Don't install software from the Web unless it's directly from the company that made it. If you do install software, make sure you update it. And whatever you do, don't open attachments emailed to you by spammers.

These are just a few warnings from Brian Krebs, an investigative journalist and cybersecurity expert.

Krebs learned the ins and outs of how the spam industry works when he was given documents in the aftermath of a feud between two Russian companies — two of the largest sponsors of pharmaceutical spam.

The feud "would forever change the course of the spam industry," Krebs tells Fresh Air's Terry Gross. He writes about the feud and more in his new book Spam Nation.

About 10 years ago two Russian men — who previously worked together before having a falling out — incentivized the selling of products through spam, according to Krebs. In doing so they employed "probably most of the biggest virus writers out there, and the biggest spammers."

At some point, Krebs says, the men decided the "world isn't big enough for both of them," so they set out to shut each other down.

"Both of them pay hackers to break into each other's networks and steal huge amounts of information about their operation, including years' worth of emails, chat records, banking records — all these things that show how these organizations were set up," Krebs says. "They leak that to law enforcement here in the United States and in Europe, and they leaked it to me."

Ultimately, the two operations destroyed each other: one was shut down by Russian law enforcement; the man running the other went to jail.

Despite the crackdown, Krebs says, spam is just as prevalent today.


Interview Highlights

On how partnerships between spammers and companies work

The way the partnership works is you have the spam affiliate program, and this is just an organization that takes care of all the back-office stuff. They handle customer orders, they handle customer service, they handle getting the product from suppliers and they handle the shipping ... and then there are the spammers, and these folks, their only job is to drive traffic to the websites that are selling whatever that partnership is selling. So if it's male enhancement drugs or if it's software or knock-off handbags or whatever, that's their job, is to get eyeballs to those sites. That's the partnership in a nutshell. ...

It's based on commission, so if I'm a spammer and I have a whole bunch of websites that belong to me, which is usually the case, I blast out a lot of spam. If somebody comes to one of these sites in response to a spam email I sent out and makes a purchase, I get about 30 to 50 percent of whatever their purchase price was.

On why people buy from spammers

Almost invariably what I found in talking to these folks was that they bought it for cost reasons. ... In the United States, it's not uncommon for people to pay three to four to five times as much as you would, say, in Europe or anywhere else in the world where they have socialized medicine [and where] the government says you can't charge any more than this for this drug. That's sort of the arbitrage game that these guys [the spammers and partnerships] are exploiting.

So when I went to interview folks: "What motivated you to buy and ingest pills that you ordered from dubious marketers?" Price invariably was the reason. I talked to a lot of folks who were out of work, they didn't have insurance, insurance didn't cover the drugs they were prescribed, and at the end of the day, it was a math issue for them.

On what happens after you order from spammers

Every buyer that I talked to reported the same experience after ordering from spam, which was that they got ... more spam after giving away their email address to spammers — no surprise there. They also got a lot of phone calls about a week or two after the drugs arrived in their mailbox. They started getting peppered with calls from India, people asking, "Hey, you want to renew your prescription? It's almost time to renew your prescription." They would get these calls every day. One woman ... had to change her phone number.

Brian Krebs, a former Washington Post reporter, runs the website Krebs on Security.

Courtesy of Kristoff Clerix

On why hacking and spamming is so prevalent in Russia

Russia is a very hospitable place for spam, for all kinds of cybercrime. A lot of this has to do with the way the former Soviet Union and Russia educated folks, [with a] very strong emphasis on math, science and technology. And these sorts of things actually lend themselves very well to a career in computing, so there's a strong community there that grew up around technology and computers. And cybercrime brings in a tremendous amount of money to the country, and the government there has nurtured this industry to some degree.

I think having gone to Russia and really taken in the scene there — people who have never really spent any time there have a hard time conceptualizing this — but you walk into a store that sells magazines, you might find dozens of magazines dedicated to hacking — criminal hacking. You just wouldn't see that here; it's just a different culture.

On ransomware, the most dangerous kind of spam

The most dangerous spam is going to be an attachment, a malicious, booby-trapped attachment. It's going to be something that basically takes over your computer, steals your passwords, and if you're really unlucky, it will hold your computer for ransom. This is probably the most diabolical and fastest-growing spam out there; it's called ransomware.

Essentially what ransomware does is it gets on your system and it sits there very quietly and goes through all of your documents, your mp3 files, your pictures, everything that you might actually value on that system and it encrypts it with a very, very strong encryption [that] probably not even the NSA could break.

Once it's done with that process, it pops up a little note that says, "Hey, sorry for the interruption, your friendly neighborhood cybercriminal here, just want to let you know that we've gone ahead and encrypted all of your files and if you want them back you have to pay us $700 (or $300 or whatever the arbitrary amount is). And, oh by the way, you have 72 hours." And this little countdown clock starts.

The frustrating part about this is many people don't take this seriously. The first thing they do is try to remove the threat. And this type of malware is actually not difficult at all to remove, but your files are still encrypted. By the way, if you remove it, you remove the actual file that you need to actually get your files back. If you want to get your files back you have to pay a ransom, but you can't just pull out a credit card and pay it, for obvious reasons, so you have to pay with a virtual currency like Bitcoin.

On how to protect yourself from malware

If you didn't go looking for it, don't install it. If you're browsing the Web and cruising around and somebody says you need to install software, don't do that. ... If you do need it, get it from the place that made it. Don't just accept a file that some site says you need to run. ... The second rule is maybe even more important. If you did install it, update it.

... Even more dangerous is all the stuff that plugs into your browser so Adobe Flash, Java, Adobe Reader, Microsoft Silverlight ... and increasingly the fraudsters are attacking these programs because, No. 1, they know everybody has them installed, and No. 2 the companies that make them ship security updates for them at least once a month and it's really easy to fall behind on these things. ...

The reason that's important is that when you browse to a website that's hacked, the first thing these guys do is install automated tools that look for the presence of outdated programs in your browser. And if they find them, you'll silently get served malware, and then your computer doesn't belong to you anymore.

Copyright 2015 Fresh Air. To see more, visit http://www.npr.org/programs/fresh-air/.

Transcript

TERRY GROSS, HOST:

This is FRESH AIR. I'm Terry Gross. Opening those spam emails about male enhancement drugs could be dangerous. My guest Brian Krebs is an investigative journalist and cyber security expert whose new book, "Spam Nation," explains how spam has become the primary impetus for the development of malicious software, programs that strike computers and through them target our identities, our security, our finances, families and friends.

He helped break the story of the feud between two of the largest sponsors of pharmaceutical spam, a feud, he says, would forever change the course of the spam industry. Hundreds of documents from the companies were leaked to him. He also spent a few hours in Moscow talking with the head of one of those pharmaceutical spam companies. Krebs is a former Washington Post reporter who now has the website Krebs on Security.

In October, the Association of Certified Fraud Examiners gave him the Guardian Award for vigilance in reporting. Brian Krebs, welcome back to FRESH AIR. So a lot of your book is about the Pharma Wars, the wars between two really large companies - here I call them companies - that were responsible for a lot of the pharmaceutical spam email, including a lot of the erectile dysfunction and penis enhancement emails.

BRIAN KREBS: Right.

GROSS: So explain like how these partnerships work.

KREBS: Sure. So the way the partnership works is you have the spam affiliate program. And this is - this is just an organization that takes care of all the back office stuff. They handle customer orders. They handle customer service. They handle getting the product from suppliers. And they handle the shipping. And they handle, you know, everything - all the back office stuff.

And then there are the spammers. And these folks - their only job is to drive traffic to the websites that are selling whatever that partnership is selling. So if it's male enhancement drugs or if it's software or if it's, you know, knockoff handbags or whatever, that's their job - is to get eyeballs to those sites. And that's the partnership in a nutshell.

GROSS: So how does the money relationship work between those two parts of the partnership?

KREBS: Yeah. So it's based on commission. So if I'm a spammer and I have a whole bunch of websites that belong to me, which is usually the case, I blast out a lot of spam. If somebody comes to one of these sites in response to something - a spam email I sent out - and makes a purchase, I get about 30 to 50 percent of whatever their purchase price was.

GROSS: So you're the spammer now?

KREBS: I'm the spammer, yeah.

GROSS: OK, and so say you're the business end, you know, and say you're the end that's like selling the erectile dysfunction drugs.

KREBS: Right.

GROSS: So you have - the only money you're paying to the spammer is the commission?

KREBS: Correct. If somebody makes a $100 purchase, the spammer's going to get probably $35 out of that. The partnership will get about $20 and the rest is overhead. And this is one of the - this is one of the things that I really wanted to address in the book, which is a lot of people, when they think about spam and they think about the things that you can - that are advertised in spam, they have a really hard time understanding whether people actually get something, or if they plunk down their credit card or they buy some drugs whether they actually get what they ordered. And I found in every case - I mean, I did hundreds of interviews with people who had bought from spam. And they all pretty much got what they were paying for.

GROSS: Well, at least there's some really interesting questions. You interviewed a lot of people, because you got access to a lot of secret records. You were able to interview people who'd purchased drugs online through these spam email ads. And why did people purchase it this way as opposed to going to their neighborhood pharmacy and buying it there from somebody who they could see and know and trust?

KREBS: Almost invariably what I found in talking to these folks was that they bought it for cost reasons. So the thing - the thing that drives pharmaceutical spam is the fact that most of us in America - we don't realize this, but we subsidize the rest of the world's consumption of prescription drugs.

So in the United States, it's not uncommon for people to pay three to four or five times as much as you would, say, in Europe or anywhere else in the world where they have socialized medicine, right? Their government says you can't charge any more than this for this drug. And that's sort of the arbitrage gain that these guys are exploiting - the spammers and the partnerships.

So when I went to interview folks, I said, you know, what motivated you to buy and ingest pills that you ordered from, you know, dubious marketers? And price invariably was the reason. So I talked to a lot of folks who were out of work. And they didn't have insurance. Their insurance didn't cover the drugs they were prescribed. And at the end of the day, you know, they looked at - it was a math issue for them. They looked at it and they said, well, I can pay $400 a month for this if I go to Walgreens, or I can pay $100 if I get it from these guys. And that was - that was the primary reason that folks bought from spam that I talked to.

GROSS: Were there any consequences?

KREBS: Yes.

GROSS: Yeah?

KREBS: Every buyer that I talked to reported the same experience after ordering from spam, which was that they got orders of magnitude more spam after giving away their email address to spammers - no surprise there. They also got a lot of phone calls about, you know, a week or two after the drugs arrived in their mailbox. They started getting peppered with calls from India - people asking, hey, you want to renew your prescription? It's almost time to renew your prescription. And they would get these calls every day. And one woman I tracked down via email, she had to change her phone number, because they just kept calling her.

GROSS: So let's get back to the Pharma Wars, which were the wars between two of the leading purveyors of pharmaceutical spam.

KREBS: Right.

GROSS: And you write about them in your book "Spam Nation." What were these two groups? What - how are they similar? How are they different?

KREBS: Right. So there were two - they were two of the largest pharmaceutical spam organizations. And they're actually run by two different individuals - Russian men who started a company together in 2003. And they started a payment processing company.

And they got - they worked together for a while and then had a falling out and went their separate ways. And the one guy stayed on as the head of that payment processor. And the other guy went off and started a - what would become the largest pharmaceutical spam organization out there.

And so just to give you a little context of what that means, they incentivized the selling of products through spam. And in doing so they employed probably most of the biggest virus writers out there and the biggest spammers. And so not to be outdone, the guy in charge of the payment company decides he's going to start his own competing pharmaceutical spam organization.

And to differentiate himself and his program from others - at that point there were probably two dozen operating - he decides he's going to sell prescription drugs that are controlled substances. So this was something that a lot of the partnerships - the spam partnerships - didn't touch, because they were concerned about the heavy hand of law enforcement or Visa and MasterCard coming after them. But it actually works for him, because a huge percentage of their buyers are these folks looking for controlled substances like oxycodone and tramadol and things like that.

At some point, these guys decide the world's not big enough for the both of them and they start paying law enforcement folks and politicians in Russia to create a criminal case - investigations into each other's operations. Both of them pay hackers to break into each other's networks and steal huge amounts of information about their operations, including years' worth of emails, chat records, banking records, all these things that show how these organizations were set up. And they leak that to law enforcement here in the United States and in Europe. And they leaked it to me.

GROSS: So you got an extraordinary cache of documents. Tell us a little bit about what you got access to through these leaks.

KREBS: Right. So one of the most useful things that I got was four years' worth of instant message communications between the people running one of these pharmaceutical spam organizations and the spammers themselves. So you can imagine the day-to-day communications between people running huge networks of hacked computers through which they're using to send all this spam. And they're communicating with the people who are paying them to do this.

And they would have these - they would have these conversations like, you know, the botnet, the infrastructure's down today. I'm really sorry about that, but, you know, we'll be back up in a few minutes. We're sort of, you know, re-jiggering the technology side. They would have arguments about, you know, commissions, arguments about whether the pharmaceutical organization was shaving - they called it shaving - their profits and not paying them for stuff that they delivered. And that was really incredible.

GROSS: It's so interesting though that these two rival pharmaceutical spam organizations leaked the other's stuff. So it was kind of like mutually assured destruction.

KREBS: It was. And they both destroyed each other. They succeeded in spectacular fashion. Neither of them are around now. One of them was shut down by - essentially, by Russian law enforcement. And the other, you know, the guy running it went to jail.

GROSS: What happened when they shut down? How did that decrease the amount of spam in the world?

KREBS: Well, because these guys who were sending the spam were only doing it because somebody was paying them to do it - and when the one spam program shut down, they didn't have anyone paying them to send spam for several weeks. They had to figure out what they were going to do with all their traffic. So they just sort of - they put their crime machines in park until they could figure out who else they should - should benefit from their traffic. And so we saw spam volumes globally dip. I don't know what it was. I think it was 30 or 40 percent overnight.

GROSS: (Unintelligible).

KREBS: Yeah, of course, as soon as they figured out who best to give their traffic to - yeah, we saw it just pop right back up.

GROSS: So another link here is that I think both of the rival pharmaceutical spam organizations were involved in pornography, too.

KREBS: Yeah, this was a really interesting dynamic. The two gentlemen that I profile the most in this book - I mentioned earlier they started a business together. They started a credit card processing business in Russia because they were having trouble getting processing for the kind of content that they were selling. And it was - they were running adult webmaster networks. And they catered to - each of them catered to large numbers of individuals who were selling very, very extreme pornography. So the kind of stuff that you might understand why credit card processors wouldn't want to touch that.

So a lot of - much of it was child pornography. Some of it was, you know, zoo porn. Some of it was bestiality, rape, snuffs-type films. And so they really wanted to get - they wanted to get credit card processing. And they set up their own credit card processing networks. And one of the things that I found was really remarkable was that I sort of liken the porn industry as sort of a gateway drug for cybercrime. Almost universally when I've done the research to figure out who's who in the cybercrime world, they all got their start pimping pornography in one way or another.

GROSS: So if you're just joining us, my guest is Brian Krebs, and he runs the website Krebs on Security. He's an expert on cyber security. He's a journalist. And his new book is called "Spam Nation: The Inside Story Of Organized Cybercrime - From Global Epidemic To Your Front Door." And part of what he writes about is that pharmaceutical - the pharmaceutical spam. So Brian, let's take a short break. And then we'll talk more about cyber security and spam. This is FRESH AIR.

(MUSIC)

GROSS: If you're just joining us, my guest is Brian Krebs. He's a journalist who specializes in cyber security issues. He has the website "Krebs On Security" and is now the author of the new book "Spam Nation."

The two rival pharmaceutical spam organizations that you write about in your book "Spam Nation," where were they based?

KREBS: Both of them were based in Moscow.

GROSS: And why is Russia a hospitable - is Russia a hospitable place for spam?

KREBS: Russia's a very hospitable place for spam, for all kinds of cybercrime. A lot of this has to do with the way the former Soviet Union and Russia educated folks. A very strong emphasis on math, science and technology and these sorts of things actually lend themselves very well to a career in computing and so there's a strong community there that grew up around technology and computers. And you know, it brings in - cybercrime brings in a tremendous amount of money to the country and the government there has, I think, nurtured this industry to some degree and you know, I think having gone to Russia and really taken in the scene there, people who have never spent any time there have a hard time conceptualizing this - but you walk into a store that sells magazines, you might find dozens of magazines dedicated to hacking - and criminal hacking. You just wouldn't see that here in the United States. It's just a totally different culture.

GROSS: So because they have better math programs than we do (laughter) they have more spammers than we do?

KREBS: Well, no, I mean I think part of it is you have a community that's grown up around this industry - and cybercrime is an industry - and you have all kinds of communities that lend support to individuals who are engaged in this type of activity, and a majority of them happen to be in the Russian language. So you know, if you want to get started in cybercrime and you're not really sure how to do it, it's never been easier to do that, because there are dozens of forums where you can go and get tutelage; you can get people to help you jumpstart your business. You know, if you don't understand it, you can sort of learn on the job.

GROSS: You mentioned one incident in which one of the heads of one of these pharmaceutical spam organizations was being investigated by somebody in the Russian police, but then the head of this pharmaceutical spam organization basically brought on that guy from the police into the spam organization and paid him a lot more money than the police had been paying him - end of investigation.

KREBS: Yeah. It sort of died on the vine. He hired him as one of his security guys and he was actually a lawyer, the guy that was investigating him for illegal business activities, and yeah he just said hey just come work for me, you know? You'll make a lot more money and it'll be a lot more fun so you know, come to the dark side, we have cookies.

GROSS: So what is the fate now of the men who headed up the pharmaceutical spam organizations that you write about?

KREBS: Right. So Vrublevsky went on trial a couple of years ago, and it wasn't for sending spam or anything like that. It was he had paid one of his top spammers to use his crime machine - so we're talking about tens of thousands of hacked computers that they control remotely - to attack the website of Russia's largest airline. The company that this pharmaceutical spam executive was running was competing for a credit card processing contract with this airline with several other companies, and he attacked one of the other companies that was in the running for that contract. He had his top spammer knock them off-line.

And when you do that to a company - so this is something I probably should've mentioned earlier in our conversation when you were asking about why cybercrime in Russia - they sort of don't care what you're doing to the rest of the world, but as soon as you start picking on Russian banks or Russian companies, they care very much. And so he attacked this airline, which was 51 percent owned by the Russian government, and by the way, it delayed, you know, flights. And you know, you can imagine if somebody attacked Washington International Airport. You'd have a lot of politicians be upset.

So that's exactly what happened: there was a criminal investigation into him. That was a bit of a farce of a trial, as many trials are there in Russia, and he ultimately got sent to prison for a two-year sentence.

GROSS: How did the takedown of these two big pharmaceutical spam organizations change the spam industry?

KREBS: Unfortunately it really didn't. I mean, any time that something happens to disrupt these operations you see other types of effects. You see a drop in spam, you see a drop in malicious attacks online, but these are always temporary. The demand side of things, the reason that these pharmaceutical spam and other types of commercial spam industries exist is because there is a strong demand and some of the researchers that I worked with in this book found that exactly. They said, you know, it didn't matter what happened to these organizations, somebody would step in and fill that need and that's part of the reason I named the book "Spam Nation" because I wanted to make it clear that this problem, while we like to say well, you know, these cyber criminals in Russia and blah blah blah - the demand side of things is very much coming from this country.

GROSS: Brian Krebs, thank you so much for talking with us.

KREBS: Thanks, Terry.

GROSS: Brian Krebs is the author of the new book "Spam Nation." You can read an excerpt on our website freshair.npr.org.

Coming up, Norman Lear, the co-creator of the TV shows "All In The Family," "The Jeffersons," "Maude," "Sanford And Son" and "Good Times."

This is FRESH AIR. Transcript provided by NPR, Copyright NPR.
