ADVERTISEMENT

From Russia With Love

Review: Brian Krebs’ ‘Spam Nation’

AP
November 22, 2014

For ordinary Internet users, email spam is an inconvenience and a mystery. Diving into the spam folder to rescue legitimate correspondence, they are confronted with seedy missives from the Internet’s dark side—cryptic, misspelled messages from old friends urging them to click a link and reconnect, or else "laughably-awful filter-beating projects" seemingly generated by "some huge Dada machine," to borrow a memorable phrase from the 2013 book Spam by Finn Brunton.

For these users, spam is at worst a nuisance. With nearly 3 billion users online, however, spam is a nuisance of global consequence and a powerful asymmetric weapon for all manner of bad actors.

In Spam Nation, journalist Brian Krebs guides readers through the intimidating and technical world of organized cybercrime. It is a world he knows well, having covered it as a beat reporter for the Washington Post before departing the paper to start his own site, krebsonsecurity.com.

As evidenced by Spam Nation’s cover art, the titular nation is the United States, but it would be more accurate to say that Krebs has written a book about Russia. While Americans are the preferred marks of the billions of spam emails sent every day, the spammers Krebs describes are overwhelmingly from Russia and the former Soviet satellite states—which explains the bad grammar and Cyrillic characters.

Krebs focuses primarily on two spam barons and the nasty feud between them, dubbed the Pharma Wars.

Igor Gusev and Pavel Vrublevsky were co-founders of an e-commerce company, ChronoPay, that processed online transactions for companies without scrutinizing their enterprises too closely. Krebs documents how ChronoPay brokered transactions for extreme pornography sites and "scareware" operations, which effectively hold computers for ransom by infecting them with malware and then offering their users pricey "anti-virus" software to remove the problem. Unsurprisingly, both Gusev and Vrublevsky ran their own criminal enterprises on the side.

After parting ways with ChronoPay, Gusev founded GlavMed, a chain of online pharmacies that offered inexpensive medications without the prescription requirements and quality control standard maintained by legitimate pharmacies. SpamIt, another Gusev project, blasted out millions of spam emails on GlavMed’s behalf using networks of malware-infected computers, called botnets. Even if the click-through rate from these emails was small—fractions of a percent, in reality—a profit could be made through volume alone.

For his part, Vrublevsky stayed on as CEO of ChronoPay, which grew to become the largest e-commerce company in Russia. According to ChronoPay’s website, its clients today include Sony, Electronic Arts, Greenpeace, and the World Wildlife Fund. Vrublevsky’s position with ChronoPay lent him a certain public legitimacy which he would later leverage against his former partner.

Like Gusev, Vrublevsky moonlighted as a pharmacy spammer. His network, Rx-Promotions, was instantly in competition with GlavMed for the world’s impotent and infirm. Even as each made a fortune pushing pills, they began to look for ways to hamstring each other.

By 2010, Krebs was already well-known for his investigative reporting on spam, which had disrupted the operations of criminal outfits such as the Russian Business Network and complicit web hosts such as McColo Corporation. Krebs’ exposé on McColo led two major Internet service providers to drop it as a client. The volume of new spam email plummeted by over 50 percent after McColo was shut down, although the spammers were quick to recover.

In 2010, Krebs began to receive leaks of ChronoPay’s internal information sent by an anonymous hacker. Leaks about GlavMed followed, as Vrublevsky and Gusev traded broadsides in a battle to see who could have the other imprisoned first.

Vrublevsky had the "law"—such as there is such a thing in Russia—on his side. Due to his prominence in Russian e-commerce, he was selected to serve on several government campaigns against cybercrime. Vrublevsky used his public perch to target Gusev, even as he funneled millions of his own money to the Russian Federal Security Service (FSB) to protect himself from prosecution.

It didn’t work. The Pharma Wars ended in mutual destruction, with Vrublevsky cooling his heels in a Russian prison camp and Gusev on the run from an Interpol rap.

The power struggle Krebs depicts in Spam Nation is illustrative of many things, among them the Russian shakedown business, where criminals use the law "as both sword and shield," in the words of Thomas Firestone, a U.S. Department of Justice legal adviser in Moscow.

The tale also illustrates the bizarre world inhabited by professional spammers. As told in Brian McWilliam’s book Spam Kings, many spammers are disaffected oddballs. An extreme example is Andrew Greenbaum, a chess-playing Jew turned neo-Nazi ("Davis Wolfgang Hawke") who peddled penis enlargement pills before AOL hit him with a lawsuit in 2005. Out of luck, Hawke made for the ratlines and hasn’t been heard from since. His fortune is rumored to be buried on his parents’ property in Massachusetts.

That a lone neo-Nazi can marshal the resources to send malware to half the world points to spam’s most frightening aspect: its potential as weapon. While a million emails sent to a million addresses is a headache, a million emails sent to one address is a crippling blow.

Among the first to allegedly weaponize spam was—and here we are again—Russia. In 2007, the Estonian government announced that it was relocating a World War II monument dedicated to the Red Army, the liberators who never left. Shortly thereafter, the country’s information infrastructure was crippled by a distributed denial of service attack carried out by massive spam botnets. The government in Moscow, Estonia claimed, was making its displeasure known.

Russia is not alone. States such as China and Iran are all waking to the asymmetric promise of cyber warfare against a conventional behemoth like the United States. As are terrorist groups, a fact that led Assistant Attorney General John P. Carlin to warn that the United States is "in a pre-9/11 moment, in some respects, with cyber."

Future wars will be waged in part by talented hackers with bot armies at their backs. For now, we have Krebs as a guide, and—thankfully—email filters.

Published under: Book reviews