February 24, 2011

An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.

In June 2010, an anonymous source using the assumed name “Despduck” began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. “SpamIt,” which until recently was the biggest black-market distributor of generic pharmaceuticals on the Internet.

Source: M86 Security Labs

If you received an unsolicited email in the past few years pimping male enhancement or erectile dysfunction pills, chances are extremely good that it was sent compliments of a Glavmed/Spamit contractor or “affiliate.” According to M86 Security Labs, the sites advertised in those Glavmed/Spamit emails — best known by their “Canadian Pharmacy” brand name — were by far the most prevalent affiliate brands promoted by spam as of June 2010.

Despduck said he could deliver data on hundreds of thousands of consumers who purchased pills through Glavmed’s sizable stable of online pharma shops, as well as detailed financial records of Glavmed/SpamIt affiliates who earned thousands of dollars a month promoting pharmacy sites using spam and hacked Web sites.

After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years’ worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.

The database reads like a veritable rogues’ gallery of the Underweb. In it are the nicknames, ICQ numbers, email addresses and bank account information of some of the Internet’s most notorious hackers and spammers. This huge cache of information shows that over the course of three years, more than 2,500 “affiliates” earned hefty commissions promoting Glavmed’s pharmacy sites.

In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.

Dmitry Samosseiko, senior manager of SophosLabs Canada, describes Glavmed (translated as “MedHeadquarters”) as the oldest and most well-known of the Russian affiliate partner networks, commonly referred to in slang as “partnerka.” As Samosseiko wrote in his landmark Virus Bulletin paper (PDF):

“This partnerka is open to the public but requires an invitation from another network member. Its main brand is the notorious ‘Canadian Pharmacy’, which is all too familiar to everyone through massive email spam campaigns that seem never to end. This spam is tied to a sister entity of GlavMed, called SpamIt (spamit.com), which is a closed private network of email spam affiliates that has proven hard to infiltrate. The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Conficker botnets, responsible for email distribution and fast-flux hosting of the spam websites [my emphasis added]. GlavMed, on the other hand, proclaims a strong anti-spam policy focusing on ‘legal’ SEO traffic generation.”

The database reflects the existence of two types of Glavmed affiliates, and is in fact separated into two major components: the first holds data on customer purchases at sites advertised by SpamIt affiliates; the second holds orders from customers of sites that were promoted by regular Glavmed members via search engine optimization and Web site hacking.

Glavmed/SpamIt affiliates are given a handful of pre-fabricated pharmacy Web site templates to deploy. Affiliates earn roughly 40 percent commissions on all sales generated by their sites. The most successful Spamit.com affiliates raked in millions of dollars in commissions. In fact, 8 out of 10 of the top moneymakers for SpamIt earned more than $1 million in commissions from Web sites they advertised via junk e-mail. Top SpamIt affiliates could expect to earn monthly commissions ranging from $5,000 to $50,000.

The purloined record books show that none of the regular Glavmed affiliates managed to crack $1 million in total commissions (the top earner made $981,362 over the course of his affiliation with Glavmed). Still, more than 50 Glavmed affiliates earned six-digit fortunes promoting pharmacy sites for the program.

A screen shot of a Glavmed affiliate panel. The pull-down menu in the middle shows legitimate Web sites this affiliate hacked and used to drive traffic to his pharmacy sites.

Most affiliates from both SpamIt and Glavmed were paid in Webmoney, a virtual currency popular in Russia that is similar to PayPal, except that transactions are largely irreversible. The rest were paid through ePassporte, a virtual currency that closed its doors in September 2010 amid allegations of fraud and misappropriation of funds.

In September 2010, Russian authorities announced a criminal investigation into Igor Gusev and his businesses. Around that same time, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates were in a period of transitioning to other partnerka networks. Meanwhile, Glavmed remains open for business, and is still paying affiliates to promote pharma sites.

Next in series: Pharma Wars

Glavmed isn’t all business: It prompts affiliates to “donate” a portion of their commissions to help orphans and other disadvantaged kids. Whether the money actually goes to those charities is an open question.

Update, 6:43 p.m. ET: Gusev pinged me via email to take rather strong exception to my “open question” remark at the close of the caption on the last image about Glavmed’s charity work. He pointed me to this thread on the Glavmed affiliate forum that includes pictures and details explaining how the affiliates’ donations were spent.


35 thoughts on “SpamIt, Glavmed Pharmacy Networks Exposed”

  1. Rick Bennett

    Since you have the bank information on the affiliate accounts, why not facilitate their looting by an Anonymous-like group?

  2. KFritz

    Is the “Customer” smile appropriate? Is he smiling because the Viagra worked? (-;

    This is an amazing treasure trove. Contrary to my assumptions, there seems to be spasmodic legal action against these (readers’ choice of imprecation) malefactors in Russia. Are the spasms related to an interlocking culture of corruption between the ‘crooks’ and the ‘government?’ Or is law enforcement in Russia even more inherently spasmodic than it is here in the US?

  3. Scott

    A minor complaint, Brian… The statement “…worms generated more than $150 million…” implies that theft is wealth creation. To “generate” wealth is to create it, not to “transfer,” “steal,” “purloin” or any of a variety of other perfectly good words that could be used to describe the actions which took place. It may seem minor, but the phasing you use is supportive of a very dysfunctional meme currently in high usage. Just as government cannot create wealth, neither can any other form of wealth transfer.

    – Scott

    1. An editor

      A minor complaint, Scott: Brian did not use any “phasing” that I could find.

      “Generate” has many more meanings in standard usage than just its roots in the Latin generāre – to beget; its definitions include “to produce.” It’s use here is not simply as a meme – and, if it were, then so what?

      1. InfoSec Pro

        @”An editor”, I tend to disagree that it is ever possible to decouple usage from meme status, as you suggest in “It’s use here is not simply as a meme” (btw as a grammatical stickler you should know that should be “its” not the contraction form for “it is”). Also, to answer “if it were, then so what?”, then I would say then Scott’s point would be validated.

        Even as it is not a meme, I tend to agree with Scott that it was a poor choice of words. Nothing that I feel particularly strongly about, but I did have a momentary pause when reading Brian’s article because of cognitive dissonance.

    2. Grammar Lackey

      I for one had no perplexity with the application of the verb “generate”. Given the context and shear (as in sheep?) awesomeness of the details of the story I thought it was massaged in neatly.

      I once heard Bill Clinton speak, and refer to wikileaks as the “wikipedia-leaks”. But the content of his speech was spot on, so I didn’t bother correcting him. 😉

    3. Nick P

      What is with this nitpicking over this word? Nobody generates wealth anyway: every transaction or action is a transfer per the Law of Conservation of Matter and Energy. From then on, it’s just semantics. Grammar police forget that the purpose of English and other languages is to communicate something in a way the reader understands. If this occurs, the how it was executed doesn’t really matter. In this case, everyone knew what the author meant by “generating” $150 million for their company. Like most grammar police, your post adds nothing to the discussion. Thanks for “generating” unnecessary network congestion.

      1. bob

        Of course you can generate wealth. What a stupid statement. When mankind discovered ammonium nitrate fertiliser we went from a situation where 19 people were required to feed 20 to a situation where only 2 people were required. What’s conservation of energy got to do with human concepts of wealth?

        1. T.Anne

          I think the point was that if you’re taking “generate” to mean to literally create, then we don’t really create our own money – we work and we get a paycheck, but the money was already created. Now yes, sometimes new money is printed – but I think the comment was in regards to the more normal day to day of the average person. I may earn money – but I do not create the money from nothing.

        2. Nick P

          The person I was posting on was arguing against a claim based on the literal semantics of the words in it, regardless of how well it worked in context. I just showed how pointless this was by semantically proving that wealth isn’t “generated” because wealth is a thing and conservation says the number of “things” in the universe are fixed, neither “generated” nor extinguished. It was just an illustration that arguing over semantics was useless because semantic arguments can be used to prove any thing, including nonsense.

          This was shown by the Sophists back in the day & every philosophy student learns of how they used semantics and wordplay to make nonsense seem useful and make other persons’ statements (e.g. Krebs’) seem flawed, even if they weren’t. Like the controversy over his use of “generate,” for instance… Imho, grammar police are modern day sophists with less range.

      2. jjjdavidson

        Wealth != Money. Money is a subset of wealth. When you create something of value (either physically or by service), you create a form of wealth, which you can exchange for money, a different form of wealth. Dig up a copy of Larry Niven’s “Staying Rich”, one of the best essays on just how wealthy we in developed nations have all become, and how much we have to lose.

  4. Gary H.

    My belief is this: we should try to be as precise as possible when choosing words. It facilitates clearer communication and sharper thinking.

  5. Igor Krein

    Wow, it seems Chronopay is not the only company that is suffering from insiders. (Despduck, hm… I wonder why one would use such a nickname.)

    But I would trust M86’s statistics about Glavmed/SpamIt very carefully. As far as I understand, the Canadian Pharmacy brand could be used by anyone.

      1. Igor Krein

        Yes, I know this. The question is who would need to use a nickname based on the nickname of GlavMed’s boss.

  6. AlphaCentauri

    Any time someone is collecting for charity without specifying which organization(s) will receive the funds, alarms should go off. This orphan assistance effort is particularly creepy in light of a post Sysadmin added to the thread on Leo Kuvayev, the head of a rival pharma spam program:
    http://krebsonsecurity.com/2010/08/spam-king-leo-kuvayev-jailed-on-child-sex-charges/comment-page-1/#comment-13524

    “I know people who used to work for him before he got into the spam game that told me that he liked to argue that child porn provided money to children that would otherwise go starving.”

    1. BrianKrebs Post author

      Check out the Glavmed forum thread I linked to in the update I added to the story above. Gusev sent it to me personally, saying it shows some of the ways in which the money donated by affiliates is being spent.

      1. AlphaCentauri

        I guess that’s my point. They aren’t giving the money to an established charity that is subject to outside scrutiny. They are visiting the orphanages personally, bringing desperately needed supplies like disposable diapers to staff members so short of funds that they’re reusing disposable gloves. I’m sure that the staff at those institutions are so grateful they feel these guys could do no wrong. It could be completely altruistic, for the pure joy of helping children. But largesse equals access, and child molesters like John Wayne Gacy have used the same technique.

  7. Nic

    Here’s a list of current Canadian Pharmacy hosts and netblocks:

    http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=Canadian%20Pharmacy&rokso_id=ROK

    If you look at the dates, the list is stable and changes slowly, so your firewall filters can safely be updated once a week or so. Although many of these hosts are bulletproof-hosted spamservers, many are http servers delivering the actual web content. It’s good to specifically block these netblocks in the firewall in addition to using the Zen and DBL lists on your mailserver.
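As an added illustration of the defensive routine Nic describes (this is not part of the comment thread, nor Spamhaus's own tooling), the following Python turns a netblock list into firewall drop rules and checks web server log entries against it. It assumes the export is one IP or CIDR per line with `#` comments; every netblock and log line below is constructed from RFC 5737 / RFC 3849 documentation ranges, not real spam hosts.

```python
"""Added example: compile a CIDR blocklist into firewall rules and match
log entries against it. Netblocks and log lines are constructed samples."""
import ipaddress
import re
from typing import Iterable

# Constructed blocklist in the assumed one-netblock-per-line export shape.
# Note the two adjacent /25s and the bare host: both get normalised below.
SAMPLE_BLOCKLIST = """\
# constructed sample: documentation ranges only, not real spam hosts
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25
203.0.113.7
2001:db8:1::/48
"""

# Constructed access log lines (combined log format) plus one junk line.
SAMPLE_LOG = [
    '192.0.2.45 - - [24/Feb/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Feb/2011:10:00:02 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.200 - - [24/Feb/2011:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 0',
    '2001:db8:1::9 - - [24/Feb/2011:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 64',
    'garbage line with no address',
]


def parse_blocklist(text: str) -> list:
    """Parse one IP or CIDR per line, drop comments and blanks, and collapse
    adjacent or overlapping netblocks so the rule set stays minimal.
    IPv4 and IPv6 are collapsed separately: ipaddress refuses to mix them."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set, e.g. "203.0.113.7/24"
        nets.append(ipaddress.ip_network(line, strict=False))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip_text: str, nets) -> bool:
    """True if the address lies inside any listed netblock. A linear scan is
    fine for a list this size; a radix tree would be the next step up."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an address at all, so nothing to block
    return any(ip in n for n in nets if n.version == ip.version)


def render_rules(nets, chain: str = "INPUT") -> list:
    """Emit one DROP rule per collapsed netblock (iptables for v4, ip6tables for v6)."""
    rules = []
    for n in nets:
        tool = "iptables" if n.version == 4 else "ip6tables"
        rules.append(f"{tool} -I {chain} -s {n.with_prefixlen} -j DROP")
    return rules


_CLIENT_IP = re.compile(r"^(\S+) ")


def blocked_clients(log_lines: Iterable[str], nets) -> list:
    """Return client addresses from the log that fall inside the blocklist.
    A malformed line simply contributes nothing rather than raising."""
    hits = []
    for line in log_lines:
        m = _CLIENT_IP.match(line)
        if m and is_blocked(m.group(1), nets):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(render_rules(nets)))
    print("blocked clients:", blocked_clients(SAMPLE_LOG, nets))
```

Collapsing first matters for the weekly refresh Nic suggests: the two /25s become a single /24 rule, so repeated imports do not grow the chain with redundant entries, and the same `is_blocked` check can be reused on mail server connection logs.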

  8. Igor Gusev

    Great post, Brian.

    For the last few months I have felt like some kind of devil’s advocate for Glavmed.
    I’m answering the questions about it, giving interviews and running my own Redeye-blog.com. Too much publicity, but that’s fine. It’s amazing how much paid articles in some newspapers can do. PR and the Internet are the true force of the 21st century.

    Brian, could you share your thoughts on who was hiding behind the nickname “Despduck”?

    1. BrianKrebs Post author

      Hello Igor, welcome. Yes, I’ll be happy to share my findings on that in an upcoming post very soon.

      Stay tuned!

      1. Gues

        Someone has put my comment down.

        Ok. Again I will raise the same question.
        Igor Gusev aka Desp is a former co-admin of Darkmasters.info
        A forum solely devoted to all Russian webmasters doing child pornography. The only forum of its kind. There is a whole publication on that forum in Wikileaks.

        On top of that, Igor Gusev aka Desp, when hit with the criminal case against him recently and being in a state of shock, admitted himself on Russian forums that he was involved in the lolita trade in the past.

        Can someone explain to me how that goes along with charity actions for children?

        1. Igor Krein

          I think the title of the charity thread on the GlavMed forum may contain part of the answer. It means: “Now you can not only earn money with GlavMed, but also fix your karma”. (I am not sure of my Russian-to-English capabilities; maybe it would be better to translate this as “…fix your karma a little”.)

          1. Gues

            Unfortunately no.
            You cannot fix Your karma by doing charities for children when You are a child pornographer. It’s plain sick.

            And yes, on Darkmasters.info, when it was operating, they used to do charity for children as well.

            I always wondered whether the orphanages actually realise where the funds come from? Some things in life are just sad.

          2. Igor Krein

            Well, I’m not saying one can actually fix bad karma or whatever in this case — it’s just what GlavMed feels about it (or pretends).

    2. Gues

      Absolutely agree.
      Desp, can You please explain what’s the point of a child pornographer like You running a charity for children?

  9. Nick P

    Good reporting, Krebs! We’d heard reports a while back that Storm was generating large amounts of illicit pharma revenue. Now, we see the big picture. I think this business model will continue into the future with new waves of crooks trying to earn commissions on sales by any means possible. I mean, 40% is a decent number. Reports by other researchers indicate that search engine hacks and exploits can be bought for a few grand in the underground. I see more people trying to affiliate with a group like Glavmed, buying up some sploits, and making a killing on the resulting flow of traffic. This industry won’t die anytime soon.

  10. conscience

    You know Brian. I’m no way affiliated with generics distribution, but I want to put my two cents here. Perhaps these guys are not angels, but when I looked in the eyes of children that were thrown by their own parents and by the lovely Russian government which has no desire to spend on them a dime from its fantastically enormous oil wealth… Even a bad ass criminal who helps children is much better than a politician or a pressman who spent all his life to write burning articles and deliver right speeches, but hasn’t helped a single little waif during his famous but absolutely useless life…

  11. Chris

    Hello Brian et al,

    I see some great points here and generally agree with the comments I’m reading, but something’s missing in this conversation.

    I get all the angst against Glavmed, I’ve lost count of how many 1000’s of emails have gone into junk mail after new tactics defeated my automatic junk filtering on 20+ email addies. I’ve likely lost 100+ hours between junking them and adjusting rules, I’d love to sue GlavMed for all my lost productivity as a result of them spamming Viagra emails at a man who’s only problem getting it on is getting the kids to bed before their mom for the night.

    What seems to be absent from the conversation is the question: If these a##holes abuse servers and service levels everywhere knowingly breaching policies and laws worldwide, hacking websites, defeating search engines and sending unwanted spam email, can we trust their medical practices given they seem to have no ethical standards?

    Ethical drug companies test their meds for consistency in dosing, does Glavmed?

    Ethical drug companies only sell high risk meds by prescription. This is because drugs like Viagra have serious side effects for people with certain pre-existing conditions. Needing a prescription means, you have to get one from a doctor, who will presumably order any needed tests to ensure you can safely take the med in question. Does Glavmed require a prescription? If so how do they scrutinize the validity of said prescription in order to ensure the safety of the patient?

    Ethical drug companies have established limits with government and pharmacies as to how many of a given med can be sold to one patient in a given time frame to help avoid abuse and redistribution. Does Glavmed participate in any of these agreements or just ship wholesale to anyone with the means to buy?

  12. ksec

    Nice writeup Brian.

    Wasn’t Mega-D spam separate from Canadian Pharmacy? It seemed that you and M86 suggested that they are one and the same.
    Oleg Nikolaenko was arrested by the Milwaukee FBI. How about some comparisons to his operations and news on him?
