22
Aug 11

Flashy Cars Got Spam Kingpin Mugged

facebooktwittergoogle_plusredditpinterestlinkedinmail

A Russian spammer suspected of maintaining the infamous Rustock spam botnet earned millions of dollars blasting junk email for counterfeit Internet pharmacies. Those ill-gotten riches let him buy flashy sports cars, but new information suggests that this attracted the attention of common street thugs who targeted and ultimately mugged the spammer, stealing two of his prized rides.

BMW 530xi

In March, I published a story linking the Rustock botnet to a spammer who used the nickname Cosma2k. This individual was consistently one of the top five moneymakers for SpamIt, which, until its closure last fall, paid spammers millions of dollars a year and was the world’s largest distributor of junk mail.

Earlier this month, someone leaked thousands of online chat logs taken from Dmitry “SaintD” Stupin, a Russian who allegedly ran the day-to-day operations of SpamIt. Those records include numerous chat conversations allegedly between Stupin and a SpamIt affiliate named Cosma.

In several chats, Cosma muses on what he should do with tens of thousands of compromised but otherwise idle PCs under his control. Throughout the discussions between Stupin and Cosma, it is clear Cosma had access to internal SpamIt resources that other spammers did not, and that he had at least some say in the direction of the business.

Porsche Cayenne

In one conversation, dated Oct. 14, 2008, Cosma allegedly tells Stupin that he’s dialed back his public image a few notches, after attracting unwanted attention from other crooks. The conversation below, translated from Russian into English, begins with a request from Cosma to withdraw funds from a SpamIt operating account.

Cosma: Hey. May I withdraw some money from the account?

Stupin: Surely you may.

Stupin: Sorry, I was picking up my car from the service shop.

Cosma: What got broken?

Stupin: Someone threw a stone, when the car was parked near home.

Cosma: Damn. What kind of car?

Stupin: Volvo.

Cosma: Fond of safety?

Stupin: Yes, and I am at ease when I am driving it. It’s a huge difference after Honda :)

Cosma: I also had enough of expensive rigs. =) They are getting stolen all the time and everyone is looking at you, estimating the score, and then rob you =) I have had such experience =)

Cosma: I am driving BMW 530Xi.

Stupin: Why?

Cosma: A calm car. Not glaring. It only has a 3 liter engine with 272 HP. I used to have BMW 650, then after that a turbo-charged [Porsche] Cayenne. Much faster cars.

Stupin: ааh,  it’s understandable now what you meant by “calm”; ))))

Cosma: Cayenne was stolen in 1.5 month after it was bought and I was robbed because of the 650 =). So to hell with them. It’s better when it’s not flashy.

Stupin: Damn! How unlucky!!!

Cosma: Horrible experience: I was gagged, tied up… badly beaten.. uhhh… I am shivering from those memories =) I gave them everything. Life is more precious =)

Stupin: Horrible.

Cosma: Exactly.

Cosma: It looks like pharmacy is moving forward slowly but surely =)

Stupin: Sure, what else can happen to it :)

Cosma: Last time something else had happened =)

Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of the Rustock author(s). On Aug. 5, Microsoft filed an update (PDF) to its legal case to unearth the identity of the Rustock botnet author. That document contains many clues as to who might be responsible for the once-mighty botnet. But one thing seems clear: If Cosma really was in control of Rustock, the world now knows the makes and models of three of the cars that he has owned.

Tags: , , , , , , ,

18 comments

  1. Well I certainly hope that these crimes were reported to the police!

  2. Brian K… your reporting is greatly appreciated. Exposure of these crinimals is in the public good. You are performing a valuable service. Please continue. If I could help, I would.

  3. Oh my gosh….Stupin (Stupid) & Cosma (Costme) have felt some pain. I suspect those receiving phony meds and endless spam are so sympathetic…….Yep…..bet they are…

  4. I think, Microsoft can ask Dmitry Stupin how to find Cosma2k.

  5. What’s the business about Honda? Was he driving some sort of ‘blingy’ Honda? A sports model? Is he just saying that Volvo is safer in a crackup?

  6. exciting news reporting Brian! The posting about Pharma Wars and this could be turned into a Hollywood movie..full of action and drama…plus it spreads awareness as well!

  7. What an interesting story. Wonder how legit (and traceable) those cars were, i.e. if the VIN numbers were “disappeared” and the plates bogus?

    Some script writer is probably already working on a pitch to the producers of Law & Order for a new “Criminal Intent,” this one being “Ruskie Botnet Herders.”

    • Why would the VINs or license plates be anything but clean? I am sure the cars were totally legit, bought for cash from a reputable dealer. Cosma2k is not a thug or mafia boss, he’s a geek, a programmer who “wants to work for Google” (in his own words) and who happened to come into a lot of money at a young age by engaging in online crime.

  8. Brian, It would be nice if you can share and post all chat logs for downloads. thnx.

  9. I had about 2 years ago a worker painting my house. He was from Republic Moldavia and as such worked also in Moskow and Sankt Petersburg on villas built by the newly enriched there. He told me he was mugged at knife point three times in 5 months. He was by no means rich, he had no car at all, it seems to me that switching from BMW 650 to BMW 530xi would still leave one pretty susceptible to opportunistic muscovite muggers.

    • In Europe, going frpm a BMW 650 (possibly a convertible) to a 530 is akin to going from a Ford Mustang GT to a Ford Taurus.

      I’ll agree that one could be more attractive to muggers driving any late-model BMW over a Lada, but it’s not nearly that flashy of a car.

    • I wouldn’t say so. Early twenties guy driving 530xi in Moscow would blend in nicely with the crowd. Same person driving 650 might draw some looks and attract unwanted attention from the bandits. Normally, the way things are in Russia – if someone drives 100k+ car at such age, they are somehow affiliated with the powers to be, being a relative or a protégé of some kind of a powerful person. I suspect Cosma2k did not belong to either group and was victimized twice because of this.

  10. Glavmed/Spamit has been associated with the Russian Business Network. (http://www.ironport.com/pdf/Malware_Trends_Report_IronPort_2008.pdf ) For all the rumors of the long tentacles of the RBN, apparently its reputation doesn’t protect its associates from attacks by petty criminals.

  11. I honestly think the Russians already know the authors. They know them, made money off them, and are protecting them. The strong influence of Russian organized crime in that country cannot be overlooked. My hypothesis is supported by what I just read in another Krebs article about how the Russians gave the RBS attackers probation, in spite of prosecutors wanting charges pressed. This kind of thing happens so often to big time criminals over there that I’m left to think it’s intentional corruption. For this reason, the Rustock authors will be safe so long as they’re useful to whoever over there makes money off of them.

    • Online criminals. just like any other kind of criminals in Russia, pay off corrupt law enforcement officials when they need their help. You overestimate Russian authorities if you think they are proactively aware of the botnet authors.

      • It’s very possible that’s you’re right and a few LEO guys got paid off. The thing I was thinking about was the money moving around & little care many crooks use in protecting their anonymity. If Russia was serious, they could easily track this stuff. The leaked British MOD Security Manual said Russians routinely tap communications of anyone they think has valuable information & are capable of ensuring you end up in a specially bugged room even if you ordered one you trust (in a plausibly deniable way). So, they are quite a surveillance state when it comes to gaining intellectual property or spying on enemies.

        And they can’t find the botnet authors? I’m just suggesting they don’t care enough, maybe for a financial reason or maybe another.

  12. $250k is nothing to spammers, Microsoft needs to jack up its reward if it wants to catch him.


Read previous post:
Pharma Wars, Part II

Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as "SaintD." Stupin was long rumored...

Close