Tuesday, December 30, 2008

2008: A Significant Year In The Fight Against Illegal Spammers

Note: Edits and corrections have been made to this posting. Thank you to those with sharp editorial eyes who responded with small fixes and updates. Also note that, sadly, all links to CastleCops as of this writing are non-functioning. I am keeping them in place in the hope that the site is re-started sometime in the next year.

The year 2008 saw the largest string of arrests, prosecutions, sentencings and imprisonments of illegal spammers in the history of illegal spamming. 2007 was already a very bad year for spammers. 2008 continued this trend, all of which underscores the fact that people really are fed up with hearing from spammers, and that spammers will go to jail if they continue to spam illegally or engage in identity theft or fraud.

Here is the basic run-down of 2008. Enjoy!

January:


  • We begin the year still revelling in the arrest of Robert Soloway, and the investigation into the computers and properties of Shane Atkinson, known spammer and sponsor representative for SanCash and VPXL. Intensive investigations are ongoing into both of these cases as the year begins.

  • Alan Ralsky, and several of his colleagues (notably one James E. Fite, aka "buba" on bulkerforum.biz), are indicted. The indictment carries 41 counts including Fraud, Wire Fraud and Money Laundering. He faces a sentence of 26 years in jail for the tax evasion charge alone.

  • SpamInMyInbox continues his investigation into what is now known to be SanCash.



February:


  • Several colleagues commence an intensive communications campaign between ICANN and XIN NET (also known as "paycentre") in the hopes of waking them up to the massive amount of illegal abuse they are supporting by allowing domains to be registered using 100% fictitious contact information, in violation of ICANN accreditation policies. It sounds dry, but this is a huge Achilles heel for spammers, and more importantly for the sponsors who pay them. Without a large supply of illicitly-registered domains, spammers have nothing to promote, and sponsors lose money. This campaign would turn out to take many weeks and months. Red Dwarf, AlphaCentauri and (most notably) trobbins file literally hundreds of thousands of complaints using Red's "Complainterator."



March:


  • Renowned unrepentant criminal spammer Robert Soloway pleaded guilty to charges of felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005.



April:

  • SpamInMyInbox's investigation into SanCash, GenBucks, Tulip Lab and "VPXL / Express Herbal" continues. Tulip Lab launches a lawsuit claiming (we think) libel, without serving him any notice. He later removes several references to Tulip Lab. Meanwhile New Zealand law enforcement firm up their plans to charge Shane and Lance Atkinson for illegal spamming, pending their continuing investigation into several computers they seized in December, 2007 following the BBC4 investigation into the same operation.



May:

  • SpamInMyInbox is placed under a temporary injunction thanks to the Tulip Lab complaint. He removes all mention of Tulip Lab from his blog.

  • The criminal charges keep on coming! On May 19th, 2008, US Attorney General Michael B. Mukasey holds a press conference in Bucharest, Romania announcing the indictment of 38 individuals, from numerous countries, all of whom were involved in phishing scams based out of California and Connecticut. This is fairly big news since it involved the cooperation of Romanian law enforcement officials, and communication between several international law enforcement agencies including the FBI.

    Other links to this story: New Haven FBI Press Release, Overview of the Law Enforcement Strategy to Combat International Organized Crime [pdf], US DOJ Indictment, and coverage by GarWarner's blog.

  • SiL's Blog (the very one you are reading now, ikillspammerz.blogspot.com) gets listed in The Industry Standard's Top 25 B-to-Z List Blogs.

  • SiL creates a new entry in the Spam Wiki which outlines in relatively good detail the perceived infrastructure and hierarchy of a typical pharmacy or replica email spam operation. He also firms up quite a bit of evidence regarding each of the known sponsors of illegal spam, including Spamit, Bulker.biz and SanCash (also known as AffKing.)

  • TodayNIC, long a haven for the registration of thousands of spamvertised domains per year, suddenly take decisive action and shut down a very large list of domains which have been registered using completely fake contact information, and which are used in spam campaigns for properties such as Canadian Pharmacy, ED Pill Store, Downloadable Software, Prestige Replica, Exquisite Replica, etc. etc. etc. They even go so far as to automate the verification and shutdown process against any domains listed in the uribl list under their registration. This is a huge blow to spammers and their sponsors as it slams a door shut on a previous aider and abettor of illegal spammers. [Original link to the archive of takedowns was here.]



June:


  • More criminal charges! Robert Matthew Bentley of Panama City is sentenced to three and a half years (41 months) in jail and fined $65,000USD for hijacking hundreds of PCs for use in a botnet which was used in attacks and popup ad fraud. This is the result of nearly two full years of investigation as part of "Operation Bot Roast II".

  • Paul Laudanski leaves CastleCops to become a full time Internet Safety Investigator for Microsoft's Live Consumer Services.

  • Greg King, renowned for DDOS'ing Castlecops in February 2007, pleads guilty to two felony counts of transmitting code to cause damage to protected computers. He faces a maximum of 20 years in prison and a fine of $500,000USD.

  • XIN NET finally (FINALLY!) takes action on not just a few, not just a few dozen, not just a few hundred, but several tens of thousands of illicitly-registered domains. This has a devastating effect on several spam sponsors, notably Spamit and SanCash. None of the spammers or sponsors dares complain publicly, but the effect is obvious and we notice several mailers suddenly switch 100% from mailing PowerEnlarge, Prestige Replicas, MaxGain+, VPXL and Canadian Pharmacy, to instead spamming long-in-the-tooth pump and dump stock symbols. (CYHD, then AGSM.)

  • Almost overnight, sponsors and domain registration mules switch from XIN NET and Todaynic to otherwise unknown domain registrar "Xiamen Chinasource Internet Service Co., Ltd." Red Dwarf and trobbins lead the charge in informing them of this shift in the spammers' (or their sponsors') activity, and they immediately also begin shutting down and nullrouting several hundreds of new domains per day, all of which feature verifiably fake contact information and are used, of course, in illegal spam campaigns supporting bogus or dangerous products.

  • Research by Ironport correctly identifies the operators of the Storm Worm as the same group responsible for the rampant spamming on behalf of "Canadian Pharmacy". Most domains used for Canadian Pharmacy are also hosted on fast-flux botnet hosting, further digging the hole for that operation. The Register reports on it, further expanding the audience for this important research.

  • Martin Heller receives a memo from Garth Bruen of KnujOn detailing why XIN NET should be issued a breach notice from ICANN. His timing is a little late, but it further raises the lingering issues with XIN NET in the public eye. Heller also draws a direct relationship between XIN NET and several well-known SanCash spamvertised properties including Wondercum and Diamond Replica.

  • Between June and July, a very large spate of Storm worm spam attempts to convince unwitting Internet users to click on links leading to hijacked websites with the hopes of greatly increasing the number of usable bots in the Storm botnet. Spam messages initially take the form of winsome (if illiterate) love letters with subject lines like "Always with you" or "Always in my heart". Shortly thereafter, they exploit breaking news of the earthquake that hit China in late June, claiming "Millions dead in China Quake". Then still later, they take on a variety of totally fake "news headlines" such as "The beginning of World War III", "Angelina Jolie dies during childbirth" and "USA declares war on Iran." For whatever reason, recipients appear to click on the links anyway and the Storm worm gains in numbers. [source]

  • SanCash debuts their "Exquisite Footwear" brand of fake designer goods. SiL creates the Exquisite FootWearErator to counteract these spam messages. Later on, in July, spam for this brand diminishes significantly. :) (Coincidence?)



July:


  • The CastleCops Bulk Spam Reporting Wiki Entry is created and swiftly becomes a valuable evidentiary tool for domain registrars, hosting providers and law enforcement. Within a very short time, several domain registrars begin to take notice and investigate the fraudulent registration of thousands of domains used in the spamming of all manner of bogus or illegal sites. The wiki entries are regularly updated by numerous CastleCops staff members.

  • Sentencing begins for Robert Alan Soloway, who is (at the time) expected to get from 14 to 20 years behind bars after pleading guilty to mail fraud, e-mail fraud, and tax evasion.

    "The government asks for nine years in prison, three years probation, complete forfeiture of everything Soloway ever made from spamming, 624 hours of community service, and that Soloway be barred from the internet until his sentence is complete."

  • Romanian authorities, again in cooperation with the FBI and other international law enforcement agencies, arrest an additional 22 Romanian citizens in connection with eBay fraud.

  • On or around July 14th, literally all Chinese domain registrars cooperate fully with takedown notices from Knujon, Spamcop, and numerous independent recipients of illegal spam, impacting virtually every spamvertised brand from all known spam Sponsors. Following this, the influx of Storm worm spam grows exponentially, becoming the primary topic of most inbound spam for most recipients.

  • More spammer convictions continue to pour in. After pleading guilty to breaking anti-spam laws a year previously, Adam Vitale is sentenced on July 19th in a New York federal court to two and a half years in prison and ordered to pay $180,000 to AOL in restitution.

  • On July 22nd, the Denver Post reports that former stock spammer Eddie Davidson "walked away from a minimum security prison camp in Florence". Discussion on several anti-spam forums indicates that this is among the stupidest moves Mr. Davidson could have made, since (if captured) he would face more severe jail time in at least a medium-security prison. (But then: see spammer rule #3.) In a very tragic turn of events, two days later he, his wife and his daughter are found dead of an apparent murder-suicide. Davidson, it turns out, was also an informant in cases relating to Alan Ralsky, among many others.

  • Yet another conviction, and this one is a big fish: On July 22nd, Robert Alan Soloway was sentenced to 47 months (3 years, 11 months) in prison, following his aforementioned guilty plea on charges of felony mail fraud, fraud in connection with electronic mail and failing to file a tax return in 2005. In a Seattle Times story he apologized to the court:

    "I built my entire life around a facade," Soloway told the court. "I'm very embarrassed and I'm ashamed."


    And in a PCWorld story, assistant U.S. attorney Kathryn Warma was quoted as saying:

    "None of those cases, not one, comes close to this case in terms of the duration of the maliciousness, the harassment techniques, the high level of spamming activity that we have in this case..."


    Following his prison term, Soloway is expected to serve three years of probation and has been ordered to do 200 hours of community service.

    Although the sentence is considered mild in comparison to what he was eligible for, it still sends a significant message to illegal spammers everywhere: you can get caught, and you will do time. See also the US DOJ Press Release.



August:



  • It's interesting to note that by August of 2008, virtually no stock spam is seen by anyone. Obviously the legal ramifications have finally hit home to the remaining spammers stupid enough to bother doing it anymore.


  • More arrests! On August 2nd, the FBI arrested two individuals in relation to the illegal sale of identities from the subprime databases of Countrywide Financial.

    Rene Rebollo, a 36-year-old former Countrywide employee from Pasadena, has been charged by the FBI and taken into custody with a co-conspirator, Wahid Siddiqi, a 25-year-old from Thousand Oaks. It's alleged that Rebollo would come into the office every Sunday and download data from Countrywide's subprime mortgage system, Full Spectrum Lending.


    There's also a great recap of the whole bust, plus further digging over at the GarWarner blog.


  • Even more arrests! On August 5th, Albert Gonzalez of Miami, known by his nickname "Segvec", was charged along with a total of 10 others in relation to the TJ Maxx identity theft case from 2007 in which millions of credit and debit card numbers were stolen. See also the Wired news coverage.


  • During the widely-reported Russian invasion of Georgia, several byline stories start to crop up regarding the cyberwarfare tactics also employed by Russia against Georgia. Very large-scale DDOS attacks against government websites and the website of Georgian President Mikheil Saakashvili are reported even in mainstream news outlets. This would mark the second time that Russia has been directly linked to a DDOS attack against a country's websites and infrastructure, and the second time that the shadowy "Russian Business Network" (RBN) has been fingered as the possible group behind the attacks, under direct orders either from Russian government officials or Russian military personnel.

    Further reading: here, here, here and here.

    Later research, however (especially that of Gary Warner), makes it clear that this was largely a "populist" attack, since several Russian forums and message boards encouraged ordinary citizens to run a batch script on their Windows PCs, resulting in a sustained DDOS attack, run manually, by ordinary citizens (in addition to the use of a botnet, which was borne out by subsequent research.)

  • More arrests! On August 13th, the US Dept. of Justice announced the indictment by a federal grand jury of seven residents of Pulaski County, MO, involved in an illegal online pharmacy. Anthony D. Holman is the alleged ringleader of the group, and also designed the templates for the sites his affiliates would use to promote the online pharmacy. The seven individuals allegedly made $3.4 million (USD) of profit via their "PersonalizedRx, LLC" online pharmacy, which sold many controlled pharmaceuticals. Holman and his partner Arcelia Holman were also charged with five counts of money laundering.

    "Narcotics sold over the Internet have led to deaths, overdoses, and addiction nationwide. We are determined to shut down these dangerous and illegal Web sites and prosecute those who profit from them."

    The federal indictment alleges that, beginning sometime in 2005 and continuing to Oct. 16, 2007, all seven co-defendants participated in a conspiracy to distribute such prescription drugs as hydrocodone, alprazolam and zolpidem by using fraudulent prescriptions obtained through the Web sites they operated.

  • August 14th, 2008 sees the sentencing of renowned AOL spammer Michael Dolan to seven years in prison on charges of fraud and aggravated identity theft, related to his repeated harvesting of AOL accounts, to which he would then send malware to steal account details and other personal information. He also participated in numerous phishing exploits on AOL members. Following his seven year sentence he will face three years of supervised release. Dolan appears to have followed in the footsteps of the likes of Chris "Rizler" Smith, engaging in witness tampering and other extremely illegal practices.

  • August 22nd, 2008: Still more arrests!

    Leni de Abreu Neto, from Taubate, Brazil, faces up to five years in prison and a fine of more than $250,000 for allegedly running and leasing access to a botnet of 100,000 compromised computers around the world for the purposes of sending spam.


    This has to be some kind of record. :)




September:


  • In a scathing post on his Security Fix blog on Sept 3rd, Brian Krebs exposes Atrivo and Intercage, a pair of US-based hosting providers, as what he refers to as "a major source of spyware, adware, viruses and fake anti-virus products."

    He then exposes ESTDomains as being one of the major providers of domain registration for all manner of illegally-spammed porn, casino and (of course) illegally-operated pharmacy websites.

    This leads to some very swift and widespread action on a variety of fronts, all of which Mr. Krebs reports on.

  • In related news, and on the same day, The Register posts a story about domain registrar Directi (referring to a June 17th, 2008 story on the Security Fix blog) alleging their ties to controversial malware domain registrar ESTDomains. The story alleges that Directi, using several alias company names, was responsible for tens of thousands of illicitly-registered domains, used for all sorts of criminal and spamming activity.

  • In a stunning show of action related to the above media activity, Directi severs all ties with ESTDomains, and immediately goes on a media offensive, taking abuse reports from anyone who cares to send them, and acting upon them immediately. Further feedback from a number of sources to Directi leads to the shuttering of several thousand domains, many of which had been listed by the likes of Spamhaus and Knujon (who raised this issue in the first place) since June of 2008. This is a very good response and it makes Directi a bad place to register domains if you're a spammer. I and several of my colleagues also provided a great deal of historical data and research to guide them in preventing further new registrations for domains specific to any known illegal spam sponsor. We eventually see many thousands of domains get cancelled or suspended.

  • Still more bad news for cybercriminals and spammers: further investigation and media exposure leads ultimately to hosting provider Atrivo [aka: Intercage] losing all of their upstream network providers, shuttering tens of thousands of illegally-operated sites related to cybercrime, identity theft, fraud, porn and illegal online pharmacies. [also see coverage here and here.]

  • In late September, a Kentucky judge (Franklin County Circuit Judge Thomas Wingate) orders the seizure of 141 domain names tied to online gambling. This is perhaps marginally related to spamming, but it's another blow against cybercriminals as well. Domains included FullTiltPoker.com, Doylesroom.com, Bodoglife.com, and Microgaming.com. Bodog is a renowned shady operation with ties to offshore gambling and the music industry. A few weeks later, on Oct. 21st, that same judge upheld the domain seizures.

  • On September 22nd, Robert L. Soloway was scheduled to begin his 47-month (3.9-year) prison sentence.

  • Among the domains which get shut down during the Directi actions earlier in the month is the affiliate portal bulker.biz, which later returns as bulkerbiz.com. As anyone who reads this blog is aware, bulker.biz is the program responsible for My Canadian Pharmacy, Canadian Health&Care Mall, Men+Drugs and International Legal Rx, all illegally-operating pharmacies selling completely bogus products which harm the general public. They regroup quickly and continue to spam, setting up new domains at a variety of other less diligent domain registrars.

  • In a similar vein, several diligent reporters of spamvertised websites finally make solid and fruitful contact at TodayNIC, another domain registrar commonly used by spammers. This results in still further shutdown of tens of thousands of domains used in spam runs on behalf of Canadian Pharmacy and numerous others.



October:


  • On or around Oct. 4th, bulkerforum.biz goes offline without any notice. Several spam investigators assume that a new, invitation-only forum must have been set up in its wake. No mention of this forum's demise is made on any of the other known spammer-friendly forums.

  • On Oct. 7th, two European men are indicted in the US for allegedly orchestrating DDOS attacks against two websites. (Axel Gembe of Germany, and Lee Graham Walker of England.) Axel Gembe is alleged to be the creator of the Agobot exploit. They were hired by Jay R. Echouafni to carry out these attacks for two weeks in 2003. See also the US Dept. of Justice press release.

  • The same day, a federal court judge orders Henry Perez and his wife Suzanne Bartok "to pay more than US$236 million for sending millions of spam messages to a small Iowa ISP (Internet service provider)." [source] This case dates back to 2001. These were some particularly obtuse spammers, who thought they were spamming Compuserve servers when in fact they spammed a much smaller domain.

  • Oct. 13th: The shadowy forum known as "Darkmarket.ws" turns out to have been an FBI sting operation.

    Reports from the German national police obtained by the Südwestrundfunk, Southwest Germany public radio, blow the lid off the long running sting by revealing its role in nabbing a German credit card forger active on DarkMarket. The FBI agent is identified in the documents as J. Keith Mularski, a senior cybercrime agent based at the National Cyber Forensics Training Alliance in Pittsburgh, who ran the site under the hacker handle Master Splynter.


    [Note: Master Splynter was known as "Master Splyntr" on the assumedly defunct bulkerforum.biz, which has by this time been down for several months.] He was previously assumed to be "Pavel Kaminski" on Spamhaus, information which was removed once this report came to light. There's further reading here, including mention of 56 arrests resulting from the shutdown.

  • Oct. 14, 2008: Fantastic news regarding the nearly year-long investigation into Shane Atkinson, SanCash, AffKing, GenBucks and Tulip Lab.

    New Zealand law enforcement ask the NZ High Court to "impose financial penalties of $200,000 on each of three New Zealanders involved in a major international spamming operation."

    Its Statement of Claim alleges that company directors, Shane Atkinson of Christchurch, his brother Lance Atkinson of Pelican Waters in Queensland and Roland Smits, a courier of Christchurch, were involved in sending over 2 million emails to New Zealand addresses alone between September 5 and December 31 2007. The trio allegedly earned sales commissions of more than $US2 million from their global operation.

    The emails marketed Herbal King, Elite Herbal and Express Herbal-branded pharmaceutical products, manufactured and shipped by Tulip Lab of India, through a business known as the Genbucks Affiliate Programme. This business was operated by Genbucks Ltd, a company incorporated in the Republic of Mauritius.

    The Department says that Shane Atkinson was co-manager of the Genbucks Affiliate Programme; Lance Atkinson, trading under the name of Sancash, recruited and paid spammers to market Genbucks products, adult sex toys and replica watches...


    This is very bad news for Tulip Lab, who widely claimed that they had nothing to do with illegal spamming, and who threatened a well-known blogger with a defamation lawsuit for making precisely these claims, based on his own diligent investigative work. It turns out that he was exactly right. [Further coverage here, here and here.]

    It gets worse for SanCash affiliates however, because moments after that press release hit the wires, the FTC also made a press release of their own:

    A U.S. district court has ordered a halt to the operations of a vast international spam network that peddled prescription drugs and bogus male-enhancement products. The network has been identified as the largest "spam gang" in the world by the anti-spam organization Spamhaus. The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants' assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC.


    There are some really damning statements in this press release. More excerpts:

    One product called "VPXL" was touted as an herbal male-enhancement pill. Advertised as "100% herbal and safe," it supposedly caused a permanent increase in the size of a user's penis. The agency alleged that not only did the pills not work, but they were neither "100% herbal" nor "safe," because they contained sildenafil – the active ingredient in Viagra. At the FTC's request, the pills were tested by the FDA. According to medical experts, men taking nitrate-containing drugs – which are commonly prescribed to treat diabetes, high blood pressure, high cholesterol, or heart disease – can experience an unsafe drop in their blood pressure when they also take sildenafil.


    This is of course great news for anyone with an email address, since something approaching 40% of inbound spam was promoting these "products".

    Court documents outline numerous chat transcripts between Lance Atkinson and his cohorts which made it extremely clear that he was well aware that what he was doing was illegal, and violated FTC statutes, among other things.

    Did I mention that it's a bad time to be an illegal spammer?


  • More legal activity in Alan Ralsky's case. On Oct. 15th, Judy Devenow, an accomplice in Alan Ralsky's stock spamming operation, pleads guilty and agrees to assist law enforcement investigators. At the time she faces from 33 to 41 years in prison related to charges of assisting in Ralsky's stock manipulation, money laundering and wire fraud operation. Her sentence could be reduced based on how much she assists prosecutors.


  • On October 23rd, a Dutch newspaper releases a story claiming that three hackers from Russia and Ukraine were arrested. [Image of English translation available here.]

    Google translated:

    International cooperation of the High Tech Crime Team of the National Forensic police and security forces has led to the arrest of three hackers in Russia and Ukraine, who were presumably involved in digital attacks on bank accounts in Western Europe.

    The operation announced yesterday in Ukraine and Russia stems from an investigation by the High Tech Crime Team to a virus attack on account of ABN AMRO Bank in 2007. Customers of the bank in March 2007 received a SPAMmail with a virus. Account holders were then no longer on the real website of the bank, but were redirected to a very similar spoof abroad.


    Assuming the investigation is ongoing, this is explosive news, and marks one of the extremely few times that Russian cybercriminal entities have ever been prosecuted.

  • On Oct. 28th, several media outlets pick up the story that EST Domains lost their ICANN accreditation. (And Gar Warner's blog features a concise breakdown of what happened.) This loss of accreditation is a result of the company's owner, Vladimir Tsastsin, having been convicted of money laundering and credit card fraud in February, 2008. (Shouldn't it have been because of the fact that most of the 281,000 domains registered at EST were used for illegal purposes?) Either way: good riddance.

  • Starting on Oct. 27th, numerous email users begin receiving spam pointing to phishing sites which are posing as the login page of enom.com, a well-known domain registrar. This is an obvious attempt to steal people's domains and use them for, we assume, "very bad things." This starts (or in some cases, continues) a series of large-scale investigations into who is behind these domains, and indicates that whoever it is is also involved in the registration of several domains used in child porn websites and forums. This individual is not new to those of us in the cybercrime investigative community. He was previously using several email addresses on the "cocainmail.com" domain for his domain registrations, but since that domain got shut down, he now uses a safe-mail.net account. The investigation continues...


November:


  • Nov. 12th, the Washington Post's Brian Krebs reports that McColo has lost their upstream connectivity. This came after he provided boatloads of evidence to several providers. This allegedly knocks out 75% of illicit or illegal online activity, since McColo was providing hosting for several domains used as the command and control centre (C&C) for several large-scale botnets, notably the Srizbi botnet.

    Multiple security researchers have recently published data naming McColo as a mother ship for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online.

    Joe Stewart, director of malware research for Atlanta based SecureWorks, said that these known criminal botnets: "Mega-D," "Srizbi," "Pushdo," "Rustock" and "Warezov," have their master servers hosted at McColo.

    Collectively, these botnets are responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

  • Nov. 14th, ESTDomains loses their accreditation.

  • On Nov. 15th (a Saturday), McColo regains network connectivity for approximately 12 to 24 hours, allowing them to update several infected members of the Rustock botnet with new command and control location information, located in (where else?) Russia. Several media outlets report on this development. Spam levels remain down at least 60 - 70% in the meantime.

  • The respite from mass amounts of spam of course turned out to be short-lived, and on Nov. 26th several hundreds of thousands of bots began coming back online again. Researchers at many security groups, but especially at FireEye, monitored the reconnection and hinted that there was a reason that they didn't take more decisive action (such as commanding all the bots to uninstall themselves, something they were in a position to do.) Almost immediately, spam levels begin to rise again — though it's important to note that they still remain lower, generally speaking, than they were prior to the media attention and subsequent shutdowns.

  • On Nov. 17th or so, everybody begins receiving hundreds of new spam messages promoting sites for what were previously SanCash properties. (Notably Prestige Replica and King Replica.) Several new properties also appear, using identical website design to previous VPXL and PowerEnlarge sites. (Now named V.E.P. [Virility Enlarge Pills] and PowerGain+ respectively.) If this is SanCash returning to business as usual, it is a profoundly stupid move, since the FTC and numerous law enforcement agencies are watching every move they make.

  • Later in November, SiL starts an experiment to see how many "lotteries" he will "win" via illegally sent Nigerian scam messages. [Hint: these are not genuine lotteries, especially a "Microsoft / Yahoo Lottery", which SiL "wins" at least four times a week.] His first 2-day total is over $56 million USD. Within less than two weeks, that total is nearly $400 million USD, from a total of 65 "lottery" messages. Within less than a month, the "total" is $700 million. The likelihood of anyone winning so many lotteries, so close together, in such a short space of time, is virtually zero. Apparently the Nigerian scammers out there don't seem to care how stupid they appear to be.

  • Beginning in late November and continuing throughout December, several anti-spam activists begin methodically reporting every Google Docs and MSN Live Spaces link they receive via spam. Following months of inaction on the part of MSN, several spam blocklists begin adding MSN Live Spaces to the ranks of domains to block. Very slowly, MSN abuse team members finally begin removing the offending pages, but not at a rate fast enough to deter the spammers who continue to abuse the service. Google Docs will remove entries if enough individuals flag them as abusive; in a mere two weeks, several hundred Google Docs links used in spam runs are rendered useless (400 at last count, with reporting still continuing).



December:


  • Ecatel, the latest network provider to take over connectivity for the botnet C&C servers previously hosted at McColo, also has its network shut down, enraging several of its otherwise legitimate customers. This leads to the very public outing of the rogue individual who brokered the deal, one Ganesh Rao, who is very well known to spam-fighting organizations. Rao is among the operators of infinitetech.in, a "bulletproof hosting" provider.

  • In what may be a reflection of the harm illegal spammers do to consumers at large, numerous news outlets report that deaths due to overdoses of addictive painkillers are on the rise. This should hardly be surprising when all of us, every day for the past several years, have been receiving relentless amounts of spam promoting precisely these products, with no prescription ever required. [See also this story.]


  • On Dec. 10th, the FTC orders a pair of companies behind a series of bogus antivirus products to shut down and freezes their assets. (The companies were known as Innovative Marketing, Inc. and ByteHosting Internet Services, LLC, but operated under numerous aliases.) For many months these companies and their affiliate program had been duping unsuspecting consumers into believing their computers had become infected with hundreds of viruses, trojans and other malware, encouraging them to download and install an alleged antivirus product that went by a variety of names, including "WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus". Of course, installing that software provided no genuine protection against any malware, and the companies profited massively from this fraudulent activity. One such operation was dissected in October 2008 by the SecureWorks team. [source]

  • In a related story, on Dec. 10th Microsoft releases Security Intelligence Report 5, which details a rather large list of infections that Microsoft's security updates had removed over the past several months. Gary Warner's blog delves into the data and explains how massive this really is: removals of the Zlob infection alone number in the millions, among many others. It looks like a bad time to be in the fake antivirus business.

  • On Dec. 17th, How Wai John Hui pleads guilty to federal fraud and money laundering charges related directly to the Alan Ralsky case. Even if Hui cooperates fully with the ongoing investigation into Ralsky and his "business" dealings, he stands to serve 32 to 39 months (roughly two and a half to three and a quarter years) in federal prison, and must "forfeit $500,000 in illegal earnings." This, on top of October's news that accomplice Judy Devenow is cooperating with investigators, is extremely bad news for Ralsky.

  • On Dec. 19th, SiL's "winnings tally" surpasses one billion US dollars. It has been only 33 days since he started keeping track of the amounts he was allegedly "winning" or "inheriting" via fake Nigerian scam letters.

  • On Dec. 22nd, New Zealand court documents are unsealed stating that Lance Atkinson has "admitted his part in a major international spamming operation and will pay a financial penalty of $100,000 plus costs of $7666." [source] His fine is reduced from the $200,000 maximum because of his cooperation with law enforcement and because, when he began SanCash, spamming itself was not yet illegal in New Zealand. Shane Atkinson and Roland Smits have instead chosen to defend themselves against these charges. No word on a court date at this time, and no word on the still-pending FTC charges. See also this press release, which goes into further detail and specifically names Tulip Labs as directly involved with this illegal operation.

  • In some additional follow-up, the author of SpamInMyInBox.com writes a year-end roundup of his investigation into SanCash, GenBucks and Tulip Lab, including an update on the case Tulip Lab has brought against him:

    Regarding the case against me in Delhi High Court, India, currently all of my research is being evaluated by NASSCOM (because of the technical depth of parts of it) who will report back to Delhi High Court, and the next hearing will be in the end of February 2009, which can be read in the following court document: http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=171295&yr=2008


    He further states that Tulip Lab is apparently now "interested" in withdrawing its charges against him. (I just bet they are.) This suggests there will be a lot more interesting news about this case in 2009.

  • In some very disappointing news, at midnight on the morning of Dec. 24th, 2008, the revered anti-spam and anti-cybercrime site CastleCops.com, which for several years had been instrumental in collating and organizing criminal evidence related to illegal spamming, cybercrime, malware and phishing, shut down indefinitely. As of this writing it is unknown whether the site will ever reappear. The operators had been struggling to maintain it on top of crushing workloads at their other jobs, and that, coupled with further complications, ultimately led to its demise. Members of the site had to find or create other ways of staying in contact, and in its wake several wikis, forums and blogs have started up, with more very likely to follow in the new year.

  • From Dec. 4th through Dec. 26th, "trobbins", a long-time collector and mass-reporter of illegally registered domain names, successfully gets just over 12,000 domains shut down that were used in spam campaigns for the usual variety of bogus "products" promoted by illegal spammers and their sponsors. Most of these domains were registered through providers located in China (35 Technology, BizCN, Xin Net, etc.). trobbins is by no means the only individual reporting such domains to registrars around the world, but he has a striking ability to convince even previously non-responsive registrars to take action on large numbers of illicit domains registered with 100% fake contact information. Most of these registrars were previously considered bulletproof by spammers and their sponsoring companies.
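The two reporting efforts described above (the Google Docs / MSN Live Spaces link reports in November, and trobbins' mass domain reports in December) both start from the same chore: pulling every spamvertised URL out of a pile of spam, deduplicating, and sorting each one into "report the page to the hosting service's abuse desk" versus "report the domain itself to its registrar". The script below is an added illustration of that triage step, not a tool from the original post or from any of the people it names. The spam bodies are constructed samples, the list of abused free-hosting services is an assumption for the example, and the registrable-domain helper is deliberately naive (a real tool would consult the public suffix list and then WHOIS to find the sponsoring registrar).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample spam bodies (not real messages from the post).
SAMPLE_SPAM = [
    "Cheap replica watches! http://docs.google.com/View?docid=abc123 order now",
    "Your win: visit https://SPACES.LIVE.COM/somebody/blog/cns!1234 to claim",
    "Genuine pills http://example-pills-shop.cn/order?ref=9 ...",
    "Duplicate run http://docs.google.com/View?docid=abc123",
    "http://www.example-pills-shop.cn/index.html and http://other-replica.info/",
]

# Free-hosting services whose content is user-uploaded: the spam page, not the
# domain, is what gets reported. This set is an assumption for the example.
ABUSED_SERVICES = {"docs.google.com", "spaces.live.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host.
    Assumption for the example only; real tools use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(url, host):
    """Lower-case scheme and host so duplicates with different casing collapse."""
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(), netloc=host).geturl()


def triage(messages):
    """Split spamvertised URLs into per-service abuse reports and registrar reports.

    Returns {"service_urls": {host: [unique urls]}, "domains": [unique domains]}.
    """
    service_urls = defaultdict(set)
    domains = set()
    for body in messages:
        for url in extract_urls(body):
            host = urlsplit(url).hostname
            if not host:
                continue
            host = host.lower()
            if host in ABUSED_SERVICES:
                service_urls[host].add(normalise(url, host))
            else:
                domains.add(registrable_domain(host))
    return {
        "service_urls": {h: sorted(v) for h, v in service_urls.items()},
        "domains": sorted(domains),
    }


def report_lines(result):
    """Render the triage result as one line per report target."""
    lines = []
    for host, urls in sorted(result["service_urls"].items()):
        lines.append(f"{host}: {len(urls)} page(s) to report to the service's abuse desk")
    for domain in result["domains"]:
        lines.append(f"{domain}: report to sponsoring registrar")
    return lines


if __name__ == "__main__":
    for line in report_lines(triage(SAMPLE_SPAM)):
        print(line)
```

Deduplication is the point: the docs.google.com link appears in two messages and the .cn shop appears under two hostnames, but each lands in the output exactly once, which is what keeps a mass report credible to an abuse desk or registrar.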



Phew! That's a lot of activity! Way more than occurred in 2007. Almost all of it is good news for people who hate spam and the people who profit from it, and a great deal of it is thoroughly bad news for the operators of distributed spam operations.

Clearly we're entering a more mature phase in how legislation treats illegal activity carried out online. The sheer breadth of international cooperation between disparate law enforcement agencies is a very encouraging sign, and one that points to even more arrests and other legal action against illegal spammers.

I'll still say it, since it's always worth repeating:

DO NOT PURCHASE ANYTHING FROM A WEBSITE YOU RECEIVED IN A SPAM MESSAGE OF ANY TYPE!

To do so is to basically give away your personal data to criminals, to risk having your identity stolen, and to risk personal harm to yourself, or even death.

Happy Holidays everyone. Stay safe!

SiL / IKS / concerned citizen