Saturday, December 31, 2011

SiL's 2011 Year-End Recap

Well here we are. The end of the year has arrived and again there is a lot to recap in terms of the ongoing fight against online crime in all its forms.

2011 was a busy year in terms of law enforcement action against predominantly overseas spamming criminals, and also for further leaks of valuable data, chat logs, email accounts and other information that exposed the inner workings of several mostly Russian spam operations. This is a continuation of the same leaks and law enforcement action which we saw in 2010. It also was a year that saw unprecedented cooperation between several international law enforcement agencies to shut down everything from botnets to financial fraud gangs to fake pharmaceutical manufacturers and promoters. There were also some incredibly detailed and in-depth investigative reports into the financial operations of large-scale pharmacy spam operations. So well done to all law enforcement agencies and investigators for an incredibly successful year.

Spam is still with us, but it's swiftly becoming a less popular and riskier method of making a quick buck. This is all good to see.

So here we go. Get some popcorn, enjoy, and have a happy new year.

Jan. | Feb. | Mar. | Apr. | May | Jun. | Jul. | Aug. | Sep. | Oct. | Nov. | Dec.

  • On Jan. 20th, an insightful article is posted on by Svetlana Kononova. The article outlines several new trends in online crime originating from Russia, and makes specific mention of the demise of the criminal online pharmacy affiliate program Spamit.
  • On Jan. 26th it is announced via several media outlets that Russian hosting company Volgahost was de-peered from the internet by their upstream provider. This is due to several investigations identifying VolgaHost as a source of a great deal of online criminal activity, including the command and control setups for several botnets, among them several Zeus botnets. January is already off to a great start.
  • The same day, an article in the New Zealand Herald announces that an unnamed 32-year-old Chinese man has been arrested in Auckland, New Zealand, charged with international distribution of counterfeit drugs. This followed a three-year investigation by the Auckland Metro Crime and Operations Support (AMCOS).
  • A headline in the Toronto Star announces "Canada no longer synonymous with spam". It's an odd "consumer affairs" piece, but it does outline the difficulties of trying to run a genuine online pharmacy from Canada against the unending barrage of fake, Russia-based, criminally operated sites.
  • On Jan. 28th, social networking website Facebook is awarded $360,500,000.00 USD in statutory damages as the result of charges of spamming activity against the site by one Philip Porembski. This is the third major award to be granted by a court in Facebook's favor since it started going after spammers on its site in 2006. As for actually collecting the money? That's another story. But it continues to set a very strong precedent for any future spammers who think that Facebook is still worth flooding with spam.
  • In the "gift that keeps on giving" department, on Feb. 7th it is announced that Gregg Burger of Yonkers, New York has been arrested for acting as convicted stock spammer Alan Ralsky's stock broker. The SEC has also filed fraud and other charges against Burger and 10 other accomplices. Burger faces up to 25 years in prison and significant fines if convicted. (No follow-up story has been posted regarding this case.) See also the SEC Filing.
  • On Feb. 17th, another court action is announced, this time against repeat spamming offender Brendan Battles. The Australia Dept. of Internal Affairs seeks penalties of $200,000 AUD against Battles, and $500,000 AUD against his company, Image Marketing Group Limited. The court alleges that sent nearly 45,000 SMS text messages to Vodafone mobile customers in March of 2009, and later also engaged in email spamming. This makes the fifth year in a row where Mr. Battles has either been publicly exposed as a repeat spammer or has been charged directly.
  • In what would be the first of a series of great, great articles from Brian Krebs throughout 2011, on Feb. 21st "Krebs On Security" publishes an interview with renowned Chronopay operator Pavel Vrublevsky. The story is insightful, and inevitably outlines a raid on a party held by Russian online pharmacy "RX-Promotion". It's an insightful read, and marks the beginning of a lot of unwanted exposure for Vrublevsky throughout 2011.
  • On Feb. 24th the US Federal Trade Commission (FTC) asks a court to shut down a high volume text message spamming operation run by a man named Phillip A. Flora. [Court document PDF]. According to the court document, "During one 40-day period, beginning in August 2009, Flora's operation sent more than 5.5 million spam texts, a "mind boggling" rate of about 85 a minute".
  • Also on Feb. 24th, Krebs On Security posts a pair of engaging articles about the twin illicit online pharmacy affiliate programs Spamit and Glavmed. (Spamit as most of you will remember shuttered its operation in October 2010.) This begins a series he titles "Pharma Wars". The first article outlines how Spamit came to be investigated by law enforcement and others, and also makes a connection between the leak of Spamit data and Pavel Vrublevsky. The other documents a large-scale leak of the entire Spamit database in mid-2010 by someone named "Despduck". The database makes clear that both programs were operated and maintained by the same people, and generated millions of dollars of illegal profits from the sale of fake pharmaceutical products. This is a good peek behind the scenes of how a large-scale pharmacy spam operation works and how much money is generated from their illegal spamming activity.
  • In what appears to be a dubious article from Feb. 26th, TechWorld reports that China has been effectively clamping down on spam activity within its borders. Eight months later, we all still continue to see all kinds of spam volume originating from China, but the report is correct in stating that its activity has "dropped" compared to previous years.
  • On Mar. 3rd, Wired Magazine's "Epicenter" blog reports on the release of career spammer Robert Soloway from federal prison, following his three-year sentence. Soloway makes it clear that he is never going to spam again.
  • Also on Mar. 3rd, Krebs on Security posts another in a series of investigative articles regarding Chronopay and its involvement in the rogue antivirus / scareware industry, something Chronopay appears to support a great deal. In retaliation, a childish "press release" is sent to numerous security blogs, notably F-Secure, making the ridiculous claim that Brian Krebs and "his boyfriend", F-Secure's Mikko Hyppönen, had both been "arrested" in relation to an online credit card theft ring. Absolutely nobody takes the article seriously, and sites which published the fake story immediately retract it. This is a good indication that the accurate reporting of Mr. Krebs is definitely ruffling all the right feathers.
  • On Apr. 3rd, Krebs on Security posts a story about another in a continuing series of large-scale data leaks, this time affecting customers of supermarket giant "Kroger Co." In this case the compromise was the result of criminal activity, but throughout 2011 various groups of online hacktivists, notably "LulzSec", would repeatedly, publicly release numerous large caches of data to illustrate the lack of security in place at common companies used by millions of people every day.
  • On Apr. 8th, German news website Welt Online publishes a story about the dismantling [Google Translation] of a fake pharmacy site operated in Potsdam, Germany. The fake pharmacy generated "at least 18 million euros" in earnings.
  • On Apr. 13th the US Dept. of Justice posts a press release announcing that the DOJ and the FBI acted together to shut down the "Coreflood" botnet, which infected more than 2 million computers at the time of the action. This takedown was unique in that not only were the command and control (C&C) servers taken over by law enforcement, but law enforcement also used the seized C&C server to send commands to individual infected bot computers instructing them to stop sending any further data and to shut down. They also provided large lists of infected IP addresses to the respective Internet Service Providers so that the customers behind them could be notified of the infection of their computers, and what steps to take to remove the infection. This was an unprecedented legal action and would raise the bar for several future botnet shutdowns in 2011. This story was widely covered by numerous news outlets, blogs and websites, notably Reuters, Krebs on Security, ComputerWorld and Slashdot.
  • On Apr. 19th, the FTC and other US federal regulators filed a lawsuit against a series of "online marketers" for fraudulently creating fake "news websites" used in spam campaigns to promote bogus Acai Berry weight loss products. They also charge that the claims made on these fake sites are completely false and represent a definite danger to consumers. Despite this action, we all continue to see this exact same "fake news website" technique used to promote numerous completely bogus "make money for free at home" websites via spam.
  • On May 23rd, an in-depth report authored by a team of researchers at the University of California at San Diego (UCSD) is published which essentially "follows the money" through a typical criminal online pharmacy affiliate operation, and identifies just three banks which process all of the orders. The paper, entitled "Click Trajectories: End-to-End Analysis of the Spam Value Chain", was presented at the IEEE Symposium on Security and Privacy in Oakland, Calif. This is by far some of the most effective reporting on the profit structure of an illegal online pharmacy. It further prompts a great deal of public investigation into the three banks which processed payments for this operation, notably Azerigazbank Joint-Stock Investment Bank in Baku, Azerbaijan.
  • McAfee publishes an insightful article in late May outlining how a "blackhat SEO" campaign (a.k.a.: forum spamming) can generate income from an illegal online pharmacy affiliate program.
  • Leonid "Leo" Kuvayev, renowned operator of numerous child porn sites and the "Mailien" criminal online pharmacy, "admits child abuse" on Jun. 1st in a court appearance after having been arrested back in December 2009. Police discovered a sex dungeon in a property of Kuvayev's while investigating him for illegal spam charges. He now faces up to 20 years in prison. More details, in Russian, available here.
  • On Jun. 2nd the UK's Telegraph reports that Google is publicly naming and shaming the Chinese government for "Spear phishing" as part of a series of attacks launched by China against Google's Gmail service in 2010. The Chinese government responds, calling Google's claims "unacceptable".
  • In some fairly major news, on Jun. 23rd, Russian authorities arrested Chronopay co-founder Pavel Vrublevsky "for allegedly hiring a hacker to attack his company’s rivals."
  • On Jul. 19th, Joseph Mercier, an IT security supervisor from Laval, Québec, Canada, is arrested by Canada's RCMP (the Canadian equivalent of the FBI) for "allegedly coordinating an international computer hacking scheme." Mercier essentially crafted his own botnet, including the malware itself, and managed to infect computers in several countries. The report doesn't make clear what the purpose of the botnet actually was, but one can most likely imagine.
  • Long-renowned career spammer Sanford Wallace is again charged with spamming activity, this time coupled with a phishing attack. "Spamford" has been indicted numerous times since the late 1990s for his ongoing, unrelenting, malicious spamming activities. More coverage here.
  • Brian Krebs continues his highly informative "Pharma Wars" investigative series with a posting on Aug. 19th which exposes a leaked chat session between Spamit owner and operator Igor Gusev and a senior member of his technical team, Dmitri Stupin.
  • On Aug. 20th, ICANN begins an investigation into domain registrar eNom and their parent company "Demand Media" for predominantly providing domain registration services to online criminal organizations. This was in reaction to a detailed report by identifying eNom as a preferred domain registrar for all manner of criminal activity for many years, referring to them as the #1 most abusive domain registrar.
  • In an interesting turn of events, Google forfeits $500 million USD on Aug. 24th, "generated from Canadian pharmacies targeting US customers through its AdWords program".
  • After years in legal limbo, the ill-fated lawsuit on behalf of E360 Insight against Spamhaus is vacated on Sep. 3rd, with the result being that Spamhaus must pay a total of $3.00 USD to E360, but also making E360 liable for all legal costs. The judgement document skewers E360 owner and plaintiff David Linhardt, calling his testimony throughout the lengthy trial process "inherently unreliable" and outlining several "systemic problems" with much of the financial information he produced during the trial.
  • With the year 2011 not yet over, Brendan Battles again shows up on the spamming radar, this time charged with selling 50,000 email addresses without the owners' permission. His company, the notorious "Image Marketing Group Limited", now faces a $700,000 AUD fine for selling the addresses to an unnamed "businessman" via (you guessed it) spam. "The businessman alleges that when he bought the database, IMG assured him it complied with the necessary legislation and the email holders had given their permission to be contacted, said senior investigator Toni Demetriou."
  • On Oct. 4th, Krebs on Security (among others) reports on the conviction of the 13th defendant from a group which operated a Zeus botnet for the purposes of financial fraud against numerous victims. All 13 members of this gang were indicted, arrested, and convicted of operating a Zeus botnet which resulted in the theft of £3 million ($4,657,050.00 USD) from banks in the UK between Sept. 2009 and Mar. 2010.
  • Also on Oct. 4th (quite the day!), INTERPOL announces the results of an unprecedented international law enforcement action code-named "Operation Pangea IV", which took place between Sept. 20th and 27th. "In the largest operation of its kind, 81 countries have taken part in an international week of action targeting the sale on the Internet of counterfeit and illegal medicines, resulting in dozens of arrests and the seizure of 2.4 million potentially harmful medicines worldwide worth USD 6.3 million." This is definitely one of the largest international law enforcement actions in years, and certainly the largest action related directly to spamming and illegal online pharmacies.
  • In a related story, domain registrar, in direct response to the INTERPOL actions, "shut down DNS resolution for hundreds of domains to cut off access to over 13,500 websites peddling fake pharmaceuticals."
  • In a great recap article, Ars Technica reports on Microsoft's combined efforts to target, trap and reduce spam traffic, specifically phishing, malware and other dangerous elements.
  • In another installment in his "Pharma Wars" series, on Nov. 11th Brian Krebs posts another leaked chat session between Igor Gusev and Dmitri Stupin. Not long after the story is posted, is the target of a sustained DDOS attack, which he subsequently reports on in some detail thanks to the investigative assistance of Joe Stewart from Dell Secureworks. The operators and affiliates of Spamit and Glavmed have to be suffering financially for them to take this kind of action against a security blog with such a wide readership.
  • On Dec. 16th, Krebs on Security reports that (among a few others) former Ukrainian General Verliu Gaichuk is arrested in Romania "suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms." This was another large-scale international law enforcement investigation which involved Romanian authorities, the FBI and Italian special forces. Since 2010 we have seen more and more of this type of coordinated international law enforcement cooperation, and it's very good to see.
  • On Dec. 8th, four Romanian nationals are indicted in the District of New Hampshire on charges of compromising the credit card data of more than 80,000 customers of the Subway restaurant chain - among others - covering nearly three and a half years. Three of the criminals were arrested and a fourth remains at large.

Happy Holidays everyone. Stay safe, and thanks again for reading.

SiL / IKS / concerned citizen