a minor celebrity in the cybercriminal underground, the youngest employee of a family-owned Internet hosting business that bore his last name—McColo Corp. At a time when law-enforcement agencies worldwide were just waking up to the financial and organizational threats from organized cybercrime, McColo Corp. had earned a reputation as a ground zero for it: a place where cybercrooks could reliably set up shop with little worry that their online investments and schemes would be discovered or jeopardized by foreign law-enforcement investigators.
At the time of Kolya’s death, his family’s hosting provider was home base for the largest businesses on the planet engaged in pumping out junk email or “spam” via robot networks. Called “botnets” for short, these networks are collections of personal computers that have been hacked and seeded with malicious software—or “malware”—that lets the attackers control the systems from afar. Usually, the owners of these computers have no idea their machines have been taken hostage.
Nearly all of the botnets controlled from McColo were built to blast out the unsolicited junk spam advertisements that flood our inboxes and spam filters every day. But the servers at McColo weren’t generating and pumping spam themselves; that would attract too much attention from Internet vigilantes and Western law-enforcement agencies. Instead, they were merely used by the botmaster businesses to manipulate millions of PCs scattered around the globe into becoming spam-spewing zombies.
By the time paramedics had cleared the area of Kolya’s accident, gruesome images of the carnage were already being uploaded to secretive Russian Internet forums frequented by McColo’s friends and business clients. Among the first to broadcast the news of Kolya’s death were denizens of Crutop.nu, a Russian-language hacker forum that counted among its eight thousand members some of the world’s biggest spammers. The same Crutop.nu members who spread pictures and news of the incident were some of McColo’s most successful web hosting customers, and many felt obligated (or were publicly shamed by forum administrators) to shell out funds to help Kolya’s family pay for his funeral expenses. This was a major event in the cybercrime underworld.
Days later, the motley crew of Moscow-based spammers would gather to pay their last respects at his service. The ceremony was held at the same church where Kolya had been baptized less than twenty-three years earlier. Among those in attendance were Igor “Desp” Gusev and Dmitry “SaintD” Stupin, coadministrators of SpamIt and GlavMed, until recently the world’s largest sponsors of spam¹—and two figures that will play key roles in this book.
Also at the service was Dmitry “Gugle” Nechvolod, then twenty-five years old and a hacker who was closely connected to the Cutwail botnet. Cutwail is a massive crime machine that has infected tens of millions of home computers around the globe and secretly seized control over them for sending spam. Nechvolod had already earned millions of dollars using the botnet to send junk email for GlavMed and SpamIt to millions of people around the world. To this day, Cutwail remains one of the largest and most active spam botnets—although it is almost undoubtedly run by many different individuals now (more on this in Chapter 7, “Meet the Spammers”).
So why is it important to note these three men’s presence at such a momentous event for cybercrime? Because their work (as well as Kolya’s and hundreds of others’) impacts every one of us every day in a strange but significant way: spam email.
Indeed, spam email has become the primary impetus for the development of malicious software—programs that strike computers like yours and mine every day—and through them, target our identities, our security, our finances, families, and friends. These botnets are virtual parasites that require care and constant feeding to stay one step ahead of antivirus tools and security firms that work to dismantle the networks. To keep their bot colonies thriving, spammers (or botmasters—the term is interchangeable) must work constantly to spread and mutate the digital disorders that support them. Because antivirus programs routinely clean up infected PCs used to send spam, botnet operators need to continuously attack and seize control over additional computers and create new ways to infiltrate previously infected ones.
This technological arms race requires the development, production, and distribution of ever-stealthier malware that can evade constantly changing antivirus and anti-spam defenses. Therefore, the hackers at the throttle of these massive botnets also use spam as a form of self-preservation. The same botnets that spew plain old spam typically are used to distribute junk email containing new versions of the malware that helps spread the contagion. In addition, spammers often reinvest their earnings from spamming people into building better, stronger, and sneakier malicious software that can bypass antivirus and anti-spam software and firewalls. The spam ecosystem is a constantly evolving technological and sociological crime machine that feeds on itself.
Thus far, the criminals responsible for unleashing this daily glut of digital disease are doing a stupendous job of overwhelming the security industry. Antivirus companies now report that they are struggling to classify and combat an average of 82,000 new malicious software variants attacking computers every day, and a large percentage of these strains are designed to turn infected computers into spam zombies that can be made to do the attacker’s bidding remotely. Security giant McAfee said it detected 14 million new pieces of malware in the first quarter of 2013 alone.
But that also comes at a price to the spammers. In the case of Cutwail, the maintenance needed to sustain it required 24/7 teams of software developers and technical support staff. That’s because the software that powers botnets like Cutwail is typically rented out for use by other spammers, who frequently demand code tweaks or add-ons to help the bot programs work properly within their own criminal infrastructure.