An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.
In June 2010, an anonymous source using the assumed name “Despduck” began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet.
If you received an unsolicited email in the past few years pimping male enhancement or erectile dysfunction pills, chances are extremely good that it was sent compliments of a Glavmed/Spamit contractor or “affiliate.” According to M86 Security Labs, the sites advertised in those Glavmed/Spamit emails — best known by their “Canadian Pharmacy” brand name — were by far the most prevalent affiliate brands promoted by spam as of June 2010.
Despduck said he could deliver data on hundreds of thousands of consumers who purchased pills through Glavmed’s sizable stable of online pharma shops, as well as detailed financial records of Glavmed/SpamIt affiliates who earned thousands of dollars of month promoting pharmacy sites using spam and hacked Web sites.
After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.
The database reads like a veritable rogues gallery of the Underweb; In it are the nicknames, ICQ numbers, email addresses and bank account information on some of the Internet’s most notorious hackers and spammers. This huge cache of information shows that over the course of three years, more than 2,500 “affiliates” earned hefty commissions promoting Glavmed’s pharmacy sites.
In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.
Dmitry Samosseiko, senior manager of SophosLabs Canada, describes Glavmed (translated as “MedHeadquarters”) as the oldest and most well-known of the Russian affiliate partner networks, commonly referred to in slang as “partnerka.” As Samosseiko wrote in his landmark Virus Bulletin paper (PDF):
“This partnerka is open to the public but requires an invitation from another network member. Its main brand is the notorious ‘Canadian Pharmacy’, which is all too familiar to everyone through massive email spam campaigns that seem never to end. This spam is tied to a sister entity of GlavMed, called SpamIt (spamit.com), which is a closed private network of email spam afﬁliates that has proven hard to inﬁltrate. The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Conﬁcker botnets, responsible for email distribution and fast-ﬂux hosting of the spam websites [my emphasis added]. GlavMed, on the other hand, proclaims a strong anti-spam policy focusing on ‘legal’ SEO trafﬁc generation.”
The database reflects the existence of two types of Glavmed affiliates, and is actually separated into two major components: One shows data from customer purchases at sites advertised via SpamIt affiliates; the second section of the database shows orders from customers of sites that were promoted by regular Glavmed members via search engine optimization and Web site hacking.
Glavmed/SpamIt affiliates are given a handful of pre-fabricated pharmacy Web site templates to deploy. Affiliates earn roughly 40 percent commissions on all sales generated by their sites. The most successful Spamit.com affiliates raked in millions of dollars in commissions. In fact, 8 out of 10 of the top moneymakers for SpamIt earned more than $1 million in commissions from Web sites they advertised via junk e-mail. Top SpamIt affiliates could expect to earn monthly commissions ranging from $5,000 to $50,000.
The purloined record books show that none of the regular Glavmed affiliates managed to crack $1 million in total commissions (the top earner made $981,362 over the course of his affiliation with Glavmed). Still, more than 50 Glavmed affiliates earned six-digit fortunes promoting pharmacy sites for the program.
Most affiliates from both SpamIt and Glavmed were paid in Webmoney, a virtual currency popular in Russia that is similar to PayPal, except that transactions are largely irreversible. The rest were paid through ePassporte, a virtual currency that closed its doors in September 2010 amid allegations of fraud and misappropriation of funds.
In September 2010, Russian authorities announced a criminal investigation into Gusev and his businesses. Around that same time, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other partnerka networks. Meanwhile, Glavmed remains open for business, and is still paying affiliates to promote pharma sites.
Next in series: Pharma Wars
Update, 6:43 p.m. ET: Gusev pinged me via email to take rather strong exception to my “open question” remark at the close of the caption on the last image about Glavmed’s charity work. He pointed me to this thread on the Glavmed affiliate forum that includes pictures and details explaining how the affiliates’ donations were spent.