Posts tagged ‘Pharma Wars’

Krebs on Security: Pavel Vrublevsky Sentenced to 2.5 Years

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-a-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.


ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source: Novayagazeta.ru

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years’ worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

For more background on Vrublevsky and his case, check out these two stories from the Russian publication Novaya Gazeta. This entry is the latest in my Pharma Wars series, which documents the rise and fall of the pharmacy spam business and how a simmering grudge match between Gusev and Vrublevsky ultimately brought down their respective businesses.

It might be tempting to conclude from Vrublevsky’s sentencing that perhaps the Russian government is starting to crack down on cybercriminal behavior in its own backyard. But all the evidence I’ve seen suggests this is merely the logical outcome of bribes paid by Gusev to some of Russia’s most powerful, payments that were meant to secure the opening of a criminal case against Vrublevsky. In Paying for Prosecution and The Price of (in)Justice, I highlight chat logs leaked from Gusev’s operations that show him making preparations to pay more than $1.5 million to Russian politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Krebs on Security: PharmaLeaks: Rogue Pharmacy Economics 101


Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world’s largest rogue pharmacy operations.

Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discreetly available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day.

Their conclusion? Spam — and all of its attendant ills — will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.

“The market for spam-advertised drugs is not even close to being saturated,” said Stefan Savage, a lead researcher in the study, due to be presented early next month at the 21st USENIX security conference in Bellevue, Wash. “The number of new customers these programs got each day explains why people spam: Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”

The researchers found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27% and 38% of average program revenue for GlavMed and SpamIt, respectively; for Rx-Promotion, revenue from repeat orders was between 9% and 23% of overall revenue.

“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”

Whether the placebo effect is something that often applies with the consumption of erectile dysfunction drugs is not covered in this research paper, but ED drugs were by far the largest category of pills ordered by customers of all three pharmacy programs.

One interesting pattern that trickled out of the Rx-Promotion data underscores what made this pharmacy affiliate unique and popular among repeat buyers: A major portion of its revenues was generated through the sale of drugs that have a high potential for abuse and are thus tightly controlled in the United States, including opiates and painkillers like Oxycodone, Hydrocodone, and mental health pills such as Adderall and Ritalin. The researchers noticed that although pills in this class of drugs — known as Schedule II in U.S. drug control parlance — comprised just 14 percent of orders for Rx-Promotion, they accounted for nearly a third of program revenue, with the Schedule II opiates accounting for a quarter of revenue.

“The fact that such drugs are over-represented in repeat orders as well (roughly 50 percent more prevalent in both Rx-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand,” the researchers wrote.

THE PARTNERKA ECONOMY

The study also seeks to explain the revenue model behind these pharmacy affiliate partnerships — often referred to in Russian as “partnerkas.” In a typical partnerka, the program sponsors handle everything from purchasing pill site domains and arranging hosting, to procuring the pills, credit card processing, managing shipment and customer support. The sole role of the affiliates or spammers is to undertake the somewhat riskier job of figuring out ways to drive tons of traffic to the pill sites.

And for this, the affiliates are rewarded handsomely. The researchers observed that affiliate commissions ate up between 30 and 40 percent of revenue for all three programs. Interestingly, the researchers found that while each program employed hundreds of affiliates, most of the affiliates earned next to nothing. Rather, just ten percent of the highest-earning affiliates accounted for 75-90% of total program revenue across the three affiliate programs.

“This is the brilliance of the affiliate program model, because you let every schmuck come in and try to do their thing, and you don’t care whether they succeed because you pay them only on a commission basis,” Savage said. “So all affiliate programs want to get the good affiliates, but the problem is they may not know who’s good ahead of time, so you let lots of people in, but most of the affiliates are just wasting their time.”

As it happens, nearly all of the top earners for SpamIt and Rx-Promotion have already been profiled in previous stories on this blog: They are the affiliates thought to be responsible for running the world’s largest spam botnets, including Cutwail, Rustock, Waledac, Mega-D, Srizbi, and Grum. I hope to have an analysis of the Xarvester botnet author ready soon.

So how much did the affiliate program sponsors themselves make? After paying affiliates (30-40%), suppliers (~7% of gross revenue), for shipping (a loss leader, it turns out, at between 11% and 12%), credit card processing (10%) and a host of other direct and indirect costs, the sponsors made a net profit of about 20% of gross revenue.

“Clearly these affiliate programs are profitable, but they are operating a business enterprise,” the researchers wrote. “Their profit is still only a fraction of the overall revenue.”

As detailed in my Pharma Wars series, the volume of spam worldwide has fallen dramatically since late 2010, when an escalating turf war between the Russian businessmen behind Rx-Promotion and sister programs SpamIt and GlavMed forced these businesses to close up shop. Alert readers will notice that my name also is listed as a co-author to this research paper, although in truth my principal contribution to the project was the donation of the Rx-Promotion, GlavMed and SpamIt databases that had fallen into my lap as a result of the aforementioned turf war. I am currently spending quite a bit of my time working on a book about the epic rise and fall of these rogue pharmacy affiliate operations.

While the proportion of email that is spam recently fell to historic lows, that ratio has been steadily creeping back up since April, according to Symantec. It will be interesting to see if this trend continues as other affiliate programs compete to meet customer demand and lay claim to the market shares once held by the likes of GlavMed, Rx-Promotion and SpamIt.

A copy of the Pharmaleaks paper is available here (PDF).

Krebs on Security: Gateline.net Was Key Rogue Pharma Processor


It was mid November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big-band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.

Promenade of SS Rotterdam. Copyright: Peter Jaspers

The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out into the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.

A middle-aged stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked whether I knew anything about a company in Moscow called “Onelia”. I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.

Later that evening, back at my hotel room, I searched online for details about the company, but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that, and that they would then be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.

My paranoia got the best of me, and I shelved the information. That is, until just the other day, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion. These two programs, the subject of my Pharma Wars series, paid millions of dollars to the most notorious spammers on the planet, hiring them to blast junk email advertising thousands of rogue Internet pharmacies over a four-year period.

WHO IS ‘SHAMAN’?

Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also was used to process a majority of the rogue pharmacy site purchases that were promoted by spammers working for the two programs.

The connection between Gateline and the spam programs is supported by chat logs seized in 2011 by Russian investigators who were looking into SpamIt. Those logs, leaked to this reporter last year, show hundreds of conversations between SpamIt co-owner Dmitry “Saintd” Stupin and a Gateline administrator who used the nickname “Shaman” (shaman@gateline.net), and was referred to as “Nikolai,” or the diminutive form, “Kolya”. The logs show more than 205 conversations between Shaman and Stupin from 2007 to 2010; Stupin also had 169 chat conversations with a SpamIt affiliate “dgc,” a programmer who used the email address dgc@gateline.net.

The leaked Stupin chats suggest that Shaman held enormous sway over the day-to-day operations of SpamIt. The pharmacy spam sponsor had great difficulty offering buyers the ability to pay by MasterCard, mainly because MasterCard seems to have been far more vigilant than Visa about policing the use of its services by rogue online pharmacies. The payment records of SpamIt indicate that Shaman received a sizable cut (~8 percent) from all sales processed by the SpamIt pharmacies, and that he sometimes earned tens of thousands of dollars per week for his services. He was typically paid via wire transfers to holding companies in Latvia, or via the WebMoney ID 49113952953.

In the following chat between Shaman and Stupin, recorded Nov. 23, 2009, Shaman can be seen chastising Stupin for not being more aware of transactions that they believed were from undercover buys made by MasterCard fraud investigators. At the beginning of the chat, Shaman posts a link to a story about a criminal case opened by Russian investigators into SpamIt and Stupin’s co-partner, Igor Gusev. By this time, the Pharma Wars between Gusev and his chief competitor Pavel Vrublevsky (a.k.a. “RedEye”) — widely considered to be the co-owner of Rx-Promotion — were well underway, with both Gusev and Vrublevsky slowly leaking data about the other’s operations to the media and on underground forums.

Shaman: http://www.runewsweek.ru/country/31283/

Stupin: Yep, yep.

Shaman: I’d suggest you not to advertise (P.R.) banks too much

Stupin: We need it the least.

Shaman: Otherwise, the entire business will go down. There has been something like that already.

Stupin: Igor is trying to remove those posts.

Shaman: Okay. What’s the deal with information wars? We have to stop this thing somehow. You’ll destroy the whole business.

Stupin: We will??? There has not been a single post from us. Igor is removing them all the time, we are not doing anything else.

Shaman: Stop responding to him in forum posts and RedEye will calm down.

Stupin: I will ask Igor whether he has been responding, if he has – I will ask him to stop doing it.

Shaman: WHanlinLittleton@gmail.com. Kill this asshole – he is MasterCard’s officer (employee). He made a purchase. http://www.iacva.org/PDF/William%20Hanlin.pdf

Shaman: Be more attentive with the batch. Kill these as well:

Charles Wilson, cwilson2020@comcast.net; Stephen Carpenter, flynavy@hotmail.com; Fredric Manger, fredmanger@gmail.com; capellau1968.test@yahoo.it, sandro racheli

Shaman: What’s going on with you?

Stupin: Programmers (developers) are checking what’s happened. This should not be happening.

Shaman: There has not been a single transaction from you to BinBank [one of the Russian banks: http://www.binbank.ru/index.wbp] since 00 hours.

Stupin: I am squeezing programmers to troubleshoot faster.

Shaman: As soon as you fix it, be more accurate. Process only established customers.

In a June 5, 2007 conversation between Stupin and Gusev, the former points out that Shaman is processing pharmacy site payments through Gateline’s sister processing program — a company called ufs-online.ru:

Stupin: Did you know that Shaman’s UFS-ONLINE is processing through Alfa (reference to one of the major Russian banks, Alfa-Bank)

Gusev: Yes.

Another interesting chat, recorded May 24, 2007, shows one of the benefits of personally knowing and doing business with the biggest spammers on the planet – one can try to reduce the amount of spam being sent to them.

Shaman: http://sidesky.hk – is it yours? Fuck, you spammed my whole office! Every employee!

Stupin: Yeah, it’s ours. I’ll ask the affiliate to remove from his list

Shaman: remove entire .ru zone from the spamlist..[and] .@ufs-online.ru

Stupin: He doesn’t want to remove, says it’s too cumbersome [to remove all of .ru]

WHO REALLY RUNS GATELINE?

Abridged Dun & Bradstreet report on Oneliya OOO

Financial records retrieved from Dun & Bradstreet show that Oneliya Ltd. is a Moscow computer programming and services firm with about 42 employees, bringing in annual revenues of nearly $346,000. This is almost certainly a highly conservative revenue number; financial records from SpamIt indicate that Shaman alone earned at least that much in a year processing payments for the program. It is likely, however, that Shaman’s activities were off-book and not recorded as official revenue for Oneliya, or perhaps that money was counted toward revenues for one of the firm’s satellite companies, such as ufs-online.ru or ufs-travel.ru.

In any event, this document indicates the director of the company is a Russian named Rafael Khasanovich Mukhametshin. This is supported by an email leaked from ChronoPay — the company co-founded in 2003 by Gusev and Vrublevsky before they parted ways and turned bitter enemies. Mukhametshin did not respond to multiple emails seeking comment for this story.

Dozens of documents leaked from ChronoPay show that ChronoPay routinely made large payments to the same WebMoney purse where Shaman had his SpamIt earnings sent. Each transaction is affixed with the notation “Shaman.” In an email exchange on June 9, 2010, Vrublevsky can be seen replying to a business partner who is asking about a processor he has heard about named Shaman who specializes in processing MasterCard and American Express payments.

“It is strange that you do not know, given that he works for Desp [Gusev] and also works with us: Gateline it is called,” Vrublevsky wrote. “Shaman is the nick of Kolya, a comrade of Rafael Mukhametshin (from ufs-online.ru if I’m not mistaken)”.

Shaman’s full name remains a mystery, to me at least, and it’s unclear if he still works for Gateline or whether the firm remains embroiled in processing payments for the rogue pharmacy industry. But Shaman’s prediction about ‘information wars’ ruining the business for everyone would eventually ring true. The SpamIt affiliate program was closed down in September 2010, after Russian investigators levied criminal charges against Gusev (although GlavMed, the sister program of SpamIt, still appears to be running). Vrublevsky was recently released from a Moscow prison after being arrested for allegedly hiring a botmaster to attack a rival processor. Rx-Promotion is now for the most part a dead pharmacy affiliate program.

Krebs on Security: Who’s Behind the World’s Largest Spam Botnet?


A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On April 13, 2008 – just five days after Stewart’s analysis was released – GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!”

Around the same time that SpamIt’s database was leaked, hackers plundered the networks of ChronoPay, one of Russia’s biggest online payment processors. The company’s top executive, Pavel Vrublevsky, was reputed to have been a co-founder of SpamIt’s biggest competitor — a rogue pharmacy operation called Rx-Promotion. The data that hackers leaked from ChronoPay included emails showing ChronoPay executives passing credentials to Rx-Promotion’s administrative back end database.

KrebsOnSecurity.com obtained a comprehensive data set showing all of the sites advertised by Rx-Promotion affiliates in 2010, as well as the earnings of each affiliate. That information was shared with several University of California, San Diego researchers who would later incorporate it into their landmark Click Trajectories study (PDF) on the economics of the spam business. The researchers spent four months in 2010 observing the top spam botnets, keeping track of which pharmacy affiliate programs were being promoted by different top botnets.

The GeRa-Stupin chats show that by the time the researchers started recording the data, GeRa had defected from SpamIt to work for Rx-Promotion. Indeed, the UCSD researchers found that Rx-Promotion and Grum were synonymous. Each Rx-Promotion pharmacy includes a “site_id” in its HTML source, which uniquely identifies the store for later assigning advertising commissions. The researchers discovered that whenever Grum advertised an Rx-Promotion site, this identifier was always the same: 1811. According to the leaked Rx-Promotion database, that affiliate ID belongs to a user named ‘gera.’

A tiny snippet of GeRa's sales from Rx-Promotion sites, which all bore his affiliate ID 1811 in the source.

“It doesn’t prove that GeRa owned Grum,” said Stefan Savage, a professor in the systems and networking group at UCSD and co-author of the study. “But it does show that when Grum advertised for Rx-Promotion, it was for sites where commissions were paid to someone whose nickname was ‘GeRa’.”

WHO IS GERA?

GeRa uses the alternative nickname “Ger@” on Internet forums, including the now-defunct Spamdot.biz, where top spammers from SpamIt and competing programs used to gather. Google’s search engine largely ignores the “@” character, which makes searching for that nickname difficult. But infiltrate enough invite-only cybercrime communities and eventually you will find a user named Ger@ who announces that he is buying traffic.

GeRa routinely purchases traffic from other botmasters and malware writers who control large numbers of hacked PCs. As he explained in the following post to an exclusive forum, victim browsers sent his way are typically funneled through sites hosting a gauntlet of exploits designed to install a copy of his spam bot (see below).

Ger@ writes: "We continue to buy all your traffic which goes to Eleonor (Exploit Pack) to load the spam bot…"

GeRa did not respond to multiple requests for comment sent via email and ICQ. He appears to have been much more careful with his identity than other top SpamIt botmasters, but he did leave several tantalizing clues. GeRa appears to have used a number of separate affiliate accounts for himself on SpamIt (possibly to make his earnings appear lower than they really were). Among his personal accounts were “GeRa,” “Kostog,” “Scorrp,” “Scorrp2,” “Scorrp3,” “UUU,” and “DDD.”

GeRa received commission payments for all of those accounts to a WebMoney purse with the ID# 112024718270. According to a source who has the ability to look up identity information attached to WebMoney accounts, that purse was set up in 2006 by someone who walked into a WebMoney office in Moscow and presented a Russian passport #4505016266. The passport belonged to a 26-year-old named Nikolai Alekseevich Kostogryz.

One of GeRa’s most successful referrals was a SpamIt affiliate who used the nickname “Anton,” and the WebMoney ID 186103845227. The information on the Russian passport used to open that account was Vasily Ivanovich Petrov. According to SpamIt records, Anton was the 18th most valuable affiliate overall, bringing in sales of nearly $1 million and earning commissions above $422,000.

A "mind map" that helped piece together data about GeRa and his associates.

Looking at the earnings of spammers from both SpamIt and Rx-Promotion, it’s difficult to ignore the remarkable asymmetry between their incomes and the global cost of dealing with junk email. In the United States alone, spam has been estimated to cost businesses more than $40 billion annually in lost productivity, anti-spam investments, and related costs. By comparison, the entire SpamIt program produced revenues just above $150 million over a four year period, while Rx-Promotion spammers generated a fraction of that revenue.

SpamIt, Glavmed earnings over the life of the programs.

This is the latest in my Pharma Wars series. In case you missed them, check out my profiles of other top botmasters, including:

Mr. Waledac: The Peter North of Spamming
‘Google,’ the Cutwail Botmaster
Mr. Srizbi vs. Mr. Cutwail
Chats with Accused ‘Mega-D’ Botnet Owner?
Rustock Botnet Suspect Sought Job at Google

Krebs on Security: Pharma Wars: Mr. Srizbi vs. Mr. Cutwail


The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program in October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

ICQ 360000 (alias “SPM”): I want my logo to be next to yours on the forum.

Stupin: Understood.

SPM: Let’s decide.

Stupin: We can think of something.

SPM: Let’s do it. Fakir suggests that I start recommending your partnerka to my clients. I am not against that.

SPM: But I want to have the status of official software for spamdot. It will come to it, since the majority of moderators on the forum are with me already.

Stupin: We can think of something like this – we are placing your logo with ours, in return you add our logo to your software, like you are recommending us.

SPM: Not a problem. I am leaving to draw the logo.

SPM: Give me a piece of the header, and I will draw right on it. I mean the header for the forum.

Stupin: Wait, it cannot be decided that fast, I need to discuss it with my partner and simply think all of this over.

SPM: Fine. Let me know when you discuss it.

Stupin: Certainly.

SPM: Thanks in advance. And when you are discussing this matter with your partner, let him know that SPM’s plan is to become the ONLY system on the market, and I stay by my words :)

Stupin: Google is saying the same thing :)

SPM: Google is no match, believe me. I’ve already destroyed one competitive system on the market. So I have the experience :)

SPM: Google offered me a bribe for my going out of business :) That’s his method :) )

Stupin: Honestly, it’s more pleasurable to deal with you than with him.

SPM: I was surprised that someone is competing with me on spam soft market. On the other hand, competition is always a good thing. So I am not against it. :)

The exchange above is part of a much longer conversation thread that is translated and reproduced in its entirety at this link. It recounts how SpamIt administrators debated and ultimately acquiesced to SPM’s demands, and how they later distanced themselves from Srizbi when security researchers turned up the heat on the criminal operation.

WHO IS SPM?

Clues about the identity and location of SPM are all over the SpamIt database and the chats. When SPM first registered with SpamIt in early 2007, he provided the email address mserver@mail.ru, and of course the ICQ address 360000. Early forum posts show that SPM rented his Reactor/Srizbi botnet to spammers who would log in to their accounts at reactormailer.com. The original Web site registration records for that domain list the same email address SPM provided to SpamIt: mserver@mail.ru.

When reactormailer.com was shuttered, SPM moved operations to www.reactor2.com, a domain originally registered to ronnich@gmail.com. SpamIt affiliate records show that a spammer who registered in 2007 with that same email address was a referral of SPM’s. Records also show that SPM referred at least two other affiliates, a “nenastnyj” who used the email address nenastnyj@gmail.com, and a programmer who used two accounts under separate nicknames, “Vladie” (volodyja@gmail.com) and “SigmaZ” (vlaman@gmail.com).

These names show up in an insightful analysis of Srizbi published in 2007 by Joe Stewart, senior security researcher at Atlanta-based SecureWorks. That report was prompted in part by a strange blast of spam sent via Srizbi that promoted the presidential candidacy of Texas Congressman Ron Paul.

Stewart wrote:

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm.” He calls his company “Elphisoft,” and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true; by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj.”

So Stewart’s conclusions about SPM’s business associates seem to have been spot-on. But what about SPM? Some of the more promising leads come from the spam king himself. As Stewart noted, SPM gave an interview in Jan. 2007 with the storied Russian hacker magazine Xakep.ru, in which he discusses how his Reactor Mailer botnet — “wholly owned” by him but built with the help of “some of the best coders from the former Soviet Union” — had recently seized a quarter of the market for spam services. Early in the profile, SPM says he is the “owner of a company producing game software.”

The game company lead is the most tantalizing. Here’s why: Googling around for SPM’s ICQ — 360000 — I discovered that SPM has indeed been developing freeware games for many years. At freeware.ru, there are a number of games posted by a guy named Philipp Pogosov, who uses that same ICQ and the mserver@mail.ru address.

Things started really heating up when I located this thread from 2005 on the user forum of UCA Networks, an Internet service provider serving the Southwestern and Southern districts of Moscow. In it, a user named “spm” says he is selling his 2001 BMW 530ia. SPM tells interested buyers to contact him at ICQ 360000, and that pictures of the car are available at http://www.reactor2.com/bossmobile. Later in the thread, SPM tells a fellow forum member to send his resume to game@gameprom.com.

I had a look at Gameprom, which seems to be doing very well developing and selling video games for mobile devices. Russian incorporation records show that Gameprom was founded in 2004 and is owned by Philipp Pogosov. This is also the name on the domain registration records of gameprom.com. What is the email address used to register gameprom.com? You guessed it: mserver@mail.ru.

I made several unsuccessful attempts to contact Mr. Pogosov. Gameprom did not respond to requests for comment. Having no luck with email, I turned to social networking sites. LinkedIn.com includes 19 users who list their current or former employer as Gameprom, including a “Philipp P.” who is listed as the company’s owner. My attempts at convincing two of my mutual LinkedIn.com connections to introduce me to Pogosov failed, but I did learn one interesting thing from his LinkedIn profile: He is apparently based in Thailand.

If Pogosov really is SPM, then it seems he has resided in Thailand for several years. Earlier in my Pharma Wars series, I detailed the activities of Cosma — the top SpamIt affiliate who appears to have been responsible for a botnet that competed directly with SPM’s: Rustock. In a chat between Cosma and Stupin on Oct. 1, 2008, Cosma jokes that he may soon be making enough money spamming that he can ditch his day job and go join SPM in Thailand. Here’s a snippet from that chat:

ICQ 761474 (alias=Cosma): When we reach $6-7k a day, I will leave you alone….I will go to SPM in Thailand and will drink cognac with him all day long =)

REACH OUT AND SPAM SOMEONE

It’s not clear why SPM left SpamIt, but it may have been because his botnet got clobbered in a double-whammy. First, the takedown of cybercriminal hosting hub McColo kneecapped Srizbi for a few weeks because all of its control servers were hosted there. Srizbi briefly recovered in Feb. 2009, only to be hammered again by Microsoft, which pushed out an update to its malicious software removal tool that uninstalled Srizbi from Windows PCs.

There is a year-long gap in the chat records between Stupin and SPM during 2009. When SPM does turn up again in early 2010, it’s to pitch an ambitious scheme to spam mobile phones with text message ads for SpamIt’s rogue pharmacies.

The following chat was recorded on Jan. 24, 2010, roughly 9 months before SpamIt’s demise:

ICQ: 635635 alias “Namaste”: Hi. This is SPM. What’s new in the community?

Stupin: Nothing new. Everything repeats itself. :)

SPM: That’s the law of life. :) How’s business?

SPM: Am I interrupting something? I can knock later if I am.

Stupin: No, you are not interrupting. Business is going fine. It’s going and growing.

SPM: There are a couple of ideas to discuss. Idea 1) In short – I can do SMS spam. It is serious, many and fast. I believe the friends of ours told you about that already.

SPM: Maybe not.

Stupin: I am very happy for you. :)

SPM: In other words, you are not interested in using SMS for SpamIt spam?

Stupin: Well, I have not really heard an offer from you. :)

SPM: Well, we can produce an offering together. I do not have a finished offer yet. Simply, there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second. Any provider. Inbox delivery – 80%, but outcome cannot be predicted by anyone, since, as far as I know nobody has been doing SMS spam yet.

Stupin: Well, go get our URLs and try.

SPM: We’ll need a version of your shops adapted for smartphones. With limited graphics.

Stupin: They are adapted automatically, using User-Agent.

SPM: Give me any link, and I will check on the phone.

Stupin: http://canadian-medshop.com

SPM: Do you have stats of connections to shops from smartphones?

Stupin: Yes, a small percent from overall traffic.

SPM: What kind of phones? Do you have this information?

Stupin: No surprises…iPhones, and Blackberry

SPM: How about Nokias?

Stupin: Very few.

SPM: Inconvenience that URL should be entered manually, but on the other hand – Inbox 80%….

Stupin: Databases are not targeted also, as far as I understand.

SPM: Surely, but on the other hand, there is a possibility to spam the entire provider’s space.

Stupin: Ask some hackers to give you a phone listing generated from an on-line pharmacy.

SPM: I thought about it. Is my account still alive? I forgot my password.

Stupin: Tell us login and which new password you want us to set.

SPM: spam101

Stupin: Okay.

SPM: Does your pharmacy serve Russia?

Stupin: No.

SPM: Pity. :) Our providers are very easy to harvest. All three of them.

Stupin: Password is done.

Stupin: Tell us if everything is okay.

SPM: Everything is okay. My GOD, there is even some money there :) Will you send to my WM?

Stupin: Yes. Let support know, if you need domains, we can leave one theme for smartphones, similar to what we have here: http://www.medshop.mobi

Krebs on Security: Pharma Wars: ‘Google,’ the Cutwail Botmaster


Previous stories in my Pharma Wars series have identified top kingpins behind some of the biggest spam botnets. Today’s post does that and more, including never-before-published information on “Google,” the lead hacker behind the world’s busiest spam botnet — Cutwail.

December 2011 spam stats from M86Security

For many years, Cutwail has been among the top three most prolific spam botnets. With the recent takedown of the Rustock botnet, Cutwail now is the top spam bot; according to M86 Security, versions of Cutwail are responsible for about 22 percent of the daily spam volumes worldwide.

Security researchers have extensively dissected the technical machinery that powers Cutwail (a.k.a. “Pushdo” and “Pandex”), but until now little has been published about the brains behind it. Krebs On Security has learned that the individual principally responsible for developing and renting this crime machine to other miscreants was a top moneymaker for SpamIt, until recently the world’s largest rogue Internet pharmacy affiliate program.

By the time he joined SpamIt in early 2007, the hacker named Google had already spent several years fine-tuning his spam botnet. Just months prior to its closure in Oct. 2010, SpamIt was hacked, and its customer and affiliate data leaked online. The data shows that Google used close to a dozen affiliate accounts at SpamIt, and made nearly $175,000 in commissions advertising SpamIt’s rogue online pharmacies with the help of Cutwail.

But Google would make far more money renting his botnet to other spammers, and SpamIt affiliates quickly became his biggest client base. Interestingly, the proprietors of SpamIt initially asked for Google’s help not to spam rogue pharmacies, but to jump-start a new affiliate program called Warezcash to sell “OEM” software — mostly pirated copies of Microsoft Windows and other high-priced software titles.

That relationship is evident from hundreds of chat logs between Google and SpamIt co-founder Dmitry “Saintd” Stupin. The conversations were part of thousands of hours of logs obtained by Russian cybercrime investigators who examined Stupin’s computer. The chats were later leaked online, and provide a rare glimpse into the day-to-day operations of Cutwail from the botmaster’s perspective. They also provide tantalizing clues as to the real-life identity of Google and his co-workers. Snippets of those conversations appear below, translated from their original Russian into English by native Russian speakers.

THE CUTWAIL MACHINE

Some of the best technical analysis of Cutwail came earlier this year in a paper from researchers at the University of California, Santa Barbara and Ruhr-University Bochum, which described in detail how the Cutwail botnet was operated, rented and promoted on the exclusive SpamIt forums. From their paper (PDF):

“The Cutwail spam engine is known in spam forums by the name 0bulk Psyche Evolution, where it is rented to a community of spam affiliates. These affiliates pay a fee to Cutwail botmasters in order to use their botnet infrastructure. In return, the clients are provided with access to a Web interface (available in Russian or English language) that simplifies the process of creating and managing spam campaigns…”

SpamIt affiliate records show that Google registered with the program using the email address psyche.evolution@gmail.com (according to historical WHOIS records, the domain name psyche-evolution.com was registered in 2005 by that same email address, to an organization called “0bulk corp.” in Moscow).

In several chats with Stupin, Google describes how he and his pals switched to pharmacy spamming when promoting stocks via spam became less lucrative. In a discussion on Feb. 25, 2007, Google said he was “renting software for spam” to competing spam affiliate programs “Mailien,” “Bulker,” and “Aff Connection,” and that all of his clients had great success converting traffic into sales. “We have been spamming stocks, however now stocks started converting badly, so we decided to spam in parallel with some affiliate programs. We organized people, gave them tasks to do. We’ve been spamming them for a week only, but I think we’ll do good.”

From a chat dated August 16, 2007, Google explains how to use the Cutwail botnet:

1) Access to the interface: http://208.72.173.10:3571/login.cgi

2) Stats and loader: http://208.66.194.231:3081/ldr/vn.cgi

3) Manual about our software: http://208.72.173.10:3571/man.cgi

4) Technical support contacts/Personal ICQ addresses for support:

198922489 – Psyche Support 1

468559240 – Psyche Support 2

481896712 – Psyche Support 3

353149439 – Psyche Support 4

5) Contact of Manager: He handles questions about payments and all non-technical questions, also questions regarding complaints about the software and technical support, ICQ: 43266131

6) Technical support forum: http://psychetalk.com, Login: saintd, Password: VeryNice

Google’s alliance with SpamIt would quickly cement the Cutwail botnet as a top contender. On Sept. 7, 2007, Google bragged to Stupin that his malware had “made it to #14” on Kaspersky’s most prevalent malware threats, pasting this link into the conversation. Kaspersky Labs confirmed that the Trojan Downloader.Win32.Agen.brk listed at #14 in that index is one of the aliases for a downloader Trojan used to deploy Cutwail.

GOOGLE’S IDENTITY REVEALED?

According to the Stupin logs, the SpamIt administrators worried that Google would not be mature enough to handle such a big operation, noting in one chat that Google was said to be only about 25 years old. Shortly after that conversation, on May 14, 2007, Stupin and Google agreed to hold a face-to-face meeting in Moscow to discuss the Warezcash OEM partnership. In that chat, Google asks Stupin to call him on his mobile number, which he gives as +7-916-4444474.

That same phone number is tied to the historic Web site registration records for several domains, including antirootkit.ru, einfinity.ru, electronicinfinity.ru, hoha.ru, lancelotsoft.com, and ssbuilder.ru. In each record, the name of the initial registrant is “Dmitry S Nechvolod,” and the contact phone number is +7-916-4444474.

According to the Web site of Russian software firm Digital Infinity Developers Group (the search engine Google currently flags diginfo.ru as malicious), Nechvolod is part of a team of developers, and is described as an “administrator of UNIX-based systems (ATT/BSDi),” an “administrator of Cisco routers,” and “a specialist in information security software.”

It’s unclear whether Nechvolod is Google’s real name, a pseudonym, or merely clever misdirection to implicate someone else. But there are other interesting connections: spam.hoha.ru was at one point listed as a reliable place to rent mass spam campaigns, at least according to several members participating in this Russian Webmaster forum discussion.

Probably the best clue in support of a connection between Google and Nechvolod comes from the payment data that Google himself provided to SpamIt. Google asked SpamIt administrators to send his affiliate payments via WebMoney, a virtual currency that is quite popular in Russia and Eastern Europe. He requested that his commissions be paid to the WebMoney purse Z046726201099. According to a source that has the ability to look up identity information tied to WebMoney accounts, the personal information provided when this account was opened in 2004 was:

Нечволод Дмитрий Сергеевич (“Nechvolod Dmitry Sergeyvich”)

• Passport – 4507496669
• Date of Issue (MM/DD/YYYY) – 7/23/2004
• Place of Issue – Moscow/Russia
• Issued – ATS District Cheryomushki
• Date of birth (as on passport) – July 9, 1983
• E-mail – wm.lancelot@gmail.com
• Telephone – +7 9164444474

Another strong link provided by Google (the search engine Google, not the spammer) stems from one of the domains registered to Nechvolod — einfinity.ru. In 2006, a Stanislav representing himself as a job recruiter for a company called “E-infinity” posted a message to the Russian programmer forum Delphimaster.net that he was seeking UNIX programmers for work at an E-infinity office in Moscow. Stanislav asked interested applicants to contact him at ICQ number 903445.

The Diginf.ru Team

SpamIt affiliate records show that in Sept. 2007, a new spammer signed up with the usernames Feligz/Eagle providing the email address maravanio@gmail.com and ICQ 903445 as his contact information. Stupin’s ICQ chat logs show that on Sept. 3, 2007, Stupin contacted Google’s manager (ICQ 43266131, see above) about an urgent problem, complaining that he was unable to reach Google or two of Google’s usual support personnel by ICQ or by phone. The manager says he will try to get in touch with the technical director within Google’s operation, a hacker who uses the screen name Eagle. Minutes later, Stupin receives an instant message from Eagle, who is using the ICQ number… wait for it… 903445.

Remember the page at Diginf.ru referenced above that lists Dmitry Nechvolod as a system administrator? That same page lists a Stanislav Kuznetsov as another team member. What is Stanislav’s email? Eagle@diginf.ru.

CRIMEWARE EVOLUTION

For a variety of reasons, spam is not nearly as prevalent as it once was. According to a recent report (PDF) from Symantec, just 70 percent of email sent worldwide was spam in November 2011, the lowest rate since the rogue ISP McColo was shut down in late 2008. At that time, about 90 percent of email was junk.

Cutwail may have begun as a popular vehicle for sending male enhancement and OEM software spam, but in recent years it has morphed into a major spam cannon for malicious software. These days it seems more often involved in sending emails that try to trick recipients into opening malware-laden attachments, most often variants of the ZeuS and SpyEye trojans.

Information obtained by KrebsOnSecurity.com shows that as early as 2009, Google’s botnet was hired by a Ukrainian cyber fraud gang known as the JabberZeuS crew to help spread malicious emails that the gang used to conduct a number of lucrative cyber heists.

More recently, Cutwail has been seen sending out malicious spam campaigns with a variety of themes such as airline ticket orders, wayward Automated Clearing House (ACH) payments, Facebook notifications, and scanned documents. On Dec. 19, Microsoft warned about a Cutwail campaign that was blasting out ransomware attacks that used information about the recipient’s geographic location to tailor the email lure, which spoofed various national law enforcement organizations and warned victims that they were being investigated for possessing child pornography.

Krebs on Security: Chats With Accused ‘Mega-D’ Botnet Owner?


Recently leaked online chat records may provide the closest look yet at a Russian man awaiting trial in Wisconsin on charges of running a cybercrime machine once responsible for sending between 30 and 40 percent of the world’s junk email.

Oleg Nikolaenko

Oleg Y. Nikolaenko, a 24-year-old who’s been dubbed “The King of Spam,” was arrested by authorities in November 2010 as he visited a car show in Las Vegas. The U.S. Justice Department alleges that Nikolaenko, using the online nickname “Docent,” earned hundreds of thousands of dollars using his “Mega-D” botnet, which authorities say infected more than half a million PCs and could send over 10 billion spam messages a day. Nikolaenko has pleaded not guilty to the charges, and is slated to appear in court this week for a status conference (PDF) on his case.

The Justice Department alleges that Nikolaenko spammed on behalf of Lance Atkinson and other members of Affking, an affiliate program that marketed fly-by-night online pharmacies and knockoff designer goods. Atkinson told prosecutors that one of his two largest Russian spamming affiliates used the online moniker Docent. He also said that Docent received payment via an ePassporte account under the name “Genbucks_dcent.” FBI agents later learned that the account was registered in Nikolaenko’s name and address in Russia, and that the email address attached to the account was 4docent@gmail.com.

According to my research, Docent also spammed for other rogue pharmacy programs. In fact, it’s hard to find one that didn’t pay him to send spam. In my Pharma Wars series, I’ve detailed how Russian cybercrime investigators probing the operations of the massive GlavMed/SpamIt rogue pharmacy operation seized thousands of chat logs from one of its principal organizers. The chats were later leaked online and to select journalists. Within those records are hundreds of hours of chats between the owners of the pharmacy program and many of the world’s biggest spammers, including dozens with one of its top earners — Docent.

According to the SpamIt records, Docent earned commissions totaling more than $325,000 promoting SpamIt pharmacy sites through spam between 2007 and 2010. The Docent in the SpamIt database also had his earnings sent to the same ePassporte account identified by the FBI. The Docent in the leaked chats never references himself as Nikolaenko, but in several cases he asks SpamIt coordinators to send documents to him at the 4docent@gmail.com address.

The chats between Docent and Stupin show a young man who is ultra-confident in the value and sheer spam-blasting power of his botnet. Below are the first in a series of conversation snippets between Docent and SpamIt co-administrator Dmitry Stupin. Before each is a brief note providing some context.

In the transcript that follows, Stupin tries to woo Docent to join SpamIt. Docent negotiates a much higher commission rate than is usually given to new spamming partners. The typical rate is 30 percent of each sale, but Docent is a known figure in the spamming underground, and argues that his botnet will bring such massive traffic to the SpamIt pharmacies that he deserves a higher 45 or 50 percent cut of the sales. This conversation was recorded on Feb. 1, 2007.

Stupin: Hello! You have communicated with ICQ 397061228, I am writing regarding your case, Docent.

Docent: Which case?

Stupin: Do you want to send spam regarding our partnerka? ["partnerka" is Russian slang for a mix of private and semi-public affiliate groups that form to facilitate cybercrime activities].

Docent: Which exactly do you mean? I have not yet communicated with this 397061228.

Stupin: Here is the letter which recently came from you: “It is usual spam, GI bases, not opt-in. Big volume of emails. I mail a lot of [competing pharmacy] programs, Bulker, Mailien, SRX. I’m a member of most bulk forums. So if you need references, i can provide them. Usual traffic is 2k+ uniques. Also i need bulk-host.”

Docent: Yes, I got it. It’s just nobody IM’d me.

Stupin: OK) What kind of volumes of spam can you deliver? We are soon deploying our own “partnerka” for spam, we just do not have it right now.

Docent: Volumes are huge, 500 million + / day.

Stupin: Wow! Are you not accidentally on [Spamhaus] ROKSO List?

Docent: Yes, it’s a list of idiots :) , with the exception of a couple of people.

Stupin: We do contract people for our spam campaigns, but only verified people. We are not publicly opened yet.

Docent: I know someone who personally knows Desp [the nickname used by Stupin's partner and SpamIt co-founder Igor Gusev]. And also we can collect references :)

Docent: Does your program accept Visa?

Stupin: Yes. Not only Visa. It would be fantastic if you provide your recommendations. I will honestly depict our situation, we will not be able to sustain your volume of spam in addition our current traffic. We can try to work with you in China or with new hosting platform, however hosts there are not tested. If you are ok with that, I will send you several domains.

Docent: In any case, I will not switch the entire volume for you.

Docent: Regarding my Visa question… I actually meant MasterCard.

Stupin: We have MasterCard. We’ll definitely not sustain the entire volume, we can try little-by-little, checking each other out.

==

Approximately one week later…

Stupin: Hey! How about spamming for us?

Docent: What are the payment conditions?

Stupin: 30 [percent of sales] at the start, 35 if there are 5 orders a day sustainable within minimum of 4 days, 40 if more than 10 orders a day.

Stupin: Payments via wire, Webmoney, Fethard, e-passport. When 40% – payments are done by request, otherwise – two times a month.

Docent: Hmm, 40% can be given right away to right people.

Stupin: If you are indeed as good as you say – you will not stay on 30% for long.

Docent: I am not going to switch on entire traffic. :)

Stupin: I understand.

Docent: And 30 % is not cool, when other [affiliate programs] pay 45% )) However, your sites are indeed looking good.

Stupin: Who is paying you 45? If you show us statistics screen – we will give you 40 right away, if there is traffic there.

Docent: Where do you host?

Stupin: In Russia. Backup hosting is in China.

Docent: Has anyone spammed your Russian host?

Stupin: We work there for more than a year. However, we have not tested it with large volumes.

Docent: OK, we’ll try later. I will be ready next week to switch traffic.

Docent: Now I need to get money from those people )

===

One week later…

Stupin: Hello! Do you want to spam for us?

Docent: Hi. with pleasure, but later.

Stupin: We have just added xanax, valium, and Ambien.

Stupin: Hi! Am I interrupting anything?

Docent: Hello. No.

Stupin: Does “Bulker” [another pharmacy affiliate program] have a problem with billing?

Stupin: Do you want to work with us?

Docent: what do you mean?

Stupin: What do you mean what do I mean?

Docent: By asking me about balker having problems with billing?

Stupin: I heard, that he had a problem with order processing.

Docent: It’s not been going too well….

Stupin: Who do you work with right now?

Docent: How did you get information that I was somehow linked to balker?

Stupin: Ah, I thought you worked with him, he is an authority.

Docent: Yes, I worked with him. And?

Stupin: I want to steal you.

Stupin: all Spammers are absolutely ecstatic about us, we now want to recruit spammers). How can we make you interested? :)

Docent: By good conditions (terms).

Stupin: What kind of terms do you want?

Docent: Well, give me sweeter conditions, and I am yours )

Stupin: We will not give more than 40%) but no charges.

Docent: And refunds? and why can’t you give more than 40?

Stupin: Whatever is on balance – is yours, no fees (charges).

Stupin: Because we want to eat as well.

Docent: How often do you pay? and where are the hosts?

Stupin: If more than 300-500 / a day – we pay whenever requested.

Stupin: Hosts – are in Russia.

Docent: OK. make an account. We’ll see.

Stupin: Invite code – QIHL5480, register on – http://spamit.com/register.php

Docent: Cool domain :)

Stupin: Yep!)

Stupin: We have not yet completed the design, design is going to be absolutely cool.

Docent: Yes you have fantastic designs on all projects.

Docent: Login: docent

Stupin: I set it at 40 [percent].

==

February 21, 2007

Docent: I will start a small test today. what kind of terms do you offer?

Stupin: 40%, visa & mastercard, private domains, controlled pills.

Docent: Controlled pills are Vicodin & Phentermine ?

Stupin: No, phentermine is only herbal( everything is being sold anyway without them.

Two days later, Docent is signed up with SpamIt, but has not yet started spamming for the affiliate program directly. In this chat, however, he obtains referral codes on behalf of two other spammers who want to join SpamIt; all of the affiliates he brings in will pay a portion of their commissions to Docent as a referral fee.

Stupin: I have bad news – we will have to turn off controlled,  someone got arrested there,  everything is getting turned off there(

Docent: Where has someone got arrested?

Stupin: Some supplier. Many Russians were sending via him.

Docent: Where do you ship from?

Stupin: From India, like everyone else.

Docent: It is strange that someone has got arrested in India.

Stupin: Well this one was tremendously illegal

Stupin: Only heroin is worse)

Docent: Not for India…

Docent: Is xanax illegal ?

Stupin: Yes

Docent: Vicodin is worse. Xanax is not very illegal.

Stupin: http://en.wikipedia.org/wiki/Xanax     Legal status     Schedule IV(US)

Docent: ))) Well, according to US laws even spam can lead to 1000 years of imprisonment.

Stupin: Only schedule V is worse.

Docent: Especially in large volumes ). And from bots. :)

Stupin: Vicodin – It is in Section III.

Docent: But nobody is selling it. because people can get really high from it. But nobody can get high from xanax. All generic are selling it.

Stupin: )))) it’s already a separate issue.

Docent: When are you going to put xanax back ?

Stupin: We do not have a date yet.

Docent: Pity )

Docent: Ok, good thing that you accept MasterCard ))

Stupin: Do you know if anyone like balker still has xanax? by the way, where should I send invites to?

Docent: Yes he still has it.

Stupin: How many do you need?

Docent: Give me a couple, I will invite a couple of people.

Stupin: 1STZ1R2, DRKMTWS6U [invite codes to SpamIt.com]

Stupin: Up to 16.6% of profit we pay for referrals.

Docent: How is it calculated?)) Meaning the percentage? it is funny formula “up to 16.6” )) I have never seen that))

Stupin: 5% off referral’s turnover, everywhere else it is 5% of profit, if referral has 30%, we have – 16.6%, if 40% – only 12% from his profit.

Docent: Aah. That is cool.

Docent: 1STZ1R2 put 40% right away for this invite )

Stupin: Who is it?

Docent: He is good. I do not have bad friends.

Stupin: See, I have not seen you in action, and I do not know him)

Docent: Just trust me.

Stupin: What’s his login on spamdot?

Docent: We’ll say – 50 sales a day.

Stupin: I have done whatever you asked me.

Docent: I will invite one more person this evening… He spams very well.

Docent: Has he registered himself yet using this invite?

Stupin: Not yet.

Stupin: Bulker said that they did not have controlled [drugs].

Stupin: They did not work honestly, they screwed us up two times with processing. They also used our pictures of pills without our consent.

Docent: They also shave off a lot ["shaving" means to undercount sales/commissions]. I have stopped spamming for them a long time ago. However, I do not like my current partner. He screwed me over $50k. And he does not admit it, bastard. I hope, everything is going to go well with you.

Stupin: We have already been doing SE “partnerka” business for 1.5 years.  Nobody has been complaining.

Stupin: and $50k payments also happen.

Docent: Yes, I just know the roots of your “partnerka” )  I do not want to show all my cards, but I am sure that we will have a great partnership.

===

In the conversation below, recorded Nov. 23, 2007, Docent and Stupin discuss earnings of two SpamIt affiliates referred to the program by Docent. One of them, who uses the nickname “Cosma,” eventually becomes one of SpamIt’s all-time top earners. According to Microsoft, Cosma was the individual behind the Rustock spam botnet. The other referred affiliate is an American spammer who used the nicknames “Speedy” and “Lightspeed.”

Stupin: Hello, have you heard anything about ICQ 197152928 (speedy)? He’s not been responding on ICQ.

Docent: Was he selling SOCKS proxies?

Stupin: No, he was spamming for us. He wanted to be paid with ATM cards. We can give them to him now. It was his main requirement to spam for us :)

Docent: Nickname sounds familiar.

Stupin: He was YOUR referral!

Docent: Do you have a good host now?

Stupin: We have 5 of them :)

Docent: Good? Not bot and very fast?

Stupin: 5 hosts. 3 of those ) (not bot and fast). Two in Europe and one in US with Chinese IP address.

Docent: From Abdullah?)

Stupin: Only in US and one in Europe. The other one is our own.

Docent: Your own…You are growing ).  Desp [Gusev] has to be happy.

Stupin: Yes he is ecstatic. By the way, you have a Balance: $1333.11

Docent: hmm. Where from?

Stupin: From Cosma and from Speedy. We have the largest referral payments.

Docent: How many % ?

Stupin: 12.5

Docent: Very good. Is Cosma sending now?

Stupin: Yes, he’s just started.

Docent: What kind of volume does he have a day?

Stupin: Ask him.

Docent: Haha. It can be calculated from referrals. How many sales does he do for you?

Stupin: I cannot tell you, he may not want you to know.

Docent: He should not care, besides, I will not tell him that you told me, lol)

Stupin: Sorry, no way.

Docent: Fine)

Docent: Is he making 2k profit?

Stupin: Again, ask him, I cannot tell you.

Docent: Why is speedy not in my Referrals?

Stupin: His login is Lightwave.

Docent: Give me a good host. I will spam for you.

Stupin: Do you have large databases?

Docent: Damn! Surely large!

Stupin: ok, how many domains?

Docent: 10

Stupin: ok

Docent: I will not start today for sure, since I am going out drinking.

Docent: I will start late night, if I am in proper condition, or on Sunday.

Stupin: Support will send that to you.

Docent: I’ve calculated Cosma’s profits ))

Docent: He was making 5k on average on herbal products.

Stupin: He has started just a few days ago. He is not working in full capacity.

Krebs on Security: DDoS Attack on KrebsOnSecurity.com


Last week, not long after I published the latest installment in my Pharma Wars series, KrebsOnSecurity.com was the target of a sustained distributed denial-of-service (DDoS) attack that caused the site to be unavailable for some readers between Nov. 17 and 18. What follows are some details about that attack, and how it compares to previous intimidation attempts.

The DDoS was caused by incessant garbage requests from more than 20,000 PCs around the globe infected with malware that allows criminals to control them remotely for nefarious purposes. If you’ve noticed that a few of the features on this site haven’t worked as usual these past few days, now you know why. Thanks for your patience.

I shared the log files of the attack with Joe Stewart, director of malware research at Dell SecureWorks. Stewart discovered that the botnet responsible for hitting my site appears to have been created with Russkill, a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground. Russkill, sometimes called Dirt Jumper, does its dirty work by forcing infected systems to rapidly request the targeted site’s homepage.
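Dirt Jumper’s signature, as described above, is a large number of distinct infected hosts each hammering the same URL (the homepage) as fast as they can. That pattern is visible in ordinary web server access logs. The following is an added example, not code from this post or from Dell SecureWorks, of the kind of check a site operator can run over a combined-format log to separate that flood from normal browsing: it counts requests for the target path per source IP inside a sliding time window and flags sources whose burst rate is implausible for a human. The log lines, IP addresses (documentation ranges), window size and threshold are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, e.g.
# 1.2.3.4 - - [17/Nov/2011:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flood_sources(lines, path="/", window_seconds=10, threshold=5):
    """Return {ip: peak_count} for every source that requested `path`
    at least `threshold` times inside any `window_seconds` window.

    The window and threshold are assumed tuning values; a real deployment
    would pick them from the site's own baseline traffic."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        # Sliding window over the sorted timestamps for this source.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# --- constructed sample log (not real traffic) ---------------------------
def _line(ip, second, path, ua):
    return (f'{ip} - - [17/Nov/2011:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = []
# Three "infected" hosts, each requesting the homepage six times in six seconds.
for n in (1, 2, 3):
    for sec in range(6):
        SAMPLE_LOG.append(_line(f"203.0.113.{n}", sec, "/", BOT_UA))
# One ordinary visitor: homepage, then a second page half a minute later.
SAMPLE_LOG.append(_line("198.51.100.7", 0, "/", "Mozilla/5.0 (X11; Linux)"))
SAMPLE_LOG.append(_line("198.51.100.7", 30, "/", "Mozilla/5.0 (X11; Linux)"))
SAMPLE_LOG.append(_line("198.51.100.7", 31, "/about", "Mozilla/5.0 (X11; Linux)"))
SAMPLE_LOG.append("this line is not a valid access-log entry")


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} homepage requests inside a 10 s window")
```

The per-source count is what distinguishes a DDoS from a traffic spike caused by a popular link: a flash crowd is many addresses each requesting a page once or twice, whereas a Dirt Jumper-style flood is many addresses each requesting the same page continuously. Feeding the flagged list to a firewall or rate limiter is the usual next step, but the count alone already tells the operator how many bots are involved.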

Stewart said he suspects — but can’t prove – that the control center for this botnet is noteye.biz, based on traffic analysis of Internet addresses in the logs I shared with him.

“I did not already have [noteye.biz] under monitoring so it is impossible to say for sure what targets were hit in the past,” Stewart wrote in an email. He noted that the same attacker also apparently runs a Dirt Jumper botnet at xzrw1q.com, which is also currently attacking Ukrainian news site genshtab.censor.net.ua, and kidala.info (“kidala” is Russian slang for “criminal,” and kidala.info is a well-known Russian crime forum).

“According to my logs this botnet did attack your site back in April, so this is some additional circumstantial evidence that suggests the noteye.biz [control network] may have been involved in the recent attack on your site,” Stewart wrote.

As Stewart notes, this is not the first time my site has been pilloried, although it was arguably the most disruptive. In October 2010, a botnet typically used to spread spam for rogue Internet pharmacies attacked krebsonsecurity.com, using a hacked Linux server at a research lab at Microsoft, of all places.

I’ve spoken at more than a dozen events this year, and the same question nearly always comes up: Do you ever get threatened or attacked? For the most part, the threats and intimidation attempts have been light-hearted.

Yes, occasionally crooks in the underground will get a bit carried away – as in these related threads from an exclusive crime forum, where I am declared the “enemy of carding;” or in the love I received from the guys at Crutop.nu, a major Russian adult Webmaster forum (the site now lives at Crutop.eu).

But some of the “attacks” have been downright funny. In June, someone hacked a news site and planted a story falsely claiming that F-Secure researcher Mikko Hypponen and I had been arrested for selling stolen credit cards.

My name also has been known to show up in malware. In June, a Trojan downloader that peddled adult Web sites included a reference that I had somehow gotten married to security blogger Dancho Danchev. In 2010, Fortinet found a variant of the spam botnet installer Pushdo that was controlled by a domain name called “fuckbriankrebs.com.” In 2009, Sophos wrote about a new email malware campaign disguised as an alert about a wayward DHL package: The message included a “tracking number” that was essentially the same sentiment, only spelled backwards.

I guess my stories about the ZeuS Trojan have angered those guys as well. In February 2010, a piece I wrote warning people about an oddball version of the ZeuS Trojan that stole Microsoft Word documents and PDFs was repurposed to help make a follow-up campaign more successful.

Update, Nov. 23, 9:31 a.m. ET: As noted by one commenter already, a deep dive into Russkill/Dirt Jumper was recently published at DeepEndResearch.org, a new group that includes some well-known security researchers.

Krebs on Security: Pharma Wars: The Price of (in)Justice


I spoke this week at Govcert 2011, a security conference in Rotterdam. The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who each sought to destroy the other’s reputation and business, and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict.

Actors

Pavel Vrublevsky: Co-founder and former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below are from a set of logs leaked to several download sites that contain thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each other’s business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed come just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that, if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out. He is going to lose a large portion of his business and will be left with no money to fight the war.”

Gusev: Latest news – all the materials to start a criminal case were given to prosecutors on Friday. After holidays I am going to get some information regarding “what” and “who”. Are we meeting on 24th?

Stupin: Yes we are meeting on 24th.

Stupin: Shaman’s stuff got broken, everything is declined. I cannot come to Moscow, as usual. I broke my leg in Turkey.

Gusev: Really??? Is it really broken?

Stupin: Yes.

Stupin: Here. hip-notics.com. I was learning how to do a somersault doing aerial skiing (freestyle).

Gusev: In reality, I think it’s for the better. There is no need for you to go to Moscow. After the holidays I am going to get the information which was received by the prosecutors’ office; however, I am planning to leave from here for a couple of months. This is extremely serious, this is not just articles in newspapers.

Gusev: Write down my new number. It used to be 325667.9. 20k (5k are going to the middleman and 15k are going to a person from prosecutors’ office); 5k (for the search of materials regarding Pasha’s case); $2k (to lawyer for compromising materials and Newsweek); summed up to: 298667.9

Stupin: Okay.

TWO DAYS LATER:

Gusev: I need a piece of advice: I found a person who is willing to help me in situation with Red. He has a proven scheme, because he is a very strong lawyer. A real fixer-upper. For his service, along with very large sum of money, he is asking for something in return — he is asking to help his friend – a very famous webmaster, who faced similar problem as the one we are facing, and who was saved by that person. This “friend” is not doing anything right now.  This lawyer is asking us to help him with establishing on-line pharmacy affiliation (partnerka). I am not glad with this proposition to create our own competition, however, out of all people I talked to, only this person offered a structured solution to the problem, giving us hopes.  People from Volleyball Association can and will cover us, using their FSB connections, but they can do very little with Prosecutors’ Office, they can only prolong the legal proceedings. They will also not be able to prosecute Red. The person who we are asked to help is my old acquaintance – Pet – the owner of лолного – billing of billcards (sunbill). [For more information on the role of the Russian Volleyball association in this story, see Pharma Wars: Purchasing Protection].

Stupin: Let’s offer him to create “us” under his own brand.

Gusev: We have already tried doing this.  He is going to leave on his own. IMHO the ideal way is to offer him our clone as 50-50 partnership. I have not offered anything to anyone yet before knowing your opinion. I cannot say no, otherwise, the “fixer-upper” is not going to take our case (even if we give him as much money as he asks for) :( In that case I will have to do everything by myself (I know how to do it and even have several people, who can split the whole scheme step by step and execute them). However, this way, there is very high chance that they will take the money, but will do nothing. Or will milk me and Red at the same time, making double the money, and, again, do nothing.

Stupin: It’s not a problem at all,  they have tried so many times to do something with us – and have not followed through on their own. Our sites are publicly available, there is no risk to process orders from trusted sites.

Gusev: Hosting is ours, tech support is only ours. We will not give the software. Maintenance is also ours.

Stupin: Yes, we are giving them the sites, they will redo them, giving them API for the affiliation (partnerka).

Gusev: ok, I will try to bind them by these conditions. Do you want to know how much the service regarding Red costs?

Stupin: Sure. I have just arrived, with my leg, I can’t really think straight.

Gusev: 1.5 million.

Stupin: Oh, God!!! What does he promise for that?

Gusev: He promises that Red would remain in prison and would not be able to pay for his way out + he is going to lose a large portion of his business and will be left with no money to fight the war.

Gusev: I do not want to write all the details here on Jabber, that is why I wanted to meet. I am gathering the money for him, and for your for the office, and I am leaving for 2-3 months.

Stupin: ok, are you going to bring money for the office? Let’s meet at that time? Because I am going to get stuck for approximately a month with my leg.

Gusev: Yes, I am trying to gather enough money. Pasha is helping me, but with very small sums and when he has available money, not when I need it.

Gusev: Can we borrow from your brother? At most 150-200k?

Stupin: Yes, I will do it. Some time ago I rented a house in Moscow suburbs, and the owner offered to rent with his help. I have his e-mail and the phone number, he is mature, calm, we can try.

Gusev: Could you find out his requirements?

Stupin: Okay, I will call.