Notes from a cyber underground

It is difficult to write an entire book on spam that holds the reader's attention. The whole point of spam -- on the receiving end -- is to not read it, right?

But Brian Krebs, for the most part, succeeds in doing so because of the novelty of his reporting. The investigative journalist's new book, Spam Nation, traces the ignominious rise and fall of some of the world's biggest spammers. Krebs introduces us to a colorful cast of Russian cybercriminals and hands down a measure of justice by interviewing at least one of them in person.

The book is a strong chronicle of how and why this junk business succeeds. FCW readers of a policy bent seeking details on how, exactly, the FBI, Interpol and other authorities are coordinating to undercut these spammers might have to wait for a sequel. Though Krebs covers law enforcement episodically, his focus is on the spammers, their enablers and their victims.

Why write a whole book on spam? Who clicks on those incoherent emails peddling penis pills? A lot of people, actually, and for reasons that Krebs puts into four categories: affordability, confidentiality, convenience and recreation or dependence. Though most of the pharmaceutical spammers are in Eastern Europe, many of the buyers are American. In the affordability category are sick people whose insurance -- or lack thereof -- prices them out of medicine and who are willing to risk buying cheaper knock-off pills.

Krebs reveals that many of these counterfeit pills are indistinguishable from the stuff you get at your local pharmacy, but can still be dangerous because their production is often unregulated. Pharmaceutical giant Pfizer seems to be part of the problem, according to Krebs. Worried that consumers would find out that their pills are largely the same as fake ones, Pfizer balked at supporting a study of shady online pharmacies that was otherwise in the firm's interest, he reports.

And who is pumping out these billions of daily spam emails advertising knock-off products? They are carried out by "botnets," large groups of computers that hackers hijack and lace with infected software (malware) to send emails on a computer's behalf. Krebs does a good job of dissecting and explaining in layman's terms things like botnets and distributed denial-of-service (DDoS) attacks, which can overwhelm a hosting service with users. Some of these phenomena are not complicated but are often skimmed over by journalists in their coverage of cyber threats and nuisances. Krebs, a 14-year reporter for the Washington Post and founder of a popular cybersecurity blog, takes the time to fill the unfamiliar in on this terminology.

With two-thirds of the book done, I was getting restless with Krebs for having not visited Russia. He had patiently probed sources in the cyber underground and uncovered a lot about the world's biggest spammers through a trove of leaked emails. Yet for all of the abstractness of the "cyber world" – a term whose ubiquity deprives it of much meaning – its protagonists, of course, are still operating in the physical world. In this case, it is the nightclubs and coffee shops of Moscow, from which Krebs should have spent more time reporting (though he does an admirable job of sleuthing from afar, and one shouldn't discount the dangers of reporting from Russia).

Krebs' trip to Russia, though it should have come earlier and more often, does not disappoint when it finally arrives. We come face-to-face with Pavel Vrublesky, a gregarious cyber kingpin whose rambling phone conversations with the author helped animate earlier parts of the book. Vrublesky founded one of the world's largest pharmaceutical affiliate programs along with ChronoPay, a credit firm that allowed pill pushers to process payments.

Krebs presents Vrublesky with a stack of the leaked emails he obtained from employees of ChronoPay that linked him and the firm to the phony anti-virus industry. The emails point to Vrublesky as the orchestrator of one of the most sophisticated and malicious spam operations in the world. Vrublesky shrugs off the evidence, telling Krebs, "I really don't violate too many laws."

There is a degree of comeuppance for some of the spammers Krebs profiles. Some do jail time. Others flee Russia. Still others' businesses suffer after Internet service providers pull the plug on malicious hosts in response to Krebs' reporting. But the reader is rightly left with the sense that spamming will likely be with us forever, and with it the lucrative business of IT security.

"Individually, these junk email artists earned a few million dollars for their efforts, yet they've forced businesses and consumers to spend hundreds of millions more shoring up digital defenses to fight their daily glut of crimeware," Krebs writes.

The online pharma-spam industry might not be long for this world, according to Krebs' reporting, as Western corporations lobby for tighter restrictions on black-market payment-processing firms. But the virus is only mutating and being rerouted. Botnets, after all, are at the mercy of their masters, for whom the dark corners of the Web will be a refuge for the foreseeable future.