Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
In a phone interview one month after Operation Pangea, Vrublevsky told me he contacted the RAEC leaders to make fun of them for participating in the copyright and trademark forum.
Unsurprisingly, the copyright owners—particularly from the movie industry—threatened RAEC members like Vkontakte (a Russian version of Facebook) and mail.ru (a webmail provider) that unless they removed all rights-infringing materials, law enforcement would get involved, Vrublevsky said. “I heard about this and called those RAEC dudes and said, ‘Hey, how much brains do you need to have not to go to a meeting with rights holders called, ‘Say No to a Thief’?”
Later in 2010, RAEC sent an official letter addressed to Victoria Espinel, the Obama administration’s intellectual property enforcement coordinator. The letter—which also was sent to top officials at Google, Microsoft, the National Association of Boards of Pharmacy, and LegitScript—offered the Russian hi-tech industry’s help with anti-spam efforts and with future initiatives aimed at stamping out rogue Internet pharmacies.
The letter claimed that the economic loss in Russia caused by spam was $450 million in 2009, and that as a result, Russia was hard at work crafting its own anti-spam laws. RAEC didn’t mention that the man who cofounded the rogue Internet pharmacy targeted in the American government’s recent Pangea effort was also in charge of the Russian government committee responsible for recommending ways to draw up those anti-spam laws.
RAEC officials closed the letter by offering to host a closed-circuit videoconference bridge with officials from the Obama administration and the technology industry, “during which we could discuss the available results of researches, the current matters, the initiatives, and opportunities for joint actions dedicated to the stabilization of [the] situation in the area of cybercrime in general, and in relation to the pharmaceutical spam in particular.”
LegitScript President John Horton said his immediate reaction upon receiving a copy of the letter was to contact the FDA and Espinel.
“I said, ‘I’m sure you guys know about what’s going on with ChronoPay,’ and it turns out they did,” Horton said. “I also emailed Victoria [Espinel] and told her my informal suggestion was not to respond to the letter.”
In mid-August 2010, Andrew J. Klein, President Obama’s senior adviser for intellectual enforcement, invited leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House to discuss voluntary ways to shutter websites selling counterfeit prescription drugs.
The invitation was sent via email to dozens of executives and attorneys at some of the world’s largest Internet companies, including Google, Microsoft, PayPal, Visa, and Yahoo! The recipients were invited to attend a meeting on September 29 with senior White House and Cabinet officials, including Victoria Espinel.
“The purpose of this meeting is to discuss illegal activity taking place over the Internet generally and, more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications online,” the invitation stated.
Multiple people who attended the event called it more of an ambush than a collaborative meeting of the minds to solve a tough problem, and said that Espinel essentially told attendees that they needed to work out a voluntary approach—or else.
“She basically got a bunch of big brand holders in the room to say, ‘You guys need to do something about this or something will be done to you,’” UCSD’s Savage said, recalling a conversation with an attendee.
Though few knew about it at the time, one of the firms invited—Google—was already under criminal investigation by the U.S. Justice Department for actively courting fake Canadian pharmacies—including many rogue Internet pharmacies created by SpamIt and Rx-Promotion—to advertise drugs for distribution in the United States.
The implications of this case were huge. One of the ways that affiliates for GlavMed promoted their pharmacy sites was by hacking websites. Affiliates would insert dozens of links and even entire web pages into hacked sites that redirected visitors to sites peddling knockoff prescription drugs. The more hacked legitimate sites that affiliates had pointing to their pharmacy stores, the greater their ranking would be in the major search engine results when consumers searched for specific drug names. This process—known in the underground as “black search engine optimization,” or “black SEO” for short—was a major driver of pharmacy sales for affiliates of both Rx-Promotion and GlavMed-SpamIt.
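The injected-link technique described above, seen from the site owner's side: an added example (not from the book or any project it mentions) that scans a page's HTML for concealed outbound anchors carrying pharmacy keywords, the kind of content affiliates planted on hacked sites to lift their stores' search rankings. The hostnames, the keyword watch-list and the sample HTML are constructed for the example.

```python
"""Flag hidden, injected outbound links of the kind black-SEO affiliates
planted on hacked sites: anchors inside concealed containers (display:none,
visibility:hidden, off-screen positioning) or pointing at pharmacy keywords."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PHARMA_TERMS = ("viagra", "cialis", "pharmacy", "pills")  # assumed watch-list
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}  # never closed


class InjectedLinkScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []          # one bool per open tag: is it concealed?
        self.hidden_depth = 0    # > 0 while inside a concealed container
        self.current_href = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in VOID_TAGS:
            hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
            self.stack.append(hidden)
            self.hidden_depth += hidden
        if tag == "a" and a.get("href"):
            self.current_href = a["href"]

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack and self.stack.pop():
            self.hidden_depth -= 1
        if tag == "a":
            self.current_href = None

    def handle_data(self, data):
        if self.current_href is None:
            return
        host = urlparse(self.current_href).netloc.lower()
        external = bool(host) and host != self.site_host
        pharma = any(t in (data + " " + self.current_href).lower()
                     for t in PHARMA_TERMS)
        if external and (self.hidden_depth > 0 or pharma):
            self.findings.append({"href": self.current_href,
                                  "hidden": self.hidden_depth > 0,
                                  "pharma": pharma})
            self.current_href = None  # report each anchor once


def scan(html, site_host):
    """Return the suspicious anchors found in html for a site at site_host."""
    p = InjectedLinkScanner(site_host)
    p.feed(html)
    return p.findings


SAMPLE = """<html><body><h1>Town bakery</h1>
<a href="https://example-bakery.test/menu">Our menu</a>
<div style="position:absolute; left:-9999px">
  <a href="http://cheap-pills.example/viagra">buy viagra online</a>
</div>
<a href="https://partner.example/about">Partner site</a></body></html>"""
```

Running `scan(SAMPLE, "example-bakery.test")` reports only the off-screen pharmacy link; the bakery's own menu link and the visible, non-pharma partner link pass.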
It was bad enough that Google’s search results were constantly being gamed by spammers. For Google to also be taking money from unregulated and potentially spammer-affiliated online pharmacies was beyond the pale. According to the Justice Department, Google was aware as early as 2003 that Canadian pharmacies were illegally shipping prescription drugs into the United States.
Google would later settle criminal charges in connection with the case and agree to pay a whopping $500 million in fines. One of the largest forfeitures ever paid to the Justice Department, the fine was intended to represent the company’s advertising revenue from the Canadian pharmacies and the revenue the pharmacies received from American customers buying controlled drugs.
Less than two months after the White House meeting, Espinel stood at the podium in a press conference at the White House. Flanked by U.S. Attorney General Eric Holder and then Department of Homeland Security Secretary Janet Napolitano, Espinel announced the creation of a new nonprofit entity to battle rogue Internet pharmacies.
“A group of founding private-sector partners announced today that they will form a new nonprofit to work with each other and the U.S. government to rid the Internet of illegal Internet pharmacies,” Espinel explained, naming the nonprofit members as American Express, eNom, GoDaddy, Google, MasterCard, Microsoft, Network Solutions, Neustar, PayPal, Visa, and Yahoo.
“This group of companies has taken an extraordinary and unprecedented step to combat illegal online pharmacies,” Espinel told a packed press room and CNN cameras. “We believe this will have a rapid and dramatic effect on illegal online pharmacies. This will change the rules of the road and make clear that legitimate companies will not interact with criminal actors.”
There was only one problem with the whole announcement. Few at the companies named as members could remember having agreed to form such a nonprofit.
“Prior to that news conference, the participants from those companies had a roundtable conference call to talk about it, but nobody went into that meeting planning to agree to form that group,” Warner said. “The people I spoke to who watched that announcement saying they’d agreed to form that group came out afterwards and were like, ‘We did?’”
Eighteen months after the creation of the nonprofit that was first announced by Espinel at the White House gathering, the group had yet to hold its first meeting. At the same time, the NIPR case was being closed. The Pfizer security chief’s warning would turn out to be eerily prescient. According to sources from two separate federal law-enforcement agencies who asked not to be identified because they were not authorized to speak on the record, the investigation into the core spammers and hackers employed by GlavMed and SpamIt was abandoned in part because most of the perpetrators were believed to be in Russia and former Soviet nations, countries that were typically less than cooperative with Western law-enforcement agencies seeking to apprehend cybercriminals within their borders.
Given the lack of interest by federal regulators in methodically testing drugs ordered through these fly-by-night online pharmacies, it remains unclear whether the bulk of these drugs contain adequate amounts of the active ingredients without also mixing in harmful contaminants that could hurt or even kill people who ingest them.
This inaction appears to suit the pharmaceutical industry, which is wary of testing and getting results that might indicate that the vast majority of the prescription drugs ordered through spam are far cheaper and no less safe than the same pills ordered through a local pharmacy.
Unfortunately, the lack of objective data about the safety and efficacy of spam-ordered prescription drugs does little to dampen demand, while continuing to expose consumers to a dangerous game of Russian roulette.
Chapter 6
There’s a famous quote from Sun Tzu’s The Art of War that applies to my research and motivation for writing this book: “Know your enemy.” Indeed, with some understanding of what motivates these spam pharmacies and their customers, it’s time to look at how spam operations actually work. The driving force behind the success of programs like GlavMed and Rx-Promotion—and the engine that propels virtually every cybercriminal collaborative effort—is an arrangement known in Russia as the partnerka—literally, a “partnership.” Partnerkas such as GlavMed and Rx-Promotion seek to match dodgy advertisers with businesses that are willing to purchase the web traffic that can be generated through spam.
Many legitimate businesses that are searching for more customers—principally small businesses based in Russia and Eastern Europe—will try to raise awareness of and demand for their products or services by hiring a spammer. While using hacked computers to send junk email is technically illegal in Russia, many legitimate businesses there remain unaware or unafraid of this prohibition.
Indeed, as we’ll see in Chapter 7, our “Virgil” in the spammer underworld—Cutwail botnet bankroller Igor Vishnevsky—got his start in spamming when his boss ordered him to figure out how to drive more traffic to his heating company’s website.
In fact, when the Cutwail spam botnet is used to send spam to email addresses ending in “.ru,” the messages very often include a Russian phone number where recipients can inquire about ordering spam advertisements for their own products and services.
“I’ve seen pretty much everything from e-cigarettes to office space to resorts advertised in this way,” said Brett Stone-Gross, a University of California researcher who has studied the Cutwail botnet’s operation for years.
In a typical spam partnerka, the individuals who run the operation—the sponsors—assume responsibility for coordinating and maintaining almost every aspect of the business, from the web content to customer service, to negotiating with suppliers and setting up the web servers and domain names needed to advertise the product for sale.
The only role of the spammers (sometimes referred to as “adverts” or “traffers”) is to drive traffic to the websites where the goods advertised in the spam are sold, and they can walk away from the deal at any time. Spammers are typically paid commissions that equal 30 to 35 percent of the total sales generated by their traffic. It’s a fairly lucrative business for them, provided their traffic actually generates paying customers.
This dynamic of partnerka systems allows the sponsors to maintain a safe distance (in theory, at least) from the more illicit aspects of the spam business—which typically uses hacked PCs by the thousands to relay spam and to host pharmacy websites. The adverts benefit from the arrangement by being able to quickly unplug their traffic from one partnerka program in favor of another that may offer more attractive terms—such as higher commissions, better customer service, and greater product selection—that increase their likelihood of attracting customers through their spam. And there are multiple types of partnerships, including those that peddle replica watches, porn, knockoff designer handbags, and fake antivirus software as well as pharma spam. When spam emails show up in your inbox or get caught by your firewall, spam filter, or antivirus software, they’re likely from one of these partnerkas.
Technology and security experts like to talk about these partnerkas as “organized cybercrime.” But according to UCSD’s Stefan Savage, partnerka systems are more accurately described as “disorganized crime”—that is, loosely affiliated networks of independent contractors, each of whom is essentially out to make a buck for himself and will only continue the partnership so long as it remains economically viable and competitive to do so.
“It’s really a brilliant business model on both sides,” said Savage, who has coauthored several long-term studies on various aspects of the partnerka economy, from spam to botnets. “On the affiliate side you don’t need to learn about all the stuff like payment processing and fulfillment; you just have to figure out how to get traffic. Also, you have a great deal of flexibility—if one partnership goes offline or has better rates, you can move to someone else. So the partnerka model really offers incredible mobility to the affiliate, because they’re not tied to anything.”
Savage said the partnerka programs themselves benefit from the arrangement by not having to deal with the potential risks of being technically associated with botnets and other inventive yet potentially harmful (and legally murky) ways that their spammers may dream up to generate traffic.
“It’s a win for the affiliate program because they don’t need to make a bet on what’s the best way to get traffic,” he said. “The affiliate program says, ‘Most of these guys [the spammers] are going to get screwed, but I don’t care because I pay on a commission basis only. Someone is going to get this right, and when they do, I’ll make money off of it.’”
As a result of the partnerka dynamic, most spammers also have no allegiance to any one pharmacy partnerka program. For example, almost all top spammers for both GlavMed and Rx-Promotion partnered with at least a half-dozen other pharmacy partnerkas, including EvaPharmacy, Bulker.biz, Rx-Partners, and Mailien. This dynamic presents perhaps the most frustrating problem of all for anti-spam crusaders trying to stem the flow of junk email. Much as squeezing an inflated balloon doesn’t make the balloon any smaller but instead merely displaces the air into new bulges, anti-spam campaigns that succeed in shuttering one partnerka or a major component of that operation often result in the most successful affiliates simply shifting their spam traffic to competing partnerkas.