Posts Tagged: Cosma2k

Aug 11

Flashy Cars Got Spam Kingpin Mugged

A Russian spammer suspected of maintaining the infamous Rustock spam botnet earned millions of dollars blasting junk email for counterfeit Internet pharmacies. Those ill-gotten riches let him buy flashy sports cars, but new information suggests that this attracted the attention of common street thugs who targeted and ultimately mugged the spammer, stealing two of his prized rides.

BMW 530xi

In March, I published a story linking the Rustock botnet to a spammer who used the nickname Cosma2k. This individual was consistently one of the top five moneymakers for SpamIt, which, until its closure last fall, paid spammers millions of dollars a year and was the world’s largest distributor of junk mail.

Earlier this month, someone leaked thousands of online chat logs taken from Dmitry “SaintD” Stupin, a Russian who allegedly ran the day-to-day operations of SpamIt. Those records include numerous chat conversations allegedly between Stupin and a SpamIt affiliate named Cosma.

In several chats, Cosma muses on what he should do with tens of thousands of compromised but otherwise idle PCs under his control. Throughout the discussions between Stupin and Cosma, it is clear Cosma had access to internal SpamIt resources that other spammers did not, and that he had at least some say in the direction of the business.

Porsche Cayenne

In one conversation, dated Oct. 14, 2008, Cosma allegedly tells Stupin that he’s dialed back his public image a few notches, after attracting unwanted attention from other crooks. The conversation below, translated from Russian into English, begins with a request from Cosma to withdraw funds from a SpamIt operating account.

Cosma: Hey. May I withdraw some money from the account?

Stupin: Surely you may.

Stupin: Sorry, I was picking up my car from the service shop.

Cosma: What got broken?

Stupin: Someone threw a stone, when the car was parked near home.

Cosma: Damn. What kind of car?

Stupin: Volvo.

Cosma: Fond of safety?

Stupin: Yes, and I am at ease when I am driving it. It’s a huge difference after Honda :)

Cosma: I also had enough of expensive rigs. =) They are getting stolen all the time and everyone is looking at you, estimating the score, and then rob you =) I have had such experience =)

Continue reading →

Jun 11

Rustock Botnet Suspect Sought Job at Google

Microsoft has fingered  a possible author of the late Rustock spam botnet – a self-described software engineer and mathematician who aspired to one day be hired by Google. Microsoft has apparently allocated significant resources to finding the author, but has not been able to locate him.

Rustock remains dead, but Microsoft is still on the hunt for the Rustock author. In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers,  and confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin. Microsoft also mentioned another suspect, “Cosma2k,” possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. Microsoft said it is continuing its investigation of these names, to determine whether additional contact information can be identified and to which notice and service can be effected.

To help in the hunt, I hereby offer some details about him.

Microsoft helped to dismantle Rustock in March after a coordinated and well-timed “stun” targeting the spam botnet’s infrastructure, which was mainly comprised of servers based in U.S. hosting facilities. Two weeks after that takedown, I tracked down a Web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author. That reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators I spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin. By consulting a leaked database I obtained last year of the top earners for — at the time the world’s largest rogue online pharmacy network — I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates.

The information from the reseller and from the Spamit database traced back to a Spamit affiliate who used the pseudonym “Cosma2k.” The email address tied to that Cosma2K account was “”. When I came into possession of the data back in August 2010, the site was still responding to requests, and the homepage presented some very interesting information. It included a job résumé, underneath a picture of a young man holding a mug. Above the image was the name “Sergeev, Dmitri A.” At the very top of the page was a simple message: “I want to work in Google.” Beneath the résumé is the author’s email address, followed by the message, “Waiting for your job”!

Here is the complete page and résumé, in case anyone wants a closer look at this Belorussian-educated job seeker. I shared the information with Google in August 2010, to find out if they’d received a job application from this person, or if they’d considered flying him to Mountain View, Calif. for an interview. I still don’t have an answer to either question. I shared this same information with Microsoft in March.

Microsoft seems determined to bring the Rustock malefactors to court. Maybe the mug shot in this résumé will help to identify at least one of them.

Mar 11

Microsoft Hunting Rustock Controllers

Who controlled the Rustock botnet? The question remains unanswered: Microsoft’s recent takedown of the world’s largest spam engine offered tantalizing new clues to the identity and earnings of the Rustock botmasters. The data shows that Rustock’s curators made millions by pimping rogue Internet pharmacies, but also highlights the challenges that investigators still face in tracking down those responsible for building and profiting from this complex crime machine.

Earlier this month, Microsoft crippled Rustock by convincing a court to let it seize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers. Shortly after that takedown, I began following the money trail to learn who ultimately paid the botnet controllers’ hosts for their services.

According to interviews with investigators involved in the Rustock takedown, approximately one-third of the control servers were rented from U.S. hosting providers by one entity: A small business in Eastern Europe that specializes in reselling hosting services to shadowy individuals who frequent underground hacker forums. spoke to that reseller. In exchange for the agreement that I not name his operation or his location, he provided payment information about the customer who purchased dozens of servers that were used to manipulate the day-to-day operations of the massive botnet.

The reseller was willing to share information about his client because the customer turned out to be a deadbeat: The customer walked out on two months worth of rent, an outstanding debt of $1,600. The reseller also seemed willing to talk to me because I might be able bend the ear of, the anti-spam group that urged ISPs worldwide to block his Internet addresses (several thousand dollars worth of rented servers) shortly after Microsoft announced the Rustock takedown.

I found the reseller advertising his services on a Russian-language forum that caters exclusively to spammers, where he describes the hardware, software and connection speed capabilities of the very servers that he would later rent out to the Rustock botmaster. That solicitation, which was posted on a major spammer forum in January 2010, offered prospective clients flexible terms without setting too many boundaries on what they could do with the servers. A translated version of part of his message:

“I am repeating again that the servers are legitimate, funded by us and belong to our company. To the datacenters, we are responsible to ensure that you are our client, and that you will not break the terms of use. Also, to you we are responsible to make sure that the servers are not going to be closed down because of credit card chargebacks, as it happens with servers funded with stolen credit cards. In conclusion, they do not have an abuse report center, they are suitable for legitimate projects, VPNs and everything else that does not lead to problems and complaints to the data center from active Internet users. Please, take it in consideration, so that nobody is pissed off and there is no bad impression from our partnership.”

The reseller said he had no idea that his customer was using the servers to control the Rustock botnet, but he hastened to add that this particular client didn’t attract too much attention to himself. According to the reseller, the servers he resold to the Rustock botmaster generated just two abuse complaints from the Internet service providers (ISPs) that hosted those servers. Experts say this makes sense because botnet control servers typically generate few abuse complaints, because they are almost never used for the sort of activity that usually prompts abuse reports, such as sending spam or attacking others online. Instead, the servers only were used to coordinate the activities of hundreds of thousands of PCs infected with Rustock, periodically sending them program updates and new spamming instructions.

The reseller was paid for the servers from an account at WebMoney, a virtual currency similar to PayPal but more popular among Russian and Eastern European consumers. The reseller shared the unique numeric ID attached to that WebMoney account — WebMoney purse “Z166284889296.” That purse belonged to an “attested” WebMoney account, meaning that the account holder at some point had to verify his identity by presenting an official Russian passport at a WebMoney office. A former law enforcement officer involved in the Rustock investigation said the name attached to that attested account was “Vladimir Shergin.” According to the reseller, the client stated in an online chat that he was from Saint Petersburg, Russia.

Continue reading →