Spam, Bad Guys, and the Russian FSB

Interesting news this week with some heavy anticrime work in Russia resulting in the arrests of the alleged RBS Worldbank cybercriminals. In related research I had to laugh out loud at this particular turn of phrase reported by the Financial Times;

    • The Russian Federal Security Service (FSB)has detained suspects including Viktor Pleshchuk, an alleged mastermind behind a £6m (€6.6m, $9m) attack on the payment processing unit of Royal Bank of Scotland, said people familiar with the inquiry.
    • The FSB asked the Federal Bureau of Investigation in the US, which has made the inquiry an international priority, to avoid scaring other targets in Russia into covering their tracks.

I’m not sure how “avoiding scaring other targets” could be taken in any other way than ‘leave alone all of the other guys’… So today’s topic is around the question: Should the FBI actually lighten up as the FSB [allegedly] requests? First, let’s define what corruption really is.

J-D-L-R: Just Don’t Look Right.

JDLR is an acronym I learned from hanging out with cops: Just Don’t Look Right. That guy on the corner at 3am with the $200 sneakers on? To a beat cop, he probably would talk to him based on JDLR. At ESET malware is flagged because it JDLR (we call it heuristics).

What made me laugh about the Financial Times quote? When the FSB asks the FBI to ‘avoid scaring other targets’ in Russia it sounds too much like a dirty cop protecting other clients.

Corruption 101: Looking the other way

In my criminal investigative background, dirty cops got dirty by getting paid off or ‘hired’ by Bad Guy A to ignore criminal operations of Bad Guy A. Usually the escalation of this would end up Machiavellian and the dirty cop would be used to eliminate competition from Bad Guy B’s criminal operation.

All of this was almost mathematically formulaic in that it became a constant variable for the sphere of influence that Bad Guy A had with the dirty cop, with a fluctuating variable of the mandated positional effectiveness of the dirty cops. Basically, dirty cops keep their jobs by bringing in suspects in crimes. Dirty cops can double their personal effectiveness and bring in Bad Guy A’s competitors, leaving the dirty cops free to pursue other interests in their lives rather than working hard to fight crime.

In comparison between real life and television FX Network’s Shield crime-drama series was based on one such dirty cop. The series was loosely based on a real-life dirty cop story which took part in Rampart division of Los Angeles, California during the 1990s.

In one of these real world incidents, corrupt Rampart officer Perez (affiliated with one LA gang, our Bad Guy A) ended up framing Javier Ovando, another gang’s footsoldier or Bad Guy B. The dirty cop was in effect keeping his Bad Guy A safe by going after Ovando (Bad Guy B) and taking him off the streets.

My perspective is that it Just Don’t Look Right that the FSB would be concerned with mobsters covering their tracks, particularly those whose crime is cyber.

To be fair, let’s look at what ‘covering tracks’ may entail?

  1. A quick move out of jurisdiction to Belarus (currently at odds with Russia) is a $100 rail pass and cybercriminals can always telecommute.
  2. A skill set change to including a Cleaner to tie up loose ends either cyber or live makes things neat.
  3. Therefore there really isn’t much ‘heat’ the FBI could create – unless the FSB has internal leaks. (/snarky intended/)

Crime and punishment

Arrests and convictions are society’s way of setting boundaries. In Saudi Arabia, drug dealers get beheaded every Wednesday. Stateside, white collar crime sentencing (fraud, embezzlement, California’s Sec. 502 cybercrime, etc.) has historically not had as strong sentencing as violent, or blue collar crimes (armed robbery, assault, sexual assault). Some states even have three strikes laws to keep triple felony offenders out of society forever with life imprisonment.

With that in mind, I’m not seeing FSB’s actions as providing much of a deterrent. According to Wired’s reporting, their expert’s viewpoint is aligned with my own in skepticism:

    • Former FBI special agent E.J. Hilbert, who worked diligently with others to convince Ukrainian authorities to arrest Golubov [another heavy cybercriminal] in 2005, is doubtful that Pleshchuk will do any serious time.
    • “The cooperation between the FBI and FSB related to this arrest is monumental, and I’m hopeful it truly is a new era of cooperation,” he told Threat Level. “But I am extremely skeptical. Any criminal making this amount of money will be well connected and thus protected.”
    • Though agents on the ground may do their best to work for a conviction, “they’re battling a corrupt system” Hilbert said.

My analysis of this interview is that Hilbert’s experience is telling him things JDLR about this arrest having any relative impact based on his experience with countries having a corruption level so high. One truism which a whole slew of heavy-hitting US Attorneys on our side of the pond will tell you – until we can prosecute these cybercriminals in our courts, they’re not going to have any measure of deterrence.

Want more effectiveness than token arrests? Follow the money.

By way of Terry Zink’s MSDN blog I read this article by Dancho Danchev on ZDNet which talks about the solution of following the money:

    • Try to get to the top of the affiliate network chain, instead of prosecuting/fining a participant in the affiliate network – Who’s getting prosecuted for spamming at the end of the day? It’s usually not the one who should be. The next time you hear that a spammer has been arrested, is being sued, and possibly even fined, ask yourself the following – is this guy the one running an affiliate network with hundreds of thousands of spammers participating in it, the supplier of the counterfeit pharmaceuticals, or is he basically one of the thousands of participants in the network?

Dancho Danchev provides the best solution I’ve heard all day. Really.

Basic criminology usually solves the crime by following the money or influence and attacking the weakest link in the chain. In cybercrime, it may end with legislation (and enforcement) of tighter restrictions on affiliate network programs such as what Dancho recommends. As far as how effective these arrests might be, Dancho's main question from his blog post still points towards shared and similar skepticism:

    • Why are some of the Russian affiliate networks for spam already celebrating their 5th or 8th anniversaries?

Feel free to comment on what you feel the FSB statement could be interpreted as – maybe I’m being too harsh. I haven’t had my coffee yet.

Contributing Writer, Securing Our eCity

Author , ESET

Comments are closed.

Follow us

Copyright © 2017 ESET, All Rights Reserved.