
The Gang Behind the World's Largest Spam Botnet

samzenpus posted more than 2 years ago | from the who's-to-blame dept.

Crime 58

tsu doh nimh writes "A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. Brian Krebs uncovers fascinating information about a hacker named 'GeRa' who is supposedly behind the Grum botnet, which is currently sending about one out of every three spam emails worldwide. The story also points to several possible real-identities behind the Internet's largest spam machine."


58 comments


Priorities (5, Insightful)

SJHillman (1966756) | more than 2 years ago | (#38901509)

MegaUpload: Some people love it, some people hate it. Most of their damage (much of it alleged) is limited to a single industry and affects a tiny percentage of their bottom line.

Global Botnets: Universally hated, with very real damage caused in terms of time spent, infrastructure upgrades, spam filtering, etc., plus I'm sure a lot of that spam is also used for phishing and other activities that cause further damage. It affects pretty much every company and individual with any sort of online presence. I don't have any numbers, but I imagine spam botnets cause damage that's at least an order of magnitude greater than what copyright infringement is even claimed to be (never mind the smaller amount it actually is).

But hey, glad we took down the one that also served legal uses.

Re:Priorities (4, Insightful)

SuricouRaven (1897204) | more than 2 years ago | (#38901531)

It shouldn't even be that hard. The spam botnet itself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmaceutical scams. That means the spam is there to promote a website. Remove the website - which must be hosted *somewhere* - and the spam ceases to be profitable. Where is the MegaUpload-style international police operation to shut that down? Instead we have a bunch of vigilante hackers, hardly an ideal solution.

Re:Priorities (3, Insightful)

shentino (1139071) | more than 2 years ago | (#38901561)

My guess is that the credit card companies that are collecting processing fees for the actual purchases don't mind the extra business.

Re:Priorities (4, Insightful)

Peter Simpson (112887) | more than 2 years ago | (#38901629)

Yeah. You know, if the CC companies *really* wanted to shut these guys down, it seems like they could do it by identifying the stream of transactions that trace back to one or two payment processors in their network. But there's money involved, so I guess that's not going to happen.

Re:Priorities (2)

oh-dark-thirty (1648133) | more than 2 years ago | (#38903779)

I've been saying that to anyone that cared to listen for years. As long as Visa/MC/the banks/processors get their cuts and the chargeback level stays low, they do not care who or what is transacting.

Re:Priorities (1)

PapayaSF (721268) | more than 2 years ago | (#38904517)

Still, aren't the CC companies and banks the weak point in spam operations? Surely the government would be able to lean on them even harder than they can lean on some foreign ISP regarding a website.

But every time I read about spammers like this, I think of the rubber stamp from the movie Top Secret! [zazzle.com].

Re:Priorities (2)

GameboyRMH (1153867) | more than 2 years ago | (#38902323)

Unless those processing fees are from donating money to a leak site. That money's no good.

Re:Priorities (1)

Anonymous Coward | more than 2 years ago | (#38901563)

Also, since people are buying stuff through it, there should be a money trail to follow...

Re:Priorities (2, Insightful)

PopeRatzo (965947) | more than 2 years ago | (#38901609)

Also, since people are buying stuff through it, there should be a money trail to follow...

And who wants to bet that the money trail would lead to places and people that the "enforcers" would rather we not know?

Re:Priorities (1, Insightful)

Aighearach (97333) | more than 2 years ago | (#38901581)

The problem is that the scams can use ad-hoc resources cobbled together from infected systems; there is no need to have a permanent domain. People don't need to get there by searching, the spam provides them a link. So shut down the server. Just be aware the server's legal operator wasn't involved and now their sites are down. And the scammers failed over to the next batch of infected systems.

Re:Priorities (4, Insightful)

KiloByte (825081) | more than 2 years ago | (#38901635)

Spammers can use flux hosting for their websites so this part is not easy to target. Accepting payment, though, is something that's trivial to block -- if there was any will to do so.

Re:Priorities (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38901875)

Oh yeah, sure. It'd be about as easy as blocking payment to some other really damaging websites such as wikileaks. /sarcasm

Re:Priorities (1)

houghi (78078) | more than 2 years ago | (#38902209)

Unfortunately not as trivial as it sounds.
A good step would be that the USofA starts using the chipset, like the rest of the world does. This would already help a LOT with stolen cards.

It is not as if they would say: please transfer X amount from credit card Y to my own account. What they do is a bit more complex. They are pretty good at hiding sales under the radar.
A way would be to verify each sale by an SMS or any other means. This will be extremely inconvenient for the user.
As with DRM, it will harm the good user more than the bad user.

Hosting providers often don't care: follow the $$$ (1)

John Bokma (834313) | more than 2 years ago | (#38904177)

flux hosting? Heh, they just pick one of the many hosting companies that do nothing about spam reports received via SpamCop.net or emailed directly.

Case in point? I received spam last Friday, which has redirects to: 199.10 2.228.2 19/~ lig htfoo/tracking/rd/t-a-x/main/jonxqo The IP address is with ServInt. Despite contacting them via their abuse@ address, the live chat feature on their website, and their Facebook page (from which they have blocked me by now) the site is still up. And ServInt is just one example. Reporting spam via SpamCop to ovh.net seems to be a pointless exercise. After complaining at their site I was handed an additional email address: legal@. And presto, suddenly spam I report is taken action upon if I email manually both abuse@ and legal@. No idea how long this miracle stays up, though.

What I really don't get is why hosting providers/ISPs don't check sites that report IP addresses that send spam or are abusive on a daily basis. My impression is that your head in the sand just makes more money...

And that's the problem. Some big USA/European hosting companies don't do a thing about this. As always, follow the money.

Re:Hosting providers often don't care: follow the (1)

EvilIdler (21087) | more than 2 years ago | (#38908261)

I just started digging into finding Servint's upstream provider today because of all the fuckers abusing their servers (1-3 spam mails a day from as many scam companies with changing names). In my findings I also ran across 11-year-old threads about their completely disgusting business practices. When reporting spam to them back then, they threatened the spam reporters with reporting THEM as spammers! See the Spamcop mailing list 2000-2001 for more miserable reading.

From what I've found about Servint it looks like Network Solutions would be one possible provider - no domain name would make continuing their business a little tricky. Not sure who provides the actual network, though. I'm sure a whole article's worth of dirt could be found on those bastards.

Re:Priorities (5, Insightful)

Hentes (2461350) | more than 2 years ago | (#38901669)

So next time a company will spam in the name of a rival, thus baiting authorities to take it down. Just because they are the ones advertised is no proof that they ordered the advertisement and, if they did, that they knew it was being achieved by illegal spam.

Re:Priorities (0, Insightful)

Anonymous Coward | more than 2 years ago | (#38901693)

It shouldn't even be that hard. The spam botnet itself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmaceutical scams. That means the spam is there to promote a website.

More than that: it's not just promoting a website, but trying to sell something, so follow the money.

Re:Priorities (2)

slart42 (694765) | more than 2 years ago | (#38901695)

Problem with that is that I'd be able to get any web site taken down by paying people to send around a little spam linking to it :)

Re:Priorities (2)

Shavano (2541114) | more than 2 years ago | (#38901765)

So you follow the money trail back one or two steps further to the guy that accepted money to send the spam and the operators of the botnet.

It's not that hard. The government knows how to do this. It's just not a high priority.

Re:Priorities (5, Insightful)

Zocalo (252965) | more than 2 years ago | (#38901723)

Chances are the website is also hosted on the botnet, thousands of times over, across possibly as many domains and sub-domains. The spammers can then use Fast Flux DNS [wikipedia.org] to cycle between random selections of hosts every few minutes or so. That means you need to take out the C&C servers to take down the website(s) as well, and even then there's no reason that the bots could not keep on operating in autopilot while the operators try to regain control.

Realistically, there is only one way to stop spam and that's to disrupt the money flow between the people that buy products from spam and the spammers to such an extent that it is no longer profitable. That's certainly not going to be easy, but for all its faults SOPA would have provided some of the necessary muscle needed to force Mastercard and Visa to try and prevent payments to known spam operators through its provisions to block financial flow to such sites (its potential use for preventing sales of fake Viagra is why Pfizer is on the SOPA supporters' list). Another avenue of attack is blacklisting banks that can be shown to be processing spam related payments, especially since research [arstechnica.com] has shown that there may only be a handful of banks prepared to deal with spammers in the first place.
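As an added illustration of the fast-flux behaviour Zocalo describes above (this is example code written for this page, not code from the thread or from any project it mentions): a small resolver-log triage script that flags a name only when short TTLs coincide with many answer IPs spread across several /16 prefixes, so a legitimate low-TTL CDN name served from one block is not flagged. The log format, sample lines and thresholds are constructed assumptions; only parse_line would need changing for a real resolver log.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import AddressValueError, IPv4Address
from typing import Iterable

# Constructed sample in a deliberately simple record format:
#   "<epoch> <qname> <rtype> <ttl> <rdata>"
# Three behaviours: a stable bank site (long TTL, one /16), a CDN name
# (short TTL but every answer inside one /16) and a promo domain whose
# short-TTL answers hop across unrelated /16s, the fast-flux signature.
SAMPLE_LOG = """\
1328200000 www.bank.example A 3600 203.0.113.10
1328200300 www.bank.example A 3600 203.0.113.10
1328200600 www.bank.example A 3600 203.0.113.11
1328200000 cdn.news.example A 60 198.51.100.20
1328200060 cdn.news.example A 60 198.51.100.21
1328200120 cdn.news.example A 60 198.51.100.22
1328200180 cdn.news.example A 60 198.51.100.23
1328200240 cdn.news.example A 60 198.51.100.24
1328200000 pills-promo.example A 120 192.0.2.15
1328200120 pills-promo.example A 120 10.44.7.8
1328200240 pills-promo.example A 120 172.16.9.200
1328200360 pills-promo.example A 120 192.0.2.90
1328200480 pills-promo.example A 120 10.200.3.41
1328200600 pills-promo.example A 120 172.31.55.6
1328200720 pills-promo.example A 120 10.9.9.9
1328200000 pills-promo.example AAAA 120 2001:db8::1
not a log line at all
"""


@dataclass
class DomainStats:
    """Aggregate over the A answers observed for one query name."""
    answers: int = 0
    ips: set[str] = field(default_factory=set)
    prefixes: set[int] = field(default_factory=set)  # /16 network numbers
    min_ttl: int | None = None


def parse_line(line: str) -> tuple[str, str, int, str] | None:
    """Return (qname, rtype, ttl, rdata), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _ts, qname, rtype, ttl, rdata = parts
    return qname.lower().rstrip("."), rtype.upper(), int(ttl), rdata


def summarize(lines: Iterable[str]) -> dict[str, DomainStats]:
    """Fold IPv4 A answers into per-name IP, /16 and TTL statistics."""
    stats: dict[str, DomainStats] = defaultdict(DomainStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "A":
            continue  # skip junk and non-A records (AAAA handled separately in practice)
        qname, _rtype, ttl, rdata = rec
        try:
            addr = IPv4Address(rdata)
        except AddressValueError:
            continue
        s = stats[qname]
        s.answers += 1
        s.ips.add(str(addr))
        s.prefixes.add(int(addr) >> 16)  # collapse to the /16 the answer lives in
        s.min_ttl = ttl if s.min_ttl is None else min(s.min_ttl, ttl)
    return dict(stats)


def is_fast_flux(s: DomainStats, max_ttl: int = 300,
                 min_ips: int = 5, min_prefixes: int = 3) -> bool:
    """Short TTL alone is normal (CDNs); require IP and /16 spread as well."""
    if s.min_ttl is None or s.min_ttl > max_ttl:
        return False
    return len(s.ips) >= min_ips and len(s.prefixes) >= min_prefixes


def flag_domains(lines: Iterable[str], **thresholds: int) -> list[str]:
    """Names in the log that meet the fast-flux heuristic, sorted."""
    return sorted(n for n, s in summarize(lines).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{name:22} ips={len(s.ips)} /16s={len(s.prefixes)} "
              f"min_ttl={s.min_ttl} flux={is_fast_flux(s)}")
```

The /16 spread is a coarse stand-in for ASN diversity; with an ASN lookup available, counting distinct origin ASNs instead of /16s gives a sharper signal.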

Re:Priorities (2)

EXrider (756168) | more than 2 years ago | (#38902119)

Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.

Probably because zombie machines on the botnet are the ones hosting the website(s).

Re:Priorities (1)

kryliss (72493) | more than 2 years ago | (#38902335)

The reason something like this doesn't get shut down is because companies spend money to get rid of the problem, money spent is taxable, more money spent, more taxes paid.... then the next version of spam/virus/malware/etc... more money spent, more taxes paid... rinse and repeat.

Re:Priorities (2)

GPLHost-Thomas (1330431) | more than 2 years ago | (#38903759)

Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.

It's more along the lines of: remove the website - which isn't easy because most of the time it's hosted by a company that is an accomplice - and another one pops up in a matter of hours.

Re:Priorities (1)

Em Adespoton (792954) | more than 2 years ago | (#38905601)

For more information:
http://scholar.google.com/scholar?hl=en&q=related:mBwQLdGHFCUJ:scholar.google.com/&ei=WdwqT6PyBsOviQKsyfjGCg&sa=X&oi=science_links&ct=sl-related&resnum=1&ved=0CC4QzwIwAA [google.com]

This will tell you all you need to know about why it hasn't been done, direct from the experts in the field.

Short form: the Russians aren't about to take down a "legit pharmacy" just because of abuse of "referral programs".

PSAs? emails are for scammers (1)

Anonymous Coward | more than 2 years ago | (#38901639)

It affects pretty much every company and individual with any sort of online presence.

It's too bad that banks, credit companies, and others who are hurt by spam and botnets don't have public service announcements on TV and in AARP that say something like "Consider all email to be scams!"

It is interesting that my financial institutions no longer send links when there's some sort of update or announcement. Their emails just say "log into your account and see ..."

It seems to be old people (70yrs+) that really get snookered - at least that age group seems to be the largest segment of victims. It's like they see it in "writing" and therefore it must be true.

OTOH, there are old people like my Dad who is constantly forwarding me things and asking if it's true; to which I respond (after checking to be sure and to get links to back up what I say) "If it's in an email, it's a scam."

Re:Priorities (2, Interesting)

somersault (912633) | more than 2 years ago | (#38901721)

time spent, infrastructure upgrades, spam filtering, etc

I of course hate spam, but that type of stuff does keep a lot of Slashdotters employed.

Good job on being spectacularly biased and imagining up all those useful pieces of information to back up your viewpoint.

Re:Priorities (0)

Anonymous Coward | more than 2 years ago | (#38902497)

That is the broken window fallacy. You *COULD* be working on other things that are more productive than making sure your CEO doesn't get spam...

Re:Priorities (1)

somersault (912633) | more than 2 years ago | (#38902937)

I was just trying to inject some grey into that guy's black and white garbage. He's completely off base anyway, because several botnets have been taken down by authorities.

I'm not saying we shouldn't take down botnets - go for it, by all means! We'll never be able to eradicate it completely though, so we might as well appreciate the good that comes from it instead of just whining about the bad. It's the same as all those people who point out that piracy can actually get you some sales that you otherwise wouldn't have had.

It's kind of sad that he's so happy to break the law himself, and yet when some other guys are breaking the law in a way that inconveniences himself, suddenly he's up on his high horse as if he's any less of a leech than they are.

Re:Priorities (1)

repapetilto (1219852) | more than 2 years ago | (#38903999)

Broken window fallacy is not the same as people buying your stuff after downloading it first. Where do you people come from?

Re:Priorities (-1)

Anonymous Coward | more than 2 years ago | (#38902545)

So were you born an asshole or did it take years of college?

Re:Priorities (1)

somersault (912633) | more than 2 years ago | (#38903105)

If he was talking about copyright, he'd be doing the same by pointing out how piracy can be beneficial in some ways.

I'm not one of the ones who would want to keep spam around. I was simply pointing out that it doesn't only do "damage" because his levels of bias and hypocrisy are absurd.

Re:Priorities (1)

repapetilto (1219852) | more than 2 years ago | (#38904067)

Oh my god you've repeated this twice now. People buying something after trying it for free has nothing to do with the broken window fallacy.

Re:Priorities (1)

somersault (912633) | more than 2 years ago | (#38912997)

I take it you don't understand analogies either?

Re:Priorities (1)

repapetilto (1219852) | more than 2 years ago | (#38916293)

I usually do, but for some reason I failed on this one.

Re:Priorities (1)

somersault (912633) | more than 2 years ago | (#38917069)

People buying something after trying it for free has nothing to do with the broken window fallacy.

Well, the "broken window parable" - or "window maker fallacy" as some people call it - was created to investigate opportunity costs in a situation that might at first seem only negative. There is no one lesson to draw from that imagined situation, and there is obviously a lot of room for debate as to how the situation affects an economy, as economics are necessarily complex.

I don't see how it's very different to the ongoing debate going on about how copyright and piracy affect the economy. Outcomes are not necessarily 100% "good" or 100% "bad", they're mixed. People have pointed out how piracy actually can result in more sales than if there had been no piracy, that kind of thing. Just as with the broken window fallacy, there are lots of factors to consider, some which we may not have even thought of yet.

Re:Priorities (1)

Anonymous Coward | more than 2 years ago | (#38903957)

Good job on being spectacularly biased

So your point is that killing keeps many detectives, coroners, and funerary home employees working. So it's good.

Re:Priorities (1)

somersault (912633) | more than 2 years ago | (#38913017)

On a moral scale it's not good. On an economic scale, it's probably neutral-to-good right now, as it frees up jobs for other people, or gets rid of people drawing government welfare :p

Re:Priorities (1)

mapkinase (958129) | more than 2 years ago | (#38901783)

>But hey, glad we took down the one that also served legal uses.

Same comparison could be made between action taken by US against drug cartels and Taliban, al-Shabaab, etc.

Re:Priorities (1)

Pope (17780) | more than 2 years ago | (#38901815)

False equivalence, rear your head!

Re:Priorities (4, Funny)

Splodgey (951669) | more than 2 years ago | (#38902169)

Destroying this botnet could have detrimental effects on men with tiny penises worldwide!

Re:Priorities (1)

Sponge Bath (413667) | more than 2 years ago | (#38902229)

I feel your pain. The unbalanced allocation of resources mirrors so many policy decisions, from law enforcement to military involvement. If we could just use /. polls to drive these decisions, spammers would experience the same wake up call as the Somalis who took those aid workers hostage.

Re:Priorities (2)

alaffin (585965) | more than 2 years ago | (#38902425)

I guess, by your logic, we shouldn't bother to try and take down Global Botnets either, because there are rapists and murderers out there who have yet to be caught. Obviously we have our priorities mixed up.

Leaving aside the whole "MegaUpload was a legitimate business" argument, it's likely a matter of low hanging fruit. Shutting down a botnet is difficult. Its command and control structures are usually obfuscated and redundant. Its operators are (usually) bright enough to cover their tracks. Innocent people/businesses are likely to get caught in the crossfire as their zombified PCs are often used to host significant portions of the systems. To say nothing of the fact that law enforcement agencies usually do not want to shine a light too directly at botnets - the cockroaches that run them tend to scatter to their hidey-holes rather quickly. Better rather to invest large amounts of time and effort to bring the thing down properly, so that there is a case against its organizers. MegaUpload, on the other hand, was a business. Its location was known. Its infrastructure was known. Its CEO was known. No innocent bystanders. No way to hide.

Now I'm with you. I think it was wrong to bring down MegaUpload. But don't criticize law enforcement agencies for, upon deciding that MegaUpload was in violation of the law, taking it down swiftly.

Re:Priorities (0)

Anonymous Coward | more than 2 years ago | (#38913441)

The worst problem is finding a real online pharmacy which actually delivers, doesn't rip you off and which you can trust.

All of the crap created by these botnets causes so much static it's hard to find the real deal. I found magicpharma ... but had to filter out a lot to sort out that it was real.

The spammers need to die - nuclear strike from space, or just kick them off the planet.

Spam not really a problem (0, Flamebait)

Anonymous Coward | more than 2 years ago | (#38901663)

Email is dead. Everyone uses facebook to communicate now.

Re:Spam not really a problem (0)

Anonymous Coward | more than 2 years ago | (#38901915)

Have you ever been to the real corporate world?

Re:Spam not really a problem (0)

Anonymous Coward | more than 2 years ago | (#38902285)

This is most certainly satire.

Re:Spam not really a problem (1)

Anonymous Coward | more than 2 years ago | (#38902675)

in Korea, only old people use email

Re:Spam not really a problem (1)

PPH (736903) | more than 2 years ago | (#38903047)

Is that you, Zuckerberg? You're getting your IPO. Stop shilling for your company already.

Blah krebs (-1)

Anonymous Coward | more than 2 years ago | (#38901715)

Blog with a Serious Face right on top, to give credibility on what otherwise is marginal research mixed with a lot of prejudice and admonishment. Can't just let the topic damn itself on facts, noo, facts are too hard. Blah I say. Blah.

Wikileaks? (0)

Anonymous Coward | more than 2 years ago | (#38901909)

Sorry - what does this have to do with Wikileaks?

80k sales and $6m in revenue (5, Insightful)

Cid Highwind (9258) | more than 2 years ago | (#38902179)

Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

...and that's why we will never be rid of spam: because at least 80,000 people are dumb enough to buy boner pills over the internet from someone who spammed their inbox with poorly-spelled sales pitches.

Re:80k sales and $6m in revenue (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38903389)

The trouble is and always has been that money is really hard to follow. How do you think the federal government manages to lose TRILLIONS of it?

Re:80k sales and $6m in revenue (1)

Tom (822) | more than 2 years ago | (#38907657)

True.

You have convinced me to change my position on spam.

From "shoot the spammers" to "shoot the idiots who buy from them".

The only issue is that we must shoot idiots faster than they breed, and that is going to be challenging.

Maybe they are Syrians? (2)

AverageWindowsUser (2537474) | more than 2 years ago | (#38902677)

"Syrian" hackers on a U.N. Peacekeeping Mission:

http://www.themoscowtimes.com/news/article/syria-cyber-war-opens-new-front-in-russia/452200.html [themoscowtimes.com]

Syria Cyber War Opens New Front In Russia

02 February 2012

By Jonathan Earle

The cyber front of Syria's year-old civil war spread to Russia this week as pro- and anti-government bots splashed criticism and expressions of gratitude across the Russian Internet, and Syrian hackers attempted to commandeer the website of a Russian embassy.

The attacks are a response to Russia's ongoing resistance to proposed UN sanctions against Damascus and willingness to sell weapons to the Syrian government, which has been accused of killing thousands of civilians to stem a popular uprising that began in March.

On Sunday, the Syrian National Council, the main opposition coalition, called on Syrian expatriates to stage protests at Russian embassies and consulates and "exert pressure" on Russia.

Syrian electronic activists appear to have heeded the call, as Dozhd television said its website started receiving three to four comments per hour beginning Monday night.

Thousands of Syria-related comments have since appeared on Russian news websites and Facebook pages. Most comments are sharply critical of Russia's defense of President Bashar Assad. "Russia sold its humanity when it sold weapons to a criminal regime" user Abu Mujahid al-Hamwi wrote on President Dmitry Medvedev's Facebook page Tuesday morning.

A small percentage of the comments — which appeared in Arabic, Russian and English — expressed gratitude to Medvedev and Prime Minister Vladimir Putin, such as one from user Hamoud Youssef: "A heartfelt thank you to Russia. Thank you for the veto."

The comments were ostensibly posted by users with Syrian-sounding names, but the high number of identical entries suggests that the effort is largely automated. Several comments appeared dozens of times from multiple users on Facebook pages belonging to Slon.ru, Afisha, and Lenta.ru.

Meanwhile, a senior official at the Russian Embassy in New Delhi said Syrian hackers tried and failed to commandeer the embassy's website, Vesti.ru reported Monday. The official denied earlier reports that hackers had posted photographs of children allegedly killed by Syrian security forces.

For months, Russia and its allies have resisted growing pressure from Western governments and much of the Arab world to take a harder line against the Syrian government, which opponents say is using tanks and heavy weapons to slaughter opponents. The UN estimates that more than 5,000 have died in the crackdown.

The Syrian government says it is battling terrorist groups, and Russia has called on both sides to reject violence and come to the negotiating table. In October, Russia and China blocked a UN Security Council resolution calling for sanctions against Syria within 30 days if the government did not stop attacks on protesters.

In December, Russia agreed to sell 36 Yak-130 trainer-fighter airplanes to the Syrian government in a $550 million contract, Kommersant reported this week. Last month, a Russian-owned ship laden with munitions arrived in Syria after being temporarily detained in Cyprus.

Analysts have speculated that Russia is eager to hold on to a longtime ally and prevent a repeat of NATO's intervention in Libya. Also at play are billions of dollars worth of arms contracts and a naval base in the Mediterranean city of Tartus, Russia's only military base outside the former Soviet Union.

How about stopping the product? (3, Insightful)

Marrow (195242) | more than 2 years ago | (#38902755)

If actual products are being shipped (as opposed to pure fraud), then it should be possible to trace the physical deliveries back to their source. Pharmacy products are not e-products. They are physical. So if these products are being marketed through illegal means, and are probably illegal products themselves, then why not follow them back to their source?
At the very least, the govt could make a big noise and say that goods marketed through spam are being seized en route and people will throw their money away if they purchase them.

Re:How about stopping the product? (1)

madhatter256 (443326) | more than 2 years ago | (#38903519)

There was an article on slashdot not too long ago about websites that pay you to act as a small "shipping/receiving" drop point for these illegal online pharmacies...

I try and search it, but slashdot search doesn't really bring it up...

Doubtful passport authenticity (2)

vovick (1397387) | more than 2 years ago | (#38904383)

One of the two hackers' names the author "uncovers" is Vasily Ivanovich Petrov which is basically one of many possible variations of John Doe in Russian. While there is a possibility for someone to be named this way (in fact, Wikipedia has an article on one http://en.wikipedia.org/wiki/Vasily_Ivanovich_Petrov [wikipedia.org] ), it seems highly doubtful that is the person's real name.

wikileaks? (2)

equex (747231) | more than 2 years ago | (#38904743)

what does this have to do with Wikileaks?