Web hosting @bruceld
"I'd say, the best way to nip this type of activity in the bud is to go after their web hosts (which themselves are probably involved in the scam), then perhaps even their uplink providers. Doing a traceroute shows exactly where and when data flows throughout the internet and can be followed through IP addresses. It is actually very possible to pull the plug on their web sites anywhere along the traceroute.
Why isn't anyone using this technique to track the criminals?"
Oh, many people are, believe me.
The majority of these sites are hosted in the former Soviet Union, where they're beyond the reach of US law enforcement. I've seen these sites hosted on ISPs in Latvia, Moldova, and other former Soviet-bloc countries.
The political reality is that law enforcement in these places simply does not care. In fact, it's quite likely that law enforcement in these countries, such as it is, is highly corrupt and easily susceptible to influence from these same organized crime gangs. The Storm gang even appears to have allies in the highest levels of Russian government, for instance.
In many cases, these Eastern European ISPs receive their connectivity from an American outfit called WV Fiber (wvfiber dot com). WV Fiber responds to abuse reports by saying "We're not doing anything wrong; it's the ISP in Latvia that has the problem, not us." (When they respond to abuse complaints at all, that is. Mostly, they don't.)
Similarly, the domain registrar of choice, EST Domains, is headquartered in the US but responds to abuse complaints (on those rare occasions when they respond at all) by saying "Take it up with the hosting company, not us. We're not hosting them, we're merely providing registration service. What they do with it isn't our problem."