Spammers make real money on fake drugs

Times Staff Writer

Cyber-crime pays. But selling counterfeit drugs apparently pays better.

Some of the world’s most prolific spammers used to tout products for a few pennies per million e-mails or con consumers into forking over credit card information.

But these groups have found that the most profit and growth potential lies in actually shipping the fake Viagra and other products they’re hawking, according to a study scheduled for release today by a top security researcher.

For consumers, the evolution means that what had been an annoyance and a drag on productivity will get worse.


The new commercial operations use the same combination of cutting-edge technology and best practices, including customer service and supply-chain management, that have brought riches to Inc. and Dell Inc.

The perpetrators “are what I call the Bill Gateses of cyber-crime,” said Pat Peterson, a security researcher at Cisco Systems Inc.

Peterson has spent much of the last year and a half investigating the spam sent by Storm, a piece of malicious software known as a Trojan horse that turns ordinary PCs into spam-spewing robots.

“Gates succeeded not because he was smart, a great engineer or a good businessman, but because he had all of those qualities and an innovative entrepreneurial spirit as well,” Peterson said. “That’s what we see here.”

In the study, Peterson links the Storm system to a Russian drug maker called GlavMed, which uses factories in India and China to churn out knockoffs of Viagra and other popular drugs. GlavMed didn’t respond to an interview request.

Cyber-criminals have learned not only how to outwit the computer-security industry, but how to become self-sustaining businesses with substantial budgets for researching and developing new ways to deliver their merchandise.

“There are real products being sold and big money being made,” said Joe Stewart, a researcher at network security firm SecureWorks. “It seems unreal that they can get away with it, but they do.”

Security firm MessageLabs Inc. estimates that spam already comprises three-quarters of all e-mail. And an estimated 1 in 6 Internet-connected personal computers has been infected by programs that turn them into zombie armies of spam-senders.

Organized crime is exploiting software flaws and human curiosity to increase those numbers. For example, Storm, which emerged last year, uses a wide range of tricks to get users to download it. Instead of including suspicious-looking attachments, Storm sends e-mail with links to fake holiday cards and YouTube videos.

When visited, those websites look for security holes in the computer user’s Web browser and other programs. If they don’t find those holes, they ask the user to download a purported video player or other software that infects his or her machine with the Trojan horse.

To make the e-mails more enticing, Storm uses headings related to current events, such as the winter storm in Europe that inspired researchers to give the enterprise its name.

Computer owners usually don’t notice that their machines have been turned into pawns of the spam operation, because the PC is pressed into service only sporadically.

Although some security firms say Storm infected tens of millions of machines, Peterson thinks it peaked in July at 1.4 million.

Stewart said Storm was the fifth-most pervasive zombie system of the moment. All told, he said, the top 11 have more than 1 million captive computers and can send 60 billion pieces of spam daily.

Storm’s genius for infecting new hosts is just one of the technical innovations that make it what Peterson said was the most effective Trojan to date. But the economics behind Storm make it stand out from other malicious programs.

A few years ago, buying something from a spammer usually meant that a crook would charge your credit card and resell the account number to other criminals. The goods never arrived.

But, as they say in Silicon Valley, that business model didn’t scale. To charge lots of credit cards, one needs a merchant account. And that usually means a verifiable physical address, various forms of documentation -- and no long list of demands for refunds.

The brains behind Storm simply decided to find a more legitimate business. According to Peterson, they hooked up with GlavMed, which supplies counterfeit drugs, and SpamIt, GlavMed’s covert system for processing orders over the Web.

Peterson said his smoking gun was “broken” pieces of spam sent by Storm-infected computers that referred to SpamIt’s internal systems.

About 80% of that spam now touts drugs from such websites as, which Peterson estimates takes in $150 million each year. Most of those who place orders will get pills from Mumbai, India, or Shanghai that contain 100% to 110% of the advertised dose of the active ingredient.

Exactly who is in charge of Storm remains a mystery.

The few arrests and limited improvements in anti-virus software might have taught the remaining practitioners whom and what to avoid.

Just like the overuse of antibiotics can produce more resistant strains of human viruses, Peterson said, “We’ve generated these super-gangs in Eastern Europe that have moved way outside the jurisdiction of any law enforcement. They have created a criminal ecosystem that completely isolates them from the security community.”