Monday, August 8, 2011

On The Changing Landscape For Non-Compliant Career Spammers

Hello, faithful readers of this blog.

As you all have no doubt been aware, updates here have been very few and far between for a while now. I wanted to post a quick update to let you know that yes, I'm still alive, and yes, many things are still underway in the fight against online criminals and the spamming they engage in, among other things.

When I started this blog, email spam was definitely a major scourge, and a vast amount of criminality stemmed from spam itself, which eventually led me further and further up the food chain. That meant that over time, email spam itself (or spam of any sort really) became less of a focus of investigation for me than more meaty subjects like the hosting infrastructure of one or another criminally-operated pharmacy affiliate program, or investigations into one or another botnet's infrastructure and command and control.

Over the past several years, my role in these investigations has been one of a disseminator of collected research and intelligence, handing over as much of the indepth analysis and research as I could supply to a larger and larger number of researchers and investigators.

As the last two years have shown, that's lead to a much greater set of eyes becoming focused on all manner of online crime, and the results have been pretty fascinating to see. I am not saying that my research specifically has directly led to legal action - I have no way of knowing - but it's part of a collected mass of research which may have assisted several organizations in deciding which action (or actions) to take against the operators of these large-scale spam operations.

I'll just itemize a few of these investigations here to get the idea across. Much of this has been covered in greater detail and with more background research by many other more established journalists, security researchers and bloggers than I would have been able to do here.

Microsoft managed to shut down the infamous Rustock botnet - responsible for the majority of spam sent on behalf of Spamit - via some extremely strategic legal and subsequently technical means. That led to a massive drop in spam of any sort (but especially fake pharma) being greatly, greatly reduced. It's also more recently led to a very public notification to the public, especially in Russia, where most recently they've offered a new $250,000 reward for the "identification, arrest and criminal conviction of whoever is responsible" for the Rustock botnet. (If you know who it is, you can file your own report at avreward[at]microsoft[ot]com.)

This is a big deal to anyone who has been researching spamming via botnets, since Rustock was the botnet responsible for the vast majority of this spam.

Since Rustock was shut down, the statistics for spam overall have seen a dramatic drop. I mean a seriously dramatic drop. It's still there (there are other botnets of course) but it's nowhere near the high volume enterprise that it once was. This is a monumental shift from how things were even a year or so ago, but especially when compared with spam volumes from 2006 through 2010.

As previously mentioned, Spamit themselves pulled the plug on their fake pharmacy affiliate program in October of 2010. Very shortly after this, the alleged owner and operator of Spamit (and, one might logically assume, Glavmed) - Igor Gusev - fled Russia where he began a blog outlining the criminal activities of Russian payment processor Chronopay. Renowned security blogger Brian Krebs has written about all of this at great length, and continues to cover more recent legal activity against Chronopay and its (now former) CEO, Pavel Vrublevsky.

I haven't written about any of that here, again because it's been covered in extremely deep detail by both Russian and North American bloggers and journalists. The litany of public leaks of internal Chronopay emails, documents and other items between 2010 and 2011 has been breathtaking and it most recently led to a large scale raid of the Chronopay offices, and the arrest of Mr. Vrublevsky. That is pretty huge news and I encourage any of my readers to dig into the stories covering that raid and the previous links because it's a pretty big eye openener into one of the largest online criminal operations I've seen in my time covering this subject. The leaked documents have revealed that Chronopay was the operator of one of the first taregted Mac-only fake antivirus scams, MacDefender, and further shows that Chronopay's direct statement insisting that they had no relationship with MacDefender whatsoever was an outright lie. The leaked documents further outline Chronopay as a company creating several new companies specifically to sell other types of fake antivirus "products" over many months. Vrublevsky is the co-founder of one of the larger fake pharmacy operations known as RX-Promotion. Rx-Promotion was formerly in third place after Spamit and what is now known as Eva Pharmacy (formerly and Since the raids, no longer resolves, and other criminal online programs which used Chronopay as their payment processor (notably, other fake-antivirus affiliate groups) have had to recently announce that they were no longer able to pay affiliates in a timely manner.

In the midst of all of this, Pavel Vrublevsky is arrested for having ordered or engaged in a DDOS attack against his competitors.

An additional interesting occurrence was the publishing of a couple of very well-researched reports and the subsequent widespread publicity of the same. Two very gifted researchers at the University of California at San Diego published two reports - "Click Trajectories: End-to-End Analysis of the Spam Value Chain" and "Show Me the Money: Characterizing Spam-advertised Revenue" - which I cannot recommend more strongly as a must-read for anyone interested in discovering how an online criminal spam operation works and who profits from them. These two scholarly reports, each of which have been linked to, Slashdotted, quoted, reported on by the New York Times and many other large-scale media organizations, investigate in very great detail and organize the research into every facet of how a typical criminally-run spam operation works.

So what does this mean for the spam landscape? Generally it appears that spamming, as a scummy way of making money, is way down the list of things a burgeoning online criminal or otherwise unscrupulous "marketing" affiliate would choose to engage in. In fact, forum spamming - euphemistically referred to as "SEO marketing" - has very quickly come in to take its place. There are numerous existing researchers and monitoring operations which report on this activity, and many companies such as Google (especially Google!) have already begun to put processes in place to make this type of search engine gaming less and less effective.

Based on feedback from many individuals out there, the majority of email spam that now routinely appears in anyone's mailbox (if indeed it appears there at all, given how good some spam filters have become, again most notably Gmail's) are for Nigerian scams. This has to mean that whoever is still sending any volume of spam today has definitely run short on options of what to send their stolen or harvested lists of recipients. That's mostly a good sign, since there's a lot of very public stories about how to avoid Nigerian scams, and most of the content of the messages promoting these scams haven't changed significantly since 2003.

Today, for the first time in several years, I received a stock spam message. I can only see this as a further indication of outright desperation on the part of whoever's lists I'm on. Stock spam, when it was sent regularly at all (2006 through 2008) only rose in volume once some facet of a fake pharmacy operation experienced major issues either in terms of their ability to keep sites up or to process transactions. Receiving a single stock spam message in the current climate, when most people are seeing very small numbers of pharma or replica watch spam, is something I personally see as a cry for help.

So: taken together we see several fairly big breakthroughs in only the past 10 months or so:

  • Spamit closes their doors
  • Spamit operator (Igor Gusev) flees
  • Gusev starts an anti-Chronopay blog
  • Numerous sources leak internal emails and lots of internal documentation from Chronopay
  • Many researchers and bloggers, Russian and otherwise, examine and report on findings from the leaked Chronopay documents and emails
  • Chronopay is linked to RX-Promotion directly
  • Chronopay is linked directly to one or more fake antivirus scams
  • Chronopay is identified as the payment processor of choice for numerous other fake antivirus scams
  • The Rustock botnet is shut down via legal and technical efforts from Microsoft
  • The creator of the Rustock botnet is currently a wanted man, and has a new bounty on his head
  • Chronopay offices are raided and its CEO, Pavel Brublevsky, is arrested for DDOS attacks against his competitors
  • Several fake-antivirus affiliate programs indicate that they can no longer process payments for their affiliates
  • RX-Promotion's website and affiliate portal shut down with no public explanation (but we can all take a wild guess.)

That's a lot of activity in such a short amount of time. In all the years I've been researching the multitude of online criminal activities, this is the first year where it looks like the options for online criminals are finally dwindling. It hasn't disappeared completely, and I don't think I should ever expect that to happen. But the fight against the people who thrive on this illicit activity is turning a corner.

I'd like to add a separate item which is mostly speculation on my part. Since the recent devastating earthquake in New Zealand, spamming for a variety of fake pharmacy, "herbal" penis enlargement, diet and fake replica products have seen a massive decrease as well. These were all products which were virtually identical to ones previously promoted via the former "AffKing" affiliate program, operated by Shane and Lance Atkinson, who both still have restraining orders and very heavy fines against them for promoting those products via spam (well: and for the products being, you know, fake.) The spam hasn't stopped 100% but it's clear that the earthquake affected the ability for this particular type of spam to be sent.

My involvement in the exposition of these operations has been reduced mostly due to my desire to get the proper research into the hands of people who can accelerate the fight against this activity. That's proven to be the best use of my time over the past couple of years. I still research it. I still document what I find. I still participate in the many online communities which engage in this research, sharing ideas, discovering how things work in the online criminal world. But my use of this research is better served by being shared with broader groups of researchers, and it's encouraging to see so many more researchers (or even better: large groups of researchers) who are making a difference with the data they uncover.

I think it will be interesting to see if certain parts of the spam landscape resuscitate themselves or not, or if they morph into some newer or unexpected form of scammy operation. I also think it is heartening to know that a large number of career spammers are now left with far less of their regular illicit income, and most importantly that law enforcement agencies, internationally, are working together to get this activity shut down on a very large scale.

If I do have more to report I definitely will do so, even if that means I ultimately link to someone else's report. The battle continues, and from where I sit I hope that you would agree that the developments in that battle have been very interesting indeed.

SiL / IKS / concerned citizen

No comments: