Spam Nation (6 page)


Authors: Brian Krebs


At a meeting in mid-2009, the washingtonpost.com editors explained that, although my Security Fix blog attracted a loyal and admirably large following given the niche subject, the angle of my reporting didn’t quite fit into the Post’s emerging strategy of being the go-to source for news “for and about Washington, DC.”

That turn of phrase encapsulated the new strategy that was the centerpiece of a protracted and painful effort to merge the separate operations of the Washington Post newspaper with the newsroom of washingtonpost.com, mainly for cost reasons.

The Post leadership had concluded that one way to save money was to shift the paper and site’s news coverage so that it more closely focused on local events in the nation’s capital and on explaining to readers how the events in Washington, DC, affect the rest of the world. The company also opted to close some of its major U.S. news bureaus and to rely more on wire services like the Associated Press and Reuters for breaking stories.

The editors were hoping I could spend most of my time writing about technology policy, specifically technology regulation and policy, or the future of technology innovation as it relates to policy. But I had no desire to shift the focus of my reporting away from cybercrime. I’d covered the tech policy beat for several years early in my career at the Post, and had found it tedious and stultifying.

Moving back to tech policy would also mean abandoning my previous four years cultivating clueful and connected sources in both the security industry and the cybercrime community. I was in the midst of a yearlong series about increasingly costly and sophisticated cyberattacks being perpetrated every month against countless small to mid-sized organizations across the country. After all that careful research and investigation, I finally had a front-row seat that allowed me to peer into the day-to-day activities of large, organized cybercriminal gangs operating out of Eastern Europe.

Over the course of several months, I was able to learn who these criminals were, where they worked, what they did in their free time, and who they were attacking—often before the victims themselves knew they had been robbed of hundreds of thousands of dollars, sometimes millions. The bank accounts at most small businesses and organizations are managed by regular men and women who are no match for organized cybercrime gangs, and I desperately wanted to continue spreading the word about this increasingly common and costly form of online robbery.

Moreover, I was beginning to understand that ChronoPay and Vrublevsky were very much the tip of the iceberg—that they were just the most visible figures in a largely Russian and Eastern European underground community whose members all seemed to know and rely upon one another.

So fourteen years after I joined the Washington Post, I was let go from the company with six months’ severance, just enough time to plot my next career move. I remember feeling at the time that it was very important for me to hit the ground running on a new job on January 1, 2010. What that new job was to be, exactly, I wasn’t sure of, though.

I discussed my termination with only a handful of family members and with two trusted sources, but no one else. So I was baffled when, less than a month later and well before my official termination date, I discovered a lengthy discussion thread on Crutop.nu titled “Krebs fired from the Washington Post,” in which members took turns celebrating and jeering at the news.

“For those of you who don’t know—he is the author of Security Fix at WP, who loved to write about Atrivo, McColo, EstDomains, UkrTeleGroup, [and] 3FN, and he is the one who helped shut them down,” wrote the Crutop member who posted the thread. Other members greeted the news with cheers such as, “Thank you, Santa!” and “Santa got our letters!” Having something so personal and private exposed on a public forum run by some of the most active spammers that I’d been striving to expose was eerie and unnerving, but it also made me even more determined to continue my work.

I had anonymously registered the domain name KrebsOnSecurity.com just two weeks before that Crutop thread was posted, but hadn’t yet decided whether to pursue a traditional position at another major news publication or to go it alone on a blog. After hearing from colleagues at other large media outlets who were being let go, forced to take unpaid leave, or reassigned to more advertising-friendly beats, I was not anxious to jump back into a position at a major newspaper or online publication. But the idea of going out on my own—and making a living at it—seemed daunting, even terrifying at times.

At the same time, a part of me was eager to succeed on my own terms and to build an audience based solely on my original reporting. When I read that Crutop thread, it struck me almost as a personal challenge and I decided to take it on. In an encouraging development, I soon heard from Russian readers who expressed disgust at that Crutop thread and were anxious to share documents that could prove the extent of ChronoPay’s involvement in the cybercriminal underground. I suspected, but couldn’t be sure at the time, that Vrublevsky’s old business partner-turned-nemesis—Igor Gusev—was behind this ruse, but for the moment I didn’t want to do anything to deter my sources from sharing what they knew.

“Do not be mistaken,” one source pseudonymously named “Boris” warned in an email that promised the delivery of massive amounts of incriminating evidence of wrongdoing at ChronoPay. “These guys, and probably Vrublevsky, will come at you hard, and it may not be pretty.”

But Boris and others were true to their promises and their warnings. The anonymous threats started just days after a virtual treasure trove of incriminating ChronoPay emails and documents fell into my lap. Any last hesitation I’d had about striking out on my own disappeared. It was time to get to work.

2. I was unable to track down Rubatsky, but according to the Belarusian Telegraph Agency (the state-owned national news agency), Rubatsky is currently a fugitive who is wanted by Interpol, the international criminal police organization.

3. Loginov and several associates were later prosecuted and found guilty of kidnapping and other crimes. According to a report in the Ecommerce Journal, Petrovsky is thought to be in hiding somewhere in Ukraine.

4. In an email interview, Igor Gusev acknowledged that someone using his unusual nickname “Desp” was listed as an administrator on the homepage of Darkmasters.com, but denied that he himself was ever an administrator of Darkmasters. Instead, Gusev said he had merely agreed to lend his imprimatur on the site in exchange for money from the true administrator—another adult webmaster who used the nickname “Master.” Vrublevsky, on the other hand, insists this is “proof” that Gusev was closely aligned with the Russian Business Network.

5. Now part of TeliaSonera, Telia was the dominant Swedish telecommunications company with operations throughout Europe and Asia. Tiscali is an Italian telecommunications company that provides domestic service but at one time offered services throughout Europe and Hong Kong.

Chapter 3

THE PHARMA WARS

The morning of May 14, 2010 began with a rambling, disturbing email message waiting in my inbox. The anonymous writer had read my blog post about a public speaking engagement on cybercrime that I’d just completed in upstate New York. The message read:

Brian,

You are a wonderful puzzle. Your wife apparently allows You to behave like a teenager. I would like to see You grow up.

We love You. But, Your wife is right. It’s time for You to put Your peculiar talent in the hands of professionals. The last report about You driving around upstate New York prompts me to send You this final plea before…

Your long suffering, but loving, wife should be empowered to make a contract with a professional person, (who might be a female but Your docile wife will eat her eyeballs on top of Your breakfast cereal before You come up from the basement if she makes moves on You).

So, why am I writing? Well, it’s easy. I like what You do and many more would if they only knew about You. But, like many artists You think everyone sees what You see. We do not.

Therefore, the next move is up to You. I would start with Your wife. I would ask her what she thinks of this email.

Then I would engage an attorney. You’ll need one when she falls “in love.”

The message was textbook Vrublevsky: Malevolent, rambling, graphic, and full of mangled metaphors. It was the kind of screed I frequently saw coming from Vrublevsky’s alleged “RedEye” identity on Crutop.nu—the Russian adult webmaster forum that he’d cofounded and that was an education center for spammers. As the U.S. Federal Trade Commission (FTC) described the forum in its takedown of hosting provider 3FN, Crutop “features a variety of discussion forums that focus on making money from spam.”

Vrublevsky had earned a name for himself early on in the business by creating a network of adult websites that specialized in extreme and violent pornography, mostly videos featuring rape, incest, and bestiality. His name and ChronoPay’s address are on the company registration records of “Red & Partners BV,” which was a company Vrublevsky formed and was the parent firm of his adult webmaster affiliate program, according to legal documents obtained by this author from the government of the Netherlands. Also, as I noted in a 2009 story in the Washington Post, the websites for both ChronoPay.com and Red & Partners (re-partners.biz) shared the same domain name servers and Google Analytics code for tracking site visitors, though ChronoPay denied a connection between the two. Many of the webmasters on Crutop were affiliates that made money by reselling subscriptions to porn sites run by Vrublevsky and others on the forum.

But aside from the strange and somewhat threatening language, the message held few other clues to support my suspicion that Vrublevsky was the author. It was just a hunch, yet the timing was suspect.

Six months earlier, I’d decided to go it alone and start my own site—KrebsOnSecurity.com—a daily news blog dedicated to investigative reporting on cybercrime to increase public awareness and action against it. The email arrived just two days after I’d told Vrublevsky that I was preparing to publish a story based on cybercriminal allegations leveled against him by Ilya Ponomarev, a deputy of the Russian State Duma’s high-tech development subcommittee. Ponomarev had sent a letter to Russian investigators, echoing many of the allegations in my earlier reporting on ChronoPay and Vrublevsky for the Washington Post.

Ponomarev’s letter also included a new tidbit of information for me, which offered the first of many insights into the widespread corruption and backwardness of Russian politics. Incredibly, Vrublevsky—who according to multiple sources at this point ran one of the Internet’s most notorious pharmaceutical spam programs, Rx-Promotion—had been selected as chairman of the anti-spam working group of the Russian Ministry of Telecom and Mass Communication, a body tapped by Russian President Dmitry Medvedev to advise the government on new laws to curb junk email. Essentially, Ponomarev wanted Vrublevsky gone.

When I contacted him for comment on Ponomarev’s missive, Vrublevsky publicly denied being associated with Rx-Promotion or spam and then accused me of having been bribed by his enemies into creating negative press about him. He once again promised to sue me, and this time actually took steps to follow through on the threat. He had already begun the process by the time we spoke, but as I’d find out, his attorney and executives at ChronoPay eventually talked him out of it because he would have a slim chance of winning, the case could drag on for years, and he and ChronoPay would be vulnerable to having even more of their business dragged into the light of day if the case ever went to trial.

How did I find all of this out when Vrublevsky never said anything more than threatening to sue me? At this point, dozens of leaked emails began showing up in my inbox; they were between Vrublevsky and a Russian-speaking lawyer he’d hired from the Washington, DC, law firm of Duane Morris LLP. The emails would later show that to silence me, Vrublevsky had been fully prepared to pay more than $100,000 to bring a defamation case against me for my stories about his role in the rogue antivirus and pharmacy industries.

These internal emails were the first of many compromised materials (or compromat, as they’re called in Russia) that I would receive over the course of a year from unnamed and anonymous hackers apparently bent on exposing ChronoPay and Vrublevsky. When I first began to receive these materials—usually via a link to an archive at a free file-sharing site—I considered the possibility that someone had forged emails and documents to make them appear stolen from ChronoPay. Eventually, however, the sheer volume, complexity, and interconnectedness of the records made it clear they were legitimate.

Months later, Vrublevsky himself would admit this same thing to me in a phone conversation. Unknown hackers or ChronoPay insiders had leaked huge caches of his firm’s internal correspondence—tens of thousands of emails and accounting documents—as well as hundreds of hours of phone conversations that Vrublevsky recorded with others. The information painstakingly documented the breadth of ChronoPay’s involvement in the rogue pharmacy and fake antivirus business endeavors. These required the creation of an elaborate network of shell companies and offshore bank accounts—all documented in well-organized Microsoft Excel spreadsheets, and in some cases described in Vrublevsky’s own voice.

This cache of purloined documents contained not only evidence of wrongdoing by ChronoPay and its executives, but also intricate, sometimes lurid details about some of the most powerful people in the cybercrime underground.

It took many months to read through all of the materials, but more importantly to discover the most significant emails and documents. Part of the difficulty was that the ChronoPay employee email inboxes I’d been given offline access to were, ironically enough, laden with spam messages themselves, causing plenty of false positives when I searched them for specific terms that might expose ChronoPay’s involvement in establishing shell companies and affiliate programs, and running spam operations. Also, almost all of the missives were written in Russian, and specific phrases or proper nouns often had multiple permutations of their Cyrillic and transliterated Russian equivalents, or shorthands that required individual searches for each, or both.
