January 17, 2010

It is said that you can judge the mettle of a man by the quality of his enemies. So I guess it should be flattering when a group of individuals who appear dedicated to making misery for countless Internet users express glee at what they perceive as my misfortune.

Since my final posting on The Washington Post‘s Security Fix blog last year, I’ve been made aware of several discussions among different shadowy online groups who were apparently celebrating the end of that blog.

Some of those conversations I am not at liberty to point to here, but at least one of them is public: a thread on crutop.nu, an 8,000-member Russian-language forum dedicated to Webmasters who specialize in high-risk Web sites, including rogue anti-virus software sales, pharmacy sites, and all manner of extreme porn (including bestiality and rape).

The last time I got this much attention from crutop.nu was last summer, when I published the results of a lengthy investigation that traced a huge number of rogue anti-virus Web site payment processing pages back to Crutop and to Chronopay, a Russian payment processing company that also specializes in high-risk sites. Indeed, that post concluded that the same individual was responsible for running both entities (Chronopay founder Pavel Vrublevsky, a.k.a. “Redeye” on Crutop).

In this discussion on Crutop, members can be seen celebrating the demise of the Security Fix blog and my employment at The Washington Post, essentially saying that Santa Claus had answered their letters. Members then go on to discuss how I should be shot (among other indignities), as well as various search engine gaming schemes that might bury the rankings of my new blog at krebsonsecurity.com.

The entire thread (or at least up until today) can be read by expanding the images below, in order, and viewing a rough translation. For whatever reason, the default view when you open the full-sized image may start at the center of the page. If this happens, just scroll up and start from the top. Caution: Some of the language displayed in these posts may be offensive to some readers, and certain thumbnail images may not be appropriate for viewing at work.

PAGE 1, PAGE 2, PAGE 3 (screenshots of the thread, with translation)


40 thoughts on “Tough Talk from Those Who Hide”

  1. BrianKrebs Post author

    I don’t know why, but this part just got cut off of the original post:

    Lest my fans and enemies in the criminal virus writing community feel left out, I should mention that security firm F-Secure on Saturday intercepted another piece of malware being distributed that insults this author. According to the VirusTotal scan results shared by F-Secure, there’s a new variant of what may be Virut, Harebot or Cutwail (depending on which anti-virus vendor you ask) that references the following domains:

    f u c k b r i a n k r e b s . c o m
    a n t i s g e t o u t . c n
    a a a . o d u v a n c h i c . c o m
    f i r e a s s e y e . c o m

    Happy New Year to you too, guys!

  2. Lofti

    Gratz, Brian. Best validation of your work you could ask for.

  3. ~sg

    Old Chinese proverb: It is better to be hated than to be ignored. You can be sure, Brian – no one can ignore your work.

  4. Prefect

    Any comment on the “responding to pressure from banks” comment they reference? Was there ever an issue with advertisers with any of the security stories?

    1. BrianKrebs Post author

      That was a suspicion shared by at least one source, but it’s not one that I put much stock in. If there were ever any issues with advertisers about stories that I wrote, I never heard about them.

  5. Fausto

    No virus or trojan has my name somewhere in it. No virus or worm insults me. Brian, I feel envy! You are a star, I’m just ignored 🙂 You should feel happy and important.

  6. James

    The clowns in these threads sound like the Keystone Cops . . . buffoons who need an online discussion to figure out your status. In any event, keep up the wonderful work and please keep posting those threads!

    1. KFritz

      If you think they’re inept buffoons, read this analogous tale. This is from Wikipedia. Walter Johnson was the first pitcher to regularly pitch over 90 mph and won 400 games. This is Ty Cobb’s account of their first encounter:

      “On August 2, 1907, I encountered the most threatening sight I ever saw in the ball field. He was a rookie, and we licked our lips as we warmed up for the first game of a doubleheader in Washington. Evidently, manager Pongo Joe Cantillon of the Nats had picked a rube out of the cornfields of the deepest bushes to pitch against us… He was a tall, shambling galoot of about twenty, with arms so long they hung far out of his sleeves, and with a sidearm delivery that looked unimpressive at first glance… One of the Tigers imitated a cow mooing, and we hollered at Cantillon: ‘Get the pitchfork ready, Joe– your hayseed’s on his way back to the barn.’
      …The first time I faced him, I watched him take that easy windup. And then something went past me that made me flinch. The thing just hissed with danger. We couldn’t touch him… every one of us knew we’d met the most powerful arm ever turned loose in a ball park.”

      Don’t take these miscreants lightly.

  7. J.C.

    Well, hey! That just makes me want to donate to your site! The deeper the hole, the bigger the flashlight you need to find ’em and dig ’em out.

  8. Jeffrey

    It’s nasty and in poor taste, but that’s what happens when enough of your posts hit the 10 ring on the target. Good job, Brian.

    And keep hitting that 10 ring from your new digs.

  9. TheGeezer

    Just to add to what has already been said “Congratulations Brian”. I would rate this above Cisco’s Cyber Hero award!

    However, I would just like to add that, from what I have heard from other volunteer organizations, Russian ISPs have responded to notifications of malware on their sites faster than many American ISPs. Russian sites are victims of these miscreants as well as everyone else.

  10. Wladimir Palant

    I have to join in with my congratulations. I read the thread at the source, some more text has been added there – in particular, some people complaining how you caused them losses of hundreds of dollars when 3FN was shut down (and they didn’t even have a backup). Well done!

  11. Issviews

    Congratulations Brian, I was an avid reader at Security Fix and am pleased I can continue to read your valuable posts here 😀 The comments by your enemies only go to show the mentality of morons. You hit them hard and they know it. This is the only way they can spit their dummy out 😀

  12. N3UJJ

    What I wouldn’t give to read the conversations that could not be referenced. (smile)

  13. Charlie G.

    Hey! …Brian!…

    Good for you! Step on some more of those same nerves…then stomp ’em! … Yer’ gettin’ their attentshun!-ski.

    Technical note: The comments were very tiny on my screen, and when I clicked Ctrl and + to make them bigger, the images were very blurry…any suggestions? I’d like to read just how crude they really are….

    Cheers….

  14. Charlie G.

    @ N3UJJ…

    …Thanks, N3UJJ…I finally saw that very small clickable (-) and (+),

    ……. serious, nasty stuff waiting to be peeled away out there, right?

  15. Frank

    I have to add my congratulations! Next time I am in Russia I will mention your name and see what kind of a reception I get.

  16. AlphaCentauri

    Congratulations! Best endorsement of your work you could hope for. They seem not to have heard how widely the ax swung at the Washington Post last month.

    I wouldn’t worry. They only make money while their activities are hidden. If there were any serious harassment of a Western journalist, Visa and Mastercard might get a clue and stop processing orders for all those Glavmed affiliates posting in that forum.

  17. AlphaCentauri

    Congratulations! It’s a great endorsement of the work you’ve done so far. (They seem not to have heard how widely the ax swung at the Washington Post last month.)

    I wouldn’t worry, though. Internet criminals only make money while their activities are hidden. If there were any serious harassment of a Western journalist, Visa and Mastercard might get a clue and stop processing their orders for fake drugs and watches.

  18. George

    If you ever need encouragement, or have a spare moment, check out groklaw.net. Hours (if not months) of serious fun.

  19. Wladimir Palant

    Frank, do you think that the entire Russian population is engaged in cybercrime? Don’t be silly. Most people there are busy working hard for very little money. However, some computer programmers found a better-paid “job” in the cybercrime community. And then there are morons like the ones discussing in this forum thread – they have very little actual knowledge, mostly using tools other people created. But unfortunately right now earning money this way is easier than working.

  20. RedEye

    I’ll post this in English so all Brian readers may read our point of view on Mr. Brian Krebs activity in the past, now and in the future.

    Dear Brian, and I’ll be frank with You, I hope on behalf of all our members here, I believe it’s a huge success for the US journalist market, for FBI, for WP, for Secret Service, that they have let You out finally and I do hope it will stay so.

    The problem I see is that this is not enough because I believe that some of Your actions in the past may, if proven of course, be considered criminal to be honest.

    And now let me explain why.

    World-wide as far as I know in order to claim something You must have a valid proof of what You are claiming or leading to.

    Before the post here about You leaving WP I have never ever, believe it or not, taken any interest in Your blog even after You have mentioned crutop.nu there. The reason is, most of what You posted is simply not true, so why bother. It was fun of course, it was fun to read about Crutop in FTC papers, but not so interesting to be honest with You.

    However after the topic has been started here about You leaving WP I’ve taken my time and have read through all (!!!) Your posts on WP blog from start to end.

    I was interested in only ONE thing – who are Your sources.
    And now let me explain You why.

    You see, the picture which You are creating, about us here being the active part in world’s computer crime, let me quote “crutop.nu, an 8,000-member Russian-language forum dedicated to Webmasters who specialize in high-risk Web sites, including rogue anti-virus software sales, pharmacy sites, and all manner of extreme porn (including bestiality and rape).” or “among different shadowy online groups” as You call us as well, well this picture is incorrect but what is indeed interesting that it remains so in Your posts from time to time.

    It works pretty well for You, because more or less, You now have a name in battling computer crime and us here, poor folks, we’re Russian and (obviously) post in Russian as well, so if You’d say we trade here atomic bomb secrets with China or work closely in financing Al Qaeda (or whatever) Your readers would most likely believe that as well, see I give You good ideas already, and thanks indeed for choosing us as a target, however a question remains, why?

    And that exactly is the question which I had in my mind when I have started reading Your blog, You see, there must have been a reason why You and Your research ended up here anyways.

    Now let me explain to Your readers, and those of our own here, how mass media works in general. A journalist must have a source to work with. Usually, correct me if I am wrong, those sources appear during journalist investigations, for example a big official source makes a claim (say FBI says that 3FN is a bad company and was closed), the journalist would then find contact details of 3FN General Manager and question him if he responds and that becomes a source.
    Obvious? Yes.

    Now, THIS IS IMPORTANT, I’ve read through the blog of WP on Security by Mr. Brian Krebs and what I have discovered has surprised me a bit but I have had this suspicion already before, You see, before ONE event has happened and investigated Mr. Krebs more or less has not been so well informed on who are bad guys (as he thinks), more or less
    Mr. Krebs was a typical reporter making small comments on press releases by various security companies, for instance, like this ingenious publication

    http://voices.washingtonpost.com/sec…ws_data_1.html , where the only thing which is being investigated is whether Mr. Krebs is good in reading english in Microsoft press releases or not.

    And that has been so before the case of RBN has started. When the foreign mass media and authorities (succeeded by the way by Russian authorities later on, which Krebs and alike have missed in their chase of self popularity) have started to close down that group, THAT WAS THE MOMENT when Mr. Krebs all of a sudden became very well informed of what happens in the internet’s criminal world as he thought. It’s after those publications suddenly Mr. Krebs begins saying here and there that he has “sources”.

    So who were those sources? For me, it is quite obvious. Moreover, it is quite obvious why those sources were so well informed on CERTAIN subjects.

    Let’s do our own small investigation here. Thanks to Mr. Krebs’ popularity and mentioning us here and this topic in his own star-blog we may be very sure to get enough attention.

    So,
    1. As far as I know RBN, if You let aside all mass-media rubbish around it (participating in DDOS attacks against Georgia for example) was simply a so called “bullet proof hosting” company, i.e. a company in St. Petersburg which was specialised in providing hosting services to various criminals in the internet and other shady businesses.
    Right?

    Why RBN has attracted so much attention? Because RBN managed to get on board all possible and impossible gray stuff ever originating from Russia. True? TRUE.

    RBN as a business name has been closed after all the mass-media attention and certain authorities actions in Russia. However as we know, no-one has been put in jail and we may believe their business is still operating one way or another. Perhaps they are still offering hosting services under another name?

    2. Most bullet proof hosting companies actually have normal clients as well. At least to show they are doing something clean.

    In particular these kinds of webhosting companies are actually popular with adult websites webmasters, reason is that while in US, since its a legal business there, a lot of companies provide this service as well, it is more convenient for Russian-based adult webmasters to use Russian-based hosting companies for that business sometimes, paying for hosting is easier for example, because transferring funds from Russia to USA based hosting sometimes is a mess. So on one famous cyber-crime criminal as a client in a hosting company there will be 1000 normal dudes doing simple adult websites. You may ask, why for such an adult hosting company bother with that one criminal client and get an investigation leading to the closure of the business, read further on – You’ll understand.

    3. Now if again we take away few stupid bits in WP Security Blog here and there (for instance great in their stupidity publications about Crutop) who were other MAJOR successes of Mr. Brian Krebs? OTHER HOSTING COMPANIES.

    Since 2005 did Mr. Krebs publish any revealing OUTSTANDING information about anything else, say a known criminal, spammer, hacker whatever, except hosting companies providing hosting services to gray businesses, i.e. rivals or competitors to RBN ?

    No he didn’t. 98% of all his posts were comments on other companies press-releases.

    So, if we conclude, that Mr. Krebs has gained a great source in RBN itself, at the time when he was in contact with them for the first time, which he either believed to be giving out true information or what is much worse, and I suspect it to be so, to be frank, he was somehow compensated to believe in that, and thus RBN was through Mr. Krebs attacking its COMPETITORS.

    My question to this is quite simple – is this legal in USA or anywhere else in the world, that a journalist is actually ASSISTING cyber-crime professionals to clean out their competition, whatever they believe to be their competition?

    Unfortunately, Mr. Krebs being in USA and all that and us being poor Russian folk we can’t do too much about that, so relax Brian, but at least I can relax as well that those who will read this will at least figure out what You are up to, who are Your sources and how You earn Your money.

    Let me also give a few facts about Your previous EXCELLENT job in discovering cyber-crime in Russia and abroad:

    1. 3FN hosting company which was attacked by FTC and in FTC paperwork You were mentioned as one of main experts, linking 3FN to Crutop.nu HAS NEVER been engaged in anything really criminal. Whatever was the reason for the failure of the company we don’t know. We know that over 15000 webhosting accounts were blocked with perfectly legitimate business. Yes perhaps morally wise, it was far from Holy Bible, but at the same time morality equals to law, and legally wise, that was just a popular webhosting FOR YEARS for adult websites.

    2. Crutop.nu has never been “a shadow group of people”, mother of crime, Bin Laden of the internet. It’s just a forum for Russian based adult webmasters primarily. Later on it has evolved in other higher-risk (BUT LEGAL EVEN IN USA) business models, take pharmacy for example, there was a huge number of investigations in that field, none of them has proved it to be illegal, its a question of lobbying within USA more or less. There are a lot of US based forums with webmasters just like Crutop. Closest example would be http://www.gofuckyourself.com (GFY, run by Adult.com owner)

    3. Crutop has never been associated with the processing company You’re trying to link it to as well. Someone has paid You well to do it though.

    4. EST Domains has had some troubles with certain clients and yes their boss had served his time in jail before as far as we know, but again comparing it to RBN its like a pellet gun to nuclear weapons.

    With all that said, let me excuse myself for my poor English, and let me make one final statement, which I believe to be even more important than anything else posted by me here, and I believe that as well will be our forums official position – Brian, if You want our advice, this face of Yours all over Your blogs THIS IS SOOOOO GAY!

    Hm?

    1. BrianKrebs Post author

      By the way, Pavel, if you recall, I never once mentioned you or Crutop in any of my blog posts, until more than a month *after* Crutop.nu changed its homepage to include the screed that is up there still, railing against the FTC and criticizing me by name.

  21. BrianKrebs Post author

    Hello Pavel, nice to see you here. As usual, though, your rant contradicts itself in many places. I wonder if anyone will actually read the entire thing? Anyway, I doubt readers will do anything but bury your comment in a hail of “dislikes,” for being a troll, but I could be wrong.

    There’s also a broken link to my old blog there. Care to tell us which story you were pointing to?

    What I find funny is how you and your pals there are so indignant that my stories have made all Russians out to be cheaters and scammers. It is people like the founders and members of Crutop and other forums there who profit from spreading misery that give the Russian people a bad name. Sorry, Pavel, you can deny and blame others all you want, but it’s true.

    1. RedEye

      Brian, it’s a nice joke of Yours copying my message from Crutop here in Your blog, thanks for the invitation so to say.

      However Brian, I would prefer to be with my own forum.
      If You want to comment, You’re free to register, just as Your friends there. I hope You can figure it out.

      🙂
      So my reply will be there.

      1. BrianKrebs Post author

        Haha. That’s too funny, Pavel…I mean, Redeye. But I wouldn’t stoop to something so lame. Must have been one of your many dear, adoring fans there at Crutop or elsewhere that pasted it as you here.

        If people really want to, they can find your thread, but for reasons that I hope are painfully obvious, I will not be linking to your site here and won’t approve of any comments that do.

  22. vinton

    Another point of view on what Brian Krebs is doing. Reposted from crutop.

    Just wanted to say thank you Brian for a huge work you have been doing for e-business and adult industry as well. There’s a big number of honest webmasters which stand for common sense and honest business tactics here and in other webmaster communities. We would like to support your activity and ask to continue your hard work in cleaning up the mess in global e-commerce market.

    The reason why people dislike you here is because many of us were dealing with those shady companies you have been chasing. Some of us have had some clue that we were dealing with wrong people, but most of us hadn’t. And one day it became a real hell here once many people have actually lost their honest businesses. Of course they didn’t blame themselves, but you.

    It’s only those who do nothing that make no mistakes. I’ve read many of your investigation reports and found some data weren’t accurate. But at the end of the day the job is well done. Heads up and there’s still a lot of stuff to do

    And please, don’t make labels on Russian people in general. There’s good people and shady people here, just like everywhere else. Let’s take global adult entertainment market (damn, it’s 2257 porn). The major mess is caused by US companies and US people. I’m talking about shady x-sells, un-authorized transactions on surfers credit cards, huge pharma spam of paysites members, totally false promises on tours, fake dating sites, tons of stolen content which are just everywhere, i mean EVERYWHERE. This is being done on a very huge scale and there’s nothing we regular guys can do about it. I really suggest it must be because of corrupted US officials, those violations are too big to be avoided by US authorities for such a long time. Please take a look into this.

    Good luck in finding a good job and keep doing your stuff.

    Best of luck,
    regular Russian on-line biz guys

  23. AlphaCentauri

    I’d like to set the record straight about whether any of those Russian pharma sites are “legal in the U.S.”

    * To be legal in the U.S., a pharmacy site has to require prescriptions for drugs that legally require them under U.S. FDA regulations. It isn’t adequate to have an anonymous doctor on the payroll who writes a prescription after reviewing a questionnaire, either. To qualify as telemedicine, there must be a meaningful doctor-patient relationship.
    * To be legal in the U.S., the pharmacy selling to U.S. residents must be located in the U.S. Laws that allow individual patients to import a personal supply of drugs from overseas refer to people who are physically returning from visiting those countries, not to mail order pharmacies.
    * To be legal in the U.S., the pharmacy must follow U.S. patent and trademark laws. The fact that India allows generic versions of patented drugs earlier than North American or European countries doesn’t make it legal to sell them here. And it’s not legal to display the trademarked images/logos of the brand name drugs on the website when people order, then ship generic equivalents or placebos.
    * To be legal in the U.S., the sponsor must ensure its affiliates do not violate CAN-SPAM by harvesting email addresses with automated software or using deceptive “from” addresses and subject lines, and it must ensure their emails provide valid opt-out contact information that really gets people opted out. Under CAN-SPAM, the sponsor is responsible for violations of the law in the spam sent by its affiliates.
    * To be legal in the U.S., the pharmacy must have U.S. licensed pharmacists and must comply with individual state laws in the locations where their customers live.
    * And of course, to be legal in the U.S., the pharmacy website can’t use a domain name registered with fake information, can’t mail its spam or host its website on other people’s hacked servers, can’t allow protected health information to be transmitted over a non-secure connection (even if it uses a fake padlock icon to pretend it is secure), can’t display forged pharmacy licenses or fake seals from the Better Business Bureau/PharmacyChecker/CIPARx, and can’t engage in all the other fraudulent practices that spamvertised pharma sites and their non-spammed “premium” counterparts do.

    Just which pharma sites that are “legal in the U.S.” is he talking about?

  24. RedEye

    Alpha,
    with all that said about local USA laws on pharmacies I believe that relates to a pharma website running from WITHIN USA and based from USA or at the very least run by a US citizen. Which I thought was quite obvious.

    Since those pharmacy websites are NOT US based those laws are not related to them and should not be related to them.

    The only legal aspect of interest is whether US based customers of internet pharmacies themselves actually violate any local law while buying pills over the internet. In any case this has VERY vague relation to anything done illegally by pharmacy website owners.

    That said, I’d like to exclude and explain in a separate part about SPAMMING related to pharmacy which pharmacy affiliate programs often rely upon.

    While CAN-SPAM again does not have any influence on affiliates based OUT of USA the SPAMMING technologies violate laws one way or another anyways, even Russian laws are severely violated because by Russian law bot technologies used for spamming are directly violating Criminal Code 272, 273, 274.

    So SPAMMING is Illegal. Because of that most pharmacy affiliate programs are not supporting SPAM for years already.

    However You will not find Mr. Brian Krebs making any comments on that, believe me Alpha. Surprise me Brian, prove me I am wrong.

    You see, the reason is, as I have explained earlier in my small research, it looks like Mr. Krebs was sponsored by a group called RBN based out of Russia, St. Petersburg to act on their behalf to attack through his blog everyone who they believe to be their enemies and they have quite perverse logic in that.

    RBN as well, as has been stated in many reputable resources, is behind world’s biggest pharma spam operations.

    For example check this out.
    http://www.newsweek.com/id/228674/page/2
    http://spamtrackers.eu/wiki/index.php/Glavmed

    1. AlphaCentauri

      @RedEye,

      The pharma sites I have in mind specifically say they will ship to the U.S., or else they have “testimonials” by models in stock photos whose location is listed in the U.S. It’s legal to sell drugs without prescription in many countries. But it isn’t legal for a U.S. resident to have drugs shipped into the U.S. from another country. It’s smuggling. So such sites definitely aren’t “legal in the U.S.”

      If you know of pharmacy sites run by Russian citizens that are operating under U.S. law — and Russia trains many fine physicians and pharmacists, so there is no reason to assume no one has obtained the proper licenses to operate a pharmacy within the U.S. — I just haven’t seen any site like that yet. I’d be curious to know about them.

      1. RedEye

        No, Alpha,
        As I have explained already, whether it is legal or not for a USA customer to buy from such a pharmacy is a legal problem of buyer ONLY.

        Do You follow me here?

        P.S. I am not entirely sure it is illegal for USA customers to shop in Non-US based online pharmacies. I can not be sure but the reason why I doubt that it is illegal, that usually in such cases (like with MP3 or casinos where buying itself is a crime as well or child porn for example) there would have been already thousands of cases against buyers in US and accused and prosecuted would have included very old nearly dead women, very young just born men, their home pets (say dogs) and all accused of buying illegal VIAGRA and a few known politicians caught in the middle of pushing BUY button of mycanadiancheapviagra.com
        🙂

        As for smuggling, if You buy a bottle of wine and send it over DHL to Russia, from Russian point of view if it will pass customs it would be smuggling I think (as sending over wine and alcohol by mail is smuggling, correct me if I am wrong), but it will be legal in the point of sending.

        Same story here. It is legal to send it over by mail from the point it is sent from.

  25. RedEye

    P.S. Brian, removing the link to my forum was really lame.
    🙂
    You have put a whole post about Crutop, made screenshots (!!!) with translations (!!!), and now what? You have removed the link where people actually can see what You are talking about and put comments and talk openly about all this?

    Good job man!

  26. BrownEye

    RedEye,

    Crawl back under your rock and go back to editing your kiddie porn collection. The adults here are getting tired of you.

  27. combat

    Brian Krebs, senk very mach. Thanks to the post
    “Would You Have Spotted the Fraud?” which was published on Gizmodo.com, I browsed around the blog, came across this article and learned about a useful forum. In my opinion you are wrong to do this. Everyone survives as best they can, only the methods differ. I would gladly read your column in the newspaper, but not knowing the language gets in my way, and a translator doesn’t let me fully understand the meaning.

  28. Mikhail

    Wrong translation: “have-a-good-day” is a special topic on crutop. When fethard was robbed (and everyone was unable to get their money from it), their support were finishing all conversations with customers by saying “have a good day”.

    1. BrianKrebs Post author

      Mikhail — the archive you sent me does not open with the password you provided, nor can I reply to your e-mail (it bounces). Please double check the password. Tx

Comments are closed.