How do you chronicle the struggle for control of an underground empire when neither combatant wants to admit that he is fighting or even that a war is underway? That’s the nature of a business-feud turned turf-war that is playing out right now between the bosses of two of the Internet’s largest illicit pharmacy operations.
On Thursday, I wrote about an anonymous source using the pseudonym “Despduck” who shared a copy of the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet. The database indicates that Glavmed processed in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010.
Despduck first proffered the Glavmed data through a mutual source in the anti-spam community, and claimed that the alleged owner of the pharmacy program, a Russian businessman named Igor Gusev, would soon be charged with illegal business activities. Sure enough, near the end of September 2010, Russian officials announced a criminal investigation into Gusev and his businesses. Shortly after those charges were brought, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other pharmacy networks.
Gusev is now in exile from Russia; he blames his current predicament– and the leak of the Glavmed data — on his former business partner, fellow Muscovite Pavel Vrublevsky. The latter is a founder of Russian e-payment giant ChronoPay, a company Gusev also helped to co-found almost eight years ago (according to incorporation documents I obtained from the Netherlands Chamber of Commerce — where ChronoPay was established — for a time Gusev and Vrublevsky were 50/50 partners in ChronoPay).
As reported in my story earlier this week, tens of thousands of internal documents and emails stolen from ChronoPay and leaked to key individuals suggest that Vrublevsky is managing a competing online pharmacy network called Rx-Promotion. It turns out that the Glavmed database was stolen at about the same time as ChronoPay’s breach.
Vrublevsky denies being the source of the purloined Glavmed/SpamIt database, but the bounty of leaked ChronoPay documents suggests otherwise. Included in the email records are messages sent to and from an inbox that used the display name “Kill Glavmed.” What was the email address tied to that name? “[email protected],” the very same address used to communicate with my anti-spam source.
Also in the leaked ChronoPay emails is a lengthy message thread in an inbox marked “vrublevsky” that details a negotiation with an individual named “Nooder Tovreance.” In the multi-email exchange, which begins Apr. 8, 2010 and ends at the beginning of June, Tovreance offers to sell the Glavmed database for $20,000, but says that he will need to break the file transfers up into multiple smaller chunks due to the size of the database. The two ultimately settle on a price of $15,000, with the first payment of $7,500 made to a Webmoney purse specified by Tovreance in exchange for half of the files, and the remaining amount payable upon receipt of the entire database.
SpamIt.com may be gone, but the Glavmed program is still rewarding affiliates for promoting pharmacy sites. Meanwhile, a number of online properties managed by Gusev are under nearly-constant attack. Joe Stewart, senior security researcher for SecureWorks, recently released a paper in which he profiled the makeup and activities of the world’s top spam botnets, or agglomerations of hacked PCs of the sort typically used to relay junk e-mail advertising rogue pharmacy sites.
One of the spam botnets in Stewart’s analysis, a 60,000 bot network nicknamed “Festi” was “developed as a distributed denial-of-service (DDoS) platform, and has been seen in recent weeks launching attacks against other Russian sites.” I asked Stewart for a list of the sites he’s seen Festi attacking; the list is quite short, and includes six Glavmed/Canadian Pharmacy sites, as well as gofuckbiz.com and armadaboard.com, affiliate forums that Vrublevsky has said on several occasions that he suspects are owned and operated by Gusev. The other site Stewart found Festi attacking was redeye-blog.com, a daily blog written by Gusev that is trickling out leaked ChronoPay documents and gossip about Vrublevsky.