This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security
It was mid November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big-band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.
Promenade of SS Rotterdam. Copyright: Peter Jaspers
The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.
A middle-aged stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked did I know anything about a company in Moscow called “Onelia“? I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.
Later that evening, back at my hotel room, I searched online for details about the company, but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that, and that they would then be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.
My paranoia got the best of me, and I shelved the information. That is, until just the other day, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion. These two programs, the subject of my Pharma Wars series, paid millions of dollars to the most notorious spammers on the planet, hiring them to blast junk email advertising thousands of rogue Internet pharmacies over a four-year period.
WHO IS ‘SHAMAN’?
Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also was used to process a majority of the rogue pharmacy site purchases that were promoted by spammers working for the two programs.
The connection between Gateline and the spam programs is supported by chat logs seized in 2011 by Russian investigators who were looking into SpamIt. Those logs, leaked to this reporter last year, show hundreds of conversations between SpamIt co-owner Dmitry “Saintd” Stupin and a Gateline administrator who used the nickname “Shaman” (email@example.com), and was referred to as “Nikolai,” or the diminutive form, “Kolya”. The logs show more than 205 conversations between Shaman and Stupin from 2007 to 2010; Stupin also had 169 chat conversations with a SpamIt affiliate “dgc,” a programmer who used the email address firstname.lastname@example.org.
The leaked Stupin chats suggest that Shaman held enormous sway over the day-to-day operations of SpamIt. The pharmacy spam sponsor had great difficulty offering buyers the ability to pay by MasterCard, mainly because MasterCard seems to have been far more vigilant than Visa about policing the use of its services by rogue online pharmacies. The payment records of SpamIt indicate that Shaman received a sizable cut (~8 percent) from all sales processed by the SpamIt pharmacies, and that he sometimes earned tens of thousands of dollars per week for his services. He was typically paid via wire transfers to holding companies in Latvia, or via the WebMoney ID 49113952953.
In the following chat between Shaman and Stupin, recorded Nov. 23, 2009, Shaman can be seen chastising Stupin for not being more aware of transactions that they believed were from undercover buys made by MasterCard fraud investigators. At the beginning of the chat, Shaman posts a link to a story about a criminal case opened by Russian investigators into SpamIt and Stupin’s co-partner, Igor Gusev. By this time, the Pharma Wars between Gusev and his chief competitor Pavel Vrublevsky (a.k.a. “RedEye”) — widely considered to be the co-owner of Rx-Promotion — were well underway, with both Gusev and Vrublevsky slowly leaking data about the others’ operations to the media and on underground forums.
Stupin: Yep, yep.
Shaman: I’d suggest you not to advertise (P.R.) banks too much
Stupin: We need it the least.
Shaman: Otherwise, the entire business will go down. There have been something like that already.
Stupin: Igor is trying to remove those posts.
Shaman: Okay. What’s the deal with information wars? We have to stop this thing somehow. You’ll destroy the whole business.
Stupin: We will??? There have been not a single post from us. Igor is removing them all the time, we are not doing anything else.
Shaman: Stop responding to him in forum posts and RedEye will calm down.
Stupin: I will ask Igor whether he has been responding, if he has – I will ask him to stop doing it.
Shaman: WHanlinLittleton@gmail.com. Kill this asshole – he is MasterCard’s officer (employee). He made a purchase. http://www.iacva.org/PDF/William%20Hanlin.pdf
Shaman: Be more attentive with the batch. Kill these as well:
Charles Wilson, email@example.com; Stephen Carpenter, firstname.lastname@example.org; Fredric Mangerfredmanger@gmail.com; email@example.com, sandro racheli
Shaman: What’s going on with you?
Stupin: Programmers (developers) are checking what’s happened. This should not be happening.
Shaman: There have not been a single transaction from you to BinBank [one of Russian Banks --http://www.binbank.ru/index.wbp] since 00 hours.
Stupin: I am squeezing programmers to troubleshoot faster.
Shaman: As soon as you fix it, be more accurate. Process only established customers.
In a June 5, 2007 conversation between Stupin and Gusev, the former points out that Shaman is processing pharmacy site payments through Gateline’s sister processing program — a company called ufs-online.ru:
Stupin: Did you know that Shaman’s UFS-ONLINE is processing through Alfa (reference to one of the major Russian banks, Alfa-Bank)
Another interesting chat, recorded May 24, 2007, shows one of the benefits of personally knowing and doing business with the biggest spammers on the planet – one can try to reduce the amount of spam being sent to them.
Shaman: http://sidesky.hk – is it yours? Fuck, you spammed my whole office! Every employee!
Stupin: Yeah, it’s ours. I’ll ask the affiliate to remove from his list
Shaman: remove entire .ru zone from the spamlist..[and] .@ufs-online.ru
Stupin: He doesn’t want to remove, says it’s too cumbersome [to remove all of .ru]
WHO REALLY RUNS GATELINE?
Abridged Dunn & Bradstreet report on Oneliya OOO
Financial records retrieved from Dunn and Bradstreet show that Oneliya Ltd. is a Moscow computer programming and services firm with about 42 employees, bringing in annual revenues of nearly $346,000. This is almost certainly a highly conservative revenue number; financial records from SpamIt indicate that he earned at least that much in a year processing payments for the program. It is likely, however, that Shaman’s activities were off-book and not recorded as official revenue for Oneliya, or perhaps that money was counted toward revenues for one of the firm’s satellite companies, such as ufs-online.ru or ufs-travel.ru.
In any event, this document indicates the director of the company is a Russian named Rafael Khasanovich Mukhametshin. This is supported by an email leaked from ChronoPay — the company co-founded in 2003 by Gusev and Vrublevsky before they parted ways and turned bitter enemies. Mukhametshin did not respond to multiple emails seeking comment for this story.
Dozens of documents leaked from ChronoPay show that the ChronoPay routinely made large payments to the same WebMoney purse where Shaman had his SpamIt earnings sent. Each transaction is affixed with the notation “Shaman.” In an email exchange on June 9, 2010, Vrublevsky can be seen replying to a business partner who is asking about a processor he has heard about named Shaman who specializes in processing MasterCard and American Express payments.
“It is strange that you do not know, given that he works for Desp [Gusev] and also works with us: Gateline it is called,” Vrublevsky wrote. “Shaman is the nick of Kolya, a comrade of Rafael Mukhametshin (from ufs-online.ru if I’m not mistaken)”.
Shaman’s full name remains a mystery, to me at least, and it’s unclear if he still works for Gateline or whether the firm remains embroiled in processing payments for the rogue pharmacy industry. But Shaman’s prediction about ‘information wars’ ruining the business for everyone would eventually ring true. The SpamIt affiliate program was closed down in September 2010, after Russian investigators levied criminal charges against Gusev (although GlavMed, the sister program of SpamIt still appears to be running). Vrublevsky was recently released from a Moscow prison after being arrested for allegedly hiring a botmaster to attack a rival processor. Rx-Promotion is now for the most part a dead pharmacy affiliate program.