Thursday, December 23, 2010

36 Million Americans Buy Drugs Online -- Illegally!

On December 14th, the White House Intellectual Property Health and Safety Forum was held by Victoria Espinel, the first U.S. Intellectual Property Enforcement Coordinator (IPEC) appointed by President Obama.

Intellectual Property Rights Advancement under President Obama

In June the IPEC released the Joint Strategic Plan on Intellectual Property Enforcement, which was released by Victoria's office, with support from the Departments of Agriculture, Commerce, Health & Human Services, Homeland Security, Justice, State, and the Executive Office of the President. One of the strategic parts of that plan was "Identify Foreign Pirate Websites as Part of the Special 301 Process."

The United States Trade Representative is required by Section 182 of the Trade Act of 1974 (Title 19 USC 2242) to produce an annual review of the global state of intellectual property rights, which is called the "Special 301 Report." One portion of that annual review is the "Notorious Markets List." Listed in the 2010 Special 301 Report as Notorious Markets are Baidu (China) for music piracy, TaoBao (China) and Alibaba (China) for game piracy, TV Ants (China) for sporting event piracy, (Russia) for music piracy, Webhards (Korea) for many types of illegal content,

In the December 14th forum, the focus was not so much on "general" Intellectual Property or piracy, but Intellectual Property rights violations that have the capacity to impact the health and safety of Americans.

This focus area, especially with regards to the Internet portion, has been under development for several months, with President Obama calling for a meeting between ICANN and other stakeholders back in September. See Obama seeks action on online pharmacies domain names as reported by the Securing Pharma website. This action expands from a previous report back in May by LegitScript, a company working to verify online pharmacies. After blasting the industry in general, and eNom in specific, for failing to respond to domain names registered through their company, (See Knujon report: Audit of the gTLD Internet Structure, Evaluation of COntractual Compliance and Review of Illicit Activity by Registrars, and the LegitScript/Knujon report: Rogues and Registrars: Are some Domain Name Registrars safe havens for Internet Drug rings?), eNom came full circle and entered an agreement September 21, 2010 with LegitScript and the National Association of Boards of Pharmacies to ensure that rogue pharmacies are not able to use eNom to register their domain names. (The criminals responded to this news by registering hundreds of horrible porn and bestiality websites using the name and contact information of LegitScript founder John Horton, as reported by Brian Krebs.)

The Forum

In case you missed it, CNN Image Source has a One hour video of the panel, chaired by Victoria Espinel. What a panel - Attorney General Eric Holder, DHS secretary Janet Napolitano, and John Morton, Director of Immigration and Customs Enforcement.

"We need more data to inform our policies and ensure that we are making smart decisions."

"The Alliance for Safe Online Pharmacies estimate that there are between 30,000 and 40,000 active online drug sellers operating at any one time."

(09:43:35)"The Partnership at announced the results of a suvey of consumers of online drug purchasing behavior. The survey's results? 1 in 6 adults, approximately 16% of adult population have bought or currently buy medications online without a doctor's prescription."

The report was sponsored by the Alliance for Safe Online Pharmacies and sponsored by The Partnership at

The survey was conducted by CARAVAN Survey. 1,015 adults were contacted by telephone from November 4-7, 2010. The margin of error is +/- 3%.

(09:45:30) A group of founding private sector partners announced today that they will form a non-profit to work with each other and the US Government to rid the Internet of illegal online pharmacies. Today they have issued priniciples that will guide those efforts.

(09:46:00) The list of eleven companies participating in the initiative was invited to stand and be recognized: American Express, eNom, Go Daddy, Google, Mastercard, Microsoft, Neustar, Network Solutions, PayPal, Visa, and Yahoo!

In case any of them are reading this, UAB Computer Forensics Research Laboratory is ready, willing, and able to help!

The next speaker was Attorney General Eric Holder, who has posted a transcript of his remarks on the Department of Justice website. He pledged his support to the Strategic Plan, and shared some recent successes, including a counterfeit cancer drugs case in August, a Texas case involving he seizure of 6,000 counterfeit pills that actually contained ground-up sheetrock as an ingredient, and a groundbreaking $100 million case in Richmond Virginia. (That last would be the case against Chong Lam, and Siu Yung Chan, who were found guilty on June 11. They were arrested back in January 2008 for smuggling more than 300,000 counterfeit handbags from China. Eric Yuen was actually found not guilty.

Holder was praised during his introduction for re-establishing the DOJ Intellectual Property Task Force, which he announced in February 2010.

Secretary Napolitano spoke next (09:59:40), stressing that both CBP and ICE are seizing more counterfeit goods than ever (seizures increased 97% over 2009), and pledging support for IPEC's Strategic Plan. The National Intellectual Property Rights Coordination Center (which I was able to visit December 7th, and which I blogged about recently regarding their Cyber Monday Operation in Our Sites enforcements.) ICE initiated more than 1,000 IPR cases in 2010, and criminal charges increased 79% over 2009. DHS also participated in Operation Pangea and Operation Mercury this year, coordinated through the World Customs Organization. Her full remarks are transcribed by LexisNexis.

John Morton, whose full title is "Assistant Secretary of Homeland Security for Immigration and Customs Enforcement", also has his remarks transcribed thanks to LexisNexis. He stressed that we needed to speak in plain English and get our message out, and the message is that "counterfeiting spells trouble for America." It robs Americans of jobs, innovation, and creativity. It is organized crime, and creates a risk of harm to consumers. He mentioned counterfeit toothpaste, heart medicine, and air bags, and discussed counterfeit engine parts and ball bearings, not just in cars, but in aircraft with GE Engines. Fake kevlar in Iraq, fake baby formula, fake CISCO routers, and counterfeit Christmas lights were also on his list. One case he went deeper on was the Kevin Xu case in Houston that AG Holder also mentioned.

Xu imported more than $9 million in counterfeit medicines, including Plavix (heart medicine), Casodex (cancer medicine) and Zyprexa (schizophrenia and bipolar medicine). He was arrested in 2007 and sentenced in January 2009 to 78 months and $1.28 million in restitution. Xu was arrested when he flew to Chicago to meet with undercover agents. Forensic Chemists working for the FDA determined that his drugs had less of the active ingredient than claimed on the label and had countless impurities of unknown origin. Some of the drugs had no active ingredient at all. He had managed to get his counterfeits into the real supply chain in the United Kingdom, prompting massive recalls of the drugs in June 2007.

First Panel: Dangers of Counterfeit Pharmaceuticals

The First Panel was moderated by Tony West, Assistant Attorney General, Civil Division, including enforcement of the Food, Drug, and Cosmetic Act.

Panelists included:
John Clark, VP of Global Security at Pfizer (former assistant deputy at ICE)
Tom Kubic, President of the Pharmaceutical Security Institute
Carmen Catizone, President of the Natioanl Association of Boards of Pharmacies
and John Taylor, Counselor to Commissioner of the FDA

After introductions, John Clark of Pfizer did a presentation about counterfeit drugs.

One counterfeit's ingredients were shown: roach powder, powdered brick, road paint, and floor wax. Clark showed slides of the difference between a real drug manufacturer and a fake one. He played a telephone interview where a drug maker was counseling his undercover agent on what he would need to set up his own manufacturing facilities.

John Taylor shared information on how FDA provides consumer alerts, which are also a means to gather further information for investigators.

(continues in part 2 CNN Image Source )

Tom Kubic of PSI has been investigating and measuring counterfeits since 2002. There has been a 700% increase in drug counterfeiting from 2002 to 2009. They have identified at least 800 unique medicines that were counterfeited worldwide just in 2009. (In 2002, there were around 250.) The ones they have reviewed "are neither safe nor effective."

Carmen Catizone made several points. Quoted (with a slight paraphrase):

When you obtain a medication that has been approved by the FDA, [prescribed] by a licensed practitioner, [dispensed] by a licensed pharmacy, that product is safe.
When you go out of the system, you are dealing with criminals who have found it is easier to sell drugs online than to sell crack or heroin on the street. Consumers and legislators don't understand that this is a serious consumer health risk. Carmen says several years ago he was told by legislators they would not take action until they were shown the dead bodies.

John Taylor follows up on Carmen's comment showing that the fakes don't have to produce death in order to be harmed. In one case the supplier of an active ingredient component TO the manufacturer caused an effective epilepsy drug to be suddenly ineffective. Patients around the country began to have seizures!

A guest from the audience joined the panel to share his story. As an AIDS patient, taking nearly 10,000 pills a year, found that his injectable medications were now giving him pain that had not been previously present when injecting. It turns out that his medicine, obtained from a national pharmacy chain, with a prescription, was a counterfeit. For six week period, he has no idea what he was injecting into himself.

Second Panel: Health and Safety Risks of the Counterfeiting of Trademarks

The Second Panel was moderated by Lanny Breuer, Assistant Attorney General, Criminal Division. This panel focused more on computer and electronic components. A bit off topic for today's blog post.

Panelists include:
Neal Rubin, VP and Director of Litigation at Cisco
Keith Williams, President of Underwriter Laboratories
Robert Barchiesi, President of the International Anti-Counterfeiting Coalition
Brett Brenner, President of the Electrical Safety Foundation International

(continues in part 3 CNN Image Source)


CNN Image Source

Prior activities

Many of the companies named in the new announcement have already been taking strides to reduce the sale and advertising of online drugs. In October, the National Assocation of Boards of Pharmacies released their report Internet Drug Outlet Identification Program: Progress Report for Federal Regulators which shared some of the findings of the International Internet Week of Action (IIWA). During October 5-12, 2010, the Food & Drug Administration, Interpol, and agencies in 45 countries took a concerted week of enforcement actions. Interpol calls the enforcement actions Operation Pangea III.

During the operation which saw the 45 participating countries send intelligence to a dedicated operations centre at INTERPOL's General Secretariat headquarters in Lyon, Internet monitoring revealed 694 websites engaged in illegal activity, 290 of which have now been shut down. In addition, some 268,000 packages were inspected by regulators and customs, almost 11,000 packages were seized and just over 1 million illicit and counterfeit pills were confiscated - including antibiotics, steroids, anti-cancer, anti-depression and anti-epileptic pills, as well as slimming or food supplement pills. Some 76 individuals are currently under investigation or under arrest for a range of offences, including illegally selling and supplying unlicensed or prescription-only medicines.

Operation Pangea III featured a series of YouTube videos themed "Don't Be Your Own Killer". Here are two examples:

Other organizations and actions

In 2009, US Customs & Border Protection (CBP) and Immigration and Customers Enforcement (ICE) seized over $260 million worth of couterfeit goods arriving at US ports.

The International AntiCounterfeiting Coalition (IACC) President, Robert Barchiesi, attended the forum as well.

Monday, December 20, 2010

DIICOT: Romanians Bust Up VOIP Ring

Any day that starts with a video of DIICOT in action is a good day! Over the weekend I saw Lucien Constantin share the good news on Softpedia that a Major VOIP Fraud Gang was Dismantled in Romania. Lucien was kind enough to point to the DIICOT press release from December 14th.

A Google translated version of the press release can be found here: For those who prefer to read their own Romanian, see here: DIICOT Press Release.

DIICOT is the Directorate for Investigating Organized Crime and Terrorism, and they have been gaining a world-wide reputation for scooping up cyber criminals. Regular readers of this blog will know I am in the DIICOT Fan Club, as we've previously written about on several occasions, including:

23SEP2010: eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania

12APR2010: Nicolae Popescu, Romanian hacker, at large!

06APR2010: 70 Romanian Phishers & Fraudsters Arrested

16JUL2008: 22 More Romanians meet the Long Arm of the Law


On 14DEC2010, there were 42 houses searched, with 31 in Constanta, 4 in Neamt, 3 in Brasov and others in Olt, Maramures, Cluj, and Dolj counties.

From Oct 2009 to Feb 2010, Cătălin Zlate is accused of running a team of over 50 individuals to commit computer crimes and to use fraudulent access to data to commit VOIP Fraud. Team members configured a VOIP client called "ZoIPer" to allow members to place Voice Over IP calls using fraudulently obtained credentials from other VOIP services. During the period Oct 2009 to Feb 2010, they generated 23,500 calls or 315,000 minutes of long distance charges, stealing from companies in Romania, South Africa, United Kingdom, Italy, and the United States.

Zlate is no stranger to computer crime. He was actually arrested in 2009, and sentenced to 1.5 years in jail for phishing. Unfortunately, the court system in Romania allowed him to be released with a suspended sentence. While I believe Romania has some of the best investigators and some of the hardest working police officers, they also have one of the most corrupt court systems in Europe. All the police can do is keep doing their job, and pray for a change in the court system.

According to, Zlate used the handle "Roşcatu" and was involved in a phishing gang with Manuel Sorin Paun, AKA "Puia", Mangue Barry, AKA "Dumbo", and Bogdan Nistor, AKA "Bobo". The four received "suspended sentences" of 2.5 years, 1.5 years, 3 years, and 3 years respectively for phishing, creating fake ATM cards, and withdrawing money from ATMs using those cards. DIICOT has been following "Roşcatu"'s exploits since at least 2006. The news of their previous conviction made the Ziu Constanta back on November 20, 2009.

Zlate came back with a passion, founding a new business in March of 2010.

That's when things really got out of hand. Through a new fraud company called "Shadow Communication Company Ltd", from February through June 12, 2010, 1,541,187 fraudulent calls were made, running up 11,094,167 minutes of talk time! The defendants were selling these fraudulently obtained minutes at about a 90% discount. While the actual costs should have been more than 11 MILLION EUROS, they actually sold the minutes for just over 1 MILLION EUROS. (Hint: If your telephone company is named something league "Shadow Communications" or "League of Evil", perhaps you should consider switching to AT&T.)

Charges brought against the group include:

- Article 7, Paragraph 1.3 - membership and support of an organized criminal group
- Article 18 Section 2 letter b of law 39/2003 - Money laundering
- Article 23 Paragraph 1 letter a, b, & c of law 656/2002 - Wireless access to a computer system to obtain data by breaching security measures
- Article 42 Paragraph 2.3 of law 161/2003 - Possession of a computer program in order to commit offenses
- Article 49 of law 161/2003 - Causing a loss of property through the introduction of computer code in order to obtain benefit for oneself or another

42 people have been brought to Bucharest to be charged of these crimes.

Here's the DIICOT video of the arrests and seizures:

Hopefully, this time the criminals will actually serve time in prison!

Wednesday, December 15, 2010

Minipost: Operation: Payback origin

Yesterday in our story about Crowds, Mobs, and Anonymous, Internet Anarchy: Anonymous Crowds Flex their Muscles, we mentioned that Operation Payback started back in September. Here is the letter that was sent to the media on September 19th:

After seeing Salon's story A brief history of Operation: Payback, which lists November 29, 2010 as the starting date, we thought it especially important to point out that this is NOT the start. The adoption of Wikileaks was an expansion of a three month old campaign in an effort to legitimize and expand the number of attackers Anonymous had at their disposal. For more on that "crowd action" mindset, the reader is referred back to yesterday's blog post.

Some have been asking "how do you know this is 4chan related?" Again, we refer readers back to early posts by Anonymous.

(Click to enlarge)
"I know that many of you, many of you whom I have seen on 4chan over the years, have grown cynical of the usefulness of anons as an army, especially since the mess that was Chanology*."

One of the places this image was posted back on September 20th was a hacker website run by a South African hacker. To put the message into context, the post immediately before this one read:

Anonymous vs Aiplex, MPAA, RIAA
This is happening right now. Join if you can.
/join #savetpb

We're targeting all the sites mentioned in the topic, but Aiplex first.

For piracy, for freedom, for victory.

* - While Operation Payback began September 19th, Anonymous has been involved in DDOS Protests since early 2008. (Project Chanology refers to the DDOS campaign that 4chan users waged against Scientology. The concept of that campaign was that because Scientology tried to remove all copies of a controversial Tom Cruise interview from the Internet, they were "censoring the Internet" and should be stopped. The campaign included DDOS attacks, fax campaigns, protests, and even an attempt to get the IRS to take away Scientology's tax exempt status. LOIC was one of their tools. Anonymous vs. Scientology ran "daily news" on YouTube documenting their in-person protests and raids. The same YouTube channel has been used for Anonymous messaging since at least April 20, 2008 (See: Reinstate Mark Bunker XENUTV1) and as recently as this week (see: Anonymous: Operation Leakspin.

Chanology was covered by:

Dan Kaplan at SC Magazine: "DDOS Hack Attack Targets Church of Scientology" - Jan 28, 2008.

John Leyden at The Register: "Critics Split over DDOS attacks on Scientology" - Jan 25, 2008. has the "" description of the project from July 2008, which showed substantial evolution from the original January 15, 2008 post archived here, by Encyclopedia Dramatica (caution, ED has crude and offensive messaging and is not 'work-friendly').

Monday, December 13, 2010

Internet Anarchy: Anonymous Crowds Flex their Muscles

One of the things I love about working in the UAB Computer Forensics Research Laboratory is having the opportunity to learn from professors from so many different specialty areas. In addition to the Computer Science professors who visit our lab for the weekly Spam Researchers Meeting, where we entertain guests from the Knowledge-Discovery & Data Mining Lab and the Artificial Intelligence Lab I also get to work with criminologists, sociologists, and forensic chemists who make up the rest of our "CIS-JS Working Group." Last week I had the pleasure of visiting a DEA Drug Testing lab with my colleague Dr. Elizabeth Gardner. Today I was able to compare data mining techniques with a visiting Bioinformatics professor from Colorado State. But some of the times I learn the most though are when I visit with my department chairs, Dr. Anthony Skjellum in Computer & Information Sciences and Dr. John Sloan from Justice Sciences.

A Sociologist looks at AnonOps

Like most Computer Security people, I've been following the Wikileaks responses from Anonymous with interest. As I've watched Anonymous recruit their activist army, I've been thinking more and more about lynch mobs, so I asked Dr. Sloan to come up to the lab and help me understand how mobs work. I made my best pitch to him, explaining how "AnonOps" as the Anonymous Operations group calls themself, calls to mind a mob that was a cross between the angry villagers storming Dr. Frankenstein's castle, and childhood memories of Detroit fans burning cars in the streets.

Dr. Sloan explained that the public (like me) have a lot of misconceptions about mobs. He said what we are dealing with in the Anonymous DDOS attacks are actually instances of "Diffuse Crowds." In the case of Anonymous, Sloan says that "Convergence Theory" explains this type of crowd. Its not that a group of people spontaneously erupted into acts of cyber vandalism, but rather that people who share similar passions come together with an intention to "make a difference" but without a clear agenda on how to do so. Some of the people who come to these online gatherings are bystanders, some followers and some leaders, but these roles are not set in stone. When the crowd has gathered - in this case on an IRC channel - various members of the crowd propose courses of action. When one of the proposals is adopted by the group, that person, whether or not they intended to be, is suddenly, and perhaps only temporarily, a leader.

The earlier prominent theory of crowd behavior was called "Contagion Theory" and proposed that membership in a crowd results in "irrational, emotionally charged behavior."

My early suggestions to Dr. Sloan was that it was because of being Anonymous that the crowd was choosing to participate in DDOS attacks. Perhaps the leaders of the group also counted on that affect. Their instructions for how to volunteer your computer to participate in the DDOS attacks against Mastercard said "if you get caught, don't admit to anything and tell the authorities that your computer must have a virus!" The belief of the general public is that mob behavior, such as that which lead to race riots and lynchings in previous generations, counts on the anonymity and the irrational frenzy of the mob for its success.

Crowds that take action are "Expressive Crowds" or "Mobs" if those expressions lean towards violence towards a target or "Riots" if those expressions lean towards generalized violence and lawlessness. Expressive Crowds gather around strong emotions, such as joy, excitement, anger, or fear.

While Dr. Sloan said that Convergence Theory also says that groups come together along strongly felt emotions, that they should be seen as "rational" with individuals understanding their decisions and acting by choice, not due to some "mass hysteria" or "frenzy."

Expressive Crowds in Cyberspace

As we look at previous expressive crowds that turned towards cyber attacks in the past we see that this seems to be a correct characterization.

In 2008, when Russia invaded the area of Georgia known as South Osettia, the interest was nationalism. As online chatrooms and forums discussed the rightness of the Russian cause, the idea was planted and began to spread that individuals could help with a DDOS against Georgian government and media computers.

August 19, 2008 - Evidence that Georgia DDOS Attacks are Populist in Nature

In 2009, when the Iranian government cracked down on the process of a free election, Facebook and Twitter users colored their profile pictures green to show solidarity with the oppressed voters. As more Twitter followers started watching the "#IranElection" hashtag, some began providing information on how to DDOS the Iranian government. The number of participants in the group grew, with some reading the tags (bystanders), some choosing passive signs of response (green profile pictures), and some choosing active measures (DDOS Attacks).

June 16, 2009 - Armchair Cyberwarriors: Twitter and #IranElection

This past summer Islamic activists, already in chat rooms and forums to communicate about proselytizing the Islamic way of life in the west, began sharing information on how to attack Facebook by downloading an attack tool.

June 1, 2010 - Virtual Jihad Against Facebook

Anonymous and Operation Payback

Operation Payback takes its name, and its tactics from a company that claims to have been contracted by the Motion Picture industry to shut down websites that are trading in pirated movies. Girish Kumar, the managing director of Aiplex Software, explains that the Film industry hires cyber hitmen to take down internet pirates. He claimed that his company is hired "to launch cyber attacks on sites hosting pirated movies that don't respond to copyright infringement notices sent to them by the film industry."

The die was cast in September 2010 when AIplex pointed its attention at the greatest source of pirated movies on the internet, The Pirate Bay. In response, one of the /b/rothers from 4chan pointed a botnet under his own control at AIPlex, taking the company's website offline while other members of the channel were still talking about the best way to do so.

Almost immediately, the 4chan buzz began looking for a new target. TechCrunch ran a story that contained the original call to arms:

How fast you are in such a short time! Aiplex, the bastard hired gun that DDoS’d TPB (The Pirate Bay), is already down! Rejoice, /b/rothers, even if it was at the hands of a single anon that it was done, even if ahead of schedule. now we have our lasers primed, but what do we target now?

We target the bastard group that has thus far led this charge against our websites, like The Pirate Bay. We target MPAA.ORG! The IP is designated at “″, and our firing time remains THE SAME. All details are just as before, but we have reaimed our crosshairs on this much larger target. We have the manpower, we have the botnets, it’s time we do to them what they keep doing to us.


(The original Anonymous image, according to's Anonymous entry)

They were able to knock offline, at least temporarily, the Recording Industry Association of America, the Motion Picture Association of America. Later in the month, the Low Orbit Ion Cannon, or LOIC as the chosen 4chan attack tool is called, was pointed at AFACT - the Australian Federation Against Copyright Theft. Nearly 8,000 other websites were casualties of that attack which overwhelmed the hosting platform. Many major organizations that deal with copyright and the protection of intellectual property have been attacked as part of Operation Payback at one time or another, including:
AIPlex Software
Davenport Lyons
Australian Federation Against Copyright Theft
DC Legal
Ministry of Sound
Ministerio de Cultura (spain)
Sociedad General de Autores y Editores
Federation of the Italian Music Industry (FIMI)
United Kingdom Intellectual Property Office
Associação do Comércio Audiovisual de Portugal
Gene Simmons (finland)
US Copyright Office
Irish National Federation Against Copyright Theft
Warner Brothers

Anonymous went after RIAA again in late October after the RIAA achieved a court order to terminate the LimeWire file sharing network.

Wikileaks and AnonOps

While a group may have leaders of the moment, there are permanent roles assigned by the "true" leaders of AnonOps, as well as "talent-based" roles. As AnonOps tries to move through its paces, it needs developers to improve and modify its attack tools, graphic artists to create its images. Video editors to create its YouTube videos, and network designers to help it build stable infrastructure.

But mostly, it needs a cause that the public supports. Those causes go back to the basic emotions upon which Diffuse Crowds converge. Wikileaks stirred up the passion of the press and the public as it began releasing revelation after revelation.

AnonOps recognized such an opportunity with Wikileaks. While the early "Operation Payback" was exactly what it said: "You DDOSed our website, so we are DDOSing your website" the new act is to convince the public that this was all about Internet Censorship from the beginning. "We fight censorship and stand up for truth" is a much more stable platform upon which to base a group, as opposed to the original "We pirate movies and break the law."

However, breaking the law, and getting away with it, is a great attractor of media. Dr. Sloan explained that this reminded him of the 1960s Vietnam War protests on college campuses. The more the media covered the protests, the more likely it was that your neighborhood college campus was going to have a protest.

Cyber attacks => Media Coverage => New like-minded individuals "converge" into the group => New skills and ideas => New missions and leadership

Exit Strategy

The question that is yet to be determined is, has the AnonOps groups reached a stable form? It is clear that the illegal activity is getting out of hand, and threatening the existence of their group. This weekend's attacks on Paypal, Mastercard, and Visa demonstrated the group's online power, and attracted more hackers. The targeting this evening was sporadic and approaching "riot" stage as various participants shouted out target names in the AnonOps chatrooms and watched as they fell. Established leaders were shouting things like "WHAT ARE YOU DOING?!?!? WHY ARE YOU ATTACKING AIRLINES!?!?! WHAT DOES THAT HAVE TO DO WITH WIKILEAKS OR CENSORSHIP?!?!" Meanwhile,,,, and others all suffered brief outages.

Some of the leadership are attempting to distance themselves from the DDOS attacks and are encouraging an alternative approach of encouraging people to read the leaked cables and write about them as a way of "uncensoring" them. Others are encouraging a new form of cyber attack, asking members to DDOS companies that are found to have been involved in, or believed to be involved in, atrocious acts described in the classified cables. Remember above that members are attracted to groups that share their same strongly held feelings and attitudes. When AnonOps revealed today that US taxpayer dollars were used by a defense contractor to pay for sex with young boys, they were playing perfectly to this theory of the crowd. EVERYONE would be outraged by some of these actions, if they occurred the way AnonOps describes them. That's a powerful tool for enlarging your group, and lowering the barrier to otherwise illegal action. It may be difficult to convince a member to DDOS their own credit card company, but the moral barrier to DDOSing "sex slave brokers" as one AnonOps post described the company, may be lower.

One attempt at legitimacy was to engage the Electronic Freedom Foundation. Leaders reasoned in the AnonOps chatrooms that a partnership with EFF would bring legitimacy to their cause, and EFF responded positively to the approach with their new Say No To Online Censorship campaign.

The new campaign within AnonOps uses the name "" which comes from a George Orwell quote:

“During times of universal deceit, telling the truth becomes a revolutionary act” - George Orwell

I guess my big takeaway from my discussions with Dr. Sloan was the new sociological theories on crowds and gatherings. Crowds can be rational. And, according to one Sociology text:

...Crowds themselves do not impair judgment. The actions of individuals at gatherings also illustrate that individuals remain independent, sometimes responding to solicitations, sometimes ignoring them, sometimes interacting with their subgroup, and sometimes acting spontaneously.

I hope the members of Anonymous will remember that while they are Anonymous, they are also individuals, and responsible for their individual behavior and decisions.

Monday, December 06, 2010

Wikileaks: Lessons Learned

I've spent the past couple days in our nation's capital, and it seems that everywhere I go, someone wants to know what I think of the Wikileaks scandal. I'll tell you at the end of this article. First, I want to talk about what we should LEARN from Wikileaks. When I worked more actively in Critical Infrastructure Protection, there was a saying I heard from time to time that the problem with most Crisis Events is that we don't learn from them. To rectify this failure to learn, the Department of Homeland Security even created the "Lessons Learned Information Sharing" site, Perhaps my exposure to DHS as a then-member of the Energy Sector has taught me to look for Lessons Learned as the silver lining to every dark cloud.

So what is the major Lesson Learned in the Wikileaks situation?

It has to do with information classification, access control, and monitoring. We'll go over those lessons learned, but first, here's a bit of background on what happened.


In the case of PFC Bradley Manning, here was a young man with a very important job. As an Intelligence Analyst, it was important that Manning have access to everything he needed to do his job. In the post-9/11 Kumbaya world of Information Sharing, that pretty much gives counter-terrorism warriors carte blanche. The information access level for people like this may be "If he needs it, give it to him, if you don't, the next 9/11 will be on your head!"

Like Katharine Gun, the UK's GCHQ intel analyst who decided to leak information about wiretaps among the UN prior to the Iraq invasion, Manning was an analyst who did not understand the chain of command. In Gun's situation, she became aware of cables which implicated the United States in the tapping of communications of United Nations personnel prior to the Iraq invasion. Gun determined that it would be a noble and responsible thing to ignore all of her oaths and orders and rather than sharing her concerns with her supervisors, smuggled this information out of GCHQ and leaked it to the press. Its a growing trend among Intelligence Analysts who determine they are in possession of information that the public has a "Right to Know" and Gun received the "Sam Adams Associates for Integrity in Intelligence" award for her actions. (Sam Adams was an information leaker during the Vietnam War.)

Brannon Manning became a ten-minute celebrity back in May for choosing to put his job on the line for a statement of his principles. He chose an act of civil disobedience, in the form of leaking a video of a helicopter gunship attack in Iraq where US forces fired on and killed Reuters news service photographer Namir Noor-Eldeen, 22, and his driver, 40-year-old Saeed Chmagh. Manning seemed to believe passionately that the US army had attempted to cover up their responsibility for the deaths, and decided to risk his job and his freedom to reveal this video. He was identified as a "whistle-blower" in the news. While I strongly disagree with his decision, that is an act of civil disobedience, and a "whistle-blower" action where a particular individual, possessing access to evidence of what they believe is an act of wrong-doing, "blows the whistle," understanding that there may be consequences for their action and choosing to accept the risk. I do not condone his actions in any way.

World-Wide Anarchy

To clarify, this attitude and action has absolutely nothing to do with the current Wikileaks crisis.

As reported in WIRED Magazine, the new hero of the left had no such intentions in mind when he then determined to leak 260,000 classified documents. He states his intention clearly:

“Everywhere there’s a U.S. post, there’s a diplomatic scandal that will be revealed,” Manning wrote. “It’s open diplomacy. World-wide anarchy in CSV format. It’s Climategate with a global scope, and breathtaking depth. It’s beautiful, and horrifying.”

So, was the goal of the "big data dump" to help reduce future civilian casualties? No. The stated goal was "world-wide anarchy."

According to the same article, Manning had access to "two classified networks from two separate secured laptops: SIPRNET, the Secret-level network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System which serves both agencies at the Top Secret/SCI level."

According to the same WIRED story, he boasted to celebrity hacker and information leaker Adrian Lamo:

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
(source: WIRED: ThreatLevel)

While Manning apparently thought he would find a kindred spirit in Adrian Lamo, Lamo knows the difference between information disclosure and treason. Its curious that the New York Times seems to consider Manning a patriotic hero and is certainly selling a lot of papers based on his leaked information. Especially curious when you consider that when Adrian Lamo accessed confidential data at the New York Times back in 2002, the response was not to celebrate the glorious freedom of information, but rather to file charges against Lamo, resulting in facing up to five years in prison, (although he received House arrest, limited access to computers, and payment of restitution in the end. Lamo told the Washington Post that he agonized over the decision, but he turned him in.

Lessons Learned: #1 -- Classification vs. Categorization

I'm going to imagine a slightly oversimplified classification system for a moment, to make our illustrations easier. Let's imagine that the classifications in our system are Unclassified, Secret, Top Secret, and (Collateral / SCI / SAP). The last one is actually not a "classification" but rather means "super secret Need-To-Know." SCI means "Sensitive Compartmented Information" and SAP means "Special Access Programs." We'll imagine for the moment that they both mean simply "Need to Know."

Now, consider various types of information to which a government employee may have access.

It seems that in the environment in which Manning was working, as long as he held an appropriate clearance for the information, he was able to access the information. Imagine an information access chart then that looks like this:

Imagine this information request:

What level of classification does this diplomatic cable have?
"Top Secret"
Does the requester have Top Secret clearance?
Permission granted.

What failure has occurred? A failure in ACCESS MONITORING. Manning was attempting to access information for which he had an appropriate clearance, but information which was in an inappropriate CATEGORY for him.

The same challenge is present in many other workplaces where sensitive information can be found. Consider for example the categories of interest in a hospital or healthcare environment:

Although I've never been in a hospital where things are marked "SECRET" and "TOP SECRET", let's use those as an analogy to the sensitivity of data. Perhaps an unclassified Personnel fact would be that Joe works in radiology. A Top Secret Personnel fact may be that Joe has three DUIs in the past year and has to take a breathalyzer test each shift before reporting for duty. An unclassified patient billing fact may be that office visits cost $175. A Top Secret billing fact may be the credit card number of the patient. An unclassified billing payroll fact may be that Tom is in a minimum wage job. A secret payroll fact may be that Tom's wages are being garnished for child support.

While HIPAA makes it clear that only certain personnel are supposed to see certain records, how is this monitored within your organization?

A more appropriate monitoring situation for PFC Manning may have looked like this:

In a system like this, an auditing record is recorded for review whenever someone accesses Secret or Top Secret information that is outside of their assigned categories of responsibility. With this monitoring system, Manning would still be allowed access to Secret documents in other categories, but these would be flagged for a potential review because of the mismatch with his job description.

Here's a similar chart for a HealthCare environment:

Many of my students are surprised that in my own lab, I do not have "Administrator" access to the workstations! I don't want it! I gave it back! We have an IT staff who is responsible for the creation and maintenance of access permissions, and for the installation of software and documenting its licenses and controls. Because I am not a part of that group, and don't know their methods, I choose to not have that access.

Lessons Learned #2: Volume of Data Flow

The other red flag is the volume of information being extracted. As repeated requests for information IN ANY CATEGORY are made, the volume of requests should be used to determine if a more urgent review is needed. For example, if someone is working in the Iraq war theater, it would make sense for many requests to be made related to that category of information. Occasional requests in other categories may also not be alarming. However, if you saw a large number of requests in a category for which this person does not have a job responsibility match, those should sound a more urgent alarm.


We can agree to disagree on whether Manning is a Patriot, an Anarchist, or a Traitor, but the important outcome of any event of this nature is that we document our Lessons Learned.

Consider your own Information Collection in your workplace.

What are the "Categories of Information" and how is access to those categories assigned?

Within each area what are the "Sensitivity Levels" or "Classification" of that data?

What is a "reasonable volume" for accessing data in each of those categories and classes?

Perhaps most importantly, who is in charge of monitoring access to those categories of information, and how are "alarms" set when a category, class, or volume condition is reached?

Thursday, December 02, 2010

Oleg Nikolaenko, Mega-D Botmaster to Stand Trial

According to Milwaukee's Journal Sentinel one of the largest spam senders in the world is sitting in a cell in Milwaukee awaiting his first court appearance on Friday, where he will be charged with being one of the greatest spammers in the world.

The case being heard, in the Eastern District of Wisconsin (2:2010-cr-00246), charges Oleg Nikolaenko, born July 17, 1987, with violations of 18 U.S.C. §§ 1037(a)(3) and 2.

According to the 13 page criminal complaint beginning in January 2007, violated CAN-SPAM in a maximum way. The first charge against him was CAN-SPAM violations:

the defendant knowingly, in and affecting interstate commerce, materially falsified header information in multiple commercial electronic mail messages transmitted in furtherance of the offense exceeded 2,500 during a 24-hour period, 25,000 during a 30-day period, and 250,000 during a 1-year period, to wit, the defendants altered the header information of spam e-mails that they transmitted via the Internet to disguise the e-mails' true origin, in violation of 18 USC § 1037(a)(3)

Yeah, 10 billion per day is greater than 2,500. 8-)

The second charge brought in the complaint, by Special Agent Brett Banner of the Federal Bureau of Investigation, is that he shipped bogus drugs, failing to ship what was ordered. In other words, Mail Fraud.

Count two says:

On or about November 2, 2009, for the purpose of executing a scheme to defraud by failing to send purchased prescription drugs, the defendant knowingly caused to be sent and delivered by the Postal Service, the following matter: a package from Herbal Health Fulfillment House, 6 University Dr., Ste. 206-273, Amherst, MA 01002, containing 60 pills of "VPXL -#1 Dietary Supplement for Men", to an address in Milwaukee, State and Eastern District of Wisconsin, in Violation of 18 U.S.C. § 1341.

Oleg is messing with the wrong FBI Agent. Brett was the administrator of the Mid-Michigan Area Computer Crimes Task Force from June 2004 to September 2009. That would be Michigan, the state where Terrence Berg locks up spammers and throws away the key on behalf of the Department of Justice until replaced by Barbara McQuade by President Obama. I can't imagine a better office to learn about fighting spam with the legal system! (Don't get me wrong, McQuade is hitting drugs, child porn, and mortgage fraud hard, and earning a great reputation as well. But Berg was an anti-spam crusader!)

Special Agent Banner reveals in his complaint that Oleg was shipping "billions of spam emails on behalf of Jody Smith, Lance Atkinson, and others who were selling counterfeit Rolexes, non-FDA approved herbal remedies, and counterfeit prescription medications."

The fingers started pointing to Oleg from some other cases. In August 2009, Jody M. Smith pled guilty to "conspiracy to traffic in counterfeit Rolex watches" in the Eastern District of Missouri. How much money was Smith making in the watch business? Let's just say that in the court documents he admitted to spending TWO MILLION DOLLARS just on spamming services! Smith's affiliate spamming organization was called "AffKing" and actually included quite a few other messages as well. Just at the Federal Trade Commission's Spam Fridge, they had received over 3 million spam emails that were associated with the AffKing case.

We blogged about the AffKing case back in October of 2008 with this story - SanCash (AffKing) taken down in New Zealand.

Atkinson, who had been charged as part of a case called "Global Web Promotions" back in 2004, was called "the first criminal action under CAN-SPAM" according to the April 24th FTC Press Release. The FTC has the 25 page Judgement on their website.

According to the current criminal complaint, when Atkinson was being interviewed regarding his charges, he admitted posted messages on "a pro-spam Internet bulletin board" needing help from spammers to promote his herbal pills. Atkinson says that the two largest spammers he met on that board were Russians who called themselves "Docent" and "Dem". He estimated that 80% of all of his drug sales came from spam-delivered advertisements.

The complaint further shows that according to "The Director of Malware Research at SecureWorks" most of the AffKing spam was being routed through a botnet, which SecureWorks named "Mega-D" back in 2008, and which they claimed accounted for 32% of all the spam on the planet, or more than ten billion spam messages per day.

Monitoring of Atkinson's ePassporte account revealed that from October 2006 to December 2007, he sent out over $1.8 Million in payments of commission for items sold. Atkinson recalled that Docent used the ePassport account name "Genbucks_dcent".

A subpoena served on ePassporte compelled them to reveal that Genbucks_dcent was Oleg Nikolaenko of 28/10 Spasskiy Proezd, Vidnoe 2, Russian Federation, with the email addresses and In a six month period in 2007, Lance Atkinson had paid Genbucks_dcent $464,967.12 for his spamming services.

Search warrants provided to Google revealed that ddarwin and 4docent were sending and receiving emails from others about their spam, including "" (believed to belong to Lance Atkinson). The email also revealed malware being attached, which were analyzed by SecureWorks and determined to be part of the botnet family known as Mega-D.

In November of 2009, the security research company FireEye was able to take control of the Mega-D network, and was able to prove that 509,000 computers were infected with the spamming botnet software, including 136 computers located in the state of Wisconsin.

Another FBI Agent who was an investigator in parts of this case, Special Agent Jason Pleming, indicates that security research firm M86 Security informed him that a single infected computer on the Mega-D Botnet had been observed to send as many as 15,000 spam messages per hour.

A search of the U.S. State Department's visa applications indicated that Oleg Yegorovich Nikolaenko with matching address, email address, and birthdate, received a traveler's Visa to the United States and was in Los Angeles from July 17, 2009 to July 27, 2009. He was in the US again November 2, 2009 through November 6, 2009, staying in Las Vegas and logging in to his gmail accounts from an IP address at The Tower Hotel in Beverly Hills during that trip. (

The FBI agents indicate that Nikolaenko had expected to stay in the US until November 11, 2009, but that he left early. They propose that this may have been to go home and deal with the fact that FireEye disabled the Mega-D Botnet that week! Although M86 indicates that Mega-D totally disappeared for a short time that month, by December 13, 2009 it was back to 17% of worldwide spam.

Acting as an undercover purchaser, Special Agent Pleming clicked an email which claimed to be from "Amazon, Ltd" and visited a website that described itself as "Canadian Pharmacy". He purchased one package of VPXL, one package of Viagra, and received as a bonus four additional "Viagra Professional" pills.

Although a package arrived, Special Agent Pleming received his VPXL, but received no Viagra pills at all.

Now it was time to wait. . . .

On October 30, 2010, Nikolaenko arrived in the United States at JFK airport, flew to Las Vegas, and checked in at the Bellagio hotel, to attend the "Specialty Equipment Market Association (SEMA)" car show in Las Vegas. (He attended the same car show the previous year.)

The complaint was presented to Magistrate Judge Aaron E Goodstein on November 3rd, and a warrant was issued for the arrest of Oleg Nikolaenko, who was taken into custody in Las Vegas the following day.

The CAN-SPAM charges for which he was arrested in Las Vegas had a potential sentence of 3 years in prison, a $250,000 fine, and 3 years supervised release.

Nikolaenko will be presented with all these charges in court tomorrow, December 3rd.

[Note: after completing this story, while Googling up some additional facts, I notice that Brian Krebs has already written about this. I'll share my interpretation anyway - but please do see Brian's story at Had I seen it first, I would have saved myself a few bucks on PACER! haha!]

Monday, November 29, 2010

Minipost: IPR Center celebrates Cyber Monday

The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domains Selling Counterfeit Goods. The Operation, called Operation In Our Sites 2.0, expands the focus of the original op which concentrated on movies only. CyberCrime & Doing Time reported on the first Operation In Our Sites back on July 1st, when a half dozen major movie piracy websites were seized.

As with the original op, visitors to the domains see a warning like this instead:

The full list of Counterfeit Goods websites that were seized is available in this short report from ICE but its clear from the names these were not just movie sites.

In addition to sites selling DVD of movies and boxed sets of television series, there were handbags, watches, golfing gear, sunglasses, college and pro jerseys, ipods, shoes, and brand name clothes from Louis Vuitton, Timberland, and others.

Eighty-two sites is a good start, but you're sure to have seen other websites selling counterfeit goods. How do you report them?

Click the button below:

Or just visit:

Cyber Monday Warnings

Today is Cyber Monday, the more recent trendy computer version of Black Friday. It originated when the Internet at home was slow and expensive and corporations and online sellers realized that everyone came back from their long holiday weekend with a list of things they had been unable to buy in the malls and ready to use the company's fast Internet access to finish up their shopping lists.

Of course that's no longer true. Most of us have fast Internet at the house, and the online sellers realize this, which is why many companies started "Cyber Monday" over the weekend. I was getting messages yesterday afternoon from that "Cyber Monday Starts Today!" even though it was quite clearly Sunday. MSN's top ad yesterday was an animated cube from JC Penney announcing 40,000 deals for "Cyber Monday" were already available. Sears sent me emails announcing "The deals launch tonight! Get up to 20% off for Cyber Monday!" WalMart is among the firms extending the holiday shopping spree with "Cyber Week" sales available. I also received Cyber Monday emails from Best Buy, Guitar Center, Kohl's, Office Depot, Rosetta Stone, and Toys'R'Us. Just while I'm typing this two more came in! (Bass Pro Shops and Books-A-Million...excuse me, I'll be right back, and I'm not going fishing!)

I'll be joining all of you shopping, as soon as I get home from work, of course. But let's make sure to use some Cyber Sense to keep safe during this holiday shopping spree.

We've already talked about some general Consumer Safety tips, such as this Birmingham News article, Avoid Being Victimized While Shopping Online and our interview this morning on the CNBC Ron Insana show.

In this blog post, we wanted to share a bit more "techie" version of what we'll be watching for on this Cyber Monday. These are the things that have been troubling me as I think about what the bad guys are plotting for this holiday season.

ESP Spear Phishing leads to ... what?

You might know the term "ISP" is Internet Service Provider. "ESP" is Email Service Provider. Something that has me especially concerned as we head into Cyber Monday is a story from last week that ESP's have been the target of Spear Phishing campaigns. In "Phishing" criminals try to steal your userid, password, and other personal information by sending an email pretending to be from an online company with which you do business, and then directing you to a website to steal your information. In "Spear Phishing" criminals are not using a general "lure" but are instead targeting a particular individual. ESP "ReturnPath" shared this spear phishing attack they observed last week as an example of what was targeting their employees:

Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give meyour current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:


Let’s keep in touch then.


Michelle & Brian

Obviously, I added that "Do Not Visit" part...

Real people who were really getting married sending emails to real people working at the ESP. Only the wedding site was fake, and instead dropped two pieces of malware. Brian Krebs has more details on his KrebsOnSecurity column, but if the people working at the ESP followed the link, they would be infected with a password stealing program called iStealer and a RAT (a Remote Administration Trojan) called CyberGate.

Why? These companies, and it is believed that perhaps as many as a hundred ESPs were targeted, are the companies that send the "official marketing" emails for many of the largest companies on the planet. Their sending IPs are listed as "trusted" and their emails are signed with digital certificates that "prove" the email is legitimate. If the criminals can take over computers in these organizations, they can insert their malware links into the official marketing emails of large companies!

Shipping Spam Malware

A constant for more than a year, one of the main ways malware is delivered with spam is from messages claiming that a package that you were supposed to receive was not delivered for some reason. While most of the time this is a general annoyance, during the holiday online shopping spree season, this is the kind of email that people are likely to click on. What advice do we always give regarding email? DON'T CLICK THAT LINK! (Or in this case, open that attachment.)

To help protect yourself during the holiday season, make sure that you keep track of what packages have been shipped to you, and what the tracking numbers are for those packages. If you really need to know the status, UPS, FedEx, and the US Postal Service all have great websites where you can enter your tracking number to find out what's going on with your package. Visit the website and type in your tracking number.

We've blogged on this subject repeatedly in the past, including this story from last year's Cyber Security Awareness Month (scroll past the IRS spam, it was the second topic).

Holiday Gift Card Malware

Although we haven't seen it yet this year, some of the most successful malware distributions in the past, particularly with Storm and Waledac, have been holiday themed malware and especially "Greeting Card" malware. See for instance the 2009 story Happy New Year! Here's a Virus! or last Christmas and New Year's New Year's Waledac Card. We even saw these back in 2007, with A Stormy Christmas and a Botnet New Year.

Search Engine Poisoned Results

Back in April we detailed how the criminals use "Search Engine Optimization," which we prefer to call "Search Engine Poisoning" to attach their malware to hot search topics. In that article, that we called Fake AV in the News we demonstrated the technique using common search terms from hot news stories. Watch for the same technique to be used now, only using hard to find gifts as the bait!

(oops...just got another email from about Cyber Sale!)

Counterfeit (Illegal) Product Sales

There are so many spam campaigns going on right now, as usual, for Rolex watches, UGG Boots, ridiculous software sales, and luxury items, such as popular handbags.

These are largely criminal enterprises, using compromised home computers to send spam that advertises webservers hosted in China by criminals in Russia who will send you fake products of questionable quality that are illegal in the United States as they have violated the copyrights and trademarks of the legitimate companies.

Remember: Why do spammers spam? Because Americans keep buying their garbage. There is no such thing as "OEM Software" that is legal.

Penny Auctions & Gift Cards

Another scam we're seeing spammed heavily today are the "penny auctions" that promise to sell items for pennies on the dollar. One popular site is advertising "Save 95% off retail!" and shows iPhones for $19 and laptops for $40. Most of these work by selling bids. You pay a price to have the right to bid, but of course that doesn't guarantee you will win. The item may "sell" for $4, but in order to sell it for that, thousands of dollars of purchased bids are expended. We've seen spam this morning for QuiBid and BidCactus, as examples.

Other spam messages are giving away "Free $1,000 Gift Cards!" These scams, including popular spam right now for Victoria Secrets and Olive Garden work by having the visitors complete "Member Tasks" to earn their gift card. Another popular version allows you to "pick your gift card" and shows images of Sears, KMart, Kohl's, JCPenney, and Walmart gift cards. Before you actually get the card though, you have to do things like trying NetFlix or trying a new Tooth Whitener. The tasks get more complex, and more expensive, as you try to get enough "points" to get your gift card. By the end, some of the tasks are things like "spend at least $1800 on a EuroRail Pass," or "stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" READ THE FINE PRINT! (and don't waste your time!)

Work At Home, Refinancing, and Other Financial Desperation spam

As desperate as some Americans are for some extra holiday cash, answering a job ad that you receive in spam should not be a consideration. Many of these jobs are helping to facilitate money laundering or illegal product shipment. We've talked about this scams before, most recently in the story Running Out of Money Mules?. Don't fall for the temptation.

Today we've seen spam from "Home Jobs For Citizens", promising us we can earn $150 per day at home, as the most recent example.

We've also seen an uptick in really threatening sounding mortgage spam. One spam message I received today had my true street address in the subject line and warned that my mortgage was delinquent! The spam had my wife's name, my real address, and my email, and took me to a webpage that offered me a 3.6% interest rate on refinancing my home. They've got many "look and feels" all running on the same webserver:

These spammers are "lead generators" that have you fill out all the credit information that would be used to generate a loan application, and then shop you out to people desperate to make their quota refinancing. Its also not uncommon that this type of spam leads to identity theft. If you want to refinance your home, call a mortgage company, don't click a spam message!

Friday, November 26, 2010

Schoolboy Hackers steal $18 Million (£12 Million pounds)

The Background

Back in August one cybercrime story we were watching came to our attention via ZDNet's story Teenagers accused of running cybercrime ring. In that story most of the public learned for the first time of a criminal online forum called, run by a pair of 18-year-olds, Nicholas Webber and Ryan Thomas. Webber owned and operated the forum, which had over 8,000 members, while Thomas did day-to-day moderating and operations tasks.

The pair had actually been arrested back in October 2009 when they tried to pay a high-end hotel bill of around £1,000 with a stolen credit card. At the time of his arrest, Thomas' laptop revealed that he had a leading role on Webber actually had business cards calling himself "N2C AKA Webber". N2C was the main administrator of GhostMarket.

The pair jumped bail in October but were arrested when they returned to the UK on January 31st at the Gatwick airport. A laptop they were carrying at that time revealed the details of 100,000 credit cards and identified an additional co-conspirator, 21-year-old Gary Paul Kelly. Kelly had been previously identified as being involved with a Zeus botnet associated with the domain "". (several pieces of malware used IRC rooms to spread themselves as shown in this TeamElite report, this Wepawet report, or this Prevx report, or this malwareurl report.) listed the "woot/gate.php" file on totalunix as a confirmed Zeus distribution point as well.

Despite previously fleeing when they had posted bail, they were allowed to post bail a second time, on the condition they did not use the Internet. They entirely ignored this condition, and continued to perform their duties on GhostMarket.

In addition to Webber, Thomas, and Kelly, 20-year-old Shakira Riccardo and 21-year-old Samantha Worley were charged as well for their role in controlling two Halifax building society accounts used to handle proceeds from GhostMarket.

PCeU officers called the case Operation Pagode.

Born and raised in Guernsey, Nick Webber now attends school at St John's College in Southsea, Hampshire, where he lives on Cavendish Road.

According to The Guernsey Press, Webber's hometown paper, 65,000 bank accounts had been drained of approximately £8 million in what were called "linked frauds". The forums also contained bomb-making information, and Webber was said to have discussed his desire to blow up the home of the detective he believed was the head of the e-Crime unit.

Accusations against Webber, Thomas, Kelly, and Ricardo include "conspiracy to commit fraud", and "encouraging or assisting offcences" between 12 April 2009 and 4 November 2009, namely providing Ghostmarket credit card data, and tutorials on various crimes, including hacking, phishing, spamming, and manufacturing crystal meth.

Kelly is also charged with "conspiracy to make or supply articles for use in fraud" and "unauthorised modification to computers", while Ricardo was charged with "possession of articles for use in fraud" and "acquiring criminal property".

Worley is also charged with "acquiring criminal property" including a Tiffany ring and an H Samuel platinum chain.

The Crimes

Mikko Hyponnen found an interesting post on an underground forum the day before Kelly went back to trial, and shared it on his blog, "I possibly won't be back for a while...".

In that thread, Kelly points back to this SkyNews article about his original Zeus arrest, Two Arrested Over Computer Virus Plot from November 18, 2009.

Kelly, who used the hacker name "Cache" on several boards, was a sometime malware author, selling a "crypter" that he authored that would help protect malware from discovery. He also has been seen offering to buy "installs" from others when "his DNS got screwed up" and he lost a botnet he was controlling. He preferred to chat with Yahoo messenger using the name "" which was often associated with his alias "Mike Wilson".

He claims to have been charged with having 15,000 controlled Zeus bots, 2 million lines of stolen Zeus log data, for scamming a casino for 10,000 pounds, stealing $9,000 via Western Union, and other related crimes. He also was running a #ccpower IRC server, according to a post he made in January 2010 asking his fellow hackers how much prison time he might get for Zeus.

Nick Webber, who used the alias "N2C" to run Ghostmarket was teased when the full version of the abbreviation was shared:

He used that as his MSN chat handle, to register the domain name "" (with a zero) and for his YouTube page where he posted videos on hacking, such as this one called Advanced VBV / MSC Phisher (that's VBV as in Verified By Visa).

He also used that email with the N2C alias as his member email on, which was outed in RM #2 back in 2008. Back then he was logging in from BT Central on

The Trial

Webber and Thomas have now plead guilty to their charges, and Gary Kelly has admitted to being behind a particular Zeus trojan. The two others charged have admitted to their role as money mules. According to The Porstmouth News story, Teenage admits £12m internet banking fraud the sentencing is expected to be quite lenghty.

'You used your enormous skills and education in what looks like an enormous conspiracy to defraud and steal people's credit cards and bank accounts.

'These are such serious matters that there may well be substantial periods of imprisonment.'

Webber pleaded guilty to conspiracy to commit fraud, conspiracy to make or supply articles for use in fraud and encouraging or assisting offences, at Southwark Crown Court.

Kelly, of Swinton, Manchestor, pleaded guilty to the same charges as well as an additional count of conspiracy to make or supply articles for use in fraud and a further charge of conspiracy to cause unauthorised modifications to computers.

Ricardo, of Kings Road, Swansea, admitted conspiracy to commit fraud, conspiracy to make or supply articles for use in fraud, possession of articles for use in fraud and acquiring criminal property.

Worley, also of Kings Road, Swansea, admitted one charge of acquiring criminal property.

Webber and Kelly will be held until their sentencing, but the remaining three are out on bail.

The Daily Mail has the best photos of the group that I've seen, including:

Nick Webber

Samantha Worley

and Gary Kelly

Wednesday, November 24, 2010

Another M00P Group Member arrested

Pardon me while I have a Matrix-moment imagining this conversation. Matthew Anderson is sitting in a small room, and Detective Constable Bob Burls is flipping through the charges against him. "Mister Anderson ... it seems you've been living TWO lives. In one life, you're Matthew Anderson, program writer for a respectable software company. You have a social security number, you pay your taxes, and you help your landlady carry out her garbage. The other life is lived in computers, where you go by the hacker alias "Warpiglet" and are guilty of virtually every computer crime we have a law for. One of these lives has a future, and one of them does not."

OK, back to reality . . . who is Mister Anderson? Let's back up a bit.

In 2006, Brian Krebs, then of the Washington Post, ran a story in his Security Fix column called The Scoop on the m00p Group. The story started as an analysis of a June 27, 2006 Times of London story, Virus hackers held in UK and Finland. The Times told us that the suspects were a 63-year-old from England, a 28-year-old from Scotland, and a 19-year-old from Finland, who had released malware known variously as Ryknos, Breplibot, or Stinkx. Thousands of machines were hijacked, mostly in the UK, in violation of the 1992 Computer Security Act charge of "conspiracy to commit unauthorised modification of computer material" which at the time carried a maximum penalty of six months in prison and a £5,000 fine. Krebs went on to claim that "these jokers are thought to be responsible for releasing the Zotob.d worm." The Ryknos bot was an old-school IRC-controlled botnet. All of the bots were directed to join an Internet Relay Chat (IRC) channel where they would receive further commands from the bad guys, known as "botherders" in the community. One of Krebs' sources determined the method by which the bots joined the chat room and did so himself, sharing an interesting Chat Log back with Brian, where a botherder callin himself Uluz claimed he had sent out 5 million spam messages and 50,000 people had become infected and joined the chat room. Krebs believed the 63-year-old Brit was not a malware person himself, but was paying the botherders to deliver spam email messages using their bot-controlled computers.

We now know that Uluz, aka Warpigs, aka Warpiglet, aka Aobuluz, was actually Mr. Anderson.

What happened to the criminals? First, it is unlikely that m00p were the authors of Zotob, although they may have been using a Zotob variant. The author of Zotob was Farid Essebar, a 19-year-old Moroccan, who was sentenced to a two-year prison term in September of 2006. (See Symantec report Zotob author sentenced to 2 years in prison. Diabl0, as Essebar was known, created as many as 20 variants of his bot, and its possible that m00p was a customer of that process.)

In a Swedish language story published September 17, 2007, the headline read "Finnish man suspected of computer crimes" and gave more details (source: Finsk man misstänks för databrott with some help from Google Translate.)

A young man from Poris suspected of having participated in a computer hijacking offensive against millions of computers.

According to the police in Pori, the man made malware that uses e-mail distributed to tens of millions of computers around the world. The man admits that he made 30-40 different malware programs. The malware was so-called trojan horse programs, which means that the people managing the malware had access to the compromised computer and its contents. The hijacked computers formed botnets that can be used, for example, to spread malware.

The man is suspected to have belonged to an international group of computer criminals, led by a British man. The police found that group m00p had 64 million email addresses for spreading the malware.

The preliminary investigation on the most comprehensive data breach in Finland will be ready in September and then go for an objective consideration of the charges in the prosecutor's office in Stakunta.

Three days later, Finnish technology magazine DigiToday ran a story about the arrest of a member of the M00P Group that no one in English-speaking countries paid much attention to, perhaps with the exception of Detective Constable Bob Burls of the Metropolitan Police of London's -- M00p-ryhmä toimi tietoturvayhtiön suojissa, "Security Company working under the auspices of M00P-group." The story claims that while a company sold security software as a cover, secretly the group was distributing malware and botnets. The 63-year-old Englishman is said in this article to have hired the m00p group to infect members of a rival company and to gather information about that company from the data their trojans could harvest from the rival's computers.

DC Bob Burls, from the Police Central e-Crime Unit (PCeU), was still on the case all this time. Last month, Matthew Anderson, now 33 years old, plead guilty to his role in the group, as reported by the UK's IT Pro in their story of October 25, 2010, Virus spreading snooper pleads guilty. That story continued "A 33-year-old Scottish franchise manager helped spread viruses and spied on people via webcams". Burls is quoted as saying:

This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals. Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy.
- DC Bob Burls

We now know some more about the Finland-based hacker and his sentence. He did plead guilty to the charges mentioned above, and was sentenced to the harsh term of EIGHTEEN DAYS, yes, 18 DAYS, not months, and was forced to serve community service.

Fortunately, the Brits are a bit more reasonable in their sentencing. Anderson was sentenced on November 23 to serve 18 months in prison. The penalties were stiffened in 2008 under the law with which he was charged. If his crimes had occurred after October 2008 the maximum penalty could have been 10 years, and the judge mentions, according to this article in The Register he would have received at least 36 months instead.

The Daily Mail describes Anderson as a father of five, who did most of his hacking from his mother's front room in the Scottish Highlands town of Banffshire, Scotland. They claim he sent out 50 million spam emails with a malicious attachment, and at least 200,000 people clicked on the attention "enslaving" their computers to Anderson. Anderson was then able to gather files and photographs from their computers and to turn on their web cameras and record video. According to the Daily Mail "At his leisure he then sat spying into the living rooms or bedrooms of strangers."

In captured text from his computer, Anderson, using the name "Warpigs" boasts to another hacker, "CraDle", of one 16-year-old girl he had been "tormenting for hours" and saved a video of her bursting into tears as he made his presence known by changing her screen. According to DC Burls, the images and videos kept as trophies were carefully catalogued: passwords, CVs, medical records, intimate photos, etc.

Similar to yesterday's blog post, he claims that personal tragedy lead to his career choice. He became house-bound in his early 20s, experiencing panic attacks when he went out in public. This lead to his fascination with online chat. His company is a computer security firm, ironically protecting its customers, supposedly, from people just like him.

The only financial gain for Anderson seems to be his selling of email addresses that he had harvested from his bot computers. Only £12,000 in profit can be proven. In addition to private computers, Anderson controlled systems at John Radcliffe Hospital, Oxford University, and several non-military government computers in the UK.

According to the story Scottish botnet master jailed for 18 months by Chris Williams at TheReg, it was the hospital computer case that lead the PCeU to get involved. Burls was called to the hospital when the malware was discovered, and tracked the command and control of the botnet to a domain registered to the email address "". Inquiries to Paypal and eBay helped link that email address to Matthew Anderson and his company, Opton-Security.

Having his email address makes it possible to find quite a few interesting emails from Mr. Anderson.

Here's one forum post to the Toyota USENET Discussion Group "" found on Toyota Nation:
02-21-2006, 11:01 AM Subject: How to keep your private files private


I would like to offer you the chance of owning a very powerful product of ours. Opton FileCrypt is designed to keep your private files private. These can be personal files where you store your important passwords, credit card or banking details. It can also be used to protect legal documents, private databases, images and music files. In fact, it will lock and protect any filetype available on a PC

If you have anything at all you would like to keep away from prying eyes then this tool will lock & encrypt the files at a click of a button using MD5 encryption technology.

If you are at all worried about your personal information getting into the wrong hands, having your private images and files being looked at by your children or by anyone with out authorised access or being the victim of Identity Theft then I recommend this application highly. Its simplicity of use makes it reachable to all PC owners as no advanced skill are needed to operate the software.

To read more and possibly make a purchase please visit us at

Kind regards

John Anderson

The ironic reply to this thread, from Travis Jordan, was:

Now why would Mr. Anderson's UK-based company whose email address is
known variously as
and their domain contact

post this commercial material to a Lexus newsgroup?

I suppose it might be because

aren't geting enough spam.

Most Opton Security products, such as Opton FileCrypt Pro, were distributed as try-before-you-buy trial software. Some are creepy when you consider the charges above. Consider, for example, the description of the product "Opton Monitor Pro 1.0":

"Designed to record everything that is done on your business or home PC."

I'm guessing the license didn't reveal that the author's hobby was the same thing.

Investigators speculate that the m00p gang's success rate was approximately 1 computer take over for every 250 spam emails sent. The original spam campaign claimed that the recipient's computer was infected and that the attached program was being provided to fix it. At one point during police monitoring, police observed 1,743 new computers being added to the botnet in one 90 minute period.

Other members of the m00p gang hacked under the aliases Kdoe, CraDle and Okasvi, with the last being the alias of Artturi Alm, the Finland-based hacker who received the 18 day sentence, which the British press are being described as "brought to justice" of which I am not quite so convinced.

Anderson, photo from

Tuesday, November 23, 2010

Lord Aughenbaugh of the Trailer Park

It turns out you don't have to be an evil Russkrainian genius hacker to be a successful identity thief. Consider the case of sixth grade educated Lord Joseph Helaman Mormon Aughenbaugh and his trailer-mate, Todd Yurgin.

Here's the way these two made more than $1 million from the single-wide trailer in Bear, Delaware, according to the Aughenbaugh Indictment filed in Delaware.

In order to commit identity theft, first, you need some social security numbers. In this case, these were provided primarily through mail theft. At least thirty-six times, beginning possibly as far back as March 2003, the pair stole pieces of mail from other people's mail boxes.

They would use websites to verify the validity of the SSNs, and once confirmed use them to create driver's licenses and other identification cards using a photo editing program. Over the course of six years, Aughenbaugh and Yurgin "misappropriated" the social security numbers of at least 93 individuals.

Once they had their new identities, the two would begin applying for credit cards. They received at least 343 credit cards from at least forty financial institutions over the course of their scheme. These were paired with a dozen separate mailing addresses and Post Office Boxes they had set up.

Eventually the pair determined they needed a better source of income. Aughenbaugh set up two businesses. Cathouse was the name of his "Professional Services-Veterinarian" business and Restored was the name of his "Professional Services-Occupational Therapy" business. Cathouse used the SSN of an adult male as the owner while Restored belonged to a minor child, according to the SSN.

Aughenbaugh created a bank account at PNC Bank under the name Joseph H. Aughenbaugh d.b.a. Restored. Then they bought a Point of Sale Terminal, which they installed in their trailer home, and which they used as an ATM. Whenever they needed money, they would swipe one of their 343 credit cards and charge it for either veterinary or occupational therapy services, which would be deposited to their account.

They then used this money to:

1. make payments to the financial institutions of their various credit cards

2. transfer funds to other bank accounts they controlled

3. pay the lease on the land where their trailer was located

4. make payments on several parcels of real estate

5. to purchase goods and services

6. to make payments on their 2006 Mercury Mariner, 2007 Ford F-150, and 2009 Dodge Avenger

On April 15, 2009, a $40,000 deposit was made to the PNC Bank Account. The payment was written to "Cathouse" and was from "Helaman Mormon".

The various credit cards were also used to go shopping, paying for clothing, accessories, travel, vehicles, high-end jewelry, collectible items, gold coins, and other merchandise. The cards were frequently charged above their balance, and payments were often sent from invalid bank accounts created with fictitious names set up with invalid social security numbers.

So, what do the prosecutors charge them with?

COUNT ONE: Mail Fraud

From March 25, 2003 through September 8, 2009, the defendants "did knowingly conspire with each other to commit mail fraud, in violation of Title 18 USC Sections 1341 and 2, and bank fraud, 18USC sections 1344 and 2, to wit "by devising and intending to devise a scheme and artifice to defraud and to obtain money and property by means of false and fraudulent pretenses and promises and in so doing did deposit and cause to be deposited materials to be sent and delivered by the US Postal Service and by private and commercial interstate carriers, and did defraud a financial institution to obtain the moneys, funds, credits, and other property owned by or under the custody and control of, a financial institution."


The defendants applied for a Citibank Mastercard claiming to be for Clyde Aughenjbaugh, b. March 4, 1986, employed by the University of Pennsylvania, earning a $56,000 salary, with a SSN XX-XXX-4911, which belonging to a minor male child born in 1997. The card made multiple charges to "Cathouse" and also was used to pay for travel for Joseph Aughenbaugh and Todd Yurgin to Walt Disney World.

COUNT THREE: Title 42, USC Section 408(a)(7)(B) "with intent to deceive, falsely represents a number to be the social security account number assigned by the Commissioner of Social Security to him or to another person"

The defendants applied to Cardinal Financial to acquire a loan to purchase real estate in West Deptford, New Jersey. The loan was assured with a check for $7,500 from a PNC Bank Account in the names of T. Yurgin and J. Aughenbaugh, and a pay stub purporting to be from Verizon Communications showing Yurgin as an employee, born August 23, 1980, showing that he earned $92,000 per year as a manager and had SSN XXX-XX-4577, which actually belonged to a male born in 1964. (The defendants birthday is in 1968.)

That same SSN was used to acquire at least 25 credit cards including cards for Todd Yurgin, Tadd Yurgin, Matthew Yurgin, and Joshua Yurgin.

Yurgin obtained communication services from Verizon for the West Deptford property, but he used an SSN XXX-XX-4478, belonging to a minor female born in 2000. On the same app, he gives his birthdate as September 4, 1986 and claims to be an aide at the University of Pennsylvania.


Using the name "Tristan Yurgin" and an SSN XXX-XX-5009, the two applied for a Citibank card. That SSN belongs to a minor child.

COUNT FIVE - Title 18 USC Section 1957 - "engaging in monetary transactions in property derived from unlawful activity"

Transferring $17,000 from a PNC Bank Account into a WSFS bank account under their control.

COUNT SIX - Title 18 USC Section 1028A(a)(1) - Aggravated Identity Theft

Possessing and using without lawful authority the means of identification of another person during and in relation to Social Security Fraud.

COUNT SEVEN - Social Security Fraud

Presenting an application to Citi Financial Corp claiming to be Jonathan P. Aughenjbaugh with SSN XXX-XX-0002, which they knew to not be an SSN assigned to that name, but rather to a minor child.

COUNT EIGHT - Social Security Fraud and Aggravated Identity Theft

COUNT NINE - Title 18 USC Section 111 - Assaulting, resisting, or impeding certain officers

Todd Yurgin knowingly did forcibly assault, resist, oppose, impede, intimidate, and interfere with United States Social Security Adminstration Office of the Inspector General Special Agent Kevin Huse, and engaged in acts involving physical contact while Special Agent Huse was engaged in his official duties


Because of Counts 1-8, the defendants forfeited:

A silver and blue Mercury Mariner, a black Dodge Avenger, a 2.1 carat diamond, a .5 carat diamond ring, a three stone ring, ten "Presidential First Spouse" gold coins, five gift cards to Bailey, Banks & Biddle jewelry store, a Cannon SD550 ELPH camera, , nine other gift cards, a Gucci handbag, a Cartier 21 watch, two Dell computers, a Compaq computer, and many other pieces of jewelry.

The Sentencing Memorandom was quite extensive - 32 pages. It begins with the recap that Aughenbaugh had no maternal influence, moved fifteen times, lost his grandmother and his father, endured physical and sexual abuse on an almost constant basis and "with his sixth grade education he was easily influenced to break the law by close members of his family who he would expect to be only thinking of his best interests." The memo tells a truly tragic story of an early childhood of being bullied, living with a verbally abusive uncle who called him a "Nazi Bastard." The defendant tells his own story of his tragic childhood, including having his Uncle Wade leave his dog out on a cold night causing him to freeze to death, and being repeatedly sexually molested for a period of three or four years by the sons of his father's girlfriend. At his next address a cousin, Charles, forced him to perform sex on himself and two friends on a regular basis, lighting his clothes on fire, threatening him with knives and guns, and locking him into a trunk. At the next address, classmates forced him to have oral sex and beat him. After that, his father never enrolled him in school again. When his father became ill, Aughenbaugh began kiting checks to pay his medical bills. When he lost his house, he moved in with a homosexual man he met on AOL chat. After that ended disastrously, Aughenbaugh, then Calvin Ashley Harris, married, became a Mormon, and changed his name in 1996 to Lord Joseph Helaman Mormon Aughenbaugh. Lord Joseph, for Joseph Smith, Helaman, a hero in the book of Mormon who leads an army of children to conquer an enemy army, Mormon, for his new-found faith, and Aughenbaugh, the name of his new wife Janette, a widow with five children. The marriage lasted less than a year. He had a series of jobs, including cleaning motel rooms at several motels, working at Jury Box Restaurant, driving for a graphics company, working at Hardees, working at a loan office, working at a Westin Inn, a grocery store, a temp agency, Zion's Bank, and finally Jury Box Courtside Coffee Shops before returning to North Carolina. There he worked for Carolina Builders, Panera Bread, Warner Brothers, Wal-Mart, and Kay Bee Toys. In Philadelphia he worked for Rite Aid, and Macy's in New York. When he settled in Bear, Delaware, he worked at Mitchell Temporary Services, Butler County Publishing, P&R Environmental Industries, and Britt Enterprises.

In 1997, Aughenbaugh was sentenced to 14 months for violation of Title 18 sections 1341 (Mail Fraud), 1343 (Fraud by Wire, Radio or Television) and 1344 (Bank Fraud).
See USA v. Aughenbaugh Eastern District of North Carolina, CASE #: 5:97-cr-00155-H-1.

He was sentenced to 14 months, with 5 years supervised release, and ordered to pay $28,300 in restitution.

Shortly after his release, he met Todd Yurgin in Butner, North Carolina. They lived for a time with Todd's sister, but left to move to San Francisco, then Tennessee and then Kentucky. Todd was sent back to prison, arrested in 2001 after having his probation revoked, ordered to serve ten more months. About a year after he was released, he and Todd Yurgin moved to Philadelphia and then to New Jersey where they lived with Todd's sister and worked together cleaning houses. Finally, they moved to Delaware, where they purchased the trailer and began their new careers as identity thieves.

While all of these factors point to a tragic life where finding regular employment was difficult, crime still merits punishment, and Aughenbaugh was sentenced to twelve years. Todd Yurgin has still not been tried.