Sunday, January 30, 2011

Criminal Talent

The Russian Constitution Stands in the Way of Russian Law Enforcement Agencies Collaborating with Other Countries in the Field of Internet Security

Investigators from the Federal Bureau of Investigation (FBI) are pursuing a 23-year-old Russian believed to be the mastermind behind the notorious “Mega-D botnet,” a network of spam-spewing personal computers blamed for an estimated one third of all spam E-mails worldwide. But although the network’s operations were suspended last year, American prosecutors will be hard-pressed to arraign Oleg Nikolaenko as long as he remains in Russia.  

According to a criminal complaint filed by FBI officer Brett Banner at the United States District Court, the 23-year-old Moscow resident Oleg Nikolaenko was identified as the prime suspect of an ongoing grand jury probe for violating U.S. anti-spam and fraud laws. Webmail records from two Gmail accounts and financial transactions (via the ePassporte service) link Nikolaenko to the operation of the botnet, according to court papers submitted in a grand jury investigation.

The “Mega-D” zombie network was notorious for peddling fake prescription drugs, herbal remedies and even fake Rolex watches. In a series of sting operations by the FireEye security firm, “Mega-D,” also known as Ozdok, was taken down in November of 2009. Federal agents were able to pinpoint Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” E-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenue of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.

Atkinson told investigators that commissions to “Docent” (Nikolaenko’s online alias) were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the E-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow. According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta-based security firm, which found them to be samples of the “Mega-D” malware.

But the U.S. investigators missed at least two chances to apprehend Nikolaenko last year, Brian Krebs, a former Washington Post reporter, wrote on his blog Wednesday. According to the grand jury, a review of U.S. State Department records indicates that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on November 9 from Los Angeles. Investigators say Nikolaenko was supposed to leave Los Angeles on November 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On November 4, 2009, researchers from California-based FireEye took over “Mega-D” command and control networks by executing a “stun” attack.

“Based on the timing of the FireEye attack on the ‘Mega-D’ botnet, I believe that Nikolaenko left the United States early to repair damage caused by FireEye,” wrote Special Agent Brett Banner in the government’s complaint against Nikolaenko. After the FireEye takedown, spam from “Mega-D” all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by November 22, spam from “Mega-D” was back to pre-takedown activity levels. By December 13, “Mega-D” was responsible for sending nearly 17 percent of the spam worldwide, according to security vendor M86 Security. Joe Stewart, a senior security researcher at SecureWorks, said that at the beginning of November 2009 there were at least 120,000 computers infected with “Mega-D” that were relaying spam, but Stewart said he hasn’t seen any signs of activity from “Mega-D” over the past several months.

While “Mega-D” may be dead, information obtained by KrebsOnSecurity.com suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for Spamit.com. Prior to its closure at the end of September 2010, Spamit was the world’s most active affiliate program for promoting knockoff prescription drugs. A Spamit affiliate using the same “4docent@gmail.com” address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same “Genbucks_dcent” ePassporte account named in the criminal complaint against Nikolaenko. “It’s not clear whether Nikolaenko was able to enjoy all of those earnings [as] ePassporte also went belly-up in September, leaving thousands of customers without access to millions of dollars in funds,” Krebs writes.

“It is quite true that so many talented Russian programmers are involved in cyber criminal activity across the globe, including spamming,” said Irina Levova, a leading analyst and Cybercrime Committee Coordinator at the Russian Association of Electronic Communications (RAEC), a trade group that promotes Internet security in Russia. Russian spammers earned 3.7 billion rubles ($118 million) last year, while the economy has lost 14.1 billion rubles ($449 million) because of their activities, figures released by RAEC show. Seven of the world’s top ten spammers are from Russia, according to the nonprofit anti-spam organization Spamhaus.

Last month Russian investigators opened a criminal case against Igor Gusev, a Moscow businessman accused of involvement in a major spamming operation flooding the Internet with advertisements for the anti-impotence drug Viagra. Police said Gusev's spam network has helped earn Despmedia, his affiliate company, $120 million over a period of three and a half years from medicine sales over the Internet, a charge denied by his lawyer. In August, French authorities arrested a resident of Moscow who used his Internet network called CarderPlanet to sell stolen credit cards, the U.S. Secret Service said in a statement on its Web site.

“What Russian spammers do is organize a special cyber network to sell fast-moving stuff like counterfeit drugs to gullible buyers in the United States, Canada and Europe over the Internet,” Levova said. “The products are often packaged to encourage impulse-buying by credit card holders with the ability to pay moderate sums of money without delay.” Levova said the pyramid-like scheme has grown into a multi-million dollar industry partly because it costs almost nothing to send out spam, while its potential victims are willing to sidestep requirements for prescription drugs by buying cheap online. She estimates that while some drugs are generic, over two thirds of drugs sold by Russian spammers online are fake.

Due to some loopholes in Russian cybercrime legislation, the perpetrators are able to live and move freely in Russia even though law-enforcement agencies have sufficient information about their activities, experts say. “Most of these cybercrimes are deemed to have been committed outside Russia and not on its territory,” Levova said. “The best law-enforcement agencies could do in most cases is to charge them for non-payment of taxes.” The Russian Interior Ministry’s high-tech crimes department could not be interviewed for this article, but independent legal experts expect Nikolaenko to go scot-free as long as he remains in Russia. “While Article 18 of the Law on Advertising prohibits mass-mailing without the consent of the recipient, there is no definition of spamming in Russia's law on information technology and information protection,” Maria Ivoylova, a partner at the Yukov, Khrenov & Partners law firm, told Gazeta.ru on Wednesday.

That, though, may be about to change, as Russia comes under increasing pressure from Western partners to clamp down on abuse of the Internet. The State Duma is presently considering amendments to the 1978 Information Technologies and Information Protection law to impose stiffer penalties on hackers. The draft bill, which is jointly sponsored by the State Duma Committee on Information Policy and RAEC, proposes a new definition of spamming while imposing harsher punishments on perpetrators, Gazeta.ru reported Wednesday.

But even such a legislative makeover is unlikely to alter the status quo, other legal experts say. "The main problem for law-enforcement agencies is in the Russian Constitution and not in the criminal code," Edward Bekeschenko, the head of a dispute resolution group at Baker & McKenzie, said. "According to the country’s main legal document, if a Russian citizen is liable for a criminal offense, the case against him can only be tried in a Russian court. Since the Russian Constitution prohibits the extradition of citizens, the only way U.S. authorities can get hold of Nikolaenko is if somehow he voluntarily returns to the United States."
