Future Tense

The Spam Wars

The Russian cybercrooks behind the digital threats in your inbox.

Illustration by Robert Neubecker

This essay is adapted from Spam Nation, by Brian Krebs, published by Sourcebooks.

The navy blue BMW 760 nosed up to the crosswalk at a traf­fic light in downtown Moscow. A black Porsche Cayenne pulled alongside. It was 2 p.m., Sunday, Sept. 2, 2007, and the normally congested streets adjacent to the storied Sukharevskaya Square were devoid of traffic, apart from the tour­ists and locals strolling the broad sidewalks on either side of the boulevard.

The driver of the BMW, a notorious local scam artist who went by the hacker nickname “Jaks,” had just become a father that day, and Jaks and his passenger had toasted the occasion with prodi­gious amounts of vodka. It was the perfect time and place to settle a simmering rivalry with the Porsche driver over whose ride was faster.

Now each driver revved his engine in an unspoken agree­ment to race the short, straight distance to the big city square directly ahead. As the signal flashed green, the squeal of rubber peeling off on concrete echoed hundreds of meters down in the main square.

Roaring past the midpoint of the race at more than 200 kilome­ters per hour, Jaks suddenly lost control, clipping the Porsche and careening into a huge metal lamppost. In an instant, the competition was over, with neither car the winner. The BMW was sliced in two, the Porsche a smoldering, crumpled wreck close by. The drivers of both cars crawled and limped away from the scene, but the BMW’s passenger—a promising 23-year-old Internet entrepreneur named Nikolai McColo—was killed instantly, his almost headless body pinned under the luxury car.

“Kolya,” as McColo was known to friends, was a minor celeb­rity in the cybercriminal underground, the youngest employee of a family-owned Internet hosting business that bore his last name—McColo Corp. At a time when law-enforcement agencies worldwide were just waking up to the financial and organizational threats from organized cybercrime, McColo Corp. had earned a reputation as a ground zero for it: a place where cybercrooks could reliably set up shop with little worry that their online invest­ments and schemes would be discovered or jeopardized by foreign law-enforcement investigators.

At the time of Kolya’s death, his family’s hosting provider was home base for the largest businesses on the planet engaged in pumping out junk email or “spam” via robot networks. Called “botnets” for short, these networks are collections of personal computers that have been hacked and seeded with malicious software—or “malware”—that lets the attackers control the systems from afar. Usually, the owners of these computers have no idea their machines have been taken hostage.

Nearly all of the botnets controlled from McColo were built to blast out the unsolicited junk spam advertisements that flood our inboxes and spam filters every day. But the servers at McColo weren’t generating and pumping spam themselves; that would attract too much attention from Internet vigilantes and Western law-enforcement agencies. Instead, they were merely used by the botmaster businesses to manipulate millions of PCs scattered around the globe into becoming spam-spewing zombies.

By the time paramedics had cleared the area of Kolya’s accident, gruesome images of the carnage were already being uploaded to secretive Russian Internet forums frequented by McColo’s friends and business clients. Among the first to broadcast the news of Kolya’s death were denizens of Crutop.nu, a Russian-language hacker forum that counted among its 8,000 members some of the world’s biggest spammers. The same Crutop.nu members who spread pictures and news of the incident were some of McColo’s most successful Web hosting customers, and many felt obligated (or were publicly shamed by forum administrators) to shell out funds to help Kolya’s family pay for his funeral expenses. This was a major event in the cybercrime underworld.

Days later, the motley crew of Moscow-based spammers would gather to pay their last respects at his service. The ceremony was held at the same church where Kolya had been baptized less than 23 years earlier. Among those in attendance were Igor “Desp” Gusev and Dmitry “SaintD” Stupin, co-administrators of SpamIt and GlavMed, until recently the world’s largest sponsors of spam.

Also at the service was Dmitry “Gugle” Nechvolod, then 25 years old and a hacker who was closely connected to the Cutwail botnet. Cutwail is a massive crime machine that has infected tens of millions of home computers around the globe and secretly seized control over them in order to spam. Nechvolod had already earned millions of dollars using the botnet to send junk email for GlavMed and SpamIt to millions of people around the world. To this day, Cutwail remains one of the largest and most active spam botnets.

So why is it important to note these three men’s presence at such a momentous event for cybercrime? Because their work (as well as Kolya’s and hundreds of others’) impacts every one of us every day in a strange but significant way: spam email.

Indeed, spam email has become the primary impetus for the development of malicious software—programs that strike comput­ers like yours and mine daily—and through them, target our identities, our security, our finances, families, and friends. These botnets are virtual parasites that require care and constant feeding to stay one step ahead of antivirus tools and security firms that work to dismantle the networks. To keep their bot colonies thriving, spammers (or botmasters—the term is interchangeable) must work constantly to spread and mutate the digital disorders that support them. Because antivirus programs routinely clean up infected PCs used to send spam, botnet operators need to contin­uously attack and seize control over additional computers and create new ways to infiltrate previously infected ones.

This technological arms race requires the development, produc­tion, and distribution of ever-stealthier malware that can evade constantly changing antivirus and anti-spam defenses. Therefore, the hackers at the throttle of these massive botnets also use spam as a form of self-preservation. The same botnets that spew plain old spam typically are used to distribute junk email containing new versions of the malware that helps spread the contagion. In addition, spammers often reinvest their earnings from spamming people into building better, stronger, and sneakier malicious software that can bypass antivirus and anti-spam software and firewalls. The spam ecosystem is a constantly evolving technologi­cal and sociological crime machine that feeds on itself.

Thus far, the criminals responsible for unleashing this daily glut of digital disease are doing a stupendous job of overwhelm­ing the security industry. Antivirus companies now report that they are struggling to classify and combat an average of 82,000 new malicious software variants attacking computers every day, and a large percentage of these strains are designed to turn infected computers into spam zombies that can be made to do the attack­er’s bidding remotely.

But that also comes at a price to the spammers. In the case of Cutwail, the maintenance needed to sustain it required 24/7 teams of software developers and technical support staff. That’s because the software that powers botnets like Cutwail is typically rented out for use by other spammers, who frequently demand code tweaks or add-ons to help the bot programs work properly within their own criminal infrastructure.

Moscow resident Igor Vishnevsky, in his early 30s, was one of several hackers who worked closely with Nechvolod on Cutwail. “We had an office for Gugle [Nechvolod, pronounced ‘Google’] with coders and support. Sometimes I visited it, but I didn’t work from there,” Vishnevsky recalled in an instant message conversation. He said Gugle’s office employed at least five full-time coders and as many support staff who rotated shifts around the clock and on weekends to better meet the demands of clients.

Hosting firms like McColo attracted clientele like Cutwail’s producers because they stayed online in the face of significant pressure from domestic and foreign law-enforcement agencies to unplug unsavory or illicit sites they hosted. According to Vishnevsky, McColo’s servers were legendary for their consistent speeds and for being “bulletproof,” or immune from shutdown requests lodged by other Internet service providers (ISPs) or foreign law-enforcement officials.

Shortly after Kolya’s death, McColo was quick to assure the cybercrime community that, while the organization’s most recog­nizable member had passed away, the hosting provider would continue business as usual. Kolya’s partner, Alexey, spread the message on a number of top cybercrime-friendly forums, seeking to reassure the firm’s client base that the incident would result in no disruption of service.

The cybercrime community needed little convincing to stay. The service was mainly hosted in the United States, and was cheap, reliable, and fast. For the year following Nikolai’s death, Nechvolod and most of the top spam botmasters would keep their botnet control servers parked at McColo.

That is, until the evening of Nov. 11, 2008, when an exposé I wrote in the Washington Post about the high concentration of malicious activity at the hosting provider prompted the two suppliers of McColo’s connection to the larger Internet to simul­taneously pull the plug on the firm. In an instant, spam volumes plummeted by as much as 75 percent worldwide, as millions of spam bots were disconnected from their control servers and scattered to the four winds like sheep without a shepherd.

The McColo takedown hit botmasters like Nechvolod and Vishnevsky directly in their pocketbooks. Spammers who were renting the botnets flooded Crutop.nu and other underground fraud forums with complaints that they had lost substantial invest­ments, demanding to know what was going to be done about it.

“On McColo, we hosted servers in the USA that had good speed,” Vishnevsky recalled. “When McColo went down, we had to rent much slower servers in China and other countries that suck,” in their ability to withstand abuse complaints, he said.

In a sign that few thought McColo’s operations would ever go away—even after Kolya’s death—many spammers actually kept another major and expensive component of their operations—huge email address lists—directly on the company’s servers.

“Everyone lost their lists there,” Vishnevsky said, noting that he and Nechvolod lost a particularly large and valuable list of more than 2 billion email addresses after the takedown.

Kolya’s death and the dissolution of McColo were watershed events because they signified the beginning of the end of an era in which spammers and cybercrime lords were allowed to operate under the radar with relative impunity.

At the time, more than 90 percent of all email sent worldwide was unsolicited junk, the bulk of it advertising fly-by-night Internet pharmacy sites. In the ensuing four years, a series of similar takedowns of rogue ISPs, hosting providers, and large spam botnets would make a major dent in worldwide junk-email volumes and coincide with the arrest or imprisonment of several top spammers.

However, McColo’s demise also marked the dawn of a new age of spamming through the genesis of a protracted and costly turf war. Dubbed the “Pharma Wars” by bystanders in the cybercrime and cybersecurity worlds, it exploded into a vicious feud between two of the largest sponsors of pharma­ceutical spam—with unsuspecting users like you and me trapped in the middle.

On one side of the battle were the aforementioned Dmitry Stupin and Igor Gusev and their sister pharmacy operations GlavMed and SpamIt. On the other was Rx-Promotion, a competing rogue Internet pharmacy started by Gusev’s former business partner, 35-year-old Muscovite Pavel Vrublevsky. Officially, Vrublevsky was the top executive at a company called ChronoPay, one of Russia’s largest online payment-processing firms and a company that he and Gusev co-founded.

In secret, he had deep ties to the cybercrime underworld, helping online miscreants of all stripes obtain credit card process­ing for their shady endeavors, and taking a hefty cut of the action. Vrublevsky also is the co-founder and administrator of the popular spammer forum Crutop.nu and another pivotal figure in the cyber wars that have made us into a spam nation—or in reality, a world of spam—today.

By 2010, I had spent more than a year investigating and report­ing on allegations of corrupt business practices by Vrublevsky and his reputed ties to spammers working for the Rx-Promotion rogue pharmacy program. But as I dug deeper and deeper, I wanted to know more about the spam email and cybersecurity problem: who was driving it and how to solve it. It was clear others did, too.

Hackers loyal to Gusev and Vrublevsky leaked this informa­tion to certain law-enforcement officials and to me in an attempt to sabotage each other. Instead, their databases offered unprecedented insight into the day-to-day operations and profits of these secretive, international drug cartels, which comprise a loose affili­ation of spammers, virus writers, shadowy suppliers, and shippers.

Given the increasing menace of spam email and related cyber­security assaults that directly affect consumers and companies, you may be wondering why governments, law-enforcement officials, and corporations aren’t taking a stronger and more significant stance to stop the tidal wave of spam and cybercrime impacting us all.

Part of the reason for the Internet community’s stunted response to the malware and spam epidemic to date is that many policy­makers and cybercrime experts tend to dismiss spam as a nuisance problem that can be solved or at least mitigated to a manageable degree by the proper mix of technology and law enforcement.

Unfortunately, that attitude underscores a popular yet funda­mental miscalculation about the threat that spam poses to every one of us: namely, the sheer destructive power of the botnets and the misguided computer programmers who keep them going. Indeed, the botnets built and managed by members of SpamIt, Rx-Promotion, and other spam affiliate programs were not only used for distributing spam. Web criminals routinely rent access to these crime machines to mask their true location online, because botnets allow miscreants to bounce their Internet traffic through a myriad of infected systems that are largely untraceable.

Crooks running these botnets also regularly use them to harvest usernames and passwords from host PCs, stealing everything from people’s online banking credentials to digital keys that can unlock valuable corporate secrets at companies large and small.

Indeed, the miscreants at the helm of some of the world’s most active botnets already control thousands of zombie systems inside Fortune 500 companies that allow attackers to spam people using these corporations’ more powerful servers, and to siphon sensitive and proprietary data from internal company systems.

Many lawmakers in the United States and elsewhere are using the cybercrime epidemic to lobby for changes to the laws that govern how police and federal authorities can gather data on their citizens. But more stringent penalties against cybercrime have done little to deter attackers or the activities of fortune-seeking pill spammers and modern e-thieves. Most of the recently proposed and approved Internet security laws in the United States have focused on vague initiatives to beef up the security of the nation’s critical information infrastructure—the computers and intercon­nected systems that run everything from manufacturing plants to water treatment facilities and the power grid.

Meanwhile, a handful of key arrests and disruptive actions against spam botnets and top players in the cybercrime under­ground appear to have done more to destabilize the industry than any of the half-baked legislative proposals put forth so far.

Governments around the world can perhaps achieve the most impact on cybercrime not by passing new laws or increasing penalties for various cyber­criminal offenses, but by better enforcing existing laws and by creatively applying pressure on and incentivizing global corpora­tions to address this problem in ways that suit their own interests and extend the reach of domestic law-enforcement agencies.

This is not to say that the answer to combating spam and botnets rests only with the governments of the world. On the contrary; some of the most effec­tive actions against these dual scourges have come from efforts by corporations to protect their own financial interests, customers, trademarks, and public image—and from consumers themselves.

Ultimately, spam and all of its attendant ills will diminish very little without a more concerted, cooperative push from some of the richest and most powerful interests in the world, including the pharmaceutical industry; the credit card and banking sectors; lawmakers and law enforcers around the globe; and people like you and me, most of whom are the unsuspecting targets and victims of these spammers and hackers every day.

Most readers of my new book, Spam Nation, probably have never ordered anything advertised in unsolicited junk email or ingested prescription drugs of uncertain origin that were ordered online. But there are a myriad ways that even the wariest Internet users still end up supporting spammers, scam artists, and organized cyberthieves. And almost all of those ways invariably stem from one cause: apathy.

Whether we go online using a device powered by Microsoft Windows, Mac OS X, Linux, or Android, each of us has a role to play in combatting or contributing to online fraud. As such, we are all either part of the problem or the solution. There is no in-between anymore. Today’s online threats take full advantage of people who fall behind on security updates, or those who wantonly open unbidden email attachments and click on random links in email or on Facebook and Twitter that seem legitimate.

It’s time to do something about this global epidemic, to protect our identities, our bank accounts, our families, and our lives before it’s too late.

This essay is adapted from Spam Nation, by Brian Krebs, published by Sourcebooks. Copyright 2014. Reprinted with permission.