Tuesday, December 30, 2008

2008: A Significant Year In The Fight Against Illegal Spammers

Note: Edits and corrections have been made to this posting. Thank you to those with sharp editorial eyes who responded with small fixes and updates. Also note that, sadly, all links to CastleCops as of this writing are non-functioning. I am keeping them in place in the hope that the site is re-started sometime in the next year.

The year 2008 saw the longest string of arrests, prosecutions, sentencings and imprisonments of illegal spammers in the history of illegal spamming. 2007 was already a very bad year for spammers. 2008 continued the trend, all of which underscores the fact that people really are fed up with hearing from spammers, and that spammers will go to jail if they continue to spam illegally or engage in identity theft or fraud.

Here is the basic run-down of 2008. Enjoy!

January:


  • We begin the year still revelling in the arrest of Robert Soloway, and the investigation into the computers and properties of Shane Atkinson, known spammer and sponsor representative for SanCash and VPXL. Intensive investigations are ongoing into both of these cases as the year begins.

  • Alan Ralsky, and several of his colleagues (notably one James E. Fite, aka "buba" on bulkerforum.biz), are indicted. The indictment carries 41 counts including Fraud, Wire Fraud and Money Laundering. He faces a sentence of 26 years in jail for the tax evasion charge alone.

  • SpamInMyInbox continues his investigation into what is now known to be SanCash.



February:


  • Several colleagues commence an intensive communications campaign between ICANN and XIN NET (also known as "paycentre") in the hopes of waking them up to the massive amount of illegal abuse they are supporting by allowing domains to be registered using 100% fictitious contact information, in violation of ICANN accreditation policies. It sounds dry, but this is a huge Achilles heel for spammers, and more importantly for the sponsors who pay them. Without a large supply of illicitly-registered domains, spammers have nothing to promote, and sponsors lose money. This campaign would turn out to take many weeks and months. Red Dwarf, AlphaCentauri and (most notably) trobbins file literally hundreds of thousands of complaints using Red's "Complainterator."



March:


  • Renowned unrepentant criminal spammer Robert Soloway pleaded guilty to charges of felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005.



April:

  • SpamInMyInbox's investigation into SanCash, GenBucks, Tulip Lab and "VPXL / Express Herbal" continues. Tulip Lab launches a lawsuit against him, claiming (we think) libel, without serving him any notice. He later removes several references to Tulip Lab. Meanwhile New Zealand law enforcement firm up their plans to charge Shane and Lance Atkinson with illegal spamming, pending their continuing investigation into several computers they seized in December 2007 following the BBC4 investigation into the same operation.



May:

  • SpamInMyInbox is placed under a temporary injunction thanks to the Tulip Lab complaint. He removes all mention of Tulip Lab from his blog.

  • The criminal charges keep on coming! On May 19th, 2008, US Attorney General Michael B. Mukasey holds a press conference in Bucharest, Romania announcing the indictment of 38 individuals, from numerous countries, all of whom were involved in phishing scams based out of California and Connecticut. This is fairly big news since it involved the cooperation of Romanian law enforcement officials, and communication between several international law enforcement agencies including the FBI.

    Other links to this story: New Haven FBI Press Release, Overview of the Law Enforcement Strategy to Combat International Organized Crime [pdf], US DOJ Indictment, and coverage by GarWarner's blog.

  • SiL's Blog (the very one you are reading now, ikillspammerz.blogspot.com) gets listed in The Industry Standard's Top 25 B-to-Z List Blogs.

  • SiL creates a new entry in the Spam Wiki which outlines in relatively good detail the perceived infrastructure and hierarchy of a typical pharmacy or replica email spam operation. He also firms up quite a bit of evidence regarding each of the known sponsors of illegal spam, including Spamit, Bulker.biz and SanCash (also known as AffKing.)

  • TodayNIC, long a haven for the registration of thousands of spamvertised domains per year, suddenly takes decisive action and shuts down a very large list of domains which have been registered using completely fake contact information, and which are used in spam campaigns for properties such as Canadian Pharmacy, ED Pill Store, Downloadable Software, Prestige Replica, Exquisite Replica, etc. etc. etc. They even go so far as to automate the verification and shutdown process against any domains under their registration that appear on the URIBL list. This is a huge blow to spammers and their sponsors, as it slams the door shut on a previous aider and abettor of illegal spammers. [Original link to the archive of takedowns was here.]
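    The TodayNIC automation described above (check every domain in your portfolio against URIBL, suspend the listed ones) is simple enough to sketch. The following is an added example written for this post, not TodayNIC's actual tooling, which was never published. It assumes the standard DNSBL query shape for URIBL's "multi" zone (look up `<domain>.multi.uribl.com`, read the last octet of the 127.0.0.x answer as a bit mask) and the bit meanings black=2, grey=4, red=8 and 1=query refused, as I understand URIBL's published conventions; verify them against uribl.com before relying on them. The resolver is injected so the script runs offline against constructed answers; the domain names and answers below are made up for illustration.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Assumed URIBL "multi" zone conventions (verify against uribl.com before use):
# the answer is 127.0.0.<bits>, where <bits> is a mask over the lists below.
URIBL_ZONE = "multi.uribl.com"
BIT_QUERY_REFUSED = 1            # rate-limited/refused: an "unknown", never a listing
URIBL_LISTS = {2: "black", 4: "grey", 8: "red"}

# A resolver maps a query name to the A records it returns ([] for NXDOMAIN).
Resolver = Callable[[str], List[str]]


def uribl_qname(domain: str, zone: str = URIBL_ZONE) -> str:
    """Build the lookup name: lowercase, no trailing dot, rejects empty labels."""
    d = domain.strip().rstrip(".").lower()
    if not d or any(label == "" for label in d.split(".")):
        raise ValueError(f"malformed domain: {domain!r}")
    return f"{d}.{zone}"


def decode_answer(addrs: Iterable[str]) -> Tuple[Set[str], bool]:
    """Turn DNSBL A records into (set of list names, query_refused flag)."""
    lists: Set[str] = set()
    refused = False
    for a in addrs:
        octets = ipaddress.IPv4Address(a).packed
        if octets[:3] != b"\x7f\x00\x00":   # only 127.0.0.0/24 answers are listings
            continue
        bits = octets[3]
        if bits & BIT_QUERY_REFUSED:
            refused = True
        for bit, name in URIBL_LISTS.items():
            if bits & bit:
                lists.add(name)
    return lists, refused


def check_domain(domain: str, resolve: Resolver) -> Dict[str, object]:
    """Classify one domain. A refused query must not be read as 'clean' or 'listed'."""
    lists, refused = decode_answer(resolve(uribl_qname(domain)))
    if refused:
        verdict = "unknown"               # retry later; never auto-suspend on this
    elif lists & {"black", "red"}:
        verdict = "suspend"               # confirmed spamvertised: pull the domain
    elif "grey" in lists:
        verdict = "review"                # grey is mixed-use; needs a human look
    else:
        verdict = "clean"
    return {"domain": domain, "lists": sorted(lists), "verdict": verdict}


def triage(domains: Iterable[str], resolve: Resolver) -> Dict[str, Dict[str, object]]:
    """Run check_domain over a registrar's portfolio and key the results by domain."""
    return {d: check_domain(d, resolve) for d in domains}


# Constructed sample answers standing in for live DNS (not real URIBL data).
SAMPLE_ANSWERS = {
    "fake-canadian-pharm.example.multi.uribl.com": ["127.0.0.2"],   # black
    "fake-replica-watch.example.multi.uribl.com": ["127.0.0.6"],    # black + grey
    "shared-host.example.multi.uribl.com": ["127.0.0.4"],           # grey
    "rate-limited.example.multi.uribl.com": ["127.0.0.1"],          # refused
    # "legit-shop.example" is absent: NXDOMAIN, i.e. not listed
}


def fake_resolver(qname: str) -> List[str]:
    return SAMPLE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    portfolio = ["fake-canadian-pharm.example", "fake-replica-watch.example",
                 "shared-host.example", "rate-limited.example", "legit-shop.example"]
    for result in triage(portfolio, fake_resolver).values():
        print(f"{result['domain']:<30} {result['verdict']:<8} {result['lists']}")
```

    For live use, replace `fake_resolver` with a function that runs a real A lookup (for example dnspython's `dns.resolver.resolve(qname, "A")` and collecting each answer's `.address`, returning `[]` on NXDOMAIN). The important design point is the "unknown" branch: URIBL answers 127.0.0.1 when it refuses a query, and a registrar that treated that as either "clean" or "listed" would silently stop catching spam domains, or start suspending innocent ones, the moment it got rate-limited.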



June:


  • More criminal charges! Robert Matthew Bentley of Panama City is sentenced to three and a half years (41 months) in jail and fined $65,000USD for hijacking hundreds of PCs for use in a botnet which was used in attacks and popup ad fraud. This is the result of nearly two full years of investigation as part of "Operation Bot Roast II".

  • Paul Laudanski leaves castlecops to become a full time Internet Safety Investigator for Microsoft's Live Consumer Services.

  • Greg King, renowned for DDOS'ing Castlecops in February 2007, pleads guilty to two felony counts of transmitting code to cause damage to protected computers. He faces a maximum of 20 years in prison and a fine of $500,000USD.

  • XIN NET finally (FINALLY!) takes action on not just a few, not just a few dozen, not just a few hundred, but several tens of thousands of illicitly-registered domains. This has a devastating effect on several spam sponsors, notably Spamit and SanCash. None of the spammers or sponsors dares complain publicly, but the effect is obvious and we notice several mailers suddenly switch 100% from mailing PowerEnlarge, Prestige Replicas, MaxGain+, VPXL and Canadian Pharmacy, to instead spamming long-in-the-tooth pump and dump stock symbols. (CYHD, then AGSM.)

  • Almost overnight, sponsors and domain registration mules switch from XIN NET and Todaynic to otherwise unknown domain registrar "Xiamen Chinasource Internet Service Co., Ltd." Red Dwarf and trobbins lead the charge in informing them of this shift in the spammers' (or their sponsors') activity, and they immediately also begin shutting down and nullrouting several hundred new domains per day, all of which feature verifiably fake contact information and are used, of course, in illegal spam campaigns supporting bogus or dangerous products.

  • Research by Ironport correctly identifies the operators of the Storm Worm as the same group responsible for the rampant spamming on behalf of "Canadian Pharmacy". Most domains used for Canadian Pharmacy are also hosted on fast-flux botnet hosting, further digging the hole for that operation. The Register reports on it, further expanding the audience for this important research.

  • Martin Heller receives a memo from Garth Bruen of KnujOn detailing why XIN NET should be issued a breach notice from ICANN. His timing is a little late, but it further raises the lingering issues with XIN NET in the public eye. Heller also draws a direct relationship between XIN NET and several well-known SanCash spamvertised properties including Wondercum and Diamond Replica.

  • Between June and July, a very large spate of Storm worm spam attempts to convince unwitting Internet users to click on links leading to hijacked websites, with the hope of greatly increasing the number of usable bots in the Storm botnet. Spam messages initially take the form of winsome (if illiterate) love letters with subject lines like "Always with you" or "Always in my heart". Shortly thereafter, they exploit breaking news of the earthquake that hit China's Sichuan province in May, claiming "Millions dead in China Quake". Then still later, they take on a variety of totally fake "news headlines" such as "The beginning of World War III", "Angelina Jolie dies during childbirth" and "USA declares war on Iran." For whatever reason, recipients appear to click on the links anyway and the Storm worm gains in numbers. [source]

  • SanCash debuts their "Exquisite Footwear" brand of fake designer goods. SiL creates the Exquisite FootWearErator to counteract these spam messages. Later on, in July, spam for this brand diminishes significantly. :) (Coincidence?)



July:


  • The CastleCops Bulk Spam Reporting Wiki Entry is created and swiftly becomes a valuable evidentiary tool for domain registrars, hosting providers and law enforcement. Within a very short time, several domain registrars begin to take notice and investigate the fraudulent registration of thousands of domains used in the spamming of all manner of bogus or illegal sites. The wiki entries are regularly updated by numerous CastleCops staff members.

  • Sentencing begins for Robert Alan Soloway, who is (at the time) expected to get from 14 to 20 years behind bars after pleading guilty to mail fraud, e-mail fraud, and tax evasion.

    "The government asks for nine years in prison, three years probation, complete forfeiture of everything Soloway ever made from spamming, 624 hours of community service, and that Soloway be barred from the internet until his sentence is complete."

  • Romanian authorities, again in cooperation with the FBI and other international law enforcement agencies, arrest an additional 22 Romanian citizens in connection with eBay fraud.

  • On or around July 14th, literally all Chinese domain registrars cooperate fully with takedown notices from Knujon, Spamcop, and numerous independent recipients of illegal spam, impacting virtually every spamvertised brand from all known spam Sponsors. Following this, the influx of Storm worm spam grows exponentially, becoming the primary topic of most inbound spam for most recipients.

  • More spammer convictions continue to pour in. After pleading guilty to breaking anti-spam laws a year previously, Adam Vitale is sentenced on July 19th in a New York federal court to two and a half years in prison and ordered to pay $180,000 to AOL in restitution.

  • On July 22nd, the Denver Post reports that former stock spammer Eddie Davidson "walked away from a minimum security prison camp in Florence". Discussion on several anti-spam forums indicates that this is among the stupidest moves Mr. Davidson could have made, since (if captured) he would face more severe jail time in at least a medium-security prison. (But then: see spammer rule #3.) In a very tragic turn of events, two days later he, his wife and his daughter are found dead of an apparent murder-suicide. Davidson, it turns out, was also an informant in cases relating to Alan Ralsky, among many others.

  • Yet another conviction, and this one is a big fish: On July 22nd, Robert Alan Soloway was sentenced to 47 months (3 years, 11 months) in prison, following his aforementioned guilty plea on charges of felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005. In a Seattle Times story he apologized to the court:

    "I built my entire life around a facade," Soloway told the court. "I'm very embarrassed and I'm ashamed."


    And in a PCWorld story, assistant U.S. attorney Kathryn Warma was quoted as saying:

    "None of those cases, not one, comes close to this case in terms of the duration of the maliciousness, the harassment techniques, the high level of spamming activity that we have in this case..."


    Following his prison term, Soloway is expected to serve three years of probation and has been ordered to do 200 hours of community service.

    Although the sentence is considered mild in comparison to what he was eligible for, it still sends a significant message to illegal spammers everywhere: you can get caught, and you will do time. See also the US DOJ Press Release.



August:



  • It's interesting to note that by August of 2008, virtually no stock spam is seen by anyone. Obviously the legal ramifications have finally hit home to the remaining spammers stupid enough to bother doing it anymore.


  • More arrests! On August 2nd, the FBI arrested two individuals in relation to the illegal sale of identities from the subprime databases of Countrywide Financial.

    Rene Rebollo, a 36 year old former Countrywide employee from Pasadena, has been charged by the FBI and taken into custody with a co-conspirator, Wahid Siddiqi, a 25 year old from Thousand Oaks. It's alleged that Rebollo would come into the office every Sunday and download data from Countrywide's subprime mortgage system, Full Spectrum Lending.


    There's also a great recap of the whole bust, plus further digging over at the GarWarner blog.


  • Even more arrests! On August 5th, Albert Gonzalez of Miami, known by his nickname "Segvec", was charged along with a total of 10 others in relation to the TJ Maxx identity theft case from 2007 in which millions of credit and debit card numbers were stolen. See also the Wired news coverage.


  • During the widely-reported Russian invasion of Georgia, several byline stories start to crop up regarding the cyberwarfare tactics also employed by Russia against Georgia. Very large-scale DDOS attacks against government websites and the website of Georgian President Mikheil Saakashvili are reported even in mainstream news outlets. This would mark the second time that Russia has been directly linked to a DDOS attack against a country's websites and infrastructure, and the second time that the shadowy "Russian Business Network" (RBN) has been fingered as the possible group behind the attacks, under direct orders either from Russian government officials or Russian military personnel.

    Further reading: here, here, here and here.

    Later research, however, (especially that of Gary Warner) makes it clear that this was largely a "populist" attack, since several Russian forums and message boards encouraged ordinary citizens to run a batch script on their Windows PCs, resulting in a sustained DDOS attack, run manually, by ordinary citizens (in addition to a botnet, which was borne out by subsequent research.)

  • More arrests! On August 13th, the US Dept. of Justice announced the indictment by a federal grand jury of seven residents of Pulaski County, MO. involved in an illegal online pharmacy. Anthony D. Holman is the alleged ringleader of the group, and also designed the templates for the sites his affiliates would use to promote the online pharmacy. The seven individuals allegedly made $3.4 million (USD) of profit via their "PersonalizedRx, LLC" online pharmacy, which sold many controlled pharmaceuticals. Holman and his partner Arcelia Holman were also charged with five counts of money laundering.

    "Narcotics sold over the Internet have led to deaths, overdoses, and addiction nationwide. We are determined to shut down these dangerous and illegal Web sites and prosecute those who profit from them."

    The federal indictment alleges that, beginning sometime in 2005 and continuing to Oct. 16, 2007, all seven co-defendants participated in a conspiracy to distribute such prescription drugs as hydrocodone, alprazolam and zolpidem by using fraudulent prescriptions obtained through the Web sites they operated.

  • August 14th, 2008 sees the sentencing of renowned AOL spammer Michael Dolan to seven years in prison on charges of fraud and aggravated identity theft, related to the repeated harvesting of AOL account holders, to whom he would then send malware to steal account details and other personal information. He also participated in numerous phishing exploits against AOL members. Following his seven year sentence he will face three years of supervised release. Dolan appears to have followed in the footsteps of the likes of Chris "Rizler" Smith, engaging in witness tampering and other extremely illegal practices.

  • August 22nd, 2008: Still more arrests!

    Leni de Abreu Neto, from Taubate, Brazil, faces up to five years in prison and a fine of more than $250,000 for allegedly running and leasing access to a botnet of 100,000 compromised computers around the world for the purposes of sending spam.


    This has to be some kind of record. :)




September:


  • In a scathing post on his Security Fix blog on Sept 3rd, Brian Krebs exposes Atrivo and Intercage, a pair of US-based hosting providers, as what he refers to as "a major source of spyware, adware, viruses and fake anti-virus products."

    He then exposes ESTDomains as being one of the major providers of domain registration for all manner of illegally-spammed porn, casino and (of course) illegally-operated pharmacy websites.

    This leads to some very swift and widespread action on a variety of fronts, all of which Mr. Krebs reports on.

  • In related news, and on the same day, The Register posts a story about domain registrar Directi (referring to a June 17th, 2008 story on the Security Fix blog) alleging their ties to controversial malware domain registrar ESTDomains. The story alleges that Directi, using several alias company names, was responsible for tens of thousands of illicitly-registered domains, used for all sorts of criminal and spamming activity.

  • In a stunning show of action related to the above media activity, Directi severs all ties with ESTDomains, and immediately goes on a media offensive, taking abuse reports from anyone who cares to send them, and acting upon them immediately. Further feedback from a number of sources to Directi leads to the shuttering of several thousand domains, many of which had been listed by the likes of Spamhaus and Knujon (who raised this issue in the first place) since June of 2008. This is a very good response and it makes Directi a bad place to register domains if you're a spammer. I and several of my colleagues also provided a great deal of historical data and research to guide them in preventing further new registrations for domains specific to any known illegal spam sponsor. We eventually see many thousands of domains get cancelled or suspended.

  • Still more bad news for cybercriminals and spammers: further investigation and media exposure leads ultimately to hosting provider Atrivo [aka: Intercage] losing all of their upstream network providers, shuttering tens of thousands of illegally-operated sites related to cybercrime, identity theft, fraud, porn and illegal online pharmacies. [also see coverage here and here.]

  • In late September, a Kentucky judge (Franklin County Circuit Judge Thomas Wingate) orders the seizure of 141 domain names tied to online gambling. This is perhaps only marginally related to spamming, but it's another blow against cybercriminals as well. Domains included FullTiltPoker.com, Doylesroom.com, Bodoglife.com, and Microgaming.com. Bodog is a notoriously shady operation with ties to offshore gambling and the music industry. A few weeks later, on Oct. 21st, that same judge upheld the domain seizures.

  • On September 22nd, Robert Alan Soloway was scheduled to begin his 47 month (3.9 year) prison sentence.

  • Among the domains which get shut down during the Directi actions earlier in the month is the affiliate portal bulker.biz, which later returns as bulkerbiz.com. As anyone who reads this blog is aware, bulker.biz is the program responsible for My Canadian Pharmacy, Canadian Health&Care Mall, Men+Drugs and International Legal Rx, all illegally-operating pharmacies selling completely bogus products which harm the general public. They regroup quickly and continue to spam, setting up new domains at a variety of other less diligent domain registrars.

  • In a similar vein, several diligent reporters of spamvertised websites finally make solid and fruitful contact at TodayNIC, another domain registrar commonly used by spammers. This results in still further shutdown of tens of thousands of domains used in spam runs on behalf of Canadian Pharmacy and numerous others.



October:


  • On or around Oct. 4th, bulkerforum.biz goes offline without any notice. Several spam investigators assume that a new, invitation-only forum must have been set up in its wake. No mention of this forum's demise is made on any of the other known spammer-friendly forums.

  • On Oct. 7th, two European men are indicted in the US for allegedly orchestrating DDOS attacks against two websites. (Axel Gembe of Germany, and Lee Graham Walker of England.) Axel Gembe is alleged to be the creator of the Agobot malware. They were hired by Jay R. Echouafni to carry out these attacks for two weeks in 2003. See also the US Dept. of Justice press release.

  • The same day, a federal court judge orders Henry Perez and his wife Suzanne Bartok "to pay more than US$236 million for sending millions of spam messages to a small Iowa ISP (Internet service provider)." [source] This case dates back to 2001. These were some particularly obtuse spammers, who thought they were spamming Compuserve servers when in fact they spammed a much smaller domain.

  • Oct. 13th: the shadowy forum known as "Darkmarket.ws" turns out to have been an FBI sting operation.

    Reports from the German national police obtained by the Südwestrundfunk, Southwest Germany public radio, blow the lid off the long running sting by revealing its role in nabbing a German credit card forger active on DarkMarket. The FBI agent is identified in the documents as J. Keith Mularski, a senior cybercrime agent based at the National Cyber Forensics Training Alliance in Pittsburgh, who ran the site under the hacker handle Master Splynter.


    [Note: Master Splynter was known as "Master Splyntr" on the presumably defunct bulkerforum.biz, which has by this time been down for several months.] He was previously assumed to be "Pavel Kaminski" on Spamhaus, information which was removed once this report came to light. There's further reading here, including mention of 56 arrests resulting from the shutdown.

  • Oct. 14, 2008: Fantastic news regarding the nearly year-long investigation into Shane Atkinson, SanCash, AffKing, GenBucks and Tulip Lab.

    New Zealand law enforcement ask the NZ High Court to "impose financial penalties of $200,000 on each of three New Zealanders involved in a major international spamming operation."

    Its Statement of Claim alleges that company directors, Shane Atkinson of Christchurch, his brother Lance Atkinson of Pelican Waters in Queensland and Roland Smits, a courier of Christchurch, were involved in sending over 2 million emails to New Zealand addresses alone between September 5 and December 31 2007. The trio allegedly earned sales commissions of more than $US2 million from their global operation.

    The emails marketed Herbal King, Elite Herbal and Express Herbal-branded pharmaceutical products, manufactured and shipped by Tulip Lab of India, through a business known as the Genbucks Affiliate Programme. This business was operated by Genbucks Ltd, a company incorporated in the Republic of Mauritius.

    The Department says that Shane Atkinson was co-manager of the Genbucks Affiliate Programme; Lance Atkinson, trading under the name of Sancash, recruited and paid spammers to market Genbucks products, adult sex toys and replica watches...


    This is very bad news for Tulip Lab, who widely claimed that they had nothing to do with illegal spamming, and who threatened a well-known blogger with a defamation lawsuit for making precisely these claims, based on his own diligent investigative work. It turns out that he was exactly right. [Further coverage here, here and here.]

    It gets worse for SanCash affiliates however, because moments after that press release hit the wires, the FTC also made a press release of their own:

    A U.S. district court has ordered a halt to the operations of a vast international spam network that peddled prescription drugs and bogus male-enhancement products. The network has been identified as the largest "spam gang" in the world by the anti-spam organization Spamhaus. The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants' assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC.


    There are some really damning statements in this press release. More excerpts:

    One product called "VPXL" was touted as an herbal male-enhancement pill. Advertised as "100% herbal and safe," it supposedly caused a permanent increase in the size of a user's penis. The agency alleged that not only did the pills not work, but they were neither "100% herbal" nor "safe," because they contained sildenafil – the active ingredient in Viagra. At the FTC's request, the pills were tested by the FDA. According to medical experts, men taking nitrate-containing drugs – which are commonly prescribed to treat diabetes, high blood pressure, high cholesterol, or heart disease – can experience an unsafe drop in their blood pressure when they also take sildenafil.


    This is of course great news for anyone with an email address, since something approaching 40% of inbound spam was promoting these "products".

    Court documents outline numerous chat transcripts between Lance Atkinson and his cohorts which made it extremely clear that he was well aware that what he was doing was illegal, and violated FTC statutes, among other things.

    Did I mention that it's a bad time to be an illegal spammer?


  • More legal activity in Alan Ralsky's case. On Oct. 15th, Judy Devenow, an accomplice in Alan Ralsky's stock spamming operation, pleads guilty and agrees to assist law enforcement investigators. At the time she faces from 33 to 41 years in prison related to charges of assisting in Ralsky's stock manipulation, money laundering and wire fraud operation. Her sentence could be reduced based on how much she assists prosecutors.


  • On October 23rd, a Dutch newspaper releases a story claiming that three hackers from Russia and Ukraine were arrested. [Image of English translation available here.]

    Google translated:

    International cooperation between the High Tech Crime Team of the National Forensic police and security forces has led to the arrest of three hackers in Russia and Ukraine, who were presumably involved in digital attacks on bank accounts in Western Europe.

    The operation, announced yesterday in Ukraine and Russia, stems from an investigation by the High Tech Crime Team into a virus attack on accounts of ABN AMRO Bank in 2007. Customers of the bank in March 2007 received a SPAM mail with a virus. Account holders were then no longer on the real website of the bank, but were redirected to a very similar spoof abroad.


    Assuming the investigation is ongoing, this is explosive news, and marks one of the extremely few times that Russian cybercriminal entities have ever been prosecuted.

  • On Oct. 28th, several media outlets pick up the story that ICANN has notified EST Domains that its accreditation is being terminated. (And Gar Warner's blog features a concise breakdown of what happened.) This loss of accreditation is a result of the company's owner, Vladimir Tsastsin, having been convicted of money laundering and credit card fraud in February, 2008. (Shouldn't it have been because of the fact that most of the 281,000 domains registered at EST were used for illegal purposes?) Either way: good riddance.

  • Starting on Oct. 27th, numerous email users begin receiving spam pointing to phishing sites which pose as the login page of enom.com, a well-known domain registrar. This is an obvious attempt to steal people's domains and use them for, we assume, "very bad things." This starts (or in some cases, continues) a series of large-scale investigations into who is behind these domains, and indicates that whoever it is is also involved in the registration of several domains used in child porn websites and forums. This individual is not new to those of us in the cybercrime investigative community. He was previously using several email addresses on the "cocainmail.com" domain for his domain registrations, but since that domain got shut down, he now uses a safe-mail.net account. The investigation continues...


November:


  • Nov. 12th, the Washington Post's Brian Krebs reports that McColo has lost their upstream connectivity. This came after he provided boatloads of evidence to several providers. This allegedly knocks out the source of roughly 75% of the world's spam, since McColo was providing hosting for several domains used as the command and control centres (C&C) for several large-scale botnets, notably the Srizbi botnet.

    Multiple security researchers have recently published data naming McColo as a mother ship for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online.

    Joe Stewart, director of malware research for Atlanta based SecureWorks, said that these known criminal botnets: "Mega-D," "Srizbi," "Pushdo," "Rustock" and "Warezov," have their master servers hosted at McColo.

    Collectively, these botnets are responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

  • Nov. 14th, ESTdomains' loss of accreditation takes effect.

  • On Nov. 15th (a Saturday), McColo regains network connectivity for approximately 12 to 24 hours, allowing them to update several infected members of the Rustock botnet with new command and control location information, located in (where else?) Russia. Several media outlets report on this development. Spam levels remain down at least 60 - 70% in the meantime.

  • The respite from mass amounts of spam of course turned out to be short-lived, and on Nov. 26th several hundred thousand bots began coming back online again. Researchers at many security groups, but especially at FireEye, monitored the reconnection and hinted that there was a reason that they didn't take more decisive action (such as commanding all the bots to uninstall themselves, something they were in a position to do.) Almost immediately, spam levels begin to rise again, though it's important to note that they still remain lower, generally speaking, than they were prior to the media attention and subsequent shut downs.

  • On Nov. 17th or so, everybody begins receiving hundreds of new spam messages promoting sites for what were previously SanCash properties. (Notably Prestige Replica and King Replica.) Several new properties also appear, using identical website design to previous VPXL and PowerEnlarge sites. (Now named V.E.P. [Virility Enlarge Pills] and PowerGain+ respectively.) If this is SanCash returning to business as usual, it is a profoundly stupid move, since the FTC and numerous law enforcement agencies are watching every move they make.

  • Later in November, SiL starts an experiment to see how many "lotteries" he will "win" via illegally sent Nigerian scam messages. [Hint: these are not genuine lotteries, especially a "Microsoft / Yahoo Lottery", which SiL "wins" at least four times a week.] His first 2-day total is over $56 million USD. Within less than two weeks, that total is nearly $400 million USD, from a total of 65 "lottery" messages. Within less than a month, the "total" is $700 million. The likelihood of anyone winning so many lotteries, so close together, in such a short space of time, is virtually zero. Apparently the Nigerian scammers out there don't care how stupid they appear to be.

  • Beginning in late November and continuing throughout December, several anti-spam activists begin methodically reporting every Google Docs and MSN Live Spaces domain they receive via spam. Following months of inaction on the part of MSN, several spam blocklists begin adding MSN Live Spaces to the ranks of domains to block. Very slowly, MSN abuse team members finally begin removing these offending links, but not at a rate fast enough to deter the spammers who continue to abuse them. Google Docs will remove entries if enough individuals flag them as abusive. In a mere two weeks, several Google Docs links used in spam runs are rendered useless. (400 at last count, with reporting still continuing.)



December:


  • Ecatel, the latest network provider to take over connectivity for the botnet C&C servers previously hosted at McColo, also has its network shut down, enraging several of its otherwise legitimate customers. This leads to the very public outing of the rogue individual who was brokering the deal, one Ganesh Rao, who is very well known to spam fighting organizations. Rao is among the operators of infinitetech.in, a "bulletproof hosting" provider.

  • In what appears to be a potential reflection of the harmful impact of illegal spammers on consumers at large, numerous news outlets report that deaths due to overdoses of addictive painkillers are on the rise. This should hardly be surprising when all of us, every day of the past several years, have been receiving relentless amounts of spam promoting precisely these products, with no need to ever get a prescription. [See also this story.]


  • On Dec. 10th, the FTC orders a pair of companies related to a series of bogus antivirus products to shut down and freezes their assets. (The companies were known as Innovative Marketing, Inc. and ByteHosting Internet Services, LLC but operated under numerous aliases.) For many months this company and its affiliate program had been duping unsuspecting consumers into believing their computer had become infected with hundreds of viruses, trojans, and other malware, encouraging them to download and install their alleged antivirus product, which went by a variety of names such as "WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus". Of course installing that software led to no genuine protection against any malware, and the company profited massively from this fraudulent activity. One such operation was dissected in October 2008 by the SecureWorks team. [source]

  • In a related story, on Dec. 10th, Microsoft releases Security Intelligence Report 5, in which they detail a rather large list of infections which the Microsoft security updates had removed over the past several months. Gary Warner's blog delves into the data and explains how massive a removal this really is, numbering in the millions of removals of the Zlob infection, among many others. Looks like it's a bad time to be in the fake antivirus business.

  • Dec. 17th, How Wai John Hui pleads guilty to federal fraud and money laundering charges related directly to the Alan Ralsky case. Hui stands to benefit greatly by cooperating with investigators. Even if Hui significantly cooperates with the ongoing investigation into Ralsky and his "business" dealings, he stands to serve from 32 to 39 months (roughly two and a half to three years) in federal prison, and must "forfeit $500,000 in illegal earnings." This, in addition to October's news of accomplice Judy Devenow cooperating with police, is extremely bad news for Ralsky.

  • On Dec. 19th, SiL's "winnings tally" surpasses One Billion Dollars US. It has only been 33 days since he started keeping track of the monetary totals he was allegedly "winning" or "inheriting" via fake Nigerian scam letters.

  • On Dec. 22nd, New Zealand court documents are unsealed stating that Lance Atkinson has "admitted his part in a major international spamming operation and will pay a financial penalty of $100,000 plus costs of $7666." [source] His fine is reduced from the $200,000 maximum due to his cooperation with law enforcement and the fact that when he began SanCash, spamming itself was not illegal in New Zealand. Shane Atkinson and Roland Smits have instead chosen to defend themselves against these charges. No word on a court date at this time, and no word on the still-pending FTC charges. See also this press release, which goes into further detail and specifically mentions Tulip Labs as being directly involved with this illegal operation.

  • In some additional followup, the author of SpamInMyInBox.com writes a year-end roundup regarding his investigation into SanCash, GenBucks, and Tulip Lab, indicating he intends to fight the charges that Tulip Lab has brought against him:

    Regarding the case against me in Delhi High Court, India, then currently all of my research is being evaluated by NASSCOM (because of the technical depth of parts of it) who will report back to Delhi High Court, and the next hearing will be in the end of February 2009, which can be read in the following court document: http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=171295&yr=2008


    He further states that apparently Tulip Lab is currently "interested" in withdrawing their charges against him. (I just bet they are.) This indicates that there will likely be a lot more interesting stuff in 2009 regarding this case.

  • In some very disappointing news, at midnight on the morning of Dec. 24th, 2008, revered Anti-spam and Anti-cybercrime site CastleCops.com, which for several years had been instrumental in collating and organizing criminal evidence related to illegal spamming, cybercrime, malware and phishing, closed up indefinitely. As of this writing it is unknown whether the site will ever reappear. The operators of the site had been struggling to maintain it even under crushing workloads at other jobs. That coupled with further complications ultimately led to its demise. Members of the site had to discover or create other means of connecting to each other, and in its wake several wikis, forums and blogs started up, with more very likely to start up in the new year.

  • From Dec. 4th through Dec. 26th, "trobbins", a long time collector and mass-reporter of illegally registered domain names, successfully shuts down just over 12,000 domains used in spam campaigns for the usual variety of bogus "products" promoted via illegal spammers and their sponsors. Many of these domains were registered via domain providers located in China (35 Technology, BizCN, Xin Net, etc.). trobbins is by no means the only individual reporting these domains to registrars around the world, but he has a striking ability to convince even previously non-responsive domain registrars to take action on large numbers of illicit domains, registered using 100% fake contact information. Most of these registrars were previously considered bullet-proof by spammers and their sponsoring companies.



Phew! That's a lot of activity! Way more than occurred in 2007. Nearly all of it good news for people who hate spam and the people who profit from it. A very great deal of it completely bad news for most operators within distributed spam operations.

Clearly we're entering a more mature phase with regards to legislation of illegal activities and how they relate to online means of execution. To see the sheer breadth of international cooperation between disparate law enforcement agencies is a very encouraging sign, and one that points to even more arrests and other legal action against illegal spammers.

I'll still say it, since it's always worth repeating:

DO NOT PURCHASE ANYTHING FROM A WEBSITE YOU RECEIVED IN A SPAM MESSAGE OF ANY TYPE!

To do so is to basically give away your personal data to criminals, to risk having your identity stolen, and to risk personal harm to yourself, or even death.

Happy Holidays everyone. Stay safe!

SiL / IKS / concerned citizen

Thursday, November 20, 2008

SanCash and AffKing are Back To Spamming Everyone On The Planet

Well look who's back. It's SanCash / AffKing again!

With this incredible scientific breakthrough formula, massive gains can be achieved is just a few short weeks.

As advertised on TV and FHM. Rediscover your male verve and virility, with the same product as seen on TV and FHm. Results indicate 97% of men report rapid growth within weeks.

http://xnmatuj.com/


Link is promoting "PowerGain+", the latest iteration of VPXL / Express Herbal / PowerEnlarge / Elite Herbal / MaxGain+ / Manster / ManXL / etc. etc. etc.

And also look at this:

Impress your business colleagues and stun the ladies at the club today with that incredibly expensive timepiece today!

The ultimate in making a fashion and wealth statement: a branded timepiece on your wrist. Nothing says success more than a $50,000 bling watch strapped around your wrist, to go along with your party clothes or your power business suit.

http://mntocef.com/


Prestige Replicas, back from the grave. Yet another SanCash property. I've also seen spam for King Replica, another of their multiple replica watch sites.

To whoever is sending this spam: Are you utterly without a single brain cell? Do you really think this is a wise idea?

There are numerous standing court orders and injunctions from several countries specifically demanding that this activity stop. You haven't stopped. You're operating in violation of the law. If you really want to go to jail that much quicker, or at least have all of your ill-gotten profits removed more rapidly, then perhaps I understand why you'd suddenly begin sending this crap again.

Especially in light of this past year's events regarding the shutdown of illegal spammers: whoever you are, you're exhibiting an astonishing lack of intelligence (and greed) by continuing to send unwanted, illegal spam promoting these "products."

Every single one of these messages is being backed up and sent to numerous law enforcement agencies (and the FTC), who I assure you will have no difficulty in finding you, shutting you down, and seizing all of your income from this activity.

SanCash spammers are among the stupidest people on this planet, and they have just proven it again.

SiL / IKS / concerned citizen

Monday, November 17, 2008

CONGRATULATION! / Winning Notification!!! / Payment Notification / Re: STATUTORY ANOMALIES ON YOUR FUND TRANSFER

To anyone who's been investigating spam, or even vaguely following the transformation of illegal spam over the years, the concept of the Nigerian scam seems ludicrous and pathetic. It seems impossible that anybody would NOT know about this scam in this day and age. (They've been received by millions starting in around 2002. How people could not be aware of this scam is beyond me.)

I'm not going to describe what this scam is because there are already thousands of places which do so very effectively. Google the term "Nigerian scam" or "419 scam" and read any of the results you get back.

Numerous websites engage in the "baiting" of the criminals behind these scam messages, often keeping them on the hook for months at a time, wasting considerable time and energy. I highly recommend reading any of the baits going on as we speak on TheScamBaiter.com. If you don't know what a Nigerian scam is, read the "recommended reading" in the postscript. (And tell your friends. More people need to be made aware of how this scam works.)

Since the freezing of SanCash a month ago (which appears to have not slowed them down any, more on that in a subsequent post) my spam intake initially slowed to a crawl across numerous accounts I monitor. Then suddenly all I was seeing was one or another variety of lottery, inheritance or other money exchange scams. They've been abusing every free mail system on the Internet, and I and several colleagues have had numerous successes in getting their email addresses shut down quite rapidly.

However it isn't stopping the influx of spam, and it's now to the point where I am seeing several dozen such emails every single day, often with four to six of them received within the same hour.

Ignoring for the moment the utter stupidity of whoever is mailing this (how could you possibly think anyone would be fooled when they're told they've simultaneously "won" 12 "lotteries" within the same day?), or the effectiveness of these scams, this kind of influx of illegal cheque fraud attempts raises numerous questions about how to report this spam, and the answers are not at all straightforward.

Of course, there is no "lottery". I have not "won". There is no "inheritance". It's a scam to get me to send money for any number of "fees" which must be paid first to ensure the money makes its way to my account. It's illegal, and it's most commonly known as check fraud.

Prior to October 2008, reporting abuse of any freemail system was a straightforward affair. Each company has their own contact addresses or abuse processing forms. But you would be surprised at just how ineffective each of these can be when trying to report these abuses, something that takes a bit of extra effort to do in the first place.

I'll itemize the current state of abuse reporting and my experiences with each. I would also like to put out an open call to the abuse teams of Yahoo, Hotmail and Gmail with regards to how to make this abuse reporting process more seamless and effortless for the average user, most of whom have absolutely no idea how to report this abuse to your teams. Further: Hotmail - seriously - wtf? Your abuse team is now among the absolute worst I have ever dealt with. We'll see why in a second.

Gmail



Gmail has arguably the very best method of reporting, and given that they're very much aware of what this scam entails, they are really, really fast at investigating and shutting down offending accounts.

Where to report it: Their abuse reporting form is located here. Make a point of outlining what kind of scam this is. If it's one of those "you have won" messages, that's cheque fraud (aka: Nigerian fraud, "419" fraud.) If it's a "work from home" message, that's money laundering. Make a point of outlining that this is illegal, and abuses their terms of service.

Expected response: Automated single email with a ticket ID. States they are looking into it. Often this is the only response you'll get from Gmail, but guaranteed you'll never see another spam using that Gmail account as the response address.

Yahoo



Yahoo also has an abuse form, but their responses lately lead me to believe that, honestly, that entire abuse team is asleep at the wheel.

After months of successful reports throughout 2008, I suddenly noticed that whoever it is that responds to these abuse reports doesn't really read the reports at all.

Anyone reporting any kind of spam knows that the headers are usually 99% forged. Yahoo apparently focuses solely on the headers, and if they determine that the message wasn't sent using Yahoo mail, they'll conclude that there's nothing wrong with the account, even if the message body says "I want to steal your money and kill your family, so email me at myillegalaccount@yahoo.com". They will, almost to a person, completely ignore the message body and the complaint. This HAS to change. This is not 1999 anymore. This scam should be extremely well-known to every free-mail provider on the planet. I spend more time explaining this scam to abuse handlers than should ever be necessary.

Where to report it: The Yahoo abuse form is located here. As mentioned above, you really have to spell out not only that this is illegal, you have to try to get their attention that the headers are not necessarily how to tell that Yahoo's mail service is being abused.

Expected response: Automated single email with a ticket ID, followed anywhere from 2 to 6 days later with a followup as to what their conclusion was. If that conclusion is "we saw that Yahoo was not used to send this message", you have to reply to that message and clarify that 1) they need to learn how to handle a Nigerian fraud message and 2) they need to look beyond the headers.

Why this is the case now is baffling. Yahoo: clean up your act!

AOL



AOL is quite long-in-the-tooth at handling abuse requests - which isn't surprising, since they originated a lot of the filtering and other abuse processes we now all take for granted. They appear to have a decent, if slightly slow, abuse team. In light of recent successes in shutting down Gmail and Yahoo addresses, AOL is fast becoming the free-mail provider of choice for Nigerian scammers.

Where to report it: Send the entire message, including full headers, to: TOSEmail1@aol.com.

Expected response: Automated single email. I often don't hear anything else after that, but I also don't appear to receive any further messages sporting the offending address.

Sify.com Email



I know what you're thinking: Sify.com??

Sify is the Indian equivalent of Hotmail or Yahoo mail. It's an independent portal located in Mumbai. Over the past year I have seen a shift from Gmail and Yahoo to Sify, which indicates there have been enough successful shutdowns that now they're really looking for any free-mail port in a storm. Sify has an abuse reporting address, but, as far as I can tell, no defined abuse process.

Where to report it: Send the entire message, including full headers, to: customercare@sify.com.

Expected response: [crickets...] I've never received any response from Sify mail. It's really sporadic when I do see an inbound scam message featuring a sify.com address.

Hotmail



Here's where I begin to lose my mind, and I'd have to say at this point that Hotmail effectively has no abuse reporting process for this type of scam, or indeed for any abuse of Hotmail involved with spam.

For years I was reporting these scams to abuse@hotmail.com, but then last year they introduced report_spam@hotmail.com. Reports sent to that address went unanswered, but then in June they began sending an automated message claiming that I should instead report the abuse to abuse@hotmail.com. (Huh?)

I later discovered that MSN also has the same two addresses, so I began reporting every such abused address to all four:

abuse@hotmail.com
report_spam@hotmail.com
abuse@msn.com
report_spam@msn.com

That resulted in four of the same automated messages, but it did finally also result in a followup message stating that the account had been terminated.

Starting in October 2008, however, all messages reporting abuse sent to those four addresses were all bounced. The reason?

They contained content which appeared to be spam.

Honestly: Hotmail abuse team - HOW do we report this abuse to you? If anyone at Hotmail abuse is reading this, I would very much appreciate you responding by posting a comment here (I won't publish it if you want to just reach me directly.) This has GOT to change.

Hotmail and MSN Live Spaces are, as we speak, essentially owned by criminals. The only sites I am ever referred to on MSN Live Spaces feature content which has been automatically generated for use in spam campaigns, by "users" who have clearly also been created via some automated means.

If anyone at Hotmail / MSN abuse is reading this: we as angry recipients of illegal spam would like an explanation. You're clearly falling way, way behind in handling this type of abuse, and it's leading to many people being scammed out of their life savings. What gives?
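The thread running through every provider above is the same: the headers on these messages are forged, so the thing a complaint has to name is the reply address the scammer plants in the body. The following Python script is an added example, not code from this post or from any of the providers: it pulls the addresses out of a message body, discards the forged header sender, and pairs each freemail domain with the reporting channel described above. The AOL, Sify, Hotmail and MSN addresses in the table are the ones given in this post; Gmail and Yahoo are marked as web forms because the post links to forms rather than addresses. The sample message is constructed.

```python
"""Triage helper for advance-fee ("419") scam messages: find the real drop
address in the body and pair it with the provider's reporting channel.
Added example; the provider channels are those described in the post, the
sample message below is constructed, and ABUSE_CHANNELS is an assumption that
mirrors the post rather than any provider's published policy."""
import email
import re
from email import policy

# Constructed sample: forged sender, freemail "claims agent" addresses in the body.
SAMPLE_RAW = """\
From: "MICROSOFT MEGA JACKPOT LOTTERY" <noreply@example.invalid>
Subject: Winning Notification!!!

CONGRATULATION! Your email address has won 5,000,000.00 GBP.
To claim your prize contact our claims agent immediately:
Mr. Claims Agent <claims.agent.2008@yahoo.com>
or alternatively claims_agent_2008@hotmail.com
Reply to this notification within 7 days.
"""

# Reporting channels as described in the post (Gmail and Yahoo use web forms).
HOTMAIL_MSN = ("abuse@hotmail.com, report_spam@hotmail.com, "
               "abuse@msn.com, report_spam@msn.com")
ABUSE_CHANNELS = {
    "gmail.com": "web form; state that this is cheque fraud (419)",
    "yahoo.com": "web form; state that the body address, not the headers, is the abuse",
    "aol.com": "TOSEmail1@aol.com (full message with headers)",
    "sify.com": "customercare@sify.com (full message with headers)",
    "hotmail.com": HOTMAIL_MSN,
    "msn.com": HOTMAIL_MSN,
}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_message(raw):
    """Parse RFC 5322 message text with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def header_sender(msg):
    """The From: address, lowercased; the post notes this is almost always forged."""
    m = ADDR_RE.search(msg.get("From", "") or "")
    return m.group(0).lower() if m else None


def body_addresses(msg):
    """Distinct addresses in the text body, in order of first appearance."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    seen, found = set(), []
    for addr in ADDR_RE.findall(text):
        addr = addr.lower()
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def triage(raw):
    """Return [(drop_address, provider_domain, reporting_channel), ...].

    The forged header sender is excluded: the scammer never reads mail there,
    so it is the body address that a complaint has to name."""
    msg = parse_message(raw)
    sender = header_sender(msg)
    report = []
    for addr in body_addresses(msg):
        if addr == sender:
            continue
        domain = addr.rsplit("@", 1)[1]
        channel = ABUSE_CHANNELS.get(domain, "no channel listed in the post; check the provider")
        report.append((addr, domain, channel))
    return report


if __name__ == "__main__":
    for addr, domain, channel in triage(SAMPLE_RAW):
        print(f"{addr:40s} -> report via: {channel}")
```

Run it over a saved message (full headers included) and it prints one line per drop address with the channel to use; for the constructed sample that is one Yahoo and one Hotmail address, with the forged example.invalid sender skipped. The table is deliberately a plain dictionary so it can be updated as providers change their processes.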

In closing, here's the recent tally of my "lottery winnings" from just this past Friday (Nov. 15, 2008) and today (Nov. 17, 2008)


  • $1.500,000.00 in cash [Apparently waiting for me in a package being held at the FEDEX DELIVERY COURIER COMPANY.]

  • Six million US Dollars [Waiting to be invested "into profitable areas of business in your country"]

  • US$2,500, 000.00 [My prize from the SOUTH AFRICA WORLD CUP LOTTERY 2010 Sweepstake Award Promo]

  • 5,000,000.00 GBP [MICROSOFT MEGA JACKPOT LOTTERY]

  • a cash prize of One Million British Pounds [£1, 000,000.00] [from the South Africa FIFA 2010 World Cup Organizing Lottery Promotion - I won twice?!?! In one day?!?!]

  • $4.2Million USD [from the nondescript CONTRACT AWARD COMMITTEE]

  • USD18M {EIGHTEEN MILLION UNITED STATES DOLLARS} [an inheritance from the death of one "MR.TONY.RAYMOND"]

  • £3,000,000.00 (THREE MILLION POUNDS STERLING) [won from the COCA-COLA LOTTERY PROMOTION.]

  • £850,000,00 POUNDS (Eight Hundred And Fifty Thousand Pounds Sterling) [THE CASINO-WEB LOTTERY PROMO]

  • US$ 2Million (TWO MILLION UNITED STATES DOLLARS) [International Human Rights Organization (IHRO) in Nigeria, West Africa]

  • US$3,600,000.00 [UN Fund recovery Committee]

  • £1.500,000 GBP (One million five hundred thousand) Pound Sterling [Online Sweepstakes® I.P Award Department.]

  • US$3,600,000.00 [CCH & Securities (Advancing Payment Solution WorldWide)]

  • $5,000,000.00 USD [DIPLOMAT HIETER HAENSGEN / RESERVE BANK OF AUSTRALIA, European Terminal]


Grand total as of this writing (in USD): $55,925,912.79

If I wait two more hours I guarantee I will win at the bare minimum another million dollars USD. The best part is: it looks like everyone's a winner (they are always sent to "multiple recipients", never just to me.) Let's buy each other a drink, shall we?

I'll see about including a tally widget on the sideline of this blog. Any wagers that I "win" a billion dollars by Xmas?

Don't believe these stupid, pathetic and desperate messages.

SiL / IKS / concerned citizen

P.S. Recommended reading:

Nigeria cracks down on e-mail scams
The 'yahoo-yahoo boys' who are behind the country's infamous export have few job prospects.

Wikipedia: Advance-Fee Fraud

FOXNews.com: Oregon Woman Loses $400,000 to Nigerian E-Mail Scam

Wednesday, October 29, 2008

eNom Phishing, Child Porn and Avalonpay.com

Lots of spam suddenly showing up claiming to be on behalf of eNom.com, a well-known domain registrar.

Investigating these phishing attempts leads down a very dark hole indeed.

The eNom phishing sites are attempting to gather up domain information. For what purposes exactly is unsure, but I'm sure you could imagine: theft of a large number of domains, redirection of previously "good" domains to harmful content.

The contact information on these sites is all identical, and should be familiar to anyone who investigates this crap. Let's take one example domain, sys82.net:

Whois sys82.net

Domain Name: SYS82.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS1.KOLBERACN.COM
Name Server: NS2.KOLBERACN.COM
Name Server: NS3.KOLBERACN.COM
Name Server: NS4.KOLBERACN.COM
Name Server: NS5.KOLBERACN.COM
Status: ok
Updated Date: 25-oct-2008
Creation Date: 25-oct-2008
Expiration Date: 25-oct-2009

...

Domain servers in listed order:
ns1.kolberacn.com ns2.kolberacn.com

Administrator:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Technical Contactor:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422

Billing Contactor:
Name-- Shestakov Yuriy
EMail-: (alexeyvas@safe-mail.net)
tel --: +7.9218839910
org: Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422


Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:


Let's examine what else those DNS servers are supporting:

ns1.kolberacn.com

lolita-bbs.name NS ns1.kolberacn.com
ns1.kolberacn.com A 68.48.197.101
ns1.kolberacn.com A 68.80.158.76
ns1.kolberacn.com A 72.2.13.24
ns1.kolberacn.com A 75.60.192.242
ns1.kolberacn.com A 75.187.202.144
ns1.kolberacn.com A 97.82.229.170
ns1.kolberacn.com A 98.229.69.62
ns1.kolberacn.com A 99.245.182.179
xlpreview.com NS ns1.kolberacn.com
sys82.net NS ns1.kolberacn.com
com94.net NS ns1.kolberacn.com
weblola.net NS ns1.kolberacn.com
littlelolita.net NS ns1.kolberacn.com
nude-kids.net NS ns1.kolberacn.com
xlsites.net NS ns1.kolberacn.com

The server state is: 201 Okay


ns2.kolberacn.com

lolita-bbs.name NS ns2.kolberacn.com
ns2.kolberacn.com A 65.182.248.145
ns2.kolberacn.com A 66.30.49.194
ns2.kolberacn.com A 68.48.197.101
ns2.kolberacn.com A 68.80.158.76
ns2.kolberacn.com A 69.208.85.23
ns2.kolberacn.com A 72.2.13.24
ns2.kolberacn.com A 75.60.192.242
ns2.kolberacn.com A 76.112.161.176
ns2.kolberacn.com A 99.245.182.179
ns2.kolberacn.com A 209.60.226.164
ns2.kolberacn.com A 209.252.169.130
xlpreview.com NS ns2.kolberacn.com
sys82.net NS ns2.kolberacn.com
com94.net NS ns2.kolberacn.com
weblola.net NS ns2.kolberacn.com
littlelolita.net NS ns2.kolberacn.com
nude-kids.net NS ns2.kolberacn.com
xlsites.net NS ns2.kolberacn.com

The server state is: 201 Okay


And the rest are supporting several other domains featuring the enom phishing setup.

Note the diversity of the IP addresses associated with those domains: every single one of these is being hosted via a botnet, presumably home computers infected with the Asprox malware. I had been reading up on several investigations into that botnet, and now it appears it's directly a part of my own spam investigations.
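The observation above (one name server answering from many unrelated residential address ranges, on a domain registered days earlier) is exactly what a fast-flux check looks for. The following Python is an added example, not code from this post or from any tool it mentions: it parses a record listing of the kind shown above and the whois dates, and reports which indicators fire. The ns1/ns2.kolberacn.com A records and the sys82.net whois dates are reproduced from the post (the delegated-domain list is trimmed to the phishing-related names); the thresholds and the observation date (the date of this post) are assumptions for illustration.

```python
"""Fast-flux indicators from a name-server record listing plus whois dates.
Added example, not code from the post: it scores what the paragraph above
describes. Record lines and whois fields are reproduced from the post (the
delegated-domain list is trimmed to the phishing-related names); the
thresholds and the observation date are assumptions for illustration."""
import ipaddress
from datetime import datetime, date

# Reproduced from the post: "owner type rdata" lines for the two name servers.
PASSIVE_DNS = """\
ns1.kolberacn.com A 68.48.197.101
ns1.kolberacn.com A 68.80.158.76
ns1.kolberacn.com A 72.2.13.24
ns1.kolberacn.com A 75.60.192.242
ns1.kolberacn.com A 75.187.202.144
ns1.kolberacn.com A 97.82.229.170
ns1.kolberacn.com A 98.229.69.62
ns1.kolberacn.com A 99.245.182.179
xlpreview.com NS ns1.kolberacn.com
sys82.net NS ns1.kolberacn.com
com94.net NS ns1.kolberacn.com
xlsites.net NS ns1.kolberacn.com
ns2.kolberacn.com A 65.182.248.145
ns2.kolberacn.com A 66.30.49.194
ns2.kolberacn.com A 68.48.197.101
ns2.kolberacn.com A 68.80.158.76
ns2.kolberacn.com A 69.208.85.23
ns2.kolberacn.com A 72.2.13.24
ns2.kolberacn.com A 75.60.192.242
ns2.kolberacn.com A 76.112.161.176
ns2.kolberacn.com A 99.245.182.179
ns2.kolberacn.com A 209.60.226.164
ns2.kolberacn.com A 209.252.169.130
sys82.net NS ns2.kolberacn.com
"""

# Reproduced from the sys82.net whois shown in the post.
WHOIS_SYS82 = """\
Domain Name: SYS82.NET
Creation Date: 25-oct-2008
Expiration Date: 25-oct-2009
"""

# Assumed observation date (the date of the post) and assumed thresholds.
OBSERVED = "2008-10-29"
MIN_ADDRESSES = 5   # a legitimate NS name rarely has this many A records
MIN_PREFIXES = 4    # ... and even then they sit in one or two networks
MAX_AGE_DAYS = 7    # a domain registered days ago is a freshness signal


def parse_records(text):
    """Parse 'owner type rdata' lines into (owner, type, rdata) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(p) for p in rows if len(p) == 3]


def a_records(recs, name):
    return [ipaddress.ip_address(r[2]) for r in recs if r[0] == name and r[1] == "A"]


def delegated_domains(recs, ns):
    """Domains whose NS record points at this name server (shared infrastructure)."""
    return sorted(r[0] for r in recs if r[1] == "NS" and r[2] == ns)


def prefix_diversity(ips, bits=16):
    """Count distinct /bits networks: fast-flux spreads across unrelated ranges."""
    return len({ipaddress.ip_network(f"{ip}/{bits}", strict=False) for ip in ips})


def whois_field(text, key):
    for line in text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return None


def domain_age_days(creation, observed):
    """Days from a whois 'dd-mon-yyyy' creation date to an ISO observation date."""
    created = datetime.strptime(creation, "%d-%b-%Y").date()
    return (date.fromisoformat(observed) - created).days


def flux_indicators(recs, ns, whois_text, observed=OBSERVED):
    """Return the list of triggered indicators for one name server."""
    ips = a_records(recs, ns)
    hits = []
    if len(ips) >= MIN_ADDRESSES:
        hits.append(f"{len(ips)} A records for {ns}")
    spread = prefix_diversity(ips)
    if spread >= MIN_PREFIXES:
        hits.append(f"addresses span {spread} distinct /16 networks")
    age = domain_age_days(whois_field(whois_text, "Creation Date"), observed)
    if age <= MAX_AGE_DAYS:
        hits.append(f"delegating domain created {age} day(s) before observation")
    return hits


if __name__ == "__main__":
    recs = parse_records(PASSIVE_DNS)
    for ns in ("ns1.kolberacn.com", "ns2.kolberacn.com"):
        print(ns, "serves", delegated_domains(recs, ns), flux_indicators(recs, ns, WHOIS_SYS82))
```

On the data from the post all three indicators fire for both name servers: ns1 has 8 addresses in 8 different /16 networks, ns2 has 11 in 11, and sys82.net was four days old when the post was written. The /16 grouping is a crude stand-in for "unrelated networks"; with an ASN lookup available, counting distinct ASNs is the stronger version of the same test.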

Many of the domains supported by those name servers are, of course, sites which promote, sell, and distribute child pornography. Fortunately, as I write this, all of these sites are not responding. (Good work on getting those shut down, whoever you are.)

A quick investigation of one of those sites leads to a payment processing site known as Avalonpay.com. A quick search on that domain turns up an interesting blog entry on matchent.com concerning a similar investigation. The registrant contact data for that domain includes the company name "Absolutee Corp. Ltd.", allegedly based in Hong Kong:

Note the company name used, ABSOLUTEE CORP. LTD.
Compare with an article in Wired News, http://www.wired.com/politics/security/news/2007/10/russian_network , about the Russian Business Network from October 2007, quote:

"Jaret [note: speaking on behalf of RBN] also says there's no mystery about the company's ownership. According to Jaret, an offshore company called First Connect Telecom Limited Inc. owns RBN, though the company's principals remain anonymous. The registration information for the company's website lists a company called Absolutee Corp. LTD as the owner of the domain name. "

The article also mentioned that the whois info for RBN was changed later. And it has now expired.


So:

- eNom Phishing sites (all featuring alexeyvas@safe-mail.net contact email in whois.)
- Rogue DNS servers (All featuring fake Chinese registrant information in whois.)
- Child porn sites (All featuring absolutee.com registrant information in whois.)
- Avalonpay.com (Payment processor for child porn sites, also featuring absolutee.com registrant information in whois.)

ALL hosted using botnet-supported fast-flux servers.

You would think that this guy's days in this industry were numbered, but sadly you'd be wrong, at least to gauge it from how long he's maintained these operations.

I would love it if anyone from Russian law enforcement would investigate this scumbag. I guess I would first have to figure out how much they charge to do that. (Pardon my cynicism.)

Stay far, far away from any email related to these eNom "security bulletin" emails.

SiL / IKS / concerned citizen

Thursday, October 23, 2008

Is UADreams the new VPXL?

UADreams (Formerly UALadys) is back to spamming everybody whether they want it or not with 100% bogus "Russian dating" messages. Here's a sampling from mere moments ago:

Subject: RE: Message 00

Im a charming blue-eyed blonde, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

Don't loose time and come get registered FREE at: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 61

I'm a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

I have registered my profile at: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 11

I'm a beautiful girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 54

I'm a hot brunette girl, who looks for a male pen friend, or just a man to talk with on Skype or in real life!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5


Subject: RE: Message 30

I am an atractive blonde, and I'm searching for a man to chat with by email or by Skype, or even meet in reality!

My home page: http://el1te-russ1an-g1rls.com/?idAff=5


Of course I never initiated any communication with anyone in Russia (thus: why would there be a "Re:" in the subject in the first place?) This same affiliate (idAff=5) is sending me, on average, five to ten of these per hour, and the wording makes it clear he has utterly no idea what he's doing. Nobody should be dumb enough to click on any of these messages, especially since they all arrived virtually simultaneously.

Ignoring all of that: who describes themselves this way? There's just no basis of reality in any of these messages. Also: nobody is dumb enough to assume they are the sole object of this "woman's" affection. Literally everyone I discuss spam with has received these messages, and continue to do so.

This affiliate was previously sending me non-stop VPXL spam (prior to the shutdown of SanCash / AffKing, of course.) I can tell simply because he's applying the same template and frequency to this "UADreams" spam run. He also mails on behalf of GlavMed / Spamit and is among the mailers sending four times as much "Canadian Pharmacy" spam to everyone on the planet.

I've blogged about UALadys in the past. They clearly have no problem paying mailers to send millions of messages illegally to anybody. This idiot has no idea who's in his lists, and he doesn't care. I could be a 98 year old woman or a five year old boy. He will still assume I am interested in meeting a Russian woman to date and / or marry. This is the typical intellect of the average mailer. Not only do they not segment their lists or clean them, they just flat-out have no idea whatsoever of who is in their lists. Yet they believe it's up to us to take care of that by "just deleting" the millions -- or billions, as we've seen recently -- of messages they clog the Internet with on a daily basis.

Needless to say: you should never join ANY dating site which uses unsolicited email to promote itself.

SiL / IKS / concerned citizen

Tuesday, October 14, 2008

GenBucks + SanCash + AffKing + Tulip Lab + Shane and Lance Atkinson: BUH BYE!

A quick note today about some recent news which I think we've all been expecting for some time now.

Shane Atkinson, his brother Lance, and several others are currently the subject of intense legal action against the by-now well known spam operation SanCash, aka GenBucks.

If you caught any of the news last year regarding this setup, you might remember the BBC4 report which connected several dots between Atkinson, GenBucks, a product called "Manster" and a company called Tulip Lab.

Well two very big announcements today confirm, and place in the public record, that this investigative work was definitely on the right track.

This story, posted mere minutes ago, outlines pending fines of $200,000 per person against each of Shane and Lance Atkinson (together the foundation of SanCash), Roland Smits, and also confirms that they ran both GenBucks and SanCash, to promote what are now confirmed to be bogus and / or dangerous products which were manufactured and distributed by Tulip Lab, most notably Express Herbal (called approximately a dozen names over the past two years.)

It gets better: The US Federal Trade Commission has also taken action against the above-mentioned operators of GenBucks / SanCash, as well as Jody Smith, a resident of Texas, and four companies they operate. They further make mention of the widespread illegality of how they sent their messages (using an internationally-seeded botnet), and also mention AffKing, which is what SanCash used to be called.

Assets for all of the above entities have been frozen, effectively cutting off the profit source for any mailers who still insist on promoting these bogus, dangerous products.

The FTC press release puts a very fine point on the rampant falsehoods perpetrated on a daily (hell: hourly) basis by these criminals:

One product called "VPXL" was touted as an herbal male-enhancement pill. Advertised as "100% herbal and safe," it supposedly caused a permanent increase in the size of a user's penis. The agency alleged that not only did the pills not work, but they were neither "100% herbal" nor "safe," because they contained sildenafil – the active ingredient in Viagra. At the FTC's request, the pills were tested by the FDA. According to medical experts, men taking nitrate-containing drugs – which are commonly prescribed to treat diabetes, high blood pressure, high cholesterol, or heart disease – can experience an unsafe drop in their blood pressure when they also take sildenafil.


And more:

The FTC also alleges that the defendants made false claims about the security of consumers' credit card information and the other data they were required to provide to buy goods. In operating the online pharmacy, which was called "Target Pharmacy" and later "Canadian Healthcare," the defendants' Web site assured potential consumers that "TARGET PHARMACY treats your personal information (including credit card data) with the highest level of security," according to papers filed with the court. The Web site went on to describe its encryption process, which supposedly involved "Secure Socket Layer (SSL) technology." FTC investigators, however, found no indication that the Web sites were encrypted using SSL technology.

The FTC also challenged claims made for a weight-loss supplement pill purportedly containing Hoodia gordonii, a cactus-like plant found in southern Africa that supposedly could cause users to lose up to six pounds a week. The FTC charged that the claims were false and violated federal law.


Really: just read the whole thing. It'll bring a huge smile to your face. If you have an email address, you've most likely (98% chance) received spam for these "products", and anybody with half a brain already knows most of what was just quoted above.
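The FTC quote above boils down to one concrete check: the order page promised "Secure Socket Layer (SSL) technology" and the investigators found no sign of it. Here is what that check looks like as code. This is an added example, not part of this post or the FTC's filing: it parses the HTML of a checkout page and reports every form that would hand a card number to a plain-http URL, or that was itself delivered over plain http (where anyone on the path can rewrite the form's action). The page markup, the hostname `www.target-pharmacy.example` and the field names in `CARD_FIELDS` are all constructed for the example; only the "highest level of security" wording is taken from the FTC release.

```python
"""Flag checkout forms that collect card data without TLS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that suggest payment-card data. Assumption: common naming
# conventions; extend for the site under review.
CARD_FIELDS = {"cc", "ccnum", "cardnumber", "card_number", "cvv", "cvc", "exp"}


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "fields": [str, ...]}, ...]
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def insecure_card_forms(page_url, html):
    """Return [(resolved_action_url, reason), ...] for card forms lacking TLS.

    page_url is the URL the HTML was actually fetched from; a form with no
    action attribute posts back to that URL.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not any(name in CARD_FIELDS for name in form["fields"]):
            continue                      # no card data collected here
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(target).scheme != "https":
            findings.append((target, "card data posted over plain http"))
        elif not page_https:
            # The POST goes to https, but the form arrived unprotected and
            # could have been rewritten in transit to point elsewhere.
            findings.append((target, "form served over plain http; can be rewritten in transit"))
    return findings


# Constructed sample: an order page making the "highest level of security"
# claim while posting card details to a plain-http URL.
SAMPLE_PAGE_URL = "http://www.target-pharmacy.example/order"
SAMPLE_HTML = """
<html><body>
<p>TARGET PHARMACY treats your personal information (including credit card
data) with the highest level of security.</p>
<form action="/cart/submit" method="post">
  <input name="cardnumber"><input name="exp"><input name="cvv">
  <input type="submit" value="Buy">
</form>
<form action="https://search.example/q" method="get">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, reason in insecure_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{url}: {reason}")
```

The check is deliberately about transport only: a site can pass it and still store card numbers badly, so it confirms or refutes the "SSL" claim and nothing more. The search form in the sample is ignored because it collects no card fields.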

This is a good day, and makes this among the worst years ever for illegal spammers, as well as their sponsors and supply chain operators.

I fully expect to see lots of nonchalant postings on any of the remaining underground spam forums (whatever happened to Bulkerforum.biz anyway?) They can all claim that we should have all "just deleted" all of the billions of inbound messages that these scumbags continually pumped into everybody's inboxes with impunity. They're wrong. [How does one "just delete" 3000 of these per day without throwing the baby out with the bathwater? They've essentially ruined email as a usable form of communication.]

My congratulations and gratitude go out to members of New Zealand law enforcement who worked so diligently over the past 9 months to fully investigate these cretins. Also: kudos to the author of spaminmyinbox.com who did such great investigative work on his own, as well as Simon Cox from the BBC.

SiL / IKS / concerned citizen

Monday, August 18, 2008

Some Spammers Are "Getting Out Of The Business"

If you've been reading any tech news sites lately, you've probably noticed several distinct trends:

1) Lots of reporting of the Storm worm, with sub-stories related to mass hijacks of publicly-owned websites for the purposes of infecting the public's PCs with the Storm worm. (With still further subsets focusing on the "Russian Business Network" (or "RBN") being behind the whole setup.)
2) Lots of arrests, convictions, and imprisonments of large-scale illegal spammers. (Including one murder-suicide of a previously incarcerated illegal spammer.)
3) More raids in Romania of online scammers, predominantly eBay scammers.
4) Lots of arrests and indictments related to the TJ Maxx identity theft incidents from last year.

As with last year, 2008 is proving to be an extremely bad year for illegal spammers.

I define an illegal spammer as the following, which is more specific than CAN-SPAM:

- They don't care who they send to, or whether they actually ever wanted to hear from them in the first place.
- Further to that point: they actively seek out email addresses of total strangers to start spamming them. They know that these email addresses are not actively seeking to be sent spam. They don't care.
- They try to get as much deliverability out of their messages whenever they know that their messages are being specifically filtered against (remember: they know these people don't want the messages in the first place.)
- They spam the same individual numerous times per day. (And in many cases: per hour.)
- They spam urls representing largely illegal or fraudulent websites, selling either fake or counterfeit products, in violation of international law.
- They never opt anyone out, ever, and never honor any inbound communication regarding spamming.
- In many cases, their sites actively filter for any words related to spamming in their email or contact forms. They are well aware that they operate in violation of the law, and the public's privacy.
- Their "opt-out policy" is to tell anyone who complains to "find your delete key."

Robert Soloway was just such an individual. He knowingly spammed millions of people, several times per day, promoting "products" which either didn't work (his so-called "turnkey email marketing solution") or a variety of other bogus products. He ignored, and then later actively retaliated against any complaints regarding spamming.

Soloway was recently quoted as saying "I can honestly say, even though I'm going to federal prison, for once in my life, I have a focus. I'm very sorry for what I did. I'm hoping people can forgive me." (source) This is in very stark contrast to previous statements he had made in chat rooms and web forums. e.g.: "I always win ... regardless of the judgment amount ... losing is not an option, and I never ever, ever have to pay a single cent to anyone." (source)

Well we now know just how wrong he was.

I'm not going to comment on the Eddie Davidson murder-suicide. It was very tragic and ultimately had very little to do with his prior spamming exploits (other than the fact that he escaped from the prison he was sent to for doing so.) What I will comment on is that Davidson was an active and willing informant to the FBI and other law enforcement agencies, something very few press outlets covered. He was already providing lots of information on how stock spamming worked, and was allegedly assisting in the case against his former business partner Darrel Uselton, known to be a rampant, unrepentant stock spammer for years. Jack and Darrel Uselton are both awaiting trial on Sept. 29th and continue to be under investigation by several states and the US Securities and Exchange Commission (SEC). (See the Texas AG's press release dated July 9, 2008.)

That doesn't bode well for many spammers, and could also have the ancillary effect of further damaging Alan Ralsky, currently under a similar indictment in Michigan related to his repeated stock spamming activities, and profiting from stock market manipulation.

There was also the conviction of Michael Dolan relating to his AOL phishing and spamming practices.

All of this is summed up rather nicely in a recent forum thread I was made privy to in the past few weeks.

If You Live In The U.s.a - Please Stop Spamming, It's just not worth it anymore

gerogeyboy0101
Posted: Jul 16 2008, 03:45 PM

On a roll...

Group: Members
Posts: 253
Member No.: 1368
Joined: 21-September 04

I have met online and dealt with many of you throughout the years, and some of you are simply terrific people who got caught up in something a long time ago that used to be innocent and legal, but now has been blown into astronomical proportions of bad.

People all over the USA are going down for illegal activity related to spam. I myself became a target for the IRS and was questioned by the FBI all because I told the truth about the fact that I had received 1099s from two spammers that had spam lawsuits against them.

Surveillance technology and the Patriot Act and further bills being signed into being are completely destroying liberal, human, and privacy rights for citizens in the United States.

I don't know if some of you guys realize it but these guys do not close, they do not stop. They take our tax dollars and get paid to sit in rooms and spy and follow leads, and investigate and do whatever it takes to catch whoever they can whenever they can. They are relentless and uncaring. If you're going to spam and you have to, hey, a man (or woman) has gotta do what they gotta do. But using proxies or botnets or unauthorized access on anyone's computer is simply not worth it anymore.

They will put you away for years, no ifs, ands, or buts about it. I'm not trying to scare anyone, I'm just saying, be careful, and watch your asses, because they are out to get you 24/7.


The thread continues with a lot of basically "shrugging" comments about how this has always been the case, followed by general agreement that everybody should be careful not to use their real identities when "doing business", and then referring to the US as a "fascist" country.

They are all missing the point.

All of these recent arrests are pointing to a rather obvious point: if you commit crimes, no matter where you are or who you claim to be, you will be found, you will be arrested, you will be prosecuted, and you will be convicted. The few times this has not happened, it still results in suspects vastly changing their lives by moving to a completely different geographic location, and setting up whole new identities. If you're spamming illegally, and especially if that spamming is surrounded by other illegal acts (hacking, hijacking of public computers, infection of public computers, fraud, wire fraud, computer trespassing, unauthorized sale of controlled substances, securities fraud, etc. etc. etc.) trust me: you are going down. Maybe not today. Maybe not this year. But you will.

Regarding the Russian Business Network: this shadowy group is continuing to erode the public perception of the country of Russia. Russian cybercriminals are behind perhaps 90% of the virus-laden emails the general public has been receiving. There are several reports that have linked them to the following:


  • Recent attacks against websites and network infrastructure of the country of Georgia, starting at precisely the same moment as the attacks on the ground.

  • Spam messages claiming to be from either MSNBC or CNN featuring links to bogus "breaking news" stories.

  • Server hijacks and exploits causing them to deliver these same infections.

  • Spam for "Canadian Pharmacy", a known Spamit / Glavmed sponsored property.



And of course there are the less-substantiated claims that they also have been behind spam campaigns and hijacked hosting for a variety of child pornography website operations, and that they were also involved in the cyber-attack against Estonia last year.

Prosecution of whoever is behind this group, especially within Russia, is unlikely. But that's soon going to become less of a problem since much of their target audience is actually geographically located within the US, as are (it is believed) several of their operatives. Also: a lot of the people who spam on behalf of these Russian groups and individuals (notably Spamit / Glavmed) are located in the US, Canada, and several countries in Europe. Arresting them can cut off a major source of cashflow and infrastructure. It also can draw out further details of where these individuals can be found, and subsequently arrested, if not by Russian police, then by international law enforcement. It's a pretty small planet, after all.

The cyber-attacks against Georgia have garnered some very widely viewed headlines, and not just in tech publications. This does not help the Russian government in its bid for entry into the WTO. That was previously hindered by the renowned shuttering and resurrection of AllOfMP3.com. (Which now alternately operates as MP3Sparks and MemphisMembers.) It also isn't doing any favors for Russia in terms of how international law enforcement sees them, which I'm sure is of no consequence to the Russian government anyway. That the recent cyberattacks have gained significant news attention is now raising some questions for other governments: if they can attack Estonia and Georgia, who's to say they can't attack a larger western power? Or a specific government, or utility, or financial network? The fact is: they can. Illegal spammers and their supporters have killed off any site which gets close enough to the truth to make them uncomfortable: the KillSpammers forum (which is not completely gone, just on hiatus :) ), spam-court, CastleCops, Blue Frog, etc. They will do it whenever it suits them, or when they feel that the evidence is such that it will cause problems with their cashflow. I don't doubt that they'd eventually try to attack Citibank, or PayPal, or the US Federal Reserve if it suited their needs at the time.

But that can only keep going for so long. A very bright light has been shone upon the RBN, and they are certainly aware of it. One day, inevitably, something's gotta give, one way or the other.

In any case, the past two years have made two things abundantly clear:

1) While the process may be slow, law enforcement and the courts do enforce laws against these criminals, and apply penalties resulting in real jail time.
2) The public at large is definitely fed up with continually receiving email spam (or really spam of any type.)

The tally so far this year:


  • Indicted:

    • Alan Ralsky

    • Scott Bradley

    • Judy Devenow

    • John Bown

    • William Neil

    • Anki Neil

    • James Bragg

    • James Fite

    • Peter Severa

    • How Wai John Hui

    • Francis Tribble

    • Albert Gonzalez, AKA Segvec

    • Christopher Scott

    • Damon Patrick Toey

    • Maksym Yastremskiy, AKA Maksik

    • Dzmitry Burak

    • Sergey Storchak

    • Aleksander Suvorov, AKA Jonny Hell

    • Hung-Ming Chiu

    • Zhi Zhi Wang

    • Sergey Pavolvich

    • An unknown hacker named "Delpiero"



  • Arrested:

    • Alan M. Ralsky [but out on bail]

    • Albert Gonzalez, AKA Segvec

    • Maksym Yastremskiy, AKA Maksik


  • Convicted and Imprisoned:

    • Robert Soloway

    • Michael Dolan





That's 24 people named above (the three listed as arrested already appear among the indicted). And that's actually an incomplete total, since there were an additional 22 arrested back in April, notably including "Vladuz", a Romanian cybercriminal behind rampant amounts of eBay phishing attempts. So for 2008 alone, we're nearing 50 criminal prosecutions against these criminals, and it's only August.

So I think I would have to agree with ol' "gerogeyboy0101" up there: if you're spamming at all, do us all a favor and get the hell out of "the business."

SiL / IKS / concerned citizen

Oh and P.S.: anybody notice that a lot of inbound spam purporting to be for VPXL or "Canadian Healthcare" now redirect to the SpamWiki entry for SanCash? :)

e.g.:

chipadd.com [a king replica site]

now points to:

http://www.spamtrackers.eu/wiki/index.php?title=King_Replica

Hehe. Nicely done, whoever you are.

SiL

Monday, July 14, 2008

Storm Of Stupidity

I'm pretty certain that if you're reading this blog, you're well aware of these messages promoting "news stories" which are in fact links to hijacked servers pushing out new Storm Worm infections.

For the inbound spam I received over the past several days, 100% of what used to be spam for VPXL (or its bogus new names "PowerEnlarge" or "MaxGain+") is now spam promoting hijacked websites which will attempt to infect you with the Storm worm. But the idiot who's sending it has confused his subject lines and message bodies. More on that later.

Check out this utterly ridiculous list of "headlines" the criminals behind the Storm worm want us to believe are true. (Subject lines and bodies are listed in the order they were received):

Subject lines:


  • Even politicians need a day off

  • Cheap fuel available in Texas

  • Dark Knight free tickets up for grabs

  • Barack Obama pulls out from Presidential Race

  • Orgies discovered in Hollywood

  • Baby borned with 2 privates

  • Barack Obama graft trial begins

  • Afghan captial in mourning

  • Stray javelin kills promising US sprinter

  • Charred bodies found near White House

  • Obama's karma over slip of tongue

  • Local family found hidden gold

  • Best prediction for upcoming lottery

  • Bomb scare in JFK causes delays

  • Google-Yahoo merger announced

  • Microsoft takes over Yahoo Inc



Message Bodies:


  • Osama bin Laden spotted in Texas, vows revenge on US

  • China pulls out of hosting 2008 Olympic games

  • Picture of boss doing secretary

  • Floods in Bahamas claims hundreds of lives

  • Women love it long and hard up their love hole.

  • Don't let your kids out late - 12 juveniles missing in Connecticut

  • Hilary Clinton screams bloody murder over loss, vows revenge on Obama

  • All the best techniques to bed a girl recordered right here.

  • Tasty come is very important to women, enhance its flavor here

  • She likes her kitty stretched and do you have the capability to do it?

  • Dying for a flaming hottie, ram the slutty devil tills she cry foul.

  • Guess the right number and win 10000

  • Magic Johnson dies of AIDS at 49

  • Global warming declared a hoax by US Senate

  • Louis Vuitton gives out free bags to poor in New York

  • Celebrity blogger reveals all



This is to the tune of several hundred messages received per day.

In every single case: these are obvious, outright lies. Not only that: they're extremely poor attempts at outright lies. I know of six-year-olds who would be far more convincing at writing this stuff.

If they genuinely wanted to pique the public's interest in actual, legitimate news (something they were trying before by referring to genuine news stories, claiming that you would be downloading a video) then maybe I wouldn't be so pissed off at receiving this crap. But if they have to stoop to outright bald-faced lies, with no care whatsoever that they be taken the slightest bit seriously, I think I have to ask: who are you idiots who keep clicking on these stupid links in these emails?! How out of touch are you, exactly?

Are you that disconnected that you seriously believe that Osama Bin Laden would actually expose himself to the media in Texas? Or that after the past year and a half of campaigning (and millions of dollars spent,) Barack Obama would pull out of the US presidential race? And what legitimate news service would ever use the word "borned" in an actual headline?

Who are you people?!

Note also that in several cases this complete moron of a mailer has paired his Storm worm subject lines with message bodies promoting VPXL or PowerEnlarge. It's so obvious that this is the same mailer that it might as well be considered a fingerprint. And in the last case, the subject and body are identical to those for a VPXL spam message received last month. But the link is pointing to a Storm site (again: a hijacked site, which has illegally been used for this purpose.)
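The "fingerprint" observation above can be turned into something a mail filter can act on: if a mailer draws subjects and bodies from fixed pools and recombines them, then any two messages that share a subject line, a body line or a link host were almost certainly sent by the same operation, and the hijacked hosts behind the Storm headlines can be tied to the hosts behind the pill spam. The code below is an added example, not from this post: it links messages that share any template string into one cluster with a union-find structure, then lists every link host attributed to that cluster. The sample messages are constructed from subject lines, bodies and hijacked hosts quoted in this post; the PowerEnlarge body text and the host `pills.example` are made up for the example.

```python
"""Cluster spam by shared subject/body templates and link hosts (added example)."""
from urllib.parse import urlsplit


def _norm(text):
    """Case-fold and collapse whitespace so trivial edits don't split a template."""
    return " ".join(text.lower().split())


class _DSU:
    """Minimal union-find over hashable keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_templates(messages):
    """Group message indexes that share a subject, a body line, or a link host.

    messages: list of dicts with "subject", "body" and "url" keys.
    Returns a sorted list of clusters, each a sorted list of indexes.
    """
    dsu = _DSU()
    for i, m in enumerate(messages):
        # Each template string is a node; a message joins every node it uses.
        for key in (("subj", _norm(m["subject"])),
                    ("body", _norm(m["body"])),
                    ("host", (urlsplit(m["url"]).hostname or "").lower())):
            dsu.union(("msg", i), key)
    groups = {}
    for i in range(len(messages)):
        groups.setdefault(dsu.find(("msg", i)), []).append(i)
    return sorted(sorted(g) for g in groups.values())


def attributed_hosts(messages, cluster):
    """Every link host used by the messages in one cluster, for blocklisting."""
    return sorted({(urlsplit(messages[i]["url"]).hostname or "").lower()
                   for i in cluster})


# Constructed sample. Subjects, bodies and the two hijacked hosts come from the
# spam quoted in this post; the pill body text and pills.example are invented.
SAMPLE_MESSAGES = [
    {"subject": "Barack Obama pulls out from Presidential Race",
     "body": "Osama bin Laden spotted in Texas, vows revenge on US",
     "url": "http://activiteitenclubs.info/"},
    {"subject": "Google-Yahoo merger announced",
     "body": "Osama bin Laden spotted in Texas, vows revenge on US",   # shared body
     "url": "http://www.asto.sk/"},
    {"subject": "Google-Yahoo merger announced",                       # shared subject
     "body": "PowerEnlarge - add inches this month",                  # invented pill text
     "url": "http://pills.example/"},
    {"subject": "Your invoice is attached",
     "body": "Please find the invoice attached.",
     "url": "http://unrelated.example/"},
]

if __name__ == "__main__":
    for cluster in cluster_by_templates(SAMPLE_MESSAGES):
        print(cluster, attributed_hosts(SAMPLE_MESSAGES, cluster))
```

Message 2 carries no Storm subject and no hijacked host, yet it lands in the same cluster as the Storm mail through the reused "Google-Yahoo" subject, which is exactly the mix-up the post describes. The pay-off is the host list: a blocklist built from one campaign's links now covers the sponsor's pill domain as well. Normalising only whitespace and case is a deliberate choice; fuzzier matching catches more variants but also starts merging unrelated mailers.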

Here's a sampling (far from complete I'm sure) of the infected servers which are being used in today's spam attacks promoting the Storm worm:


  • http://activiteitenclubs.info/

  • http://tatianavidal.com.br/

  • http://www.asto.sk/

  • http://www.stirparo.net/

  • http://laovejanegraylg.com/

  • http://sweetcharitygifts.org/

  • http://dc-nfz.de/

  • http://www.testforum.familien-cafe.de/

  • http://sohodesign-ec.com/

  • http://www.noniforlife.de/

  • http://neoma-interactive.com/

  • http://franjaderecho.com.ar/

  • http://216.120.229.16/

  • http://def.livenet.pl/

  • http://solscreen.com/

  • http://test-djs.com/



I'm omitting any mention of the target html or exe files which the Russian group has placed on all of these sites. (If you've received these messages, you know what they are already.)

In every case, the resulting page is attempting to mimic the infamous "PornTube" website, featuring what appears to be an underage nude female and several completely bogus (but still offensive) comments. It's most definitely not safe for work, and it's an unconvincing template.

Speaking of which:

If you actually were stupid enough to click on one of these links, assuming you'd be seeing news footage of "floods in the Bahamas": why on earth would you continue to allow this download to take place even after you discovered (essentially) that the site was instead pornographic?

Why are you people using a computer at all?

If you are reading this and you are the operator of one of these domains, you should be aware that the spammer behind this (or more likely his sponsor) has complete control over your server. If you're the ISP who is hosting one of these sites: you should really upgrade your systems.

You can discover a variety of methods this criminal group has used to gain full access to your web server at the following url:

http://www.malwaredomainlist.com/forums/index.php?topic=1878.0

That research is ongoing of course.

Spammers and their supporters love to boast about how stupid Westerners are (or basically: non-Russians / non-Romanians.) If you've gotten infected by knowingly clicking on links in these completely idiotic messages: you are only proving their point.

I have to ask again: Who are you people?!

Stop clicking on links within spam messages!! Whenever you do so, you are supporting known criminal organizations. Turn your computer off now.

Honestly, people...

SiL / IKS / concerned citizen