Spam Nation (30 page)

Kimberly Zenz, a cybercrime expert with the Reston, Virginia-based firm Verisign iDefense, has tracked the feud for years. She said she believes Vrublevsky was the aggressor, and that he was brought down by an enormous ego and an overabundance of misplaced confidence.

“He loves the attention, and cybercriminals should not love attention,” Zenz said. “But this way, he gets to very publicly be the big boss and get respect for his role in the underground community.”

But according to Zenz, other factors worked to undermine Vrublevsky’s spam and rogue antivirus empire.

“He really was on the wrong side of history,” Zenz said. “At one point, people complained that Russia never cared about cybercrime. And I think Pavel misunderstood how far he could go and what he could attack. The part of his personality that made him grow ChronoPay the way he did was the same part that made him overstep his bounds and attack Assist, and think that he could take on Gusev and that there would be no problem with either.”

Stefan Savage, the UCSD professor, said Vrublevsky seemed obsessed with always coming up with some newer and greater blackhat scheme.

“You have to see it in that light to understand how he could have this legitimate company and then still want to pump it full of pharma and fake antivirus and all this other stuff,” Savage said. “He clearly felt driven to be the big man. And certainly, if you look at the interactions between him and other people at ChronoPay—and the fact that he would constantly show up at Visa security and fraud conferences in Europe—it’s clear he sees himself as this larger-than-life figure. He didn’t need to do all this to have a good standard of living. He could have been totally legit, although he might have done what he did to support a certain lifestyle. But I also suspect part of it as well was he had a certain social circle of people in this cybercrime space that he was trying to impress.”

But while the Pharma Wars may be temporarily over, the global threat from spam is stronger than ever. The demise of many large spam affiliate programs like SpamIt and Rx-Promotion coincided with a marked and more malevolent shift in the way cybercrime is monetized. For starters, the work done by Savage, Microsoft, and the brand holders who worked with the International Anti-Counterfeiting Coalition (IACC) to make it far more expensive for partnerka programs to obtain credit card processing effectively killed off much of the rogue antivirus or scareware industry that ChronoPay had so carefully nurtured. But in its place, a far more insidious threat has taken hold: ransomware.

Much like scareware, ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities. Typically, these scams impersonate the Department of Homeland Security or the FBI (or the equivalent federal investigative authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content.

Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Increasingly, ransomware attacks encrypt all of the files on the victim’s PC, holding them for ransom
until victims pay up. Victims are instructed to pay the ransom by purchasing a prepaid debit card or cash voucher, sold at convenience stores or retail outlets the world over. Victims are then told to send the attackers the voucher code or card number that allows the bad guys to redeem the information for cash.

“I don’t think it’s an accident that we’ve seen ransomware rise as it’s become harder for these partnerka programs to find a continuous supply of banks to help them process cards for scareware payments,” Savage said. “You have a bunch of people who are used to making good money for whom fake antivirus software and scareware have become problematic and for whom pharma is not really an option. There’s a void in the ecosystem where people can make money. It’s not at all an accident that these ransomware schemes essentially are bypassing traditional payment schemes.”

The past few years have also witnessed a noticeable change in the ways that botmasters are using the resources at their disposal. By August 2013, the proportion of email that is spam had dropped to 67 percent, according to Kaspersky Lab, a Russian antivirus and security firm. But to supplement a decline in revenue from commercial email missives, many miscreants increasingly are hiring out their botnets to send malicious software that poses a far more serious threat to consumers, especially those of us who never open spam or junk emails, let alone buy anything from them.

One excellent example of this is the Rustock botnet, which started off in 2007 promoting pump-and-dump stock scams. For years, it was among the world’s top promoters of pharmacy sites, but over the past few years, the miscreants at the helm of Rustock have dedicated more of their spamming resources to blasting malware wrapped in a thousand disguises, from phony missives from FedEx and UPS, to bogus audit alerts from the U.S. Internal Revenue Service. In most cases, this password-stealing malicious software is aimed at small- to mid-sized businesses in the United States and Europe, with the goal of infecting
the computer of the person in charge of the organization’s finances. Armed with that person’s username and password to the organization’s bank account, the fraudsters will push through fraudulent bank transfers from that victim’s account to accounts that they control.

Indeed, according to University of Alabama at Birmingham’s Gary Warner, malware sent via Cutwail spam is among the leading causes of corporate account takeovers. This increasingly common cybercrime scourge affects thousands of small businesses each year, often resulting in hundreds of thousands of dollars in losses for individual victim organizations.

Another notable shift is that cybercrime entrepreneurs who run their own botnets increasingly are seeking to extract more value from each infected system, carefully harvesting every nugget of personal data (for example, passwords, software license keys, and social media accounts) that they can from the compromised systems of unsuspecting users, all of which can be resold in the cyber underground, Savage said. What’s more, there are now more cybercrime bazaars than ever to help botmasters offload this data. In other words, it’s very possible that a cybercriminal right now is selling your personal information to someone else and making a pretty penny off it.

“Much like the Inuit Eskimos made sure to use every piece of the whale, we’re seeing an evolution now where botmasters are carefully mining infected systems and monetizing the data they can find,” Savage said. “The mantra these days seems to be, ‘Why leave any unused resources on the table’?”

While some are using ransomware and data harvesting, Savage said, many other former affiliates and managers of failed scareware, pharma, and pirated software partnerkas are casting about for the next big thing.

“It’s a period of innovation, and people clearly are looking around for another sweet spot that’s as good as pharma, which made more money more reliably than anything else out there,” he said. “A few
affiliate programs are trying to peddle pirated e-books and movies; others are getting into [advertising] payday loans. There are now tons of programs that will write term papers for students. That seems to be a big thing now.”

The other factor weighing on the spam industry, Savage says, is that many affiliates have found more success advertising websites using so-called “black SEO” techniques to manipulate search engine rankings for their sites. He notes that the biggest earner by far across thousands of GlavMed pharmacy affiliates was a black SEO expert who used the nickname “Webplanet.” This enterprising young hacker appears to have earned all of his money by gaming the search engines.

“There are a lot of games being played now doing [advertising fraud] or black SEO,” Savage said. “For now, a lot of these guys are becoming more diversified and are in kind of a regrouping period. And the subset of people doing well with pharma spam are either retrenching or saying, ‘Yeah, we’ll have to accept lower profits or find another niche.’”

Savage says he expects that online pharma as an industry will be dead two to three years from now.

“There will be some small affiliate programs, but I doubt there will be any big affiliate programs like Rx-Promotion or GlavMed,” Savage said. “It just draws too much attention and pressure from the card systems like Visa and MasterCard.”

Savage’s comments eerily echo the words I heard from Igor Gusev in our last interview in mid-2011.

“It’s very strange that some people need to have done so much expensive research to understand that [the] weakest part of this business is card processing,” Gusev said. “They need to put pressure on the card processors which are monsters [that] only regulate [under] very negative public pressure. I think it would be a very powerful strike, and online pharma would be dead within two years if they could somehow switch off the merchants who [are] connected to online pharma.”

Gusev, too, was wondering what the next big partnerka will be after pharmacy programs die off.

“I think that the next big thing will be connected to video, audio, and maybe social networking,” he said. “It will be some kind of service like what Google and Apple are trying to do now with sharing and having all your MP3s and videos uploaded to a web service so you can access it from anywhere. The only question is what kind of model they will use to do billing for that, and how people will pay for it.”

Gusev said he was considering going into the consulting business, advising online affiliate programs on how to navigate the choppy waters inhabited by the shady credit card processors and dodgy banks that support those industries.

“Honestly, I am looking into this business,” Gusev said. “From one point of view, it’s pretty risky because I want to stay as far as possible away from doing stuff which could lead to another criminal case. But from another point of view, I can earn some money just to make some consultations with merchants such as this, if the merchants agreed to pay some percentage for my expertise, because the banks are the vital thing to all of this stuff.”

Most readers of this book probably have never ordered anything advertised in unsolicited junk email or ingested prescription drugs of uncertain origin that were ordered online. But there are a myriad ways that even the wariest Internet users still end up supporting spammers, scam artists, and organized cyberthieves. And almost all of those ways invariably stem from one cause: apathy.

Whether we go online using a device powered by Microsoft Windows, Mac OS X, Linux, or Android, each of us has a role to play in combatting or contributing to online fraud. As such, we are all either part of the problem or the solution. There is no in-between anymore. Today’s online threats take full advantage of people who fall behind on security updates, or those who wantonly open unbidden email attachments and click on random links in email or on Facebook
and Twitter that seem legitimate. For more information on what all of us can do to fight spam and malware—and better protect ourselves online—check out the Epilogue that directly follows this chapter.

Many of us have had the experience of receiving a spammy email from a friend or loved one, only to have a frantic follow-up note arrive a few minutes later from that person stating that his or her email account was hacked and warning us not to open or respond to any of the messages sent by the intruder. To be sure, this is an alarming situation for many users. But the scarier truth is that if your inbox (or your phone, tablet, Twitter or Instagram account, anything really) gets hijacked by modern cyberthieves, spewing spam is about the most innocuous thing that can happen to it.

The true value of your email account to crooks is not merely in its ability to pump spam or even forward malicious software and viruses to your entire contact list. Depending on what you do with your account and how long you’ve had it, your inbox could be worth far more than you imagine.

For example, sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts—merely by requesting a password reset email. Got your retirement fund, bank account, or insurance plan tied to that inbox? An attacker in control of your email account—either via
phishing you or installing malware on your system—can simply visit the websites that manage those accounts, request a password reset, click a link in an email, and change your passwords (and they will start with your email password)!

Even if the person who hijacks your inbox doesn’t have the time or inclination to seize control over all of your associated accounts, he likely knows that those accounts have a resale value in the cybercrime underground. How much are these associated accounts worth? There isn’t exactly a central exchange for hacked accounts in the underground, but recent price lists posted by several ne’er-do-wells who traffic in nonfinancial compromised accounts offer some insights.

Several bad guys in the underground will sell purloined usernames and passwords for working accounts at overstock.com, dell.com, and walmart.com, all for two dollars each, for example. Other sellers peddle accounts at fedex.com and ups.com for five dollars a pop, and Apple iTunes accounts starting at eight dollars. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.

Some crime shops go even lower with their prices for hacked accounts, charging as little as three dollars for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com, and target.com, to name just a few. This may sound like peanuts and hardly worth the bother, but remember that the bad guys engaged in this activity very often run large botnets, meaning they can gather this information from hundreds or thousands of hacked computers simultaneously.

Even if your email isn’t tied to online merchants, it is probably connected to other accounts you care about. Hacked email accounts are not only used to blast junk messages. They are harvested for the email addresses of your contacts, who can then be inundated with malware, spam, and phishing attacks. Those same contacts may even receive a message claiming you are stranded and penniless in some
foreign country, and asking them to wire money somewhere. Trust me, countless people actually follow through on these fake pleas for help and wire money straight into the pockets of these cyberthieves.