Spam Nation (4 page)

All of this may have seemed like an issue isolated to Russia and Eastern Europe, where these shadowy cybercriminal companies are allowed to exist. But the truth is that the vast majority of the business’s customers were actually Americans who were willing to pay more than forty dollars per month for subscription access to the child porn sites, known in the underground as “strawberry” and “lolita” sites (the latter being a literary reference to the novel of the same name by Russian author Vladimir Nabokov). According to press reports on the operation, Rubatsky’s network of child porn sites attracted more than 100,000 visitors per day and generated revenues of nearly $5 million per month.

But before long Alfa-Pay found itself at odds once again with
Petrovsky’s BillCards payment-processing business. By this time, Petrovsky had allied himself with Igor “Desp” Gusev, who was rumored to have been the administrator of a secret online forum called Darkmasters.com, which catered to webmasters (website owners) engaged in selling extremely hard-core porn, including child pornography.
4

Rubatsky’s Alfa-Pay and Petrovsky’s BillCards were soon vying to destroy one another, said Pavel Vrublevsky, cofounder and owner of ChronoPay, the Russian company mentioned in
Chapter 1
that got its start in 2003 processing payments for adult webmasters. (In 2003, Gusev would join Vrublevsky as a fifty-fifty cofounder in ChronoPay, which would later eclipse CyberPlat as Russia’s largest processor of online payments.)

“Alfa-Pay got in a huge fight with BillCards, and they both started launching computer attacks against one another, trying to start criminal cases against each other, and sending all kinds of incriminating information to mass media and all that crap,” Vrublevsky recalled in a 2010 interview that would eerily prefigure the turf battle then already underway between himself and Gusev over cornering the market for knockoff pharmaceuticals online. “As a result, both businesses fell apart, and it was a big scandal.”

That’s when Rubatsky decided it was time to go into another lucrative but less dangerous line of work: web hosting. According to Vrublevsky, the Belarusian set up a meeting with the men running Eltel, a local ISP whose networks connected much of St. Petersburg to the rest of the public Internet.

Vrublevsky maintains that Eltel’s management had bought political protection for their business from agents of the Russian Federal Security
Service (FSB), the successor to the Soviet Union’s KGB. This type of cover, known as
krusha
or “roof” in Russian, was considered necessary for any business capable of generating healthy profits—because such income made the business vulnerable to criminal and governmental interference and even violence.

According to Vadim Volkov, author of
Violent
Entrepreneurs: The Use of Force in the Making of Russian Capitalism
, FSB officers are frequently embedded as employees of Russian companies, ostensibly as a means to help them fight extortionists who might try to steal the company’s profits.

Volkov writes that Russian law allows FSB agents, while remaining in service, to be “assigned to work at enterprises and organizations at the consent of their directors… This provision allowed thousands of acting security officers to hold positions in private companies and banks as ‘legal consultants,’ as the position was modestly called. Using their ties with the state organizations and information resources of the FSB, they performed what has become known as ‘roof’ functions—protecting against extortion and cheating by criminal groups and facilitating relations with the state bureaucracy. Expert estimates suggest that up to 20 percent of FSB officers are engaged in informal ‘roof’ businesses.”

“The Eltel guys were famous for being really crazy and hosting child pornography and crap like this, because they had a good relationship with the local cops,” Vrublevsky said in a telephone interview. “But the ISPs upstream from Eltel were constantly blacklisting their sites, so [to get around that issue] Rubatsky came up with the idea of having a direct link to big [Internet backbone providers] like Telia and Tiscali.”
5
With a direct link, bulletproof hosting providers would no longer be at the mercy of smaller, intermediary ISPs that could be
bullied into pulling the plug on RBN at the slightest sign of interest from law enforcement.

To circumvent this obstacle, “this Rubatsky guy ended up spending a shitload of money so [Eltel] could have their own channel of Internet coming from abroad,” Vrublevsky recalled. “And they called it the ‘Russian Business Network,’ or RBN for short.”

According to Vrublevsky, Rubatsky appointed as head of the RBN project a smart, young technician named Eugene I. Sergeenko, a twenty-year-old hacker better known in the underground by his handle, “Flyman.”

Flyman would soon become synonymous with both RBN and the global spam epidemic, as RBN emerged as the global epicenter of malicious cyberactivity, including everything from phishing schemes to the penis-enlargement spam that bombards each of us every day.

♦    ♦    ♦

By 2007, RBN had evolved into a cybercriminal force to be feared. The rogue hosting provider had become a massive magnet for online criminal schemes of all kinds. Researchers in academia and at private Internet security firms had been sounding the alarm about RBN for more than a year, churning out countless reports about huge volumes of phishing scams, male enhancement spam, and sites hosting malicious software emanating from the troubled ISP and contaminating millions of Internet-connected systems around the world. But most of these reports were fairly technical analyses that examined just one or two aspects of the multifarious badness emerging from RBN—such as a new malware innovation, a botnet command center, or another orchard of malicious websites that had sprung up in RBN’s backyard.

It occurred to me that nobody had centralized all of the disparate research on RBN or sought to pull it all together into a single report revealing all of the malicious activity there. At the time, these various
reports had gradually worn down the support infrastructure that kept RBN’s network online, so it seemed to me that a major exposé in a widely read publication might topple the entire enterprise once and for all.

I’d recently carved out a cybercrime beat as a reporter at the
Washington
Post
and was eager to centralize the intelligence on RBN in a report that I hoped might bring broader attention to the size of the threat. I firmly believed that the cybercrime community had made a major strategic blunder in concentrating so much badness in one place. If somehow RBN was ostracized and shunned by the rest of the Internet community, many cybercriminal businesses would be unplugged from the web.

Cybersecurity experts I spoke with about the idea said such an action could increase the costs of these criminal operations and make it more difficult for them to find a stable home. One possible end result would be much less spam for everyday users and fewer sites pushing malicious software or peddling child porn. To me, the positive implications were huge. Not only could this decrease or possibly eradicate junk email and all of the viruses, malware, and other security problems that come with it, but it could also possibly decimate an illegal and shocking industry that harmed children for the perverse pleasure of a small minority of adults.

In June 2007, I began badgering dozens of sources for quantifiable data about malicious activity that persisted at RBN. Over the next four months, the reporting aspect of the story came together almost on its own, as facts pouring in from different sources about the location of websites both malicious and atrocious began to paint a truly frightening picture of this rogue Internet hosting firm and what it was doing to clog our networks with destructive spam email.

Nearly identical damnations of RBN came in the form of incriminating data from some of the most noted security firms in the industry, including Cisco, Dell SecureWorks, FireEye, HostExploit, Marshall/M86, the SANS Internet Storm Center, Shadowserver, Sunbelt Software
(now GFI), Symantec, Team Cymru, Trend Micro, and Verisign, to name just a few.

Ken Dunham, then director of rapid response for Verisign’s iDefense cyber intelligence unit, said his team examined all of the web properties hosted at RBN and couldn’t find a single redeemable quality there. “We went through and correlated all of their information, and we couldn’t find one good thing at RBN,” Dunham said. “We’ve seen virtual safe houses for criminal groups in the past, but virtually everything within this hosting provider has always been illicit or malicious.” In short, there was no redeeming reason for this criminal ISP to remain online.

Perhaps because of the mystery and aura of Russian organized crime that surrounded RBN, convincing sources to speak openly and plainly about what they knew of the ISP’s operations was far more challenging. One source, an academic who fed investigators at the Federal Bureau of Investigation daily dossiers on the sale of child pornography and other criminal activity at RBN, said he was worried for his physical safety if he spoke out publicly on what he knew.

“The Russian Mafia is behind RBN, and they have big guns and small morals,” the academician explained. “I’d love to be an ‘expert’ for you, but I really don’t want to get my family whacked.”

That was one of dozens of candid quotes I could never attribute, and I desperately needed experts to state on the record what they knew about RBN in order to expose this malicious network that was affecting the lives of millions of unsuspecting people. After much cajoling, I eventually convinced enough experts to speak the truth. On October 13, 2007, the
Washington
Post
ran the story “Shadowy Russian Firm Seen as Conduit for Cybercrime,” in the front section of the paper and featured the piece prominently on their website.

Not long after that story, the
Post
also ran a pair of supporting pieces on its Security Fix blog, detailing the malicious activity at RBN and explicitly calling out which ISPs were providing RBN connections to
the rest of the Internet. The jig was up. Now that their names were out in the open, these providers would need to justify taking money from RBN—an indefensible position given RBN’s horrid reputation as safe haven for any material, no matter how illegal or offensive.

Over the next few weeks, tens of thousands of Internet addresses previously assigned to the Russian Business Network were gradually abandoned. The cybercrime enterprises that had once occupied these “cyber lots” vanished, scattering to new bulletproof hosting providers in Italy, China, Korea, and elsewhere. The result was that for a short time, while the spam bots continued blasting out junk advertisements and links to malware-laced sites, the sites advertised in those emails sat unresponsive. Although on the surface this was a hollow victory, for many in the security community it was a welcome shot across the bow alerting the cybercrime underground that the online security industry was finally fighting back.

Not everyone was thrilled about this development. Whereas before RBN had been a concentration of known bad hosters that ISPs could easily block or filter with a handful of firewall instructions, such blocking became much harder once the sites at RBN were dispersed to dozens of networks. Now, ISPs had to spread their security nets farther to ensure that malicious websites, botnets, and spammers couldn’t get through. But ISPs, government officials, and corporations were finally starting to pay attention to this cybercrime underworld spreading beneath their feet.

That was the tip of the iceberg. In August 2008—almost a year after RBN was scattered to the four winds—I wrote a series about cybercrime activity concentrated a bit closer to home at a shadowy ISP called Atrivo. Like young Nikolai’s McColo, it was a Northern California-based hosting provider that had also ignored requests from law enforcement agencies and from the security community to unplug abusive websites that had become synonymous with botnet-hosting and huge numbers of sites set up to foist malicious software. I relied on the same
evidence collected by some of the security firms that had gathered data on RBN, and in particular a report from HostExploit, an organization of international respected Internet professionals dedicated to researching, exposing, and raising awareness about cybercrime.

That series, and growing attention from other media outlets and security experts, led to Atrivo being gradually excluded from the Internet, as its partners in the ISP industry who provided connections to the larger Internet for it and its cybercriminal users were publicly shamed into severing ties with the company one by one over a period of approximately two weeks.

One of the significant fallouts of Atrivo’s shutdown was the hastened demise of the Storm worm, an infamous botnet that had infiltrated and compromised millions of Americans’ PCs and “was once responsible for sending more than 20 percent of all spam,” I explained on the
Washington
Post
’s Security Fix blog on October 17, 2008. Atrivo had hosted a number of the master servers for the Storm worm; the worm discharged its final blast of spam three days before Atrivo was forced off the Internet by its final remaining Internet provider.

A week after Atrivo went dark, I heard from a trusted source who had contacts with many unsavory individuals in the cybercrime underworld. My source said he had a message to pass on from an unnamed cybercrook who’d been mildly inconvenienced and grudgingly impressed by the organized ostracism of Atrivo I had started.

“Tell Krebs ‘Nice job on Atrivo,’” the mysterious miscreant told my source. “But if he’s thinking about doing McColo next, he’s pushing his luck.”

I wasn’t sure what to make of this communication, which seemed like an amused observation backstopped by a veiled threat. But by the time my source relayed that message, it was too late to turn back. I was already knee-deep in an investigation of McColo, the ISP company led by Nikolai “Kolya” McColo. It was a logical progression, mainly because many of the miscreants and botmasters who had parked their botnet
and crimeware operations at Atrivo also had portions of their infrastructure hosted at McColo. And now that Atrivo was wiped off the Internet, McColo had become an even more critical bulletproof provider for the underground cybercrime community.