Spam Nation (25 page)

When the attackers allied with Stophaus decided that they were not going to be able to bring down CloudFlare, which Spamhaus had hired to protect it from DDoS assaults, they began pelting the “peering points” at which Internet networks exchange traffic, including Internet exchanges in London, Amsterdam, Frankfurt, and Hong Kong.

The
New
York
Times
reported that authorities in Spain later arrested Sven Olaf Kamphuis, a thirty-five-year-old Dutch man thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus and media reports, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. The
Guardian
reported that Kamphuis was extradited to the Netherlands, but there is no indication that he is being prosecuted for crimes there. Kamphuis denies being involved in the attack and said he was merely acting as a press contact for CB3ROB/Cyberbunker.

The Stophaus assault was the loudest and latest reminder that such weapons of mass disruption are readily and freely available today to any person or organization that chooses to wield them. The attack that hit Spamhaus—known as a DNS reflection and amplification attack—leveraged unmanaged domain name system (DNS) servers on the web to create huge traffic floods intended to intimidate and silence targets.

To understand the significance of this, here’s a bit of background. DNS servers act as the white pages of the Internet, transforming or “resolving” human-friendly domain names like example.com into numeric network addresses used by computers. Typically, DNS servers only provide services to machines within a trusted domain, in this case example.com. But DNS reflection attacks rely on consumer and business Internet routers that are configured to accept queries from
anywhere on the web. Attackers can send spoofed DNS queries to these so-called “open recursive” DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The amplification part of the attack takes advantage of the ability to craft DNS queries so that the responses are much bigger than the requests. They do this by leveraging an extension to the DNS standard that enables large DNS messages. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is sixty to seventy times as large. This amplification effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

The good news is that Internet and security experts have long understood how to block these extraordinarily powerful attacks. “Indeed, a number of computer security specialists pointed out that the attacks would have been impossible if the world’s major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets,” wrote John Markoff and Nicole Perlroth of the
New
York
Times
.

The bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago, said Rodney Joffe, senior vice president and senior technologist at Neustar, a security company that also helps clients weather huge online attacks. Joffe estimates that there are approximately 25 million misconfigured or antiquated home and business routers that can be abused in these digital sieges. Most of these are home routers supplied by ISPs or misconfigured business routers, but a great many of the devices are at ISPs in developing countries or at Internet providers that see no economic upside to spending money for the greater good of the Internet.

“In almost all cases, it’s an option that’s configurable by the ISP, but you have to get the ISP to do it,” Joffe said. “Many of these ISPs are on very thin margins and have no interest in going through the process
of protecting their end users—or the rest of the Internet’s users, for that matter.”

And therein lies the problem. Not long ago, if a spammer or hacker wanted to launch a massive Internet attack, he had to assemble a huge botnet that included legions of hacked PCs. These days, such an attacker need not build such a huge bot army. Armed with just a few hundred bot-infected PCs, Joffe said, attackers today can take down nearly any target on the Internet, thanks to the millions of misconfigured Internet routers that are ready to be conscripted into the attack at a moment’s notice.

“If the bad guys launch an attack, they might start off by abusing 20,000 of these misconfigured servers, and if the target is still up and online, they’ll increase it to 50,000,” Joffe said. “In most cases, they only need to go to 100,000 to take the bigger sites offline, but there are 25 million of these available.”

Chapter 11

Nine months after my icebreaker cruise on the Russian trip to meet Vrublevsky, I found myself again gazing out at the starry night sky, standing on the deck of another large ship in a foreign country. This time, it was on the upper deck of an aging cruise liner that was docked at the harbor in downtown Rotterdam.

On the other side of the frosted porthole windows, a big band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on the turf war between Gusev and Vrublevsky. The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but only in a private setting.

My hands had grown so cold that I could no longer hold on to my beer glass, which was glazing with ice. I set the glass down on the ledge, and at the same time heard the thick steel door swing open behind me, squeaking loudly on its hinges. Stepping out into the night air, a woman from the conference approached, formally presented the three men following behind her, and then hurried back inside to the warmth of the reception.

A middle-aged stocky fellow introduced as the senior FSB officer
spoke in Russian, while a younger gentleman translated into English between drags on a Marlboro. They asked, did I know anything about a company in Moscow called “Onelia”? I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cybercriminal enterprises.

Later that evening, back at my hotel room, I searched online for details about the company but came up dry. I considered asking some of my best sources in Russia what they knew about Onelia. But a voice inside my head warned that the FSB agents may have been hoping I’d do just that. They would be able to divine who my sources were when those individuals began making inquiries about a mysterious (and probably fictitious) firm called Onelia.

My paranoia got the best of me, and I shelved the information. That is, until several months later, when I discovered that Onelia (turns out it is more commonly spelled Oneliya) was the name of the limited liability company behind Gateline.net, the credit card processor that processed tens of thousands of customer transactions for SpamIt and Rx-Promotion.

Gateline.net states that the company’s services are used by firms across a variety of industries, including those in tourism, airline tickets, mobile phones, and virtual currencies. But according to payment and affiliate records leaked from both SpamIt and Rx-Promotion, Gateline also used to process most of the rogue pharmacy site purchases promoted by spammers working for the two programs.

The connection between Gateline and the spam programs is supported by chat logs seized in 2011 by Russian investigators who were looking into SpamIt. Those logs show hundreds of conversations between SpamIt co-owner Dmitry “SaintD” Stupin and a Gateline administrator, Nikolai Victorovich Illin, who used the nickname “Shaman” ([email protected]) and was referred to as “Nikolai,” or the diminutive form, “Kolya.” The logs show more than 205 conversations between Shaman and Stupin from 2007 to 2010.

The leaked Stupin chats suggest that Shaman held enormous sway over the day-to-day operations of SpamIt. The pharmacy spam sponsor had great difficulty offering buyers the ability to pay by MasterCard, mainly because MasterCard seems to have been far more vigilant than Visa about policing the use of its services by rogue online pharmacies. The payment records of SpamIt indicate that Shaman received a sizable cut (about 8 percent) from all sales processed by the SpamIt pharmacies, and that he sometimes earned tens of thousands of dollars per week for his services.

In the following chat between Shaman and Stupin, recorded November 23, 2009, Shaman chastises Stupin for not being more aware of transactions that they believed were from undercover buys made by MasterCard fraud investigators. At the beginning of the chat, Shaman posts a link to a story about the criminal case opened by Russian investigators into SpamIt and Stupin’s copartner, Igor Gusev.

SHAMAN
: www.runewsweek.ru/country/31283/

STUPIN
: Yep, yep.

SHAMAN
: I’d suggest you not to advertise (PR) banks too much.

STUPIN
: We need it the least.

SHAMAN
: Otherwise, the entire business will go down. There has been something like that already.

STUPIN
: Igor is trying to remove those posts.

SHAMAN
: Okay. What’s the deal with information wars? We have to stop this thing somehow. You’ll destroy the whole business.

STUPIN
: We will??? There has been not a single post from us. Igor is removing them all the time. We are not doing anything else.

SHAMAN
: Stop responding to him in forum posts and RedEye will calm down.

STUPIN
: I will ask Igor whether he has been responding. If he has—I will ask him to stop doing it.

SHAMAN
: [Pointing out an email address that apparently belonged to a MasterCard fraud investigator] Kill this asshole—he is MasterCard’s officer [employee]. He made a purchase. www.iacva.org/PDF/William%20Hanlin.pdf

SHAMAN
: Be more attentive with the batch. Kill these as well: Charles Wilson, Stephen Carpenter, Fredric Manger, Sandro Racheli…

SHAMAN
: What’s going on with you?

STUPIN
: Our programmers are checking what’s happened. This should not be happening.

When I met with the FSB officers, the noose was already beginning to tighten around Vrublevsky, and Gusev had long ago closed SpamIt and effectively scuttled GlavMed. Now, it appeared that the FSB was taking aim at the financial infrastructure that served both competing pharmacy partnerkas, as well as other rogue online pharmacy programs.

Vrublevsky and Gusev’s Pharma Wars were extremely costly for the spam industry, and their internecine war cost everyone in their business plenty. The two are now widely reviled on cybercrime forums
for costing spammers tens of millions of dollars in profits, and for focusing attention from law-enforcement officials and security experts on individual spammers.

“These two fuckers killed the spam business,” Vishnevsky said in a May 2012 interview. “It was never super profitable for most guys; maybe five to ten guys earned really good money with spam. But after Pavel and Gusev started their war, everyone started thinking that every spammer is a millionaire and started hunting for spam and spammers.”

Vishnevsky complained that as the revenues from his spam business dwindled, he was forced to take a second legitimate or “white” job to supplement his “black” deeds. He still sells his spam software to numerous other spammers, but he also now serves as a system administrator of a local company in Moscow, essentially being paid to defend against some of the threats he is helping to deploy with his spam business.

But his spam business is definitely way down since the golden years of pre-and post-McColo. It’s not that spamming somehow became a more dangerous activity in Russia. Rather, Vishnevsky is having trouble attracting and retaining talented programmers to help maintain his spam business. Legitimate high-tech and well-paying programming jobs are increasingly available to talented coders in Moscow, and many of his longtime employees have been hired away to legitimate jobs in Moscow’s young but promising tech sector.

“Many representatives of the underground can’t find good coders now, because their salaries in Moscow are much more than you can earn with spam,” Vishnevsky said. “This business went to shit when Pasha [Vrublevsky] got busted. If Pasha and Gusev [had] not start[ed] that stupid war, everyone would be much happier.”

Vishnevsky’s criticism may be harsh, but it is hardly an exaggeration. The spam industry has indeed taken a huge hit in the past few years. Prior to SpamIt’s closure in October 2010, the volume of spam sent worldwide each day hovered at around 5.5 billion messages. Since SpamIt’s closure, however, the volume of global spam sent daily has
been in marked decline. According to Symantec, by March 2011, spam levels had fallen to just over one billion junk messages per day, and the total has hovered at or very close to that diminished level ever since.

Spam remains a major problem, but it has moved much farther underground, and the major players seem to be quite a bit more circumspect in their activities. Of course, the turf war between Gusev and Vrublevsky was only one (albeit considerable) contributor to the decline of the spam economy. If the spam industry has become less attractive for would-be cybercriminals, that may have something to do with a series of targeted takedowns against major spam botnets over the past several years.

Here are a few other notable takedowns that targeted botnet operators and their crime machines:

•
In May 2009, the Federal Trade Commission convinced a court to force Internet providers to stop routing traffic for 3FN, a hosting provider in Northern California that had been identified by investigators and the FTC as a major source of harmful content online. Vrublevsky’s forum Crutop.nu was hosted there and forced to find a new home after 3FN’s closure.