Slashdot Mirror


The Gang Behind the World's Largest Spam Botnet

tsu doh nimh writes "A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. Brian Krebs uncovers fascinating information about a hacker named 'GeRa' who is supposedly behind the Grum botnet, which is currently sending about one out of every three spam emails worldwide. The story also points to several possible real identities behind the Internet's largest spam machine."

24 of 58 comments

  1. Priorities by SJHillman · · Score: 5, Insightful

    MegaUpload: Some people love it, some people hate it. Most of their damage (much of it alleged) is limited to a single industry and affects a tiny percentage of their bottom line

    Global Botnets: Universally hated, with very real damage caused in terms of time spent, infrastructure upgrades, spam filtering, etc., plus I'm sure a lot of that spam is also used for phishing and other activities that cause further damage. It affects pretty much every company and individual with any sort of online presence. I don't have any numbers, but I imagine spam botnets cause damage that's at least an order of magnitude greater than what copyright infringement is even claimed to be (never mind the smaller amount it actually is).

    But hey, glad we took down the one that also served legal uses.

    1. Re:Priorities by SuricouRaven · · Score: 4, Insightful

      It shouldn't even be that hard. The spam botnet itself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmaceutical scams. That means the spam is there to promote a website. Remove the website - which must be hosted *somewhere* - and the spam ceases to be profitable. Where is the megaupload-style international police operation to shut that down? Instead we have a bunch of vigilante hackers, hardly an ideal solution.

    2. Re:Priorities by shentino · · Score: 3, Insightful

      My guess is that the credit card companies that are collecting processing fees for the actual purchases don't mind the extra business.

    3. Re:Priorities by PopeRatzo · · Score: 2, Insightful

      Also, since people are buying stuff through it, there should be a money trail to follow...

      And who wants to bet that the money trail would lead to places and people that the "enforcers" would rather we not know?

      --
      You are welcome on my lawn.
    4. Re:Priorities by Peter Simpson · · Score: 4, Insightful

      Yeah. You know, if the CC companies *really* wanted to shut these guys down, it seems like they could do it by identifying the stream of transactions that trace back to one or two payment processors in their network. But there's money involved, so I guess that's not going to happen.

    5. Re:Priorities by KiloByte · · Score: 4, Insightful

      Spammers can use flux hosting for their websites so this part is not easy to target. Accepting payment, though, is something that's trivial to block -- if there was any will to do so.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:Priorities by Hentes · · Score: 5, Insightful

      So next time a company will spam in the name of a rival, thus baiting authorities to take it down. Just because they are the ones advertised is no proof that they ordered the advertisement, or, if they did, that they knew it was being achieved by illegal spam.

    7. Re:Priorities by slart42 · · Score: 2

      Problem with that is that I'd be able to get any web site taken down by paying people to send around a little spam linking to it :)

    8. Re:Priorities by somersault · · Score: 2, Interesting

      time spent, infrastructure upgrades, spam filtering, etc

      I of course hate spam, but that type of stuff does keep a lot of Slashdotters employed.

      Good job on being spectacularly biased and imagining up all those useful pieces of information to back up your viewpoint.

      --
      which is totally what she said
    9. Re:Priorities by Zocalo · · Score: 5, Insightful

      Chances are the website is also hosted on the botnet, thousands of times over, across possibly as many domains and sub-domains. The spammers can then use Fast Flux DNS to cycle between random selections of hosts every few minutes or so. That means you need to take out the C&C servers to take down the website(s) as well, and even then there's no reason that the bots could not keep on operating on autopilot while the operators try to regain control.

      Realistically, there is only one way to stop spam and that's to disrupt the money flow between the people that buy products from spam and the spammers to such an extent that it is no longer profitable. That's certainly not going to be easy, but for all its faults SOPA would have provided some of the necessary muscle needed to force Mastercard and Visa to try and prevent payments to known spam operators through its provisions to block financial flow to such sites (its potential use for preventing sales of fake Viagra is why Pfizer is on the SOPA supporters' list). Another avenue of attack is blacklisting banks that can be shown to be processing spam-related payments, especially since research has shown that there may only be a handful of banks prepared to deal with spammers in the first place.

      --
      UNIX? They're not even circumcised! Savages!
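The fast-flux pattern Zocalo describes (one site name resolving to a rotating set of bot addresses with short TTLs) is also what a defender can look for in passive DNS data. The following is an added example, not code from the story or from any commenter; the hostnames, addresses, lookup timings and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS style observations: (seconds since start, hostname,
# TTL, A-record answers). Hostnames and addresses are placeholders (RFC 5737
# documentation ranges), invented for this example.
OBSERVATIONS = [
    (0,    "pills.example", 180, ["198.51.100.7", "203.0.113.42", "192.0.2.19"]),
    (300,  "pills.example", 180, ["203.0.113.88", "198.51.100.130", "192.0.2.201"]),
    (600,  "pills.example", 180, ["198.51.100.7", "203.0.113.5", "192.0.2.77"]),
    (900,  "pills.example", 180, ["203.0.113.42", "198.51.100.250", "192.0.2.33"]),
    (1200, "pills.example", 180, ["192.0.2.19", "203.0.113.160", "198.51.100.61"]),
    (1500, "pills.example", 180, ["203.0.113.9", "198.51.100.14", "192.0.2.100"]),
    (0,    "shop.example", 86400, ["198.51.100.20"]),
    (900,  "shop.example", 86400, ["198.51.100.20"]),
    (1500, "shop.example", 86400, ["198.51.100.20"]),
]


def flux_profile(observations):
    """Per hostname: lookups seen, distinct IPs, distinct /24s, lowest TTL,
    and how many answers changed between consecutive lookups (churn)."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    lookups, churn, previous = defaultdict(int), defaultdict(int), {}
    for _, host, ttl, answers in sorted(observations):
        lookups[host] += 1
        ttls[host].append(ttl)
        current = {ip_address(a) for a in answers}
        # Count answers not present in the previous lookup of the same host.
        churn[host] += len(current - previous.get(host, set()))
        previous[host] = current
        for addr in current:
            ips[host].add(addr)
            nets[host].add(int(addr) >> 8)  # /24 as a crude "different network" proxy
    return {h: {"lookups": lookups[h], "unique_ips": len(ips[h]),
                "unique_nets": len(nets[h]), "min_ttl": min(ttls[h]),
                "churn": churn[h]} for h in lookups}


def flag_fast_flux(observations, max_ttl=600, min_ips=10, min_nets=3):
    """Hostnames whose resolution pattern looks like fast flux: short TTLs and
    many distinct addresses spread over several networks."""
    return sorted(h for h, p in flux_profile(observations).items()
                  if p["min_ttl"] <= max_ttl and p["unique_ips"] >= min_ips
                  and p["unique_nets"] >= min_nets)
```

The thresholds are assumptions to be tuned against a baseline of legitimate CDN-hosted names, which also rotate addresses but usually within far fewer networks and with less churn per lookup.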
    10. Re:Priorities by __aaltlg1547 · · Score: 2

      So you follow the money trail back one or two steps further to the guy that accepted money to send the spam and the operators of the botnet.

      It's not that hard. The government knows how to do this. It's just not a high priority.

    11. Re:Priorities by Anonymous Coward · · Score: 2, Interesting

      Oh yeah, sure. It'd be about as easy as blocking payment to some other really damaging websites such as wikileaks. /sarcasm

    12. Re:Priorities by EXrider · · Score: 2

      Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.

      Probably because zombie machines on the botnet are the ones hosting the website(s).

      --
      grep -iw skynet /etc/services
    13. Re:Priorities by Splodgey · · Score: 4, Funny

      Destroying this botnet could have detrimental effects on men with tiny penises worldwide!

      --
      Sigs are for losers....oh wait...damnit
    14. Re:Priorities by GameboyRMH · · Score: 2

      Unless those processing fees are from donating money to a leak site. That money's no good.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    15. Re:Priorities by alaffin · · Score: 2

      I guess, by your logic, we shouldn't bother to try and take down Global Botnets either, because there are rapists and murderers out there who have yet to be caught. Obviously we have our priorities mixed up.

      Leaving aside the whole "MegaUpload was a legitimate business" argument, it's likely a matter of low-hanging fruit. Shutting down a botnet is difficult. Its command and control structures are usually obfuscated and redundant. Its operators are (usually) bright enough to cover their tracks. Innocent people/businesses are likely to get caught in the crossfire as their zombified PCs are often used to host significant portions of the systems. To say nothing of the fact that law enforcement agencies usually do not want to shine a light too directly at botnets - the cockroaches that run them tend to scatter to their hidey-holes rather quickly. Better rather to invest large amounts of time and effort to bring the thing down properly, so that there is a case against its organizers. MegaUpload, on the other hand, was a business. Its location was known. Its infrastructure was known. Its CEO was known. No innocent bystanders. No way to hide.

      Now I'm with you. I think it was wrong to bring down MegaUpload. But don't criticize law enforcement agencies for, upon deciding that MegaUpload was in violation of the law, taking it down swiftly.

    16. Re:Priorities by GPLHost-Thomas · · Score: 2

      Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.

      It's more along the lines of: remove the website - which isn't easy because most of the time it's hosted by a company that is an accomplice - and another one pops up in a matter of hours.

    17. Re:Priorities by oh-dark-thirty · · Score: 2

      I've been saying that to anyone that cared to listen for years. As long as Visa/MC/the banks/processors get their cuts and the chargeback level stays low, they do not care who or what is transacting.

  2. 80k sales and $6m in revenue by Cid Highwind · · Score: 5, Insightful

    Over a 3-year period, GeRa's advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues in excess of $6 million, and earned him and his pals more than $2.7 million.

    ...and that's why we will never be rid of spam: because at least 80,000 people are dumb enough to buy boner pills over the internet from someone who spammed their inbox with poorly-spelled sales pitches.

    --
    0 1 - just my two bits
    1. Re:80k sales and $6m in revenue by Anonymous Coward · · Score: 2, Interesting

      The trouble is and always has been that money is really hard to follow. How do you think the federal government manages to lose TRILLIONS of it?

  3. Maybe they are Syrians? by AverageWindowsUser · · Score: 2

    "Syrian" hackers on a U.N. Peacekeeping Mission:

    http://www.themoscowtimes.com/news/article/syria-cyber-war-opens-new-front-in-russia/452200.html

    Syria Cyber War Opens New Front In Russia

    02 February 2012

    By Jonathan Earle

    The cyber front of Syria's year-old civil war spread to Russia this week as pro- and anti-government bots splashed criticism and expressions of gratitude across the Russian Internet, and Syrian hackers attempted to commandeer the website of a Russian embassy.

    The attacks are a response to Russia's ongoing resistance to proposed UN sanctions against Damascus and willingness to sell weapons to the Syrian government, which has been accused of killing thousands of civilians to stem a popular uprising that began in March.

    On Sunday, the Syrian National Council, the main opposition coalition, called on Syrian expatriates to stage protests at Russian embassies and consulates and "exert pressure" on Russia.

    Syrian electronic activists appear to have heeded the call, as Dozhd television said its website started receiving three to four comments per hour beginning Monday night.

    Thousands of Syria-related comments have since appeared on Russian news websites and Facebook pages. Most comments are sharply critical of Russia's defense of President Bashar Assad. "Russia sold its humanity when it sold weapons to a criminal regime" user Abu Mujahid al-Hamwi wrote on President Dmitry Medvedev's Facebook page Tuesday morning.

    A small percentage of the comments — which appeared in Arabic, Russian and English — expressed gratitude to Medvedev and Prime Minister Vladimir Putin, such as one from user Hamoud Youssef: "A heartfelt thank you to Russia. Thank you for the veto."

    The comments were ostensibly posted by users with Syrian-sounding names, but the high number of identical entries suggests that the effort is largely automated. Several comments appeared dozens of times from multiple users on Facebook pages belonging to Slon.ru, Afisha, and Lenta.ru.

    Meanwhile, a senior official at the Russian Embassy in New Delhi said Syrian hackers tried and failed to commandeer the embassy's website, Vesti.ru reported Monday. The official denied earlier reports that hackers had posted photographs of children allegedly killed by Syrian security forces.

    For months, Russia and its allies have resisted growing pressure from Western governments and much of the Arab world to take a harder line against the Syrian government, which opponents say is using tanks and heavy weapons to slaughter opponents. The UN estimates that more than 5,000 have died in the crackdown.

    The Syrian government says it is battling terrorist groups, and Russia has called on both sides to reject violence and come to the negotiating table. In October, Russia and China blocked a UN Security Council resolution calling for sanctions against Syria within 30 days if the government did not stop attacks on protesters.

    In December, Russia agreed to sell 36 Yak-130 trainer-fighter airplanes to the Syrian government in a $550 million contract, Kommersant reported this week. Last month, a Russian-owned ship laden with munitions arrived in Syria after being temporarily detained in Cyprus.

    Analysts have speculated that Russia is eager to hold on to a longtime ally and prevent a repeat of NATO's intervention in Libya. Also at play are billions of dollars worth of arms contracts and a naval base in the Mediterranean city of Tartus, Russia's only military base outside the former Soviet Union.

  4. How about stopping the product? by Marrow · · Score: 3, Insightful

    If actual products are being shipped (as opposed to pure fraud), then it should be possible to trace the physical deliveries back to their source. Pharmacy products are not e-products. They are physical. So if these products are being marketed through illegal means, and are probably illegal products themselves, then why not follow them back to their source?
    At the very least, the govt could make a big noise and say that goods marketed through spam are being seized en route and people will throw their money away if they purchase them.

  5. Doubtful passport authenticity by vovick · · Score: 2

    One of the two hackers' names the author "uncovers" is Vasily Ivanovich Petrov which is basically one of many possible variations of John Doe in Russian. While there is a possibility for someone to be named this way (in fact, Wikipedia has an article on one http://en.wikipedia.org/wiki/Vasily_Ivanovich_Petrov), it seems highly doubtful that is the person's real name.

  6. wikileaks? by equex · · Score: 2

    what does this have to do with Wikileaks?

    --
    Can I light a sig ?