Book Review: Spam Nation 82
benrothke writes There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is; the second storyline is much more surprising and fascinating. Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper. Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming American's with countless emails for pharmaceuticals which led to a global spam problem. Read below for the rest of Ben's review.
Much of the story details the doings of two of the major Russian pharmacy spammer factions, Rx-Promotion and GlavMed. In uncovering the story, Krebs had the good fortune that there was significant animosity between Rx-Promotion and GlavMed, which lead to an internal employee leaking a huge amount of emails and documents. Krebs obtained this treasure trove which he used to get a deep look at every significant aspect of these spam organizations. Hackers loyal to the heads of Rx-Promotion and GlavMed leaked this information to law enforcement officials and Krebs in an attempt to sabotage each other.| Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door | |
| author | Brian Krebs |
| pages | 256 |
| publisher | Sourcebooks |
| rating | 10/10 |
| reviewer | Ben Rothke |
| ISBN | 978-1402295614 |
| summary | Excellent expose on why cybercrime pays and what you can do about it |
Krebs writes that the databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs; a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.
Like many, I had thought that much of the pharmaceutical spam it was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in. Krebs notes that the argument goes that if people simply stopped buying from sites advertised via the spam that floods our inboxes, the problem would for the most part go away. It's not that the spam is a technology issue; it's that the products fill an economic need and void.
Krebs shows that most people who buy from the spammers are not idiots, clueless or crazy. The majority of them are performing rational, if not potentially risky choices based on a number of legitimate motivations. Krebs lists 4 primary motivations as: price and affordability, confidentiality, convenience & recreation or dependence.
Most of the purchasers from the Russian spammers are based in the US, which has the highest prescription drug prices in the world. The price and affordability that the spammers offer is a tremendous lure to these US consumers, many of whom are uninsured or underinsured.
Krebs then addresses the obvious question that this begs: if the spammers are selling huge amounts of bogus pharmaceuticals to unsuspecting Americans, why doesn't the extremely powerful and well-to-do pharmaceutical industry do something about it. Krebs writes that the pharmaceutical industry is in fact keenly aware of the issue but scared to do anything about it. Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary. They have therefore decided to take a passive approach and do nothing.
The book quotes John Horton, founder and president of LegitScript, a verification and monitoring service for online pharmacies. Horton observed that only 1% of online pharmacies are legitimate. But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
So while the Russian spammers may be annoying for many, they have found an economic incentive that is driving many people to become repeat customers.
As to the efficacy of these pharmaceuticals being shipped from India, Turkey and other countries, it would seem pretty straightforward to perform laboratory tests. Yet the university labs that could perform these tests have found their hands-tied. In order to test the pharmaceuticals, they would have to order them, which is likely an illegal act. Also, the vast amount of factories making these pharmaceuticals makes it difficult to get a consistent set of findings.
As to getting paid for the products, Krebs writes how the thing the spammers relied on most was the ability to process credit card payments. What they feared the most were chargebacks; which is when the merchant has to forcibly refund the customer. If the chargeback rate goes over a certain threshold, then the vendor is forced to pay higher fees to the credit card company or many find their merchant agreement cancelled. The spammers were therefore extremely receptive to customer complaints and would do anything to make a basic refund than a chargeback. This was yet another economic incentive that motivated the spammers.
As to the main storyline, the book does a great job of detailing how the spam operations worked and how powerful they became. The spammers became so powerful, that even with all the work firms like Blue Security Inc. did, and organizations such as Spamhaus tried to do, they were almost impossible to stop.
Krebs writes how spammers now have moved into new areas such as scareware and ransomware. The victims are told to pay the ransom by purchasing a prepaid debit card and then to send the attackers the card number to they can redeem it for cash.
The book concludes with Krebs's 3 Rules for Online Safety namely: if you didn't go looking for it, don't install it; if you installed it, update it and if you no longer need it, remove it.
The scammers and online attackers are inherent forces in the world of e-commerce and it's foolhardy to think any technology or regulation can make them go away. Spam Nation does a great job of telling an important aspect of the story, and what small things you can do to make a large difference, such that you won't fall victim to these scammers. At just under 250 pages, Spam Nation is a quick read and an important one at that.
Reviewed by Ben Rothke.
You can purchase Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know.
Re: (Score:2)
Currently bloating my spam folder are sports betting sites promising NFL locks, a strange flood of tinnitus cures (is that a new hot thing?), diabetes "cures," solar ads, and lots and lots of fake gift card spams and insurance open enrollment ads.
Almost none of it makes it into my inbox.
LOL ... (Score:3)
So, the spammers are more interested in good customer service than the real companies?
Sad.
Re: (Score:3)
Legitimate companies have a high volume of stable charges, and so can show a culpable minimized percentage of bad faith.
Niche companies light up like a fucking christmas tree when you start sending chargebacks.
Re: (Score:1)
I don't think the bad guys would try to sue. Then they would have to reveal details of their evil doings. I assume he would name names and companies and not just blanket say "the Russians".
Re: (Score:3)
A client told me that after he sent his $25.01 how to enlarge his penis, he received a magnifying glass in the mail.
Sure. A "client".
Re: (Score:2)
The FDA has rather strict quality control standards so my guess is these pharmacies have not gone through the process to be fully licensed. And another thing:
But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
Yes...after the quality control of toys, toothpaste, dog food, and drywall from China, we're sure we can trust their quality with our pharmaceuticals.
Re: (Score:2)
The FDA has rather strict quality control standards so my guess is these pharmacies have not gone through the process to be fully licensed. And another thing:
But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.
Yes...after the quality control of toys, toothpaste, dog food, and drywall from China, we're sure we can trust their quality with our pharmaceuticals.
Yeah, you know, they are "by and large" indistinguishable from the real ones. I mean, what's a few PPM of arsenic, or cyanide, or lead? The rest of the drug is still there, and that's what you ordered. You wouldn't send a gourmet steak back just because the cook brushed a little olive oil and salt on it, when it was listed on the menu as just a steak? So why are we rejecting these drugs?
Re: (Score:2)
Yeah, you know, they are "by and large" indistinguishable from the real ones. I mean, what's a few PPM of arsenic, or cyanide, or lead? The rest of the drug is still there, and that's what you ordered. You wouldn't send a gourmet steak back just because the cook brushed a little olive oil and salt on it, when it was listed on the menu as just a steak? So why are we rejecting these drugs?
What makes you think the 'official' drugs are made in different factories than the 'unofficial' drugs? Everything I've seen suggests the pharma companies source this stuff from the same places. The FDA process is a labeling process.
Re: (Score:2)
What have you seen that suggests this?
Re: (Score:2)
I can't speak to the Russian spammers.
However, I routinely buy asthma maintenance medications in Bangkok, Thailand, while on vacation. SAME manufacturers, SAME production lines, SAME LOT NUMBERS, but at a fraction of the cost.
Re: (Score:2)
What have you seen that suggests this?
TV shows. In particular a program on drug manufacture and all of of the production lines shown were in places like Pakistan and India, supplying the big pharma companies who supply worldwide. I don't think there's a 'gold standard' drug manufacturing industry based in the USA just to keep the idiot patriots happy.
Re: (Score:2)
Bullshit, Will Robinson! Bullshit!
Re: (Score:2)
I use comment sense and go even one step further and make an alias on the server for each service/company that asks for my personal email address.
However, all it takes is for one friend to use your business email address for an online service (some stupid file-sharing site) and you're screwed.
Re: (Score:2)
Only kids use Facebook.
or
If you need me to have a Facebook account to be able to contact me, then drop me as a friend.
Re: (Score:1)
If there's one thing Slashdot could use more of, it's comment sense.
Clarify this sentence, please? (Score:2)
Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary.
What quandary would that be? That they'd face (illegal) competition?
A quandary is a situation where you're confused about what to do. Facing cheaper competition doesn't seem like it would be confusing. Difficult or challenging, yes. Terrifying, possibly. But not so much confusing.
If the pharmaceutical industry had the choice of either selling lots and lots of drugs (through the spammers) at a discount that might put them in a quandary. Should they risk being found out (and potentially have everyone buy
Re: (Score:2)
Big pharma has long portrayed these foreign made pharmaceuticals as dirty and dangerous.
The quandary is that if as John Horton noted that they are indeed indistinguishable from those sold by approved pharmacies; then US pharma is selling a drug at 10x the price.
It would place them in a PR nightmare they could not get out of.
Re: (Score:1)
Big pharma has a buddy relationship going with the domestic regulators. They like a fairly high and expensive regulatory barrier to entry. It keeps competitors out and prices high. They have a fairly captive customer base of people who want to stay alive and healthy.
Re: (Score:2)
Exactly! There's no 'quandary' here - the price difference is entirely intentional. In order for there to be a quandary there needs to be some uncertainty on someone's part.
(The book review author doesn't really spell out what the quandary is - the companies may not know exactly what they're going to do but if that's the quandary then it needs to be spelled out, rather than left to the reader to guess at)
Re: (Score:2)
Agreed, but they still have turned a blind-eye to the foreign illegal pharma. The amount important is not insignificant, and pharma has gone after smaller fish in the past.
Why are we afraid of international lawsuits? (Score:2)
Frankly I don't see any reasone why it would even be a bad thin
Re: (Score:2)
International lawsuits terrify management. As these lawsuits are distracting, time consuming and extremely expensive.
While libel is extremely hard to prove, no firm wants to be on the receiving end of a subpoena. The Washington Post is somewhat risk adverse, which is why they backed off on the story.
Re: (Score:2)
no firm wants to be on the receiving end of a subpoena
I understand that, but what is a subpoena worth in a court in another country? Generally nothing, really. Sure if you fail to show up for a civil trial in another court they could find against you because you didn't show up but they still won't be able to get far with that unless you have assets in that country that they can seize.
I can understand companies wanting to avoid dealing with it in the US court if they can, but I don't see the point of being so paranoid about it in other countries.
Re: (Score:2)
I don’t know the laws. But Krebs was explicit that the Washington Post lawyers put the kibosh on many of his stories due to those lawsuit fears. And when they didn’t, it took months of review to finally to get the story out.
Re: (Score:2)
The Washington Post has journalists working in Russia. They might reasonably be concerned about reprisals.
Strunk & White Rolling Over... (Score:2)
It does not beg any questions.
Re: (Score:2)
Yes it does. It is literally (ok, fine, metaphorically) begging for you to ask that question. It begs the question. That's a perfectly legitimate shortening, even if it wasn't what the (significantly less clear) original meaning of the phrase was. Give it up.
Re: (Score:2)
Re: (Score:2)
Indeed, they *are* two different words, and thus, their connotations are in fact not the same. "Raises the question" just means "brings up", whereas the modern definition of "begs the question" asks that you imagine as though the question were literally (and in this case, I do mean literally, as the "metaphorically" sense is coming from the verb "to imagine") begging you, "PLEASE! *Please* ask this question! I *insist* that you ask this question!", that merely "raising the question" doesn't. As such, I firm
Re: (Score:2)
It would mean that your question assumes that she went someplace but that it hasn't been established that she has actually gone anywhere. It's kind of like the old question, "When did you stop beating your wife?" Not only does it assume that you are married it also assumes that at one time you were in the hab
Re: (Score:2)
"Strunk & White" should be used when referencing the manual.
We're both wrong :)
The brave American journalists (Score:2)
Sure. The cost of a vice-Presidential candidate's wardrobe [google.com] is a much safer thing to report...
So... did he have any tested? (Score:2)
I've read the review, but not the book, but a key element seems to come down to "Maybe it's real, but nobody knows". It seems a fairly simple procedure for him to order some of it and have it tested, and then he'd know. Yeah, that's a legal gray area, but it would make his case a lot stronger to be able to say "Yeah, I ordered a bunch of Russian Viagra and it tested out as 75% as good as the real stuff".
I know that means taking a risk of being prosecuted, but isn't that something we commend journalists for?
Re: (Score:3)
Such tests require sophisticated testing equipment.
Those with the equipment are not going to risk getting their labs shut down for testing illegal drugs.
The book notes that The University of Alabama at Birmingham was ready to do the testing; but the necessary approval from the FDA and university administrations simply could not be obtained.
Re: (Score:2)
Really? It's illegal just to run the test? (Or at least, too close to a gray area to even consider it?)
Wow, that sucks.
Re:So... did he have any tested? (Score:4, Insightful)
Krebs writes that he had people at The University of Alabama at Birmingham ready to do the testing. But they couldn’t get the necessary sign off, both from the school administration and the FDA.
And even if they did, imagine if CNN got hold of the story. They would plaster the headlines with: University testing illegal Russian drugs for potency.
Re: (Score:2)
Re: (Score:2)
That does seem to be the point he makes.
Re: (Score:1)
It's fairly clear from the investigations Krebs carried out that a good deal of the chemicals have the right components and sort the expected effect. The risk is much higher than buying full price stuff at legit shops, of course. Krebs investigates the reasons why buyers go that way, and conveys the feeling (to me, at least) that there are several legitimate needs that pharmaceutical suppliers are far from satisfying. There should be a better market for medicines, but that's not the point.