Season 1 / Episode 3
In this episode of Malicious Life, we take a look at one of the oldest forms of criminal activity on the web: the spam empires of the 90's and 2000's. Find out how these multi-million dollar industries operated, how they served as a half step towards the organized online crime groups of the modern age, and what price was paid by those who tried to stop them. With special guest Stephen Cobb.
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 9 million downloads as of July 2017.
The author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Stephen Cobb has been researching computer security and data privacy for 25 years, advising companies, consumers, and government agencies on the protection of sensitive data and systems. Cobb has been a CISSP since 1996 and currently leads a San Diego-based research team for security software maker ESET. He is also working on an MSc in Criminology at the University of Leicester in England.
Hello and welcome back to Malicious Life. I’m Ran Levi.
On June 1st, 1864, the London Times edition published the following letter, sent by a member of the British Parliament:
“On my arrival home late yesterday a telegram was put in my hands. It read as follows – ’Dr. Gabriel, dentist, 27 Harley st., Cavendish Square. Dr. Gabriel’s professional attendance will be 10 till 5.’
I have never had any dealings with [them] and beg to ask by what right do they disturb me by a telegram which is evidently simply the medium of advertisement? A word from you would, I feel sure, put a stop to this intolerable nuisance.”
The telegram that the member of parliament received was an advertisement, an early form of spam. Unfortunately, his angry letter to the London Times did not stop the spam phenomenon. If anything, the exposure in the newspaper probably doubled or even tripled the clinic’s income.
Spam is Everywhere
Spam, therefore, appeared almost as soon as electronic media appeared, and the internet is no exception, of course. Spam is everywhere in the online world. You can’t escape it. According to a report by Kaspersky Lab, in 2016, 6 out of 10 emails landing in inboxes were spam, which is actually an improvement compared to 2009, when 9 out of 10 emails contained advertisements for fake bags and watches from supposedly leading brands, promises of weight loss products and magic diets, products to improve our sex life and many more. Spam is everywhere, even outside the email inbox: there’s text message spam, spam in instant messaging applications, in blog comments and in social media.
But Spam is much more than just a nuisance. Spam, especially email spam, has played a major role in the development of organized cybercrime. In this episode, we will tell the story of how Spam developed and discover how it shaped the online crime organizations of the 21st century.
Do Not Email Registry
In 2003, the US Federal Trade Commission, the FTC, established a database called the National Do Not Call Registry. Any citizen who didn’t want to receive telemarketing phone calls could add himself to the registry, and the telemarketing companies were obligated by law to respect that person’s wishes and avoid bothering them with unsolicited phone calls. The registry was a huge success and lowered the number of unsolicited phone calls drastically.
In 2004, two young Israeli entrepreneurs, Eran Reshef and Amir Hirsh, started a company called Blue Security, which developed a technology to combat email spam. Their technology was based on the same concept as that of the National Do Not Call Registry: a Do Not Email registry. If a spam email message reached one of Blue Security’s clients, the company would contact the business who sent the message and request that their client be removed from their mailing list.
But that was just the first step. Each one of Blue Security’s clients ran a small piece of software called Blue Frog. If the client received spam from a business that had already been contacted by the company with a request to remove that person from its lists, Blue Frog would automatically file a complaint regarding the spam at that publisher’s website, asking them to refrain from sending further spam messages.
Sounds simple, right? One spam equals one complaint. But as simple and trivial as Blue Security’s technology may seem, it proved to be incredibly useful in the struggle against spam. About one quarter of Blue Security’s clients reported a 50% decrease in the amount of spam they received, and CEO Eran Reshef said in interviews that 6 out of the world’s 10 leading spammers agreed to stop sending messages to clients in the company’s database. In order to put this achievement in the right perspective, consider that the FTC itself considered creating such a registry, but it decided not to continue with the concept out of a fear that the opposite would happen: that email addresses in such a list would receive more spam than before, not less.
So, why was the FTC so hesitant to create a Do Not Mail registry, and how was Blue Security able to implement this idea successfully? In order to answer this question, we must travel back in time to the origins of internet spam.
Origins of Spam
The first commercial spam was sent back in 1978, when the internet was still in diapers. Gary Thurek was a young and aggressive marketing professional for the Digital Equipment Corporation (or DEC), and wanted to demo a number of DEC’s new computers in California. The problem was that although Gary had many contacts on the east coast, he didn’t know anyone on the west coast. He decided to collect the email addresses of almost anyone who had an internet connection on the west coast, a few hundred engineers and academics, and sent them an email message regarding the demonstration.
Thurek’s unsolicited advertisement was not appreciated by many of the users, who complained about him to his supervisors. The energetic young marketer was reprimanded. However, his actions did pay off: the message earned DEC close to $14 million in sales.
Repulsive and Sleazy
The first time spam was perceived as repulsive and sleazy is credited to two lawyers from Arizona named Laurence Canter and Martha Siegel. It was 1994, and the main meeting place for internet users was Usenet discussion groups. Canter and Siegel specialized in immigration law, and they hired a programmer to spread a message in all 6,000 discussion groups promoting their services regarding the Green Card lottery, whose date was approaching.
If Gary Thurek’s advertisement was received with a cold shoulder by most users, Canter and Siegel’s spam created an uproar. The spam sent by the two lawyers crossed the line. Not only did they publish their message in every discussion group, including ones that had nothing to do with immigration, but everyone also knew that it was false and deceiving advertising. All you had to do to enter the lottery was send a postcard with your name and address. Canter and Siegel were going to charge hundreds of dollars to naive clients for this “service”.
Canter and Siegel were flooded with thousands of angry emails and verbal abuse over the phone, and their post box was jammed with many pounds of catalogues and magazines, sent as “punishment” for their rudeness. Their internet provider canceled their subscription and newspaper articles completely ruined their reputation. And still, the spam paid off: Laurence Canter revealed in an interview that the two earned more than $100,000 thanks to those messages.
Easy to Monetize
Stephen Cobb is a Sr. Security Researcher at ESET, and in the late 90s, he developed a commercial product to combat the spam phenomenon. As Stephen explains, the stories of Gary Thurek and the two Arizona lawyers embody the basic reason why spam has become a common problem in the online age: emails, as opposed to viruses, are easy to monetize.
[Stephen] So spam really ramped up as the web became commercial. So I think Amazon opened up – Amazon.com was like 1996. In ’97, ’98, you saw this big rush of companies on to the internet selling product. And that was a legitimate commercial proposition. In fact, under slightly different circumstances that happens today, right? You get an offer in an email to buy a product. You click and you can go and buy the product. So it was – although email had been around for a while, it was the ability to link that to a commercial transaction through a website that really …
[Ran] To monetize.
[Stephen] To monetize, yeah. And I think we need to be clear that it was seen initially by some people as a legitimate business opportunity. And so in the late ‘90s, the volume of spam exploded and a lot of it at that point was legitimate companies in the sense that they had product to sell but they were using what was then called unsolicited commercial email or UCE. And that was the initial battle that was fought over spam was whether or not it was ethically OK to send somebody an email if they did not ask for it or if they haven’t opted in to receive your email.
So why then, did the FTC predict that a Do Not Mail registry would not be as successful as the National Do Not Call Registry? Well, telemarketing, at least back then, in the days before Robocalls, required effort: a human representative had to sit in front of the phone and talk to potential clients. Effort means money, and telemarketing companies had a clear interest in having their representatives contact only those people who might buy the products they were trying to sell, and not those who would never buy them. The National Do Not Call Registry helps telemarketing companies direct their investment to more financially viable channels, so alongside the federal penalties for breaking the law, they have a clear incentive to respect the will of those citizens who have joined the registry.
In comparison, Canter and Siegel’s effort in spreading their spam amounted to a few hours of programming work, and they received a very nice return on that tiny investment. Furthermore, the automation of sending spam means that today, sending a million emails is not substantially different from sending 2 million or even 10 million. Research conducted a few years ago shows that only 1 in 12,000,000 spam messages converts to selling a medicinal product to a client, and still, the cost of sending 12 million emails is so minute that even this lousy conversion rate makes spam profitable. This means that spammers don’t pay a financial price for disobeying the Do Not Mail registry, and if they aren’t US citizens, they don’t have to concern themselves with the law at all. Quite the contrary, actually: if a certain email address exists in the registry, it’s more likely that it belongs to an actual human who reads his emails, which makes it an even better target for spam. That is why the FTC didn’t want to create such a registry.
Hit The Spammers With Their Own Weapon
But Blue Security’s technology, and the idea that one spam equals one complaint, turned this financial equation on its head. Unlike sending spam, dealing with client complaints costs the business money. If, for example, 10,000 of Blue Security’s clients received spam from a business selling Viagra pills, that business would now receive 10,000 complaints, and would have to invest serious effort in filtering the automatic complaints in order to find the few emails from clients who actually expressed interest in buying the pills. The key word here is automation. The Blue Frog software hit spammers with their own weapon, and made them pay a financial price for disobeying the Do Not Mail registry.
Not everyone liked Blue Security’s initiative. There were many in the Information Security community who criticized this “eye for an eye” approach. Some claimed that it was unethical, since Blue Security was fighting spam with spam. Others were concerned with collateral damage to third parties due to mistakes that could harm innocent businesses. Many others were in favor of Blue Security’s approach and considered it the only effective solution against spam. Either way, in 2006, Blue Security already had around half a million registered users, and the company was heading for success.
But then, in May 2006, some of Blue Security’s clients received the following email:
“You are receiving this email because you are a member of Blue Security. You signed up because you were expecting to receive a lesser amount of spam, unfortunately, you will end up receiving this message, or other nonsensical spams 20-40 times more than you would normally. By signing up and remaining a Blue Security user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result. Just remove yourself from Blue Security, and make it easier on you.”
The sender didn’t sign his or her name, but different sources point to a spammer of Russian origin nicknamed Pharmamaster.
The support forums on Blue Security’s website filled with questions from concerned users. Was there truth in Pharmamaster’s threats? Was the email registry hacked, and were users now exposed to even greater amounts of spam? Eran Reshef was quick to calm the users down. The registry wasn’t hacked and the spammer had no way of extracting their email addresses from it. At best, he could only learn whether an email address that he already had was in Blue Security’s email registry, which is also the reason why only some of the clients received the threatening email. In other words, there was no reason for concern.
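The property Reshef describes, that a holder of the registry can confirm addresses he already has but cannot read addresses out of it, is what a hash-only registry gives you. The following is an added illustration, not Blue Security's own code (the episode does not describe its internals); it assumes the registry stores SHA-256 hashes of normalized addresses and hands out only those hashes, and all addresses in it are constructed samples.

```python
import hashlib

# Assumption for this illustration: addresses are folded to lower case before
# hashing so that "Alice@Example.COM " and "alice@example.com" collide on purpose.
def normalize(address: str) -> str:
    """Canonical form of an address, so trivial spelling variants match."""
    return address.strip().lower()


def hash_address(address: str) -> str:
    """Only this digest is ever stored or exported; the address itself is not."""
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()


class DoNotEmailRegistry:
    """Registry that keeps hashes only (hypothetical model, not Blue Security's)."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def register(self, address: str) -> None:
        self._hashes.add(hash_address(address))

    def export_hashes(self) -> frozenset[str]:
        """What a sender receives for list cleaning: digests, no addresses."""
        return frozenset(self._hashes)


def scrub_list(mailing_list: list[str], exported_hashes: frozenset[str]):
    """Sender side: split a mailing list into registered / not registered.

    A cooperating sender drops the registered group. The same split is all a
    hostile list holder can learn: which of HIS OWN addresses are members. He
    gains nothing about registered addresses he does not already hold, which
    is why only some clients could be singled out for the threatening email.
    """
    registered, unregistered = [], []
    for addr in mailing_list:
        bucket = registered if hash_address(addr) in exported_hashes else unregistered
        bucket.append(addr)
    return registered, unregistered


def demo():
    """Constructed sample data: two registered users, one unknown to the registry."""
    registry = DoNotEmailRegistry()
    registry.register("alice@example.com")
    registry.register("Bob@Example.org")
    exported = registry.export_hashes()

    # A sender's own list, with one case variant and one unregistered address.
    mailing_list = ["ALICE@example.com", "carol@example.net", "bob@example.org"]
    registered, unregistered = scrub_list(mailing_list, exported)

    # Nothing in the export is an address: every entry is a 64-hex-char digest.
    leaks_addresses = any("@" in h or len(h) != 64 for h in exported)
    return registered, unregistered, leaks_addresses


if __name__ == "__main__":
    print(demo())
```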
The Evolution of the Spam Industry
It’s most likely that Eran was right and that Pharmamaster’s threatening email was just a bluff. But what Blue Security didn’t take into account was that the world of cyber-crime in 2006 was very different from that of the 1990s, and that Pharmamaster wasn’t just another bored kid who was writing viruses to show off to his friends. Stephen Cobb from ESET explains:
[Stephen] So, Ran, that’s the big question, and that’s how we got really to today’s malware thing. People figured out that one way to send spam was to take over a whole bunch of personal computers.
And so this is where we saw the rise of Trojan code which doesn’t replicate itself but which is pushed out to infect machines and then is able to recruit the infected machines into what we call a botnet, lobotomized or zombie machines that typically unbeknownst to the owner of the machine are used to send spam in the background. And the ability to recruit a thousand, ten thousand even a million infected machines to send spam then became something which you could monetize.
So instead of spam being a singular operation where the person wrote the email, sent the email, and fulfilled the offer at the end, it became a division of labor where the person who could write the code to infect machines was one person. The person who infected the machines was another. The person who built the botnet then monetized that by renting it out to spammers.
Stephen is describing an evolutionary process that the spam industry underwent, turning it from a collection of small-time spammers, working separately from each other, into well-organized businesses. In these organizations, each actor has his role: one writes the malware code that takes over the computer and turns it into a “zombie”, another distributes it, and so on. There are also those who manage the sales network and some who are only affiliates, earning commissions for every deal. In addition, quite a few spam support services came into existence, such as hosting services for sales pages, email collection services, payment services and many more: a whole new world of criminal finance. In other fields of law enforcement, such criminal organizations would be called Mafias.
“And what started to drive spam – was pharmaceuticals. When people realized there was a market for prescription medicine over the internet, that led to tremendous amounts of spam because you had a period of time where there were companies who were legally selling or shadily selling prescription drugs over the internet typically cheaper than you could get them through your doctor or you could get them even without a doctor’s prescription, that was quickly banned by many governments as illegal and of course, potentially dangerous. So that drove it underground. And that led to the rise of pharmaceutical spam and that powered the effort to infect machines with Trojan code and virus.”
This means that Pharmamaster didn’t pick his name randomly: his nickname points, most probably, to the main source of his income from spam. And as Stephen Cobb points out, trade in real or fake medication was a very lucrative business, which probably earned Pharmamaster millions of dollars every year. He wasn’t going to let go of that easily. Pharmamaster also had a weapon: an “army” of hundreds of thousands of computers, infected with malware, which were now under his command. On a day to day basis, Pharmamaster used his botnet to send millions of spam messages, but now he turned it towards a new target: Blue Security. On May 1st, Pharmamaster launched a powerful DDoS attack against Blue Security’s home page: the infected computers on his botnet flooded the website with billions of packets of information, and “drowned” it until it crashed.
May 1st was Israel’s Independence Day, but in Blue Security’s local offices, no one was celebrating. The DDoS attack prevented the company from providing service to its clients, and the damage accumulated with every passing minute. But the mood in Blue Security was combative, and Eran Reshef wasn’t going to give up. In a message published by the company, he said:
“Today is Israel’s Independence Day. It’s a public holiday in Israel, but all of us in Blue Security are working. But we are glad we’re working. We’re helping the community fight the Blue Independence War. We fight for our freedom from spammers and cyber criminals. This is our big chance to reclaim the Internet. We must not let it slip from our hands. Some desperate spammers are doing their worst to harm our community. They’d like us to back off, and agree to get their spam silently. Needless to say, that is not going to happen. We’re not here to listen to their vile threats and fraudulent advertisements. We’re here to stand up for our right not to be let alone.”
Blue Security had a reason to be optimistic. DDoS attacks were not unusual and it was possible to handle them. Furthermore, experience had shown that these attacks usually last just a few days, until the attacker loses interest or until he needs his botnet for other things.
A Critical Mistake
But it was at this point that Blue Security made a critical mistake. In order to continue its contact with its clients despite the DDoS attack, the company directed all its internet traffic, which was supposed to reach bluesecurity.com, to a relatively old blog that was hosted by a company called Six Apart. That meant that the massive stream of billions of packets, which drowned Blue Security’s servers, was now turned to the servers of Six Apart. To add insult to injury, Blue Security didn’t alert Six Apart’s management in advance, and didn’t warn them about what was about to happen. Six Apart was not ready for a DDoS attack, and its servers could not handle it. Unfortunately, these servers also hosted a few thousand other blogs and websites other than Blue Security’s, and as the servers crashed as a result of Pharmamaster’s DDoS attack, so did all the other thousands of websites, innocent victims of a war they were not part of.
Blue Security took heavy criticism for this decision. Some compared it to pushing a burning couch from your apartment into your neighbor’s. Eran Reshef apologized to the owners of the websites that were hit, and explained that he wasn’t aware of the severe consequences of this decision. Despite the unpleasant hit to Blue Security’s good reputation, Reshef still seemed very confident in his and his company’s ability to survive Pharmamaster’s attack. In fact, he saw it as an encouraging sign. In an interview with MacWorld Magazine, he said:
“This guy is very desperate and he’s willing to rip apart the Internet to stop (us). This is a sign that [our technology] is working. We’ve finally created something that spammers actually care about.”
The Straw That Broke The Camel’s Back
The days passed, but the DDoS attack on Blue Security didn’t fade away. Pharmamaster, it was now clear, did not lose interest and wasn’t going to give up. But Blue Security didn’t give up either. Reshef hired the services of a company called Prolexic, which specialized in protecting websites against DDoS attacks. Prolexic’s engineers knew what they were doing, and were able to keep the website running for two weeks, despite recurring attacks from Pharmamaster.
But on May 16th, Pharmamaster found a weakness in Prolexic’s shield, and managed to knock them off the internet as well. Just like in the Six Apart case, many innocents were also hit: other companies had hired Prolexic’s services and now their websites were out of commission, just like Blue Security’s.
That was the straw that broke the camel’s back. On the next day, May 17th, Eran Reshef announced that Blue Security was backing down and leaving the world of spam. Pharmamaster had won.
The official reason for the decision was the collateral damage that the war against Pharmamaster caused to innocent victims. In an interview for Wired Magazine, Reshef said the following:
“Our community would very much like us to continue on the fight against spam, and our community has grown over the last week, but at the end of the day if we continue doing so, within a few days, major websites will go down. I don’t feel that this is something I can be responsible for. I cannot go ahead and rip up the internet to make Blue Security work. This is not the decision a commercial entity can make.”
In another interview for NPR, he said:
“He [The spammer,] shut down 2 million blogs just to get our service, you know, out of the Internet. And what we came to a conclusion is that this is going to become a full-scale cyber warfare, and this is not something that we want to be responsible for. This is not something that our users sign up for. This is not something that a commercial entity can go ahead and authorize.”
This, as I said, was the official version, but there may have been another reason for this sudden surrender. Persistent rumors claim that Pharmamaster, or one of his friends in the underworld, threatened the founders of Blue Security and their families. Again, these are only rumors: I wasn’t able to confirm them. Everyone I approached from Blue Security, including Eran Reshef himself, refused to be interviewed for this show. Some offered the friendly advice of letting this subject go and not discussing it as part of this series.
A Great Catalyst of Cyber-Crime
Whether these rumors of threats are true or not, it is clear that the big money that spam brought with it was the great catalyst for the organization and establishment of cyber-crime. What started out as virus writing for the sake of intellectual challenge or as a type of vandalism turned, in the early 21st century, into a sophisticated business with an organized division of work between those who wrote the malware, those who ran the botnets to distribute spam and those who ran the sales and marketing. The story of Blue Security is a kind of cautionary tale for those who might tend to discount virtual crime. Although this kind of crime is less photogenic than armed robbery, it’s still a very dangerous threat, and cyber-crime organizations have a significant amount of power. Today, more than ever, this power is spread throughout the globe.
It’s interesting to point out that there has been a certain decline in spam distribution in recent years: from an all-time high of 85% of all emails in 2009, to between 50%-60% nowadays. This decrease can be attributed to pressure applied by international policing bodies on botnet managers, or maybe to the success of online marketing platforms such as Google, Facebook and Twitter, which provide small businesses with alternative and legitimate modes of advertisement. But despite the decrease in spam, cyber-crime not only didn’t disappear, it expanded into other, more lucrative areas. In the following episodes, we will dive deeper into this brave new world of crime, and the people behind it.