Krebs enjoys an odd position in the Russian pharma spam underground, which accounts for a great majority of the spam, botnet, and crooked payment-processing in the cybercrime ecosystem. As a dogged investigator of the business, he is notorious and often hated by the spammers — who include some very unsavory characters — but he’s also something of a father confessor to some of the most senior members of the industry.
As Krebs tells it, he would frequently get early-morning phone calls from spam kingpins who would call to boast, rage, rant and taunt as they unwound at their desks in Moscow after a long day’s hard graft. These calls were supplemented by emails, some from different identities that Krebs has good reason to believe are all fronts for one person, that were by turns threatening and bragging.
But Krebs’s access to the inner workings of the spam underground was massively expanded when the two largest spam-bosses went to war against one another, paying corrupt Russian cops to investigate and incarcerate one another. Part of this war involved rival hackers breaking into one another’s internal networks and grabbing enormous troves of emails, chat-logs, and message-board databases that were fired off to law enforcement — and Krebs.
From these insider resources, Krebs pieces together a gripping — and even, at times, thrilling — story about the strange business of pharmaceutical spam, an industry that is bizarre, sprawling, dysfunctional and contradictory. Fuelled by world-beatingly high price of pharmaceuticals in the USA, the pharma-spam business uses millions of hacked PCs to send out come-ons advertising all manner of drugs, from anti-depression meds to fertility meds to powerful, controlled painkillers — and, of course, erectile dysfunction medication.
The “affiliates” who run the titanic botnets that send out all this spam make their money on commissions for successful sales, and live in terror of “chargebacks” from disgruntled customers, which endangers the whole system’s relationship with the few payment processors willing to handle its transactions.
The pharma orders are handed off to Indian and Chinese suppliers, who bid in realtime for the business, with the lowest bidder getting orders as they’re placed. Oftentimes, the drugs arrive just as described, having been produced by reputable pharmaceutical factories who supply the domestic markets. But with no controls on quality, there are worrying exceptions to this: sometimes customers receive expired drugs, and, in a few fatal incidences, drugs contaminated with heavy metals and even uranium.
For all this industry, the overall sums involved are rather modest, eroded by the cost of payment processing, paying for hackers to beat anti-virus software to keep their botnets alive, and the rest of the supply-chain. Although the spam industry has made millionaires of a few people at the top, the total revenues — to say nothing of the net profits — are much smaller than the total costs the industry inflicts on the Internet as a whole in the form of anti-spam, security, and other costs.
Meanwhile, the spam industry and the anti-spam vigilantes who make war on it have converged on tactics. In a fascinating chapter, Krebs relays how Russian spammer message-boards rage with discussion about the need for anti-spam tools that keep the low-level, ankle-biter spammers out of their victims’ inboxes, without which their own pharma spam would never be able to rise above the noise-floor. And as for the anti-spammers, one of their most effective tactics has been to stage denial-of-service attacks on the ordering systems, placing thousands of bogus orders for drugs that overwhelm the system’s ability to process them.
The story of the spam wars — which culminates in the high-tech gang war that resulted in much of Krebs’s source materials falling into his hands — is by turns hilarious (many of the characters in the Russian cybercrime underground are colorful and awfully funny) and awful (much of the payment processing in the spam underground is also used to process payments for rape- and child-porn). Krebs has organized the whole baroque tale into something that’s clearer and more interesting than it has any right to be, and it’s a great read for people trying to get a grip on why their inboxes bulge with spam.
Which is not to say that the book is perfect. Some of the evidentiary trials that Krebs strings together to show why he believes so-and-so is involved in such-and-such are described in eye-watering detail that could just as easily have been put in a footnote rather than bogging down the story. And there is a very disturbing passage in which Krebs starts cold-calling customers for pharma-spammers (he gets their numbers from a leaked database) to ask them about their participation in the spam economy. This is an important subject to investigate, but it is fraught with serious ethical problems, as he has become privy to the private medical details of his subjects through a criminal hack, and in some cases, he comprimises their privacy by discussing their orders with whomever answers the phone when he calls.
But taken as a whole, Spam Nation is an excellent look at the technicalities, ethics, economics, global politics, and business of spam and cybercrime, and it is researched and told with enormous care and verve.
Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door
-Cory Doctorow