Posts tagged ‘Glavmed’

Krebs on Security: Pavel Vrublevsky Sentenced to 2.5 Years

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source: Novayagazeta.ru

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

For more background on Vrublevsky and his case, check out these two stories from the Russian publication Novya Gazeta. This entry is the latest in my Pharma Wars series, which documents the rise and fall of the pharmacy spam business and how a simmering grudge match between Gusev and Vrublevsky ultimately brought down their respective businesses.

It might be tempting to conclude from Vrublevsky’s sentencing that perhaps the Russian government is starting to crack down on cybercriminal behavior in its own backyard. But all the evidence I’ve seen suggests this is merely the logical outcome of bribes paid by Gusev to some of Russia’s most powerful, payments that were meant to secure the opening of a criminal case against Vrublevsky. In Paying for Prosecution and The Price of (in)Justice, I highlight chat logs leaked from Gusev’s operations that show him making preparations to pay more than $1.5 million to Russian politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Krebs on Security: PharmaLeaks: Rogue Pharmacy Economics 101

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world’s largest rogue pharmacy operations.

Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discretely available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day.

Their conclusion? Spam — and all of its attendant ills — will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.

“The market for spam-advertised drugs is not even close to being saturated,” said Stefan Savage, a lead researcher in the study, due to be presented early next month at the 21st USENIX security conference in Bellevue, Wash. “The number of new customers these programs got each day explains why people spam: Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”

The researchers found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27% and 38% of average program revenue for GlavMed and SpamIt, respectively; for Rx-Promotion, revenue from repeat orders was between 9% and 23% of overall revenue.

“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”

Whether the placebo effect is something that often applies with the consumption of erectile dysfunction drugs is not covered in this research paper, but ED drugs were by far the largest category of pills ordered by customers of all three pharmacy programs.

One interesting pattern that trickled out of the Rx-Promotion data underscores what made this pharmacy affiliate unique and popular among repeat buyers: A major portion of its revenues was generated through the sale of drugs that have a high potential for abuse and are thus tightly controlled in the United States, including opiates and painkillers like Oxycodone, Hydrocodone, and mental health pills such as Adderall and Ritalin. The researchers noticed that although pills in this class of drugs — known as Schedule II in U.S. drug control parlance — comprised just 14 percent of orders for Rx-Promotion, they accounted for nearly a third of program revenue, with the Schedule II opiates accounting for a quarter of revenue.

“The fact that such drugs are over-represented in repeat orders as well (roughly 50 percent more prevalent in both Rx-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand,” the researchers wrote.

THE PARTNERKA ECONOMY

The study also seeks to explain the revenue model behind these pharmacy affiliate partnerships — often referred to in Russian as “partnerkas.” In a typical partnerka, the program sponsors handle everything from purchasing pill site domains and arranging hosting, to procuring the pills, credit card processing, managing shipment and customer support. The sole role of the affiliates or spammers is to undertake the somewhat riskier job of figuring out ways to drive tons of traffic to the pill sites.

And for this, the affiliates are rewarded handsomely. The researchers observed that affiliate commissions ate up between 30 to 40 percent of revenue for all three programs. Interestingly, the researchers found that while each program employed hundreds of affiliates, most of the affiliates earned next to nothing. Rather, just ten percent of the highest-earning affiliates accounted for 75-90% of total program revenue across the three affiliate programs.

“This is the brilliance of the affiliate program model, because you let every schmuck come in and try to do their thing, and you don’t care whether they succeed because you pay them only on a commission basis,” Savage said. “So all affiliate programs want to get the good affiliates, but the problem is they may not know who’s good ahead of time, so you let lots of people in, but most of the affiliates are just wasting their time.”

As it happens, nearly all of the top earners for SpamIt and Rx-Promotion have already been profiled in previous stories on this blog: They are the affiliates thought to be responsible for running the world’s largest spam botnets, including Cutwail, Rustock, Waledac, Mega-D, Srizbi, and Grum. I hope to have an analysis of the Xarvester botnet author ready soon.

So how much did the affiliate program sponsors themselves make? After paying affiliates (30-40%), suppliers (~7% of gross revenue), for shipping (a loss leader, it turns out, at between 11% and 12%), credit card processing (10%) and a host of other direct and indirect costs, the sponsors made a net profit of about 20% of gross revenue.

“Clearly these affiliate programs are profitable, but they are operating a business enterprise,” the researchers wrote. “Their profit is still only a fraction of the overall revenue.”

As detailed in my Pharma Wars series, the volume of spam worldwide has fallen dramatically since late 2010, when an escalating turf war between the Russian businessmen behind Rx-Promotion and sister programs SpamIt and GlavMed forced these businesses to close up shop. Alert readers will notice that my name also is listed as a co-author to this research paper, although in truth my principal contribution to the project was the donation of the Rx-Promotion, GlavMed and SpamIt databases that had fallen into my lap as a result of the aforementioned turf war. I am currently spending quite a bit of my time working on a book about the epic rise and fall of these rogue pharmacy affiliate operations.

While the overall volume of email that is spam recently fell to historic lows, that ratio been steadily creeping back up since April, according to Symantec. It will be interesting to see if this trend continues as other affiliate programs compete to meet customer demand and lay claim to the market shares once held by the likes of GlavMed, Rx-Promotion and SpamIt.

A copy of the Pharmaleaks paper is available here (PDF).

Krebs on Security: Who’s Behind the World’s Largest Spam Botnet?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released -  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!”

Around the same time that SpamIt’s database was leaked, hackers plundered the networks of ChronoPay, one of Russia’s biggest online payment processors. The company’s top executive, Pavel Vrubelvsky, was reputed to have been a co-founder of SpamIt’s biggest competitor — a rogue pharmacy operation called Rx-Promotion. The data that hackers leaked from ChronoPay included emails showing ChronoPay executives passing credentials to Rx-Promotion’s administrative back end database.

KrebsOnSecurity.com obtained a comprehensive data set showing all of the sites advertised by Rx-Promotion affiliates in 2010, as well as the earnings of each affiliate. That information was shared with several University of California, San Diego researchers who would later incorporate it into their landmark Click Trajectories study (PDF) on the economics of the spam business. The researchers spent four months in 2010 observing the top spam botnets, keeping track of which pharmacy affiliate programs were being promoted by different top botnets.

The GeRa-Stupin chats show that by the time the researchers started recording the data, GeRa had defected from SpamIt to work for Rx-Promotion. Indeed, the UCSD researchers found that Rx-Promotion and Grum were synonymous. Each RX-Promotion pharmacy includes a “site_id” in its HTML source, which uniquely identifies the store for later assigning advertising commissions.  The researchers discovered that whenever Grum advertised an Rx-Promotion site, this identifier was always the same: 1811. According to the leaked Rx-Promotion database, that affiliate ID belongs to a user named ‘gera.’

A tiny snippet of GeRa's sales from Rx-Promotion sites, which all bore his affiliate ID 1811 in the source.

“It doesn’t prove that GeRa owned Grum,” said Stefan Savage, a professor in the systems and networking group at UCSD and co-author of the study. “But it does show that when Grum advertised for Rx-Promotion, it was for sites where commissions were paid to someone whose nickname was ‘GeRa’.”

WHO IS GERA?

GeRa uses the alternative nickname “Ger@” on Internet forums, including the now-defunct Spamdot.biz, where top spammers from SpamIt and competing programs used to gather. Google’s search engine largely ignores the “@” character, which makes searching for that nickname difficult. But infiltrate enough invite-only cybercrime communities and eventually you will find a user named Ger@ who announces that he is buying traffic.

GeRa routinely purchases traffic from other botmasters and malware writers who control large numbers of hacked PCs. As he explained in the following post to an exclusive forum, victim browsers sent his way are typically funneled through sites hosting a gauntlet of exploits designed to install a copy of his spam bot (see below).

Ger@ writes: "We continue to buy all your traffic which goes to Eleonor (Exploit Pack) to load the spam bot…"

GeRa did not respond to multiple requests for comment sent via email and ICQ. He appears to have been much more careful with his identity than other top SpamIt botmasters, but he did leave several tantalizing clues. GeRa appears to have used a number of separate affiliate accounts for himself on SpamIt (possibly to make his earnings appear lower than they really were. Among his personal accounts were “GeRa,” “Kostog,” “Scorrp,” “Scorrp2,” “Scorrp3,” “UUU,” and “DDD.”

GeRa received commission payments for all of those accounts to a WebMoney purse with the ID# 112024718270. According to a source who has the ability to look up identity information attached to WebMoney accounts, that purse was set up in 2006 by someone who walked into a WebMoney office in Moscow and presented a Russian passport #4505016266. The name on the passport was a 26-year-old named Nikolai Alekseevich Kostogryz.

One of GeRa’s most successful referrals was a SpamIt affiliate who used the nickname “Anton,” and the WebMoney ID 186103845227. The information on the Russian passport used to open that account was Vasily Ivanovich Petrov. According to SpamIt records, Anton was the 18th most valuable affiliate overall, bringing in sales of nearly $1 million and earning commissions above $422,000.

A "mind map" that helped piece together data about GeRa and his associates.

Looking at the earnings of spammers from both SpamIt and Rx-Promotion, it’s difficult to ignore the remarkable asymmetry between their incomes and the global cost of dealing with junk email. In the United States alone, spam has been estimated to cost businesses more than $40 billion annually in lost productivity, anti-spam investments, and related costs. By comparison, the entire SpamIt program produced revenues just above $150 million over a four year period, while Rx-Promotion spammers generated a fraction of that revenue.

SpamIt, Glavmed earnings over the life of the programs.

This is the latest in my Pharma Wars series. In case you missed them, check out my profiles of other top botmasters, including:

Mr. Waledac: The Peter North of Spamming
‘Google,’ the Cutwail Botmaster
Mr. Srizbi vs. Mr. Cutwail
Chats with Accused ‘Mega-D’ Botnet Owner?
Rustock Botnet Suspect Sought Job at Google

Krebs on Security: Glavmed Sister Program ‘GlavTorg’ to Close

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A prominent affiliate program that pays people to promote knockoff luxury goods is closing its doors at the end of January. The program — GlavTorg.com — is run by the same individuals who launched the infamous Glavmed and SpamIt rogue pharmacy operations.

Launched on July 4, 2010 and first announced on the Glavmed pharmacy affiliate forum, GlavTorg marketed sites that sold cheap imitations of high priced goods, such as designer handbags, watches, sunglasses and shoes.

“July 4 – U.S. Independence Day! Now, Russian craftsmen have a reason to celebrate this holiday. And on this occasion, the launch of GlavTorg.com. The all-new niche for all Russian search engine optimization (SEO) masters. Adult has died, online pharmacies are under pressure, and [fake anti-]spyware is dying. It’s time to move into a new direction. FASHION – that’s the trend this year! High demand, myriad of opportunities… Competition is almost non-existent.  High commissions.”

The program apparently was not profitable, or there was a mismatch between supply and demand, because on Dec. 21, 2011, GlavTorg affiliates were told it was being shut down and that they would not be paid after Jan. 31, 2012:

“Dear partners, We would like to inform you that we have decided to close the trade direction replica handbags and clothing. The reasons for this decision and are associated with economic deterioration in the quality of products provided by our suppliers. We believe that any business should be to balance the interests of buyers and sellers, which has recently become disturbed.”

GlavTorg’s failure may have had more to do with pressure from brand owners. In September 2011, handbag maker Chanel filed suit to shutter dozens of sites selling knockoff versions of its products. Among the domains seized and handed over to the company was topbrandclub.com, a primary GlavTorg merchandising site whose home page now bears a warning from Chanel about buying counterfeit goods.

It’s difficult to say whether other knockoff affiliate programs are feeling the same pressures as GlavTorg, but it is fascinating to see how spammers and fraudsters are constantly adapting. Igor Gusev, a Russian businessman closely tied to Glavmed and GlavTorg, has been trying to work out which “grey” Internet business he will pursue next. Gusev is in self-imposed exile from his native Moscow, due to pending criminal charges against him of running a spam operation in Glavmed and SpamIt.

In a phone interview with KrebsOnSecurity.com last July, Gusev said he was considering going into the consulting business, advising online affiliate programs on how to navigate the choppy waters of shady credit card processors and dodgy banks that support those industries.

“Honestly, I am looking into this business,” Gusev said. “From one point of view, it’s pretty risky because I want to stay as far as possible away from doing stuff which could lead to another criminal case. But from another point of view, I can earn some money just to make some consultations with merchants such as this if the merchants agreed to paid some percentage for my expertise,” because the banks are the vital thing to all of this stuff.”

Krebs on Security: Happy 2nd Birthday, KrebsOnSecurity.com!

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I’m taking a short break from some year-end downtime to observe that KrebsOnSecurity.com turns two years old today!

This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site.

My research and reporting involved more than a dozen public speaking events around the globe in 2011. The highlights of my work-related travel included trips to Austria, Canada, Poland, Russia, and The Netherlands. 2012 promises more interesting destinations.

When I founded Krebs On Security LLC in late 2009, I had no idea if it would work out. This past year, I’ve respectfully turned down some very flattering offers to work at important publications. The money and (apparent) stability those opportunities held out were certainly enticing, but I’m having way too much fun on my own, and today I can scarcely imagine doing anything else.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you.

In case you missed them, here are some of the most-read investigative stories on KrebsOnsecurity.com from 2011:

Russian Cops Crash Pill Pusher Party

SpamIt, Glavmed Pharmacy Networks Exposed

Is Your Computer Listed “For Rent”?

Rent-a-Bot Networks Tied to TDSS Botnet

Who’s Behind the TDSS Botnet?

Gang Used 3D Printers for ATM Skimmers

Digital Hit Men for Hire

Beware of Juice-Jacking

Coordinated ATM Heists Net Thieves $13 Million

Rustock Botnet Suspect Sought Job at Google

Apple Took 3+ Years to Fix FinFisher Trojan Hole

Advanced Persistent Tweets: Zero-Day in 140 Characters

Pro-Grade (3D-Printer Made?) ATM Skimmer

How Much is Your Identity Worth?

Krebs on Security: Pharma Wars: The Price of (in)Justice

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I spoke this week at Govcert 2011, a security conference in Rotterdam.  The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who sought to destroy the others’ reputation and business and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict. Click here to skip this section.

Actors

Pavel Vrublevsky: Co-founder and Former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below are from a set of logs leaked to several download sites that contain thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each others’ business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed come just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out,” Gusev wrote. “He is going to lose a large portion of his business and will be left with no money to fight the war.”

Gusev: Latest news – all the materials to start a criminal case were given to prosecutors on Friday. After holidays I am going to get some information regarding “what” and “who”. Are we meeting on 24th?

Stupin: Yes we are meeting on 24th.

Stupin: Shaman’s stuff got broken, everything is declined. I cannot come to Moscow, as usual. I broke my leg in Turkey.

Gusev: Really??? Is it really broken?

Stupin: Yes.

Stupin: Here. hip-notics.com.  I was learning how to do somersault doing Aerial skiing (freestyle).

Gusev:  In reality, I think it’s for the better. There is no need for you to go to Moscow. After the holidays I am going to get the information which was received by the prosecutors’ office, however I am planning to leave from here for a couple of months. This is extremely serious, this is not just articles in newspapers.

Gusev: Write down my new number. It used to be 325667.9. 20к (5k are going to the middleman and 15k are going to a person from prosecutors’ office). 5к (for the search of materials regarding Pasha’s case); $2к (to lawyer for compromising materials and Newsweek); summed up to: 298667.9

Stupin: Okay.

TWO DAYS LATER:

Gusev: I need a piece of advice: I found a person who is willing to help me in situation with Red. He has a proven scheme, because he is a very strong lawyer. A real fixer-upper. For his service, along with very large sum of money, he is asking for something in return — he is asking to help his friend – a very famous webmaster, who faced similar problem as the one we are facing, and who was saved by that person. This “friend” is not doing anything right now.  This lawyer is asking us to help him with establishing on-line pharmacy affiliation (partnerka). I am not glad with this proposition to create our own competition, however, out of all people I talked to, only this person offered a structured solution to the problem, giving us hopes.  People from Volleyball Association can and will cover us, using their FSB connections, but they can do very little with Prosecutors’ Office, they can only prolong the legal proceedings. They will also not be able to prosecute Red. The person who we are asked to help is my old acquaintance – Pet – the owner of лолного – billing of billcards (sunbill). [For more information on the role of the Russian Volleyball association in this story, see Pharma Wars: Purchasing Protection].

Stupin: Let’s offer him to create “us” under his own brand.

Gusev: We have already tried doing this.  He is going to leave on his own. IMHO the ideal way is to offer him our clone as 50-50 partnership. I have not offered anything to anyone yet before knowing your opinion. I cannot say no, otherwise, the “fixer-upper” is not going to take our case (even if we give him as much money as he asks for) :( In that case I will have to do everything by myself (I know how to do it and even have several people, who can split the whole scheme step by step and execute them). However, this way, there is very high chance that they will take the money, but will do nothing. Or will milk me and Red at the same time, making double the money, and, again, do nothing.

Stupin: It’s not a problem at all,  they have tried so many times to do something with us – and have not followed through on their own. Our sites are publicly available, there is no risk to process orders from trusted sites.

Gusev: Hosting is ours, tech support is only ours. We will not give the software. Maintenance is also ours.

Stupin; Yes, we are giving them the sites, they will redo them, giving them API for the affiliation (partnerka).

Gusev: ок, I will try to bound them by these conditions. Do you want to know how much the service regarding Red cost?

Stupin: Sure. I have just arrived, with my leg, I can’t really think straight.

Gusev: 1.5 million.

Stupin: Oh, God!!! What does he promise for that?

Gusev: He promises that Red would remain in prison and would not be able to pay for his way out + he is going to lose a large portion of his business and will be left with no money to fight the war.

Gusev: I do not want to write all the details here on Jabber, that is why I wanted to meet. I am gathering the money for him, and for your for the office, and I am leaving for 2-3 months.

Stupin: ok, are you going to bring money for the office?    Let’s meet at that time? Because I am going to get stuck for approximately a month with my leg.

Gusev: Yes, I am trying to gather enough money. Pasha is helping me, but with very small sums and when he has available money, not when I need it.

Gusev: Can we borrow from your brother? At most 150-200к?

Stupin: Yes, I will do it. Some time ago I rented a house in Moscow suburbs, and the owner offered to rent with his help,   I have his e-mail and the phone number, he is mature, calm, we can try.

Gusev: Could you find out his requirements?

Stupin: Okay, I will call.

Krebs on Security: Rove Digital Was Core ChronoPay Shareholder

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Rove Digital, the company run by six men who were arrested in Estonia this week for allegedly infecting four million PCs worldwide with malware, was an early investor in ChronoPay, a major Russian payment processing firm whose principal founder Pavel Vrublevsky also is now in prison and awaiting trial on cyber crime charges, KrebsOnSecurity has learned.

Estonian authorities on Tuesday arrested Rove Digital founder Vladimir Tsastsin, 31, along with five other Estonian nationals indicted on charges of running a sophisticated click fraud scheme. Yesterday’s blog post details Tsastsin’s criminal history, and his stewardship over Rove and a sister firm, EstDomains.. Today’s post will reveal how Tsastsin and his company were closely allied with and early investors in ChronoPay, and how that relationship unraveled over the years.

In my Pharma War series, I’ve published incorporation documents showing that Igor Gusev, a man currently wanted in Russia on criminal charges of running an illegal business in the notorious pharmacy spam affiliate programs GlavMed and SpamIt, was a co-founder of ChronoPay back in 2003. That series also details how Gusev sold his shares in ChronoPay, and that Vrublevsky later started a competing rogue pharmacy/spam operation called Rx-Promotion.

A spreadsheet showing front companies tied to ChronoPay.

It turns out that ChronoPay also had two other major and early investors: Rove Digital and a mysterious entity called Crossfront Limited. This information was included in the massive trove of internal ChronoPay emails and documents that was briefly published online last year and shared with select journalists and law enforcement agencies. Among those documents is a spreadsheet (XLS) listing all of the various shadowy companies allegedly owned and managed by ChronoPay founder Pavel Vrublevsky and associates. It lists ChronoPay B.V., the legal entity in The Netherlands that formed the initial basis of the company, as jointly owned by Gusev’s firm DPNet B.V., Red & Partners (Vrublevsky’s adult Webmaster provider) and Rove Digital OU.

When I met with Vrublevsky at his offices in Moscow in February of this year, he confirmed that Tsastsin was an old friend and that Rove Digital had been a key shareholder in the company. Further evidence of the connection between ChronoPay and Rove Digital is provided in a series of internal ChronoPay emails from May 2010.

At that time, ChronoPay was under investigation by Dutch banking regulators who suspected that the company’s intricate network of front companies and financial channels were acting in violation of the country’s anti-money laundering laws. In a tersely-worded email exchange, the Dutch bank  demanded a slew of additional accounting and administrative records, including “all documents that show the structure of ChronoPay BV, such as statutes, incorporation documents, names and addresses of director(s) and shareholders.”

The following email thread from ChronoPay executives shows how they struggled to discover the identity of the original principal shareholders of their own company:

From: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

To: Rob Peters

Subject: ChronoPay BV – Info

Could you please send me the directors’ names for each shareholder of ChronoPay BV? (i.e. Red&Partners B.V., DPNet B.V., ROVE Digital Ou, Crossfront Limited)?

==

Reply from: Anna Boguslavchik [mailto:a.boguslavchik@chronopay.com]

To: Martins Berkis-Bergs [mailto:mbb@chronopay.com]

The thing is that we don’t have acting director appointed now and we need to have some documents for the bank signed urgently (Sasha Panin already told you that). According to the charter we need to have shareholders appoint someone as the signatory for the company. And for this we need signatures of all directors of the shareholding companies.

Here’s the info on the shareholding companies:
DP Net B.V. – 45 class B shares, director – someone named Terekhov
RED&Partners B.V. – 135 shares (45 class B and 90 class A). Ronnie was the director (see Martins’ email below). Martins has no info on who’s the director now.
Rove Digital OU – 45 class B shares. No information on who’s the director.
Crossfront Limited – 45 class B shares. No information on who’s the director.

If the bank is OK with this, we can prepare the decision of shareholders document in the form that I told you about yesterday.

==

It makes sense that Tsastsin’s Rove Digital was an early investor in ChronoPay: The two businesses served many of the same clients. Indeed, several messages between Vrublevsky and Tsastsin show the two men routinely turned to one another for favors over the years. In one email thread, Vrublevsky asks Tsastsin to set him up with several Web servers to help host torrent trackers for an MP3 business Vrublevsky is supporting.

But somewhere along the way, the relationship soured, and Vrublevsky and his executives grew either unwilling or unable to accommodate requests from Tsastsin. The following is the final email from Tsastsin to Vrublevsky, in which the former complains about a favor he asked of Vrublevsky that was promised but never delivered:

From: Vladimir T. <vladimir@itconsluting.ee>

To: Vrublevsky, Pavel <p.vrublevsky@chronopay.com>

Subject: patience

I never asked you for anything before, and was always really patient with you. Now I’m writing you because I can’t take this anymore. I asked you for help my friends with payment processing 4 months ago. Both Jan and Misha ignored the guy for 4-5 months, no one can arrange processing for him.

I will not list every favor I did for you personally and for ChronoPay. One day you needed my consultation on something, another day you need servers for running torrent [trackers], and we aren’t even charging you for them. Then you need us to create a statistics page for Fethard and to help you detect fraudsters. In summary – we do everything you ask for. And in return I’m not getting shit.

I wrote them myself and asked Jan personally with a cc/ to Abramov. They either blame Misha or suddenly their notebook gets broken or they have a vacation…. They drag this on for 5 months, it’s insane! I don’t know what to tell my friends, my reputation with them is ruined.

I will not continue to describe all this nonsense to you. What I want from you is to kick their asses really hard so that they do it immediately once and for all. I will be away on business for two days and if I get no reply from them by the time I return I will not be asking you or them for anything anymore since this relationship is a one-way street.

Have a nice day. I’m sick and tired of this.

Krebs on Security: Jailed ChronoPay Co-Founder Denied Bail

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A Moscow court on Monday denied bail for Pavel Vrublevsky, a Russian businessman who was charged earlier this year with hiring hackers to launch costly online attacks against his rivals. The denial came even after Vrublevsky apparently admitted his role in the attacks, according to Russian news outlets.

Vrublevsky in 2004

Vrublevsky, 32, is probably best known as the co-founder of ChronoPay, a large online payment processor in Russia. He was arrested in June after Russian investigators secured the confession of a man who said he was hired by Vrublevsky to launch a debilitating cyber attack against Assist, a top ChronoPay competitor. The former ChronoPay executive reportedly wanted to sideline rival payment processing firms who were competing for a lucrative contract to process payments for Aeroflot, Russia’s largest airline. Aeroflot’s processing systems faltered for several days in the face of the attack, an outage that Aeroflot says cost the company about a million dollars a day.

Vrublevsky’s lawyers asked the court to release him pending a trial in December — offering to pay 30 million rubles (~ USD $1 million) — but the court denied the request.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay last year indicate Vrublevsky co-ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Vrublevsky and Gusev have been locked in an increasingly heated and public battle to ruin the others’ business, a saga that I have chronicled in an ongoing series: Pharma Wars.

According to Russia’s Interfax news agency, Vrublevsky faces punishment under two articles of the state’s criminal code – illegal access to computer information, and the creation, use and dissemination of harmful computer programs. Both involve imprisonment for three to seven years.

Stanislav Maltsev

Russian newspaper Vedomosti writes that Vrublevsky’s guilty plea will be considered by the court as a mitigating circumstance, and that his sentence will not exceed five years. “And considering the fact that attacks on computer systems – a relatively new type of crime is not a particularly dangerous for the society, the term most likely will not exceed three years and may be conditional,” the publication notes.

The Vedomosti story also observes an interesting fact: One of the lawyers representing Vrublevsky is Stanislav Maltsev, whom Vrublevsky hired in 2007 to be his head of security. Prior to joining ChronoPay, Maltsev was a Russian MVD official in charge of leading an earlier criminal investigation against Vrublevsky that ultimately went nowhere.

Krebs on Security: Pharma Wars: Paying for Prosecution

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In June 2011, Russian authorities arrested Pavel Vrublevsky, co-founder of ChronoPay, Russia’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals. New evidence suggests that Vrublevsky’s arrest was the product of a bribe paid by Igor Gusev, the other co-founder of ChronoPay and a man wanted by Russian police as a spam kingpin.

Igor Gusev, in an undated photo taken at a family birthday celebration.

Two years after forming ChronoPay in 2003, Gusev and Vrublevsky parted ways. Not long after that breakup, Gusev would launch Glavmed and its sister program SpamIt, affiliate operations that paid the world’s most notorious spammers millions of dollars to promote rogue Internet pharmacies. Not to be outdone, Vrublevsky started his own rogue pharmacy program, Rx-Promotion, in 2007, contracting with some of the same spammers who were working at Gusev’s businesses.

By 2009, the former partners were actively trying to scuttle each others’ businesses. Vrublevsky allegedly paid hackers to break into and leak the contact and earnings data from GlavMed/SpamIt. He also reportedly paid a man named Igor “Engel” Artimovich to launch a volley of distributed denial-of-service (DDoS) attacks against SpamIt.

Gusev told me he long suspected Artimovich was involved in the attacks, and that he had information that Vrublevsky hired Artimovich to attack ChronoPay’s rivals while they were locked in a competition for a lucrative contract to process online payments for Aeroflot, Russia’s biggest airline.

Last month, hundreds of chat conversations apparently between Gusev and his right-hand man, Dmitry Stupin, were leaked online. They indicate that Gusev may have caused Vrublevsky’s arrest by paying Russian law enforcement investigators to go after Artimovich.

Over the past year, Gusev has insisted in numerous phone interviews that the increasingly public conflict between him and Vrublevsky was not a “war,” but more of a personal spat. But if the chat below is accurate, Gusev most certainly viewed the conflict as a war all along.

The following is from a leaked chat, allegedly between Gusev and Stupin, dated Sept. 26, 2010. The two men had already decided to close SpamIt, and were considering whether to do the same with GlavMed. “Red,” mentioned twice in the discussion below, is a reference to Vrublevsky, also known as “RedEye.”

Gusev: $2k from HzMedia to China – it’s mine. We also need to send additional money for salaries plus double bonus to Misha (Michael). I have already paid $50k for Engel’s case (20к – forensics, $30к – to speed up the starting of the criminal case)

Stupin: Why have you paid for Engel’s case ? I was even against paying for the Red’s case. Why pay for Engel’s?  What is the point?

Gusev: To my mind, you do not fully understand what’s been going on for the last year. Paul has a plan to either throw me into jail or end me. His intentions are totally clear. There are only two choices: 1 – do nothing, and pay nothing to nobody, and at the end either go to jail or keep hiding until all the resources are exhausted; 2 – do the same thing, as he is doing, with the same goal.

Gusev: Any war costs money, resources and nerve cells. You cannot go to war little-by-little, you either fight to the end, or do not start it at all. Engel is going to harm us all the time…If there is any potential opportunity to take him out of the game, spending not too much money, we have to use such an opportunity. $50к – is very little comparing to the losses we’ve had because of his DDoS attacks and comparing to future losses if he is going to DDoS us again. Now he is aware that he is being investigated by law enforcement and he keeps a low profile. He only sends nasty ICQ messages to Andrey.

Gusev: There is also a third choice, when nothing is directly linked to you, but money keeps coming. So, decide what we are going to do with all of this. You either agree with my decisions regarding the war expenses, which you do not like, or do not agree with them. In the latter case, we should re-evaluate our income distribution from the business, and I will finance [the war] from my increased share,  I cannot step aside and do nothing.

Stupin: I do understand it, however, what’s Engel’s role? There is nothing to DDoS anymore.

Gusev: I do not want to close down GlavMed completely. Absolutely do not want to :( It’s better to take it underground, and, additionally, open up SpamIt under a new brand name. We are waiting for some news in October to make our final decision. Engel is absolutely positive that he can do anything he wants to under Red’s protection. You should read his messages to Andrey. However, even with all this sense of being untouchable he is no longer that impudent.

Gusev: I will be in mobile Jabber until tomorrow night. Send messages there.

Stupin: So, I am against paying $50k for Engel.

Krebs on Security: Pharma Wars: Purchasing Protection

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Leaked online chats between the co-owners of the world’s largest pharmacy spam operation reveal the extent to which illicit organizations in Russia purchase political protection, and bribe public officials into initiating or stalling law enforcement investigations.

Last month, there was a leak of more than four years of chat logs seized by Russian police who had arrested and interrogated Dmitry Stupin, allegedly the co-owner of GlavMed and the now-defunct SpamIt, organizations that paid spammers millions of dollars each month to promote fly-by-night online pharmacies.

In the the Jan. 9, 2010 chat between Stupin and Igor Gusev, the alleged other owner of GlavMed and SpamIt, Gusev has just learned that he and his operation are under investigation by Russian authorities (Gusev would be formally charged with illegal business activities in October 2010, forcing the closure of SpamIt). Gusev says he may be able to purchase shelter from the charges by funneling money to key Russian politicians who have influence over investigators.

Specifically, Gusev suggests purchasing a sponsorship of the Volleyball Federation of Russia. The price tag for this is an official sponsorship fee of 10 million rubles (about $350,000 USD), plus $150,000 in cash. The official head of the federation, Nikolai Patrushev, is a powerful man in Russian law enforcement. Patrushev was director of the Russian FSB, the successor organization to the KGB, from 1999 to 2008; he has been secretary of the Security Council of Russia since 2008.

Sources say it is typical for Russian sport leagues and charities to be used as vehicles for funneling money into the pockets of policymakers. One example comes from a book by Lennart Dahlgren, former head of the Russian division of Swedish furniture maker IKEA. In Despite Absurdity: How I Conquered Russia While It Conquered Me, Dahlgren writes of having to pay bribes of 30 million Rubles ($1 million USD) to Russian charities that helped funnel money to bureaucrats and top officials.

In this chat, translated from Russian into English, Gusev mentions that a close friend of his family is a director general of the Volleyball Federation;

Gusev: We have big problems. Register fake mailbox somewhere. I will send you something very important.

Gusev: Let’s move Jabber to a new server and encrypt it. We’ll have a trusted communication channel. Everything is very bad :(

Gusev: asdas12334@mail.ru / mgadjadtwa2009. check the e-mail.

Gusev: Are you reading?

Stupin: Yes. Do not know what to say.

Gusev: There is nothing to say. We have only two ways: find someone from law enforcement, pay up and be under protection [or] be placed in jail for 7-9 years and do self-analysis. I have one more way out, but I could not decide regarding it in December, because it was very expensive. It is about 10 million rubles officially and 150K under the table.

Gusev: Red [ChronoPay CEO and former business partner Pavel Vrublevsky] is such an asshole. Leaked information about the whole scheme in hopes to get me arrested. Now, everyone is under investigation. Does your brother have any connection “high above”?

Stupin: No.

Gusev: I asked “just in case”. I will try to get sponsorship of Volleyball Federation (Patrushev is its president). Maybe it’s a good idea for you to go somewhere, to Turkey, for example, until we know if we are going to be either squashed or milked. One good thing: nobody has asked about you yet.

Stupin: No, thank you. Who told you about volleyball? It is a public organization, its financial books are open.

Gusev: Close family friend – general director of that association. He helped Russian Standard [popular brand of Russian Vodka] when they were getting squashed.

Stupin: Maybe we’ll give him this money? Federation has open books, if someone wants to take money from it — it is going to be noticed.

Gusev: What am I going to tell Andrei about prosecutors’ office? I do not want to scare him, but he has to be in the loop. Maybe we’ll suggest him to go to Turkey again?

Stupin: Do you think we need to notify him now? Let’s wait, if they summon you – then we’ll tell him, but not now.

Gusev: What if they do not summon me, but will come directly and interrogate me and confiscate the servers?

Stupin: Yes he is waiting for it for several months already.

Gusev: Ok, let’s not do it now. Let’s move Jabber to another domain.

Stupin: Yes, get rid of “despmedia”,  close domains, liquidate the firm, and finally make the founder (of the company) from somewhere abroad. Changing location will not give us anything.

Gusev: I removed everyone from the firm, I am alone there. Liquidation is in progress. The office is leased by a company, which I have no relationship with.

Stupin: Very well. I will tell Andrei to get new IPs and domains.

Gusev: Okay.

Stupin: (to andy@im.despmedia.com): Despmedia.com, where is it physically?

Andy: Server is in Russia, but there are several proxies there.

Stupin: Can you let me know what’s going on there?  Let me read the message trail. I need to know where the leak of information is. Red, when he wanted to fight with everyone, told our Law Enforcement about the whole idea of on-line pharmacy.  Now they are looking who to milk.

Andy: We do not keep Jabber logs. Chat is encrypted, it’s impossible to connect to server without chat client configured with SSL.

Stupin (to Gusev): I had to tell him something… Came out OK, I think.

Gusev: OK.  I will use the same story.

Stupin: But it’s the truth.

Gusev: Yes, but omitting the details.

Gusev: Let’s talk less regarding work and money over the phone. Only if it is urgent. I ordered two payments from Despmedia [the legal entity that owns GlavMed and other businesses tied to Gusev]. This is to Volleyball association/FSB. In the morning, please, make sure that money got transferred.

Russian Vice Premier Sergei Ivanov (left) and ChronoPay co-founder Pavel Vrublevsky at a Russian Basketball League game, April 2011.

In May 2011, Gusev told me that he was a paid sponsor of the Russian Volleyball League, hoping to persuade someone to stop the criminal case against him. Gusev is convinced, and other leaked documents confirm his suspicions, that law enforcement interest in his activities was paid for by his former business partner turned competitor Pavel Vrublevsky.

In late 2010, Vrublevsky secured a sponsorship of the Russian Basketball League for his employer, ChronoPay, until recently Russia’s largest processor of online payments. The basketball league is headed by Sergei Ivanov, a former KGB officer who was tapped by Russian President Vladimir Putin as deputy prime minister of Russia.

“All that I wanted was to speak with someone from FSB [who] was making this [case] for Pavel, and to persuade them to stop all this conflict before it’s too late,” Gusev said. “Unfortunately, this didn’t help me very much.”

It apparently didn’t help Vrublevsky much either: the former ChronoPay executive and reputed co-owner of the illicit Rx-Promotion rogue Internet pharmacy program now sits in a Moscow prison, awaiting trial on charges of hiring a hacker to launch Internet attacks against his company’s competitors.

Krebs on Security: Pharma Wars, Part II

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.

According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.

Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations one of the world’s largest cyber criminal organizations.

The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payments processor. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.

I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.

While there is no direct evidence Vrublevsky paid for a prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people on the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev the months and weeks leading up to the official charges against him.

The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chats logs were legitimate or comment further, explaining that he was still reviewing the documents.

“If at least some of these logs are legit, then it means that I was telling the truth about paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidences which were gathered by the investigators while he shouldn’t have such access. Before I just didn’t have any proof for this. Now I have.”

The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”

Gusev: It looks like I am in deep shit.  Red gave our database to Americans.

Dmitriy Stupin

Stupin: To which Americans?

Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?

Stupin: No.

Gusev: http://krebsonsecurity.com/2010/08/white-house-calls-meeting-on-rogue-online-pharmacies

Stupin: Maybe you return back to Russia?

Gusev: I am planning to do that. I am really worried now :(

Stupin: What about Red? For that money. May be let’s close down everything?

Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: – He got thrown out from major banks (Masterbank, Bank Standard and almost from UCS. Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan  (the only place where he can do his own processing and processing for his clients). We need him have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.

Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

Stupin: I think yes, we will receive lower priority.

Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.

Stupin: In reality if everything is going to proceed, the publicity is going to happen in a year, if we are not functioning for a year, there is no reason for publicity. And in 3 years everyone will forget about us. If we continue operations, it’s going to be undeniably worse, and if we stop — hopefully, it’s going to be better. There is no ultimate decision here, there is probability, and we can either increase or decrease it.

Stupin: I believe, you now understand that the money is not the main thing in life.

Gusev: You do not know how justice in USA works. They have no “statute of limitation”. They absolutely love big cases about hackers, carders, and spammer. Young prosecutors make careers out of such cases and do everything possible to find prooves for such processes. Here is the latest example: arrest of Badb (carder) in airport in Nice: http://www.nytimes.com/2010/08/24/business/global/24cyber.html He was investigated since Cardplanet collapse. He got sentenced in 2009 and they received OK to extradict him, and that’s it, after that it was only a matter of time till his arrest.

Gusev: I also think we need to shut the operations down, because it’s an absolute disaster :(

Stupin: I am not talking about “statue of limitation”, I am talking about publicity; the more noise, the more motivation they have and the larger sentence. Just imagine, if we have not functioned for 1/2 year or 1 year, would your life be easier?

Gusev: There was another case, where FBI broke into DDoS (denial of service) server to collect evidence and judge admitted that evidence in court — it’s an absolute precedent in their law proceedings. Our FSB [former KGB] made a case out of it later :) ) One moment… I will find info about it.

Gusev: My life is much easier already for the past year. I have only one desire – run to Taiga [remote forests in Siberia] and do not have access to the Internet for a year.

Stupin: Do not bother to look for the info (regarding the DOS case). You are correct in your desire [about running to woods]. Buy a lake in Altaj Republic and build a resort there.

Gusev: I tend to think about Irkutsk and Baikal. I have very good friends in local government there :)

Stupin: Very well. I can do a project on wakeboarding, which will almost positively be profitable.

Gusev: Great! Did it get started for you?

Stupin: No, but I know how NOT do do it.

Gusev: Regarding closing down — I think we need to shut down SpamIt first.  In a month or 1/2 month — GlavMed. I am planning to fly back now and fabricate a case against us to get sentenced in Russia with publicity. We need to accurately give top positions of our [search engine optimization] to Lesha (Aleksey); at least it will bring some money.

Stupin: Let’s not do it, let Lesha go up on his own.

Gusev: Has Andrey told you about it? andy@imjabber.com. I have a gravely important question. Theoretically, I can add several hours to “work day”, plus increase productivity.  Is there hope for me in 2-3-4 years to make enough money for Dima’s  house in Turkey? I cannot save money. This is gravely important question. You are right. Dima and I will think about it.

Stupin: He told me that same thing 1/2 a year ago.

Gusev: Maybe offer him an affiliate program? Give him 1/3 and let him transfer our SEO onto himself, but only based on new companies and accounts. I already have one new company; I found an acceptable nominal price. It is painful to just give our SEO to Drugrevenue and Rx-partners. Look it’s been holding its position for a year. Such a margin of stability.

Stupin: Well, it has dropped 2-3 times for the last 1/2 a year, and it is very unstable. If Shaman closes down tomorrow, we’ll have a lot of money sunk there and a lot of debts to advertisers. And we will have to pay them out of our own money, if we accurately close down, we might avoid the risks.

Gusev: Am I looking at wrong data? :) https://mtw8.srvz.net/shop/statistics/stat_orders.jsp. It’s for this August and August of 2009. The difference is 400k of monthly turn-around. Taking in consideration absence of “master” — IMHO it is great. Why Shaman has to close down tomorrow?

Stupin: Yes, but I am considering the profits we are taking, and stability of revenue.

Gusev: I talked to him: the political decision of “Raif” [?] is to keep the pharmacy as long as possible.

Stupin: And amount of money on the account and our debts to advertisers and suppliers.

Gusev: Yes, the stability got decreased after our departure from Latvia. They worked [like a] Swiss watch.

Stupin: The same “political” decision can be turned 180 degrees tomorrow.

Gusev: Maybe, maybe, what a pity. I also talked to Max and Mark – they will take new pharmacy of Lesha.

Stupin: Looks like money is still your priority.

Gusev: Is it really okay for you to lose such an income? It’s extremely hard for me to take, since I have no idea how to earn even 1/5 of it offline.

Stupin: It is really okay for me. There is enough money, do you need more to pay lawyers against the competition? You will not be happier. It is such a moment now that we can close down the project earning a little more, however, in the future there is a risk that the project will collapse on it’s own with even more financial losses.

Gusev: You’re right, but it is hard for me to make such a decision. It’s not the matter of money, but in business, which makes money. Write me your ideas on how we should shut down. I do not know how much time is required to resolve all the issues. USA have complicated everything to resolve the issue with Pasha [Pavel Vrublevsky). If he somehow finds a lot of money, it might require up to 1 million. However, so far, whatever we already paid is enough.

Stupin: Debts to suppliers : $150,000. To advertisers $1,100,000. What we have on our account: $800,000. Therefore, the balance is: -$450,000. This is the real numbers of our business, whatever we have invested does not reflect the actual truth. As you remember, we have been withdrawing very little from the account recently.  Therefore, we can say that the project is going down on its own. I will write you the strategy on what we need to do.

Gusev: Do not write it as additional points why we need to close down. I've already accepted that it cannot be avoided :) We have enough points already. I am interested in your ideas. For example, I want to make an official statement about us closing down, a little noise to calm down the Americans.

Stupin: Okay.

Gusev: To give a spot of "spammer number 1" to Pasha [Pavel Vrublevsky] and Yura [Yuriy Kabayenkov].

Stupin: Here is what we have now: Account balance is $800,000. We have to pay $1,100k to advertisers. We have to pay 150к to suppliers. Here is what we pay at liquidation in any case: Andrey’s compensation: $60к; Sasha’s (Alexander’s) compensation: ~$50к; Compensation to the staff ~$100. Resume: $660к of money, which we need to pay in any case, but cannot pay now. Shaman marked by 30.08 $450k in payments, therefore, we can balance everything to $0. Pessimistic outlook is if Shaman is going to be shut down.  We will end up with debt of 500-1000k, which we will have to pay. The business perspective is not rainbow-like, especially, taking in consideration the risk we take all the time and the expenses linked to it.

Plan of action: In any case, whether we liquidate or not: set commissions to 40% maximum, lower it down for those whose commission is 45%. With participation of Latvia we could afford a lot of transactions with low profitability.  However, we cannot afford the same with “shaman’s” unstable payments and with other small processing parties, which we cannot control and whether we are getting money from them or not. However, such a decision will deter “to pav”; the number of transactions will go down, we will not have a lot of losses, since we are on the brink of profitability. Turning off the affiliate (partnerka) is going to be easy.

Within two month: 20% of increase prices in shops, this will add profitability, but will decrease the number of advertisers. In case if revenue is going to rise sharply together with  profits, we will have time to change our decision within 1.5 months inventory of personnel, servers to increase profitability and moral preparation of everyone to potential end two weeks before the liquidation. Tell the staff about shutting down the operation, promise them compensation in amount of their normal salary if they finish the job well. Andrey and Sasha will be notified separately. Notify advertisers about shutting down off operations, increase whatever is left on e-Passporte and WebMoney, begin to hold payments to suppliers not to overpay, since usually we do overpay.

Gusev: Let’s start with raising prices, minimum 30-40%.  We need excessive profitability at this point. Do not lower commissions to GlavMed and SpamIt. Let’s kill conversions.  The people will leave on their own.  It is not a momentary process.  It is going to be easier to pay everyone. Shut down all outside billing operations, although there is nothing left already. In 10-14 days after raising of the prices — let all SpamIt know that we are closing down.  That will give us 2 weeks to transfer traffic. GlavMed should be kept 1.5 – 2 months from now to use its revenue to cover payments for SpamIt.

Stupin: OK, I will think of the exact course of actions.

Stupin: http://www.wake.ru/photo/album/show?id=2031469:Album:30595&amp;xg_source=activity&amp;xg_pw=&amp;commentPage=&amp;page=1. We did it on Saturday.

Gusev: Did you build this “wake” park?

Stupin: Yep.

Stupin: I have a suggestion, let’s tell Andrey about liquidation right away, tell him that at the end of the project we’ll pay him 3 times as much as his usual salary.  If I ask him to raise the prices too much, he will not understand why we are doing such an inhumane thing. We have great database.  Let’s ask Andrey and programmer/sysadmin to use it for spam with Eva Pharmacy. Let’s agree with Eva about larger commissions and pay Andrey the salary of $5,000, because we cannot pay more, and some percentage from the revenue generated by spam.

Gusev: Our database is already public.  Other affiliates already used it, called and spammed people.  There is a proof that at least 3 affiliates have the database.

Stupin: It’s tough. So what if they have it? [the SpamIt/GlavMed database]

Gusev: I need to go now, let’s discuss it later.

Stupin: Okay.

Krebs on Security: Banks Hold Key to Killing Rogue Pharmacies

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

More than half of all sales at the world’s largest rogue Internet pharmacy in the last four years were charged to credit and debit cards issued by the top seven card-issuing banks, new research suggests.

Unlicensed pharmacies create public health risks and confuse consumers who are looking for safe and reliable prescription medicines. Rogue pharma Web sites are primarily advertised with the help of spam, malicious software, and hacked Web sites. Curbing this drug dealing activity would promote both public health and Internet users’ safety.

Recent findings highlight additional levers that policymakers could use to curb sales at rogue online pharmacies, by convincing the card-issuing banks to stop accepting these charges or by enacting legislation similar to that used to squelch online gambling operations.

The figures shown below come from sales data stolen from Glavmed, a Russian affiliate program that pays webmasters to host and promote online pharmacy sites that sell a variety of prescription drugs without requiring a prescription. Last summer, a source sent KrebsOnSecurity a copy of the Glavmed database, which includes credit card numbers and associated buyer information for nearly $70 million worth of sales at Glavmed sites between 2006 and 2010.

I sorted the buyer data by bank identification number (BIN), indicated by the first six digits in each credit or debit card number. My analysis shows that at least 15 percent of all Glavmed purchases — approximately $10.7 million in rogue pill buys — were made with cards issued by Bank of America.

The Glavmed sales using cards issued by the top seven credit card issuers were almost certainly higher than listed in the chart above.  About 12 percent of the Glavmed sales could not be categorized by bank ID number (some card issuers may have been absorbed into larger banks). Hence, the analysis considers only the 88 percent of Glavmed transactions for which the issuing bank was known. More significantly, the figures in this the analysis do not include close to $100 million in sales generated during that same time period by Spamit.com, a now defunct sister program of Glavmed whose members mainly promoted rogue pharmacies via junk e-mail; the leaked database did not contain credit or debit card numbers for those purchase records.

The data help to draw a more complete picture of the financial infrastructure that powers the spam ecosystem. In May, researchers from two University of California campuses published findings from a three-month study of spam markets, during which they spent thousands of dollars buying drugs advertised via spam. The researchers discovered that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by three financial companies — based in Azerbaijan, Denmark and Nevis West Indies. The full paper is available here (PDF).

Glavmed + Spamit revenues 2006-2010.

The data from the Glavmed purchases suggest that the spam ecosystem could be crippled if banks stopped processing payments to a handful of institutions. It also shows that such an effort would require action by relatively few card-issuing banks.

Stefan Savage, one of the authors of the University of California study, said there is no shortage of smaller financial institutions that are willing to take on riskier transactions such as online pharmaceuticals. But he said forcing rogue pharmacies to constantly seek new processing partners could put a serious dent in revenues.

“The issue is that it is not a cheap or quick transaction to set up a new banking relationship,” Savage told me. “You need to meet these guys, Visa or MasterCard needs signed credentials for both you and the bank, and this process can take a week at light speed to set up. So, even if you as a pharmaceutical organization can change processors, you can’t do it overnight. And on the flip side, it would take me seconds to figure out if a pharma organization switched [processing] banks. So, technically, if [card-issuing] banks were willing to adopt a blacklisting approach, there is absolutely no way these pharma outfits could keep up.”

I wondered whether Savage’s proposed approach would work, so I asked Igor Gusev, the founder of Glavmed. Gusev is a fugitive from his native Russia, which last year lodged criminal charges against him and his business. In a phone interview with KrebsOnSecurity, Gusev said putting more concerted pressure on the merchant banks would decimate the rogue pharmacy industry, which tends to coalesce around a handful of processors and switch processors in lockstep when forced to move. For example, since the University of California study was published, the pharmacies featured in the study that were processing at Azerigazbank (AG Bank) in Azerbaijan stopped using AG Bank and moved their business to another institution in that country — Bank Standard.

“They need to put pressure on the card processors which are monsters [that] only regulate on very negative public pressure,” Gusev said. “I think it would be a very powerful strike, and online pharma would be dead within two years if they could somehow switch off the merchants who [are] connected to online pharma.”

Krebs on Security: Financial Mogul Linked to DDoS Attacks

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.

KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software.  But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.

In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.

According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.

"Topol Mailer" botnet interface allegedly used by Artimovich.

The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured at left) allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich’s botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).

This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003.

Gusev has been in exile from his native Moscow since last fall, when Russian authorities named him the world’s biggest spammer and lodged criminal charges against him for operating an illegal business. Spamit was forced to close shortly thereafter, and Gusev blames Vrublevsky for using his political connections to sabotage Spamit. Late last year, Gusev launched redeye-blog.com, a blog dedicated to highlighting alleged wrongdoing by Vrublevsky. In one post, Gusev charged that Artimovich agreed to DDoS Spamit.com because he believed forum members fleeing the program would join his own budding spammer forum: the still-active but largely dormant program Spamplanet.

Both ChronoPay and Glavmed/Spamit suffered hacking attacks last year that exposed internal documents, financial dealings and organizational emails. The data leaked from Glavmed/Spamit includes a list of contact information, earnings and bank account data for hundreds of spammers and hackers who were paid to promote the program’s online pharmacies. Those records suggest that for most of 2007, Artimovich was earning thousands of dollars a month sending spam to promote Spamit pharmacy sites.

The document that the FSB used to lay out the case for criminal proceedings against Artimovich, a.k.a. “Engel,” states that he was paid for the DDoS services with funds deposited into a WebMoney account “Z578908302415″. According to the leaked Spamit affiliate records, that same WebMoney account belonged to a Spamit affiliate who registered with the program using the email address “support@id-search.org.” Web site registration records for id-search.org show that the name of the registrant is hidden behind paid privacy protection services. But historic WHOIS records maintained by DomainTools.com reveal that for a two-month period in 2008 those registration records were exposed; during that brief window, records listed the registrant as Igor Artimovich from Kingisepp, Russia, a town 68 miles west of St. Petersburg.

The emails and documents leaked from the hacking intrusion into ChronoPay last year show that Artimovich and Vrublevsky exchanged numerous emails about payment for unspecified services. Among them is an email receipt from WebMoney showing a transfer of more than $9,000 from an account Vrublevsky controlled to Artimovich’s Z578908302415 purse on July 6, 2010, just days before the DDoS attacks began. The notation listed next to the payment receipt? “Engel.”

Krebs on Security: Pharma Wars

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

How do you chronicle the struggle for control of an underground empire when neither combatant wants to admit that he is fighting or even that that a war is underway? That’s the nature of a business-feud turned turf-war that is playing out right now between the bosses of two of the Internet’s largest illicit pharmacy operations.

On Thursday, I wrote about an anonymous source using the pseudonym “Despduck” who shared a copy of the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet. The database indicates that Glavmed processed in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010.

Despduck first proffered the Glavmed data through a mutual source in the anti-spam community, and claimed that the alleged owner of the pharmacy program, a Russian businessman named Igor Gusev, would soon be charged with illegal business activities. Sure enough, near the end of September 2010, Russian officials announced a criminal investigation into Gusev and his businesses. Shortly after those charges were brought, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other pharmacy networks.

Gusev is now in exile from Russia; he blames his current predicament– and the leak of the Glavmed data — on his former business partner, fellow Muscovite Pavel Vrublevsky. The latter is a founder of Russian e-payment giant ChronoPay, a company Gusev also helped to co-found almost eight years ago (according to incorporation documents I obtained from the Netherlands Chamber of Commerce — where ChronoPay was established — for a time Gusev and Vrublevsky were 50/50 partners in ChronoPay).

As reported in my story earlier this week, tens of thousands of internal documents and emails stolen from ChronoPay and leaked to key individuals suggest that Vrublevsky is managing a competing online pharmacy network called Rx-Promotion. It turns out that the Glavmed database was stolen at about the same time as ChronoPay’s breach.

Vrublevsky denies being the source of the purloined Glavmed/SpamIt database, but the bounty of leaked ChronoPay documents suggests otherwise. Included in the email records are messages sent to and from an inbox that used the display name “Kill Glavmed.” What was the email address tied to that name? “Despduck@gmail.com,” the very same address used to communicate with my anti-spam source.

Also in the leaked ChronoPay emails is a lengthy message thread in an inbox marked “vrublevsky” that details a negotiation with an individual named “Nooder Tovreance.” In the multi-email exchange, which begins Apr. 8, 2010 and ends at the beginning of June, Tovreance offers to sell the Glavmed database for $20,000, but says that he will need to break the file transfers up into multiple smaller chunks due to the size of the database. The two ultimately settle on a price of $15,000, with the first payment of $7,500 made to a Webmoney purse specified by Tovreance in exchange for half of the files, and the remaining amount payable upon receipt of the entire database.

SpamIt.com may be gone, but the Glavmed program is still rewarding affiliates for promoting pharmacy sites. Meanwhile, a number of online properties managed by Gusev are under nearly-constant attack. Joe Stewart, senior security researcher for SecureWorks, recently released a paper in which he profiled the makeup and activities of the world’s top spam botnets, or agglomerations of hacked PCs of the sort typically used to relay junk e-mail advertising rogue pharmacy sites.

One of the spam botnets in Stewart’s analysis, a 60,000 bot network nicknamed “Festi” was “developed as a distributed denial-of-service (DDoS) platform, and has been seen in recent weeks launching attacks against other Russian sites.” I asked Stewart for a list of the sites he’s seen Festi attacking; the list is quite short, and includes six Glavmed/Canadian Pharmacy sites, as well as gofuckbiz.com and armadaboard.com, affiliate forums that Vrublevsky has said on several occasions that he suspects are owned and operated by Gusev. The other site Stewart found Festi attacking was redeye-blog.com, a daily blog written by Gusev that is trickling out leaked ChronoPay documents and gossip about Vrublevsky.

Krebs on Security: SpamIt, Glavmed Pharmacy Networks Exposed

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.

In June 2010, an anonymous source using the assumed name “Despduck” began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet.

Source: M86 Security Labs

If you received an unsolicited email in the past few years pimping male enhancement or erectile dysfunction pills, chances are extremely good that it was sent compliments of a Glavmed/Spamit contractor or “affiliate.” According to M86 Security Labs, the sites advertised in those Glavmed/Spamit emails — best known by their “Canadian Pharmacy” brand name — were by far the most prevalent affiliate brands promoted by spam as of June 2010.

Despduck said he could deliver data on hundreds of thousands of consumers who purchased pills through Glavmed’s sizable stable of online pharma shops, as well as detailed financial records of Glavmed/SpamIt affiliates who earned thousands of dollars of month promoting pharmacy sites using spam and hacked Web sites.

After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.

The database reads like a veritable rogues gallery of the Underweb; In it are the nicknames, ICQ numbers, email addresses and bank account information on some of the Internet’s most notorious hackers and spammers. This huge cache of information shows that over the course of three years, more than 2,500 “affiliates” earned hefty commissions promoting Glavmed’s pharmacy sites.

In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.

Dmitry Samosseiko, senior manager of SophosLabs Canada, describes Glavmed (translated as “MedHeadquarters”) as the oldest and most well-known of the Russian affiliate partner networks, commonly referred to in slang as “partnerka.” As Samosseiko wrote in his landmark Virus Bulletin paper (PDF):

“This partnerka is open to the public but requires an invitation from another network member. Its main brand is the notorious ‘Canadian Pharmacy’, which is all too familiar to everyone through massive email spam campaigns that seem never to end. This spam is tied to a sister entity of GlavMed, called SpamIt (spamit.com), which is a closed private network of email spam affiliates that has proven hard to infiltrate. The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Conficker botnets, responsible for email distribution and fast-flux hosting of the spam websites [my emphasis added]. GlavMed, on the other hand, proclaims a strong anti-spam policy focusing on ‘legal’ SEO traffic generation.”

The database reflects the existence of two types of Glavmed affiliates, and is actually separated into two major components: One shows data from customer purchases at sites advertised via SpamIt affiliates; the second section of the database shows orders from customers of sites that were promoted by regular Glavmed members via search engine optimization and Web site hacking.

Glavmed/SpamIt affiliates are given a handful of pre-fabricated pharmacy Web site templates to deploy. Affiliates earn roughly 40 percent commissions on all sales generated by their sites. The most successful Spamit.com affiliates raked in millions of dollars in commissions. In fact, 8 out of 10 of the top moneymakers for SpamIt earned more than $1 million in commissions from Web sites they advertised via junk e-mail. Top SpamIt affiliates could expect to earn monthly commissions ranging from $5,000 to $50,000.

The purloined record books show that none of the regular Glavmed affiliates managed to crack $1 million in total commissions (the top earner made $981,362 over the course of his affiliation with Glavmed). Still, more than 50 Glavmed affiliates earned six-digit fortunes promoting pharmacy sites for the program.

A screen shot of a Glavmed affiliate panel. The pull-down menu in the middle shows legitimate Web sites this affiliate hacked and used to drive traffic to his pharmacy sites.

Most affiliates from both SpamIt and Glavmed were paid in Webmoney, a virtual currency popular in Russia that is similar to PayPal, except that transactions are largely irreversible. The rest were paid through ePassporte, a virtual currency that closed its doors in September 2010 amid allegations of fraud and misappropriation of funds.

In September 2010, Russian authorities announced a criminal investigation into Gusev and his businesses. Around that same time, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other partnerka networks. Meanwhile, Glavmed remains open for business, and is still paying affiliates to promote pharma sites.

Next in series: Pharma Wars

Glavmed isn't all business: It prompts affiliates to "donate" a portion of their commissions to help orphans and other disadvantaged kids. Whether the money actually goes to those charities is an open question.

Update, 6:43 p.m. ET: Gusev pinged me via email to take rather strong exception to my “open question” remark at the close of the caption on the last image about Glavmed’s charity work. He pointed me to this thread on the Glavmed affiliate forum that includes pictures and details explaining how the affiliates’ donations were spent.