Spam Nation (page 16)

Authors: Brian Krebs

It was on Carderplanet that Vishnevsky was introduced to Vardan Kushnir, a thirty-five-year-old notorious spammer who ran the American Language Center (ALC), a legitimate business in Moscow that taught English to Russian nationals. Kushnir offered to help get Vishnevsky started in spamming if he would agree, in turn, to use some of his resources to send junk email advertising the services of the ALC.

“He offered me money enough to rent servers, and soon I was making four times as much as the climate company was paying,” Vishnevsky said. “But I continued to work there because I was not sure that spam was a stable source of money. Within a couple of months I was already quite good with spam.”

Through spamming for his mentor Kushnir, Vishnevsky was introduced to Dmitry “Gugle” Nechvolod.

“Gugle was Vardan’s friend, and he was always coming to him discussing different shit,” Vishnevsky said. “At some point, I started to communicate with [Gugle], too.”

But Vishnevsky’s real break came after his spamming mentor was suddenly and brutally murdered. One morning, Kushnir’s mother found her son’s bloodied corpse on her bathroom floor, his skull bashed in. As detailed in a 2007 story in Wired.com, Kushnir’s spam operation sent more than 25 million unsolicited junk messages each day, most of them pimping the ALC’s services and sent to Russian inboxes. According to Wired and Vishnevsky, Kushnir’s blatant and repeated disregard for complaints about spam pimping the ALC may have been a primary contributor to his murder.

Undeterred by Kushnir’s gruesome death, Vishnevsky and Gugle pooled their resources and started their own spam business.

By October 2011, I decided there was enough information in the leaked SpamIt and Rx-Promotion data to begin identifying and profiling the world’s top spammers, and by extension those responsible for building and maintaining the largest spam botnets. Buried within the gigabytes of internal ChronoPay documents was a Microsoft Excel spreadsheet innocuously titled “Registration data” that would become the Rosetta Stone for identifying many of these miscreants.

When I compared the information in this spreadsheet with other earnings and contact information I’d already gathered from the leaked SpamIt data, it was clear that for unknown reasons, someone at ChronoPay had compiled this list about the most active spammers. Most of the spammers for both Rx-Promotion and SpamIt were paid via WebMoney, which, as mentioned, is a virtual currency like PayPal that is popular in Russia and Eastern Europe and widely used in the hacker underground.

WebMoney accounts can be set up under pseudonyms or as merchant accounts, or they can be formally attested. The latter two types of accounts require the applicant to show a copy of his passport at an authorized WebMoney location prior to obtaining attestation for that account. This account information is not listed publicly by WebMoney, but it appears that a ChronoPay employee paid an insider at WebMoney to divulge the name and other contact information tied to each account used by top SpamIt affiliates. As it turns out, many of those individuals also spammed for Rx-Promotion.

Of the 163 WebMoney accounts listed in that spreadsheet, roughly one-third of them were formally attested or were merchant accounts. The data included in the spreadsheet showed the affiliate’s WebMoney ID, name, address, phone number, date of birth, email address, passport number, and the street address of the government office that issued the passport.

Many of these WebMoney accounts had been set up years before their owners began spamming or participating in any cybercrime activity. But one in particular caught my eye. Among the attested accounts detailed in the spreadsheet was a WebMoney purse created in January 2002 to a user who provided the account alias “Software Seller.” This account was credited with more than $175,000 for promoting pharmacy websites for SpamIt. That was where I would start.

Gugle

It took many weeks of digging through countless leaked chat records between this user—who used the nickname “Gugle” on both ICQ instant message chat and as a nickname on Spamdot.biz—and the administrators of the SpamIt pharmacy partnerka. Ultimately, I was able to determine that this was the same individual who ran the Cutwail botnet, easily the largest and most active spam botnet at the time. (It remains quite active.)

The spreadsheet entry for the corresponding WebMoney ID next to the botmaster named Gugle listed a Dmitry Sergeyvich Nechvolod, born July 9, 1983, and living in Moscow. When I saw Nechvolod’s information in that document, something in it reminded me of a conversation that I’d had with Vrublevsky earlier in the year. I didn’t realize the significance of that discussion at the time, because I didn’t quite understand Gugle’s role then.

It was late 2010, and Vrublevsky had just called me and was excitedly relaying some intelligence that he’d gleaned from his network of law-enforcement contacts. He’d received word that cybercrime investigators with the U.S. National Aeronautics and Space Administration (NASA) were coming to Moscow to meet with Russian FSB agents. The NASA officials, who have guns and badges and just as much investigative authority as other U.S. law-enforcement agencies, were coming to discuss cooperating with Russian authorities over an investigation into Nechvolod.

By that time, NASA investigators had connected the dots between Nechvolod and Gugle, and had been building a criminal case against him for allegedly infecting countless NASA computers with Cutwail malware.

“The Americans came to Moscow trying to find the Cutwail owner, who goes by the nickname ‘Gugle,’” Vrublevsky told me excitedly and proudly in a phone interview, speaking of a man who was among the top spammers for both Rx-Promotion and SpamIt. “They got his nickname and even his real name correct, but they were never able to catch him. Honestly, I think someone warned him. You know, Brian, the corruption level in Russian law enforcement related to cybercrime is really quite high.”

I’m still not sure why Vrublevsky told me all of this. Perhaps it was to brag that he was so well-connected to Russian cyber law-enforcement officers that he could help save one of Rx-Promotion’s best spammers from being delivered into the arms of American federal agents. I believe Vrublevsky also wanted the NASA investigators to know he’d played them for fools. After all, these same NASA investigators had convinced the U.S. Federal Trade Commission to unplug the bulletproof hosting provider 3FN, a disconnection that caused much trouble and expense for Vrublevsky and his network of extreme adult webmasters, and fake antivirus and spam peddlers.

According to a source who helped work that investigation with NASA, Vrublevsky had been given advance notice of the visit by corrupt FSB agents. Days before the scheduled meeting between NASA and the FSB, Nechvolod fled Russia for Ukraine.

“Gugle and Pavel were business partners and friends,” said my law-enforcement source at NASA, speaking on condition of anonymity because he was not authorized to discuss the case. “It was Pavel who tipped off Gugle that [NASA] was meeting with the FSB about Cutwail. Gugle is reportedly in Ukraine now, lying low.”

According to the website of Russian software firm Digital Infinity Developers Group, Nechvolod was part of a team of elite programmers that could be hired out for jobs at diginf.ru. The Diginf Team page on that site (now defunct) listed Dmitry Nechvolod as an “administrator of UNIX-based systems,” an “administrator of Cisco routers,” and “a specialist in information security software.” Between Nechvolod’s expertise and that of his team, it is clear from reviewing their résumés that this group of programmers could hack their way in or around virtually any communications or security system.

Nechvolod’s cadre maintained a core version of the Cutwail bot code and rented it out to other miscreants on underground forums, where the spamming system was known as “0bulk Psyche Evolution.”

In many ways, Nechvolod is the poster child for the modern cybercriminal, a profession not unlike drug dealing in that it generates a constant stream of cash. Those illicit funds need to be either laundered by investing in properties or other hard assets, or spent. Nechvolod, like many of his peers, preferred to splurge on a lavish and fast lifestyle of fast cars, fast girls, nice clothes, and drugs, Vishnevsky said.

“He always dressed very nice, and when he wrecked his $100,000 Lexus sedan, he went and bought a brand-new BMW,” Vishnevsky said.

By 2008, Nechvolod’s spam business was booming. His Cutwail botnet had grown to more than 125,000 infected computers and was able to blast out 16 billion spam messages daily. Soon enough, his company’s growth forced him to find and hire several new programmers. To give you a sense of what he was looking for, below is an ad that he posted to Crutop.nu, seeking a talented programmer experienced in building web applications.

Job type: local office in Moscow (benefits package included), full-time (9 hours per day, 5 days a week).

REQUIREMENTS:

•  Excellent knowledge of Perl and PHP

•  Excellent knowledge of SQL

•  Knowledge of AJAX, JavaScript

•  The ability to quickly write scripts without bugs

•  At least 22 years of age

•  Responsibility

The salary for a probationary period $1.5K (1 month), after—$2K +.

A full-time salary—with benefits—and opportunities for advancement. What enterprising young coder could ask for more? And while $23,500 a year would be a very good salary for a junior programmer living in Moscow, it was an absolute dream for coders from the countryside who could convince the boss to let them telecommute. Nechvolod’s job offer is yet another illustration of how cybercrime businesses in some parts of the world are in direct competition with many legitimate companies in the search for talented programmers.

Cosma

The records leaked from both GlavMed-SpamIt and Rx-Promotion show that one of both partnerkas’ most successful spammers was a hacker who used a variety of nicknames, including “Cosma,” “Tarelka,” “Bird,” and “Adv1.” Cosma, as we’ll call him here for simplicity’s sake, and all of his affiliated accounts with SpamIt earned more than $3 million in commissions over three years with the pharmacy program.

His spam machine was the Rustock botnet, a malware strain that was first unleashed onto the Internet in 2006. The botnet’s name was derived from its initial purpose: to help perpetrate a form of securities fraud known as “pump-and-dump” stock scams. In such schemes, fraudsters buy up a bunch of low-priced microcap stock (the prices usually vary from a fraction of a penny to a few cents per share), blast out millions of spam emails touting the stock as a hot buy, and then dump their shares as soon as the share price ticks up from all the suckers buying into the scam.

In 2007, researchers began noticing that PCs infected with Rustock had started sending pharmacy spam in addition to pump-and-dump emails. Experts at Dell SecureWorks estimated around that time that Rustock had infected more than 150,000 PCs and was capable of spewing as many as 30 billion spam messages per day.

The emergence of pharmacy spam from Rustock coincides with the time that Cosma signed up as an affiliate with SpamIt. Those same three affiliate names that the Rustock botmaster used with SpamIt—Cosma2k, Bird, and Adv1—also were registered using the same ICQ account at Vrublevsky’s Rx-Promotion. Leaked ChronoPay data shows that these three accounts collectively earned approximately $200,000 in commissions by promoting pharmacy websites for Rx-Promotion in 2010.

In several chats, Cosma muses on what he should do with tens of thousands of compromised but otherwise idle PCs under his control. Throughout the discussions between Stupin and Cosma, it is clear Cosma had access to internal SpamIt resources that other spammers did not, and that he had at least some say in the direction of the business.

In one conversation, dated October 14, 2008, Cosma tells Stupin that he’s decided to dial back his public image a few notches after attracting unwanted attention from other crooks. Cosma tells Stupin he was mugged and held hostage by thugs who’d targeted him because of his late-model Porsche Cayenne, a sport utility vehicle that costs considerably more than $100,000 in Moscow. After being roughed up by his captors, Cosma relinquished the keys to his Porsche. Cosma laments to Stupin that as a result of that incident, he decided to replace his stolen Cayenne with a less flashy BMW 530xi.

Cosma left behind a number of clues about his real-life identity. He registered with the SpamIt program using the email address [email protected]. That website disappeared in 2010, but a cached copy of the site shows that its homepage previously featured some very interesting information. It included a job résumé for a Belarusian-educated programmer underneath a picture of a brown-haired young man holding a mug. Above the image was the name “Sergeev, Dmitri A.” At the very top of the page was a simple message: “I want to work in Google.” Beneath the résumé is the author’s email address, followed by the message, “Waiting for your job!”

If the thugs who stole Cosma’s Porsche had known who he was, they might have handed him over to Microsoft. In July 2011, Microsoft offered a standing $250,000 reward for information leading to the arrest and conviction of the Rustock botmaster. Cosma remains at large.

Severa

Cosma ran his stock spam business in tandem with that of another cybercrook, a hacker who uses the nickname “Severa.” This spammer was named as a defendant in an indictment handed down by a U.S. federal court in 2007 as a major partner of Alan Ralsky, an American spammer who was convicted in 2009 of paying Severa and other spammers to promote the pump-and-dump stock scams. But while Severa was indicted, he was never arrested, and his case is still pending. Partially, this is because he appears to still be in Russia, a country that traditionally hasn’t extradited alleged cybercriminals to stand trial in the United States or Europe.

Severa’s spam machine was powered by a sophisticated computer worm known as “Waledac.” This contagion first surfaced in April 2008, but many experts believe that Waledac was merely an update to the Storm worm, the engine behind a massive spam botnet that first surfaced in 2007.