Wednesday, December 26, 2007

A Stormy Christmas and a Botnet New Year

The newest round of Storm Worm propagation emails has come out, and it is, again, largely undetected malware.

The main URLs we are seeing at this point are:

uhavepostcard.com <== (majority use this one)

happycards2008.com <== (all of these dated today)

There are more than 100 samples using these two URLs so far. The first
was received December 24th at 12:10 PM. The most recent was received
just moments ago.

---------
Subjects include:

A fresh new year
A fresh new year...
As you embrace another new year
Blasting new year
Happy 2008 To You!
Happy 2008!
Happy New Year To (emailhere)
Happy New Year To You!
Happy New Year!
It's the new Year
Joyous new year
Lots of greetings on new year
Message for new year
New Hope and New Beginnings...
New Year Ecard
New Year Postcard
New Year wishes for you
Opportunities for the new year
Wishes for the new year

---------

A scan of the current malware on VirusTotal just now showed a 37.5%
detection rate. The version scanned was 142,337 bytes and had the MD5
checksum of:

44dc7307c81eb9fe0a0cf9147a9932ef

Notable non-detections include F-Prot, Kaspersky, McAfee, and Sophos.

Those detecting named the malware as follows:

AntiVir = TR/Rootkit.Gen
Avast = Win32:Zhelatin-ASX
BitDefender = DeepScan:Generic.Malware.FMH@mmign.55A134E9
ClamAV = Trojan.Zhelatin
DrWeb = Trojan.Spambot.2386
Fortinet = W32/Tibs.G@mm
Microsoft = Backdoor:WinNT/Nuwar.B!sys
NOD32v2 = probably a variant of Win32/Fuclip
Panda = suspicious file
Prevx1 = Stormy:Worm-All Variants
Symantec = Trojan.Peacomm
Webwasher = Trojan.Rootkit.Gen

PREVX.com says this version was first seen on December 26th and has been
reported by one user in Spain. (That's where VirusTotal is, so I guess
that's me and others using VirusTotal.)

A Christmas version of the Storm Worm propagation email may still be lurking in inboxes as employees return from their holiday vacations. The Christmas version primarily used the malware domain:

merrychristmasdude.com

and used the subject lines listed below. Visiting those sites now actually downloads the same "happy-2008.exe" malware that the New Year propagation uses, since the same infected computers are acting as the web hosts for both.

The Christmas subject lines were:

Christmas Email
Cold Winter Nights
Feel the Holiday Spirit
Find Some Christmas Tail
Ho Ho Ho.s
How.s It Goin
I love this Carol!
Jingle Bells, Jingle Bells
Looking for something hot this Christmas
Merry Christmas From your Secret Santa
Merry Christmas To All
Mrs. Clause
Mrs. Clause Is Out Tonight!
Santa Said, HO HO HO
Seasons Greetings
The Perfect Christmas
The Twelve Girls of Christmas
Time for a little Christmas Cheer.
Warm Up this Christmas
Your Secret Santa

The domain names for all of these are set up in a "round robin". For instance, I used "nslookup" to query "merrychristmasdude.com" ten times in a row and got the following list of IP replies:

66.78.160.196
24.126.208.180
86.125.107.157
70.249.186.39
79.172.83.168
91.142.197.135
62.43.161.233
78.60.109.65
91.122.89.214
75.58.60.145
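The round-robin behaviour described above can be checked mechanically. The following is an added example, not code from the original post: it parses constructed nslookup-style transcripts (re-using the ten addresses quoted above) and reports how many distinct addresses and /16 networks one name maps to and whether the answer set rotates between queries; the thresholds in looks_like_flux are assumptions for illustration.

```python
"""Summarise repeated lookups of one name to spot round-robin / flux hosting.

Added example, not code from the original post. The nslookup transcripts
below are constructed; the addresses are the ten answers the post quotes
for merrychristmasdude.com, split across three pretend lookups. The first
chunk is the resolver banner nslookup prints, included to show it is
ignored (private address).
"""
import ipaddress
import re

SAMPLE_LOOKUPS = """\
Server:  resolver.local
Address:  192.168.1.1

Name:    merrychristmasdude.com
Addresses:  66.78.160.196
          24.126.208.180
          86.125.107.157

Name:    merrychristmasdude.com
Addresses:  70.249.186.39
          79.172.83.168
          91.142.197.135
          62.43.161.233

Name:    merrychristmasdude.com
Addresses:  78.60.109.65
          91.122.89.214
          75.58.60.145
          66.78.160.196
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_lookups(text):
    """Split nslookup-style output into lookups (blank-line separated) and
    return the public IPv4 answers of each; chunks that only name the
    resolver (private address) or contain no addresses are dropped."""
    lookups = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        answers = []
        for raw in IPV4_RE.findall(chunk):
            try:
                addr = ipaddress.IPv4Address(raw)
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 matched the regex but is not an address
            if addr.is_global:
                answers.append(str(addr))
        if answers:
            lookups.append(answers)
    return lookups


def summarize(lookups):
    """Count distinct addresses and distinct /16 networks across all
    lookups (a rough stand-in for 'unrelated networks'; ASN data would be
    better), and note whether the answer set changed between lookups."""
    distinct = {ip for answers in lookups for ip in answers}
    nets = {str(ipaddress.IPv4Network(f"{ip}/16", strict=False)) for ip in distinct}
    changed = all(set(a) != set(b) for a, b in zip(lookups, lookups[1:]))
    return {
        "lookups": len(lookups),
        "distinct_ips": len(distinct),
        "distinct_16s": len(nets),
        "rotates": changed and len(lookups) > 1,
    }


def looks_like_flux(summary, min_ips=5, min_nets=4):
    """Heuristic matching the post's observation: many addresses, spread
    over unrelated networks, with a different set on each query.
    Thresholds are assumed values for illustration, not measured ones."""
    return (summary["distinct_ips"] >= min_ips
            and summary["distinct_16s"] >= min_nets
            and summary["rotates"])


if __name__ == "__main__":
    report = summarize(parse_lookups(SAMPLE_LOOKUPS))
    print(report, "flux-like:", looks_like_flux(report))
```

A name hosted on one or two stable servers produces a single address and no rotation, so the same summary separates the two cases.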

A much longer list of IP addresses which answer queries for all three of these domain names:


Good luck, and thanks for any help terminating the three domain names in question.


Merry Christmas and Happy New Year, CyberCrime Fighters . . .

_-_
gary warner
http://www.cis.uab.edu/forensics/

Thursday, December 13, 2007

"Google Referrer Only" malware sites


Saturday, December 08, 2007

Off Topic: Browser and OS Trends

WARNING!! I'm going a bit off topic today.

This post started off to be about JavaScript enabled browsing by end-users. Security professionals have long recommended that JavaScript be disabled by default, and enabled only for those sites which require JavaScript and which are trusted by the user as a "Trusted Site".

In Internet Explorer this is done in a fashion that confuses most end-users, by creating a "Trusted Zone" and setting different security properties in the Trusted Zone than in the Global Zone. (Directions for using Trusted Zones are here)

In FireFox, the best way to accomplish this is by running the plug-in NoScript, which disables scripting by default and lets the user click to enable scripts on Trusted Sites that appear broken when scripting is disabled. (The NoScript homepage is here)

Bottom Line: Unless a site requires JavaScript and you trust it, you should not be browsing with JavaScript enabled!

Unfortunately, as I reviewed three groups of web statistics (from visitors to this blog, from visitors to my haiku poetry website, and from visitors to my genealogy website), almost EVERYONE had JavaScript enabled. Between 97.7% and 98.5%!!

Then I laughed at myself as I realized that I was using Google Analytics to do that measurement, and Google Analytics doesn't record the visit unless JavaScript is enabled. Which now has me puzzling over how ANYONE was recorded who had no JavaScript.

But I still had some interesting, though slightly off-topic, results to share with you, Dear Reader . . .




If we watch the media in its various forms, we are being bombarded with a few basic messages:
- The Age of the Macintosh is upon us
- Linux Threatens Windows
- Windows Vista is the Path to Security
- Internet Explorer 7 is the Path to Security

I thought it would be interesting to look at some statistics to see if these messages reflect the reality of the Average Internet User.

After careful reflection, I realized I don't have the ability to measure The Average Internet User, so instead I looked at some Google Analytics for three websites that I have tagged. The three are of course English-language biased, but then so is most of the media I consume, so I think that's ok.



Sample One: People who read this blog.

This blog is about CyberCrime, and usually CyberCrime in the United States. One hopes that the readers are people who care about CyberCrime and perhaps by a bit of a stretch, protecting their computers.

For the sample period I looked at there were 3,400 unique visitors to this blog from 85 countries and all 50 states, but with 78% of the readers coming from the US.

Operating system
Windows            88.65%
Mac                 7.91%
Linux               3.09%

Windows breakdown
XP                 83%
Vista              10%
2000                5%
Server 2003         1%
98                  0.8%

Browser
Internet Explorer  58.01%
FireFox            34.69%
Safari              4.44%
Opera               1.13%

IE breakdown
IE 7.x             50.24%
IE 6.x             49.42%
IE 5.x              0.34%

Sample Two: People who visit my haiku poetry website.

The Haiku Poetry fans, as you might imagine, are a bit different than the readers here. 6,600 unique visitors from 98 countries and all 50 states, with only 54% of the readership coming from within the US.

Operating system
Windows            88.49%
Mac                 8.86%
Linux               2.53%

Windows breakdown
XP                 85%
Vista               6%
98                  4%
2000                3%

Browser
Internet Explorer  67.26%
FireFox            24.57%
Safari              5.64%
Mozilla             1.43%

IE breakdown
IE 6.x             58%
IE 7.x             39%
IE 5.x              2%

SLIGHTLY higher Macintosh adoption (not statistically significant), slightly lower Linux adoption (also not statistically significant), but a much greater chance of using "old" Internet Explorer, not being on Vista, and still running Windows 98.




Sample Group 3: People who visit my genealogy websites

This was the smallest group, with 1200 unique visitors representing 37 countries, but with 86% of the traffic coming from within the United States. Genealogists tend to be older and thriftier people than Security professionals. Probably on a "technology" basis, they are more similar to the haiku poets than the security professionals. I included this as a hope towards a "lower tech but US based" sample, to see whether the haiku poets' trends were representing their tech level, or their nation of residence.

Operating system
Windows            88.7%
Mac                 5.67%
Linux               5.25%

Windows breakdown
XP                 86.5%
Vista               7.5%
2000                3.2%
Server 2003         1.3%
98                  1.2%

Browser
Internet Explorer  70.14%
FireFox            20.35%
Mozilla             4.4%
Safari              3.48%

IE breakdown
IE 6.x             50.15%
IE 7.x             49.04%
IE 5.x              0.08%

Conclusions?

Macintosh users, from my unscientific study, still represent less than 9% of the installed user base.

Linux users are still a small enough number for the average webmaster to safely ignore them.

Vista still represents less than 10% of the installed user base.

FireFox has an impressive market share and must be considered by all webmasters, but trails both IE 6 and IE 7 when considered individually.

Despite the security benefits of IE7, slightly less than half of those who could use it are using it. (From my experience this is because many web-based applications still don't work in IE7.)

Thursday, November 29, 2007

Russian Malware, Welcome to Texas!

Last week a whole group of formerly Russian malware infection websites migrated to a new home in Texas. The move seems to have been made on November 18th, when the virus sites that were formerly on the netblock with 81.95.146.236 moved wholesale to IP addresses in the netblock of 74.52.55.179.

Appropriate folks have all the details, but I wanted to talk today about the infection technique being used by one of the 46 domains, http://entireall.info/.

The way the PHP code on the website works, whatever value you supply in the URL's query string becomes the name of an ".exe" file that is offered for download.

So, if you have been sent a spam, or a messagebook-comment-spam, telling you to get the new version of Adobe Flash Version 11, then the site will obligingly give you a file called "Adobe_Flash_v11.exe".

As of this timestamp, the root directory of this site is advertising itself as an "Adobe_Flash_v11.exe" updater. VirusTotal.com indicates that only 21% of its 32 anti-virus checks detect this as a virus.

Which brings me to the real topic of today's blog: Constantly Repacked Malware

If instead you had a link for "Gar_New_Virus", such as:

(badsite here)/search.php?qq=Gar_New_Virus

Then that would be the name of the file it would offer to download, sticking a ".exe" on the end of it for you.
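A proxy or gateway can pick out this "name echo" pattern without knowing the site in advance. The following is an added example, not code from the original post: it scans constructed proxy log lines (request URL, response content type, Content-Disposition header) and flags any response whose offered filename is just a query-string value with an executable suffix appended; the hostnames in the sample are placeholders.

```python
"""Spot downloads whose executable name simply echoes the request.

Added example, not code from the original post. It scans constructed
proxy log lines (request URL, response content type, Content-Disposition)
and flags a response when the offered filename is a query-string value
with an executable suffix appended, the behaviour the post describes
for search.php?qq=<name>. Hostnames below are placeholders, not real sites.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed log format: "<url> <content-type> <content-disposition>"
SAMPLE_LOG = """\
http://badsite.example/search.php?qq=Gar_New_Virus application/octet-stream attachment; filename="Gar_New_Virus.exe"
http://badsite.example/search.php?qq=Adobe_Flash_v11 application/x-msdownload attachment; filename=Adobe_Flash_v11.exe
http://files.example/dl.php?id=42 application/pdf attachment; filename="report.pdf"
http://cdn.example/get?name=setup application/octet-stream attachment; filename="setup-1.2.3.exe"
"""

# Extensions that run when opened on Windows (assumed, common subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat"}
FILENAME_RE = re.compile(r'filename=(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def disposition_filename(disposition):
    """Pull the filename out of a Content-Disposition value, quoted or bare."""
    m = FILENAME_RE.search(disposition)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def echoes_query(url, filename):
    """True when filename == <some query value> + '.' + executable extension."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    values = [v for vs in parse_qs(urlparse(url).query).values() for v in vs]
    return stem in values


def scan_log(text):
    """Return (url, filename) for every log line that shows the echo pattern."""
    hits = []
    for line in text.strip().splitlines():
        url, _content_type, disposition = line.split(" ", 2)
        fname = disposition_filename(disposition)
        if fname and echoes_query(url, fname):
            hits.append((url, fname))
    return hits


if __name__ == "__main__":
    for url, fname in scan_log(SAMPLE_LOG):
        print("query-echo executable:", fname, "from", url)
```

The legitimate lines (a PDF, and an installer whose name only partly overlaps the parameter) are not flagged, so the check keys on the exact echo rather than on executables in general.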

This site functions in a similar way to other malware sites, typically related to pornographic movie spam, such as "ThisFreeMovies.com", which will send you to download "VideoAccessCodecInstall" because you are lacking the proper Windows Media Player Codec to view a movie. The malware site will obligingly announce that it is the update site for VideoAccessCodecInstall and have a file VideoAccessCodecInstall.exe for you to download.

This latter file is currently not detected by 21 of the 32 anti-virus products at VirusTotal; F-Prot, Kaspersky, McAfee, and Symantec are among those that miss it.

Those that do detect it, place it in a family called "Zlob" or "Zlobar".

These sites have been live for several months. Why do the major anti-virus products not detect their malware? It has to do with the fact that they are constantly "re-packing" the offensive code so that traditional signature-based anti-virus products are constantly playing catch up.

On the older of the two malware samples I downloaded just now, the detections identify Zlob:


  • AntiVir = DR/Zlob.Gen
  • AVG = Downloader.Zlob
  • CAT-Quickheal = TrojanDownloader.Zlob.gen
  • ClamAV = Trojan.Dropper-2557
  • F-Secure = W32/Zlob.ARDM
  • Microsoft = TrojanDownloader:Win32/Zlob.AMM
  • Norman = W32/Zlob.ARDM
  • Rising = Trojan.DL.Win32.Zlob.def
  • Sophos = Troj/Zlobar-Fam
  • TheHacker = Trojan/Downloader.gen
  • Webwasher-Gateway = Trojan.Dropper.Zlob.Gen
  • The other 21 products detect nothing.


But look what happens on the nearly identical virus which was packed more recently!


  • AntiVir = TR/Crypt.XPACK.GEn
  • Authentium = could be infected with an unknown virus
  • AVG = Downloader.Zlob.NP
  • eSafe = suspicious Trojan/Worm
  • F-Prot = W32/Heuristic-119!Eldorado
  • NOD32v2 = probably unknown NewHeur_PE virus
  • Webwasher-Gateway = Trojan.Crypt.XPACK.Gen
  • The other 25 products detect nothing.


We need to develop new methods for anti-virus products to deal more appropriately with "repacked" malware. Congratulations to those that are using Heuristic detection, or marking the file as suspicious because of the strange packing, but we need to know that these things are bad and warn the users!

Tuesday, November 27, 2007

The Identity Theft Enforcement and Restitution Act of 2007

Senator Patrick Leahy introduced a much-needed Identity Theft bill in the Senate on October 30th. The bill, S.2168, cited as the "Identity Theft Enforcement and Restitution Act of 2007", passed by "Unanimous Consent" on November 15th, and we now anticipate rapid action from the House.

Key improvements from the bill include:

A change which removes the previous threshold of requiring $5,000 in damages to make identity theft or spyware a Federal Offense;

A change which makes the placing of spyware or keyloggers on more than 10 computers a FELONY offense;

A change to instruct Criminal Restitution to "pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense";

A change to ensure that Identity Theft resulting from theft of mail be considered under the guidelines for "Aggravated Identity Theft";

A change to the sentencing guidelines in Section 1030 Title 18 subsection (a)(5) "Malicious Spyware, Hacking, and Keyloggers", to increase first offense sentences to include a fine and prison terms up to five years. For a second offense under the same section, the prison term would be raised to up to ten years. Language was also added regarding "an attempt to commit an offense punishable under this subparagraph". ("Attempted hacking"?);

A change to Section 1030(a)(7) that would enhance and clarify the definition of Cyber Extortion;

A change allowing a much greater forfeiture of personal property gained as a result of finances obtained via identity theft;

The bill also directs the United States Sentencing Commission to consider 13 points as they seek to increase sentences for these types of offenses.




So what happens next?

Senator Leahy described the bill as being "requested by the Department of Justice", and "supported by a broad coalition of business, high-tech and consumer groups, including Microsoft, Consumers Union, the Cyber Security Industry Alliance, the Business Software Alliance, AARP, and the Chamber of Commerce." (A letter from the Chamber of Commerce was actually read into the Congressional Record in support of the Bill.)

In traditional law-making, bills are introduced in the House and passed to the Senate. This one appears to me to be reversing the process, which means it is now necessary for the House to accept this bill as one of their own. It is now a pressing matter that this bill be voted on by the House and get passed before we all go home for Christmas.

What can you do? Make sure that your Congressman knows about this important bill, and encourage them to get the vote scheduled and to vote in the affirmative for the bill.

Sunday, November 25, 2007

Naked Britney Does It Again!

Today I'm preparing for a lecture tomorrow about Malware and Phishing Risks. When I speak on phishing, I frequently mention that people fall for phishing scams for two primary reasons: Fear and Greed. They are made afraid that their account is about to be lost, or has already been abused by criminals, or they are enticed by the promise of a financial reward for behaving in the way the phisher desires.

When we talk about Malware, we have to add another motivation to the risks: Lust.

This week, we have another round of malware which rides on the desire of email recipients to see Britney Spears naked. The first example is a fairly standard reminder that most anti-virus products do not detect most malware during the first few days of their attack.

In this example, email recipients are told that the attachment to the email contains a "New Britney naked video". What the attached zip file actually contains is a file called "brit.exe", which, of course, turns the infected machine into a bot. Does anti-virus detect it? 53% of AV engines detect it at this time:



The second set of spam uses an assortment of "Britney" subject lines, including:

Britney showed it again!

which connects to a variety of sites with several paths to infection.

Several of the sites linked to from the emails, including velart.net, blurcolombia.com, and agrisanterre.com, had been modified to include an "iframe" which pulled additional code from "meoryprof.info".

The second one I looked at linked to the website of the "Associação Nacional de Pesquisa e Pós-Graduação em Psicologia". On that page, there is a crazy bit of encoded Javascript at the top. When it is decoded, one finds that it links to two sites:

(CAUTION: THESE ARE BAD SITES! DO NOT VISIT!)

http://ramoneymayker.info/

http://spl.vip-ddos.org/

Nope. Nothing suspicious about THOSE names. "VIP Distributed Denial of Service dot org?" I wonder what happens when that box infects a PC?

The owner of "vip-ddos.org" also owns "botnet.cc". Gee. He must have been counting on his encryption preventing us from seeing those names. (AGAIN, don't visit. Even going to the homepage loads malware from certain Malaysian computers.) VIP-DDOS is actually also the name of a popular Chinese attack tool.

So what does it take to become infected by a Drive By Downloader? The temporary temptation to click on a link in an email promising a new Britney picture.

Saturday, November 17, 2007

Private Detective Spam

A disturbing new spam email was received thirty-four times this morning in my spam traps. The email has one of those social engineering bodies that I would imagine to be pure gold as far as its success rate at convincing people to click on the attachment.

Here's the message:


I work in a private detective agency. My name is not important.
I want to warn you that i'm going to monitor your phone line.
Do you want to know who paid for shadowing you? Wait for my next letter.


P.S. I know, you don't believe me. But i think the record of your
yesterday's telephone conversation will change your point. The tape is
in archive. Archive password is 123qwe


The attachment is a ".rar" file, which is a compressed file format similar to a ".zip" file. The fact that many American computer users don't have software on their machines that knows how to open a RAR file may be the only thing that keeps some users safe!

When the file is extracted, it sits in the file list with an icon which would make it seem to be an .MP3 file.



Although if you view it in a different manner, you can see that the file is actually a "Screen Saver" file.



The file name is actually:

"call1105.mp3 (many spaces here) .scr"

Of the thirty-four samples that I received at the beginning of the day:

Nine of them use the subject "attention".

Four use the subject "I'm watching you".

Six use the subject "We monitor your privacy".

Five use the subject "you are watched".

Four use the subject "Your phone is monitored".

Two use the subject "you're being monitored".

Two use "you are being monitored".

Two use "The tape of your conversation".

All have the password of "123qwe".
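The "call1105.mp3 (many spaces) .scr" trick above is mechanical enough for a mail gateway to catch on the filename alone. The following is an added example, not code from the original post: it inspects an attachment or archive member name for an executable extension hiding behind a media-looking decoy extension and a run of padding spaces; the extension sets are assumed common values.

```python
"""Flag attachment names built to disguise an executable.

Added example, not code from the original post. It examines a filename
the way a mail gateway might: is the real (last) extension one Windows
will execute, is there a media-looking decoy extension earlier in the
name, and is the gap padded with spaces so the true extension scrolls
out of view, as in the post's "call1105.mp3 (many spaces) .scr".
Explorer's default "hide extensions for known file types" makes such a
name display as the decoy, which is why the padding matters.
"""
import re

# Extensions Windows executes on double-click (assumed, common subset).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Extensions commonly borrowed as decoys because they look harmless.
DECOY_EXTS = {"mp3", "wav", "avi", "mpg", "jpg", "jpeg", "gif", "pdf", "doc", "txt"}


def analyze_name(name):
    """Return the traits of an attachment name that matter for the check."""
    # Some archivers strip trailing blanks, so ignore them before splitting.
    stripped = name.rstrip()
    parts = stripped.split(".")
    real_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    # Every earlier dotted token, e.g. "mp3" in "call1105.mp3      .scr".
    inner = [p.strip().lower() for p in parts[1:-1]]
    padding = re.search(r" {2,}", stripped)
    return {
        "real_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "decoy_extension": next((e for e in inner if e in DECOY_EXTS), None),
        "padding_length": len(padding.group(0)) if padding else 0,
    }


def is_deceptive(name):
    """An executable hiding behind a decoy extension and/or space padding.
    A bare 'something.exe' is left to the plain extension policy."""
    info = analyze_name(name)
    return info["executable"] and (
        info["decoy_extension"] is not None or info["padding_length"] > 0
    )


def triage_archive(names):
    """Given the member names of an extracted archive (constructed input),
    return the ones a gateway should hold back for inspection."""
    return [n for n in names if is_deceptive(n)]


if __name__ == "__main__":
    sample = "call1105.mp3" + " " * 40 + ".scr"  # constructed, mirrors the post
    print(analyze_name(sample))
    print("hold:", triage_archive([sample, "readme.txt", "brit.exe"]))
```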

As of thirty minutes ago, there were twenty-one anti-virus companies that did NOT detect this as a virus in any way. Eleven companies, according to VirusTotal.com, mostly detected it as a generic "Dropper", though Symantec called it "Trojan.Peacomm.D", which is what it calls Storm Worm viruses.

F-Prot, F-Secure, Kaspersky, McAfee, Microsoft, Sophos, and others do not detect the virus at this time.

Thursday, November 15, 2007

250,000 node Bot Herder Busted (Or is he??)

3G Communications Group offers many security services for their clients:



According to the 3G Communications Group website, there are "More than a million bot-infected computers", and they should know, since one of their Network Security professionals was running 250,000 of them.

3G terminated their 26 year old employee John Schiefer last week as the facts began to emerge. According to a Press Release from the US Attorney's Office in the Central District of California, Schiefer "and several associates" developed malware which they used to build botnets of up to 250,000 computers, which were primarily used for stealing credentials from Paypal and other sites the owners visited.

The case has been called newsworthy because it is the first time that wiretap charges are being leveled at a botmaster.

Schiefer has agreed to plead guilty to:

1. Accessing protected computers to conduct fraud.

2. Disclosing illegally intercepted electronic communications.

3. Wire fraud.

4. Bank fraud.

Schiefer operated online with the handle "AcidStorm". I can't prove that the two are related, but an AcidStorm on one webserver that I visited posts advertisements for well known anti-spyware software, with a convenient link for downloading. The software is real, and the description he gives in the post is real, but why does he suggest you download the software from RapidShare rather than directing you to the real website?

It would be interesting if this was the SAME AcidStorm, because this AcidStorm has uploaded SEVERAL illegally shared (and possibly hacked) programs SINCE pleading guilty on November 9.





Pimp Daddy of Freebies, indeed! *THIS* Acidstorm is at best a software pirate. It will be interesting to see if he is also planting Trojans in his Warez.

Thursday, November 08, 2007

More Good News . . .

No time to give details (lecture in 45 minutes) but . . .

READ THIS: SEVENTEEN INDICTED for phishing, spamming, etc, etc.

Yes, that would be the Vadim Vassilenko who ran "The International Association for the Advancement of Criminal Activity."

Some organizational names are like waving a red flag before a bull.

VADIM VASSILENKO, YELENA BARYSHEVA and JOHN WASHINGTON were indicted today.

A full list of the indicted are on the weblink above.

And Now Some Good News . . .

Todd Moeller and Adam Vitale will join the short list of individuals who know what it feels like to be sentenced under the CAN-SPAM Act. The two were part of an online spam gang that called themselves the "g00dfellas", where Vitale went by the handle "Batch1" or "n1Hustler4Life", while Moeller called himself "Trill".

Before the period of time in question (April 2005 to August 2005) Moeller claimed to be in control of 35,000 spam-sending proxies, which he could use to hide the true origins of his email. He boasted that he could send millions of spam messages per hour. In the operation which ended in their arrest, the two agreed to spam for a $1,500 payment and the promise of 50% of eventual sales of an imaginary anti-spyware software product; AOL intercepted 1,277,401 spam messages which had been sent from 73 unique IP addresses.


Moeller was sentenced today after pleading guilty on June 20, 2007 to:


conspir[ing] with VITALE to send spam e-mails to AOL subscribers, and sent spam e-mails to AOL subscribers using techniques to hide the spam e-mails’ true origin, including the use of computers to relay and retransmit the spam e-mails and altering the spam e-mails’ header information.


Although the DOJ Press Release of the guilty plea indicated that Moeller could have received 11 years sentence, he got off with the relatively light sentence of 27 months in prison. While boasting of his spamming to the potential customer, who turned out to be a Secret Service Confidential Informant, Moeller claimed he was earning $40,000 per month by sending spam that attempted to manipulate the values of certain stocks. In this case, Moeller agreed to spam the CI's product for a 50% take on the sales.

In Adam Vitale's Guilty Plea it says that:


Forensic examination of the spam e-mails indicated that VITALE and MOELLER used two different techniques to conceal from the recipients the source of the spam e-mails and allow VITALE and MOELLER to continue their illegal activity: (1) VITALE and MOELLER used computers connected to the Internet to relay or re-transmit the spam e-mails to make it look like the spam came from those computers, and not ones that could be traced to VITALE and MOELLER; and (2) VITALE and MOELLER altered the header information in their spam e-mails to make it appear the spam e-mails came from a sender other than VITALE and MOELLER.


Vitale is scheduled to be sentenced on November 13th.

Thursday, November 01, 2007

Ron Paul spam and Online Support

Do you ever write something that you think is going to be ignored, like most of the things you write, and suddenly it takes on a life of its own?

At The University of Alabama at Birmingham (UAB), I am the Director of Research in Computer Forensics. What does that mean? It means that I work on three things:

Three Things



I train students who will have CyberCrime related jobs in the future, including Computer Forensics techs, CyberCrime Investigators, Special Agents, and Computer Scientists. Some of my current students are interning with the FBI, the US Secret Service, and the Jefferson County Sheriff just to name a few places.

I do research on CyberCrime related issues, including Phishing, Spam, and Malware. Besides writing about Ron Paul Spam, I've also written about many aspects of the Storm Worm, and have had my research presented at many law enforcement and computer security meetings. My students and I meet with people working in law enforcement and struggling with CyberCrime issues and work on better solutions to these problems. Several students have seen their research projects turned in to active law enforcement investigations.

I do public awareness and training for the public and current professionals. With October being Cyber Security Awareness Month, that was a pretty busy time for me, doing presentations on Spam, Phishing, Botnets, and participating in a Threat Assessment panel for the Congressional Internet Caucus.

Phishing



With regards to phishing, I'm a member of the CastleCops PIRT Squad where our all volunteer staff works to notify webmasters, banks, and law enforcement when someone has placed a phishing site on the Internet, and to provide them data to help them shut it down, and determine who did the attack. I'm also an active member of the Digital PhishNet where I serve on the Technology Committee, and the AntiPhishing Working Group where I co-chair the Working With Law Enforcement committee.

Spam



With regards to spam, I've presented twice at the FBI's "Slam Spam" conference, and have met with more than a hundred law enforcement professionals, security researchers, and lawyers regarding spam and related issues, including the folks who run the Federal Trade Commission's anti-spam lab, which is a fine place to report spam messages -- http://www.ftc.gov/spam/. As soon as UAB is prepared to receive your spam submissions, I'll certainly let you know here!

One of the main research projects we are working on in the Computer Forensics area is our Spam Data Mine for Law Enforcement Applications. We've had a paper accepted for presentation at the Association for Computing Machinery's Symposium on Applied Computing conference in Brazil, and continue to develop our techniques. My co-authors and co-researchers have developed algorithms that "parse" the interesting parts of incoming spam email messages, and then attempt to "cluster" the messages into groups based on similarities between the parsed attributes. We have really big, really fast computers to work on this project, and as our inbound spam volume increases, we have a great team of researchers in the department who specialize in "Grid Computing" who are looking forward to helping us shape our algorithms so they can take advantage of hundreds of processors to allow even more messages to be considered in our clustering and calculations.

In future phases of this research we look forward to having new spam campaigns automatically identified and browsable on a website dedicated to this project.

All of that to make clear to the many dozens of Ron Paul Supporters who have taken their valuable time to send me their thoughts, including a few profane ones, that I am not making this crap up.

How many people do I think were behind the Ron Paul spam? One. And not one that is officially recognized in any capacity by the Ron Paul campaign.

Let me make something very clear. I never said anything that was intended to imply Ron Paul does not have a lot of online support. Is it interesting that others have seen online regularities? Yes. But that doesn't mean that there is not truly a large number of online supporters. In fact, I'll go a bit beyond that and give the Paul-ites some ammunition they can use.

One online research site measures vast amounts of Internet traffic, and then makes estimates of how many UNIQUE AMERICAN COMPUTERS visit a given website. Let's look at how some of the candidate websites stack up:

Fred08.com: 287,000
HillaryClinton.com: 209,000
BarackObama.com: 192,000
RonPaul2008.com: 155,000 UNIQUE IPs
JohnEdwards.com: 115,000
MittRomney.com: 103,000
JohnMcCain.com: 73,000
JoinRudy2008.com: 68,000

Want my source? I'll bet you do. Tell the mad dogs in your midst to stop the obscene phone calls and I'll post it later. haha!

There. Gary Warner of UAB says that Ron Paul's online following is dramatically larger than the offline polls would lead one to believe.

Can we go back to talking about Viagra now?

A Dark and STORMy Night

Just in time for the spookiest night of the year, the Storm botnet recruitment spam switched to a Halloween flavor.

On the evening of October 29th, the Storm worm continued to send spam messages about funny cats or krazy kats, but the websites began to change.
By October 30, many of the spam messages we received had also been modified to match the new theme. Subjects included:

Halloween Fun
To much fun
Watch him dance
You have received an ecard

With bodies such as:

I know you will like this. Heck you might even pass it on. LOL

Just a little Halloween fun.

This thing is to fun. I sent it to everyone. I hope you don.t mind.

Someone has sent you a card to make you laugh. Come see it online!

The volume of Storm recruitment email we are receiving has dramatically reduced this month, though the botnet is still sending quite a bit of Pump and Dump spam. It seems that the Storm Botnet masters still keep track of the holidays. Fourth of July, Labor Day, First Day of NFL Season, and now Halloween.

Monday, October 29, 2007

First 2008 Presidential Spam Campaign?

Does Ron Paul suddenly have a strong support base among foreign computer owners with strange names and multiple personalities? Or is it possible we have the First 2008 Presidential Spam Campaign?

I thought it odd when I logged in to my computer this morning and found an email in which someone declared Ron Paul to be the winner of the Republican Debate yesterday, but then, I have all sorts of odd friends. By the time I had received my fifteenth copy of the email, I knew this was something more than a deluded pseudo-Republican. I thought at first this was a virus, but now it seems to be a plain ole Spam Campaign.

The question, I suppose, is what should be done about it? Will we see fans of other campaigns hiring out spam campaigns devoted to extolling the views and records of their candidates? Will there be an evolving message body on the Ron Paul spam to keep pace with the upcoming events on the campaign trail? It's too early to tell, but we will continue to document the trend from the Spam Lab at UAB.

Here's the body of the email . . .

Hello Scott,

Ron Paul is for the people, unless you want your children to
have human implant RFID chips, a National ID card and create
a North American Union and see an economic collapse far worse
than the great depression. Vote for Ron Paul he speaks the
truth and the media and government is afraid of him. This is
the last honest politican left to bring this country out of
this rut from the War Profiteers and bush Administration has
created. Get motivated America, don't believe the lies of the
media he has also WON the GOP Debate On Sunday! Value Freedom
and Liberty instead of corporate lies and corruption. Bypass
this media blackout they are doing to Ron Paul, tell your family
and friends and get involved in a local group at meetup.com make
your voice heard! He will end the War In Iraq immediately,
He will eliminate the IRS and wasteful government spending, and
eliminate the Federal Reserve and restore power to the people
and the only person not a member on the CFR. Can any other runner
make these claims or give Americans the true freedom we were all
raised to believe? We are all economic slaves to the banks and the
illegal federal Reserve. This is why our currency is worth nothing
because of Hidden Inflation Tax and the IRS taking everything
you make!

** RON PAUL WILL STOP THE IRAQ WAR IMMEDIATELY! **

He has NEVER voted:
* to raise taxes
* for an unbalanced budget
* to raise congressional pay
* for a federal restriction on gun ownership
* to increase the power of the executive branch

He HAS voted:
* against the Iraq war
* against the inappropriately named USA PATRIOT act
* against regulating the internet
* against the Military Commissions Act

He will eliminate the IRS, Wasteful Government Spending &
Stop The Iraq War Immediately!

Most importantly, he voted NO on anything in Congress that
is not allowed by the Constitution. And he Despises any
politican that does not do their job for the people and lives
up to the constitution!

Google.com & Youtube.com Search: "Ron Paul"
Join The Revolution!

***************************************
We Need A Real President That Will Restore And Protect
Americans! Stop The War! Protect Our Borders!
*********VOTE RON PAUL 2008************
ubPOJg

The subject line seems to be selected from a small number of subject lines, and then appended with a random character cluster (perhaps to break spam filters?):

Subject lines:

Vote Ron Paul 2008! ZyhYKbw

Iraq Scam Exposed, Ron Paul TLshVzn

Ron Paul Exposes Federal Reserve bpIHP

Ron Paul Stops Iraq War! gPsLhM

Iraq Scam Exposed, Ron Paul wjtsLBp

Ron Paul Stops Iraq War! LcskHxT

Government Wasteful Spending Eliminated by Ron Paul vpntZRr

Vote Ron Paul 2008! pboLKjr

Who Is Ron Paul? ZTobxay

Ron Paul Exposes Federal Reserve JrZXihF

Ron Paul Stops Iraq War! LyNdrha

Ron Paul Eliminates The IRS! fiqfRZZ

Government Wasteful Spending Eliminated by Ron Paul BtkmlDF

Ron Paul Wins GOP Debate! HMzjoqO

Ron Paul Exposes Federal Reserve SBHBcSO

Government Wasteful Spending Eliminated By Ron Paul mEoHUiR

Government Wasteful Spending Eliminated By Ron Paul HRAyaaI


The spam seems to invent a random first and last name, and combine that with a true email address from the infected machine. Here are sample senders from my inbox:

curtice andrzej - sph@research-int.com - [77.181.200.157] (Germany)

byrann shan - phyllis@faxsav.com - [86.9.35.98] (the UK)

humbert jerrimy - alessand@tvldyn.com - [87.210.63.248] (the Netherlands)

jamey jamal - fataneh@i-qts.com - [124.84.175.218] (Japan)

algernon heung-do - melville@surecom.com - [124.84.175.218] (Japan)

christoforo sharad - fang@ohiohills.com - [124.84.175.218] (Japan)

fabe rosemary - hywel@msn.com - [124.84.175.218] (Japan)

hamil orlando - osulliva@surecom.com - [58.140.151.170] (Korea)

cristobal dai - irma@seagate.com - [58.140.151.170] (Korea)

frants cresswell - aziz@3com.com - [190.86.81.131] (El Salvador)

claudius quinn - avi@shoyher.com - [200.166.91.2] (Brazil)

chaim billie - mukund@atomis.com - [200.166.91.2] (Brazil)

chris field - hal@connecthouston.com - [79.3.4.33] (Italy)

alonso sidharta - cindy@e-business-associates.com - [58.141.39.110] (Korea)

linn ming-hor - jikun@four-soft.com - [196.207.13.18] (Nigeria)

jerad anant - gorog@franceloisirs.com - [218.209.109.27] (Korea)
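The two patterns described above, a fixed set of subject templates with a random cluster appended and an invented display name paired with a real address from the infected host, are exactly the kind of "interesting parts" the Spam Data Mine parses and clusters on. The following Python is an added example written for this post, not code from the UAB Spam Lab; the message list is constructed from the sender lines and subjects shown above plus one ordinary control message, and the heuristics (a token is "random" when it changes case after its first letter; a display name is "invented" when it shares nothing with the mailbox local part; a single IP emitting several identities is a bot indicator) are my own assumptions, not the project's algorithms.

```python
import re
from collections import Counter, defaultdict

# Constructed sample headers, patterned on the sender lines and subjects in the
# post (not a captured feed).  Tuple: display name, From address, relay IP,
# country, subject.  The last entry is a legitimate-looking control message.
SAMPLE_MESSAGES = [
    ("curtice andrzej", "sph@research-int.com", "77.181.200.157", "Germany", "Vote Ron Paul 2008! ZyhYKbw"),
    ("byrann shan", "phyllis@faxsav.com", "86.9.35.98", "UK", "Iraq Scam Exposed, Ron Paul TLshVzn"),
    ("jamey jamal", "fataneh@i-qts.com", "124.84.175.218", "Japan", "Ron Paul Stops Iraq War! gPsLhM"),
    ("algernon heung-do", "melville@surecom.com", "124.84.175.218", "Japan", "Vote Ron Paul 2008! pboLKjr"),
    ("christoforo sharad", "fang@ohiohills.com", "124.84.175.218", "Japan", "Government Wasteful Spending Eliminated by Ron Paul vpntZRr"),
    ("fabe rosemary", "hywel@msn.com", "124.84.175.218", "Japan", "Government Wasteful Spending Eliminated By Ron Paul mEoHUiR"),
    ("hamil orlando", "osulliva@surecom.com", "58.140.151.170", "Korea", "Ron Paul Wins GOP Debate! HMzjoqO"),
    ("cristobal dai", "irma@seagate.com", "58.140.151.170", "Korea", "Ron Paul Stops Iraq War! LyNdrha"),
    ("Scott Example", "scott.example@example.org", "192.0.2.10", "US", "Re: lunch on Friday"),
]

RANDOM_TAIL = re.compile(r"\s+([A-Za-z]{5,8})$")


def looks_random(token):
    """Heuristic (assumption): the appended cluster mixes case *after* its
    first letter ('ZyhYKbw'), which a word ('Paul') or acronym ('NFL') does not."""
    rest = token[1:]
    return any(c.islower() for c in rest) and any(c.isupper() for c in rest)


def subject_template(subject):
    """Strip the random cluster and fold case so 'Eliminated by ...' and
    'Eliminated By ...' fall into the same bucket."""
    m = RANDOM_TAIL.search(subject)
    if m and looks_random(m.group(1)):
        subject = subject[:m.start()]
    return re.sub(r"\s+", " ", subject).strip().lower()


def cluster_by_subject(messages):
    """Group messages by their normalized subject template."""
    clusters = defaultdict(list)
    for msg in messages:
        clusters[subject_template(msg[4])].append(msg)
    return dict(clusters)


def name_mismatch(display_name, address):
    """An invented display name shares no token with the real mailbox it was
    glued to; any overlap is treated as a consistent sender."""
    local = address.split("@", 1)[0].lower()
    local_tokens = set(re.split(r"[._-]+", local))
    name_tokens = set(re.split(r"[\s.-]+", display_name.lower()))
    if name_tokens & local_tokens:
        return False
    return not any(t in local for t in name_tokens if len(t) >= 3)


def multi_identity_ips(messages, threshold=2):
    """A relay that sends under >= threshold distinct (name, address) pairs
    behaves like an infected host cycling through harvested identities."""
    identities = defaultdict(set)
    for name, addr, ip, _country, _subject in messages:
        identities[ip].add((name, addr))
    return {ip: len(ids) for ip, ids in identities.items() if len(ids) >= threshold}


def country_histogram(messages):
    return Counter(msg[3] for msg in messages)


def analyze(messages=SAMPLE_MESSAGES):
    """Run the whole pipeline and return the summary the lab would look at."""
    return {
        "clusters": {k: len(v) for k, v in cluster_by_subject(messages).items()},
        "mismatched_senders": [m[1] for m in messages if name_mismatch(m[0], m[1])],
        "bot_ips": multi_identity_ips(messages),
        "countries": country_histogram(messages),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

On the constructed sample the eight spam messages collapse into five subject templates, every spam sender trips the name mismatch check while the control message does not, and the two relays that appear with several identities (the Japanese and Korean IPs above) are flagged. Real feeds need the random-token rule tuned per campaign, since a later campaign may pick a different padding style.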

Friday, October 26, 2007

How Many Websites Can a Hacker Hack without Being Prosecuted?

Apparently the answer to that is TENS OF THOUSANDS, or more.

IskorpitX, the tutor of an entire generation of Turkish hackers, will shortly be able to claim that he has broken into 200,000 websites. (He's currently at 191,000 according to one popular hacker watching website).

Brazilian hacker Fatal Error runs a distant second, having broken in to "only" 32,000 websites according to the same source.

Wouldn't you say that would make them "targets of interest" for law enforcement activity? Sadly, that is not the case. Perhaps, you think to yourself, they have only attacked "low value" websites. Perhaps they are brand new to the scene? If only that were the case! Fatal Error, who lists many US Government websites, and even my home state of Alabama government websites, among his victims, has been actively attacking websites since 2002.

IskorpitX has been defacing websites since at least 2003, and has the governments of Argentina, Australia, Brazil, China, Colombia, France, India, Italy, Korea, Malaysia, Peru, the Philippines, Thailand, Venezuela and South Africa among his many victims. Of course the US government is on the list as well (such as the National Endowment for the Humanities), as are Harvard University and Bank of America.

IskorpitX even has his own YouTube videos!

http://www.youtube.com/watch?v=ahqSeJvM2XU

http://www.youtube.com/watch?v=jTah9ckvV3Y

Other Turkish "Cyber Warriors" have even done television news interviews about why they hack websites!

http://www.youtube.com/watch?v=w4QgEsuTZrM


Here's one interesting hacker this week and the victims which are still lying around in Google's cache:

I found it interesting because this hacker is using SQL injection exploits such as we've seen on several high profile attacks in the past, including the National Institutes of Health and the United Nations. In this case, a content management system is being SQL injected to replace the "titles" of things with the name of the hacker.
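Why would one injected request rename every news item or every product in a store at once? The usual cause is a CMS update handler that pastes a request parameter into the WHERE clause, so the clause stops matching one row and matches them all. The following Python/sqlite3 snippet is an added illustration, not code from any of the sites named on this page: it builds a constructed four-row content table, shows the flawed handler beside a parameterized one that also validates the id's type, and ends with the detection sweep a webmaster would run for the title string quoted on this page.

```python
import sqlite3

# The replaced-title string quoted in this post, used here as the detection marker.
DEFACEMENT_MARKER = "OwneD by RootDamages by FasT"


def build_cms():
    """Constructed sample CMS table: two news items and two shop products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, kind TEXT, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (1, "news", "Quarterly results announced"),
        (2, "news", "New office opens"),
        (3, "product", "Widget, blue"),
        (4, "product", "Widget, red"),
    ])
    conn.commit()
    return conn


def rename_vulnerable(conn, page_id, new_title):
    """The flawed pattern: the page id taken from the request is pasted into
    the statement text.  A value such as "3 OR 1=1" turns the clause into
    'WHERE id = 3 OR 1=1', which is true for every row, so every title changes."""
    sql = f"UPDATE pages SET title = ? WHERE id = {page_id}"   # the bug
    cur = conn.execute(sql, (new_title,))
    conn.commit()
    return cur.rowcount


def rename_hardened(conn, page_id, new_title):
    """Validate the type first, then bind both values as parameters so request
    data is only ever treated as data.  int() raises ValueError on "3 OR 1=1"."""
    page_id = int(page_id)
    cur = conn.execute("UPDATE pages SET title = ? WHERE id = ?", (new_title, page_id))
    conn.commit()
    return cur.rowcount


def find_defaced(conn, marker=DEFACEMENT_MARKER):
    """Detection sweep: every (id, kind) whose title carries the marker."""
    return conn.execute(
        "SELECT id, kind FROM pages WHERE title LIKE ?", (f"%{marker}%",)
    ).fetchall()


def demo(tainted_id="3 OR 1=1"):
    """Run the same tainted request against both handlers and report the impact."""
    results = {}

    conn = build_cms()
    results["vulnerable_rows_changed"] = rename_vulnerable(conn, tainted_id, DEFACEMENT_MARKER)
    results["vulnerable_defaced"] = find_defaced(conn)

    conn = build_cms()
    try:
        results["hardened_rows_changed"] = rename_hardened(conn, tainted_id, DEFACEMENT_MARKER)
    except ValueError:
        results["hardened_rows_changed"] = 0      # request rejected before it reaches SQL
    results["hardened_defaced"] = find_defaced(conn)
    # The hardened handler still works for a normal, well-formed request.
    results["hardened_legit"] = rename_hardened(conn, "3", "Widget, green")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable handler reports four rows changed and the sweep finds all four defaced; the hardened handler rejects the tainted id, leaves the table untouched, and still renames exactly one row for a legitimate request. The same sweep, pointed at a real content table, is a cheap way to confirm whether a site found through the search string above is actually affected.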

Google for the string "OwneD by RootDamages by FasT", and you'll find some interesting victims among the 26,100 pages being returned.

How about The Department of Veterans Affairs and their Cooperative Studies program?

www.vacsp.gov/news.cfm
www.csp.gov/news.cfm

(Although the Malaysian government also got a visit:

www.mygeoportal.gov.my/faq.cfm)

Or the Michigan Bar Association?

www.michbar.org/news.cfm

Systems Integrator "Regan Technologies"?

www.rtcorp.com/news.cfm

The Esalen Center for Theory & Research still has pages with the title "OwneD by RootDamages by FasT", such as:

http://www.esalenctr.org/display/confpage.cfm?confid=10&pageid=105&pgtype=1

As does Applied Robotics:

http://www.arobotics.com/about/company_news/news_details.cfm?ID=17

But they weren't just limited to News articles. I think I'd feel very safe using a shopping cart where every product in the online store had been renamed to "OwneD by RootDamages by FasT", such as those at MetroPole360:

http://www.metropole360.com/productcat.cfm?productCatID=3

But you don't have to be a business to have an insecure webserver. Just ask the National Limousine Association, or the NorWest Dog Training Club:

http://209.85.165.104/search?q=cache:d_YOcnX94A4J:norwestdogtraining.co.nz/Newsletter.cfm

http://209.85.165.104/search?q=cache:aN6AmMtGh0kJ:www.limo.org/scriptContent/t_inside.cfm

One subject "that comes up over and over again on Ducati Online" is "OwneD by RootDamages by FasT" according to this news article:

http://www.ducati.net/faq.cfm?id=4

They're even having a conference on the topic in Brazil at the Psychology Congress. September 7th was their conference on "OwneD by RootDamages by FasT". They expected 6 thousand people to attend.

So how many websites will these hackers be allowed to deface before someone decides to arrest them?

Monday, October 15, 2007

Is Your Fifth Grader Smarter Than a Laughing Cat?

Have you seen the television show "Are You Smarter Than a Fifth Grader?" I've been thinking about a variation of that question as I consider the newest version of The Storm Worm.

This morning on the "Good Morning, Alabama" show as I discussed the Storm Worm, the weatherman laughed and said "Fortunately, I pretty much stay away from laughing cats". So do most adults with bank accounts. Ask the question another way though: "Is there anyone who uses your computer who is into laughing cats?"

Laughing Cat Storm Worm


Twenty of the twenty-nine anti-virus products I scanned this particular virus with (using VirusTotal) did not report an infection. As of this writing, ClamAV, F-Prot, F-Secure, Microsoft, Panda, and Symantec were among the anti-virus programs that said "No Virus Found" for this current malware.

Previous versions of the Storm Worm have used things such as Greeting Cards, an NFL Game Tracker, Labor Day greetings, Fourth of July greetings, and even Virus Alerts as means to trick people into visiting the malware site.

UAB's Computer Forensics research area will continue to study and document the storm worm until we can find a way to identify the criminals and bring them to justice.

I'll be giving a Public Lecture on Botnets this Friday (October 19th) at the Hull University Center Auditorium.

Saturday, September 22, 2007

Is the Internet a Prosecution-Free Zone?

Jörg Ziercke, the chief of the Bundeskriminalamt (BKA) in Germany, was quoted in a press release on the BKA website, following simultaneous phishing raids in Bad Homburg, Düsseldorf, Köln, Frankfurt and Elmshorn. His words lay down an interesting challenge:

"This case shows once more: Criminal organizations are increasingly using the Internet in order to make enormous profits with an allegedly low risk of discovery." He said that prosecutors are constantly facing new challenges regarding Cyber Crime, but that "the Internet cannot develop into a prosecution-free zone."

That's exactly what's at risk. We have to decide whether the Internet is going to be patrolled and prosecuted just like the streets and alleys of our cities, or whether we are going to allow crime to occur unabated there.

In the BKA case, two women, aged 22 and 23, and six men, aged from 20 to 36 years old, have been imprisoned pending their court appearance. Two others are also charged but were not taken into custody.

Sounds good, and congratulations to the BKA! But what about all the other phishers? So far in September, we've made positive confirmation on more than THREE THOUSAND phishing sites in UAB's Computer Forensics Research lab. We can't continue to allow it to take 18 months before a phishing investigation leads to charges.

The more evidence we gather, and the more relationships we find between phishing campaigns, the greater the chance that we can get some law enforcement action.

Remember, if you hear of someone who has been a victim of Identity Theft, Phishing, or any other Cyber Crime, please make sure they fill out a complaint at the Internet Crime and Complaint Center, http://www.ic3.gov/.

Also, if there has not been a financial loss, phishing sites still need to be reported! When you receive a phishing email, please help by sending it to:

pirt@castlecops.com

or by using the webform at:

http://www.castlecops.com/pirt

Let's make sure the Internet doesn't become a "Prosecution-Free Zone".

Tuesday, September 04, 2007

TJX: From Florida to the Ukraine?

Last week the media lit up with speculation that 24-year-old Ukrainian hacker Maksym Yastremskiy, who had been arrested in Turkey on August 2nd, may be behind the TJX credit card hack. The Boston Globe's Ross Kerber may have had the best coverage with his August 21 story "Suspect named in TJX credit card probe". The story quoted Greg Crabb of the US Postal Inspection Service's global investigations division. Crabb said Maksym was "likely the largest seller of stolen TJX numbers". TJX, the financial company in the TJ Maxx conglomerate, believes that as many as 45.7 million credit cards were stolen during a breach in 2005 and 2006, which captured credit card transactions going all the way back to 2003.

How's your Turkish? This August 2nd article, "Antalya'da yakalanan Ukraynalı hacker 80 bin kişiyi dolandırmış" ("Ukrainian hacker caught in Antalya defrauded 80 thousand people"), interviews Turkish police officer Feyzullah Arslan, who arrested Maksym after a sting in a luxury night club in Kerem, Turkey.

The investigation followed the money. It began with 10 guilty pleas in Florida back in March from a crew of careless cyber criminals who had racked up millions of dollars in purchases from Wal-Mart and other Florida retailers using stolen credit cards that tracked back to TJX. The Florida investigation actually started when Gainesville police were contacted about two local Wal-Mart stores that had made individual gift-card sales in the amounts of $18,000 and $24,000. HINT: IF SOMEONE WANTS $24,000 IN WAL-MART GIFT CARDS, THERE MAY BE A CRIME LYING ABOUT.

Those cards were used at a Sam's Club in Miami, along with many other cards, to buy large quantities of electronics and jewelry. At that time, the cards were all tracked back to TJX, and an estimate of the loss from the database hack was released in the news -- Gainesville police Sergeant Ray Barber revealed "They estimate the loss from that hack job to be around $8 million", although this particular crew had only rung up $1 million in charges so far. (See, for example: "Florida police make arrests in TJX, Winners credit card theft".)

The first six, arrested March 19, were:

Irving Jose Escobar, 18
Reinier Camaraza Alvarez, 27
Julio Oscar Alberti, 33
Dianelly Hernandez, 19
Nair Zuleima Alvarez, 40
Zenia Mercedes Llorente

All ten, including the additional:

Erick Fernandez Rodriguez
Hector Alfaro Rodriguez
Alexis Arcia
Armando Ochoa

have Mugshots posted on eweek.com.

A USA Today story maps out Irving Escobar's shopping spree, where he bought as many as 60 $400 gift cards in a single location and then spent the money from November 1st to January 18th.



The big break in this first case came when an alert Wal-Mart employee followed the gift card purchasers out of the store and recorded their license plate number. (For more, see the March 24, 2007 Boston Globe story by Ross Kerber, quoted here: Scam May Be Tied to Stolen TJX Data.)

A second Florida-based TJX gang pleaded guilty in late June. This group was charged with possessing 172,000 sets of credit card data, which had been used to make at least $75 Million in bogus credit card charges. Arrested in this scam were:

Miguel Alegria, 46, of Hialeah, FL
Raynier Pupo, 22, of Miami, FL
Ariel Montero, 32, of Aventura, FL
Javier Padron-Bravo, 35, of Aventura, FL
Julio Lopez, 30, of Hialeah, FL
and Anett Villar, 26, of Hialeah, FL

Alegria, Pupo, Montero, and Padron-Bravo pleaded guilty to conspiracy in exchange for a plea agreement that included cooperation.

The Nashville Secret Service ran the investigation as "Operation Blinky" named for the first suspect's online name, which they co-opted as an undercover identity. For more see: TJX, Polo Data Surfaces In Another Credit Card Bust.

Friday, August 31, 2007

The World v. AllofMP3.com & Russian Copyright Law

Music collectors on the Internet got a mixed message this week as a Russian court found that Denis Kvasov, the head of AllofMP3.com was innocent of all charges.

While Napster, iTunes, WalMart and other online music retailers sell songs for 75 cents to 99 cents each, AllofMP3.com had nearly as large a selection and sold tracks for a mere 10 cents apiece or entire albums for $1 apiece.

The US-based music industry cried foul, and the US Department of Commerce agreed, making the closure of AllofMP3.com a requirement in Russia's 2006 attempt to join the World Trade Organization. Eight online music sites in Russia were shut down, and criminal charges brought against their owners in July, prior to the WTO Summit.

The company's website made clear that users should make sure the use of AllofMP3.com did not violate copyright laws in their home country.

No news on the RIAA Lawsuit against AllofMP3.com, where they are asking for $150,000 in damages for each of the 11 million songs in their catalog, or a $1.65 Trillion lawsuit.

In Russia, the copyright law holds that selling copyrighted material is legal if a 15% royalty payment is paid to ROM, the Russian Organization for Multimedia and Digital Systems. Oleg Nezus, speaking for ROM, says that all of the major record labels have royalty payments waiting for them in Russia, but EMI and Universal have refused to accept their payments, not wanting to send the message that 10 cent downloads are adequate for their constituents.

Zemchenkov, of the Russian Anti-Piracy Organization was praising Russia's newly beefed up anti-piracy laws, which carry penalties of up to six years in prison for DVD pirates, as recently as April -- see: Hollywood Reporter: Putin Beefs Up Penalties for Piracy. Now, he is saying this lack of action against AllofMP3.com "sets a very bad precedent".

Zemchenkov, whose organization has the support of the Motion Picture Association (MPA), has been active in the Coalition for Intellectual Property Rights, and has attended all of the meetings of the "Russian Federation IP Working Group". CIPR also produces a monthly newsletter about IPR issues in Russia. In their most recent issue they conclude their summary of the case with this statement:

the court was not convinced that EMI, Warner and Universal Music have rights to the music sold by Allofmp3

citing as their source this August 16th article in vedomosti.ru:

"Вину Allofmp3 не доказали" ("Allofmp3's Guilt Not Proven")

The court acquitted the former general director of Mediaservices, which owned the online music store Allofmp3. The prosecutor's office accused him of violating the rights of record companies, but the court found no evidence that EMI, Warner and Universal Music actually own the rights to the music that Allofmp3 sold.

Which means (gar's rough computer-assisted translation):

The court absolved the former general director of MediaServices, which owned the internet music shop Allofmp3. The office of the public prosecutor accused him of violating the rights of the production companies, but the court did not find evidence that EMI, Warner, and Universal Music really own the rights to the music which was sold on Allofmp3.

The prosecutor in the case had claimed that from September 4, 2003 until December 1, 2005, Kvasov had infringed on the rights of Universal, Warner, and EMI by distributing music for which they owned the rights.

The ruling went on to find there was no reason they could not return to business, which AllofMp3.com announced on their website this morning with the headline "The Service Will Be Resumed".

The press release, dated August 31st, says:

"The service will be resumed in the foreseeable future. We are doing our best at the moment to ensure that all our users can use their accounts, top up balance and order music."

This is a major blow to copyright holders around the world, as it sends a message that as long as you pay your license fee to the Russians, you can sell anything you want for any price you want. The Russians did make 1600+ arrests for copyright infringement in 2006, but it is believed these were cases against people who hadn't paid their local "fees".

A survey of Intellectual Property brand owners conducted in 2006 by CIPR had found that 6% believed the situation with regards to IPR in Russia had improved significantly while 46% believed it had improved slightly. (See Survey Results). I wonder what they will think after this ruling?

Tuesday, August 28, 2007

How Far Would You Travel for $7 Million in Gold?

How far would you travel for $7 million in gold bars? For Igor Klopov of Moscow, Russia, the answer was "all the way to Manhattan".

In an August 16, 2007 Press Release from the Manhattan District Attorney's office the full scheme was laid out as charges were pressed against Klopov and his four American co-conspirators.

Klopov found his inspiration as he read the Forbes 400 Richest People, determining that these would be the perfect victims. Using a combination of computer hacking, open source investigation, and actually hiring private detectives, he built profiles on his targets, but he felt safer using Americans to do his dirty work.

Using Monster.com and CareerBuilder.com, Klopov recruited Americans who would act as his agents to do the "real world" work. Klopov provided them with First Class air fare, 5-star hotels, limousine service, fake identities, and all of the false documents necessary to accomplish his frauds.

The co-defendants who were charged last week include:

Westley Watson, 37, Detroit, MI
Lee Monopoli, 41, Fort Lauderdale, FL
James Dalton, 33, Conroe, TX
Richard Hoskins, 29, London, KY

JP Morgan Chase alerted law enforcement when they realized that James Dalton was attempting to withdraw $7 Million from the account of Charles Wyly. The Manhattan Identity Theft Task Force went into action, setting up an undercover sting.

In this operation, an undercover Secret Service agent managed to get himself "recruited" by Klopov. As proof that the transaction was completed, he arranged to have himself photographed with $7 Million in gold bars, which Klopov decided to come and handle himself.

He "snuck in" to the country on a private plane to meet the undercover officer, who arrested him at the airport in New York back in May.

Monday, August 20, 2007

Aggravated Identity Theft Law in Action

There are so many interesting angles to the story this week about a case in Tucson, Arizona. The conviction actually went down in March 2007, with Jacob Vincent Green-Bressler, now 21 years old, being one of the 16 individuals who had been indicted in 2005 for trafficking in stolen identities. (See: Global Web Fraud Case has 17 Local Indictments in the Arizona Star, November 8, 2005.)

Green-Bressler and company were not identity thieves themselves. They were not putting together phishing sites. They instead served in the role of "cashiers". A "cashier" in the Identity Theft business is someone who is willing to perform the risky role of converting the stolen identity information into an ATM Card and using that counterfeit card to drain a bank account.

During their time of activity, Jacob's gang obtained identities for 4,500 individuals from criminal conspirators in at least 20 countries, including Vietnam, Pakistan, Jordan, Egypt, the Philippines, Macedonia, Romania, Estonia, Lebanon, Mexico, France and the United Kingdom. They then used those identities to create counterfeit ATM cards which they used to steal and send overseas nearly $300,000 from various banking accounts. As their commission on these services, Jacob and friends kept $148,000 -- a 50% commission!

So what does this have to do with the Aggravated Identity Theft Law?

Jacob's original sentence would have been sixty months for his crime, but because of Title 18 section 1028A, the Aggravated Identity Theft Act, a mandatory +2 years is added to the jail time. With criminals getting so many light sentences for cyber crimes, it's nice to see someone getting the Extra Two.

That's one of the reasons the Attorney General supported this act back in 2002. See this Congressional Testimony from Dan Collins, the Chief Privacy Officer of the US Department of Justice at the time. S.2541, the "Identity Theft Penalty Enforcement Act" was a good idea, and one that should be used more often in the courts.

The full list of defendants in this case:

Robbin Shea Brown, 24
Jacob Vincent Green-Bressler, 19
Joshua Trever Lee Breshears, 20
David Lee Merrill, 25
Corrine Dazette Perez, 24
Richard Daniel Staton, 24
Rollin Edward Vaughn II, 23
Randi Michelle Rodela, 20
Joseph David Wallum, 20
Joseph Robert Jando, 21
Martin Corey Halula, 19
James Dennis Olsen, 19
Steven Don Olsen, 23
Christopher James Griffin, 23
Daniel Roy Leon Mendez, 20
Robin Duane Brown, 52
Ana Marie Honeycutt, 32

(See: http://www.usdoj.gov/usao/az/press_releases/2005/2005-199(Brown%20etal).pdf )

I look forward to seeing how many of the others also get a taste of the Aggravated Identity Theft penalties!

Monday, August 06, 2007

AffPower Indictments Scare Affiliates!

Today I heard the news that the "AffPower" drug network is being shut down, starting with 18 arrests in Texas, Florida, Colorado, New York, and Oregon.

Congratulations, Corbin A. Weiss, Special Assistant US Attorney with the Computer Crime and Intellectual Property Section of the DOJ! What a great indictment!

Here's a link to the full Indictment (caution: 124 pages!)

http://www.courthousenews.com/Affpower.pdf

I have to say, I LOVE to hear about scared bad guys, and THIS one has people scared who have previously considered themselves bulletproof. Why? Because the AFFILIATES are also being arrested.

The 18 are:

3 doctors
2 pharmacists
1 pharmacy operator
1 credit card processor
and
8 website affiliates

Mark Anthony Heredia, Manager and administrator in the Affpower enterprise in San Jose, Costa Rica;

William Polk Harrington and Todd Wurtzel, AKA "Sonny Gallo", recruited doctors and pharmacies to participate in the Affpower enterprise and managed the doctors they recruited;

Claude Covino, operated Saveon RX Pharmacy in Florida, part of the Affpower enterprise, and recruited other pharmacies to participate;

Dolores Lovin and Mary Aronson, owned, operated, and were licensed pharmacists working in St. Vrain Pharmacy in Colorado;

Subramanya K. Prasad, MD, Chandresh B. Shah, MD, and Gerald C. Morris, MD, were licensed medical doctors who issued prescriptions for controlled and non-controlled prescription drugs through and on behalf of the Affpower enterprise;

Philip James Bidwell, 50, of Frisco, TX, is accused of operating multiple affiliated websites and recruiting other affiliates to the enterprise and managing them. He has been released on $1 million bail.

Henriko Chung is charged with the same activities as Bidwell.

David Eldon Fisher, Richard Edward Koch, Jeffrey A. Light, (Name Withdrawn By Request), Peter P. Bragansa, and Bessie K. Ricoarango were Affpower affiliates who operated multiple affiliate websites.

Nathan Jacobson was the owner and manager of RX Payments, Ltd, a credit card processing agency in Tel Aviv, Israel.

How hard are they hitting the Website Affiliates?

Jeffrey A. Light, 44, of Heath, TX, has been released on $1 million bail.

(Name withdrawn by request), 46, of Dallas, has been released on $500,000 bail.

Chandresh Shah faces additional charges in Georgia, Subramanya Prasad faces additional charges in Kentucky and Ohio, and Gerald Morris faces additional charges in Massachusetts, the states where each was licensed to practice medicine.

Dolores Lovin and Mary Aronson face additional charges in Colorado, and Claude Covino faces additional charges in Florida, the states where they were licensed in pharmaceutical practice.

ALL of the defendants face racketeering charges and much more in this 313 count indictment.

--------------

But does this really scare the bad guys? ABSOLUTELY! Let's drop in and visit a few websites where the bad guys talk about their pill-spamming and see what they are saying:

We'll start at RxAffiliateForum.com.

http://rxaffiliateforum.com/showthread.php?t=5280

ChesterCoperPot, an RXAffiliateForum member since 2003 who has made more than 400 posts to this forum, starts things off by quoting in bold text "AND EIGHT AFFILIATE WEBSITE OPERATORS".

Pillz, a "senior member" with over 200 posts, adds:
"BTW, the gov't is going for RICO on this."

RxRob, another "senior member" with over 1400 posts, says:
"OMFG, they charged Bess (WICKED on this forum). She was just an Affiliate!"

Rumple, trying to stem the panic, posts:

------------

"Settle down boys and girls......

Trying to win a case against an affiliate would be very hard to do, the reason you never hear about affiliates being charged is because it would be damn hard to prove without a doubt in a court that an affiliate knew that Affpower was breaking the laws that they were breaking...

You didn't touch any of the money being moved into Dave's accounts and you didn't handle any of the drugs being shipped .........so stop worrying

It would be a waste of time and effort for the government to even try to get a case against an affiliate that it could win, you would have to have direct business dealings with Dave for them to have something on you..."

--------

And that is EXACTLY what needs to happen if we are going to stop pill-spam. If the government is serious about wanting to stop this, they need to convince the jury and the sentencing judge that it doesn't matter if they "touched the money" or if they didn't "handle the drugs". What matters is that their behavior makes this entire scheme possible, and puts American lives in danger for their own greed.

Some of the websites involved include:

==========================
Let's peek in on a couple more forums and see how the affiliates are taking the news so far:

-------

http://www.epharmacywatch.com/freeboard/ubbthreads.php/ubb/showflat/Number/536852

On ePharmacyWatch everybody wants to know WHICH WEBSITES are involved! They are also scurrying to see if the sites they are selling for do business in Cyprus.

Sadly, several of the posts make it clear that some of these poor suckers think they are "following the rules" and doing pill-spam for prescription drugs in a "legal" way! DOH!

(One Hundred Seventy Two users had logged in to this forum in the previous 30 minutes when I was reading it!)

------


http://www.drugbuyers.com/freeboard/ubbthreads.php/ubb/showflat/Number/536852

(182 registered users in the past 30 minutes!!!)

This thread is also mostly about posters wondering if what they are doing is really illegal or not! Amazing!

------

Shroomery.com laughs at them all and points out that Magic Mushrooms don't use prescriptions. (a photo of a cow says "This is my pharmacist!")

------

Online Justice: Slow and Incomplete

Last week the online media went nuts over the sentencing of Christopher William Smith, known to anti-spam researchers as "Rizler". I'd like to stand at the front of the line in congratulating Assistant US Attorney Nicole Engisch and US District Judge Michael Davis for sticking it to Rizler with a THIRTY YEAR SENTENCE!

Rizler has been spamming an enormous volume for a long time. The 211-page complaint against Rizler by AOL documented over 1.1 BILLION emails that Rizler had sent -- just to AOL subscribers!

Rizler was arrested in a raid on May 10th, 2005, in which his 85-employee company, Xpress Pharmacy Direct, was shut down and in which $4.2 Million in assets, including $1.8 Million in luxury automobiles, was seized. After skipping bail and fleeing to the Dominican Republic, Rizler had restarted his spamming operations within a matter of weeks. His websites, such as rxorderfill.com, xpress-rx.com, digihealthcorp.com, mypillrefills.com, and netmeds.com, claimed to operate legally by having a real doctor read the answers to your online profile questions and prescribe your medications from his office in New Jersey. Rizler paid Dr. Philip Mach $7 per prescription for these services . . . more than 20,000 times in one four month period!

Spamhaus's Steve Linford told Silicon.com's Will Sturgeon back at that time, "Rizler was way up in our Top Ten". (Silicon.com The Spam Report, 06JUL05)

Good story, right?

Well . . . how is it that Rizler is charged with operating a "continuing criminal enterprise" and "conspiracy", but there don't seem to be any co-conspirators?

Bernadette Hollis, who was in charge of acquiring the Hydrocodone for the online pharmacies, and in whom Smith confided his desire to kill one of the prosecution's chief witnesses, walks away with one year of probation and forty hours of community service.

Alton Scott Poe was described as being an innocent office manager, who was brought in to instill good business practices. Apparently the judge bought this story, or perhaps nobody ever heard of the Online University that Poe ran? The lawsuit against Alton Scott Poe and his brother lays out their online scheme for selling diplomas for between $300 and $500, complete with an imaginary transcript showing what grades you received in what classes! Innocent Office Manager? He'll do 6 months for assisting in the sale of millions of dollars of illegal drugs. I wonder what scheme he'll launch in six months and one day?

Wednesday, July 25, 2007

GAO: CYBERCRIME Challenges

On July 20, 2007 I began my first day of work at The University of Alabama at Birmingham as the Director of Research in Computer Forensics. The position came about as a result of one fundamental issue that we have been working on together between the chair of Computer & Information Sciences and the chair of Justice Sciences: How can we better equip CyberCrime Investigators to do their job? The first part of our answer was to encourage more Academic partnership, where students would seek a "Certificate in Computer Forensics" by studying courses from both departments. We called this initiative "Training Digital Detectives for the 21st Century". The second portion was to begin hosting more training on CyberCrime Issues, such as The Birmingham Conference on Phishing on March 13-15, 2007, and the Identity Theft Summit held June 10-11, 2007. The third part was to create my position, and to begin focusing our joint research efforts on topics that would provide better techniques, tools, and training for CyberCrime Investigators.



With that background, you can imagine how reinforcing it was to see Federal Computer Week's article on July 23, 2007 -- FBI, Secret Service must improve CyberCrime Training. The article begins:

The FBI, the Homeland Security Department and other federal agencies are underequipped and lack enough properly trained employees to combat cybercrime, according to a recent report by the Government Accountability Office.

GAO found that staffing was one of four major challenges to addressing cybercrime.


The publication being referred to was GAO-07-705: CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats. This document, from David Pownder's group at the Government Accountability Office, says "The annual loss due to computer crime was estimated to be $67.2 Billion for US organizations" with the majority of that, $49.3 billion, being related to Identity Theft, and $1 billion associated specifically with phishing. That same opening letter pointed out that in addition, we know "Chinese military strategists write openly about exploiting the vulnerabilities" used by our military computing infrastructure, and that "terrorist organizations have used cybercrime to raise money to fund their activities". In 2006, it is estimated that there were 9.9 Million US consumers who suffered from Identity Theft.

It's our economy that is at risk. In the report's background it lists that "150 million US citizens" use the Internet, and that in 2006, "total nontravel-related spending on the Internet was estimated to be $102 Billion". And spam, according to a Ferris Research report cited by GAO, has a "global cost of $100 billion worldwide, including $35 billion in the United States".

As president of the Birmingham InfraGard, and a recipient of the 2006 "Partnership Award" from the IC3 and NCFTA, I was pleased to see the report listing "Key Partnerships Established to Address CyberCrime":


  • Internet Crime Complaint Center (ic3.gov)
  • InfraGard
  • The National Cyber Security Alliance
  • National Cyber Forensics and Training Alliance (ncfta.net)
  • Electronic Crimes Task Forces


The key challenges listed in the report are:


  • Reporting CyberCrime
  • Ensuring adequate law enforcement analytical and technical capabilities
  • Working in a borderless environment with laws of multiple jurisdictions
  • Implementing information security practices and raising awareness


Reporting CyberCrime


When surveys say 9.9 Million Americans lost $49 Billion to Identity Theft last year, it's astounding that the Internet Crime & Complaint Center only had $180 Million in loss reports filed from 260,000 consumers. Some of the reasons GAO gave for this under-reporting were:


  • Financial Market Impacts - (will my stock tank if I tell you I was hacked?)
  • Reputation or confidence effects - (will my customers flee if I tell the truth about my brand's phishing losses?)
  • Litigation concerns - (will my customers sue me?)
  • Signal to attackers - (will other hackers pounce on me?)
  • Inability to share information - (is my data sequestered by the legal process?)
  • Job security - (will my IT staff be fired?)
  • Lack of law enforcement action - (will the cops do anything? do they know what to do?)


LE Analytical and Technical Capabilities



From the report:


Federal and state law enforcement organizations face challenges in having the appropriate number of skilled investigators, forensic examiners, and prosecutors.

...

officials, once an investigator or examiner specializes in cybercrime, it can take up to 12 months for those individuals to become proficient enough to fully manage their own investigations.


Some of the key challenges mentioned include the great possibility that a trained cybercrime investigator will be lured to the private sector by the much higher salaries their skills may demand in that arena. Within the FBI, the policy of rotating new agents to one of the 15 largest offices within 3 years often means that an agent recruited for their cyber abilities is assigned to a non-cyber position in their new office! (This happened to one of our favorite cyber agents in Birmingham, who is now in a non-cyber post in Miami!) These same rotations also mean that agents brought in to fill these new cyber-vacancies may have little or no cyber training. Even senior agents (supervisory agents) are limited to serving a 5 year term in their role if they wish to seek career advancement.

Keeping Up to Date with Technology and Techniques



The report also expresses the concern that cybercrime is evolving at a rate which requires new equipment and tools "and agencies' need for them does not always fall into the typical federal replacement cycle". Some of the training gaps are being met creatively within agencies by having centralized talent pools, such as the DOD Cyber Crime Center (DC3.mil), FBI Cyber Action Teams, and the Secret Service training programs for federal, state, and local officials (such as the new Center just opened in Hoover, Alabama!) These are all great, but often the resources are still too limited for the scope. These are supplemented by "public/private partnerships, like the FBI’s Infragard and National Cyber Forensics Training Alliance and the Secret Service’s Electronic Crimes Task Forces, [which] provide ways to share expertise between law enforcement, the private sector, and academia."

Borderless Crime



Key challenges in this area are:


  • techniques that "make it difficult to trace the cybercriminals to their physical location".
  • "the multiplicity of laws and procedures that govern in the various nations and states" - such as the fact that not all states or nations have antispam or antispyware laws.
  • "Developing countries, for example, may lack cybercrime laws and enforcement procedures."
  • The "need to rely upon officials of other jurisdictions to further investigate the crime."
  • "Conflicting priorities also complicate cybercrime investigations and prosecutions."
  • "Cybercrime can occur without physical proximity to the victim, and thus a cybercriminal can operate without victimizing a citizen in the jurisdiction or federal judicial district in which the crime originated." - It is difficult to commit local resources to investigate crimes that have no local victims!


Raising Awareness


"Criminals prey on people's ignorance". Ignorance of vulnerabilities. Of how to detect phishing. Of how to report CyberCrime.



In response to this report, the FBI mentioned that Director Mueller has established five "career paths" for agents, one of which will be a Cyber track. This will allow cyber agents to remain where their skills can be made most effective.

The Secret Service also responded, stating that their Electronic Crimes Special Agent Program (ECSAP) will have 770 trained and active agents by the end of FY 2007. Their response also mentioned their 24 Electronic Crimes Task Forces, which "combine the resources of state and local police, as well as academia and private industry", and their importance in maintaining a continuity of investigative ability even as new ECSAP agents face their 4th year rotations.

The Birmingham Electronic Crimes Task Force meets Quarterly according to their website. More information about the next meeting from 731-1144 or "bhmecwg@einformation.usss.gov".

Monday, July 23, 2007

CyberSecurity Enhancement Act of 2007

It's time to rally the troops on the political front once again. Those of you who know me know that I believe we have primarily not a lack of laws but a lack of manpower and interest in enforcing those laws. Is it against the law to send spam with false headers in the United States? Yes. Is it actively investigated and prosecuted? No. Is it against the law to steal someone's identity in the United States? Yes. Is it actively investigated and prosecuted? No. Unless you can show enormous losses.

So, on the one hand, I would like to see adequate resources applied to enforcing the laws that we currently have on the books. On the other hand, when I see a great Bill introduced in the House or the Senate, I'd like to see it supported.

The CyberSecurity Enhancement Act of 2007 is worth supporting. It goes beyond our current CyberCrime Laws and attempts to bring in the aspects of Organized Crime and Conspiracy that are behind the individual acts we see everyday.

Someone registered a new domain in Hong Kong and used a bot-infected computer to host a phishing website. Hardly interesting from a prosecutorial perspective. But if there were laws on the books that let investigators more easily go after the Criminal Conspiracy that encouraged this action to be committed hundreds of times this year by a related group of co-conspirators, that would make these smaller acts more likely to be prosecuted. Assistant US Attorney Erez Liebermann, the chief of the New Jersey CHIPS unit (Computer Hacking and Intellectual Property Section), was recently interviewed by Information Week where he mentioned this Bill. In the July 20th article, he says that by adding CyberCrime to the RICO statutes, as this Act would do, criminal penalties for these activities would be enhanced.

Are you familiar with the "CyberSecurity Enhancement Act of 2007"? Most of us aren't.

You can read the Full Text of the Bill here.

HR 2290 was introduced May 14th by Adam Schiff, a Democrat from California. (GovTrack categorizes him as a "Radical Democrat". I like Radical Democrats' love for technology and their desire to help the poor. I can work with anyone. Schiff co-sponsored National Human Trafficking Awareness Day, and a bill to make trade in illegal nuclear weapons a Crime Against Humanity. Of course he also introduced a Bill to express No Confidence in our Attorney General, so bi-partisan, this guy ain't.)

This bill is currently sitting with the House Committee on the Judiciary, along with 43 other proposed amendments to Title 18 (where most of our CyberCrime Laws are outlined).

One of those other versions is a Republican sponsored Bill with almost the same name, introduced by Republican Lamar Smith, HR 836, introduced back in February.

A key phrase which was present in both the Republican and the Democratic version of the Bill would modify the penalties so that they applied both to the successful criminal, and the criminal who "conspires to" or "attempts" to commit certain CyberCrimes.

Another huge part of the act addresses the concern I mention at the top of this post. Section 10 of this act would give an additional $10 Million EACH to the Secret Service, the FBI, and the Attorney General for the Criminal Division of the DOJ, specifically for fighting CyberCrime. If for no other reason than this, I would strongly encourage your support of this bill!

I'm pleased to see that one of my two Congressmen, Artur Davis, is listed among the co-sponsors of HR 2290. (I claim that the one in the zip code where I work and the one in the zip code where I live both represent me. I had the pleasure of escorting my son's orchestra on a Capitol Tour as guests of Mr. Davis' office last month!) I'm also pleased to see that Ohio Republican Steven Chabot and California Republican Daniel Lungren, 2 of the 9 Republican co-sponsors of Smith's earlier bill, and both members of the sub-committee on Crime, Terrorism, and Homeland Security, have joined as part of the 6 Republicans who make a total of 19 co-sponsors of HR 2290.

The fact that the members of this committee, both Democrats and Republicans, are signed on as co-sponsors to this Bill encourages me that it might make it out of committee!

I would encourage folks to read the Bill, and if you agree that it should be law, please encourage your Representative to lend his voice of support to the Bill.

The Bill is currently sitting in a sub-committee of the House Judiciary Committee, called the "Crime, Terrorism, and Homeland Security Committee". Especially if you are in Michigan, where the Honorable John Conyers, the Chairman of the Judiciary, is from, or in Virginia, where the Honorable Robert C. Scott, the Chairman of the sub-committee, is from, it would be very useful to hear your voice in this matter.

Please take a minute to review the Bill, members of the Subcommittee, and your own Congressmen's contact information, and determine what the right course of action is for yourself.

Thanks for your help!

_-_
gar