![Page 1: Henry stern - turning point on war on spam - atlseccon2011](https://reader031.vdocuments.site/reader031/viewer/2022030214/5899d8d31a28ab4a0b8b603b/html5/thumbnails/1.jpg)
Spam after “My Canadian Pharmacy”
Henry Stern, Senior Security Researcher
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
![Page 2: Henry stern - turning point on war on spam - atlseccon2011](https://reader031.vdocuments.site/reader031/viewer/2022030214/5899d8d31a28ab4a0b8b603b/html5/thumbnails/2.jpg)
Cisco Confidential 2© 2010 Cisco and/or its affiliates. All rights reserved.
![Page 3: Henry stern - turning point on war on spam - atlseccon2011](https://reader031.vdocuments.site/reader031/viewer/2022030214/5899d8d31a28ab4a0b8b603b/html5/thumbnails/3.jpg)
Cisco Confidential 3© 2010 Cisco and/or its affiliates. All rights reserved.
![Page 4: Henry stern - turning point on war on spam - atlseccon2011](https://reader031.vdocuments.site/reader031/viewer/2022030214/5899d8d31a28ab4a0b8b603b/html5/thumbnails/4.jpg)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
[Chart. Source: SenderBase.org]
• Leading pharmaceutical affiliate program, SpamIt.com, shuts down abruptly. The Rustock botnet simultaneously ceases activity.
• “Al Capone”-style takedown by Russian police.
• Kommersant: Despmedia netted $120m since 2007. Owner, Gusev, received $2m in revenues.
The New York Times, “E-Mail Spam Falls After Russian Crackdown.” October 26, 2010.
• Spammers
Botnets: Reactor Mailer, Rustock, Storm/Waledac, Mega-D, Grum, Lethic
Deliver messages to massive address lists.
Purchase domain names and host landing pages.
• Affiliate Programs
GlavMed (SpamIt.com), RX-Promotion (Chronopay), SanCash, Bulker.biz
Host back-end order processing systems.
Provide customer support.
Pay high commissions to spammers.
• Fulfillment
Based in India and China.
Mail fake or generic pills to customers.
Bulker.biz - MyCanadianPharmacy
• This investigation begins with a massive spam attack for “MyCanadianPharmacy” and tracks the spam back through the pharma supply chain.
GlavMed - Storm Botnet and SpamIt.com
• This investigation begins with the Storm botnet and its “Canadian Pharmacy” spam and traces the botnet and spam back to GlavMed, the supply chain organization.
Bonus: Reactor Mailer Botnet
• The largest capacity spam botnet ever.
[Annotated spam message: “Advertisement”; Call to Action URL advertising the pharmaceutical web site; “Hashbuster” text]
• 20 Billion Spam Attack in Two Weeks
1.5 billion messages per day
• Spam Trickery
2000 unique spam content mutations
New Content every 12 minutes
1500 unique domains used
New “Call to Action” domain every 15 minutes
| Rank | Network Owner | Country | Count % |
|---|---|---|---|
| 1 | Telefonica de Espana | Spain | 6.7% |
| 2 | France Telecom | France | 4.3% |
| 3 | Proxad | France | 3.4% |
| 4 | Telecom Italia | Italy | 2.6% |
| 5 | Deutsche Telekom AG | Germany | 2.2% |
| 6 | Cableuropa - ONO | Spain | 2.2% |
| 7 | Telemar Norte Leste S.A. | Brazil | 1.8% |
| 8 | Wanadoo France | France | 1.7% |
| 9 | Telefonica de Espana SAU | Spain | 1.7% |
| 10 | TELECOMUNICACOES DE SAO PAULO S.A. | Brazil | 1.7% |
Zombie Population by Country (chart)
Zombie Population by Network: Top 10 networks account for 28% of spam; Top 25 account for 50% of spam.
• Pharma Sites (9)
My Canadian Pharmacy
International Legal RX
US Drugs
Super Viagra
Viagra Pro
Generic Viagra
Cialis Soft Tabs
Viagra Soft Tabs
Maxaman
• Other Sites (6)
Virility Patch
Super HGH (flash)
SpermaMax
My Replica Rolex
Exclusive Caviar Online
Double Your Dating
1592 Wilson Avenue
Toronto, ON M3L 1A6
18 more fraudulent elements including
Fake Certificate
“All orders are received via a secure server” - No HTTPS
Fake Verisign Logo
Fake BBB Logo
Fake Pharmacy Checker Rating
Fake Canadian International Pharmacy (CIPA) License Number
Fake “Verified by Visa” Logo
[Figure: network owners labelled on the slide: DNSstuff.com; Mastercard; Latin American and Caribbean IP address Regional Registry; New World Network; University of CA San Diego; Compass Communications, Inc.; Korax Online Inc.; Verizon Internet Services Inc.; IronPort Systems, Inc.; SuperNews; The Internet Channel; MOREnet; CrystalTech Web Hosting Inc.; HickoryTech Corporation; AT&T WorldNet Services; VISA INTERNATIONAL; Level 3 Communications, Inc.; US Dept of Justice; NTT America, Inc.; FBI Criminal Justice Information Systems; FBI Academy; XO Communications; Pfizer Inc.; Savvis; American Digital Network; Drug Enforcement Administration (DEA); Health and Human Services (FDA)]
1. Registered domain bigamousetract.info
Registered with 1-877namebid.com
Registered by Tobyann Ellis in Longview, WA
+68 phone number
dublin.com email
2. DNS servers
“NS” records point to DNS servers in Taiwan, Spain, US, Brazil
“A” record for web server points to Korean Telecom IP
3. Web server
bigamousetract.info server on Korean Telecom network
Web site images from Brazil, Slovenia, France, Greece, Netherlands
Spammers obfuscate web site connection using redirectors, framing, scripting, zombie proxies
4. Using “Fast Flux”
IP addresses for web and DNS servers changing every five minutes
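Added example, not from the talk: a detection heuristic for the fast-flux pattern described above (short-TTL A and NS answers that change at nearly every five-minute poll and are spread across several countries), run over constructed DNS observations. The domain names, addresses, the prefix-to-country table standing in for a GeoIP lookup, and the thresholds are all assumptions.

```python
"""Fast-flux heuristic over constructed DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int          # seconds since monitoring started (polls every 300 s)
    domain: str
    rtype: str       # "A" (web server) or "NS" (nameserver address)
    value: str       # IP address returned at this poll
    ttl: int         # TTL from the answer


# Constructed stand-in for a GeoIP/ASN database: prefix -> country code.
GEO = {"10.1.": "KR", "10.2.": "TW", "10.3.": "ES", "10.4.": "US",
       "10.5.": "BR", "192.0.2.": "US"}


def country(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def summarise(observations, domain, rtype):
    """Churn statistics for one domain and record type, or None if unseen."""
    recs = [o for o in observations if o.domain == domain and o.rtype == rtype]
    if not recs:
        return None
    by_ts = defaultdict(set)              # poll time -> set of answers seen
    for o in recs:
        by_ts[o.ts].add(o.value)
    polls = sorted(by_ts.items())
    # A "change" is a poll whose answer set differs from the previous poll's.
    changes = sum(1 for (_, prev), (_, cur) in zip(polls, polls[1:]) if prev != cur)
    ips = {o.value for o in recs}
    return {"distinct_ips": len(ips),
            "countries": sorted({country(ip) for ip in ips}),
            "min_ttl": min(o.ttl for o in recs),
            "changes": changes, "polls": len(polls)}


def is_fast_flux(summary, min_ips=5, min_countries=3, max_ttl=300):
    """Assumed thresholds: many addresses, several countries, short TTL,
    and the answer set changed at half or more of the polls. A CDN can
    also rotate addresses, so treat a hit as a lead to corroborate."""
    if summary is None:
        return False
    return (summary["distinct_ips"] >= min_ips
            and len(summary["countries"]) >= min_countries
            and summary["min_ttl"] <= max_ttl
            and summary["changes"] >= summary["polls"] // 2)


def classify_all(observations):
    """Return per-domain A/NS summaries and the fast-flux verdict."""
    result = {}
    for domain in sorted({o.domain for o in observations}):
        a, ns = summarise(observations, domain, "A"), summarise(observations, domain, "NS")
        result[domain] = {"A": a, "NS": ns, "fast_flux": is_fast_flux(a) or is_fast_flux(ns)}
    return result


def constructed_observations():
    """Constructed data: one fluxing domain, one stable domain, seven 5-minute polls."""
    obs = []
    flux_a = ["10.1.0.7", "10.2.0.9", "10.3.0.4", "10.5.0.12", "10.4.0.3", "10.1.0.21", "10.2.0.33"]
    flux_ns = ["10.2.1.1", "10.3.1.1", "10.4.1.1", "10.5.1.1", "10.2.1.2", "10.3.1.2", "10.4.1.2"]
    for i, (a, ns) in enumerate(zip(flux_a, flux_ns)):
        obs.append(Observation(i * 300, "flux-shop.example", "A", a, 300))
        obs.append(Observation(i * 300, "flux-shop.example", "NS", ns, 300))
    for i in range(7):   # stable site: same address every poll, day-long TTL
        obs.append(Observation(i * 300, "static-shop.example", "A", "192.0.2.10", 86400))
    return obs


if __name__ == "__main__":
    for name, r in classify_all(constructed_observations()).items():
        print(name, "FAST-FLUX" if r["fast_flux"] else "stable", r["A"])
```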
“Sorry, but we can’t process your credit card right now. Sales manager will contact you in 24 hours. If you don’t want to wait for sales manager, you may try to make a purchase using another credit card. Thank you!”
• Messages from hosting company Intercage.com
• Intercage located at:
1955 Monument, #236
Concord, CA, USA
• Long history of spam and malware support
250 domains hosting “CoolWebSearch” Exploits
WMF exploit hosting
Phishing support
Server located in San Jose, CA
“Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found.”
Note: Subsequent orders were shipped from Shanghai, China and contained the active ingredient. We believe the manufacturer was replaced.
• Investigated credit card merchant account
Unable to obtain any details
$84.95 refunded to my credit card
• Second order placed
Received 10 Pfizer-branded pills from Shanghai, China
New shipping and packing method
Contained full active ingredient
• Estimated at $150M/year
• Monitored “Zombie Proxy” and counted number of credit card transactions per hour
• Comparables - Christopher Smith (rizler) profits > $20M
• Confirmed with law enforcement and SpamHaus
[Storm lifecycle diagram: 1. Recruitment Spam; 2. Storm is Born; 3. School; 4. Job: Spamming; 5. Super Node. Components: Spam Engines (SMTP), Landing pages (HTTP)]
• Storm has sent a number of spam campaigns including
Phishing financial institutions
Mule Recruitment Spam
Pump and Dump stock market manipulation image spam
Pump and Dump stock market manipulation MP3 audio spam
Pharma spam for Canadian Pharmacy
• The vast majority of Storm spam has been for Canadian Pharmacy
• Many theories about the relationship between Storm and pharma spam.
• A capacity issue unveiled the primary relationship.
• SpamIt.com service manages spam domains and fulfillment
Registers spamvertized domains, creates DNS records, NS servers, websites
Botnet owners using the SpamIt service receive a feed of live spam sites
• The Storm botnet retrieved a list of domains but received: “The system is temporary busy, try to access it later. No data can be lost.”
• Storm used this string and other website boilerplate in the spam
• Proven link between Storm, SpamIt.com and Canadian Pharmacy
Documentation excerpt for configuring web sites:
“We take care of their entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site.”
Source: Joe Stewart, SecureWorks
• Modeled after distributed computing.
• Spam as a Service.
• Web user interface made bot spamming accessible to anyone.
• Responsible for 50-60% of global spam.
• McColo black-hat data centre in San Jose office building.
• Strong ties to SpamIt.com.
• Disconnected by upstream network service providers.
[Chart: monthly series, Dec-05 through Jan-07]
• The botnet formerly known as Storm.
• Notorious SpamIt.com affiliate.
• Taken down with legal and technical measures.
• Database leaked to law enforcement, industry.
• Ceased operations on October 1, 2010.
• Russian police press charges against owner, Gusev.
• Ceased spamming between September 20 and 23.
• Shutdown coincided with SpamIt.com shutdown notice.
• Cisco SIO observed a spike in IPS events after shutdown.
• Operated by Georg Avanesov.
• Arrested in Armenia in October 2010.
• Alleged SpamIt.com affiliate and botnet reseller.
• Operated by Oleg Nikolaenko.
• Alleged SpamIt and SanCash affiliate.
• Arrested in Las Vegas on November 4, 2010.
• Charged with felony CAN-SPAM violations and mail fraud.
• Pled “Not Guilty” and held without bail.
Source: IronPort’s Spam Collection and SenderBase.org
[Chart: All Spam vs. Pharma, Jun-06 through Nov-06]
• 2 pharma affiliates remain.
• Grum and Lethic
Last two major botnets sending pharma and replica spam.
• Cutwail
Focused on social engineering-based viral attacks.
Targets enterprise users, finance departments in particular.
• High-volume spam will soon end.
• Delivered spam volumes will not change.
• Botnets monetized in more subtle ways.
• Fake anti-virus software.
• Rockphish/Avalanche gang gave up phishing for Zeus.
• Email attacks are becoming more targeted.
• More small-scale attacks aimed at high-value targets.
Thank you.