Brian Krebs - Spam Nation

For my BizMgr

Copyright 2014 by Brian Krebs

Cover and internal design 2014 by Sourcebooks, Inc.

Cover design by The Book Designers

Sourcebooks and the colophon are registered trademarks of Sourcebooks, Inc.

All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means including information storage and retrieval systemsexcept in the case of brief quotations embodied in critical articles or reviewswithout permission in writing from its publisher, Sourcebooks, Inc.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. From a Declaration of Principles Jointly Adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations

All brand names and product names used in this book are trademarks, registered trademarks, or trade names of their respective holders. Sourcebooks, Inc., is not associated with any product or vendor in this book.

Published by Sourcebooks, Inc.

P.O. Box 4410, Naperville, Illinois 60567-4410

(630) 961-3900

Fax: (630) 961-2168

www.sourcebooks.com

Library of Congress Cataloging-in-Publication Data

Krebs, Brian.

Spam nation : the inside story of organized cybercrimefrom global epidemic to your front door / Brian Krebs.

pages cm

1. Computer crimesUnited States. 2. Internet fraudUnited States. 3. Spam (Electronic mail) 4. Phishing. 5. Organized crimeUnited States. I. Title.

HV6773.2.K74 2014

364.1680973dc23

2014023007

PAVEL VRUBLEVSKY , a.k.a RedEyeCofounder of ChronoPay, a high-risk card processor and payment service provider that was closely tied to the rogue antivirus industry. Co-founder of Rx-Promotion pharmacy affiliate program.

YURI KABAYENKOV , a.k.a. HellmanCo-owner of Rx-Promotion along with Pavel Vrublevsky.

IGOR GUSEV , a.k.a DespCofounder of ChronoPay, and co-owner of the pharmacy spam partnerships SpamIt and GlavMed.

DMITRY STUPIN Co-owner, along with Igor Gusev, of the pharmacy partnerships SpamIt and GlavMed.

IGOR VISHNEVSKY A spammer who helped develop the Cutwail spam botnet, and a one-time business partner of Dmitri Gugle Nechvolod, a major spammer.

DMITRY NECHVOLOD , a.k.a. GugleOne of SpamIt and Rx-Promotions most successful spammers, Gugle rented out his Cutwail spam botnet for use by many other junk emailers.

GENNADY LOGINOV A Belarusian man and leader of a militant organized crime group known as The Village. Partner with Alexander Rubatsky and involved in the kidnapping and ransom of Evgeny Pet Petrovskya rival businessman.

ALEXANDER RUBATSKY A Belarusian hacker closely tied to the child pornography industry who later founded the Russian Business Network (RBN) in St. Petersburg, Russia.

EVGENY PETROVSKY , a.k.a. PetBelarusian owner of companies Sunbill and BillCards, credit card processing networks that were deeply involved in processing payments for child pornography sites.

NIKOLAI MCCOLO , a.k.a KolyaThe young entrepreneur behind McColo Corp., which until its demise in 2008 was among the most popular Web hosting providers in the cybercrime underground.

LEONID KUVAYEV A convicted spammer who ran the RxPartners pharmacy spam affiliate program. Kuvayev is currently serving a ten-year prison sentence in Russia for child molestation and child pornography.

IGOR AND DMITRY ARTIMOVICH , a.k.a. EngelBrothers who allegedly operated the Festi spam botnet and were close allies of Vrublevsky. The brothers were convicted in 2013 of using Festi to attack the website of Assist, a ChronoPay competitor, although they deny this.

COSMA Spammer for both GlavMed-SpamIt and Rx-Promotion and principal author of the massive Rustock botnet.

SEVERA Spammer for both GlavMed-SpamIt and Rx-Promotion and the apparent author of the Waledac and Storm botnets.

Chapter 1

The navy blue BMW 760 nosed up to the crosswalk at a traffic light in downtown Moscow. A black Porsche Cayenne pulled alongside. It was 2:00 p.m., Sunday, September 2, 2007, and the normally congested streets adjacent to the storied Sukharevskaya Square were devoid of traffic, apart from the tourists and locals strolling the broad sidewalks on either side of the boulevard. The afternoon sun that bathed the streets in warmth throughout the day was beginning to cast long shadows on the street from the historic buildings nearby.

The driver of the BMW, a notorious local scam artist who went by the hacker nickname Jaks, had just become a father that day, and Jaks and his passenger had toasted the occasion with prodigious amounts of vodka. It was the perfect time and place to settle a simmering rivalry with the Porsche driver over whose ride was faster. Now each driver revved his engine in an unspoken agreement to race the short, straight distance to the big city square directly ahead.

As the signal flashed green, the squeal of rubber peeling off on concrete echoed hundreds of meters down in the main square. Bystanders turned to watch as the high-performance machines lurched from the intersection, each keeping pace with the other and accelerating at breakneck speed.

Roaring past the midpoint of the race at more than 200 kilometers per hour, Jaks suddenly lost control, clipping the Porsche and careening into a huge metal lamp post. In an instant, the competition was over, with neither car the winner. The BMW was sliced in two, the Porsche a smoldering, crumpled wreck close by. The drivers of both cars crawled and limped away from the scene, but the BMWs passengera promising twenty-three-year-old Internet entrepreneur named Nikolai McColowas killed instantly, his almost headless body pinned under the luxury car.

Kolya, as McColo was known to friends, was a minor celebrity in the cybercriminal underground, the youngest employee of a family-owned Internet hosting business that bore his last nameMcColo Corp. At a time when law-enforcement agencies worldwide were just waking up to the financial and organizational threats from organized cybercrime, McColo Corp. had earned a reputation as a ground zero for it: a place where cybercrooks could reliably set up shop with little worry that their online investments and schemes would be discovered or jeopardized by foreign law-enforcement investigators.

At the time of Kolyas death, his familys hosting provider was home base for the largest businesses on the planet engaged in pumping out junk email or spam via robot networks. Called botnets for short, these networks are collections of personal computers that have been hacked and seeded with malicious softwareor malwarethat lets the attackers control the systems from afar. Usually, the owners of these computers have no idea their machines have been taken hostage.

Nearly all of the botnets controlled from McColo were built to blast out the unsolicited junk spam advertisements that flood our inboxes and spam filters every day. But the servers at McColo werent generating and pumping spam themselves; that would attract too much attention from Internet vigilantes and Western law-enforcement agencies. Instead, they were merely used by the botmaster businesses to manipulate millions of PCs scattered around the globe into becoming spam-spewing zombies.