(2h; ~73k words) Journalistic account of Brian Krebs’s (Wikipedia, blog) experience with some Russian spammers & associates.

Krebs has been engaged in a little war with Russian spammers: getting onto their forums, looking for weak points like abuse-friendly ISPs or payment processors, and blowing the whistle on them; he’s been heavily aided by the feuding community leaking lots of information and vouches to him, and the book revolves around one he’s hyped up as the ‘Pharma Wars’. All the leaks means he can do an unusually thorough job of documenting it and the principals, and the involvement of the Russian government in the e-crime scene. My own interests are mainly in the Western blackmarkets like Silk Road, and in the pharmacy affiliate networks which were one of the main routes for buying modafinil up until recently, so while Krebs doesn’t go into nearly as much detail as I would like, it’s still a fairly illuminating read. Few Westerners have as much experience with the area as he does, which makes it worth reading for anyone interested in this niche, and certainly it’s easier to read the book than try to piece together everything from his blog posts.

One downside is that the book comes off as a bit stream of consciousness and disorganized: there seems to be a rough chronological order, but not much of one; and a few diagrams of all the overlapping people and organizations (as well as a flowchart of the spam process) would probably be helpful. And I used the word ‘journalistic’ deliberately: Krebs’s writing is purple and sensationalistic. Something is not ‘terrifying’, it is ‘truly terrifying’; spammers are not a nuisance, but they become “potent threats”; in describing the fall of a small plurality source of spam (~20%, I believe he estimates), “consumers all over the world were enjoying a brief reprieve” from “the spam email empire”. His overheated writing aside, his own sources make the case that spam is not that important; eg towards the end:

Vrublevsky and Gusev’s Pharma Wars were extremely costly for the spam industry, and their internecine war cost everyone in their business plenty. The two are now widely reviled on cybercrime forums for costing spammers tens of millions of dollars in profits, and for focusing attention from law-enforcement officials and security experts on individual spammers. “These two fuckers killed the spam business,” Vishnevsky said in a May 2012 interview. “It was never super profitable for most guys; maybe five to ten guys earned really good money with spam. But after Pavel and Gusev started their war, everyone started thinking that every spammer is a millionaire and started hunting for spam and spammers.”…Legitimate high-tech and well-paying programming jobs are increasingly available to talented coders in Moscow, and many of his longtime employees have been hired away to legitimate jobs in Moscow’s young but promising tech sector. “Many representatives of the underground can’t find good coders now, because their salaries in Moscow are much more than you can earn with spam,” Vishnevsky said. “This business went to shit when Pasha [Vrublevsky] got busted. If Pasha and Gusev [had] not start[ed] that stupid war, everyone would be much happier.” Vishnevsky’s criticism may be harsh, but it is hardly an exaggeration. The spam industry has indeed taken a huge hit in the past few years. Prior to SpamIt’s closure in October 2010, the volume of spam sent worldwide each day hovered at around 5.5 billion messages. Since SpamIt’s closure, however, the volume of global spam sent daily has been in marked decline. According to Symantec, by March 2011, spam levels had fallen to just over one billion junk messages per day, and the total has hovered at or very close to that diminished level ever since.

(If spam is at 1/5 peak and even at the peak it was ‘maybe five to ten guys’…)

In other spots, Krebs makes mistakes or does not exhibit as much critical thinking as one would like: the illustration of the horrors of designer drugs is the infamous ‘causeway cannibal’ (except that that wasn’t bath salts, that was marijuana - and Krebs even acknowledges his mistake in a footnote! So why on earth does the main text confidently say he “turned into a real-life zombie after ingesting prodigious amounts of “bath salts””‽); when discussing the online pharmacies, he repeats idiotic pharmacorp talking points like “8% of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard” without pointing out that no one actually cares about the fraction that are “counterfeit [or] unapproved”, and mentions that Marcia Bergeron’s poisoning death is “almost always recited in some form whenever experts allied with the pharmaceutical industry talk” without asking the obvious question if the online pharmacies are so dangerous, why is only that story ‘almost always recited’?; it’s interesting that there’s no mention of Kaspersky Lab’s connections to the FSB and why Krebs was being wined and dined by Kaspersky personally; there is a bizarre lack of mention of Bitcoin except for a throwaway line about Russian forums, which is particularly bizarre given that he discusses the rise of ransomware (now often Bitcoin-using) and seems to agree with the interviewed Russian spammers at the end that going after credit-card payment processors has effectively killed the industry (which would be an unwise prediction if they can move to Bitcoin, as many of the online pharmacies have begun to).

Further reading:

Some key authors: