Thursday, December 2, 2010

Oleg Nikolaenko, Mega-D Botmaster to Stand Trial

According to Milwaukee's Journal Sentinel one of the largest spam senders in the world is sitting in a cell in Milwaukee awaiting his first court appearance on Friday, where he will be charged with being one of the greatest spammers in the world.

The case being heard, in the Eastern District of Wisconsin (2:2010-cr-00246), charges Oleg Nikolaenko, born July 17, 1987, with violations of 18 U.S.C. §§ 1037(a)(3) and 2.

According to the 13-page criminal complaint, beginning in January 2007 Nikolaenko violated CAN-SPAM in a maximum way. The first charge against him was CAN-SPAM violations:

the defendant knowingly, in and affecting interstate commerce, materially falsified header information in multiple commercial electronic mail messages transmitted in furtherance of the offense exceeded 2,500 during a 24-hour period, 25,000 during a 30-day period, and 250,000 during a 1-year period, to wit, the defendants altered the header information of spam e-mails that they transmitted via the Internet to disguise the e-mails' true origin, in violation of 18 USC § 1037(a)(3)


Yeah, 10 billion per day is greater than 2,500. 8-)

The second charge brought in the complaint, by Special Agent Brett Banner of the Federal Bureau of Investigation, is that he shipped bogus drugs, failing to ship what was ordered. In other words, Mail Fraud.

Count two says:

On or about November 2, 2009, for the purpose of executing a scheme to defraud by failing to send purchased prescription drugs, the defendant knowingly caused to be sent and delivered by the Postal Service, the following matter: a package from Herbal Health Fulfillment House, 6 University Dr., Ste. 206-273, Amherst, MA 01002, containing 60 pills of "VPXL -#1 Dietary Supplement for Men", to an address in Milwaukee, State and Eastern District of Wisconsin, in Violation of 18 U.S.C. § 1341.


Oleg is messing with the wrong FBI Agent. Brett was the administrator of the Mid-Michigan Area Computer Crimes Task Force from June 2004 to September 2009. That would be Michigan, the state where Terrence Berg locked up spammers and threw away the key on behalf of the Department of Justice, until President Obama replaced him with Barbara McQuade. I can't imagine a better office to learn about fighting spam with the legal system! (Don't get me wrong, McQuade is hitting drugs, child porn, and mortgage fraud hard, and earning a great reputation as well. But Berg was an anti-spam crusader!)

Special Agent Banner reveals in his complaint that Oleg was shipping "billions of spam emails on behalf of Jody Smith, Lance Atkinson, and others who were selling counterfeit Rolexes, non-FDA approved herbal remedies, and counterfeit prescription medications."

The fingers started pointing to Oleg from some other cases. In August 2009, Jody M. Smith pled guilty to "conspiracy to traffic in counterfeit Rolex watches" in the Eastern District of Missouri. How much money was Smith making in the watch business? Let's just say that in the court documents he admitted to spending TWO MILLION DOLLARS just on spamming services! Smith's affiliate spamming organization was called "AffKing" and actually included quite a few other messages as well. Just at the Federal Trade Commission's Spam Fridge, they had received over 3 million spam emails that were associated with the AffKing case.

We blogged about the AffKing case back in October of 2008 with this story - SanCash (AffKing) taken down in New Zealand.

Atkinson, who had been charged as part of a case called "Global Web Promotions" back in 2004, was called "the first criminal action under CAN-SPAM" according to the April 24th FTC Press Release. The FTC has the 25 page Judgement on their website.

According to the current criminal complaint, when Atkinson was being interviewed regarding his charges, he admitted posting messages on "a pro-spam Internet bulletin board" seeking help from spammers to promote his herbal pills. Atkinson says that the two largest spammers he met on that board were Russians who called themselves "Docent" and "Dem". He estimated that 80% of all of his drug sales came from spam-delivered advertisements.

The complaint further shows that according to "The Director of Malware Research at SecureWorks" most of the AffKing spam was being routed through a botnet, which SecureWorks named "Mega-D" back in 2008, and which they claimed accounted for 32% of all the spam on the planet, or more than ten billion spam messages per day.

Monitoring of Atkinson's ePassporte account revealed that from October 2006 to December 2007, he sent out over $1.8 Million in commission payments for items sold. Atkinson recalled that Docent used the ePassporte account name "Genbucks_dcent".

A subpoena served on ePassporte compelled them to reveal that Genbucks_dcent was Oleg Nikolaenko of 28/10 Spasskiy Proezd, Vidnoe 2, Russian Federation, with the email addresses ddarwinn@gmail.com and 4docent@gmail.com. In a six month period in 2007, Lance Atkinson had paid Genbucks_dcent $464,967.12 for his spamming services.

Search warrants served on Google revealed that ddarwin and 4docent were sending and receiving emails from others about their spam, including "Affking1@gmail.com" (believed to belong to Lance Atkinson). The emails also contained malware attachments, which were analyzed by SecureWorks and determined to belong to the botnet family known as Mega-D.

In November of 2009, the security research company FireEye took control of the Mega-D network and was able to show that 509,000 computers were infected with the spamming botnet software, including 136 computers located in the state of Wisconsin.

Another FBI Agent who was an investigator in parts of this case, Special Agent Jason Pleming, indicates that security research firm M86 Security informed him that a single infected computer on the Mega-D Botnet had been observed to send as many as 15,000 spam messages per hour.

A search of the U.S. State Department's visa applications indicated that Oleg Yegorovich Nikolaenko, with matching address, email address, and birthdate, received a traveler's visa to the United States and was in Los Angeles from July 17, 2009 to July 27, 2009. He was in the US again from November 2, 2009 through November 6, 2009, staying in Las Vegas and logging in to his gmail accounts from an IP address (65.86.127.226) at The Tower Hotel in Beverly Hills during that trip.

The FBI agents indicate that Nikolaenko had expected to stay in the US until November 11, 2009, but that he left early. They propose that this may have been to go home and deal with the fact that FireEye disabled the Mega-D Botnet that week! Although M86 indicates that Mega-D totally disappeared for a short time that month, by December 13, 2009 it was back to 17% of worldwide spam.

Acting as an undercover purchaser, Special Agent Pleming clicked a link in an email which claimed to be from "Amazon, Ltd" and visited a website that described itself as "Canadian Pharmacy". He purchased one package of VPXL and one package of Viagra, and received as a bonus four additional "Viagra Professional" pills.

A package did arrive: Special Agent Pleming received his VPXL, but no Viagra pills at all.

Now it was time to wait. . . .

On October 30, 2010, Nikolaenko arrived in the United States at JFK airport, flew to Las Vegas, and checked in at the Bellagio hotel, to attend the "Specialty Equipment Market Association (SEMA)" car show in Las Vegas. (He attended the same car show the previous year.)

The complaint was presented to Magistrate Judge Aaron E. Goodstein on November 3rd, and a warrant was issued for the arrest of Oleg Nikolaenko, who was taken into custody in Las Vegas the following day.

The CAN-SPAM charges for which he was arrested in Las Vegas had a potential sentence of 3 years in prison, a $250,000 fine, and 3 years supervised release.

Nikolaenko will be presented with all these charges in court tomorrow, December 3rd.


[Note: after completing this story, while Googling up some additional facts, I noticed that Brian Krebs has already written about this. I'll share my interpretation anyway - but please do see Brian's story at KrebsOnSecurity.com. Had I seen it first, I would have saved myself a few bucks on PACER! haha!]