Book Review: Spam Nation

benrothke writes There are really two stories within Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door. The first is how Brian Krebs uncovered the Russian cybergangs that sent trillions of spam emails for years. As interesting and compelling as that part of the story is, the second storyline is much more surprising and fascinating. Brian Krebs is one of the premier cybersecurity journalists. From 1995 to 2009, he was a reporter for The Washington Post, where he covered Internet security, technology policy, cybercrime and privacy issues. When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians. Many of the stories Krebs ran took months to get approval and many were rejected. It was the extreme reticence by the Post to deal with the issue that ultimately led Krebs to leave the paper. Before Krebs wrote this interesting book and did his groundbreaking research, it was clear that there were bad guys abroad spamming Americans with countless emails for pharmaceuticals, which led to a global spam problem. Read below for the rest of Ben's review.
Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door
author Brian Krebs
pages 256
publisher Sourcebooks
rating 10/10
reviewer Ben Rothke
ISBN 978-1402295614
summary Excellent expose on why cybercrime pays and what you can do about it
Much of the story details the doings of two of the major Russian pharmacy spammer factions, Rx-Promotion and GlavMed. In uncovering the story, Krebs had the good fortune that there was significant animosity between Rx-Promotion and GlavMed, which led to an internal employee leaking a huge amount of emails and documents. Krebs obtained this treasure trove, which he used to get a deep look at every significant aspect of these spam organizations. Hackers loyal to the heads of Rx-Promotion and GlavMed leaked this information to law enforcement officials and Krebs in an attempt to sabotage each other.

Krebs writes that the databases offered an unvarnished look at the hidden but burgeoning demand for cheap prescription drugs; a demand that appears driven in large part by Americans seeking more affordable and discreetly available medications.

Like many, I had thought that much of the pharmaceutical spam was simply an issue of clueless end-users clicking on spam and getting scammed. This is where the second storyline comes in. Krebs notes that the argument goes that if people simply stopped buying from sites advertised via the spam that floods our inboxes, the problem would for the most part go away. It's not that the spam is a technology issue; it's that the products fill an economic need and void.

Krebs shows that most people who buy from the spammers are not idiots, clueless or crazy. The majority of them are making rational, if potentially risky, choices based on a number of legitimate motivations. Krebs lists 4 primary motivations: price and affordability, confidentiality, convenience, and recreation or dependence.

Most of the purchasers from the Russian spammers are based in the US, which has the highest prescription drug prices in the world. The price and affordability that the spammers offer is a tremendous lure to these US consumers, many of whom are uninsured or underinsured.

Krebs then addresses the obvious question that this begs: if the spammers are selling huge amounts of bogus pharmaceuticals to unsuspecting Americans, why doesn't the extremely powerful and well-to-do pharmaceutical industry do something about it? Krebs writes that the pharmaceutical industry is in fact keenly aware of the issue but scared to do anything about it. Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary. They have therefore decided to take a passive approach and do nothing.

The book quotes John Horton, founder and president of LegitScript, a verification and monitoring service for online pharmacies. Horton observed that only 1% of online pharmacies are legitimate. But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.

So while the Russian spammers may be annoying for many, they have found an economic incentive that is driving many people to become repeat customers.

As to the efficacy of these pharmaceuticals being shipped from India, Turkey and other countries, it would seem pretty straightforward to perform laboratory tests. Yet the university labs that could perform these tests have found their hands tied. In order to test the pharmaceuticals, they would have to order them, which is likely an illegal act. Also, the vast number of factories making these pharmaceuticals makes it difficult to get a consistent set of findings.

As to getting paid for the products, Krebs writes how the thing the spammers relied on most was the ability to process credit card payments. What they feared the most were chargebacks, which is when the merchant has to forcibly refund the customer. If the chargeback rate goes over a certain threshold, then the vendor is forced to pay higher fees to the credit card company or may find their merchant agreement cancelled. The spammers were therefore extremely receptive to customer complaints and would do anything to make a basic refund rather than a chargeback. This was yet another economic incentive that motivated the spammers.

As to the main storyline, the book does a great job of detailing how the spam operations worked and how powerful they became. The spammers became so powerful, that even with all the work firms like Blue Security Inc. did, and organizations such as Spamhaus tried to do, they were almost impossible to stop.

Krebs writes how spammers now have moved into new areas such as scareware and ransomware. The victims are told to pay the ransom by purchasing a prepaid debit card and then to send the attackers the card number so they can redeem it for cash.

The book concludes with Krebs's 3 Rules for Online Safety, namely: if you didn't go looking for it, don't install it; if you installed it, update it; and if you no longer need it, remove it.

The scammers and online attackers are inherent forces in the world of e-commerce and it's foolhardy to think any technology or regulation can make them go away. Spam Nation does a great job of telling an important aspect of the story, and what small things you can do to make a large difference, such that you won't fall victim to these scammers. At just under 250 pages, Spam Nation is a quick read and an important one at that.

Reviewed by Ben Rothke.

  • by gstoddart ( 321705 ) on Monday December 08, 2014 @04:24PM (#48549989) Homepage

    The spammers were therefore extremely receptive to customer complaints and would do anything to make a basic refund than a chargeback.

    So, the spammers are more interested in good customer service than the real companies?


    • Legitimate companies have a high volume of stable charges, and so can show a culpable minimized percentage of bad faith.

      Niche companies light up like a fucking christmas tree when you start sending chargebacks.

  • Should the reality be that the unauthorized pharmaceuticals are effective, then the pharmaceutical industry would be placed in a quandary.

    What quandary would that be? That they'd face (illegal) competition?

    A quandary is a situation where you're confused about what to do. Facing cheaper competition doesn't seem like it would be confusing. Difficult or challenging, yes. Terrifying, possibly. But not so much confusing.

    If the pharmaceutical industry had the choice of either selling lots and lots of drugs (through the spammers) at a discount that might put them in a quandary. Should they risk being found out (and potentially have everyone buy

    • Big pharma has long portrayed these foreign made pharmaceuticals as dirty and dangerous.

      The quandary is that if as John Horton noted that they are indeed indistinguishable from those sold by approved pharmacies; then US pharma is selling a drug at 10x the price.

      It would place them in a PR nightmare they could not get out of.

      • Big pharma has a buddy relationship going with the domestic regulators. They like a fairly high and expensive regulatory barrier to entry. It keeps competitors out and prices high. They have a fairly captive customer base of people who want to stay alive and healthy.

        • Exactly! There's no 'quandary' here - the price difference is entirely intentional. In order for there to be a quandary there needs to be some uncertainty on someone's part.

          (The book review author doesn't really spell out what the quandary is - the companies may not know exactly what they're going to do but if that's the quandary then it needs to be spelled out, rather than left to the reader to guess at)

        • Agreed, but they still have turned a blind eye to the foreign illegal pharma. The amount imported is not insignificant, and pharma has gone after smaller fish in the past.

  • I don't see any reason to be afraid of being sued by Russian criminals. A few jobs ago I once had a webpage up (which attracted very little attention) that somewhat similarly exposed a particular registrar as being overwhelmingly spammer-friendly. My employer got nervous and pulled down said web page on my behalf (it was being hosted on their server at the time - yeah, I should have had it elsewhere) because they were afraid of being sued.

    Frankly I don't see any reason why it would even be a bad thin
    • International lawsuits terrify management. As these lawsuits are distracting, time consuming and extremely expensive.

      While libel is extremely hard to prove, no firm wants to be on the receiving end of a subpoena. The Washington Post is somewhat risk averse, which is why they backed off on the story.

      • no firm wants to be on the receiving end of a subpoena

        I understand that, but what is a subpoena worth in a court in another country? Generally nothing, really. Sure if you fail to show up for a civil trial in another court they could find against you because you didn't show up but they still won't be able to get far with that unless you have assets in that country that they can seize.

        I can understand companies wanting to avoid dealing with it in the US court if they can, but I don't see the point of being so paranoid about it in other countries.

        • I don’t know the laws. But Krebs was explicit that the Washington Post lawyers put the kibosh on many of his stories due to those lawsuit fears. And when they didn’t, it took months of review to finally get the story out.

        • The Washington Post has journalists working in Russia. They might reasonably be concerned about reprisals.

  • Krebs then addresses the obvious question that this begs:

    It does not beg any questions.

    • by neminem ( 561346 )

      Yes it does. It is literally (ok, fine, metaphorically) begging for you to ask that question. It begs the question. That's a perfectly legitimate shortening, even if it wasn't what the (significantly less clear) original meaning of the phrase was. Give it up.

      • It raises the question. We are now in the midst of reconfiguring the meaning of a (very useful) phrase just because some people can't remember that "raise" and "beg" are two different words.
        • by neminem ( 561346 )

          Indeed, they *are* two different words, and thus, their connotations are in fact not the same. "Raises the question" just means "brings up", whereas the modern definition of "begs the question" asks that you imagine as though the question were literally (and in this case, I do mean literally, as the "metaphorically" sense is coming from the verb "to imagine") begging you, "PLEASE! *Please* ask this question! I *insist* that you ask this question!", that merely "raising the question" doesn't. As such, I firm

          • If I were to say, "that's clearly begging the question: where did she go?", and you assumed a definition of "assuming the conclusion of an argument" in that sentence, what would that even *mean*?

            It would mean that your question assumes that she went someplace but that it hasn't been established that she has actually gone anywhere. It's kind of like the old question, "When did you stop beating your wife?" Not only does it assume that you are married it also assumes that at one time you were in the hab
  • When Krebs presented the Post with his story about the Russian spammers, rather than run with it, the Post lawyers got in the way and were terrified of being sued for libel by the Russians.

    Sure. The cost of a vice-Presidential candidate's wardrobe is a much safer thing to report...

  • I've read the review, but not the book, but a key element seems to come down to "Maybe it's real, but nobody knows". It seems a fairly simple procedure for him to order some of it and have it tested, and then he'd know. Yeah, that's a legal gray area, but it would make his case a lot stronger to be able to say "Yeah, I ordered a bunch of Russian Viagra and it tested out as 75% as good as the real stuff".

    I know that means taking a risk of being prosecuted, but isn't that something we commend journalists for?

    • Such tests require sophisticated testing equipment.

      Those with the equipment are not going to risk getting their labs shut down for testing illegal drugs.

      The book notes that The University of Alabama at Birmingham was ready to do the testing; but the necessary approval from the FDA and university administrations simply could not be obtained.

      • by jfengel ( 409917 )

        Really? It's illegal just to run the test? (Or at least, too close to a gray area to even consider it?)

        Wow, that sucks.

        • by benrothke ( 2577567 ) on Monday December 08, 2014 @08:26PM (#48551753)

          Krebs writes that he had people at The University of Alabama at Birmingham ready to do the testing. But they couldn’t get the necessary sign off, both from the school administration and the FDA.

          And even if they did, imagine if CNN got hold of the story. They would plaster the headlines with: University testing illegal Russian drugs for potency.

          • You'd think the FDA and Big Pharma would *want* to have definitive proof that illegal Russian/Canadian pharmaceuticals were EvilWickedMeanBadNasty things. My guess is that the stuff sold illegally is the same stuff sold in legit pharmacies a good portion of the time. Possibly from the same companies who sold it to the wholesalers. They just need the drugs to be more expensive here to make up the profits from selling them cheaper in tighter markets.
    • It's fairly clear from the investigations Krebs carried out that a good deal of the chemicals have the right components and sort the expected effect. The risk is much higher than buying full price stuff at legit shops, of course. Krebs investigates the reasons why buyers go that way, and conveys the feeling (to me, at least) that there are several legitimate needs that pharmaceutical suppliers are far from satisfying. There should be a better market for medicines, but that's not the point.
