Spam Nation (28 page)

Read Spam Nation Online

Authors: Brian Krebs

Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology

“At this point, most of the remaining pharmacy partnerkas start[ed] getting desperate, doing crazy things like laundering their transactions through parking garages and random banks in the United States,” Savage said. “The miscoding was great because [initially] for most of the counterfeit stuff, we as researchers couldn’t complain about it to Visa because we had no standing with Visa. We couldn’t just say, ‘Hey, here’s a Pfizer product that’s getting ripped off. Visa, you should do something about that.’ Only the brand holder can actually take action.

“But on this miscoding stuff, anyone can report anything. If we find that one of these pharma shops is using a U.S. bank and miscoding their transactions, we can often just call the bank and say, ‘Hey, did you know this is going on?’ And most times, they’ll say, ‘Thank you very much,’ because they can get big fines for processing these miscoded transactions. And so if you tell them, they get to shut it down without Visa finding out and fining them.”

Damon McCoy, assistant professor at George Mason University’s computer science department, said many pharmacy, scareware, and OEM software affiliate programs have responded to the payment system crackdowns by putting burdensome security measures in place to screen out test buys. For example, some rogue pharmacy programs—such as RxPayouts—began requiring buyers to send scans or faxes of their driver’s licenses and physical credit cards. Others have decided only to process payments for existing customers.

But both security measures can be self-defeating, for customers and
affiliates alike. The researchers note that RxPayouts’ photo ID requirement for new customers (enacted in January 2012) caused an uproar among affiliates. According to the researchers, one affiliate wrote in response, “This new rule is killing me, my conversion rate for new customers [has] dropped to [zero]. As soon as my new customers find out they have to fax their customer service a photo ID, they cancel their order.”

McCoy said the new requirements also serve to insulate affiliate programs from another potential source of headache and trouble: rogue affiliates who join the program merely to reap the commissions for orders placed with stolen credit cards.

“Originally, the affiliate programs were doing this to defend against the carders, and in the past if there was a chargeback for a purchase, the affiliate program ate that chargeback cost,” McCoy said. “Now, if a chargeback comes through, they’ll take that charge out of the affiliate’s subsequent earnings.”

The researchers observed that pharmacy affiliate programs also have responded recently by replacing brand-name drugs with their generic equivalents (for example, sildenafil citrate instead of Viagra, tadalafil instead of Cialis, and so on). The operators of these programs argue to their affiliates that such actions will eliminate the brand and trademark issues and thus undermine the ability of brand holders to shut down both individual sites and the associated merchant accounts.

Whether this last step will allow banks that cater to such businesses to continue to do so undisturbed by the credit card networks remains to be seen, according to the program affiliate manager quoted above, who posted the following on gofuckbiz.com.

“What this will lead to in the end, time will tell. Either everyone will stop using well-known brand names, which are so well known to buyers, and will start using the Indian generic names or names of active ingredients, or everyone will continue to compete in this mad race of who will outsmart whom.”

Chapter 12

ENDGAME

In June 2011, Vrublevsky made his second unscheduled trip to the Maldives that year. This time, he fled Moscow because he got word that prosecutors there were preparing to levy criminal charges against him in connection with a July 2010 cyberattack on Aeroflot’s ticketing systems.

Investigators had already arrested Igor and Dmitry Artimovich, brothers who allegedly co-built and operated the Festi botnet. Both brothers deny operating a botnet or sending spam, and claim that the Russian police planted evidence on their computers. Russian prosecutors had obtained a signed confession from Igor stating that Vrublevsky had hired him to attack Assist, Aeroflot’s payment processor. At the time of the attack, ChronoPay was among several companies bidding for a lucrative contract to process payments for Aeroflot, and prosecutors alleged that the attack was designed to ensure that Assist would not maintain the contract. Ironically, a month after the attack, Aeroflot awarded the contract to neither company, but instead to Alfa Bank, the largest private bank in Russia.

Russian authorities reminded Pavel that he could also be picked up by American or other national authorities while in the Maldives, and so he voluntarily returned to Moscow.

Upon his arrival, Vrublevsky was arrested and sent to Lefortovo, a high-security, fortress-like prison built in Moscow in 1881. The prison earned its infamy during the Cold War, when it was used by the Russian KGB to isolate and interrogate political prisoners. In 1994, control over Lefortovo was transferred to the Russian police, and later it was handed to the FSB, the successor agency to the KGB.

In prison, Vrublevsky admitted to ordering the attack on Assist, but later recanted that statement. Nevertheless, his lawyer—ChronoPay employee Stanislav Maltsev, the same former Russian policeman who was once in charge of investigating allegations of illegal business activities by Vrublevsky—argued that his client should be able to remain free pending his trial. The court denied that request and ordered Vrublevsky to be held in Lefortovo for six months, the maximum pretrial time allowed by law for the offenses alleged against him.

“The main risk of letting him out is not that he will run, but that he will do some negative thing to witnesses and try to persuade them not to give or testify to any information about him,” Gusev said in a phone interview.

This is a bold statement for a man whose leaked chat logs show that he and Stupin paid $1.5 million to bring a criminal prosecution against Vrublevsky and $50,000 to start the case against Igor and Dmitry Artimovich, the brothers who—sharing the nickname “Engel”—allegedly used their Festi botnet to spam for Rx-Promotion and to occasionally launch crippling attacks against online sites (including the Aeroflot DDoS that got Vrublevsky thrown in prison).

The following is from a leaked chat, allegedly between Gusev and Stupin, dated September 26, 2010. The two men had already decided to close SpamIt and were considering whether to do the same with GlavMed. Vrublevsky is referred to here as “Paul” (the Western equivalent of “Pavel”).

GUSEV
: To my mind, you do not fully understand what’s been going on for the last year. Paul has a plan to either throw me into jail or end me. His intentions are totally clear. There are only two choices: 1—Do nothing, and pay nothing to nobody, and at the end either go to jail or keep hiding until all the resources are exhausted; 2—Do the same thing as he is doing, with the same goal.

Gusev tells Stupin that “any war costs money, resources, and nerve cells. You cannot go to war little by little, you either fight to the end or do not start it at all. Engel is going to harm us all the time… If there is any potential opportunity to take him out of the game, we have to use such an opportunity. $50K is very little compared to the losses we’ve had because of his DDoS attacks and compar[ed] to future losses if he is going to DDoS us again.”

Gusev tells Stupin that if he won’t put up his share of the $50,000 bribe to bring a criminal investigation against the Artimovich brothers, Gusev will be forced to assume greater control over the pharmacy partnerka. Stupin ultimately acquiesces, but says he wants to go on record stating that he thinks it’s a bad idea.

The chats also show that around this same time, Gusev visited the Russian FSB and was enticed into working with them and giving information on big players within the rogue pharmacy industry.

“They have tons of info, and a very good understanding of how everything works and where money comes in and comes out,” Gusev told Stupin in January 2010. The FSB, he said, “definitely has information on the money movement of the wallets. In summary: If they want to put me in prison, they will. They also asked about you. For now they wanted me to work for them and give them info on others. They promised all kinds of benefits from working with them.”

Interestingly, the leaked chat logs between Gusev and Stupin were obtained by FSB investigators who had detained Stupin and made
a forensic copy of his hard drive. Somehow, Engel—perhaps via the bribes paid by Vrublevsky—obtained a copy of these logs and leaked them to several sources, including this author.

Conversations from those chat logs have been featured prominently throughout this book, but one of the most telling and honest conversations comes in a discussion thread on the Russian adult webmaster forum master-x.com. That conversation thread is full of comments from spammers who were sidelined from the business or lost money because of the Pharma Wars between Gusev and Vrublevsky. It currently spans more than one hundred pages.

The epic master-x.com discussion starts out with nearly everyone using nicknames and generally trying to hide their real-life identities, but about halfway through the thread Gusev starts to make references to himself that clearly identify him as the author. In this conversation, Gusev becomes uncharacteristically very emotional and launches into a series of increasingly hostile tirades directed at Artimovich.

Gusev says that Russian webmasters understood that the Pharma Wars between himself and Vrublevsky were just a contest to see who had more money and connections. Gusev also warns Artimovich that Vrublevsky is likely to turn his anger on him when he gets out of prison. (By admitting Vrublevsky hired him to DDoS Assist, Artimovich essentially sealed Pavel’s fate.)

Keep in mind that Pasha is a very vile man. And he has such a long memory! You see, the fact that I was doing better than him after leaving ChronoPay had caused him a severe butt hurt of 7 years!!! He could not sleep, was in a lot of pain over this! That’s what envy is. It destroys one slowly but surely. Now imagine his psychological state after he finishes his prison term. Hungry, angry, abandoned by all butt-kissers, without any business, and worst of all—with a clear realization that he could
not put me in jail after all. I think that Pasha’s psyche will not be able to withstand such pressure. And since he will not be able to reach me, he will focus on you and your brother.

And then Gusev says he may actually exact his revenge on Artimovich before Vrublevsky does.

But this is all musing about a possible future. Speaking of the present, I think I will get to you beforehand anyway. I warned you before that if you try to get my family involved in this conflict, the consequences would be very harsh. I will personally find you, tear your head off, and swap it with your ass—most likely no one will see a difference.

♦    ♦    ♦

On Dec. 23, 2012, Russian prosecutors freed Vrublevsky from Lefortovo Prison, just three days before his birthday. Vrublevsky’s release was hardly an act of mercy. Under Russian law, six months was the maximum time that prosecutors could hold him pending trial.

Within hours of returning to his Moscow home, Vrublevsky was tweeting and blogging about his triumphant release. He also wasted little time in calling this author, mainly to gripe about his treatment and living conditions in the famed prison. In a lengthy phone conversation, Vrublevsky lamented the presence of and constant utterances from numerous Muslim inmates who were held in captivity in his corner of Lefortovo.

“I didn’t even have hot water or a fucking window, and the light was on twenty-four hours a day,” Vrublevsky recalled. “This is the most strict prison in Russia, and half of the prison is there for some
kind of Muslim terrorism. I was blocked from communication with my family for three months…no phone calls, visits, nothing. Just this ‘Allah, Akbar!’ crap five times a day!”

Vrublevsky’s lawyer forbade him from discussing his case, but as always he had an amusing story to share about his situation. When prisoners of Lefortovo are to be released, they’re ceremoniously informed by the more senior convicts of a solemn tradition whereby the freed captive is supposed to later burn the clothes he had on when he was released. Fearing it might be welcoming more bad luck not to observe this tradition, Vrublevsky invited some friends over to his house the day after his release to torch the clothes he was wearing when he was admitted and expunged from Lefortovo.

“Imagine this picture: It is gray, ugly weather, we are behind the house, standing there with my clothes that I came out of the prison with,” Pavel recalled, barely able to stop laughing. “Standing there having a cigarette in front of the fire, having a funeral for the clothes. It’s like a real Hollywood-type movie, minus the dramatic music at this moment. Serious things are being said, like, ‘Dude, don’t go back there, blah, blah.’ All of a sudden, my wife runs out of the house screaming: ‘Pavel, you’re burning the wrong shoes!’ Turns out, I burned my expensive Yamamoto shoes, not the ones I wore home from prison!”

During his imprisonment, Vrublevsky signed a full confession stating that he masterminded the attack on Assist, Aeroflot’s credit card processor. Vrublevsky’s confession stated that he had instructed a ChronoPay employee—Maksim Permyakov, an information security specialist for the company—to deposit $20,000 in WebMoney payments into a purse owned by Igor A. Artimovich, the alleged Festi spam botmaster and a former employee of Sun Microsystems in Russia. Indeed, a lengthy email thread in the cache of messages leaked from ChronoPay details this exchange precisely.

Arrested by investigators with the Russian Federal Security Service
(FSB), Artimovich signed a similar confession stating that he’d been hired by ChronoPay to use Festi in an attack on Assist. The FSB also arrested Artimovich’s brother, Dmitry, a freelance programmer.

All four men—Vrublevsky, Permyakov, and the Artimovich brothers—were charged with violating two articles of the Russian criminal code: Article 272, which covers “illegal access to computer information,” and Article 273, which prohibits the use and distribution of malicious computer programs. Both articles provide for imprisonment for between three and seven years.

Other books

A Southern Girl by John Warley
Promise Me This by Christina Lee
Nowhere to Hide by Tobin, Tracey
Athena Force 12: Checkmate by Doranna Durgin
The Christmas Inn by Stella MacLean
Caught (The Runners) by Logan Rutherford
Deathless by Scott Prussing
The APOCs Virus by Alex Myers