Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
“This attack really was like trying to take out a mosquito with an atomic bomb,” Noss said.
Not long after that, Blue Security CEO Eran Reshef received an email from one of the spammers who had previously agreed to stop spamming Blue Security’s users—telling him how to get in touch with the person in charge of the attack.
The message provided a link to a pharmacy website that was being promoted by spammers at the time and instructed Reshef to view the HTML source of the page. Within it, he would find an ICQ number. ICQ, or I-Seek-You, is an instant message technology that was immensely popular in the cybercrime community at the time.
Blue Security’s team downloaded a copy of the pharmacy site homepage and then opened it in an HTML editor to make sure it was not booby-trapped with malicious code. They then located the hidden message: “preved, stuchis v asku 299650295,” or “hello, add ICQ #299650295.”
Soon after Reshef sent a chat request to that ICQ number, someone using the name “Pharmamaster” replied. Pharmamaster was taunting and not at all interested in bargaining.
Tue May 02 16:30:57 2006
[16:02] BLUESECURITY: Do you want to discuss now a friendly resolution to the current situation? We are aware of your concerns, but as I told you before, and unlike what you think, we don’t want to affect your business. We are not a common anti-spam company.
[16:07] PHARMAMASTER: You started with me and my people and my staff, so you shall get hurt first and feel who we are. And when I’m sure you got the point of who we are, then we can talk. Bluesecurity.com is down now but how about we keep all your systems down for a few months?
Reshef declined to be interviewed about the specifics of the attack. But a source who helped the company respond to the onslaught said Reshef also received threats against his family.
“The level of the attack was so bad that I remember being in a meeting with Eran and the other guys,” said the source, speaking on the condition of anonymity. “The other stuff that was going on was a personal attack where Eran was getting pictures of his children at a playground sent to him—pictures he’d never seen before.”
The attacks continued for more than two weeks, with increasing intensity. At one point, the attackers began emailing Blue Security employees, saying that they had 70 percent of the Blue Frog email user base and offering $50,000 for the remaining 30 percent to any employee willing to turn over the company’s internal data.
On May 14, the management of Blue Security met with the FBI to discuss their options, but this was more a formality than anything. Two days later, Reshef and Blue Security would wave the white flag. The Washington Post ran a front-page story by this author on May 17, observing that the company had acknowledged defeat. Blue Security had received more than $4 million in venture capital funding, but its benefactors had decided it was time to throw in the towel.
That story quoted Todd Underwood, then chief of operations and security for Renesys Corp., a company that monitors Internet connectivity. Underwood called the attack “unsurprising but sad.”
“When the company’s founders first approached the broader anti-spam community and asked them what they thought of Blue Security’s business model, everyone said this was a terrible idea and that they would eventually cause a lot of collateral damage,” Underwood said. “But it’s also extremely unfortunate, because it shows how much the spammers are winning this battle.”
The individuals responsible for organizing the attack on Blue Security appear to have been the principals at one of the largest pharmacy partnerkas at the time. Many of the plans laid out on Spamdot.biz for attacking Blue Security were shaped and encouraged by a heavyweight Spamdot.biz user who had adopted the nickname “Mr. Green.” According to Spamhaus, Mr. Green was the alias used by a Russian named Vlad Khokholkov, a Moscow native who allegedly partnered with notorious spammer Leo Kuvayev.
The attack on Blue Security was a shot across the bow of anti-spammers everywhere. At the time, close to 90 percent of all email was junk advertisements, and Blue Security had tapped into a visceral sense of frustration among email users who were fed up with the daily deluge. But the top Spamdot members were running pharmacy partnerkas that were pulling in millions of dollars each month, and they viewed Blue Security as the vanguard of a new breed of anti-spam activity that posed a potent threat to the continued success of their money-making machines. They weren’t willing to be sidelined, whatever the cost.
Spamhaus believes Kuvayev and Khokholkov ran the pharmacy affiliate programs Mailien and Rx-Partners. This is backed up by the leaked instant message chats from SpamIt administrator Dmitry Stupin. In a 2008 conversation between Stupin and “Joop”—the nickname used by a Russian who was one of GlavMed’s top earners—the two are discussing a rival affiliate program called “Affiliate Connection.”
“If it’s no secret, do you know Leonid Kuvayev and Vlad Khokholkov (Mr. Green)?” When Stupin hesitated in answering, Joop apologized and changed the subject. “I am taking my question back. Something is wrong with my head. I forgot that their partnerka [was] Rx-Partners/Stimulcash.”
Kuvayev, a Russian national, was convicted of violating U.S. anti-spam laws in Massachusetts in 2003 and ordered to pay $37 million for blasting botnet spam that touted counterfeit copies of Microsoft Windows and other name-brand software. He reportedly fled the country after that, avoiding jail time. But at some point after his conviction, Kuvayev returned to Russia.
Ultimately, however, Microsoft got the last laugh. The software giant paid consultants at Russian computer forensics company Group-IB to monitor Kuvayev’s activities and to share the information with Russian law-enforcement agencies.
In 2011, Kuvayev was arrested on child molestation charges. He is now in a Russian prison. Police raided Kuvayev’s home after receiving a tip that he was having sex with underage girls. In his residence, they found hours of videotaped footage showing him abusing girls—some as young as fourteen years old—lured from a nearby Moscow orphanage. In 2012, Kuvayev was tried and convicted of child molestation, and he is currently serving a twenty-year prison sentence (recently reduced to ten years according to MKRU, a Russian weekly periodical).
Reached via email, Khokholkov denied being involved in the attack on Blue Security. Exactly who was responsible for orchestrating the attack remains unclear, but the leaked SpamIt chats and forum discussions clearly show that Vlad and Leo worked as partners, and that Kuvayev’s spam gang was heavily involved.
Not long after the attack on Blue Security, Mr. Green asked Spamdot forum administrators to delete all of his postings and account information. But some of his forum messages survived as quoted text in forum conversations between other Spamdot members. They indicate that Mr. Green was working closely on the attack with a self-professed Satanist who used the nickname “Zliden,” and the email address “[email protected].” According to Spamhaus, this was the last known email address of Leo Kuvayev.
Kuvayev is widely considered one of the most blatant and unrepentant spammers that ever worked the business. But like other masters of bulk email, he took care to separate his various online identities from his offline existence, switching email addresses and nicknames and deleting old posts every so often to elude digital-crimes investigators and anti-spam activists.
Even so, Kuvayev’s experience (and that of his contemporaries like Cosma and Nechvolod) shows that while the Internet may occasionally lose track of online identities, anti-spam and Internet security activists have far longer memories and are willing to go to great lengths to bring spammers to justice.
The denizens of Spamdot.biz also planned and executed several powerful attacks against Spamhaus, as well as against the widely used spam blacklists maintained by URIBL and SURBL. In a message to fellow members in October 2008, Spamdot administrator “Ika” posted a note on the forum to update the group’s progress in collecting funds from spammers to launch a lengthy distributed denial-of-service (DDoS) attack against the websites of all three blacklist providers.
The message read, in part:
Dear Sirs,
We have collected more than $3,000 in the fund, of which portions will be allocated to the first four days of DDoS against URIBL and Spamhaus. We also bought $1,000 worth of bot installs at the rate of $25 for 1,000 bots.
Current DDoS targets: 1) Infrastructure lists.uribl.com/ 2) Home businesses of [Spamhaus founder Steve] Linford—www.uxn.com and www.ultradesign.com/net where the Spamhaus backup database is kept. 3) Both faces of Spamhaus.org.
A representative from the online pharmacy partnerka Affiliate Connection said that his spammers could pool together several million hacked PCs for use in a massive attack on Spamhaus. But he noted that the opportunity costs from an assault like that would be high, because anti-abuse companies would quickly identify and blacklist all further communications (including future money-making spam) from the spam zombies. What’s more, the Affiliate Connection leader said, URIBL and SURBL had recently purchased denial-of-service protection services from a leading anti-DDoS provider.
The SpamIt administrators responded that these factors were hardly enough to deter their plans.
“Well, then, if they are sitting on strong anti-DDoS channels, we will have to act strongly and decisively to fill their pipes,” Ika declared. “They will have to account for huge traffic volumes and it will become a real problem for them. It will be expensive, but I think that some of the affiliates can allocate a few hundred bucks a day on it.”
Weeks later, the Spamdot.biz thread on plans for attacking Spamhaus had generated pages of talk but little action. Disgusted with his colleagues, GeRa—the SpamIt and Rx-Promotion affiliate who operated the Grum spam botnet—challenged other spammers to step up and make sacrifices for the good of the industry.
I appeal to the largest spammers, you guys doing $50,000 to $200,000 in commissions per month, will you not be able to find $3,000 to solve this problem?
Docent, the curator of the Mega-D spam botnet, responded that he and his team were ready to lend funding to support a sustained attack on Spamhaus. But soon the discussion stalled on the question of who was going to take responsibility for directing and organizing the attack.
To complicate matters, not everyone on the spam forum was in favor of attacking Spamhaus and the other blacklist providers. Severa, the botmaster who built and operated the Waledac and Storm spam botnets, was more philosophical, observing that “Spamhaus is only a part of [a] huge evolution process,” and that spam filters actually helped to separate the novice spammers from the pros and discourage inexperienced, would-be spammers from taking up the craft.
“Guys, we CAN’T live without anti-spam filters anymore,” Severa reasoned in a reply on the Spamdot discussion. Severa’s advocacy for the continued, widespread use of spam filters must have sounded almost heretical to many of his colleagues. But this spam kingpin in all likelihood correctly identified inexperienced spammers as a plague on the industry and a drain on his profits. If spam filters mainly succeeded at keeping the ankle-biters at bay, then so be it.
“Really, it stops newbies and lamers. Imagine, if all filters were turned off now. Would you earn money? NO! It would just kill email as communication service, nothing more. So, Spamhaus is not good or bad; Spamhaus is just Spamhaus.”
Spamdot member “Swank” said he agreed with Severa’s general statement, but that Spamhaus nevertheless needed to be humbled.
“Severa, you make a great point and you are exactly right,” Swank wrote. “Having anti-spam filters and more is good for technology and the Internet because both sides—spammers and anti-spam folks—are always adapting and changing things around to get past each other’s latest. The end result is technology is constantly improving, which like you said also keeps the professionals going and the newbies out of the business. That being said, stupid companies like Spamhaus are not fair to the mailers who are compliant. Spamhaus is abusing their powers to take out ANYONE who is an email marketer, regardless of whether or not the person is compliant or not. Spamhaus hates all email marketers. That crap is absolute bullshit and is not fair to anyone. Spamhaus needs to realize they are not untouchable and they will soon realize this.”
In October 2008, GeRa announced to Spamdot members that he was releasing an automated attack tool that his programmers had built to help the community participate in a massive attack on Spamhaus. The tool, which he called Anti-Haus v. 1.0, was distributed to major botnet owners who in turn installed the program on tens of thousands of hacked PCs that they controlled and that were already relaying spam.
A representative from Spamhaus who gave his name only as “Barry” said the organization doesn’t recall this particular October 2008 attack, noting that Spamhaus has lost track of how many massive attacks it has been hit with over the years.
In March 2013, Spamhaus came under an attack that it would not soon forget. In fact, some experts called it the largest concerted cyberattack that the Internet had ever witnessed. A group of bulletproof hosting providers united under the “Stophaus” banner decided to attack the anti-spam provider. Stophaus formed an online forum to coordinate the assault after Spamhaus listed one bulletproof hosting provider in particular on its block list: a network known alternatively as CB3ROB, a.k.a. “Cyberbunker” because it operated from a heavily fortified NATO bunker in the Netherlands.
Attackers allied with Stophaus launched a nine-day digital siege that hurled as many as 300 billion bits of data per second at the organization’s website. As the New York Times described it, the data “fire hose” directed at Spamhaus didn’t just swamp the anti-spam provider; the deluge spilled over onto neighboring networks, causing what the organization’s content distribution network CloudFlare estimated to be hundreds of millions of people to experience delays and error messages across the web.