Monday, November 1, 2010

RAEC Press Release: Exposing the largest spammer in the world

This is a re-posting of a press release posted to the official RAEC website on Oct. 29th, 2010.

RAEC is the "Russian Association of Electronic Communication", which is tasked with investigating Russia-based online criminal activities.

Exposing the largest spammer in the world - the beginning of a real fight against cybercrime in Russia
29.10.2010

On November 2 at 14:00, at Interfax, the RAEC Commission on Cybercrime will hold a press conference with representatives of the investigating authorities, the relevant law enforcement agencies and Internet industry participants.

Recall that, as a result of search operations by the Russian police, the world's biggest criminal network, which specialized in the distribution of pharmacological spam, was uncovered. As a result of these operational activities, the head of the Glavmed partner network, Igor Anatolyevich Gusev, has been prosecuted.

The "spammer Gusev" case has received wide publicity, not only in Russia but throughout the world, and has been covered by major world media, including: The Washington Post, Gizmodo Australia, BBC, MSNBC, The Register, The New York Times, Bild, Telegraph, PC World, ABC.es, Los Mas Hablados, Bild.de, O Globo, France 24, iHNed.cz, ThaiIndian, Softpedia, MSN India, The New York Observer, Infosecurity Magazine, Le Monde, DailyFinance, The Inquirer, Bloomberg, Reuters and others.

The authors of these publications have expressed similar viewpoints on the sensational disclosure:

The New York Times correspondent Andrew Kramer links the stepped-up law enforcement action against Gusev to the initiatives of Russian President Dmitry Medvedev: "In summer 2010, the President visited Silicon Valley in California and during his visit repeatedly stated that Russia intends to legitimize its own Internet space, to fight against piracy, hackers and other manifestations of shady business in the network."

Helen A.S. Popkin of MSNBC takes a similar position: "In June, Dmitri Medvedev was in California, where he met with the organizers of Silicon Valley. The site SpamIt.com mysteriously closed two weeks before October 10, when the return delegation from Silicon Valley, headed by the Governor of California, Arnold Schwarzenegger, came to Moscow."

"The Gusev case shows that the Russian authorities are determined to fight the status quo. And although spamming is not a crime under Russian law, it can be classified as illegal entrepreneurship," Pavel Zaitsev, a member of the public organization National Anti-Corruption Committee, told the press.

Gusev is only the first target. At the investigation's disposal is an impressive list of Russian spammers, as well as a list of all illegal purchases of counterfeit "Viagra" and other drugs by U.S. citizens since 2006. All participants in such illegal activities will be exposed.

"The RAEC Commission on Cybercrime has been waging a campaign against spam for over a year now, and we are pleased to present the first, but significant, results of this work. Thanks to the efforts of our experts and law enforcement agencies, the world's spam level has dropped by almost half," said RAEC deputy director Sergei Grebennikov.

About a year ago, RAEC stepped up its activities aimed at improving Russia's investment climate abroad by proposing a program to combat spam. The program included a series of measures, one of which was a series of pinpoint strikes on partner programs, including the aforementioned "GlavMed" network, which has the largest share of the market and is largely responsible for the negative attitude towards Russia as a source of spam.

The RAEC Commission against cybercrime invites all interested journalists to a press conference on this issue, which will bring together industry experts, representatives of the investigating authorities and the relevant law enforcement agencies.

A detailed list for the press conference will be presented on Monday.

Information on the press conference:
Venue: Interfax, Moscow, st. Tverskaya-Yamskaya 1-I, 2, p. 1
Conference date: November 2 (Tuesday), from 14:00 to 16:00

Contact information:
pr@raec.ru, +7 926 654 24 26, +7 495 950 56551
Lihopersky Ivan

Any findings from this press conference will be collated and posted here. Stay tuned.

SiL

Thursday, September 23, 2010

Spamit.com: Closing down?

[Note: This is a duplicate posting from my original I Kill Spammers blog. I'm placing a copy here to maintain archival information in the same place.]

After tips from a few different sources, I was informed that the Spamit.com domain is now showing the following message:

Dear partners and colleagues,

In connection with the long series of negative events of the past year and the heightened attention to the activities of our affiliate program, we have decided to wind down our operations and stop accepting traffic as of October 1, 2010.

We believe that in the current situation this decision is the most correct one, since it makes it possible to fully avoid the risks of a sudden, unplanned stop, which would inevitably lead to the collapse of all of our program's activities and, most likely, to the non-payment of the funds you have earned. In our case, all earned funds will be paid out as usual. There will be no rip-offs.

Please use the remaining time to transfer your traffic to other affiliate programs in a timely manner.

Thank you for working with us; we greatly value your trust!


Dear partners and colleagues!

Because of the numerous negative events that happened last year and the increased attention to our affiliate program, we've decided to stop accepting traffic from 1.10.2010. We find this decision the most appropriate in this situation. It avoids a sudden work stoppage, which would lead to the program's collapse and your profit not being paid.

In our case, the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs by 1.10.2010.

Thank you for your cooperation! We appreciate your trust very much!

Here's a screenshot of Spamit.com from around an hour ago:


This was the output on Spamit.biz and Spamit.com. I and many others now notice that spamit.com no longer resolves as a domain. Spamit.ru is also down, but I don't know whether that had been the case prior to today.

Note that no such notice appears anywhere on Glavmed.com, long known to be their sister company.

The #1 criminally operated spam operation in the world is suddenly shutting down? (Albeit possibly temporarily; I'll check back on Oct. 1st, of course.)

The "numerous negative events" possibly refers to the loss of MasterCard processing, which happened several months ago, and "the risen attention to our affiliate program" possibly means coverage from this blog, but also from several other media outlets, most notably a large amount of coverage in the Russian press.

If Spamit as an affiliate operation were in any way operating legally or legitimately, this media coverage would not be a cause to shut down. This only goes to show you what a scumbag, criminal operation Spamit and Glavmed have always been.

The fact that the Spamit domains specifically are shutting down on the same day a few sources told me to check this page out indicates that some Very Bad Things could be underway for the operators of Spamit.

This could be a very interesting few weeks.

SiL

Wednesday, March 3, 2010

March 2010 Spamit / Canadian Pharmacy Update

As many of you may be aware, many more media outlets and independent security researchers have begun identifying Spamit and Glavmed not only as the source of a ridiculous amount of illegal pharmacy spam, but also as responsible for a broad swath of criminal abuse of third-party servers, and as a key beneficiary of promotion via not one but a variety of criminally operated botnets.

My updates to this blog have been sporadic simply because I am in evidence-gathering mode. Fortunately, my blog is not the only one keeping an eye on this group of criminals.

Here's a roundup of the past several months of publicly disclosed evidence referring directly to "Canadian Pharmacy", Spamit and Glavmed.

M86 Security Labs: SpamIt.com leaves its footprints [Feb. 22, 2010]

SpamIt.com is a secretive, invitation-only group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs, called "Canadian Pharmacy". Recently, Canadian Pharmacy has been the dominant spammed program – by far. Our analysis from a few months ago found that links to Canadian Pharmacy sites comprised 60-70% of all spam, and it is simultaneously spammed by most of the major spamming botnets.

Key allegations:

  • Spamit is by far the most predominant spamming affiliate group.
  • Canadian Pharmacy spam is the most commonly discovered output of most botnets engaged in criminal spamming.
  • Xarvester, in this case, is the botnet found to be associated with Spamit's criminal activity.

Cisco / Ironport: Hello Waledac, My Old Friend [June 23, 2009]

Storm was reborn as Waledac in December 2008. While Waledac hadn't advanced much technically — same P2P, same Canadian Pharmacy/Glavmed connection with template-based spamming, same social engineering tricks to spread the malware via email — the Waledac business development team had been busy expanding their partnerships beyond Glavmed to include Yambo Financials, Conficker and Rogue Antivirus.

[Note: Any reference to "Yambo Financials" should probably be construed as a reference to Bulker.biz / Bulkerbiz.com, operators of, among many others, "My Canadian Pharmacy", another completely criminally operated fake online pharmacy. They hijack Unix servers and use them for a variety of services. This has been well documented since 2006.]

Key allegations:

  • Spamit / Glavmed have been seen sending spam via first Storm Worm, then Waledac.
  • Obviously these botnets are used to spam more than merely Spamit properties, since they can be leased to any mailer who will pay.
  • Waledac, in this case, is the botnet found to be associated with Spamit's criminal activity.

The Register: Penis pill spam: The hard figures [Sep. 25, 2009]

"The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Conficker botnets, responsible for email distribution and fast-flux hosting of the spam websites."

Although GlavMed is the biggest operator in the unlicensed prescription drug affiliate business many other players exist including Stimul-cash.com, Rx-partners, Rxcash.biz, Evapharmacy, Rx-Signup.com and DrugRevenue. Most concentrate exclusively on web promotion methods, while a minority unofficially support traffic generated through spam emails.

Key allegations:

  • Spamit is by far the most predominant spamming affiliate group.
  • Canadian Pharmacy spam is the most commonly discovered output of most botnets engaged in criminal spamming.
  • There is a relationship between the use of botnets for spamming Spamit / Glavmed properties and the compromise of third-party websites to serve rogue or fake anti-malware software, which in turn infects users' PCs so that they join the botnets used to spam on behalf of Spamit / Glavmed.
  • Storm, Waledac and Conficker are the botnets found to be associated with Spamit's criminal activity.

A very interesting comment was also posted in response to a blog post regarding Conficker / Downadup:

Trend Micro Countermeasures Blog: Downad/Conficker, who’s the April Fool? [Mar. 25, 2009]

The comment is dated Jan. 8, 2010:

bodo unger said:

Friday, 8 January 2010 at 3:17 am

The writer of the Conficker virus is Mario Fiege, a German in the Philippines. He is working with glavmed.com, stimul-cash.com, rx-promotion.com, spamit.com. He is pretending to be a Russian on the internet while hacking domains, hijacking forums and sending millions of spam emails out of malware ghettos like Asia.
He is using proxyway.com

Key allegations:

  • Someone named "Mario Fiege" wrote Conficker (Microsoft: are you listening?).
  • He personally uses Conficker to spam on behalf of a variety of well-known criminal pharmacy operations, among them Spamit / Glavmed.
  • This commenter distinguishes between Spamit and Glavmed, making it clear that this person spammed individually on behalf of each. (That could be a misinterpretation. I will continue to believe that they are one and the same.)

Obviously I would be interested to know who "bodo unger" is. He seems to know a great deal about this setup.

There have been others, but the push continues to awaken more mainstream news outlets to this very serious risk to the public's computers.

Resulting Assumptions / Conclusions:

So far, the botnets identified as being used to send spam on behalf of Spamit, predominantly spam promoting the illegal online pharmacy known as "Canadian Pharmacy", are:


I'd also like to make an important clarification regarding botnets and their use in the spamming economy.

Botnets are constantly in operation. Their owners set them up and make sure there are enough infected hosts in the botnet for whatever purpose the botnet software was built to fulfill.

A botnet of any sort can be leased for a set period of time. Much in the same way that any individual can rent a car (provided they have a license and insurance), any criminal individual can lease time on a botnet (provided they have decent references).
Once that individual has leased the botnet, depending on the price paid, he can use it for a variety of operations, including spamming (low cost), fast-flux hosting (mid-level cost) or Distributed Denial of Service (DDoS) attacks (highest cost / shortest availability).

Just because one individual sends spam promoting a Spamit property like "Canadian Pharmacy" using Xarvester does not mean that Xarvester, as a botnet, was created to spam on behalf of Spamit. A day later, it could be used to spam for some otherwise unrelated porn site. Many tech media outlets make the mistake of attributing all activity of a single botnet to one rogue affiliate group. Spamit is definitely a "bad actor", and whoever wrote Xarvester and created that botnet did not have "good intentions", but those two details do not mean that Spamit is also a porn spamming operation. (At least: not yet.)

It is best to perceive each entity involved in every portion of these operations as being completely distinct and separate.

I felt this was especially important to mention given the very bright light that has recently been turned towards all manner of botnet-related activity.

Thank you for reading.

SiL / IKS / concerned citizen