Read Spam Nation Online

Authors: Brian Krebs



In November 2009, FireEye, a Milpitas, Calif.-based security firm, led a coordinated effort to take down the Mega-D botnet. A year later, Mega-D’s alleged proprietor—twenty-four-year-old Oleg “Docent” Nikolaenko—was arrested in Las Vegas. He pleaded guilty to spreading malicious software to protected computers in 2013 and was sentenced to time served, plus three years’ probation. (Nikolaenko had already served twenty-seven months in custody related to his trial prior to his conviction.)


In January 2010, employees at the Internet infrastructure firm Neustar seized control over the Lethic spam botnet, a spam-spewing crime machine made up of more than 200,000 infected PCs.


In February 2010, Microsoft unveiled what would be the first in a series of court-assisted takedowns of major spam botnets. The first target was Severa’s Waledac spam botnet, which at the time was blasting billions of spam emails daily through a network of more than 60,000 hacked computers. In that effort, Microsoft convinced a U.S. federal court to grant the software giant legal ownership of 277 Internet domains that the Waledac botmaster was using to control his spam empire.


In October 2010, Armenian authorities arrested twenty-seven-year-old Russian Georgiy Avanesov in tandem with a coordinated takedown of the Bredolab botnet, a spam engine that had hijacked millions of PCs since its debut in 2009. At the height of Bredolab’s operation, experts say the botnet was blasting more than three billion messages each day. Investigators alleged that Avanesov made more than $130,000 per month renting his botnet out to other spammers. According to a BBC report, Avanesov was later convicted of computer sabotage and sentenced to four years in an Armenian prison. SpamIt records indicate he had multiple affiliate profiles generating income for him from that pharmacy program.


In March 2011, Microsoft went after Rustock, launching a legal sneak attack through the U.S. court system to seize control over the domains being used to control Cosma’s spam engine. At the time, Rustock was running on an estimated 815,000 computers and was blasting huge volumes of junk email daily. Microsoft had help in the case from Pfizer, the drugmaker whose products and trademarks were most heavily abused by the spammers.


In July 2011, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of the Rustock botmaster. Interestingly, while Spamdot.biz closed its doors after Gusev was named the World’s Number One Spammer by Russian law-enforcement officials in October 2010, the spam forum didn’t go away. It merely changed its name and location. Not long after Microsoft offered its reward, Cosma—the Rustock curator (having changed his nickname by then to “Tarelka,” or “plate” in Russian)—could be seen on the new forum asking for advice on how to obtain a new passport under an assumed name.


In July 2012, FireEye and Spamhaus went after the Grum botnet, which had emerged as one of the top three most active spam machines, sending 18 billion messages per day. Their collaborative takedown briefly shrank global spam volumes, but the source code for Grum subsequently fell into the hands of several other miscreants, prompting its revival. Grum remains active today.


In July 2013, Microsoft and the FBI announced a joint operation that took down more than 1,400 distinct botnets that were using Citadel malware to control infected PCs. Citadel was primarily used by crime groups engaged in emptying bank accounts through online heists.


In December 2013, Microsoft worked with the FBI again and with authorities in Europe to disrupt the ZeroAccess botnet. ZeroAccess was often bundled with other threats (including spam bots and fake antivirus software), but the botnet mainly was designed to hijack search engine results on infected PCs and to redirect people to websites that fraudulently charged businesses for online advertising clicks.


In June 2014, the FBI in conjunction with multiple international law enforcement partners and private security firms took down the “Gameover Zeus” botnet, a collection of more than one million hacked computers. The FBI also named a Russian man—thirty-one-year-old Evgeniy Mikhailovich Bogachev—as the mastermind behind the operation and the principal author of the botnet. According to the U.S. Justice Department, the Gameover botnet was used to steal more than $100 million from victimized businesses. The botnet was also a major platform for deploying costly online extortion attacks against individual computer users.

But it wasn’t only the spam industry that was temporarily trashed by the war between Gusev and Vrublevsky. ChronoPay was deeply involved in processing payments for partnerkas that pushed rogue antivirus products, and when Vrublevsky became the subject of a criminal investigation in 2011, his processing networks fell apart. Overnight, the rogue antivirus affiliate networks ground to a halt because they had lost their connection to the credit card networks. Vrublevsky was arrested at the end of May 2011 on unrelated charges, and by August 2011, computer security giant McAfee noticed a 60 percent decline in users reporting problems with fake antivirus programs.

Downing Domains and Scrubbing Search

Another front in the war on spam has targeted the pharmacy websites advertised via junk email. Typically, spammers have sought out domain name registrars who turn a blind eye to spammers registering hundreds or even thousands of domains per month for use in pharmacy spam campaigns. For many years, some of the largest players in the website name industry brushed aside requests by the anti-spam groups to de-register domains that were clearly registered to benefit from spam activity.

John Horton, a former deputy in the White House Office of Drug Control Policy and now president of LegitScript, an Internet pharmacy verification service, has tracked the rogue pharmacy domains for years. Horton said that for quite some time, most registrars argued that it wasn’t their job to inspect how their customers were using their domains.

That situation began to change in late 2008, when EstDomains—an Estonian domain registrar that had emerged as a clear favorite of spammers and Internet scammers alike—had its accreditation revoked by the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit entity that oversees the domain name registration industry. ICANN took action after a Washington Post story by this author observed that EstDomains’ CEO—Estonian businessman Vladimir Tsastsin—had been previously convicted of money laundering, forgery, and credit card fraud.

ICANN acted after my Washington Post story called attention to a little-known clause in the contracts that domain name registrars like EstDomains had signed with ICANN, which stated that registrars were not allowed to appoint principals who had criminal backgrounds. As mentioned in Chapter 8, Tsastsin was an early, major investor in ChronoPay, and in 2011 was arrested in Estonia along with six other men accused of running an enormous botnet that spanned more than four million machines worldwide.

Horton said the EstDomains incident spooked many in the domain registration business. One of EstDomains’ closest partners was an Indian registrar called Directi, which was grappling with its own deluge of abuse complaints about spammers using its service.

“Three to four years ago, nobody was suspending domain names engaged in rogue Internet pharmacy activity unless you could also clearly show that those domains were benefiting from spam activity,” Horton said. “Directi was one of the first registrars that said, if we know websites are selling prescription drugs without a prescription, and [those drugs are] being shipped into another country in violation of that country’s laws, we will take action to suspend the domain. After that, we saw GoDaddy and eNom and a few others do the same thing. If you look at registrars by market share, roughly 60 to 70 percent of [the] registrar market now does act [to suspend domains] on the basis of those allegations.”

If the Internet community wasn’t aware of the financial risks of getting too deeply enmeshed in the web of fake pharma sites, they got that message loud and clear in August 2011, when the U.S. Justice Department announced that Google had agreed to pay a $500 million fine to settle a criminal investigation that it allowed supposed Canadian pharmacies—including many rogue Internet pharmacies—to advertise drugs for distribution in the United States. The $500 million figure was intended to represent the company’s advertising revenue from the Canadian pharmacies and the revenue the pharmacies received from American customers buying controlled drugs.

Visa Crackdown

Probably the most lasting impact on the spam economy over the past two years has come from research published by a ragtag group of academic researchers who mapped out the money-laundering networks relied upon by nearly all pharmacy partnerkas. More importantly, the researchers were able to use their findings to browbeat top commercial brands into pressuring Visa to take action against the financial institutions that enable this activity.

By early 2010, the rogue pharmacy programs and fake antivirus peddlers were being infiltrated by a stealth band of white-hat researchers, university professors, and grad students who hoped to show that following the money could make it much harder for these businesses to obtain credit card processing. Over several months, these researchers made hundreds of “test buys” at websites from forty different shady businesses hawking knockoff prescription drugs, counterfeit software, and fake antivirus products. The researchers—from George Mason University, the International Computer Science Institute, and the University of California, San Diego (UCSD)—posed as buyers for these products.

The academic team believed that if they could locate and bring public attention to the financial institutions that were profiting from this trade, the industry as a whole would suffer. The reason is that although selling knockoff prescription drugs over the Internet is not illegal per se, it is illegal for foreign entities to ship prescription drugs into the United States. Such activity violates Visa and MasterCard card processing rules and can bring hefty fines.

As noted in Chapter 5, UCSD professor Stefan Savage and his team had a mountain of work to do just in gathering ground-truth data about the pharmaceutical spam economy.

“When we started this, we wanted to figure out the whole value chain for the spam economy,” Savage said. “One big part of it was the back-end processing and banks, which no one was looking at.”

Savage said that initially the University of California, Berkeley was none too interested in their research. The sticky ethical and legal issues of essentially violating federal law to conduct otherwise harmless research made the project a tough sell. The school and the researchers struck a bargain. They would only purchase generic drugs that were available in the United States over the counter and without a prescription, such as the abortion drug RU-486.

It turned out that the toughest part of their research was finding a reliable way to pay for their test orders. If they ordered the drugs with the same credit card over and over, the pharmacy partnerkas would cancel the transactions and flag the card number as suspicious. They settled on prepaid gift cards, since these payment instruments allowed their purchases to be anonymous. But it wasn’t enough to be able to purchase the drugs with the prepaid cards. The team needed to coax the card issuers into divulging the names of the banks and merchant account numbers used to process the transactions.

“We found [that using] gift cards was the easiest thing because we could put a fake name in them or whatever,” Savage said. “But with a lot of these gift cards, if you wanted to find out transaction information, you needed to call some customer support center. And even some of these fairly big prepaid cards had only a few customer service people. And they would quickly get suspicious because if you did a lot of buys, you ended up talking to the same people all the time.”

Savage and the other researchers soon discovered the perfect prepaid network, although he declined to name it so as not to ruin similar ongoing and future research efforts. He would only say that it is a prepaid card issued by a fairly large grocery-store chain in the United States.

“So we asked another group that was exploring this, and they told us about a gift card from a grocery-store chain. [UCSD graduate student] Chris Kanich shows up at one of these grocery stores with like $5,000 in cash and buys a boatload of these grocery-store prepaids. They didn’t bat an eyelash,” Savage said. “We’ve still got a stack of them somewhere. But that really was a hard thing to get past the university: that we were going to take all this money and turn it into these untraceable payment instruments, and of course trust us that we’re not just going to go off on some Brazilian vacations or something.”

With the university’s blessing and a stack of prepaids the size of several decks of playing cards, the researchers set off buying knockoff drugs from sites that were being advertised via spam. The grocery store’s prepaid network worked like a charm at all of the online pill shops, and everything seemed to be humming along nicely. That is, until Uncle Sam decided that the largely unregulated and burgeoning market for prepaid cards was ripe for abuse by money launderers.

“Everything was going fine until Congress decided to help the world with this Credit CARD Act of 2009,” Savage said, referring to a law that went into effect in 2010 and included multiple restrictions on how credit card companies can charge consumers. “The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) had always been very concerned about gift cards from the standpoint of volume to untraceable money, because they totally rocked and were great for money laundering. I swear, if you had a suitcase full of these, you could move many millions of dollars and it would be a helluva lot lighter than several million bucks.”
