Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum —  in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Quayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations.

THE BIGGER PICTURE

According to a memo jointly filed by the defendants, “this case spun off from a larger ongoing investigation into the commercial email practices of Company A.” Ironically, this memo appears to be the only one of several dozen documents related to the indictment that mentions Adconion by name (albeit only in a series of footnote references).

Prosecutors allege the four men bought hijacked IP address blocks from another man tied to this case who was charged separately. This individual, Daniel Dye, has a history of working with others to hijack IP addresses for use by spammers.

For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra.

Optinrealbig’s CEO was the spam king Scott Richter, who later changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

Dye has been charged with violations of the CAN-SPAM Act. A review of the documents in his case suggest Dye accepted a guilty plea agreement in connection with the IP address thefts and is cooperating with the government’s ongoing investigation into Adconion’s email marketing practices, although the plea agreement itself remains under seal.

Lawyers for the four defendants in this case have asserted in court filings that the government’s confidential informant is an employee of Spamhaus.org, an organization that many Internet service providers around the world rely upon to help identify and block sources of malware and spam.

Interestingly, in 2014 Spamhaus was sued by Blackstar Media LLC, a bulk email marketing company and subsidiary of Adconion. Blackstar’s owners sued Spamhaus for defamation after Spamhaus included them at the top of its list of the Top 10 world’s worst spammers. Blackstar later dropped the lawsuit and agreed to paid Spamhaus’ legal costs.

Representatives for Spamhaus declined to comment for this story. Responding to questions about the indictment of Adconion employees, Amobee’s parent company SingTel referred comments to Amobee, which issued a brief statement saying, “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

ONE OF THE LARGEST SPAMMERS IN HISTORY?

It appears the government has been investigating Adconion’s email practices since at least 2015, and possibly as early as 2013. The very first result in an online search for the words “Adconion” and “spam” returns a Microsoft Powerpoint document that was presented alongside this talk at an ARIN meeting in October 2016. ARIN stands for the American Registry for Internet Numbers, and it handles IP addresses allocations for entities in the United States, Canada and parts of the Caribbean.

As the screenshot above shows, that Powerpoint deck was originally named “Adconion – Arin,” but the file has since been renamed. That is, unless one downloads the file and looks at the metadata attached to it, which shows the original filename and that it was created in 2015 by someone at the U.S. Department of Justice.

Slide #8 in that Powerpoint document references a case example of an unnamed company (again, “Company A”), which the presenter said was “alleged to be one of the largest spammers in history,” that had hijacked “hundreds of thousands of IP addresses.”

A slide from an ARIN presentation in 2016 that referenced Adconion.

There are fewer than four billion IPv4 addresses available for use, but the vast majority of them have already been allocated. In recent years, this global shortage has turned IP addresses into a commodity wherein each IP can fetch between $15-$25 on the open market.

The dearth of available IP addresses has created boom times for those engaged in the acquisition and sale of IP address blocks. It also has emboldened scammers and spammers who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, KrebsOnSecurity broke the news that Amir Golestan — the owner of a prominent Charleston, S.C. tech company called Micfo LLC — had been indicted on criminal charges of fraudulently obtaining more than 735,000 IP addresses from ARIN and reselling the space to others.

KrebsOnSecurity has since learned that for several years prior to 2014, Adconion was one of Golestan’s biggest clients. More on that in an upcoming story.

Levashov, in an undated photo.

Levashov, who allegedly went by the hacker names “Peter Severa,” and “Peter of the North,” hails from St. Petersburg in northern Russia, but he was arrested last year while in Barcelona, Spain with his family.

Authorities have long suspected he is the cybercriminal behind the once powerful spam botnet known as Waledac (a.k.a. “Kelihos”), a now-defunct malware strain responsible for sending more than 1.5 billion spam, phishing and malware attacks each day.

According to a statement released by the U.S. Justice Department, Levashov was arraigned last Friday in a federal court in New Haven, Ct. Levashov’s New York attorney Igor Litvak said he is eager to review the evidence against Mr. Levashov, and that while the indictment against his client is available, the complaint in the case remains sealed.

“We haven’t received any discovery, we have no idea what the government is relying on to bring these allegations,” Litvak said. “Mr. Levashov maintains his innocence and is looking forward to resolving this case, clearing his name, and returning home to his wife and 5-year-old son in Spain.”

In 2010, Microsoft — in tandem with a number of security researchers — launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of computer code with Waledac.

Severa routinely rented out segments of his Waledac botnet to anyone seeking a vehicle for sending spam. For $200, vetted users could hire his botnet to blast one million pieces of spam. Junk email campaigns touting employment or “money mule” scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Waledac first surfaced in April 2008, but many experts believe the spam-spewing machine was merely an update to the Storm worm, the engine behind another massive spam botnet that first surfaced in 2007. Both Waledac and Storm were major distributors of pharmaceutical and malware spam.

According to Microsoft, in one month alone approximately 651 million spam emails attributable to Waledac/Kelihos were directed to Hotmail accounts, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks, and more. The Storm worm botnet also sent billions of messages daily and infected an estimated one million computers worldwide.

Both Waledac/Kelihos and Storm were hugely innovative because they each included self-defense mechanisms designed specifically to stymie security researchers who might try to dismantle the crime machines.

Waledac and Storm sent updates and other instructions via a peer-to-peer communications system not unlike popular music and file-sharing services. Thus, even if security researchers or law-enforcement officials manage to seize the botnet’s back-end control servers and clean up huge numbers of infected PCs, the botnets could respawn themselves by relaying software updates from one infected PC to another.

FAKE NEWS

According to a lengthy April 2017 story in Wired.com about Levashov’s arrest and the takedown of Waledac, Levashov got caught because he violated a basic security no-no: He used the same log-in credentials to both run his criminal enterprise and log into sites like iTunes.

After Levashov’s arrest, numerous media outlets quoted his wife saying he was being rounded up as part of a dragnet targeting Russian hackers thought to be involved in alleged interference in the 2016 U.S. election. Russian news media outlets made much hay over this claim. In contesting his extradition to the United States, Levashov even reportedly told the RIA Russian news agency that he worked for Russian President Vladimir Putin‘s United Russia party, and that he would die within a year of being extradited to the United States.

“If I go to the U.S., I will die in a year,” Levashov is quoted as saying. “They want to get information of a military nature and about the United Russia party. I will be tortured, within a year I will be killed, or I will kill myself.”

But there is so far zero evidence that anyone has accused Levashov of being involved in election meddling. However, the Waledac/Kelihos botnet does have a historic association with election meddling: It was used during the Russian election in 2012 to send political messages to email accounts on computers with Russian Internet addresses. Those emails linked to fake news stories saying that Mikhail D. Prokhorov, a businessman who was running for president against Putin, had come out as gay.

SEVERA’S PARTNERS

If Levashov was to plead guilty in the case being prosecuted by U.S. authorities, it could shed light on the real-life identities of other top spammers.

Severa worked very closely with two major purveyors of spam. One was Alan Ralsky, an American spammer who was convicted in 2009 of paying him and other spammers to promote the pump-and-dump stock scams.

The other was a spammer who went by the nickname “Cosma,” the cybercriminal thought to be responsible for managing the Rustock botnet (so named because it was a Russian botnet frequently used to send pump-and-dump stock spam). In 2011, Microsoft offered a still-unclaimed $250,000 reward for information leading to the arrest and conviction of the Rustock author.

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

Microsoft believes Cosma’s real name may be Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. In June 2011, KrebsOnSecurity published a brief profile of Cosma that included Sergeev’s resume and photo, both of which indicated he is a Belorussian programmer who once sought a job at Google. For more on Cosma, see “Flashy Car Got Spam Kingpin Mugged.”

Severa and Cosma had met one another several times in their years together in the stock spamming business, and they appear to have known each other intimately enough to be on a first-name basis. Both of these titans of junk email are featured prominently in “Meet the Spammers,” the 7th chapter of my book, Spam Nation: The Inside Story of Organized Cybercrime.

Much like his close associate — Cosma, the Rustock botmaster — Severa may also have a $250,000 bounty on his head, albeit indirectly. The Conficker worm, a global contagion launched in 2009 that quickly spread to an estimated 9 to 15 million computers worldwide, prompted an unprecedented international response from security experts. This group of experts, dubbed the “Conficker Cabal,” sought in vain to corral the spread of the worm.

But despite infecting huge numbers of Microsoft Windows systems, Conficker was never once used to send spam. In fact, the only thing that Conficker-infected systems ever did was download and spread a new version of the the malware that powered the Waledac botnet. Later that year, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of the Conficker author(s). Some security experts believe this proves a link between Severa and Conficker.

Both Cosma and Severa were quite active on Spamit[dot]com, a once closely-guarded forum for Russian spammers. In 2010, Spamit was hacked, and a copy of its database was shared with this author. In that database were all private messages between Spamit members, including many between Cosma and Severa. For more on those conversations, see “A Closer Look at Two Big Time Botmasters.”

In addition to renting out his spam botnet, Severa also managed multiple affiliate programs in which he paid other cybercriminals to distribute so-called fake antivirus products. Also known as “scareware,” fake antivirus was at one time a major scourge, using false and misleading pop-up alerts to trick and mousetrap unsuspecting computer users into purchasing worthless (and in many cases outright harmful) software disguised as antivirus software.

A screenshot of the eponymous scareware affiliate program run by “Severa,” allegedly the cybercriminal alias of Peter Levashov.

In 2011, KrebsOnSecurity published Spam & Fake AV: Like Ham & Eggs, which sought to illustrate the many ways in which the spam industry and fake antivirus overlapped. That analysis included data from Brett Stone-Gross, a cybercrime expert who later would assist Microsoft and other researchers in their successful efforts to dismantle the Waledac/Kelihos botnet.

Levashov faces federal criminal charges on eight counts, including aggravated identity theft, wire fraud, conspiracy, and intentional damage to protected computers. The indictment in his case is available here (PDF).

Further reading: Mr Waledac — The Peter North of Spamming

Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and “carding” markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.

Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops — Rescator — somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren’t shy about letting you know when they think you’re not a real criminal. My law enforcement source said he’d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site’s checkout page was replaced with this image:

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this “pig detected” alert.

The shop from which my source attempted to make the purchase — called Rescator — is the same carding store that was the first to move millions of cards on sale that were stolen in the Target and Home Depot breaches, among others. I’ve estimated that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they only likely managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the median loss of 2 million cards, that’s still more than $50 million in revenue. It’s no wonder they want to keep the authorities out.

The analysis method used by my source — the buying of stolen cards to determine a breach source (also called “common point-of-purchase or “CPP” analysis) — was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years (including Target and Home Depot).

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale. Rescator’s site earned its infamy in part by flouting this best practice with cards stolen in separate breaches at Target, Home Depot, Sally Beauty, P.F. Chang’s and Harbor Freight. But according to banking industry sources, more recently it seems Rescator and other card shops have been flooded with cards from hacked point-of-sale machines at small restaurants across North America.

I told my law enforcement source that it’s not unheard of for cyber thieves who run online stores to employ blacklists of Internet address ranges known to be frequented or assigned to government and law enforcement agencies worldwide. The cybercrime kingpins I wrote about in my book Spam Nation used blacklists to block purchases of rogue pharmaceuticals by fraud investigators (a Spam Nation excerpt showing two key cybercrooks arguing about how best to flag suspicious purchases is in the second half of this story).

Then again, perhaps Rescator’s site simply noticed something amiss when my source funded his account with Bitcoin. The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source’s screen — effectively stealing hundreds of taxpayer dollars directly from the authorities.

Unsurprisingly, my source was unwilling to divulge anything about his undercover operations, including any foibles he might have made that led to his outing. He just wanted advice about how to avoid the pig alert in future undercover buys. But I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations.

If the idea of fraudsters using intelligence to outwit investigators sounds fascinating, check out this Nov. 2015 story at PaymentsSource.com, which references the above-pictured pig alert and some other ways many of the more savvy black-market card shops are getting less welcoming to outsiders.

An “order confirmation” malware email blasted out by the Asprox spam botnet recently.

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.

This Asprox malware email poses as a notice about a wayward package from a WalMart order.

According to Malcovery, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet.

Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks. Asprox also deploys a scanning module that forces hacked PCs to scan websites for vulnerabilities that can be used to hack the sites and foist malware on visitors to that site. For an exhaustive and fairly recent analysis of Asprox, see this writeup (PDF) from Trend Micro.

Target is among the many brands being spoofed by Asprox this holiday season.

Malcovery notes that the Asprox spam emails use a variety of subject lines, including “Acknowledgment of Order,” “Order Confirmation,” “Order Status,” “Thank you for buying from [insert merchant name here]”, and a “Thank you for your order.”

If you receive an email from a recognized brand that references an issue with an online or in-store order and you think it might be legitimate, do not click the embedded links or attachment. Instead, open up a Web browser and visit the merchant site in question. Generally speaking, legitimate communications about order issues will reference an order number and/or some other data points specific to the transaction — information that can be used to look up the order status at the merchant’s Web site. I know I’m probably preaching to the choir for the loyal readers of this site, but I’m sure most of you have friends and relatives who could use a reminder about all of this. Please feel free to forward them a link to this story.

Image: Malcovery

For three days starting last Sunday, I was in New York City — doing a series of back-to-back television and radio interviews. Prior to leaving for New York, I taped television interviews with Jeffrey Brown at the PBS NewsHour; the first segment delves into some of the points touched on in the book, and the second piece is titled “Why it’s harder than you think to go ‘off the grid’.”

On Monday, I was fortunate to once again be a guest on Terri Gross‘s show Fresh Air, which you can hear at this link. Tuesday morning began with a five-minute appearance on CBS This Morning, which included a sit-down with Charlie Rose, Gayle King and Norah O’Donnell. Later in the day, I was interviewed by the MarketPlace Tech Report, MSNBC’s The Cycle, as well as the Tavis Smiley show. Wednesday was a mercifully light day, with just two interviews: KGO-AM and the Jim Bohannon Radio Show.

Thursday’s round of media appearances began at around sunrise in the single-digit temperature Chicago suburbs. My driver from the hotel to all of these events took me aback at first. Roxanna was a petite blonde from Romania who could have just as easily been a supermodel. I thought for a moment someone was playing a practical joke when I first heard her “Gud mornink Meester Krebs” in a Eastern European accent upon stepping into her Town Car, but Roxanna was a knowledgeable driver who got us everywhere on time and didn’t take any crap from anyone on the road.

The first of those interviews was a television segment for WGN News and a taped interview with TouchVision, followed by my first interview in front of a studio audience at Windy City Live.  The guest who went on right before me was none other than the motivational speaker/life coach Tony Robbins, who is a tough act to follow and was also on the show to promote his new book. At six feet seven inches, Robbins is a larger-than-life guy whose mere presence almost took up half the green room. Anyway Mr. Robbins had quite the security detail, so I took this stealthie of Tony as he was confined to the makeup chair prior to his appearance.

On Thursday afternoon, after an obligatory lunch at the infamous Billy Goat burger joint (the inspiration for the “Cheezborger, cheezborger, cheezborger” Saturday Night Live skit) I visited the Sourcebooks office in Naperville, met many of the folks who worked on Spam Nation, signed a metric ton of books and the company’s author wall.

The Spam Nation signing in Naperville, IL.

After an amazing dinner with my sister and the CEO of Sourcebooks, we headed to my first book signing event just down the street. It was a well-attended event with some passionate readers and fans, including quite a few folks from @BurbsecWest with whom I had beers afterwards.

On Friday, I hopped a plane to San Francisco and sat down for taped interviews with USA Today and Bloomberg News. The book signing that night at Books Inc. drew a nice crowd and also was followed by some after-event celebration.

Departed for Seattle the next morning, and sat down for a studio interview with longtime newsman (and general mensch) Herb Weisbaum at KOMO-AM. The signing in Seattle, at Third Place Books, was the largest turnout of all, and included a very inquisitive crowd that bought up all of the copies of Spam Nation that the store had on hand.

Book signing at Seattle’s Third Place Books.

If you’re planning to be in Austin tonight — Nov. 24 — consider stopping by B&N Arboretum at 7:00 p.m. and get your copy of Spam Nation signed. I’ll be holding one more signing — 7:00 p.m. in Washington, D.C.’s Politics & Prose on Dec. 4.

For those on the fence about buying Spam Nation, Slate and LinkedIn both ran excerpts of the book. Other reviews and interviews are available at Fortune.com, Yahoo News, and CreditCards.com. Also, I was interviewed at length several times over the past month by CBS’s 60 Minutes, which is doing a segment on retail data breaches. That interview could air as early as Nov. 30. On that note, the Minneapolis Star Tribune ran a lengthy story on Sunday that followed up on some information I first reported a year ago about a Ukrainian man thought to be tied to the Target breach, among others.

In addition, my publisher has graciously extended the freeZeusGard offer until Nov. 25 for the next 500 people who order more than one copy of the book.

In early October we launched a promotion in which the first 1,000 readers to preorder more than one copy of the book, audio recording and/or e-book version of Spam Nation would receive a free, KrebsOnSecurity-branded ZeusGard, a USB-based technology that’s designed to streamline the process of adopting the Live CD approach for online banking.

Approximately 500 readers took us up on this offer, but that means we still have about 500 left! Thankfully, my publisher (Sourcebooks) has agreed to extend this offer by one week (until Nov. 25, 2014).

Finally, if you live in Chicago, San Francisco, Seattle or Austin and would like a personalized copy of Spam Nation, please consider joining me this week as I drop by a local bookstore near you! See the tour schedule for dates, times and locations.

Fortunately, this breach does not affect readers who have pre-ordered Spam Nation through the retailers I’ve been recommending — Amazon, Barnes & Noble, and Politics & Prose.  I mention this breach mainly to get out in front of it, and because of the irony and timing of this unfortunate incident.

From Sourcebooks’ disclosure (PDF) with the California Attorney General’s office:

“Sourcebooks recently learned that there was a breach of the shopping cart software that supports several of our websites on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained too. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach.”

So again, if you have pre-ordered the book from somewhere other than Sourcebook’s site (and that is probably 99.9999 percent of you who have already pre-ordered), you are unaffected.

I think there are some hard but important lessons here about the wisdom of smaller online merchants handling credit card transactions. According to Sourcebooks founder Dominique Raccah, the breach affected approximately 5,100 people who ordered from the company’s Web site between mid-April and mid-June of this year. Raccah said the breach occurred after hackers found a security vulnerability in the site’s shopping cart software.

Experts say tens of thousands of businesses that rely on shopping cart software are a major target for malicious hackers, mainly because shopping cart software is generally hard to do well.

“Shopping cart software is extremely complicated and tricky to get right from a security perspective,” said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, a company that gets paid to test the security of Web sites.  “In fact, no one in my experience gets it right their first time out. That software must undergo serious battlefield testing.”

Grossman suggests that smaller merchants consider outsourcing the handling of credit cards to a solid and reputable third-party. Sourcebooks’ Raccah said the company is in the process of doing just that.

“Make securing credit cards someone else’s problem,” Grossman said. “Yes, you take a little bit of a margin hit, but in contrast to the effort of do-it-yourself [approaches] and breach costs, it’s worth it.”

What’s more, as an increasing number of banks begin issuing more secure chip-based cards  — and by extension more main street merchants in the United States make the switch to requiring chip cards at checkout counters — fraudsters will begin to focus more of their attention on attacking online stores. The United States is the last of the G20 nations to move to chip cards, and in virtually every country that’s made the transition the fraud on credit cards didn’t go away, it just went somewhere else. And that somewhere else in each case manifested itself as increased attacks against e-commerce merchants.

If you haven’t pre-ordered Spam Nation yet, remember that all pre-ordered copies will ship signed by Yours Truly. Also, the first 1,000 customers to order two or more copies of the book (including any combination of digital, audio or print editions) will also get a Krebs On Security-branded ZeusGard. So far, approximately 400 readers have taken us up on this offer! Please make sure that if you do pre-order, that you forward a proof-of-purchase (receipt, screen shot of your Kindle order, etc.) to [email protected].

Pre-order two or more copies of Spam Nation and get this “Krebs Edition” branded ZeusGard.

Pre-order two or more copies of Spam Nation and get this “Krebs Edition” branded ZeusGard.

Spam Nation is a true story about organized cybercriminals, some of whom are actively involved in using malware-laced spam to empty bank accounts belonging to small- and medium-sized businesses in the United States and Europe. I’ve written extensively about organizations that have lost tens of millions of dollars from these cyberheists. I’ve also encouraged online banking customers to take advantage of various “Live CD” technologies that allow users to sidestep the very malware that powers these cyberheists.

In July, I wrote about ZeusGard, one such technology that’s designed to streamline the process of adopting the Live CD approach for online banking. The makers of ZeusGard got such a positive response from that story that they offered to partner with Yours Truly in promoting Spam Nation!

I’m pleased to report that the first 1,000 customers to purchase two or more copies of Spam Nation — including any combination of digital, physical and/or audio versions of the book — before the official book launch on Nov. 18 will receive a complimentary KrebsOnSecurity-branded version of ZeusGard (pictured above)!

If you already pre-ordered two copies of the book, print, digital and/or audio, and have submitted the proof-of-purchase to [email protected], you will automatically receive a ZeusGard and do not need to resend that proof-of-purchase. If you’ve already pre-ordered a copy and wish to acquire another (print, digital or audio copy), please make sure to send that extra proof-of-purchase to [email protected]. Pre-order your copy via several prominent booksellers, including Amazon, Barnes & Noble, Politics & Prose, and Powell’s.

So far, we have just 19 buyers who’ve chosen to purchase two or more copies, so we’ve got plenty more to go. I’ll put up another post if we get close to making the 1,000 customer limit.

Pre-orders are a big deal in the publishing industry because they signal to book sellers that a book is generating buzz and demand. They’re also important because they count toward the first week of sales, which can determine whether a book lands on best-seller lists.

So far, the reviews are very positive. Kirkus Reviews found the book “an eye-opening, immensely distressing exposé on the current state of organized cyberspammers.” Publisher’s Weekly calls Spam Nation “timely, informative, and sadly relevant in our cyber-dependent age.”

The Spam Nation book tour will kick off on Nov. 20 in Chicago, the hometown of my publisher — Sourcebooks. From there, we’ll be stopping in several other cities, including San Francisco, Seattle and Austin. In early December, I’ll be signing copies of Spam Nation at bookstores in New York and Washington, D.C. Please see the full schedule for more details, and join me if you’re able!