Spam Nation


5
Feb 18

Alleged Spam Kingpin ‘Severa’ Extradited to US

Peter Yuryevich Levashov, a 37-year-old Russian computer programmer thought to be one of the world’s most notorious spam kingpins, has been extradited to the United States to face federal hacking and spamming charges.

Levashov, in an undated photo.

Levashov, who allegedly went by the hacker names “Peter Severa,” and “Peter of the North,” hails from St. Petersburg in northern Russia, but he was arrested last year while in Barcelona, Spain with his family.

Authorities have long suspected he is the cybercriminal behind the once powerful spam botnet known as Waledac (a.k.a. “Kelihos”), a now-defunct malware strain responsible for sending more than 1.5 billion spam, phishing and malware attacks each day.

According to a statement released by the U.S. Justice Department, Levashov was arraigned last Friday in a federal court in New Haven, Ct. Levashov’s New York attorney Igor Litvak said he is eager to review the evidence against Mr. Levashov, and that while the indictment against his client is available, the complaint in the case remains sealed.

“We haven’t received any discovery, we have no idea what the government is relying on to bring these allegations,” Litvak said. “Mr. Levashov maintains his innocence and is looking forward to resolving this case, clearing his name, and returning home to his wife and 5-year-old son in Spain.”

In 2010, Microsoft — in tandem with a number of security researchers — launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of computer code with Waledac.

Severa routinely rented out segments of his Waledac botnet to anyone seeking a vehicle for sending spam. For $200, vetted users could hire his botnet to blast one million pieces of spam. Junk email campaigns touting employment or “money mule” scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Waledac first surfaced in April 2008, but many experts believe the spam-spewing machine was merely an update to the Storm worm, the engine behind another massive spam botnet that first surfaced in 2007. Both Waledac and Storm were major distributors of pharmaceutical and malware spam.

According to Microsoft, in one month alone approximately 651 million spam emails attributable to Waledac/Kelihos were directed to Hotmail accounts, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks, and more. The Storm worm botnet also sent billions of messages daily and infected an estimated one million computers worldwide.

Both Waledac/Kelihos and Storm were hugely innovative because they each included self-defense mechanisms designed specifically to stymie security researchers who might try to dismantle the crime machines.

Waledac and Storm sent updates and other instructions via a peer-to-peer communications system not unlike popular music and file-sharing services. Thus, even if security researchers or law-enforcement officials manage to seize the botnet’s back-end control servers and clean up huge numbers of infected PCs, the botnets could respawn themselves by relaying software updates from one infected PC to another.

FAKE NEWS

According to a lengthy April 2017 story in Wired.com about Levashov’s arrest and the takedown of Waledac, Levashov got caught because he violated a basic security no-no: He used the same log-in credentials to both run his criminal enterprise and log into sites like iTunes.

After Levashov’s arrest, numerous media outlets quoted his wife saying he was being rounded up as part of a dragnet targeting Russian hackers thought to be involved in alleged interference in the 2016 U.S. election. Russian news media outlets made much hay over this claim. In contesting his extradition to the United States, Levashov even reportedly told the RIA Russian news agency that he worked for Russian President Vladimir Putin‘s United Russia party, and that he would die within a year of being extradited to the United States.

“If I go to the U.S., I will die in a year,” Levashov is quoted as saying. “They want to get information of a military nature and about the United Russia party. I will be tortured, within a year I will be killed, or I will kill myself.”

But there is so far zero evidence that anyone has accused Levashov of being involved in election meddling. However, the Waledac/Kelihos botnet does have a historic association with election meddling: It was used during the Russian election in 2012 to send political messages to email accounts on computers with Russian Internet addresses. Those emails linked to fake news stories saying that Mikhail D. Prokhorov, a businessman who was running for president against Putin, had come out as gay. Continue reading →


7
Dec 15

When Undercover Credit Card Buys Go Bad

I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar’s own security system triggered a “pig alert” and brazenly flagged the fed’s transactions as an undercover purchase placed by a law enforcement officer.

Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and “carding” markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.

Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops — Rescator — somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren’t shy about letting you know when they think you’re not a real criminal. My law enforcement source said he’d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site’s checkout page was replaced with this image:

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this "pig detected" alert.

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this “pig detected” alert.

The shop from which my source attempted to make the purchase — called Rescator — is the same carding store that was the first to move millions of cards on sale that were stolen in the Target and Home Depot breaches, among others. I’ve estimated that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they only likely managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the median loss of 2 million cards, that’s still more than $50 million in revenue. It’s no wonder they want to keep the authorities out. Continue reading →


3
Dec 14

Be Wary of ‘Order Confirmation’ Emails

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

An "order confirmation" malware email blasted out by the Asprox spam botnet recently.

An “order confirmation” malware email blasted out by the Asprox spam botnet recently.

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.

This Asprox malware email poses as a notice about a wayward package from a WalMart  order.

This Asprox malware email poses as a notice about a wayward package from a WalMart order.

According to Malcovery, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Continue reading →


24
Nov 14

Spam Nation Book Tour Highlights

Greetings from sunny Austin, Texas, where I’m getting ready to wrap up a week-long book tour that began in New York City, then blazed through Chicago, San Francisco, and Seattle. I’ve been trying to tweet links to various media interviews about Spam Nation over the past week, but wanted to offer a more comprehensive account and to share some highlights of the tour.

For three days starting last Sunday, I was in New York City — doing a series of back-to-back television and radio interviews. Prior to leaving for New York, I taped television interviews with Jeffrey Brown at the PBS NewsHour; the first segment delves into some of the points touched on in the book, and the second piece is titled “Why it’s harder than you think to go ‘off the grid’.”

cbs-tm

On Monday, I was fortunate to once again be a guest on Terri Gross‘s show Fresh Air, which you can hear at this link. Tuesday morning began with a five-minute appearance on CBS This Morning, which included a sit-down with Charlie Rose, Gayle King and Norah O’Donnell. Later in the day, I was interviewed by the MarketPlace Tech ReportMSNBC’s The Cycle, as well as the Tavis Smiley show. Wednesday was a mercifully light day, with just two interviews: KGO-AM and the Jim Bohannon Radio Show. Continue reading →


17
Nov 14

Amazon: Spam Nation one of “Best of Month”

A quick update on my new book, Spam Nation, The Inside Story of Organized Cybercrime — From Global Epidemic to Your Front Door debuting on bookstore shelves  Tuesday, Nov. 18: Amazon has selected Spam Nation as one of their “Best Books of the Month” picks for November, listed alongside such notable authors as Stephen King and Nora Roberts.

abbotm-cIn addition, my publisher has graciously extended the freeZeusGard offer until Nov. 25 for the next 500 people who order more than one copy of the book.

In early October we launched a promotion in which the first 1,000 readers to preorder more than one copy of the book, audio recording and/or e-book version of Spam Nation would receive a free, KrebsOnSecurity-branded ZeusGard, a USB-based technology that’s designed to streamline the process of adopting the Live CD approach for online banking.

Approximately 500 readers took us up on this offer, but that means we still have about 500 left! Thankfully, my publisher (Sourcebooks) has agreed to extend this offer by one week (until Nov. 25, 2014).

Finally, if you live in Chicago, San Francisco, Seattle or Austin and would like a personalized copy of Spam Nation, please consider joining me this week as I drop by a local bookstore near you! See the tour schedule for dates, times and locations.


23
Oct 14

‘Spam Nation’ Publisher Discloses Card Breach

In the interests of full disclosure: Sourcebooks — the company that on Nov. 18 is publishing my upcoming book about organized cybercrime — disclosed last week that a breach of its Web site shopping cart software may have exposed customer credit card and personal information.

Fortunately, this breach does not affect readers who have pre-ordered Spam Nation through the retailers I’ve been recommending — Amazon, Barnes & Noble, and Politics & Prose.  I mention this breach mainly to get out in front of it, and because of the irony and timing of this unfortunate incident.

From Sourcebooks’ disclosure (PDF) with the California Attorney General’s office:

“Sourcebooks recently learned that there was a breach of the shopping cart software that supports several of our websites on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained too. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach.”

So again, if you have pre-ordered the book from somewhere other than Sourcebook’s site (and that is probably 99.9999 percent of you who have already pre-ordered), you are unaffected.

I think there are some hard but important lessons here about the wisdom of smaller online merchants handling credit card transactions. According to Sourcebooks founder Dominique Raccah, the breach affected approximately 5,100 people who ordered from the company’s Web site between mid-April and mid-June of this year. Raccah said the breach occurred after hackers found a security vulnerability in the site’s shopping cart software.

Shopping-Cart-iconExperts say tens of thousands of businesses that rely on shopping cart software are a major target for malicious hackers, mainly because shopping cart software is generally hard to do well.

“Shopping cart software is extremely complicated and tricky to get right from a security perspective,” said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, a company that gets paid to test the security of Web sites.  “In fact, no one in my experience gets it right their first time out. That software must undergo serious battlefield testing.”

Grossman suggests that smaller merchants consider outsourcing the handling of credit cards to a solid and reputable third-party. Sourcebooks’ Raccah said the company is in the process of doing just that. Continue reading →


8
Oct 14

Spam Nation Book Offer + Tour Details

As many of you know, my first book — Spam Nation — hits bookstore shelves on Nov. 18. I want to thank those of you who have already pre-ordered the book, and offer a small enticement for those who have yet to secure a copy.

Pre-order two or more copies of Spam Nation and get this "Krebs Edition" branded ZeusGard.

Pre-order two or more copies of Spam Nation and get this “Krebs Edition” branded ZeusGard.

Spam Nation is a true story about organized cybercriminals, some of whom are actively involved in using malware-laced spam to empty bank accounts belonging to small- and medium-sized businesses in the United States and Europe. I’ve written extensively about organizations that have lost tens of millions of dollars from these cyberheists. I’ve also encouraged online banking customers to take advantage of various “Live CD” technologies that allow users to sidestep the very malware that powers these cyberheists.

In July, I wrote about ZeusGard, one such technology that’s designed to streamline the process of adopting the Live CD approach for online banking. The makers of ZeusGard got such a positive response from that story that they offered to partner with Yours Truly in promoting Spam Nation!

I’m pleased to report that the first 1,000 customers to purchase two or more copies of Spam Nation — including any combination of digital, physical and/or audio versions of the book — before the official book launch on Nov. 18 will receive a complimentary KrebsOnSecurity-branded version of ZeusGard (pictured above)! Continue reading →