Posts Tagged: Spamit


2
Aug 13

Pavel Vrublevsky Sentenced to 2.5 Years

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was sentenced to two-and-half years in a Russian penal colony this week after being found guilty of hiring botmasters to attack a rival payment processing firm.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing.

ChronoPay founder and owner Pavel Vrublevsky, in handcuffs, at his sentencing. Source: Novayagazeta.ru

Vrublevsky was accused of hiring Igor and Dmitri Artimovich in 2010 to use their Festi spam botnet to attack Assist, a competing payments firm. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company millions of dollars.

According to Russian prosecutors, Vrublevsky directed ChronoPay’s chief security officer Maxim Permyakov to pay $20,000 and hire the Artimovich brothers to launch the attacks. The Artimovich brothers also were found guilty and sentenced to 2.5 years. Permyakov received a slightly lighter sentence of two years after reportedly assisting investigators in the case.

Earlier this year, I signed a deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia. Those charges stem from Gusev’s alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

Continue reading →


5
Jun 13

Vrublevsky Arrested for Witness Intimidation

Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack against Assist, a top ChronoPay competitor.

Pavel Vrublevsky's Facebook profile photo.

Pavel Vrublevsky’s Facebook profile photo.

Vrublevsky is on trial for allegedly hiring two brothers — Igor and Dmitri Artimovich — to use their Festi spam botnet to attack Assist, a competing payments processor. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company at least USD $1 million.

Vrublevsky was imprisoned for six months in 2011 pending his trial, but was released at the end of that year after admitting to his role in the attack. Later, he recanted his jailhouse admission of guilt. Today, he was re-arrested after admitting to phoning a witness in his ongoing trial and offering “financial assistance.” The witness told prosecutors he felt pressured and threatened by the offer.

Two months ago, I signed a book deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

I found this development noteworthy because I, too, was offered financial assistance by Vrublevsky, an offer that very much seemed to me like a threat. In mid-2010, after thousands of emails, documents and hundreds of hours of recorded phonecalls from ChronoPay were leaked to  this author, Vrublevsky began calling me at least once a day from his offices in Moscow. This continued for more than six months. In one conversation from May 2010 , Vrublevsky offered to fly me to Moscow so that I could see firsthand that he had “only a very remote relationship with this case.”

Continue reading →


11
Dec 12

A Closer Look at Two Bigtime Botmasters

Over the past 18 months, I’ve published a series of posts that provide clues about the possible real-life identities of the men responsible for building some of the largest and most disruptive spam botnets on the planet. I’ve since done a bit more digging into the backgrounds of the individuals thought to be responsible for the Rustock and Waledac spam botnets, which has produced some additional fascinating and corroborating details about these two characters.

In March 2011, KrebsOnSecurity featured never-before-published details about the financial accounts and nicknames used by the Rustock botmaster. That story was based on information leaked from SpamIt, a cybercrime business that paid spammers to promote rogue Internet pharmacies (think Viagra spam). In a follow-up post, I wrote that the Rustock botmaster’s personal email account was tied to a domain name ger-mes.ru, which at one time featured a résumé of a young man named Dmitri A. Sergeev.

Then, on Jan. 26. 2012, I ran a story featuring a trail of evidence suggesting a possible identity of “Severa (a.k.a. “Peter Severa”), another SpamIt affiliate who is widely considered the author of the Waledac botnet (and likely the Storm Worm). In that story, I included several screen shots of Severa chatting on Spamdot.biz, an extremely secretive Russian forum dedicated to those involved in the spam business. In one of the screen shots, Severa laments the arrest of Alan Ralsky, a convicted American spam kingpin who specialized in stock spam and who — according to the U.S. Justice Department – was partnered with Severa. Anti-spam activists at Spamhaus.org maintain that Peter Severa’s real name is Peter Levashov (although the evidence I gathered also turned up another name, Viktor Sergeevich Ivashov).

It looks now like Spamhaus’s conclusion on Severa was closer to the truth. More on that in a second. I was able to feature the Spamdot discussions because I’d obtained a backup copy of the forum. But somehow in all of my earlier investigations I overlooked a handful of private messages between Severa and the Rustock botmaster, who used the nickname “Tarelka” on Spamdot. Apparently, the two worked together on the same kind of pump-and-dump stock spam schemes, but also knew each other intimately enough to be on a first-name basis.

Spamdot.biz chat between Tarelka and Severa

The following is from a series of private Spamdot message exchanged between Tarelka and Severa on May 25 and May 26, 2010. In it, Severa refers to Tarelka as “Dimas,” a familiar form of “Dmitri.” Likewise, Tarelka addresses Severa as “Petka,” a common Russian diminutive of “Peter.” They discuss a mysterious mutual friend named John, who apparently used the nickname “Apple.”

Continue reading →


3
Dec 12

Vrublevsky Sues Kaspersky

The co-founder and owner of ChronoPay, one of Russia’s largest e-payment providers, is suing Russian security firm Kaspersky Lab, alleging that the latter published defamatory blog posts about him in connection with his ongoing cybercrime trial.

ChronoPay founder Pavel Vrublevsky, at his office in Moscow

Pavel O. Vrublevsky, is on trial in Moscow for allegedly hiring the curator of the Festi spam botnet to attack one of ChronoPay’s rival payment processors. He spent six months in prison last year after admitting to his part in the attack on Assist, a company that processed payments for Russian airline Aeroflot.

The events leading up to that crime are the subject of my Pharma Wars series, which documents an expensive and labyrinthine grudge match between Vrublevsky and the other co-founder of ChronoPay: Igor Gusevthe alleged proprietor of GlavMed and SpamIt, sister organizations that until recently were the largest sources of spam touting rogue Internet pharmacies. For his part, Vrublevsky has been identified as the co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion. 

Kaspersky blogger Tatyana Nikitina has covered Vrublevsky’s trial, which has been marked by prosecutorial miscues, allegations of official corruption, and the passage of new Russian laws that actually reduce the penalties for some of Vrublevsky’s alleged offenses. In her latest blog post, “The Vrublevsky Case is Ruined,” Nikitina laments yet another regressive milestone in the trial: The dismissal of claims by Aeroflot that it suffered almost $5 million losses as a result of the cyberattack.

Late last month, Vrublevsky’s lawyers fired back, filing a $5 million defamation lawsuit against Kaspersky Lab, charging that its publications contained untrue and defamatory information. In the suit, Vrublevsky argues that Kaspersky is not only trying to discredit him and influence the judicial process, but that Kaspersky is hardly a disinterested party. He noted that Assist was using Kaspersky’s DDoS protection services at the time of the attack, which Assist said took its services offline for a week.

Continue reading →


6
Aug 12

Harvesting Data on the Xarvester Botmaster

In January of this year, I published the results of an investigation into the identity of the man behind the once-infamous Srizbi spam botnet. Today’s post looks at an individual likely involved in running the now-defunct Xarvester botnet, a spam machine that experts say appeared shortly after Srizbi went offline and shared remarkably similar traits.

In this screenshot from Spamdot.biz, Ronnie chats with “Tarelka” the Spamdot nickname used by the Rustock botmaster. The two are discussing an M86 report on the world’s top botnets.

Srizbi was also known in the underground as “Reactor Mailer,” and customers could register to spam from the crime machine by logging into accounts at reactormailer.com. That domain was registered to a mserver@mail.ru, an address that my reporting indicates was used by a Philipp Pogosov. More commonly known by his nickname SPM, Pogosov was a top moneymaker for SpamIt, a rogue online pharmacy affiliate program that was responsible for a huge percentage of junk email over the past half-decade.

When reactormailer.com was shuttered, Srizbi customers were instructed to log in at a new domain, reactor2.com. Historic WHOIS records show reactor2.com was registered by someone using the email address ronnich@gmail.com. As I wrote in January, leaked SpamIt affiliate records show that the ronnich@gmail.com address was used by a SpamIt affiliate named Ronnie who was referred to the program by SPM.

The Srizbi botnet would emerge as perhaps the most important casualty of the McColo takedown at the end of 2008. At the time, all of the servers used to control the giant botnet were hosted at McColo, a crime-friendly hosting facility in Northern California. When McColo’s upstream providers pulled the plug on it, that was the beginning of the end for Srizbi. SPM called it quits on spamming, and went off to focus on his online gaming company.

But according a report released in January 2009 by Trustwave’s M86 Security called Xarvester: The New Srizbi, Xarvester (pronounced “harvester”) was a pharmacy spam machine tied to SpamIt that emerged at about the same time that Srizbi disappeared, and was very similar in design and operation. It appears that SPM may have handed control over his botnet to Ronnie before leaving the spamming scene.

Continue reading →


22
Jun 12

PharmaLeaks: Rogue Pharmacy Economics 101

Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world’s largest rogue pharmacy operations.

Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discretely available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day.

Their conclusion? Spam — and all of its attendant ills — will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.

“The market for spam-advertised drugs is not even close to being saturated,” said Stefan Savage, a lead researcher in the study, due to be presented early next month at the 21st USENIX security conference in Bellevue, Wash. “The number of new customers these programs got each day explains why people spam: Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”

The researchers found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27% and 38% of average program revenue for GlavMed and SpamIt, respectively; for Rx-Promotion, revenue from repeat orders was between 9% and 23% of overall revenue.

“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”

Whether the placebo effect is something that often applies with the consumption of erectile dysfunction drugs is not covered in this research paper, but ED drugs were by far the largest category of pills ordered by customers of all three pharmacy programs.

One interesting pattern that trickled out of the Rx-Promotion data underscores what made this pharmacy affiliate unique and popular among repeat buyers: A major portion of its revenues was generated through the sale of drugs that have a high potential for abuse and are thus tightly controlled in the United States, including opiates and painkillers like Oxycodone, Hydrocodone, and mental health pills such as Adderall and Ritalin. The researchers noticed that although pills in this class of drugs — known as Schedule II in U.S. drug control parlance — comprised just 14 percent of orders for Rx-Promotion, they accounted for nearly a third of program revenue, with the Schedule II opiates accounting for a quarter of revenue.

“The fact that such drugs are over-represented in repeat orders as well (roughly 50 percent more prevalent in both Rx-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand,” the researchers wrote.

Continue reading →


13
Jun 12

Who Is the ‘Festi’ Botmaster?

Pavel Vrublevsky, the co-founder of Russian payment processor ChronoPay, is set to appear before a judge this week in a criminal case in which he is accused of hiring a botmaster to attack a competitor. Prosecutors believe that the man Vrublevsky hired in that attack was the curator of the Festi botnet, a spam-spewing machine that also has been implicated in a number of high-profile denial-of-service assaults.

Igor Artimovich

Vrublevsky spent six months in prison last year for his alleged role in an attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors.

Investigators with the Russian Federal Security Service (FSB) last summer arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky.

As I wrote in last year’s piece, the allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured below) allegedly used to coordinate the DDoS attack against Assist.

Group-IB’s evidence suggested Artimovich had used a botnet he called Topol-Mailer to launch the attacks, but Topol-Mailer is more commonly known as Festi, one of the world’s largest and most active spam botnets. As detailed by researchers at NOD32 Antivirus makers ESET, Festi was built not just for spam, but to serve as a very powerful tool for launching distributed denial of service (DDoS) attacks, digital sieges which use hacked machines to flood targets with so much meaningless traffic that they can no longer accommodate legitimate visitors.

“Topol Mailer” botnet interface allegedly used by Artimovich.

Group-IB said Artimovich’s botnet was repeatedly used to attack several rogue pharmacy programs that were competing with Rx-Promotion, a rogue Internet pharmacy affiliate program long rumored to have been co-founded by Vrublevsky (security firm Dell SecureWorks chronicled those attacks last year).

Artimovich allegedly used the nickname Engel on Spamdot.biz, an online forum owned by the co-founders of SpamIt and GlavMed, sister rogue pharmacy operations that competed directly with Rx-promotion. In the screen shot below right, Engel can be seen communicating with Spamdot member and SpamIt affiliate “Docent.” That was the nickname used by Oleg Nikolaenko, a 24-year-old Russian man arrested in Las Vegas in Nov. 2010  charged with operating the Mega-D botnet. Continue reading →


3
Apr 12

Gateline.net Was Key Rogue Pharma Processor

It was mid November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big-band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.

Promenade of SS Rotterdam. Copyright: Peter Jaspers

The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.

A middle-aged stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked did I know anything about a company in Moscow called “Onelia“? I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.

Later that evening, back at my hotel room, I searched online for details about the company, but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that, and that they would then be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.

My paranoia got the best of me, and I shelved the information. That is, until just the other day, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion. These two programs, the subject of my Pharma Wars series, paid millions of dollars to the most notorious spammers on the planet, hiring them to blast junk email advertising thousands of rogue Internet pharmacies over a four-year period.

WHO IS ‘SHAMAN’?

Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also was used to process a majority of the rogue pharmacy site purchases that were promoted by spammers working for the two programs. Continue reading →


21
Mar 12

Bredolab Botmaster ‘Birdie’ Still at Large

Employee and financial records leaked from some of the world’s largest sponsors of spam provide new clues about the identity of a previously unknown Russian man believed to have been closely tied to the development and maintenance of “Bredolab,” a massive collection of hacked machines that was disassembled in an international law enforcement sweep in late 2010.

Bredolab grew swiftly after Birdie introduced his load system.

In October 2010, Armenian authorities arrested and imprisoned 27-year-old Georg Avanesov on suspicion of running Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers that were used to direct the botnet’s activities.

Dutch and Armenian investigators have long suspected that Avanesov worked closely with an infamous Russian botmaster who used the nickname “Birdie,” but so far they have been unable to learn the Russian’s real identity or whereabouts.

“He was a close associate of Gregory A.,” Pim Takkenberg, team leader of the National High Tech Crime Unit in the Netherlands, said of the hacker known as Birdie. “Actually, we were never able to fully identify him.”

According to records leaked from SpamIt — a pharmacy affiliate program that was the victim of a data breach in 2010 — Birdie was an affiliate with SpamIt along with Avanesov. Neither affiliates earned much from SpamIt directly; they both made far more money selling other spammers access to Bredolab.

Birdie was also the nickname of a top member of Spamdot.biz, a now-defunct forum that once counted among its members nearly all of the big names in Spamit, as well as a dozen competing spam affiliate programs. Birdie’s core offering on Spamdot was the “Birdie Load System,” which allowed other members to buy “installs” of their own malware by loading it onto machines already infected with Bredolab.

So successful and popular was the Birdie Load System among Spamdot members that Birdie eventually had to create a customer queuing system, scheduling new loads days or weeks in advance for high volume customers. According to his own postings on Spamdot, Birdie routinely processed at least 50,000 new loads or installs for customers each day.

“Due to the fact that many of my clients very much hate waiting in line, we’ve begun selling access to weekly slots,” Birdie wrote. “If a ‘slot’ is purchased, independently from other customers, the person who purchased the slot is guaranteed service.”

Using Birdie’s Bredolab load system, spammers could easily re-seed their own spam botnets, and could rely upon load systems like this one to rebuild botnets that had been badly damaged from targeted takedowns by anti-spam activists and/or law enforcement. Bredolab also was commonly used to deploy new installations of the ZeuS Trojan, which has been used in countless online banking heists against consumers and businesses.

Below is a translated version of Birdie’s Dec. 2008 post to Spamdot describing the rules, prices and capabilities of his malware loading machine (click the image below twice for an enlarged version of the Spamdot discussion thread from which this translation was taken). Continue reading →


1
Feb 12

Who’s Behind the World’s Largest Spam Botnet?

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released -  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!” Continue reading →