Spam Nation (12 page)

Authors: Brian Krebs

Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology

The UAB computer forensics lab is the ideal location for testing drugs bought through spam. One floor below Warner’s lair, Elizabeth Gardner, PhD, spends much of her time analyzing new “legal highs.” These are mind-altering substances created with synthetic versions of chemical compounds whose use and distribution are restricted in the United States. Some of these legal highs are fairly benign, such as the “performance-boosting” pills sold at gas stations that hint at their supposed abilities to enhance a man’s stamina in the bedroom.

“Most of these are just lots of caffeine and wishful thinking,” Gardner quips.

Other legal highs are far more serious and can have devastating—even horrifying—side effects. Just prior to my visit to the UAB campus, police in Miami, Florida, responded to a call to a crime scene that was straight out of a Hollywood zombie movie. Police officers were summoned to the area beneath a local highway overpass, where one man was reportedly assaulting another. Arriving on the scene, officers shot and killed a thirty-one-year-old local man who was found gnawing the face off a homeless person in broad daylight. Investigators later discovered that the assailant had been turned into a real-life zombie after ingesting prodigious amounts of “bath salts,” a synthetic stimulant designed to produce effects similar to amphetamines and cocaine.

On a Thursday afternoon in mid-June 2012, Gardner is looking at the chemical analysis of a local bath-salts sample. Bits of the drug are being fed into a large white box that resembles an oversized laserjet printer. The device is a mass spectrometer, a tool that this lab uses to search for and identify the active ingredients found in various controlled substances. Almost noiselessly, it automates the fetching and analysis of tiny glass vials filled with chemical samples that are fed into the machine’s interior.

The machine produces data that are relayed to a nearby computer, which uses the information to plot a line graph that shows several distinct upward spikes.

“See these spikes here,” Gardner says, pointing at two especially tall peaks in the graph. “These are the chemical markers for mephedrone, which is the active ingredient in these salts.”

Despite our efforts, I was unable to get any of the online drug buyers to send me useful samples of the pills for testing in Gardner’s lab. Not that it would have mattered: UAB couldn’t get legal cover to do it anyway.

Incredibly, the UAB researchers have legal approval from federal regulators and law-enforcement agencies to test and handle highly controlled and illegal substances, such as cocaine, heroin, and methamphetamine, but they had not yet received permission from the FDA and DEA to test pills ordered through junk email.

Part of the problem is that Congress changed the law in 2008, when it enacted the Ryan Haight Act, which makes it expressly illegal for anyone to order prescription drugs over the Internet without a prescription. In addition, even if an American has a valid prescription for a drug, it is illegal for him or her to order the drug from a pharmacy outside the United States and have it shipped back into the United States.

“We’ve kind of gotten it taken care of,” Warner said. “We’ve got the memorandums of understanding in place and got the post office boxes all set up and the top-level approval at the university. But we still have this one tiny little administrative hurdle to get over.” They still needed a green light from federal regulators.

Warner even had a regional bank on board to provide his researchers with prepaid cards that could be used to covertly buy drugs from GlavMed-SpamIt and Rx-Promotion.

“The bank was willing to put up the money to help fund our operations, but we still needed a government letterhead memo basically saying that no one was going to go to jail for this,” Warner said. The university was slated to receive a grant from the FDA to conduct research on rogue pharmacies, but the grant would come with serious strings attached.

“They basically said that none of the money could be used to purchase drugs, and if any of the grant money is used to analyze drugs ordered from spam, then the grant will be withdrawn,” Warner said. “What changed between when the FDA tentatively offered the grant and these conditions? Nobody can say. They just said, ‘It’s not legal for us to authorize you to buy drugs.’ So the FDA Office of Compliance had to go back and revise the grant to only evaluate the websites in the spam emails, and we were no longer allowed to purchase the pills.”

This was not the first time Warner and UAB were frustrated in their attempts to test pills ordered through spam to conduct their research. Not long before I’d shared the GlavMed data with him, Warner had a meeting with executives and fraud investigators from Pfizer. The pharmaceutical giant indicated it was interested in working with UAB on a study to analyze drugs purchased through rogue pharmacy affiliate programs. After all, counterfeit sales of its blockbuster drug—Viagra—accounted for more than 40 percent of the transactions from both Rx-Promotion and GlavMed.

But the funding for such a project would come with certain strings attached. “Pfizer said they wanted to work with us on this project as long as they had the right to shut the thing down if it turned out the drugs were real,” Warner recalled. “Microsoft was talking with us and Pfizer about whether UAB and Microsoft could do something like a website such as pilldangers.org or something, and warn people of dangers of buying pills online. And my chemist said, ‘Well, what if the drugs are real?’”

“In response, the Pfizer guy said, ‘Well, then we wouldn’t want to publish anything.’ I told them that we’re big on academic freedom and that we wouldn’t be able to live with that condition,” Warner recalled. “I told him that we’d want to be able to say, for example, ‘Okay, so in 25 percent of pharmacy orders we got, we got the real thing.’ They said, ‘No, no, you can’t do that. We only want you to publish about the fake pills.’”

Then, after Warner had received a copy of the GlavMed data, he had a chance to chat with another Warner—Mark Warner—the director of intelligence for Pfizer and a twenty-one-year veteran of the FBI. UAB’s Warner said Pfizer’s Warner called to discuss possible collaboration on mining the GlavMed data for information that U.S. law-enforcement officials could then present to Russian officials to help stop the tidal wave of spam affecting everyone.

“I got off the phone with him before I understood exactly who he was, but this guy acted like an old-school, knuckle-dragger cop,” UAB’s Warner recalled of the conversation. “He’s a New Yorker, so it kind of went like this:

“‘Well, Mistah Wahrnah, just listen to me. I’ve been doin’ this a lot longer than you. And here’s the way it’s gonna go: the Russians aren’t gonna do fuck all for us. What we need to do is find the spam affiliates who are in the United States and lock ’em up. Forget the Russians. We’re never going to touch the Russians. The Russians are bulletproof. We can’t touch ’em. So let’s just find the guys who are in the U.S., put them in jail, and move on.’”

On the one hand, Pfizer’s Warner had a point: according to most law-enforcement experts I interviewed for this book, there was almost no chance that the Russians would do “fuck all” about it. For starters, hackers in Russia are generally left alone as long as they do not prey on the country’s own companies or citizens. But UAB’s Warner said he was taken aback by such a response. After all, more than 40 percent of GlavMed’s sales involved knockoff versions of Pfizer’s blockbuster drug Viagra, so it would be in the pharma company’s best interest to collaborate.

“I just couldn’t believe the caveman mentality that this guy had,” Warner recalled in a telephone interview. “I thought to myself, you know he may be a twenty-one-year veteran of the FBI, but it doesn’t mean he knows jack about cybercrime. At the same time, counterfeit versions of his company’s big moneymaker were by far the largest single drug that GlavMed sold. They’re the ones in a perfect position to complain about pharmaceutical spam, but who knows? Maybe $100 million in counterfeit SpamIt and GlavMed profits is nothing to a company that makes tens of billions a year.”

UAB’s Warner said he began to feel despondent about having so much information on a massive criminal cybercrime conspiracy, while law enforcement seemed to have so little interest in running with the data cache.

“I had been participating in the FBI’s pharmaceutical fraud working group, and I was horribly disappointed because hardly any of the big pharma companies came to the meetings,” Warner said. “At least in the meetings I attended, there would be seven pharmaceutical companies at the table, and not a single one of them I’d ever heard of. Roche wasn’t there, Bayer wasn’t there, Pfizer wasn’t there. Merck wasn’t there. AstraZeneca might have been at one of the meetings. But we couldn’t get anyone interested.”

That said, there may have been another reason that Pfizer was in no mood to help the FBI. Not long before Warner acquired the GlavMed-SpamIt data, the FBI wrapped up a criminal investigation into Pfizer for promoting off-label uses of its biggest selling drugs and for paying kickbacks to physicians to promote them. The government alleged that Pfizer sales reps made misleading marketing claims about uses for the firm’s drugs. For example, reps allegedly were urged to instruct physicians on staging conversations about prescribing Viagra for women who had difficulty reaching orgasm.

Pfizer denied the allegations but nevertheless agreed to a $2.3 billion settlement, at that time the single largest fraud settlement ever collected by the U.S. Justice Department. The settlement amount roughly equaled the revenues that Pfizer brings in each year from sales of Viagra. It’s no wonder the pharma giant didn’t want to draw the FBI into another investigation, even if this one was to the pharmaceutical giant’s benefit.

For its part, Pfizer has opted to pursue cases against spammers and counterfeiters via civil lawsuits. Over the past five years, the company has spent millions on investigation and legal fees to go after purveyors of fake Viagra and other drugs. (Pfizer declined repeated requests to be interviewed for this book.)

Warner was disappointed that he couldn’t get permission to test prescription drugs purchased from Rx-Promotion and GlavMed-SpamIt. But he seemed genuinely hopeful that the customer databases from both rogue pharmacy operations would be enough to help bring down some of the world’s biggest spammers and botnet masters, nearly all of whom were working for one or both of these affiliate programs and whose personal and financial data were sprinkled throughout each affiliate program’s leaked records.

The same anti-spam activist who had shared the GlavMed database with me said he sent a copy of it to contacts at the FBI. And for several weeks at the end of 2010, multiple law-enforcement agencies fought to take the lead on the investigation. Ultimately, the inquiry was determined to be best pursued as a trademark infringement matter and was turned over to a multi-agency task force of the U.S. Department of Homeland Security’s Immigration and Customs Enforcement (ICE) bureau.

That task force, known as the National Intellectual Property Rights Coordination Center (NIPR), draws on civil and criminal investigative resources from at least twenty separate agencies, including the FBI, Interpol, the U.S. Postal Inspection Service, the National Aeronautics and Space Administration (NASA), and the Royal Canadian Mounted Police.

The investigation at NIPR was part of a broader push by the Obama administration to crack down on abuses of intellectual property rights online, including rogue pharmacy sales and the illegal trade in pirated movies, music, and software. Around that same time, administration officials were announcing the results of Operation Pangea, an annual international law-enforcement push led by Interpol and aimed at disrupting pharmaceutical crime. The week-long operation led to the shuttering of at least 290 rogue online pharmacies; the seizure of nearly 11,000 packages containing more than a million pills; and the arrest or investigation of at least 76 individuals connected with the pharma stores.

Many of the sites taken down in Operation Pangea were web storefronts advertised by spammers working for Vrublevsky’s Rx-Promotion program. Just prior to the takedowns, the U.S. Food and Drug Administration sent a warning letter to Vrublevsky’s partner—Yuri “Hellman” Kabayenkov—stating that the agency had identified 294 websites that were selling addictive, highly controlled prescription drugs such as painkillers without a prescription. It seemed U.S. authorities were finally starting to take a stand.

Rx-Promotion essentially shrugged. According to Vrublevsky, hardly anyone in the program noticed the takedowns, which ironically more or less equaled the average number of sites that disappeared each week as a result of regular cleanup efforts from anti-spam groups and web hosting firms.

“It was very funny to read the news and see that there was this huge, international operation that resulted in the closure of hundreds of illegal pharmacies on the Internet,” Vrublevsky said. “And then you read spammer and hacker forums and see these guys asking each other, ‘Dude, did you feel that?’ and, ‘Dude, did you notice that?’ It didn’t seem like anyone cared or really noticed.”

Vrublevsky said that in the weeks prior to the operation, a group of U.S. firms—mainly copyright holders in the entertainment industry—had called a meeting with members of the Russian State Duma, the lower house of Russian parliament. That meeting was part of a campaign in Russia by the entertainment industry to crack down on music and movie piracy. The campaign’s slogan was roughly translated, “Say No to a Thief!”

The leaked ChronoPay emails show that the company was quietly paying the salary of at least one member of the Russian Association for Electronic Communications (RAEC), an industry trade group. ChronoPay invoices indicate that the company paid a “monthly fee for public relations advice”—16,666.66 euros—to Dmitry Zakharov, then RAEC’s public relations director. (This was yet another debt that Vrublevsky and ChronoPay would welch on. ChronoPay’s internal email records are littered with emails from RAEC’s debt collectors, who hounded ChronoPay officials to pay tens of thousands of euros in delinquent “consulting” fees, without success.) I sought comment from Mr. Zakharov about this apparent arrangement, but received no response. That was frustrating and ironic, in part because Zakharov left RAEC in 2010 and is now deputy director of the department of external communications for the Russian government’s Ministry of Telecom and Mass Communications.
