As I write this, the latest provision of Canada’s anti-spam legislation (CASL) has just come into effect, which prohibits anyone in Canada working commercially or any Canadian Web site from installing software on other people’s computers without consent.
It’s worth remembering that CASL is only six months old, although spam is as old as the Internet.
That the Canadian government was finally able to pass legislation after several attempts — although Canada is far from the centre of the spam world — is praiseworthy, if not long overdue. And while Canada isn’t a major source of spam, CASL is part of an international effort to crack down on one of the most popular ways criminals try to extort money from people and infiltrate their systems with malware.
Most IT pros probably think of spammers as small rings of people. But in his recent book, Spam Nation (Sourcebooks, US$24.99) U.S.-based security blogger Brian Krebs focuses on large Russian networks that ran hosting providers, run credit card payment operations and create and rent out botnets.
Their leaders are larger than life figures who believe they can intimidate and buy politicians and prosecutors, hire elite programmers and race their cars wildly through the streets of Moscow.
Which is where the book opens, with the 2007 death in a car crash of a member of a family whose hosting provider was the base for the largest spammers in the world. It ends with the conviction of four Russians in that country for their part in a denial of service attack on Aeroflot’s credit card processor.
In between Krebs details how through payment processing sites Russians were behind the rise and fall of Internet pharmaceutical Web sites, some of which sold drugs of dubious — and sometimes fatal — quality.
That the so-called Pharma Wars ended at all is thanks to what Krebbs calls the “vicious feud” between to of the largest sponsors of pharmaceutical spam.
And it all apparently started with one allegedly paying a prosecutor to start a money laundering investigation into the other after the loss of $7 million in funds being held in escrow for certain hackers, which made some porn site Webmasters and spammers mad.
This is not the sort of thing that happens among developers in Canada (let alone in California).
But the investigation “would set in motion a damaging series of events that would find the two men competing to see who could spend more money bribing officials to ruin each other,” Krebs writes. “And they would both succeed.”
Think they play hardball in Silicon Valley? You haven’t seen the game. Which makes this entertaining book something different from the biographies of Bill Gates, Larry Ellison or Eric Schmidt you may have read.
Krebs focuses on people who are behind mass spamming, as opposed to the targeted attacks against corporations that made headlines in 2014. And since 2009 there have been a number of notable takedowns of botnet operators which, combined with the fall of certain Russian operations, has had a marked impact on the volume of spam.
Nevertheless, the book holds a lot of lessons for the C-suite, because they have to find ways of stripping out the huge volumes of junk mail corporations receive every day.
It may take fire to meet fire: Krebs notes Microsoft’s willingness to pay Russian IT consultants to monitor one spammer and share information with that country’s law enforcement agencies. It may be a coincidence, but later he was convicted on child molestation charges.
Governments will also have to kick butt: The IT industry was put on notice that it wouldn’t be allowed to be a silent partner when in 2011 Google agreed to pay US$500 million to settle allegations it allowed supposed Canadian pharmacies to advertise drugs for distribution in the United States.
And, Krebs writes, academic researchers were able to “browbeat” top commercial pharma and IT brands into pressuring Visa to take actions against online pharmacies and money launderers.
Krebs says the Pharma Wars may only be temporarily over. Meanwhile, there has been what he calls a malevolent shift in cybercrime towards ransomware. Indeed last week it was reported that a new version of the CryptoWall ransomware has just appeared. At the same time there has been an increase in malware aimed at stealing corporate passwords through phony FedEx and other messages.
Others in the spam industry are looking for the next new thing. It should be no surprise. As Krebs details, there’s so much money easily being made by spam its perpetrators can’t give it up.