Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
Chapter 10
Few subjects so predictably rile the spam and cybercrime community as much as discussions about “antis”—the underground’s derisive term for anti-spam vigilantes who act alone or in concert with other antis to hobble or take down the large-scale junk email operations plaguing us. The leaked online chats between Stupin and hundreds of bulk emailers who worked for SpamIt reveal that when affiliates weren’t busy spamming, they were using their bot armies to bludgeon someone or something offline that threatened to kill their criminal operations. Very often, rival spammers would turn their digital armaments on one another. But their favorite targets were antis, whom the spammers perceived as a real and present threat to their business models—and rightfully so.
By the third quarter of 2013, nearly 70 percent of all email sent daily was unsolicited bulk email relayed via spam botnets. To give you a sense of how massive the spam problem is, miscreants like those working for SpamIt and other spam partnerkas were sending an estimated 85 billion junk messages every day. According to InternetWorldStats.com, almost 2.4 billion people were using the Internet by April 2012, which means that spammers were sending approximately 35 junk emails for every Internet user each day.
Some of the anti-spam tactics came from independent activists, such as members of InboxRevenge.com, a forum dedicated to exposing spammers by reporting spam domains to registrars and calling attention to spam-friendly bulletproof hosting providers. One of the most active InboxRevenge members was Adam Drake, the same anti-spam activist to whom Vrublevsky initially leaked the SpamIt database to undermine his archrival Gusev.
Ironically, in order to take down the spammers, Drake and his merry band of vigilantes had to use their adversaries’ own techniques. They built a series of automated tools designed to place phony orders for drugs at dozens of spam-advertised websites simultaneously. These order-stuffing programs would place rapid-fire orders for pills using fake identities and made-up credit card details. The idea was to flood the spam partnerkas’ databases with so much junk that they would be forced to manually verify each order. In some cases, the order-stuffing programs slowed the pill websites to a crawl, blocking interested buyers from making purchases.
“We sent on average 20,000 to 30,000 ‘orders’ to their spamvertized domains every day,” Drake recalled of the initiative they began in 2007. In response, the spam partnerkas built increasingly sophisticated fraud detection systems that behaved much like the spam filters they detested, but for bogus orders. Those systems “scored” each order on the likelihood that it was fake by looking for a combination of qualities about an order that flagged it as high risk. In the process, Drake said, the spammers ended up declining or canceling a great many orders from legitimate buyers. “Clearly we cost them some money.”
Indeed, SpamIt and GlavMed’s order-checking system routinely red-flagged purchases that were even mildly suspect. A review of the customer order record leaked from those sister partnerkas shows that thousands of orders were held or denied based on the slightest whiff of a fake order. For example, many orders were declined for the following reason, which accompanied thousands of orders in the SpamIt customer service system:
“This order is slightly riskier because the phone number supplied by the user is not located within the zip code of the billing address for the credit card.”
According to Vishnevsky—our “Virgil” in the spammer underworld and the guy who helped to bankroll the development of the Cutwail spam botnet—the anti-fraud measures also served to keep in check spam affiliates who tried to generate fake sales and commissions using stolen credit cards. Such fraud activity would not only result in commissions for phony sales, but would ultimately bring unwanted attention to the partnerka’s credit card processing systems, which would incur hefty fines if the number of credit card chargebacks exceeded a certain threshold (usually 1 percent of overall sales).
SpamIt administrators also took elaborate steps to ensure that anti-spam groups and activists could not easily take down the pharmacy websites being advertised via spam. The SpamIt folks used hacked PCs to help obfuscate the real location of the pill-shop sites, employing a circuitous method known as “fast-flux” hosting. This method, the virtual equivalent of the classic street-corner scam known as “three-card monte,” involves rapidly changing the locations of the website so that no one site is used long enough to be isolated and shut down.
Under a fast-flux setup, the customer clicking a link in a spam email might reach a different site or Internet address if he or she clicked the link again a few seconds later. Potential customers of these pill shops would not notice anything different, except perhaps a short delay.
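The behavior described above, a name that resolves to a different address seconds later, is also what a defender can look for in DNS answer logs. The following is an added example, not code from the book or from any party it describes: it scores each queried name by how many distinct addresses and network prefixes it hands out in a short window, and with what TTLs, using constructed sample records (the names, addresses and thresholds are illustrative assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS answer log: (timestamp, queried name, resolved IPv4, TTL seconds).
# These records are made up for illustration; they are not drawn from the SpamIt data.
SAMPLE_ANSWERS = [
    ("2013-09-01T10:00:00", "pills.example", "203.0.113.10", 60),
    ("2013-09-01T10:00:30", "pills.example", "198.51.100.77", 60),
    ("2013-09-01T10:01:05", "pills.example", "192.0.2.200", 60),
    ("2013-09-01T10:01:40", "pills.example", "203.0.113.99", 60),
    ("2013-09-01T10:02:10", "pills.example", "198.51.100.8", 60),
    ("2013-09-01T10:00:00", "static.example", "192.0.2.5", 86400),
    ("2013-09-01T10:05:00", "static.example", "192.0.2.5", 86400),
]


def flux_scores(answers, window=timedelta(minutes=10)):
    """Return {name: (distinct_ips, distinct_/24_prefixes, min_ttl)} over the window.

    A fast-flux name hands out many unrelated addresses in a short span with tiny
    TTLs so that no single host stays in use long enough to be taken down. A stable
    site resolves to the same address (or a small related set) with a long TTL.
    """
    by_name = defaultdict(list)
    for ts, name, ip, ttl in answers:
        by_name[name].append((datetime.fromisoformat(ts), ip, ttl))
    scores = {}
    for name, recs in by_name.items():
        recs.sort()
        start = recs[0][0]
        in_window = [r for r in recs if r[0] - start <= window]
        ips = {ip for _, ip, _ in in_window}
        prefixes = {ip.rsplit(".", 1)[0] for ip in ips}  # crude /24 grouping
        scores[name] = (len(ips), len(prefixes), min(ttl for _, _, ttl in in_window))
    return scores


def is_fast_flux(score, min_ips=4, min_prefixes=3, max_ttl=300):
    """Heuristic thresholds (assumed): many addresses, spread across networks, short TTLs."""
    ips, prefixes, ttl = score
    return ips >= min_ips and prefixes >= min_prefixes and ttl <= max_ttl


def flag_fast_flux(answers):
    """Names in the log whose resolution pattern matches the fast-flux heuristic."""
    return sorted(name for name, s in flux_scores(answers).items() if is_fast_flux(s))
```

Content-delivery networks also rotate addresses with short TTLs, so a flagged name is a lead for review, not proof of fast-flux hosting.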
SpamIt’s curators also kept a close eye out for fraud investigators from MasterCard, Visa, and the major pharmaceutical firms. The SpamIt database shows that they routinely added these Internet addresses and email addresses to a database of customers that were blocked from placing orders on the pharmacy sites.
Botmasters like Gugle and Cosma worked diligently to ensure maximum inbox deliverability of their emails and were constantly changing their approaches to evade new protections being added to anti-spam software and hardware. This glut of spam became so overwhelming that many network security professionals in charge of defending corporate networks were forced to supplement their hardware and software-based anti-spam tools with spam “blacklists” (also called “blocklists”).
At its most basic, a spam blacklist is a record of Internet address ranges that are most frequently seen as sources of spam. Generally, Internet addresses on blacklists fall into one of two categories: they are at networks and Internet service providers (ISPs) that have earned a reputation for turning a blind eye to spammers on their networks—like Atrivo and McColo Corp.—or they are individual malware-infected, spam-spewing “zombie” PCs.
The most widely used blacklists were run by ad-hoc and secretive organizations with funny names, like Spamhaus, SURBL, and URIBL (the BL in these acronyms stands for “blacklist”). Companies trying to block spam for tens of thousands of employees routinely incorporate these blacklists into spam filters, blocking the delivery of email sent from any of the listed Internet addresses. Not infrequently, innocent, non-spamming networks would get lumped into these blacklists along with the bad actors. But most organizations were all too willing to accept that some legitimate email would not get through if it meant being able to stem the surging daily tide of junk messages.
For its part, the spam community was less than amused by these self-appointed guardians of the inbox, and maintained that antis had no right to decide which emails Internet users should and should not be able to receive. In 2011, a copy of Spamdot.biz, an extremely secretive forum frequented by most of the world’s top spammers, was made available to several law-enforcement agencies and this author. The forum postings show that as far back as 2005, spammers began organizing and executing large-scale Internet attacks aimed at punishing and intimidating anti-spam activists.
Among the most destructive and blistering of such campaigns was one of the largest cyberattacks in the history of the Internet waged against a remarkably effective anti-spam start-up called Blue Security Inc. The company had devised an elegant approach to stopping spam destined for more than half a million users of its Blue Frog software. The program would simply fire off a reply to the sender’s network, asking the spammer to stop delivering junk email to its users.
But because those sorts of requests tended to go ignored, Blue Security took them to the next level. It bombarded the spammers with requests from all 522,000 of its customers at the same time. That led to a flood of Internet traffic so heavy that it disrupted the spammers’ ability to send emails to other recipients—a crippling effect that caused a handful of known spammers to comply with the requests.
But after a short while, key members of the spam underground declared they’d had enough and said it was time for Blue Security to be wiped off the face of the Internet. According to a lengthy discussion thread on Spamdot.biz, at least a dozen top spammers spent weeks and more than $15,000 marshaling their forces for an all-out surprise attack on Blue Security’s customers.
Spamdot members had discovered that the Blue Frog software contained a critical weakness: spammers who wished to comply with Blue Frog removal requests were given a free tool that allowed them to clean their lists of Blue Frog user email addresses. While Blue Security took pains to encrypt the user email addresses included in that tool, it was easy for spammers to identify which email addresses on their spam distribution lists belonged to Blue Frog users. All the spammer needed to do was compare their unaltered spam email lists with those scrubbed by Blue Security’s tool. The addresses that were missing from the spammer’s scrubbed distribution lists were all Blue Security users.
The assault on Blue Security began with a threatening email sent to most of the 522,000 Blue Frog users. The message below was pasted for review and later edited by several Spamdot forum members before being emailed to the Blue Frog community:
You are being emailed because you are a user of Blue Security’s well-known software “Blue Frog.”
Today, the Blue Security database became known to the worst spammers worldwide. Within 48 hours, the database will be published on the Internet, and your email address will be open to them all. After this, you will see the spam sent to your mailbox increase 10 to 20 fold.
Blue Security was illegally attacking email marketers, and doing so with your help. Many websites have been targeted and hit, including non-spam sites. Blue Security’s software has been fully analyzed and contains an abundance of malicious code. This includes: ability to send mass mail to users; the ability to attack websites with distributed denial of service attacks (DDoS); the ability to open hidden doors on any machine on which it is running; and a hidden auto-update code function, which can install anything on your computer and open it up to anyone.
Blue Security lists a USA address as their place of business, whereas their main office is in Tel Aviv. Blue Security is run by a few Russian-born Jews, who have previously been spamming themselves. When all is said and done, they will be able to run, hide, and change their identities, leaving you to take the fall. YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it. This email ensures that you are well aware of the situation. Soon, you will be found guilty of computer crimes such as DDoS attacking of websites, conspiracy, and sending mass unsolicited bulk email messages for everything from Viagra to porn, as long as you continue to run Blue Frog.
They do not take money for downloading their software, they do not take money for removing emails from their lists, and they have no visible revenue stream. What they DO have is 500,000 computers sitting there awaiting their next command. What are they doing now?
1. Using your computer to send spam?
2. Using your computer to attack competitor websites?
3. Phishing through your files for your identity and banking information?
If you think you can merely change your email address and be safe while still running Blue Frog, you are in for a big surprise. This is just the beginning…
An unusually active member of the Spamdot forum, a user who adopted the nickname “BoT,” laid out a devious plan for an attack on Blue Security that would turn the company’s own anti-spam service against its users. The strategy was simple and elegant. The spammers would register dozens of domain names, all of which would redirect visitors back to a single website that the spammers controlled. Then, the miscreants would spam Blue Security’s entire user base, and sit back and wait for the inevitable wave of Unsubscribe requests to come in. When the removal requests started flowing back to that single website, the spammers would simply change the site’s settings so that all incoming traffic got redirected to Blue Security’s homepage, effectively causing the company’s own anti-spam technology to attack itself.
“This way they either get screwed in the ass by their own weapon or get abuse complaints,” BoT explained in a Spamdot forum posting just prior to the attack. “Even better, would be to redirect the traffic to the websites of CNN, BBC, Reuters, and such, and those sites will start writing that the Internet is turned into a battle because of the ‘blue froglings.’”
On May 1, 2006, the spam community unleashed a series of increasingly amplified attacks on Blue Security’s Internet servers, immediately blocking legitimate users from visiting the company’s site. Blue Security hadn’t yet been made aware that it was being targeted, but company officials knew customers were having difficulties reaching the firm’s website. At some point, the decision was made to redirect traffic destined for its unreachable homepage to a company blog, which included a message to Blue Frog users acknowledging the problem.
Blue Security’s blog was hosted at a blogging service run by Six Apart Ltd., a San Francisco-based company that runs millions of websites through its TypePad service. (Six Apart would later be bought by Russian blogging giant LiveJournal.ru.) The result of this redirection meant that Six Apart’s blog service then received the brunt of the attack, and that thousands of web logs hosted there also went down. The denial-of-service assault also shut down operations for roughly twelve hours at Tucows Inc., a Toronto-based Internet services company that helped manage Blue Security’s site. Tucows CEO Elliot Noss called the attack “by far the largest the company had ever seen,” and said that only a handful of companies have the infrastructure in place to withstand such an assault, much less a more powerful one.