A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.
A prominent affiliate program that pays people to promote knockoff luxury goods closing down at the end of January. The program — GlavTorg.com — is run by the same individuals who ran the infamous Glavmed and SpamIt rogue pharmacy operations.
Microsoft on Monday named a Russian man as allegedly the guy responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from the world’s largest spam affiliate program suggests that the driving force behind Kelihos is a different individual who is still coordinating spam campaigns for hire.
Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used clever legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.
On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was run by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos. Rather, the researcher argues, the true coordinator of both Kelihos and Waledac is another Russian man who is well known to anti-spam activists.
Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as the first offering that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.
A new service in the cyber underground aims to be the Google search of underground Web sites, connecting buyers to a vast sea of shops that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools.
A glut of stolen card data has spawned dozens of stores that sell the information. The trouble is that each store requires users to create accounts and sign in before they can search for cards.
Enter MegaSearch.cc, which aims to let fraudsters discover which fraud shops hold the cards they’re looking for, without having to first create accounts at each shop. This underground search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.
Given the heightened security surrounding air travel these days, it may be hard to believe that fraudsters would try to board a plane using stolen tickets. But incredibly, there are a number of criminal travel agencies doing business in the underground, and judging from the positive feedback left by patrons, business appears to be booming.
The tickets often are purchased at the last minute and placed under the criminal buyer’s real name. The reservations are made using either stolen credit cards or hijacked accounts belonging to independent contractors in the travel industry. Customers are charged a fraction of the cost of the tickets and/or reservations, typically between 25 and 35 percent of the actual cost.
Jobs in the hi-tech sector can be hard to find, but employers in one corner of the industry are creating hundreds of full-time positions, offering workers on-the-job training and the freedom to work from home. The catch? Employees will likely work for cybercrooks and may make barely enough money in a week to purchase a Happy Meal at McDonald’s.
The last post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of Cutwail — currently the world’s largest spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of other botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the guy behind the infamous Srizbi botnet.
Previous stories in my Pharma Wars series have identified top kingpins behind the world’s largest spam botnets. Today’s post includes never-before-published information on “Google,” the secretive hacker in charge of the infamous Cutwail botnet.
A new service on the cyber criminal underground can be hired to tie up the phone lines of any targeted mobile or land line around the world. The service is marketed as a diversionary tactic to assist e-thieves in robbing commercial customers of banks that routinely call customers to verify large financial transfers.
