Many of us think of spam as a regular, everyday email nuisance, but a newly released book by cybersecurity blogger Brian Krebs paints a far more sinister picture. He reports that the same players and organizations in the former Soviet Union that produce the messages about cheap prescription drugs that we delete en masse are also involved in fraudulent credit card processing, identity theft, phishing, ransomware, and in some cases extreme pornography.
In his book Spam Nation: The Inside Story of Organized Cybercrime — From Global Epidemic to Your Front Door, Krebs sheds a much-needed spotlight on the world of cybercrime through solid research, his skills in investigative journalism, and interviews with some actors in Russia. Krebs traveled to Moscow in 2011 to meet these individuals, and also learned Russian in order to decipher and analyze the databases and records certain members of the spamming community made available to him.
Public officials, said Krebs in our recent interview, don’t see the web of connections in this murky underground economy and thus misjudge the threat. The regular computer and internet user don’t realize the value of their personal assets to cybercriminals and don’t take common sense steps to protect them. Krebs devoted the epilogue of Spam Nation to how consumers can secure their PCs and email accounts.
Something that did not surprise me in Krebs’ account, having spent two years in Russia in the nineties: The businessmen and spammers often do not see themselves as law breakers; in the case of cheap internet drugs, they saw a market need in the US and went after it.
“Krebs’s talent for exposing the weaknesses in online security has earned him respect in the IT business and loathing among cybercriminals,” writes Bloomberg Businessweek, calling him a “rare blogger who supports himself on the strength of his reputation for hard-nosed reporting.” The Businessweek article also details some of the attention-getting ways that cybercriminals have harassed Krebs.
I spoke with Krebs last month about his book. He began our conversation by discussing why he began working on it.
“I started working on the book when I started looking through all the databases that were leaked to me right after I broke the Stuxnet story (in 2010). These were leaked by the people who had hacked these big pharmacy operations. It was so much information, it was overwhelming. It was like a Rosetta Stone of who’s who in this space. And it really helped to show the overlap among players in these various cybercrime operations.”
“It became apparent that I had more visibility into these communities than anyone who was not already there — visibility into how they operated and the business challenges they faced, which was fascinating to me because, from an economic perspective, this is an interesting story to tell. It sounds much like an underground economy.”
A Russian company called ChronoPay soon crossed his path once he began covering cybersecurity.
“In 2008 I started to do a lot of reporting for The Washington Post that was focused on some of the centers of badness on the internet. Where are the places, if they went away, a whole lot of this bad stuff would go away?”
“And ChronoPay showed up on my radar soon after I started that project. At the time the biggest problem that most computer users were dealing with was rogue antispyware, or rogue antivirus stuff. Every time I worked with researchers who are tracking how people were paying to get their computers back after they were hijacked, they were paying with credit cards. When the researchers tracked who processed those payments, it was almost always ChronoPay.”
“I then learned that ChronoPay was actually a company that was formed in 2003 by two Russian guys who got their start in the extreme pornography space. They both ran affiliate programs that catered to Russian adult webmasters, and they were looking for a better way for those webmasters to get paid. So they started ChronoPay and worked together for a couple of years, and then had a falling out.”
The two founders of ChronoPay figure prominently in his blog, Krebs on Security, and his book, Spam Nation.
“One of the guys, Igor Gusev, went off and started a pharmacy spam program. And that quickly became the most popular pharmacy spam program on the internet, and employed the best virus writers and spammers. And the other character, Pavel Vrublevsky, someone I went to see in Moscow, was still running ChronoPay, and he was also working with a friend of his in a fifty-fifty partnership to run a competing pharmacy spam affiliate program that also had many of the same spammers and virus writers working for him. And then ChronoPay got hacked, either by an insider or outsider — most likely an insider just got bribed into giving up the information.”
“One of the first things I got was a huge amount of internal emails from ChronoPay. And of course all the stuff was in Russian, so it took me forever to figure out. And ironically, all of these inboxes that I got from the ChronoPay executives were full of spam. In addition to the ChronoPay records, I got a whole bunch of information about the internal operations of Rx-Promotion, which is a pharmacy affiliate program that Vrublevsky was running. Not long after that I got mysterious emails from somebody saying, how would you like some information on this guy Igor Gusev and his pharmacy spam operations?”
“And it took me a long time to figure it out, but it was basically Vrublevsky who hired some guy to get into the database of a competing spam operation and download it. And it had bank account numbers of the biggest spammers and virus writers, their personal email addresses, instant message addresses, all kinds of stuff. It also had the guys running Gusev’s pharmacy spam program. They also got to their chat records. I had spent a lot of time figuring out which spammers owned which ICQ accounts, and then piecing together who they were in real life, and what botnets they were using. Eventually I was able to identify who the biggest botnet masters were.”
I asked Krebs what he thought is the take home message for the American consumer.
“Cybersecurity is a global problem, but does have to start with each individual user. So many people don’t fundamentally understand why they have to care about this. The complaint is, this stuff is too hard, I just want to check my email and my sports scores. I don’t want to learn how to be a systems administrator. I don’t bank online, I don’t store sensitive information on my machine.”
“I try to explain that it’s not personal, but your computer has value to the attackers. And you may not realize all the value that it has, but I guarantee you that they do. I have graphics on my website, like the Value of a Hacked PC, or the Value of a Hacked Email Account, that speak to these issues.”
“Unfortunately, people need to care more, and these days that is increasingly challenging because they want to actually care less. All that they are hearing is that these companies that they have entrusted their data with have lost it. And if these companies can’t secure my information, then what chance do I have? There is a lot of fatalism, I think, among internet users.”
“The thing that I can try to get across to people these days is that it is a lot easier to keep your computer from getting hacked than to get it back once that happens. And part of the reason for that is we are starting to see more advanced, diabolical threats like ransomware pushed up onto people’s systems. Once you are infected with that you have no problem getting the actual problem off your system, but good luck trying to get your files back without paying for them.”
Krebs spoke frankly on how law enforcement fails to see the connections within cybercrime.
“There are very few types of cybercrime that exist in a vacuum. Most forms of cybercrime are in some way connected to others. For example, nobody runs a botnet or robs bank accounts without taking steps to hide their true internet address. Usually to do that they are using hacked computers to route their traffic through, they are probably using hacked servers to store the stolen data, and then they are using money laundering networks to cash out transactions.”
“The problem in how public officials tend to view spam and by extension cybercrime is they tend to put it into little buckets of problems, you know, like this is identity theft, and this is spam, and this is phishing, and this is money-laundering. And the reality is it’s all connected. There are a lot of erroneous assumptions about how tied to everything cybersecurity really is, and how the lack of cybersecurity in any large organization manifests itself in pretty damaging ways. It does if those assumptions are not questioned once in a while and overturned.”
Interestingly, the spammers went after pharmaceuticals because they saw it as a real market need.
“They’re going after it because they perceive that there’s a market there that’s not being met. Fundamentally, I think a lot of these guys involved in spreading spam and advertising these fly-by-night pharmacy stores don’t think they’re doing anything wrong. They are able to look at themselves as businessmen who are really trying to fill a need. I certainly heard some of that in the reporting that I did, as you will see in Chapter 4, The Buyers.”
“I had to call hundreds of people in the database just to get a few people to talk to me. The ones that actually did talk to me, a lot of them were people in situations where they could not afford to pay for their drug prescriptions, what they actually cost. They got laid off, or their employer cut back other hours so they could not qualify for healthcare, or they cut back drastically on what they would pay for medications, or the person did not have a job at all. And they didn’t have insurance, so they were just buying stuff. And it was actually a pretty big number of people I talked to who were in that situation.”