
The Gang Behind the World's Largest Spam Botnet

tsu doh nimh writes "A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. Brian Krebs uncovers fascinating information about a hacker named 'GeRa' who is supposedly behind the Grum botnet, which is currently sending about one out of every three spam emails worldwide. The story also points to several possible real identities behind the Internet's largest spam machine."

  • Priorities (Score:5, Insightful)

    by SJHillman ( 1966756 ) on Thursday February 02, 2012 @09:12AM (#38901509)

    MegaUpload: Some people love it, some people hate it. Most of their damage (much of it alleged) is limited to a single industry and affects a tiny percentage of their bottom line

    Global Botnets: Universally hated with very real damage caused in terms of time spent, infrastructure upgrades, spam filtering, etc, plus I'm sure a lot of that spam is also used for phishing and other activities that cause further damage. It affects pretty much every company and individual with any sort of online presence. I don't have any numbers, but I imagine the cost of spam botnets cause damage that's at least an order of magnitude greater than what copyright infringement is even claimed to be (nevermind the smaller amount it actually is).

    But hey, glad we took down the one that also served legal uses.

  • Re:Priorities (Score:5, Insightful)

    by SuricouRaven ( 1897204 ) on Thursday February 02, 2012 @09:17AM (#38901531)

    It shouldn't even be that hard. The spam botnet itself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmaceutical scams. That means the spam is there to promote a website. Remove the website - which must be hosted *somewhere* - and the spam ceases to be profitable. Where is the MegaUpload-style international police operation to shut that down? Instead we have a bunch of vigilante hackers, hardly an ideal solution.

  • Re:Priorities (Score:4, Insightful)

    by shentino ( 1139071 ) <shentino@gmail.com> on Thursday February 02, 2012 @09:22AM (#38901561)

    My guess is that the credit card companies that are collecting processing fees for the actual purchases don't mind the extra business.

  • Re:Priorities (Score:2, Insightful)

    by Aighearach ( 97333 ) on Thursday February 02, 2012 @09:24AM (#38901581)

    The problem is that the scams can use ad-hoc resources cobbled together from infected systems; there is no need to have a permanent domain. People don't need to get there by searching, the spam provides them a link. So shut down the server. Just be aware the server's legal operator wasn't involved and now their sites are down. And the scammers failed over to the next batch of infected systems.

  • Re:Priorities (Score:2, Insightful)

    by PopeRatzo ( 965947 ) * on Thursday February 02, 2012 @09:28AM (#38901609) Journal

    Also, if people are buying stuff through it, that means there should be a money trail to follow...

    And who wants to bet that the money trail would lead to places and people that the "enforcers" would rather we not know?

  • Re:Priorities (Score:5, Insightful)

    by Peter Simpson ( 112887 ) on Thursday February 02, 2012 @09:30AM (#38901629)

    Yeah. You know, if the CC companies *really* wanted to shut these guys down, it seems like they could do it by identifying the stream of transactions that trace back to one or two payment processors in their network. But there's money involved, so I guess that's not going to happen.

  • Re:Priorities (Score:5, Insightful)

    by KiloByte ( 825081 ) on Thursday February 02, 2012 @09:31AM (#38901635)

    Spammers can use flux hosting for their websites so this part is not easy to target. Accepting payment, though, is something that's trivial to block -- if there was any will to do so.

  • Re:Priorities (Score:5, Insightful)

    by Hentes ( 2461350 ) on Thursday February 02, 2012 @09:37AM (#38901669)

    So next time a company will spam in the name of a rival, thus baiting authorities to take it down. Just because they are the ones advertised is no proof that they ordered the advertisement and, if they did, that they know it's being achieved by illegal spam.

  • Re:Priorities (Score:0, Insightful)

    by Anonymous Coward on Thursday February 02, 2012 @09:41AM (#38901693)

    It shouldn't even be that hard. The spam botnet itself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmaceutical scams. That means the spam is there to promote a website.

    More than that: it's not just promoting a website, but trying to sell something, so follow the money.

  • Re:Priorities (Score:5, Insightful)

    by Zocalo ( 252965 ) on Thursday February 02, 2012 @09:47AM (#38901723) Homepage

    Chances are the website is also hosted on the botnet, thousands of times over, across possibly as many domains and sub-domains. The spammers can then use Fast Flux DNS [wikipedia.org] to cycle between random selections of hosts every few minutes or so. That means you need to take out the C&C servers to take down the website(s) as well, and even then there's no reason that the bots could not keep on operating on autopilot while the operators try to regain control.

    Realistically, there is only one way to stop spam and that's to disrupt the money flow between the people that buy products from spam and the spammers to such an extent that it is no longer profitable. That's certainly not going to be easy, but for all its faults SOPA would have provided some of the necessary muscle needed to force Mastercard and Visa to try and prevent payments to known spam operators through its provisions to block financial flow to such sites (its potential use for preventing sales of fake Viagra is why Pfizer is on the SOPA supporters' list). Another avenue of attack is blacklisting banks that can be shown to be processing spam-related payments, especially since research [arstechnica.com] has shown that there may only be a handful of banks prepared to deal with spammers in the first place.

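The fast-flux hosting pattern described in the comment above (a domain whose answers rotate through a large pool of compromised hosts every few minutes) is something a defender can detect from passive DNS data. The following is an added example, not code from the thread or from any project it mentions: a heuristic that scores a domain on low record TTL, the number of distinct IPs and autonomous systems seen over time, and how often a poll returns IPs never seen before. The observations are constructed inline using RFC 5737 documentation addresses and RFC 5398 documentation ASNs; the domain names, the `flux_score` weights and the threshold are assumptions chosen for illustration, and the ASN would normally come from an external IP-to-ASN lookup. A normal CDN-fronted domain is included to show why a low TTL alone is not a reliable signal.

```python
"""Heuristic fast-flux detection over constructed passive-DNS observations."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # seconds since start of capture (one poll per distinct ts)
    domain: str
    ip: str       # A record answer
    ttl: int      # TTL on the answer, in seconds
    asn: int      # autonomous system of the IP (assumed external lookup)


# Constructed sample data (not real observations). Three hypothetical domains:
#   pharma-example.test : low TTL, fresh IPs every poll, each in a different ASN
#   cdn-example.test    : low TTL too, but a small stable pool inside one ASN
#   static-example.test : long TTL, a single unchanging address
SAMPLE = [
    DnsObservation(0,   "pharma-example.test", "198.51.100.10",  180, 64501),
    DnsObservation(0,   "pharma-example.test", "203.0.113.22",   180, 64502),
    DnsObservation(300, "pharma-example.test", "192.0.2.77",     180, 64503),
    DnsObservation(300, "pharma-example.test", "198.51.100.200", 180, 64504),
    DnsObservation(600, "pharma-example.test", "203.0.113.5",    180, 64505),
    DnsObservation(600, "pharma-example.test", "192.0.2.140",    180, 64506),
    DnsObservation(900, "pharma-example.test", "198.51.100.33",  180, 64507),
    DnsObservation(900, "pharma-example.test", "203.0.113.99",   180, 64508),
    DnsObservation(0,   "cdn-example.test",    "192.0.2.1",       60, 64499),
    DnsObservation(0,   "cdn-example.test",    "192.0.2.2",       60, 64499),
    DnsObservation(300, "cdn-example.test",    "192.0.2.1",       60, 64499),
    DnsObservation(600, "cdn-example.test",    "192.0.2.3",       60, 64499),
    DnsObservation(900, "cdn-example.test",    "192.0.2.2",       60, 64499),
    DnsObservation(0,   "static-example.test", "198.51.100.1", 86400, 64510),
    DnsObservation(900, "static-example.test", "198.51.100.1", 86400, 64510),
]


def flux_features(observations):
    """Per-domain features: distinct IPs/ASNs, minimum TTL and answer churn.

    churn_ratio is the fraction of polls after the first that returned at
    least one IP never seen for that domain before (0.0 = stable pool,
    1.0 = every poll introduced new hosts).
    """
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    features = {}
    for domain, obs in by_domain.items():
        polls = sorted({o.ts for o in obs})
        seen, churn_polls = set(), 0
        for ts in polls:
            answers = {o.ip for o in obs if o.ts == ts}
            if ts != polls[0] and not answers <= seen:
                churn_polls += 1
            seen |= answers
        features[domain] = {
            "distinct_ips": len({o.ip for o in obs}),
            "distinct_asns": len({o.asn for o in obs}),
            "min_ttl": min(o.ttl for o in obs),
            "churn_ratio": churn_polls / max(len(polls) - 1, 1),
        }
    return features


def flux_score(f):
    """Additive heuristic in the range 0..4; weights are illustrative, not tuned."""
    score = 0.0
    if f["min_ttl"] <= 300:        # short TTL: needed for rapid rotation (CDNs do this too)
        score += 1.0
    if f["distinct_asns"] >= 3:    # infected hosts sit in many unrelated networks
        score += 1.0
    if f["distinct_ips"] >= 5:     # large address pool for a single name
        score += 1.0
    score += f["churn_ratio"]      # answers keep changing between polls
    return score


def classify(observations, threshold=3.0):
    """Return {domain: {"score": float, "fast_flux": bool}} for every domain seen."""
    return {
        domain: {"score": round(flux_score(f), 3), "fast_flux": flux_score(f) >= threshold}
        for domain, f in flux_features(observations).items()
    }


if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE).items():
        print(f"{domain:22s} score={verdict['score']:.3f} fast_flux={verdict['fast_flux']}")
```

In the sample the CDN-style domain scores on TTL alone and the churn from its small pool stays low, so only the domain that combines short TTL, many ASNs and constant turnover crosses the threshold; on real passive-DNS data the ASN-diversity and churn terms are what separate flux networks from legitimate low-TTL load balancing, and the threshold would be tuned against known-good traffic.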
  • by Cid Highwind ( 9258 ) on Thursday February 02, 2012 @10:38AM (#38902179) Homepage

    Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

    ...and that's why we will never be rid of spam: because at least 80,000 people are dumb enough to buy boner pills over the internet from someone who spammed their inbox with poorly-spelled sales pitches.

  • by Marrow ( 195242 ) on Thursday February 02, 2012 @11:41AM (#38902755)

    If actual products are being shipped (as opposed to pure fraud), then it should be possible to trace the physical deliveries back to their source. Pharmacy products are not e-products. They are physical. So if these products are being marketed through illegal means, and are probably illegal products themselves, then why not follow them back to their source?

    At the very least, the govt could make a big noise and say that goods marketed through spam are being seized en route and people will throw their money away if they purchase them.
