Slashdot Mirror
Book Review: Spam Nation
benrothke writes There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is; the second storyline is much more surprising and fascinating. Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper. Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming American's with countless emails for pharmaceuticals which led to a global spam problem. Read below for the rest of Ben's review.
Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door
author
Brian Krebs
pages
256
publisher
Sourcebooks
rating
10/10
reviewer
Ben Rothke
ISBN
978-1402295614
summary
Excellent expose on why cybercrime pays and what you can do about it
Much of the story details the doings of two of the major Russian pharmacy spammer factions, Rx-Promotion and GlavMed. In uncovering the story, Krebs had the good fortune that there was significant animosity between Rx-Promotion and GlavMed, which lead to an internal employee leaking a huge amount of emails and documents. Krebs obtained this treasure trove which he used to get a deep look at every significant aspect of these spam organizations. Hackers loyal to the heads of Rx-Promotion and GlavMed leaked this information to law enforcement officials and Krebs in an attempt to sabotage each other.
Krebs writes that the databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs; a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.
Like many, I had thought that much of the pharmaceutical spam it was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in. Krebs notes that the argument goes that if people simply stopped buying from sites advertised via the spam that floods our inboxes, the problem would for the most part go away. It's not that the spam is a technology issue; it's that the products fill an economic need and void.
Krebs shows that most people who buy from the spammers are not idiots, clueless or crazy. The majority of them are performing rational, if not potentially risky choices based on a number of legitimate motivations. Krebs lists 4 primary motivations as: price and affordability, confidentiality, convenience & recreation or dependence.
Most of the purchasers from the Russian spammers are based in the US, which has the highest prescription drug prices in the world. The price and affordability that the spammers offer is a tremendous lure to these US consumers, many of whom are uninsured or underinsured.
Krebs then addresses the obvious question that this begs: if the spammers are selling huge amounts of bogus pharmaceuticals to unsuspecting Americans, why doesn't the extremely powerful and well-to-do pharmaceutical industry do something about it. Krebs writes that the pharmaceutical industry is in fact keenly aware of the issue but scared to do anything about it. Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary. They have therefore decided to take a passive approach and do nothing.
The book quotes John Horton, founder and president of LegitScript, a verification and monitoring service for online pharmacies. Horton observed that only 1% of online pharmacies are legitimate. But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
So while the Russian spammers may be annoying for many, they have found an economic incentive that is driving many people to become repeat customers.
As to the efficacy of these pharmaceuticals being shipped from India, Turkey and other countries, it would seem pretty straightforward to perform laboratory tests. Yet the university labs that could perform these tests have found their hands-tied. In order to test the pharmaceuticals, they would have to order them, which is likely an illegal act. Also, the vast amount of factories making these pharmaceuticals makes it difficult to get a consistent set of findings.
As to getting paid for the products, Krebs writes how the thing the spammers relied on most was the ability to process credit card payments. What they feared the most were chargebacks; which is when the merchant has to forcibly refund the customer. If the chargeback rate goes over a certain threshold, then the vendor is forced to pay higher fees to the credit card company or many find their merchant agreement cancelled. The spammers were therefore extremely receptive to customer complaints and would do anything to make a basic refund than a chargeback. This was yet another economic incentive that motivated the spammers.
As to the main storyline, the book does a great job of detailing how the spam operations worked and how powerful they became. The spammers became so powerful, that even with all the work firms like Blue Security Inc. did, and organizations such as Spamhaus tried to do, they were almost impossible to stop.
Krebs writes how spammers now have moved into new areas such as scareware and ransomware. The victims are told to pay the ransom by purchasing a prepaid debit card and then to send the attackers the card number to they can redeem it for cash.
The book concludes with Krebs's 3 Rules for Online Safety namely: if you didn't go looking for it, don't install it; if you installed it, update it and if you no longer need it, remove it.
The scammers and online attackers are inherent forces in the world of e-commerce and it's foolhardy to think any technology or regulation can make them go away. Spam Nation does a great job of telling an important aspect of the story, and what small things you can do to make a large difference, such that you won't fall victim to these scammers. At just under 250 pages, Spam Nation is a quick read and an important one at that.
Reviewed by Ben Rothke.
You can purchase Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.
Krebs writes that the databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs; a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.
Like many, I had thought that much of the pharmaceutical spam it was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in. Krebs notes that the argument goes that if people simply stopped buying from sites advertised via the spam that floods our inboxes, the problem would for the most part go away. It's not that the spam is a technology issue; it's that the products fill an economic need and void.
Krebs shows that most people who buy from the spammers are not idiots, clueless or crazy. The majority of them are performing rational, if not potentially risky choices based on a number of legitimate motivations. Krebs lists 4 primary motivations as: price and affordability, confidentiality, convenience & recreation or dependence.
Most of the purchasers from the Russian spammers are based in the US, which has the highest prescription drug prices in the world. The price and affordability that the spammers offer is a tremendous lure to these US consumers, many of whom are uninsured or underinsured.
Krebs then addresses the obvious question that this begs: if the spammers are selling huge amounts of bogus pharmaceuticals to unsuspecting Americans, why doesn't the extremely powerful and well-to-do pharmaceutical industry do something about it. Krebs writes that the pharmaceutical industry is in fact keenly aware of the issue but scared to do anything about it. Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary. They have therefore decided to take a passive approach and do nothing.
The book quotes John Horton, founder and president of LegitScript, a verification and monitoring service for online pharmacies. Horton observed that only 1% of online pharmacies are legitimate. But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
So while the Russian spammers may be annoying for many, they have found an economic incentive that is driving many people to become repeat customers.
As to the efficacy of these pharmaceuticals being shipped from India, Turkey and other countries, it would seem pretty straightforward to perform laboratory tests. Yet the university labs that could perform these tests have found their hands-tied. In order to test the pharmaceuticals, they would have to order them, which is likely an illegal act. Also, the vast amount of factories making these pharmaceuticals makes it difficult to get a consistent set of findings.
As to getting paid for the products, Krebs writes how the thing the spammers relied on most was the ability to process credit card payments. What they feared the most were chargebacks; which is when the merchant has to forcibly refund the customer. If the chargeback rate goes over a certain threshold, then the vendor is forced to pay higher fees to the credit card company or many find their merchant agreement cancelled. The spammers were therefore extremely receptive to customer complaints and would do anything to make a basic refund than a chargeback. This was yet another economic incentive that motivated the spammers.
As to the main storyline, the book does a great job of detailing how the spam operations worked and how powerful they became. The spammers became so powerful, that even with all the work firms like Blue Security Inc. did, and organizations such as Spamhaus tried to do, they were almost impossible to stop.
Krebs writes how spammers now have moved into new areas such as scareware and ransomware. The victims are told to pay the ransom by purchasing a prepaid debit card and then to send the attackers the card number to they can redeem it for cash.
The book concludes with Krebs's 3 Rules for Online Safety namely: if you didn't go looking for it, don't install it; if you installed it, update it and if you no longer need it, remove it.
The scammers and online attackers are inherent forces in the world of e-commerce and it's foolhardy to think any technology or regulation can make them go away. Spam Nation does a great job of telling an important aspect of the story, and what small things you can do to make a large difference, such that you won't fall victim to these scammers. At just under 250 pages, Spam Nation is a quick read and an important one at that.
Reviewed by Ben Rothke.
You can purchase Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.
This is one of the better book reviews I've seen on slashdot.
It is so good that I am left feeling like I don't need to read the book unless I'm looking for the dramatical aspects of the story.
So, the spammers are more interested in good customer service than the real companies?
Sad.
Lost at C:>. Found at C.
>sued for libel by the Russians
seriously? is that even possible in the us?
A client told me that after he sent his $25.01 how to enlarge his penis, he received a magnifying glass in the mail.
1. bogus pharmaceuticals/unauthorized pharmaceuticals
2. Should the reality be that the unauthorized pharmaceuticals are effective...
1. are they not real drugs or are they just unapproved for purchase in the us?
2. the placebo effect?
Bullshit, Will Robinson! Bullshit!
I use comment sense and go even one step further and make an alias on the server for each service/company that asks for my personal email address.
However, all it takes is for one friend to use your business email address for an online service (some stupid file-sharing site) and you're screwed.
Get free satoshi (Bitcoin) and Dogecoins
Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary.
What quandary would that be? That they'd face (illegal) competition?
A quandary is a situation where you're confused about what to do. Facing cheaper competition doesn't seem like it would be confusing. Difficult or challenging, yes. Terrifying, possibly. But not so much confusing.
If the pharmaceutical industry had the choice of either selling lots and lots of drugs (through the spammers) at a discount that might put them in a quandary. Should they risk being found out (and potentially have everyone buy the cheap stuff (thus reducing their overall revenue and profit)) or should they NOT sell their product through the black market, thus passing on the money they could get from that. That's a situation where it's not really clear what the best thing to do is.
Interesting book, sounds like. And thank you for the review - I've got it on hold at my local public library now!
However, all it takes is for one friend to use your business email address
People don't email people any more, they contact them on FB. There's no reason for your friends to even have "your business email". Most of the people I know barely even know what to do with an email address, and they certainly don't use it for friend-to-friend talking.
So I'd agree, there's no reason to ever get spammed. Use throwaways when signing up, and that's all you need to do.
> Your friends aren't going to spam you
Facebook
Google+
Linked In
And that's only "legitimate" companies. Viruses have accessed email address books for a variety of reasons. Usually just to perpetuate themselves, but some are no doubt gathering lists of valid addresses.
Internet is the jewel for crime. You can hide your tracks, have little overhead and can disappear when things heat up. Sony knows all too well how good cyber crime is. But just because you are one singular individual does not mean crime is not looking at you. People are very dumb when it comes to securing information. They do simple passwords, use them at multiple sites, and change them almost never. Come to think of it, would not surprise me even a company like Sony is guilty of a lot of this. Every time we see a successful Target or Sony hacking. We know it emboldens the hackers even more. Their success is our demise.
Or one virus on his computer to dump out his contact list (or just guessing his webmail password).
The FDA has rather strict quality control standards so my guess is these pharmacies have not gone through the process to be fully licensed. And another thing:
But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
Yes...after the quality control of toys, toothpaste, dog food, and drywall from China, we're sure we can trust their quality with our pharmaceuticals.
If there's one thing Slashdot could use more of, it's comment sense.
Why would you give anything but a throwaway to Facebook, G+, or Linked In? Makes no sense. It just allows them to spam you.
There are services you can use for "one shot" addrs that will let you reply to their signup email, and then the addr is deleted. They're super handy!
I don't see any reason to be afraid of being sued by Russian criminals. A few jobs ago I once had a webpage up (which attracted very little attention) that somewhat similarly exposed a particular registrar as being overwhelmingly spammer-friendly. My employer got nervous and pulled down said web page on my behalf (it was being hosted on their server at the time - yeah, I should have had it elsewhere) because they were afraid of being sued.
Frankly I don't see any reasone why it would even be a bad thing to be sued by these goons. They usually are doing their "business" in countries that don't have any kind of extradition (yeah, I know that usually doesn't matter in civil suits) agreements with the US or any other way to force me to show up for their lawsuit or be bound by its findings.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
It does not beg any questions.
Only kids use Facebook.
or
If you need me to have a Facebook account to be able to contact me, then drop me as a friend.
Get free satoshi (Bitcoin) and Dogecoins
Currently bloating my spam folder are sports betting sites promising NFL locks, a strange flood of tinnitus cures (is that a new hot thing?), diabetes "cures," solar ads, and lots and lots of fake gift card spams and insurance open enrollment ads.
Almost none of it makes it into my inbox.
i can tell u wrote this in russian and use google translate!
thank you boris!
Sure. The cost of a vice-Presidential candidate's wardrobe is a much safer thing to report...
In Soviet Washington the swamp drains you.
I've read the review, but not the book, but a key element seems to come down to "Maybe it's real, but nobody knows". It seems a fairly simple procedure for him to order some of it and have it tested, and then he'd know. Yeah, that's a legal gray area, but it would make his case a lot stronger to be able to say "Yeah, I ordered a bunch of Russian Viagra and it tested out as 75% as good as the real stuff".
I know that means taking a risk of being prosecuted, but isn't that something we commend journalists for? At least, better than making allegations about what corporate execs and government employees are thinking without evidence.
The FDA has rather strict quality control standards so my guess is these pharmacies have not gone through the process to be fully licensed. And another thing:
But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
Yes...after the quality control of toys, toothpaste, dog food, and drywall from China, we're sure we can trust their quality with our pharmaceuticals.
Yeah, you know, they are "by and large" indistinguishable from the real ones. I mean, what's a few PPM of arsenic, or cyanide, or lead? The rest of the drug is still there, and that's what you ordered. You wouldn't send a gourmet steak back just because the cook brushed a little olive oil and salt on it, when it was listed on the menu as just a steak? So why are we rejecting these drugs?
thank you for banking with Capital One!
u must use gmail.
sign up for a yahoo or hotmail account...wait an hour...u will have spam.
wait 1 week...u will have lots of spam.
That might be fine among neckbeards, but out in the real world, people communicate with Facebook.
In my real world, when I want to talk to my friends, I ring them, email them, or even go to see them.
Facebook seems to be for attention whores who live in their mom's basement and wish they had actual friends.
Yeah, you know, they are "by and large" indistinguishable from the real ones. I mean, what's a few PPM of arsenic, or cyanide, or lead? The rest of the drug is still there, and that's what you ordered. You wouldn't send a gourmet steak back just because the cook brushed a little olive oil and salt on it, when it was listed on the menu as just a steak? So why are we rejecting these drugs?
What makes you think the 'official' drugs are made in different factories than the 'unofficial' drugs? Everything I've seen suggests the pharma companies source this stuff from the same places. The FDA process is a labeling process.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
What have you seen that suggests this?
good then; but what else is there to talk about?
The reason you get a lot of solar ads is that that the US Govt. has subsidized a lot of the installations.
The power company is also in on it.
Many of the solar firms are legit, but many are scammers.
Start your research here - http://www.solarreviews.com/
The New Spam Ecosystem the book is about it truly devastating to my privacy.
they work like magic and the pharmacutical firms are not tooo happy about that.
u wrote the funniest thing i have read in months - The FDA has rather strict quality control standards...
the fda is a bunch of pylons! u 2 tooo funnie.
I can't speak to the Russian spammers.
However, I routinely buy asthma maintenance medications in Bangkok, Thailand, while on vacation. SAME manufacturers, SAME production lines, SAME LOT NUMBERS, but at a fraction of the cost.
Gmail has the best spam filter I even seen in 30 years of email! Once or twice a year, something ends in my spam folder that I wanna see and I don't recall the last thing I had spam in my inbox. Gmail has made spam his bitch!
Weird, are the bottom of this page is says, "The use of anthropomorphic terminology when dealing with computing systems is a symptom of professional immaturity. -- Edsger Dijkstra". This is the first thing I disagree with Dijkstra. Long live professional immaturity!
Followed-on item to my just requested request:
Besides reviewing the book by Chris, all his reviews are can be found in the following URL:
http://www.amazon.com/gp/cdp/member-reviews/AH62BQTCMR3BR/ref=cm_cr_pr_auth_rev/192-7946993-1915354?ie=UTF8&sort_by=MostRecentReview
As a followup to my followup - please follow Chris here: https://twitter.com/chris767roberts
What have you seen that suggests this?
TV shows. In particular a program on drug manufacture and all of of the production lines shown were in places like Pakistan and India, supplying the big pharma companies who supply worldwide. I don't think there's a 'gold standard' drug manufacturing industry based in the USA just to keep the idiot patriots happy.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.