Thursday, October 29, 2015

Passwords, Password Cracking, and Pass Phrases

Yesterday I was contacted by a journalist who had questions about passwords.  I tried to convey some concepts to her, but when her response was "Wow.  You must really like math!"  I knew I had failed to communicate.  The story may have accomplished some purpose, but not one that would please a technical audience.  Below, I try again.

The story was partly prompted by a new password policy at UAB, where I work.  The basic policy is that you should have a 15-character password, but the quid pro quo for that is that you will only have to change your password once per year.

How Often to Change Passwords

We'll talk about the 15-characters below, but quickly about the one year.   The original "wisdom" about changing your passwords every thirty days was based on the fact that the average computer hacker using an average computer would need about thirty days to crack a password.  By changing your company's passwords every thirty days, if a hacker had managed to grab your /etc/passwd file or to dump all of your Windows hashes, by the time they had cracked the passwords, they would all be obsolete.  Now many Windows passwords can be cracked in seconds and most in less than a day.

There are still times to change the passwords more frequently.  Specifically:
  • any time you feel that someone may have observed you enter your password 
  • any time you have been exposed to malware or phishing
  • any time you have a change in administrative/trusted computing personnel (people who may know 'shared passwords' or passwords to routers/switches/servers)
  • whenever you are changing hardware or lose control of your devices (lost/stolen/sold computer/laptop/phone)
 Other than those times, there is really no reason to change your passwords, but an annual refresh still seems reasonable. 

Classes of Password Problems

Password re-use

One of the biggest problems that we face today with passwords is that people use the same passwords everywhere! Some studies have suggested that as many as 55% of adults use a single password on all websites! (See, for example, this 2013 UK study, or this June 2015 study by Harris Interactive, showing that 59% of Americans re-use passwords because it is too hard to remember them!)
Why is password re-use such a big deal? Because of the common problem of even the largest websites getting hacked and losing passwords!

  • 000Webhost - Just this week a major provider of free webhosting services had 13 million userids and passwords stolen (See story in Forbes or from Troy Hunt).
  • Ashley Madison - 11 million passwords have been cracked (see CNN, "Ashley Madison passwords cracked"), including the most popular passwords: 123456, password, 12345, 2345678, and qwerty. Other common passwords were "helpme", "midnight", and "yamaha".
  • Adobe - in 2013 150 million Adobe software users (that is YOU if you have ever downloaded Adobe's PDF Reader or Flash Player) had their userids, password hashes, and password "hints" leaked. Crackers soon made short work of millions of those passwords by matching hashes of leaked passwords and combining multiple hints to determine the underlying password.
  • LinkedIn - in 2012, hackers revealed that they had stolen 6.5 million userids and passwords from LinkedIn!

It is now generally accepted that every time one of these "major password dumps" hits the Internet, criminals use automated programs to test these userid and password combinations at all of the other bank, credit card, and merchant shops where you may have used the same userid and password on another account.  Many people make the error of treating their Email password as an "unimportant" account, failing to recognize that if I have your email password I now know where you bank (if you receive electronic statements), who you communicate with (and with your password, I *AM* you), and when you will be traveling!

Overly simple passwords
Many people who think they are being clever actually choose common passwords used by other people who thought they were being clever. A study in 2008 listed the 500 most common passwords at that time, and many of them continue to be widely used, including "clever" passwords such as "ncc1701" (the number of the Starship Enterprise), "bond007", and "qwertyui".

One of my first exposures to the password problem came from the notorious "Morris Worm" which crashed the entire Internet back in the 1980s by using a simple password guessing list to break in to servers on the Internet. After each server was compromised, it would then try to break in to every other server it could find, starting by testing the 432 hard-coded passwords against every account it could find, and moving on to more complex cracking techniques. Robert Morris the hacker was the son of Robert Morris, the Unix pioneer at Bell Labs. The senior Morris had published a paper in 1979 called Password Security: A Case Study. After his death, a slashdotter revealed that he had discovered the senior Morris capturing other Bell Labs employees' passwords -- which may actually have been the source of the password list the younger Morris ended up using in his worm!

When I was a young Systems Programmer working at Samford (in 1989) I used the Morris Password list to require users at Samford to change their password if they were using any of those words. We added a few other common passwords to the list that we found our local users liked, including: bulldogs, bulldog!, ROLLTIDE, samford, and aubie1.
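A sketch of the kind of blocklist check described above, as an added example rather than the code used at Samford. The word list is assembled from passwords named in this post; the substitution table, the trailing-character rule, the 15-character default and all function names are assumptions.

```python
import re

# Lowercased words named in this post: leaked favourites, "clever" choices,
# and the local additions to the Morris list.
BLOCKLIST = {
    "123456", "password", "12345", "qwerty", "helpme", "midnight", "yamaha",
    "ncc1701", "bond007", "qwertyui",
    "bulldogs", "bulldog!", "rolltide", "samford", "aubie1",
}

# Look-alike characters mapped back to the letters they stand for (assumed set).
UNDO_SUBSTITUTIONS = str.maketrans({"0": "o", "3": "e", "5": "s", "$": "s", "@": "a"})

# Digits and symbols tacked onto the end of a word, such as "1!" or "2015!".
TRAILING_DECORATION = re.compile(r"[^a-z]+$")


def candidate_forms(password):
    """Return the simplified spellings that a dictionary-based guesser covers."""
    lowered = password.lower()
    forms = {lowered, TRAILING_DECORATION.sub("", lowered)}
    forms |= {form.translate(UNDO_SUBSTITUTIONS) for form in forms}
    forms |= {TRAILING_DECORATION.sub("", form) for form in forms}
    forms.discard("")
    return forms


def check_password(password, min_length=15):
    """Return a list of policy problems; an empty list means acceptable.

    Only whole-password matches are checked, so a long phrase that merely
    contains a blocklisted word is not rejected.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = sorted(candidate_forms(password) & BLOCKLIST)
    if hits:
        problems.append("reduces to blocklisted word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for sample in ("ROLLTIDE", "P@ssw0rd1!", "Samford2015!", "theGROOMprefer$c00kies"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```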

Password Cracking

 Let's talk about cracking alphabets:

If you have a one character password, and you restrict your password to only using the 26 lowercase alphabetic characters, guessing your password will take 26 guesses. abcdefghijklmnopqrstuvwxyz. Done! We've guessed your password!

If you have a TWO character password, how many guesses will it take? 26 SQUARED or 26^2 = 676 guesses, from aa, ab, ac to zx, zy, zz.

By raising the LENGTH of the password, we change the exponent. A 3 character password is 26^3, 4 characters = 26^4, 5 characters = 26^5, etc.

By raising the SIZE of the alphabet, we change the BASE.
Lowercase = 26
Uppercase = 26
Numeric = 10
Special characters = 33
`~!@#$%^&*() -_=+[{]}\|;:'",<.>/?
(including the "space")

If we combine all of these, 26 + 26 + 10 + 33 = 95, we have a strong "alphabet" that resists crackers who have only been guessing "all lowercase" or "all lowercase plus numbers".

All the way back in the 1979 paper, Robert Morris warned about the dangers of password cracking and how simple passwords could be easily guessed by computers. In 1979, he calculated the time to crack various passwords, based on a combination of the length of the password and the size of the alphabet.

Now let's look at 1979 cracking times from the paper by Mr. Morris Senior:
n       | 26 lower | 36 lower + numbers | 62 alpha + numbers | 95 printable chars | all 128 ASCII chars
1 char  | 30 msec  | 40 msec            | 80 msec            | 120 msec           | 160 msec
2 chars | 800 msec | 2 sec              | 5 sec              | 11 sec             | 20 sec
3 chars | 22 sec   | 58 sec             | 5 min              | 17 min             | 44 min
4 chars | 10 min   | 35 min             | 5 hrs              | 28 hrs             | 93 hrs
5 chars | 4 hrs    | 21 hrs             | 318 hrs            | 112 days           | 500 days
6 chars | 107 hrs  | 760 hrs            | 2.2 years          | 29 yrs             | 174 yrs

In 1979, a six character password with upper+lower+numeric+symbol would protect us from cracking for 29 years!  But today's computers are FAR faster than that! How does that compare to today's password cracking speeds?

To guess all 7-character lowercase passwords would be 26^7 guesses, or 8,031,810,176 (8 billion guesses!)

A secret about Windows passwords comes into play here. In environments that still use Windows XP, Windows defaults to a password storage mechanism called "LanMan Compatibility." That means that if your password is LONGER than 7 characters, Windows actually splits the password into two parts and hashes the first 7 characters as one hash, and the remaining 1-7 characters as a second hash. So, instead of a 14-character Windows XP password having a complexity:

26^14 = 64,509,974,703,297,150,976 (64 QUINTILLION guesses!)

It actually is stored as:

26^7 + 26^7 = 8 billion + 8 billion = 16 billion

Of course no one in their right mind is still running Windows XP! (right?)

Still, 16 billion guesses sounds like a lot, right? Unfortunately, not anymore.  How long would it take to crack a password that required 16 billion guesses?  If you have the right computer, LESS THAN ONE SECOND.

In December 2012, Ars Technica ran a story called 25 GPU Cluster Cracks Every Standard Windows Password in 6 hours!. The story is about a 5-server setup built with 25 Graphical Processing Unit cards (the video cards that the gamers love) that can guess 350 BILLION PASSWORDS PER SECOND!

So what do we do?

Even in Windows XP though, if we went to FIFTEEN characters, LanMan compatibility was broken, and we no longer divided the password, meaning that we now have:

26^15 if we use only lower case characters, or 95^15 if we use UPPER+lower+numeric+special characters!

95^15 = 463,291,230,159,753,366,058,349,609,375 (463 OCTILLION guesses!!!!)

463 OCTILLION divided by 350 Billion Passwords per second means . . .

1,323,689,229,027,866,760 seconds or
22,061,487,150,464,446 minutes or
367,691,452,507,740 hours or
15,320,477,187,822 days or
41,973,910,103 years

At UAB, we've decided that anyone who can wait 41 BILLION YEARS to crack your password is welcome to have all your data.

Of course we have to remember Moore's Law.

 Moore's Law suggests that computers double in speed every 18 months. While that doesn't sound like much, that means in 18 months it would only take 20.5 billion years. 18 months after that it would take 10.25 billion years. So in thirty-six 18 month periods, or 54 years, we would be able to crack that password in less than a year. That doesn't even take into consideration the fact that we will be able to harness additional computers together to use larger networks of computer to do the guessing.
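The arithmetic of this section in one place, as an added example that is not part of the original post. It goes slightly beyond the figures above by letting you vary alphabet size and length; the function names are assumptions, and the 7+7 split models only what the post describes about LanMan storage.

```python
GPU_CLUSTER_RATE = 350_000_000_000  # guesses per second, the 2012 cluster figure above


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def lanman_keyspace(alphabet_size, length):
    """Guesses needed when storage splits the password into 7-character halves.

    Up to 14 characters are treated as two independent pieces, so the work
    adds instead of multiplying. At 15 or more the split no longer applies.
    """
    if length >= 15:
        return keyspace(alphabet_size, length)
    first = min(length, 7)
    second = length - first
    total = keyspace(alphabet_size, first)
    if second:
        total += keyspace(alphabet_size, second)
    return total


def exhaust_time(guesses, rate=GPU_CLUSTER_RATE):
    """Worst-case time to try every candidate, in whole units (365-day years)."""
    seconds = guesses // rate
    minutes = seconds // 60
    hours = minutes // 60
    days = hours // 24
    return {"seconds": seconds, "minutes": minutes, "hours": hours,
            "days": days, "years": days // 365}


def doublings_until(years, target_years=1.0):
    """Count speed doublings until the job takes less than `target_years`."""
    periods = 0
    remaining = float(years)
    while remaining >= target_years:
        remaining /= 2
        periods += 1
    return periods


if __name__ == "__main__":
    split = lanman_keyspace(26, 14)
    print(f"14 lowercase chars, split storage: {split:,} guesses, "
          f"{exhaust_time(split)['seconds']} whole seconds")
    full = exhaust_time(keyspace(95, 15))
    print(f"15 chars, 95-symbol alphabet: {full['years']:,} years")
    periods = doublings_until(full["years"])
    print(f"{periods} doublings ({periods * 18 // 12} years at 18 months each) "
          "bring that under one year")
```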

Pass Phrases = 15 characters? How will I remember!?!?!

Remember that we not only need a LONG password, with a COMPLEX character set, we also need to make sure we don't re-use passwords across multiple sites!

There are two theories on how to do that.

One is to use password management software -- something like "LastPass" or "LogMeInOnce" -- I'm not going to address those packages here, other than to link to one review at PC Magazine -- The Best Password Managers for 2015 and to caution that MANY of the mobile phone apps that claim to be password managers are RIDICULOUSLY insecure! (See the article: ElcomSoft analyzes 17 Smartphones’ Secure Password Managers, Finds No Security).

The other theory, the one I like and use, is to use Pass phrases.

A pass phrase is a combination of words that is memorable TO YOU but that would not be something anyone else would know or use. Remember that the main trick criminals use to try to get your password is guessing commonly used passwords from a password list or dictionary BEFORE they start "brute-forcing" or guessing every combination of letters, numbers, and symbols. Password crackers come with dictionary files such as "10,000 most common passwords" and "100,000 most common passwords" and "English language names and places" and "Oxford English Dictionary Word List". We need to make sure OUR pass phrase is not on any of those lists.

Think of a memorable event. Or something you are unlikely to forget. Or a favorite book or movie. I'll give you an example of each of those.

Memorable Events
When my son got married we had an interesting situation. He hates cake. Always has. And yet WEDDING CAKES and GROOM'S CAKES are a major part of a wedding. My son did cookies instead of a groom's cake. So a password I used at about that time was:

theGROOMprefer$c00kies -- 22 characters. upper, lower, symbols, and numbers.

A common mistake people make with the numbers and symbols is to just put a "1!" at the end of their chosen word. Hackers know this, and cracking programs automatically check for that! I use common symbol and number substitutions, such as replacing the letter "o" with the number zero (0), or replacing an "s" with a "$". E = 3, S = 5, A = @ are also some common substitutions that are still easy to remember.

Unlikely to Forget
As many Christians do, I like to memorize scripture. I will often choose a password that relates to the site I'm visiting and invokes a Bible verse. For example, "" is a family tree website. One of my favorite Psalms, Psalms 1, says that people who meditate on God's word are "like a tree planted by rivers of water" so a good pass phrase for Ancestry for me might be:

th@tTR33fromPsalms1 -- 19 characters (That tree from Psalms 1). Upper, lower, symbols, number.

I also use passwords to remind myself or motivate myself. When my brother was adopting two sons from the Ukraine I had a password:


One of my Computer Forensics graduate students, Ran Sun, shared a presentation on passwords that included a link to this great article How a Password Changed My Life, where the author uses his passwords to remind himself to forgive someone, to encourage himself to stop smoking, and many other 'self-improvement' motivators.

Movies, Books, and Other tricks
One of my earliest password tricks was using a favorite book or movie title as a password. I remember telling one class about pass phrases and saying that one of my early passwords was "Robert Heinlein says the Moon is a Harsh Mistress". A bright student said "Oh! I see, take the first letter of every word to make your password -- RHstmiahm!" No. My password was actually: "RobertHeinleinsaysthemoonisaharshmistress". At that time 52^40. I don't care that it didn't use numbers or symbols.

Maybe your password is something related to an action by your favorite character: "Darth$@y$LukeIAMyourfather!"

or a combination of the author and his title "Hemingway&the0ldman&thesea"

or the year you first saw the movie: "1977.isawStarWarswithChad"

There are tons of ways to make a memorable pass phrase that will be memorable ONLY TO YOU!

The future of Password anti-cracking

The next technological trick to countering password cracking is to store the password hashes in a way that is more computationally complex. If an array of GPUs can guess 350 billion passwords per second, what is necessary is to make the process of guessing a SINGLE password require more computation time. Because a "real" user is only going to enter the password once, if it were to take even a full second for the password to be checked, that would be acceptable in most cases -- and yet it would make it much harder to "brute force" the account. bcrypt, an algorithm by Niels Provos and David Mazieres, is one such algorithm. Depending on the settings, it can reduce the number of password guesses per second down to under 20 even with a very fast computer! 20 vs. 350,000,000,000 will give the attacker a distinct disadvantage!

Last year at Password 2014 Conference in Norway, Thorsten Kranz presented a paper called On Password Guessing with GPUs and FPGAs (click for video of his presentation). This annual academic conference on passwords includes the "Password Hashing Competition" that discusses why bcrypt and scrypt are the best ways to store passwords.  For the uber-geeks, you will enjoy watching that!
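The slow-hash idea described above, as an added example that is not part of the original post. It uses scrypt from Python's standard library instead of bcrypt, which needs a third-party package; the cost values, the record format and the function names are assumptions.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, n=2**14, r=8, p=1):
    """Return a self-describing record: scheme, cost settings, salt, digest."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def guesses_per_second(n, trials=3):
    """Measure how many hashes this machine computes per second at cost n."""
    start = time.perf_counter()
    for i in range(trials):
        hash_password(f"guess-{i}", n=n)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("theGROOMprefer$c00kies")
    print(record)
    print("correct phrase:", verify_password("theGROOMprefer$c00kies", record))
    print("wrong phrase:  ", verify_password("theGROOMprefers cookies", record))
    # Each step up in n multiplies the work for every single guess.
    for cost in (2**10, 2**12, 2**14):
        print(f"n={cost:>6}: about {guesses_per_second(cost):.0f} guesses/second")
```

The salt and cost settings travel with each record, so the cost can be raised for new passwords later without breaking verification of old ones.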

Saturday, October 03, 2015

Hillary's Email Server and the New York City malware

Wednesday night (September 30th) I had a strange Tweet in my notifications from a journalist at ForeignPolicy:
Elias explained that he was wanting some quotes in response to a "hyperbolic AP story" by Bradley Klapper, Jack Gillum and Stephen Braun that had posted on the AP wire. (The same story has been posted in the Washington Post, US News & World Report and other top news sources.)
The story begins with the opening paragraph:

Russia-linked hackers tried at least five times in August 2011 to trick Hillary Rodham Clinton into infecting her computer systems while she was secretary of state, according to newly released emails from the State Department.
The New York Times version of the story is far more sensational (and far more incorrect) in their telling of the story. Given the victim of all this attention, you would have thought these stories were from Fox News! Here's NYT making up scary security-sounding stuff:

Still, the evidence that Mrs. Clinton's personal account had been on the receiving end of a "spear phishing" attempt, revealed in a batch of her emails released by the State Department on Wednesday, raises the same question the F.B.I. is trying to answer as it combs through the forensic evidence from the server that was once in Mrs. Clinton's basement.
In fact, a disclaimer on the bottom of the NYT news story now reads:
A headline on Friday with an article about Hillary Rodham Clinton's email server overstated what is known about an investigation into the server's security. As the article correctly noted, Mrs. Clinton received spam email that was intended to place malware on her computer network; the investigation has not yet determined that the malware effort was successful.

What Elias did that apparently the AP reporters and the NYT reporters did NOT do was a simple Google search. If they had, they would have seen the story on this blog, dated August 17, 2011, with the headline New York City "Uniform Traffic Ticket" tops spammed malware. The image that accompanied that story, shown below, reveals why the email was turned over to the government:

 As Politico suggests in their story Most Clinton spam messages likely deleted, the workers tasked with finding "work-related" emails to turn over probably started with a few simple rules like "turn over all the emails that are from .gov addresses" -- which would include this spam, which claimed to be from

The point of that CyberCrime & Doing Time blog post was to share that this was one of the highest volume spam campaigns we had seen that summer!  Just in the UAB Spam Data Mine, we had received 11,000 copies of this email!  Spear-Phishing, which the New York Times wrongly suggests happened here, is when an email message is personalized to target a particular high-wealth or high value target.  If Hillary Clinton was targeted, so were about 11,000 mostly entirely fictitious people whose spam goes into the UAB Spam Data Mine, as well as a few hundred people who chose to share their emails with us!

What is ChepVil?

It isn't a mystery at all.  In fact, we have that documented in the blog post as well.  The malware is not mysterious at all.  It was part of a "pay-per-install" malware ring that was very popular at that time.  When my lab at UAB reported the malware to VirusTotal, it was detected by 18 of 43 anti-virus programs, with both Microsoft and Sophos detecting the malware and calling it "Chepvil" (Microsoft called it "TrojanDownloader: Win32/Chepvil.N" while Sophos called it "Mal/ChepVil-A" - we were using the name "FraudLoad" for this malware at that time).  You can see that August 17, 2011 VirusTotal report as it looked the day we reported it.  (And you can see in the comment there, also from that day, that we explained the source of the malware and gave a link back to our blog post.)

ChepVil is a type of malware that was heavily based on the BredoLab malware, although by August 2011, the BredoLab original author was already in jail.  Armenian programmer Georgy Avanesov was arrested in October of 2010 when the Dutch High Tech Crime Team police seized 143 servers located at LeaseWeb in the Netherlands that he used to control his world-wide spamming operations.  At the time of his arrest, BredoLab was infecting 3 million computers per month and being used to send approximately 3.6 billion spam messages per day.  Despite this massive seizure, because his source code was already known by other malware criminals, the attacks quickly resumed following his arrest.

The August 17, 2011 version of this malware made a connection back to the Russian domain name, (associated with BredoLab, according to Sophos, see for example this Sophos report from August 4, 2011.)

We reported malware communicating to that server to the Microsoft Malware Protection Center on August 11, 2011 -- pointing out that it was hosted on the IP address, one of several IP addresses on that same netblock that took turns hosting during August 2011, all  hosted in Mykolayiv, Ukraine.   The first time we saw this family of malware communicating with that server was in a big campaign imitating the FBI on May 5, 2011.  The same malware family pretended to be the United Parcel Service on June 9, 2011, sending my lab at UAB more than 54,000 copies of the malware.  We produced a map of the computers that sent us both the May 5 FBI spam and the June 9 UPS spam and shared it with law enforcement at that time:

The point is - it wasn't "targeted" and it wasn't "spear-phishing" and it isn't a "mystery" about how it  came to be sent to Mrs. Clinton.   This wasn't a clever Russian master mind sitting in his evil lair dreaming of taking over the State Department.  One of the millions of spam bots that were part of this network (or actually probably FIVE of them) asked the Command & Control server "Who shall I spam next?" and happened to draw Mrs. Clinton's email address.

But What COULD the Malware Do? 

In August of 2011, the primary thing that Chepvil did was deliver "Fake Anti-Virus" software.  That's it.  The malware would connect to the server and ask "What additional malware would you like to infect me with?"  The server would then see who was currently paying the highest commission to have their malware installed, and whether the daily quota for installing that additional malware had already been fulfilled, and install whatever it was told to install.

In August of 2011 - the only thing we saw Chepvil install was Fake Anti-Virus, and a near cousin "Fake System Alert".  So, *IF* Mrs. Clinton had actually been infected by this malware, it would have caused a pop-up animation to play, claiming she was infected with dozens of nasty viruses, and that she needed to pay the criminals $59 to get rid of the malware.  None of that is true -- the malware is actually just "ScareWare" -- intended to irritate you with pop-up warnings about being infected until you finally give up and pay the "license fee" or have the malware professionally removed from your PC.

The Daily Malware Report

Olivia Foust Vining (now at PhishLabs, Hi Olivia!) was the student malware analyst in my lab who brought this malware to my attention that day in her "Daily Malware Report" (a research project sponsored by UPS!)  By the end of her shift, we had actually seen 45,377 copies of the malware!  Her report gave every 15 minute breakdowns of how many copies we received during the morning hours.

count |        mbox         
   326 | 2011-08-17 03:30:00
   264 | 2011-08-17 03:45:00
  1880 | 2011-08-17 04:00:00
   756 | 2011-08-17 04:15:00
  1930 | 2011-08-17 04:30:00
  2608 | 2011-08-17 04:45:00
  5982 | 2011-08-17 05:00:00
  4364 | 2011-08-17 05:15:00
  3544 | 2011-08-17 05:30:00
  2418 | 2011-08-17 05:45:00
  2262 | 2011-08-17 06:00:00
   999 | 2011-08-17 06:15:00
   870 | 2011-08-17 06:30:00
   972 | 2011-08-17 06:45:00
   643 | 2011-08-17 07:00:00
   277 | 2011-08-17 07:15:00
   354 | 2011-08-17 07:30:00
   200 | 2011-08-17 07:45:00
  4571 | 2011-08-17 08:00:00
  3974 | 2011-08-17 08:15:00
  3109 | 2011-08-17 08:30:00
  2047 | 2011-08-17 08:45:00
  1617 | 2011-08-17 09:00:00
(23 rows)

For comparison, here is the count of the other high malware volumes for that day:

count |             md5_hex              
 45377 | 1c2b06a9fbbea641ae09529e52f29b96 <= the "Uniform traffic ticket" malware
  3484 | e7b48c4421a68740dfd321dade6fd5e6 <= "End of July Statement" malware
  2627 | c1f67a7542359397544bd0af0b546166 <= "Your credit card has been blocked" malware
  1021 | d22eadfda41fcbeb692c600c97d10ff5 <= "Money Transfer Information" malware

But how did Spammers learn Mrs. Clinton's email address?

There are four primary ways that spammers gather email addresses.

The first is specialized software programs that scour the web looking for email addresses on websites.  One of the richest sources of these is actually "archives" of large email lists.  When email lists provide web access to their history, many do so publicly, allowing these scraping tools to learn the email addresses of every person mentioned on the mailing list.  Spammers also JOIN tons of mailing lists to be able to gather the email addresses posted there.

Data dumps are another rich source of email addresses.  Do you recall, for example, the Adobe breach in 2013 when 38 million people who had ever used an email address to register for the free download of Adobe reader or any other Adobe product had their email addresses publicly revealed?  Such events are great days for the spammer community!

Next, we have malware on other people's computers. Many malware programs have as one "module" code that will scan a computer for email addresses.  If even ONE of Hillary's regular correspondents became infected with malware, her email address would have been discovered that way.

Lastly, we have SMTP harvesters.  These programs scan for mail servers, enumerate the domains served by that server, and then begin asking "do you deliver email for amos@? ann@? ... zach@?" The more intense of these servers will ask for every single letter and number combination, until it has a complete list of the "known" email addresses for the given domain.
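Seen from the receiving mail server, the SMTP harvesting described above leaves a recognizable trail: one client asking about many recipients, most of them unknown. The following is an added example, not from the original post; the log format, field order, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in a simplified, made-up log format:
#   timestamp  client_ip  RCPT  recipient  smtp_reply_code
SAMPLE_LOG = """\
2011-08-17T04:00:01 203.0.113.7 RCPT amos@example.org 550
2011-08-17T04:00:01 203.0.113.7 RCPT ann@example.org 250
2011-08-17T04:00:02 203.0.113.7 RCPT bob@example.org 550
2011-08-17T04:00:02 203.0.113.7 RCPT carl@example.org 550
2011-08-17T04:00:03 203.0.113.7 RCPT dave@example.org 550
2011-08-17T04:00:03 203.0.113.7 RCPT zach@example.org 550
2011-08-17T04:05:10 198.51.100.20 RCPT ann@example.org 250
2011-08-17T04:09:44 198.51.100.20 RCPT anne@example.org 550
2011-08-17T04:10:02 198.51.100.20 RCPT ann@example.org 250
"""


def summarize(log_text):
    """Tally recipient checks per client IP, skipping lines that do not parse."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0,
                                 "unknown": set(), "confirmed": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "RCPT" or not fields[4].isdigit():
            continue
        _, client, _, recipient, code = fields
        entry = stats[client]
        entry["attempts"] += 1
        if code == "550":            # mailbox does not exist
            entry["rejected"] += 1
            entry["unknown"].add(recipient.lower())
        elif code.startswith("2"):   # server accepted the recipient
            entry["confirmed"].add(recipient.lower())
    return stats


def find_harvesters(log_text, min_unknown=5, min_ratio=0.8):
    """Flag clients that probe many distinct unknown mailboxes.

    A legitimate sender with one typo has a low rejection ratio and few
    distinct misses, so both conditions must hold before a client is flagged.
    """
    flagged = {}
    for client, entry in summarize(log_text).items():
        ratio = entry["rejected"] / entry["attempts"]
        if len(entry["unknown"]) >= min_unknown and ratio >= min_ratio:
            flagged[client] = {
                "unknown_recipients": len(entry["unknown"]),
                "attempts": entry["attempts"],
                "confirmed": sorted(entry["confirmed"]),
            }
    return flagged


if __name__ == "__main__":
    for client, detail in find_harvesters(SAMPLE_LOG).items():
        print(client, detail)
```

The `confirmed` list is the part that matters to the defender: those are the addresses the server's differing replies revealed to that client.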

So . . . it isn't surprising at all that even "secret" email addresses receive spam.

Thanks, Foreign Policy, for getting it right! 

I was pleasantly surprised by how well Elias Groll handled the details on this story.  He quickly identified the scare-mongering going on over at the AP, and reached out for the facts.  Obviously what I shared above is far too much technical detail for the readers of FP, but I do want to commend the level-headed reporting in their story:

Clinton's Private Emails Show Aides Worried About the Security of Her Correspondence

Wednesday, August 26, 2015

Hackers vs. Drones: ISIS Cyber Caliphate Leader Junaid Hussain

In what may be a first move in the new escalation of cyber warfare with kinetic results, Junaid Hussain, the 20-something hacker who fled to ISIS after being charged with hacking Tony Blair's email accounts, has been killed by a drone strike.

CNN is running with the exclusive at this time claiming "The U.S. military and intelligence community is in the final stages of confirming that a U.S. drone strike this week killed Junaid Hussain."

(Click for CNN Story)

CNN quotes "several U.S. officials" that "the drone strike was specifically targeting Hussain traveling in a vehicle in Syria after the U.S. got intelligence on where he was and watched him to confirm his presence before striking."

Those who follow the defacement community will be well-familiar with Hussain's previous shenanigans online as the leader of Team Poison.  He gradually drifted from target-of-opportunity defacing to more difficult "called target" defacing, and was eventually jailed at age 18 by the British government after publishing the details of Tony Blair's email accounts, as broadly documented in July of 2012.

Click for Telegraph story

Hussain, who hacked under the name "Trick" during his Team Poison days in England, was sentenced to six months imprisonment for "conspiring to commit public nuisance," "causing a computer to perform a function to gain unauthorized access to data or programs" and "defacing numerous websites" between January 1, 2010 and April 14, 2012.  After his release he was arrested again for his cyber activities and fled the country while out on bail.

2012 - TeaMp0ison hacks NATO
 Hacking governments and militaries was something TeamPoison (TeaMp0isoN) had been doing for years prior to Trick's run-in with the UK authorities.  Above is a typical rant from Trick decrying NATO, BAE Systems, BP Oil, and Rupert Murdoch.

On August 3, 2015, the Mirror ran the headline "ISIS: British computer hacker who fled to Syria is third on US hit list of key Islamist militants".  At that time, he was using his new jihadi-friendly hacking name of "Abu Hussain al-Britani".  According to the Mirror article, only Jihadi John (Mohammed Emwazi) and ISIS Leader Abu Bakr al-Baghdadi were more wanted on the US "kill list."

Among his crimes, Hussain was identified as the man suspected in hacking the Twitter and Facebook accounts of US Central Command. Their most recent Twitter accounts @UmmHussain_18 and @AbuHussain_23 were created after their August 13th leak of US government personnel contact information caused #17 and #22 to be deleted by Twitter.

His 45-year-old rock-musician wife Sally Jones, now "Umm Hussain Al-Britani" and their 10-year-old son also lived with him in Syria.  As of 14AUG2015, there was concern that she may have been seen back in England:

Click for "Mrs. Terror Back in Britain?"

Tuesday, August 25, 2015

The Case of Spamford Wallace: Guilty at Last!

My anti-spam community friends were all abuzz today with the news that Spamford Wallace had pleaded guilty in a Las Vegas court to "compromising approximately 500,000 Facebook accounts" in order to deliver "more than 27 million spam messages."

What might amaze the General Reader is that this is the SAME Spamford Wallace case that began with an indictment on July 6, 2011.

The Spamford Wallace Indictment

July 6, 2011 Original Charges

According to the Indictment, Wallace created an account on November 4, 2008 under the name "David Frederix" and then tested posting spam messages to his 'real' wall "Sanford MasterWeb Wallace" experimenting with which posts would best evade Facebook's filters.

He then made a script that would automate the process of logging in to a Facebook account, obtaining a list of all of the Friends of that account, and then posting his advertising message to each of those friends' walls.  Spamford then created a domain registrar account at Moniker Online and another at Dynadot (using the name Laura Frederix) and between the two created 2,500 domain names that would be used in these spamming attacks against Facebook users.

On November 5 and 6, 2008, Sanford sent approximately 125,000 spam messages to Facebook users using this method.  On December 28, 2008, another run was made, posting nearly 300,000 spam messages, by logging in through 143 different IP addresses that were used as proxies to disguise his origins.  On February 17, 2009, another 125,000 messages were posted.

At this point, a civil injunction was served on Sanford Wallace in the case of Facebook Inc v. Sanford Wallace (Northern District of California No 09-00798 JF) where Judge Jeremy Fogel ordered Sanford Wallace to no longer access Facebook's computer network.  (Orders issued on March 2, 2009 and March 24, 2009).  Sanford logged in on April 17, 2009, in violation of this order, while flying on a Virgin Airlines flight  from Las Vegas to New York.

In 2011, Sanford was back on Facebook, using a profile called "David Sinful-Saturdays Fredericks"

Counts 1, 3, 7 - Fraud and Related Activity in Connection with Electronic Mail, carry a possibility of 3 years imprisonment.

2, 6, and 9 - Intentional Damage to a Protected Computer, carries a maximum sentence of 10 years imprisonment.

4, 5 and 8 - Fraud and Related Activity in Connection with Electronic Mail, carries a 3 year imprisonment possibility, and a possible $250,000 fine.

Counts 10 and 11  - Criminal Contempt, have unspecified potential penalties.

What's Happened Since?

Lots and lots of lawyering. . . behold the process of a Fair and Speedy Trial!!!!
  • 04AUG2011 - the indictment was unsealed
  • 04AUG2011 - notice of related cases was received.  These included:
  1. the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for Violation of the CAN-SPAM ACT, violation of the Computer Fraud and Abuse Act, Violation of the California Business Code Section 229489 AKA the California Anti-Phishing Act, and Violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act.  That case describes:  "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s.  Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excess of $235 million."  Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)
  2. This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009. 
  • 22AUG2011 - bail hearing
  • 28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)
  • 30SEP2011 - Order to Waive Appearance proposed (and granted)
  • 03OCT2011 - Status hearing held
  • 04OCT2011 - case reassigned to Judge Edward J. Davila
  • 31OCT2011 - Pretrial services form 8 submitted.
  • 28NOV2011 - Status hearing held
  • 09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to AUSA Attorney being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweigh the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.
  • 02APR2012 - extended to 07MAY2012 by mutual consent.
  • and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012
  • Status hearings held 14JAN2013, 11MAR2013
  • 11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.
  •  More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.
  • 02NOV2013 - Sanford's attorney (K.C. Maxwell) files a sealed document asking to be relieved from the case 09DEC2013.
  • Extension granted to 03FEB2014
  • 17MAR2014 set as the date to hear the Motion to Withdraw as Counsel.
  • Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.
  • 25JUN2014 new counsel asks for more time to prepare
  • 18JUL2014 William Burns petitions the court to withdraw as counsel
  • 21JUL2014 Burns Relieved
  • 21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace
  • 01AUG2014 - "The individual named above as defendant, having testified under oath or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)
  • 19AUG2014 - time extended to allow Whelan to prepare
  • 22SEP2014 Status conference held, Jury Trial date set for 05MAY2015 through 22MAY2015.
  • 29SEP2014 Whelan petitions the court that drug testing no longer be required since Sanford has never tested positive. (Granted 15OCT2014)
  • 02MAR2015, status hearing extends case until an 08JUN2015 status hearing
  • 12JUN2015 - new financial affidavit entered under seal
  • 30JUN2015 - a change of plea hearing is requested for 27JUL2015
  • 24AUG2015 - Sanford Wallace pleads guilty to a single count - Count 3.  Sentencing scheduled for 07DEC2015 at 1:30 PM

Guilty of Count Three

So, if we go back to the indictment, what exactly has Sanford pleaded guilty to?

COUNT THREE: (18 U.S.C. §§1037(a)(1) and (b)(2)(A)) - Fraud and Related Activity in Connection with Electronic Mail.

22. The factual allegations contained in Paragraphs One through Eleven above are realleged and incorporated herein as if set forth in full.

23.  On or about December 28, 2008, in the Northern District of California and elsewhere, the defendant, SANFORD WALLACE, knowingly accessed a protected computer without authorization, and intentionally initiated the transmission of multiple commercial electronic mail messages from or through such computer, in and affecting interstate and foreign commerce, to wit: the defendant accessed Facebook's computer network in order to initiate the transmission of program that resulted in nearly 300,000 spam messages being sent to Facebook users.

What were 1 through 11?  The only really important paragraph is number 5:

5. From approximately November 2008 through March 2009, WALLACE developed and executed a scheme to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook's servers.

Monday, August 24, 2015

Darkode guilty pleas: Phastman, Loki, & Strife

So far there have been three guilty pleas related to the Darkode hacking forum.  Although the case, which used the name "Operation Shrouded Horizon", resulted in 70 arrests worldwide, only twelve individuals have been indicted so far by the Department of Justice, and several of those individuals are overseas.  When the site was taken over, it displayed this graphic, showing the many foreign law enforcement agencies that cooperated with the takedown and the arrests.

Johan Gudmunds / Mafi

Image from ArrestTracker

The main administrator of Darkode is Johan Anders Gudmunds.  Gudmunds used three hacker aliases: Mafi, Crim, and Synthet!c.  According to DOJ, he resides in Sweden.   According to the indictment "From around September 2008 until about January 23, 2015" Gudmunds "knowingly and willfully did aid and abet and conspire, combine, confederate and agree together with other persons" ... "to commit offenses against the United States" including:

  • intentionally accessing a computer without authorization and exceeding authorized access to a protected computer, committing the offense for purposes of commercial advantage and private financial gain in furtherance of a criminal and tortious act in violation of the Constitution and the laws of the United States to obtain a thing of value exceeding $5,000 -- 18 USC Sections 1030(a)(2)(C) and (c)(2)(B)(i)-(iii).
  • knowingly and with intent to defraud accessed a protected computer and by means of such conduct intended to commit fraud or obtain something of value -- 18 USC Section 1030(a)(4) and (c)(3)(A)
  • knowingly caused the transmission of a program, information, code, and commands that as a result of such conduct intentionally caused damage affecting 10 or more protected computers during a 1-year period -- 18 USC Sections 1030(a)(5)(A) and (c)(4)(B).
  • knowingly and with intent to defraud trafficked in passwords and similar information through which a computer may be accessed without authorization affecting interstate and foreign commerce -- 18 USC Sections 1030(a)(6)(A) and (c)(2)(A).
Gudmunds wrote a botnet called "Blazebot" that compromised computers that he later sold access to. His price for access was $80 per 1,000 compromised machines, or 8 cents per computer.  Yes, that is how much your PC is worth!  Gudmunds also sold root access on computers at universities in Europe for $50 per server, and to at least 200 other servers for between $10 and $50.  The Zeus malware that he controlled logged more than 200,000,000 credential thefts from 60,000 compromised computers that made up his botnet.  (This would include many repeated credentials, obviously.)  Gudmunds also wrote an Exploit Kit called "CrimePack" that he sold on his forum, as well as an MSN Messenger spreader.  He was still authoring and selling code much more recently, including his package called "Pandemiya 2014"

Some of Gudmunds' online IDs included the jabber account "mafioso@xmpp.jb" and the email account "".  He began using the Synthet!c alias in January 2012.

Daniel Placek / Loki

According to the Gudmunds indictment, the original forum was created by "Iserdo" and "nocen / Loki".  We know from the charges against Daniel Placek of Glendale, Wisconsin, that he was the one who used the aliases Nocen, Loki, Juggernaut, and M1rro0r.

Loki's charges say that "in or about June 2008, Daniel Placek and Matjaz Skorjanc (AKA Iserdo)  created the Internet forum with the domain with the intention of bringing together computer hackers and other criminals to facilitate the production and sharing of malicious software, and later led to forum discussion about the creation and dissemination of botnets and the sending of spam."   Placek was an administrator on the forum, and on January 5, 2010, agreed to sell malware that he designed for harvesting network traffic for email addresses and passwords to a user named Dethan.78 for $500.  Dehtan.78 was an FBI agent.  Oops!

When Placek's computer was raided, all the way back in 2010, it was found to contain 74,190 credit card numbers and 297 bank account numbers.  In his guilty plea on July 31, 2015, Placek agreed to plead to one charge in exchange for prosecutors agreeing to seek a sentence of "six to twelve months".  This agreement carefully considered the fact that Placek has provided full cooperation regarding law enforcement queries and access to Darkode FOR MORE THAN FIVE YEARS!

From all reports, Placek has left his black hat ways behind him and has not participated in crime since his 2010 activities.   He has been working as a network engineer for a company named Swick Technologies, and neither law enforcement nor his employer has had any reason to doubt that he is reformed.  (More from this article:  Placek to plead guilty for role in creating Darkode hacker marketplace  )

Eric Crocker AKA Phastman

Eric L. Crocker, a 39-year old resident of New York (some sources say 29), was the first to plead guilty to charges that came out of the Darkode forum seizure.  His primary plea is that he violated the CAN-SPAM ACT.  The primary activity that Phastman is charged with is the creation of a hacking tool called the Facebook Spreader.  Although he is only directly charged for breaking into "at least 77,000 computers" and his indictment indicates he sold access to computers his botnets controlled for $200 to $300 per 10,000 (2 to 3 cents per machine), some news sources are reporting that his hacking earned Crocker "upwards of $21 Million."

Phillip Fleitz, AKA Strife

Phillip Fleitz photo from ArrestTracker
 Phillip Fleitz was the most recent person to plead guilty on the Darkode case.  Fleitz is named along with two others in an indictment from the Western District of Pennsylvania.  The three were:

  • Naveed Ahmed (AKA "Nav" AKA "Semaph0re")
  • Phillip R. Fleitz (AKA "Strife")
  • Dewayne Watts (AKA "m3t4lh34d" AKA "metal")
The conspiracy that these three are charged with involves leasing at least two "bullet-proof hosting" servers in China that were used to scan Internet-connected routers to identify places that would allow them to use those routers as Proxies to reroute commercial email messages to hide their true source.  The spam that was sent was primarily using "email-to-SMS gateways" so that the emails sent would show up as text messages on cell phones of the recipients.  The spam was primarily "gift card scams" with the indictment giving the particular example of Best Buy Gift Card spam.  A couple examples include:
  • "Congratulations, your 4th place code is H7G0 -"
  • "Congratulations! You've finished Fifth!  Your code is: WM154 -"
  • "Your entry placed 8 out of 10!  Claim the prize with this Code: U0V2 -"

Still to Come

The people who are still named by the Department of Justice, but have not yet plead guilty are:

  • Johan Anders Gudmunds - see above
  • Morgan C Culbertson - the "FireEye Intern" / Carnegie Mellon student
  • Naveed Ahmed -
  • Dewayne Watts - M3t4lh34d / metal
  • Murtaza Saifuddin
  • Matjaz Skorjanc - rzor from Pakistan
  • Florencio Carro Ruiz - NetK, Netkairo from Spain
  • Mentor Leniqi - Iceman from Slovenia
  • Rory Stephen Guidry - selling botnets,
Of those, the only individual who has received much US-based press was Morgan, who is the author of a Remote Administration Trojan known as Dendroid.

If any more guilty pleas come through, we'll try to update this page!

By the way, much praise to a site I was not previously familiar with called "Arrest Tracker" from the people that run  His page "Mass Arrest #24"  here has a great summary of what's going on with Darkode, but I know many of my readers will be interested in regularly following the regular updates from his page!

Thursday, July 23, 2015

Pump-n-Dump Spammers Arrested in Israel

A trio of Pump-n-Dump spammers have had their indictments unsealed and two have been arrested in Israel. The charges were brought against:
  • Joshua Samuel Aaron, aka Mike Shields, age 31, US Citizen living in Israel
  • Gery Shalon, aka Phillipe Mousset aka Christopher Engeham, age 31, native of Republic of Georgia, Israeli citizen
  • Zvi Orenstein, aka Aviv Stein aka John Avery, age 41, Israeli citizen
Shalon and Orenstein were arrested July 21, 2015 in Israel. Aaron remains at large.
Some of the symbols they are charged with pumping include:

  • SHOM = Southern Home Medical Equipment -- 1800% increase - sold 15 million shares for $300,000 profit
  • GRAS = Greenfield Farms Grassfed Beef, Inc. -- 286% increase - sold 286,000 shares for $123,000 profit
  • NGMC = Next Generation Energy Corporation -- 93% increase - sold 93,000 shares for $36,000 profit
  • MSTG = Mustang Alliances, Inc -- 65% increase - sold 4.4 million shares for $2.2 Million profit
  • IDOI = IDO Security, Inc -- sold 900,000 shares for $580,000 profit
  • BRND = Premier Brands, Inc -- sold 275,000 shares for at least $216,000 profit
From the indictment:

In 2011 and 2012, the Defendants controlled at least twenty stock promotion websites as well as various email address lists. In a typical promotional campaign, the Defendants sent multiple emails touting the same issuer, purporting to come from different, seemingly unrelated sources. Many of these emails urged recipients to buy shares of the issuers as soon as possible.
Aaron wrote, created, and helped design the email and website promotions.
Shalon contributed to the email content, sent out the promotional emails, and approved the use of funds by Orenstein to purchase domain names.
Orenstein handled back-office duties, such as setting up websites, maintaining brokerage accounts using aliases, directing payments to third parties; and often communicating with the financial firms about these accounts on behalf of the Defendants.

Here are a couple example stock charts showing the increased activity that the "Pump" of the stock via email spam generated.

This is one of several high profile Stock Pump-n-Dump scams indicted recently by the FBI.  Here are some of their recent arrests and indictments:

The 19-page indictment is available here.

Another recent case, the first guilty plea among nine pump-n-dumpers indicted in 2013, was also announced last week:

"Canadian Citizen Pleads Guilty to Leading an International Fraud Scheme" - July 17, 2015 - the accused, Sandy Winick, age 57 from Ontario, Canada, pleaded guilty after being extradited from Thailand to face charges.  Sandy was aka Jerry Sarrano, John Peter Smith, Abdiel Vergara, Robin Cheer, Glen Forman, Kyle Bendford, and Stephen Thompson.  27 charges were made, including Conspiracy to Commit Securities Fraud, Conspiracy to Commit Wire Fraud, Conspiracy to Commit Mail Fraud, Wire Fraud, Securities Fraud, and False Impersonation of an Officer and Employee of the United States (for pretending to be Trevor Duncan and Daniel Summers).

Thursday, June 11, 2015

A Nigerian in Spain arrested for phishing and online shopping with stolen credentials

From Spanish news source "ElComercio" we bring you this phishing story - about a Nigerian citizen arrested in Spain.  Click the Spanish headline for the original story.  (A Google-translate-assisted version of the story is shared below for the convenience of our English-speaking readers with permission from Olaya!)

Detenido un nigeriano por realizar compras 'on line' con datos robados a cien víctimas

(A Nigerian Arrested locally for online shopping with a hundred victims' stolen data)
Olaya Suarez, Gijon @OlayaSuarez0

 A 44 year-old Nigerian citizen was arrested locally for defrauding hundreds of people by using their bank details to make purchases online and then resell these products on the black market. The National Police estimates that he gained more than 50,000 euros in this way.
The investigation began in September 2014 after receiving the first reports of victims whose banking data had been used illegally for various internet shopping portals. Police work was arduous and complex, but eventually determined that all the fraud in Spain was the work of a single author, but that he used different identities and operated using WIFI connections in private homes, cafes and public spaces, thus trying to hinder his location.

After months of investigations, officers of the Economic Crime group of the Brigade of Judicial Police Station Gijon found that the suspect had fixed his residence in Gijon, "where he received shipments getting their illicit activity," sources said the police station.

A job as a lure

"The person under investigation belonged to a criminal organization operating transnational nature of the internet and dedicated to credit card fraud and debit cards. The network operated by credentials and numbers for bank cards using different methods, from cloning, 'phishing' or 'hacking' of online data," says the police.
After obtaining this data, the fraud is facilitated through servers and private links to other members of the organization in exchange for financial compensation. The Nigerian resident in Gijon, allegedly, took this information and using it, effected purchases of technological devices such as televisions, tablets, laptops or mobile phones.
Each week they conducted three or four purchases of items using many identities and facilitating different directions for collection, "but always expecting the dealers on the street to avoid the reliable verification of your address." "Under the pretext of facilitating the work identified in the street before the workers of delivery companies and so getting the immediate delivery of the item, the cost would be charged to the person who had fraudulently obtained card information," reports the National Police.
All of the material obtained in this way coming back into the virtual market since it was offering immediately in Internet-based ad pages to people unaware of its illicit origin and not belonging to this criminal network. Despite all the precautions taken by the investigation to hide his true location, the officers managed to identify and establish a means for his arrest. His precise location was noted when he was picking up one of his orders and he was taken to the police station.

49 Corporate Email Phishers arrested in Operation Triangle

The European Union's Judicial Cooperation Unit, EUROJUST, along with Europol's European Cybercrime Center (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) have announced one of their most successful cyber actions to date.   The case, known internally as Operation Triangle, involves three lead agencies - Italy's Postal and Telecommunications Police through its office in Perugia, Spain's Investigative Court no. 24 in Barcelona, and Poland.  (EUROJUST Press Release: "Eurojust and Europol in massive joint action against cybercriminals")

(Click for article:J-CAT operations)
58 search warrants were executed in Spain, Poland, Italy, Belgium, Georgia, and the United Kingdom, resulting in 20 arrests in Italy, 18 arrests in Poland, 10 arrests in Spain, and 1 arrest in Belgium.  Most of those arrested were from Nigeria and Cameroon. 

By gaining control of the email accounts of well-placed individuals in corporations across Europe, the criminals were able to alter requests for payment to send the payments to themselves rather than the business bank accounts that were the intended destinations.  In a short period of time, more than 6 million euros were transferred to accounts controlled by the criminals.

In the United Kingdom, where the J-CAT task force is headquartered, recent government reports indicated that 81% of large businesses (>250 employees) and 60% of small businesses (less than 50 employees) experienced an information security breach in 2013.
(Report available here)

Next week, many European governments will be represented in the Octopus Conference 2015: Cooperation Against Cybercrime. Through the work of Octopus and others, European agencies are gradually coming into agreement on how to address multi-jurisdictional cybercrime.  At last year's Octopus conference, delegates were encouraged to work together through 18 Cybercrime Scenarios.  Fascinating puzzles that we NEED agreement on if we are truly going to stand a chance against the multi-national criminals who steal from our citizens.

UPDATE!  La Stampa article -- 

(Click for LaStampa article, which includes a short video of Italy's Polizia di Stato Cybercrime group)


For the convenience of my mostly English-speaking readers, I offer an English translation via Google Translate below.  This article is available to the Italian reader by clicking the story headline in Italian:

Phishing contro aziende: 62 arresti in Italia e all’estero, smantellata rete internazionale

Phishing Against Companies:  62 arrested in Italy and Abroad, International network dismantled: 
An operation that goes from Perugia to Turin and expands throughout Europe.  Here's how the scammers did it.

Via "LaStampa" journalist Carola Frediani and Google Translate -- 

It all started with a payment of 33 thousand euro. A routine, a transfer made by a company of the Venetian food, which through its Spanish subsidiary had paid a supplier. Or rather, what he thought to be a provider, not suspecting that behind the request for a change of code Iban which paid the money was concealed an organization dedicated to computer fraud to the detriment of businesses and recycling. He had before hacked supplier and now he was impersonating online through email.
So that money, rather than to the real suppliers of the Veneto, end up on a postal account in Perugia made out to a citizen of Cameroon. Which in turn has contacts with a criminal group based in Turin, specializes in money laundering and run by Nigerians, as revealed recently in an investigation of Europol and the Guardia di Finanza Piedmont.

 Operation Phishing 2.0

This episode started then the footage of another Italian international investigation, codenamed Phishing 2.0, which has once again at the center of the fraud against companies, and this morning has resulted in 62 arrest warrants in various countries, including 29 issued by prosecutors in Perugia.
An investigation then born and coordinated in Perugia, bounced on Turin had already been identified where a hub of illicit proceeds, and extended between Italy, Spain and Poland, with the support of Europol and Eurojust, the judicial cooperation unit of the European Union.

The victims

Fifty (7 of which are Italian) companies all over the world were victims of digital fraud, 800 scam transfers were identified, 800 thousand euro taken away from businesses and recovered during the investigation, around 5 million euro estimate of the economic damage caused by the group in its business that dates back to 2012. The offenses: unauthorized access to computer systems, impersonation, aggravated fraud, and receiving stolen property.

How did it work

The mechanism of the scam started with a series of computer intrusions in the mailboxes of the companies targeted - characterized by having many foreign relations - through an advanced form of phishing, a technique that consists of sending email fake trying to trick the recipient, and then infect and / or [steal their] information. After obtaining the credentials of the emails of employees of a company, cybercriminals were monitoring the exchange of mail identifying commercial relationships, creditors and debtors; then they sent an email to the debtor to turn communicating a change of Iban [online payment destination address?]. Iban that actually corresponded to an account managed by a member of the organization.
To manage the assets of phishing was a network of Nigerians, Cameroonians and Senegalese, some of whom were residents in Italy. Once at the bank, also on many giro Italian, the money were taken quickly and redistributed abroad through various systems, including money transfer. "There was a division of roles," he told La Stampa Anna Lisa Lillini, assistant chief of the police post Umbrian added. "Who identified the victims took 50 percent of the amount; who was offering the bill received 30%; and the mediator that the hacker got in touch and took the 20%. " The amount stolen went from 800 up to 250 thousand euro. "In one case we have intercepted one wire of 300 thousand euro from America to  Turin," explains Lillini.

Between Umbria and Piedmont

Turin made from recycling center, and here the investigation Perugia converges with what we previously reported from Turin, [LaStampa's article "Nigerian Drops: Women and Companies Cheated Online"] . In that system, the money stolen from the companies were sent to other parties, with dozens of credit transfers and of people involved, up to a stage where cash was taken piecemeal. A branched system, which were scattered in many streams ([dubbed] precisely Nigerian Drops by investigators) and that has been traced through some specific analysis tools used by Europol. "In one case, one person has taken 150 thousand euro in eight hours making dozens of drops in different branches," says La Stampa Captain David Giangiorgi of the Financial Police of Turin. "The fraud was perpetrated by persons residing in Nigeria. The money was sent in the form of assets purchased with the proceeds of the scam and then shipped to the African country. "

A growing phenomenon

This kind of scams are increasingly common. "Just this week, carrying out a survey of defense on behalf of an Italian company that had lost many thousands of euro through a similar system, we were able to triangulate who had sent the phishing emails, and these seem to come just from Lagos (Nigeria) ", explains Paolo Dal Checco, the Turin studio of computer forensics, Digital Forensics Bureau (Di. Fo. B) that has long followed precisely such cases.
The interesting aspect is that the story in question fraudsters had been in touch with the company through Skype, as well as email. And through the program of VoIP (and with some tracking systems of the email), computer forensic experts have identified the IP address of the interlocutors. "By now using increasingly sophisticated techniques," says Dal Checco. "In some cases they go even to call pretending to be a creditor of the company contacted."

UPDATE #2 -- The News from Spain

The Spanish National Police have also released information about this case, in their press release of June 10, 2015.   As with the Italian article above, click the Spanish headline below for the original article.  For the convenience of English-speaking readers, we share a Google-translate-assisted version below:

Operación simultánea en España, Italia, Bélgica y Polonia contra una red de fraude cibernético

(Images, courtesy of Spanish National Police press office)
Spanish National Police perform on-site mobile forensics during one of their raids

Two suspects detained by Spanish National Police

Simultaneous operation in Spain, Italy, Belgium and Poland against cyber fraud network

National Police
Spain, Italy, Belgium, Poland, 06/10/2015
Joint operation of the National Police, NCA and the British Police in Italy and Belgium, coordinated by Europol and Eurojust
There are 49 detainees -10 of them in Spain and there have been 28 homes in which 9,000 euros have been seized along with laptops, hard disks, phones, tablets, credit cards and extensive documentation on the activities of the network.
Those arrested by means of intrusion techniques and social engineering, were able to control corporate email accounts and to interfere in international financial transactions between different companies and thus were able to modify the target bank accounts and thus appropriating money illegally
National Police agents have participated in a simultaneous operation conducted in Spain, Italy, Belgium and Poland against a network of cyber fraud. In this joint operation coordinated by Europol and Eurojust also they participated British NCA agents and police in Italy and Belgium. There are 49 detainees -10 of them in Spain and there have been 28 homes in which 9,000 euros have been seized laptops, hard disks, phones, tablets, credit cards and extensive documentation on the activities of the network. Those arrested by intrusion techniques and social engineering, were made to the control of corporate email accounts to interfere in international financial transactions between different companies. Thus they managed to change the target bank accounts and thus appropriate the money illegally.
The international coordination was established effectively through Europol headquarters in The Hague and link to cybercrime agent of the National Police. In this way it has enabled the operation has been developed jointly and simultaneously in all countries where they lived active members of the criminal structure dismantled. It also has received support personnel and Europol mobile office moved to places where it has intervened.
Modus operandi
The cyber attack used by this criminal group is called man-in-the-middle, which is to control email accounts, in the case of medium and large European companies. The members of the network were reviewing the messages sent and received from corporate accounts to detect requests for payment. Then modified the messages for payments were transferred to bank accounts controlled by the criminal group.
These payments were charged by the criminal organization immediately through different means. The investigation, originating mainly from Nigeria, Cameroon and Spain, then transferred the money out of the European Union through a sophisticated network of money laundering transactions.
The investigation culminated with the arrest of 49 people in Spain (10), Italy, Belgium and Poland. In addition there have been 28 homes, 8 in Spain, 2 in the UK and 18 in Italy, where agents have seized 9,000 euros in cash (5000 in Italy and 4000 in Spain), laptops, hard drives, mobile tablets, credit cards and extensive documentation on the activities of the network.
The operation was carried out by officers of the Unit for Technological Research and the Police Headquarters of Catalonia of the National Police, the Italian Polizia di Stato, the Polish National Police and the British National Crime Agency.  

UPDATE #3 -- The News From Poland

The Polish National Police have also issued a press release about the arrests made in Poland.  Click the Polish language headline below for the original article.  A Google-translate assisted version follows for the benefit of our English-speaking readers.  (stills from video )

Police in Poland prepare for a raid.

The Phishing suspect is apprehended

Laptops, passports, cell phones, and cash seized in the raid

Międzynarodowa operacja Europolu i Eurojustu - w sumie zatrzymano 49 cyberprzestępców

(International Operation of Europol and Eurojust - a Total of 49 Criminals Arrested)

Officers of the Coordination Team of the Central Bureau of Investigation of the Police and the Border Guard, as well as police officers of the Municipal Police Headquarters in Krakow and the Department for Combating Cybercrime of the Regional Police Headquarters in Krakow, acting under the supervision of the Appellate Prosecutor's Office in Krakow, together with police and law enforcement authorities from Italy and Spain, in collaboration with investigators from Belgium, Georgia and the UK and with the support of Europol and Eurojust, uncovered an international organized criminal group engaged in laundering money originating, inter alia, from phishing attacks carried out against citizens of European countries. A total of 18 people have been detained in this matter on Polish territory.
On June 9th and 10th, Europol and Eurojust conducted an international action against cyber criminals. A total of 49 suspects have been detained. The activities were also conducted in Poland.
Yesterday, in the province of Malopolska, police carried out one of the most important actions in this case, leading to the arrest of five people, including the man who organized the criminal dealings on Polish territory. The Central Investigation Bureau of the Police seized more than 160 thousand from phishing.
In total, 18 people were detained in Poland in this case. According to investigators' estimates, members of the criminal group could have "laundered" a total of over 7.7 million (this amount coming only from the crimes committed in our country).
The detainees face charges of fraud, money laundering and participation in an organized criminal group.
As security against the penalties and fines the suspects face, property valued at 1.8 million was secured.
The results of "Operation Triangle" are the outcome of large-scale investigations carried out in Italy, Spain and Poland (by the Central Bureau of Investigation of the Police, with the participation of the cybercrime department of the Police Headquarters in Krakow, under the supervision of the Appellate Prosecutor's Office in Krakow). The aim was to break up organized crime groups engaged in phishing on the Internet. These types of crimes are carried out by specialized criminals who use the Internet to commit fraud. In addition, the criminals exploit cyberspace to "launder" money, the proceeds of crime. In this way, substantial amounts of money were embezzled from victims throughout Europe.
In parallel, the investigation showed the existence of international fraud on a massive scale, extorting millions in a short time. The suspects, mainly from Nigeria and Cameroon, transferred illegal profits outside the European Union through a complex network of money laundering transactions.
In preparation for the operations carried out yesterday and today, Eurojust coordinated the gathering of information from various law enforcement agencies and organized several coordination meetings with representatives of national authorities from Italy, Spain, Poland, Belgium and Great Britain. Through all these joint efforts, a coordination center was established, which carried out the operation with the support of the Eurojust Case Analysis Team, Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (JCAT), a new European institution created to assist investigations to combat cybercrime.
The joint action brought excellent results, and it showed that the joining of forces by selected EU agencies and national authorities can successfully contribute to the fight against one of the most difficult to detect forms of contemporary crime.
Teresa-Angela Camelio, National Assistant Representative of Italy to Eurojust, commented: "Eurojust played a key role in promoting the agendas of EU efforts in combating this type of crime, which requires knowledge, cooperation and coordination between all involved national and international actors. The results of the two-day operation are a clear signal to criminals that they will be prosecuted in every jurisdiction."
Phishing on the Internet: This type of cybercrime, carried out by organized criminal groups, depends on gaining access to passwords and names (nicknames) of users for illegal activities. Criminals take the place of the respective owners by "phishing" their data and thereby gain access to their accounts, which means access to the money of the victims and their customers. Credentials obtained in this way by organized criminal groups hurt many Internet clients, while generating billions of euros of profits for organized crime groups.