How online pharmacy spammer organizations really work
You may remember Brian Krebs, one of the world’s premier cybercrime investigators, as the guy who broke news of Target’s staggering data breach last year. Formerly a staff writer at the Washington Post, Krebs left the job a half-decade ago to cover the industry on his own website, Krebs on Security, which repeatedly receives reportorial top honors.
On Tuesday, Krebs returned to print with his first book, Spam Nation: The Inside Story of Organized Cybercrime—from Global Pandemic to Your Front Door.
Krebs, who is on a first name basis with some of the Internet’s biggest baddies, occasionally finds himself a subject in his own stories. Earlier this year, a New York Times profile of Krebs introduced him this way:
In the last year, Eastern European cybercriminals have stolen Brian Krebs’s identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner.
He spoke with us.
Fortune: You wrote a book about something that people hate, avoid, despise, actively dislike: spam. Why?
Krebs: That’s true, but just because something is inconvenient or annoying doesn’t mean you can ignore it. I had an opportunity to peer inside the biggest and longest running organized cybercrime operations out there. We’re talking about two competing organizations that paid spammers and virus writers lots of money to do what they do, and to incentivize that activity. I had an opportunity to explore this weird world and bring the reader inside. As far as I could tell nobody had written this book. The short answer is that old adage that if there’s a book that only you can write and it hasn’t been written, then you have to write it. I felt very strongly about this book in that way.
Spam is sort of shorthand for cybercrime. You can’t get cybercrime done these days hardly without spam. Look at some of the biggest data breaches that have leaked out over the past year: Target, Home Depot—well, we still haven’t really heard how Home Depot went down—J.P. Morgan, and a lot of these big ones started with a malicious email. Most people think about annoying ads when they think about spam, but malware is primarily disseminated through spam. So it’s still a huge vector for a ridiculous amount of cybercrime that gets perpetrated each day.
You mention that you believe it’s a book that only you could write. What about your position gives you such access and the ability to pull off a book of this sort?
I think it was just sort of being the first, I don’t know, maybe better known western journalists who took a real interest in this topic. A lot of the guys I interviewed for this book were very concerned that I get things right. And they were some of them were happy to walk me through this strange place and various parts of the underground because—well, I’m not really sure what their motivations were. One of the main guys, Pavel [Vrublevsky], he wanted to tell me tales about his rivals so I’d write about them and not him. He already knew I had all this information about him. He said early on that nobody’s going to care about all this stuff—as long as it’s just Russian and eastern European publications writing about this, nothing will change. But the minute that Western publications start caring that could actually start to change things.
People have their own reasons for sharing information. Sometimes that’s to make sure that the reporter gets the story right, and sometimes that’s to make sure that the reporter gets the story wrong.
Did you have a difficult time sorting through fact and fiction?
Yes, I did. Some of these guys intentionally leaked some information, but intentionally left information out that would make them look bad. Sometimes they only leaked stuff that made their enemies look bad. Sometimes they completely fabricated facts. And sometimes they mixed in stuff that they wanted me to believe. That was really tough. A lot of the raw data that I had to look through was in another language, so it was hard enough that this was an area that was still new to me at the time—you had all these cultural and linguistic differences that were hard to comb through and overcome.
How’s your Russian?
It’s OK. I’m told I have a decent accent, but I don’t get a lot of practice speaking it. I learned it mainly to get by on the [cybercrime] forums without using Google Translate. I think as far as that’s concerned, mission accomplished. But like I said, I don’t have a lot of chances to practice speaking it.
If you’re going to learn to read it you definitely have to learn at least to pronounce it and know the basics of how to speak it. So many of the words in Russian that relate to technology and security are English cognate words. If you can pronounce them in Russian, you can often guess their meaning because they sound the same.
What was the craziest thing you learned while reporting the book?
The most surprising thing for me was to learn just how much of a regular business spam and cybercrime have become. Part of the backdrop of the book is that I got access to just about every aspect of the day-to-day operations of two massive spam and cybercrime operations. I got to see their financial books, their profit and loss statements and the kinds of challenges that they dealt with and had to overcome. They do things much like regular businesses do. They set quarterly goals, they thought to achieve all kinds of efficiencies in their operations—to streamline things, lower costs, and cut overhead. Because they are a largely unregulated business they sought to do things like form cartels with their competitors. We’re all familiar with the drug cartels but these guys are sort of a different cartel. They’re marketing knockoff prescription drugs.
The other thing that surprised me is that I had this idea that a lot of cyber-crooks are sitting on beach somewhere sipping Mai Tais, but the reality is that most of these spammers—and spammer is sort of shorthand for cybercriminal—don’t make much money at all. And they’re still responsible for infecting countless users and hacking countless websites. Most of the crooks that I met or tracked down in this book had boring day jobs in addition to their cybercrime activities. For me the really aggravating thing about this is how much trouble these guys cause for individual users and computers when most aren’t seeking much in the way of riches for all the trouble their causing. There’s a relatively few number of guys who you could fairly say were successful in that they earned millions of dollars spamming over period of several years. Believe me, these guys were really few and far between. The thing that really struck me was for them to make modest riches the rest of us, the world needs this bajillion-dollar infrastructure of antivirus, and firewalls, and intrusion detection, and prevention software, et cetera.
Wouldn’t it be more lucrative for the crooks to apply their know-how to the other side? If the pay isn’t so good, what’s the incentive?
A lot of these guys—their day jobs usually have to do with computers or programming or web design or something like that—they just found that they could make more money or supplement their income by doing this other stuff. A lot of individuals involved in this actually figure out really interesting ways to rationalize what they’re doing as not criminal activity. The spammers sort of seem to think of what they’re doing as supplying consumers with something they’re demanding. In the case of knockoff prescription drugs, that means selling those without requiring a prescription. They’re unfortunately right about that.
The one thing that I found truly incredible in part of the data I got from both of these rogue pharmacy affiliate programs that pay the spammers and malware writers to blast out all this stuff was years worth of transaction records—people who had received spam and decided to go ahead, buy and ostensibly ingest pills that they had purchased from spam. I really wanted to know what motivated these people to do this. It seems to me like risky behavior. Everybody I talked to when I said I was working on a book about spam, they said, “Well, who are these idiots who are buying from spam? If they would just stop these guys would go away.” Well, number one, the demand shows no signs of dipping any time soon. This fact is lost on most Americans. Most of the rest of the world pays a lot, lot less than we do here in the United States for prescription drugs because their governments have put on price controls for the most part. We here in the United States tend to subsidize consumption of these things around the world. It’s not uncommon to find that the same drugs we might pay hundreds of dollars a month for at a local drug store might go for one quarter to one fifth of that cost in some other countries. And so what these guys are doing is arbitrage and adding a markup for their customer service and their overhead and dealing with suppliers and shippers and stuff like that. The demand isn’t going away. When I contacted these buyers—and I contacted hundreds of them though only a few dozen would talk to me—I heard the same thing over and over again: “Well, I lost my job and I don’t have insurance,” or “My insurance wouldn’t cover what I was prescribed and these guys were just offering it for a lot less…”
As long as theirs this huge disparity between what Americans pay for drugs and what the rest of the world pays for drugs, there’s always going to be a very large demand for this stuff.
Drugs for chronic illnesses is one thing. But the other is, like, you know…
Penis enlargement pills were like 65% to 70% of what these people were buying. The rest of it was drugs to treat more serious chronic illnesses. In point of fact, everybody I spoke to had gotten these male enhancement pills. The spammers felt so confident that they got their formula right for that that they ship free ones with every order, no matter what you buy. Even if you bought some drug that would have contraindications with using it—say you bought nitrates for treating chest pains, you don’t really want to mix that with Viagra. But that’s another story.
I actually explain this in chapter four pretty early on. Initially, when I started cold calling these buyers whose credit cards and phone numbers and addresses I had, I was very indiscriminate. I picked people who lived near me and stuff like that. And then I guess that changed after I called this one dude who ordered some generic Cialis. A woman answered and I told her why I was calling. She said she couldn’t imagine why her husband of advancing years had any reason to purchase one of these prescriptions, and she got really upset and stated. I just said, OK, I’m not going to call any more. So that was it.
I guess I can see now into the psychology.
What I did find almost universally is if you end up buying from one of these spammers, number one, you’ll get orders of magnitude more spam than you ever have before to that address and, number two, you’ll start getting calls at least once a day within a couple weeks of your order from people in India asking if you want to refill your prescription. By and large, people were actually getting what they expected—that was a surprise.
The other surprise was that people always think, “Well, don’t these people understand that they’re giving their credit cards to cybercriminals?” The interesting thing about the way these pharmacy spam affiliate programs are set up is that those are kept separate from the spammers. The spammers’ sole job is to drive traffic to these sites—they don’t get to see credit card numbers or anything like that. The last thing these operations want is to let the spammers see that sort of information because if they start getting a lot of fraud on their cards, they’ll get a lot of chargebacks. And if you get more than one percent chargebacks, Visa and MasterCard will fine you out the wazoo or just shut you down. So they actually work very hard and have lots of customer service people. If you were unhappy for whatever reason with your order, you just call one of these people and they would give you your money back, no questions asked. The last thing they want is a chargeback.
That’s interesting that there’s this sort of separation of church and state within these cybercrime organizations.
That’s the beauty really of these operations, that they’re actually pretty simple. The people who run the partnership actually do everything from the back-end back-office stuff—from working with the suppliers and the shippers and customer service and all that—and the only job of the spammers is to figure out ways to drive traffic to the site. The people running the program don’t have to get their hands dirty with that and they don’t really even care if most of these guys working for them don’t make much money because, well, somebody will figure out the best way to bring eyeballs to the site and when they do, they’ll make money off it. It’s very compartmentalized, for sure.
Of course, the affiliates of people doing the spamming get paid pretty handsomely. Every time somebody makes a purchase they would get paid anywhere from 30% to 50% in commission off whatever their customers bought.
Don’t take this the wrong way, but it seems pretty ballsy to put the word spam on something you want people to read. Do you worry about that at all?
I heard that same feedback from others. At the end of the day it’s shorthand for cybercrime, and I really didn’t want “cyber-” anything in the title of this book. There’s too much “cyber-“ this or that. This book really is about spam and there are very few cybercrime operations these days that operate outside the spam space. It always figures somehow in cybercrime operations. It’s the most effective delivery mechanism for these guys. It has been and it remains so. I spent a lot of time on the title of the book and lots of people had other suggestions but even they were sort of at a loss to say it was better than “Spam Nation.”
How do you reconcile this sort of empathy for spammers with a desire to protect consumers?
I don’t know if I’d call it empathy for the spammers. I certainly understand them pretty well, but I think that you better understand your enemy because there’s no other better way to have a chance in any sort of battle against an adversary—whether it’s on a real battlefield or on a network—you better be able to get inside the mind of your adversary. Without that you don’t stand a chance.
I think a lot of people have a tendency to dismiss spam as a nuisance, as something that is a dealt with problem, a problem that we have solved rather than for what it is, which is essentially a weapon that can be used in a whole host of ways from the traditionally marketing angle all the way up to a fairly stealthy way of breaking into Fortune 500 companies. I think it’s that sort of constant understatement of the threat that really gets everybody in trouble in cybercrime, whether we’re talking about consumers or large businesses. There’s a tendency to say that all this stuff that we’ve spent all this money on to keep this stuff out is going to save us in the end, and the jokes on those folks because increasingly keeping the bad stuff out requires a much more nuanced approach, a much more threat-focused approach. It requires understanding the ways that these guys work. And frankly that’s been my motivation from the get-go: understanding that better, and trying to do a better job of explaining that to readers.