Thursday, December 31, 2009

2009: Year Three Of Consistent Action Against Cybercriminal Activity

Another year, another series of scumbag criminals trying their best to grab all the money of ordinary people around the world. But also: another series of arrests, shutdowns, and more and more media exposure of cyber criminals and their illicit activities.

Here's to still more pressure against cybercriminals who think they can constantly get away with selling fake and dangerous pills to us, swindling the public, and avoiding law enforcement. Certainly some of them still have, but it's clear from the past three years that their days are numbered.

For a change, I want to send out best wishes to some of the extremely diligent researchers and reporters out there who have kept a consistently sharp eye on the illegal activities of numerous groups and individuals, and recommend their blogs to you:

» All the researchers at FireEye Malware Intelligence Lab.

» Brian Krebs, Security Fix at the Washington Post.

» Gar Warner, Cybercrime and Doing Time.

» All the contributors to the Threat Level Blog at Wired.

» Dancho Danchev, Mind Streams of Information Security Knowledge.

And of course:

» All of the contributors to the Forums at InBoxRevenge.

All of you have helped make life extremely difficult for cyber criminals this year and in previous years, and I think it's safe to say that your continued shining of bright lights on their activities may one day lead to a serious shutdown of cyber crime activities. (Well, or more so than even this year. You'll see what I mean below.)

I should apologize in advance because the length of this post is far more than any average posting on this blog. In this particular case, long is good. This was an unprecedented year.

Here we go...

January:

  • Jan. 8th: Maksym Yastremskiy (aka: "Maksik") is sentenced to 30 years in prison by a Turkish court for his part in the infamous TJ Maxx hack, which stole some 45 million credit cards from point-of-sale network data at a variety of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores across the US. There are 10 others still pending trial.
  • On Jan. 14th, SiL's "winnings" total from Nigerian scammers [visible in the right-side section of this blog] hits $1 Billion USD. He had begun tabulating every fake "lottery" or "inheritance" message starting on Nov. 17th, 2008. It only took 59 days to reach his first billion USD.
  • Jan. 30th: Ukrainian web hosting provider UkrTeleGroup Ltd., another in a series of "bad actor" hosting companies (remember Atrivo and McColo?), is taken offline. This is a result of the continued exposure of their illicit activities by members of the tech media.
  • On Jan 27th, SiL's "winnings" total from Nigerian scammers hits $2 Billion USD. That only took 13 days.

February:

  • Feb. 12th: FireEye Security begins a series uncovering further companies who clearly support illegal activity online, starting with a comprehensive report on Starline Web Services, hosted in Estonia.
  • Also on Feb. 12th, a news story is posted claiming that Microsoft, Symantec and other corporations are offering a $250,000 reward for information leading to the arrest of whoever is behind the malicious "Conficker" worm, which is extremely virulent and widespread. This leads to some skeptical discussion within the anti-spam community, since whoever is responsible is most likely living in Russia or Ukraine, and likely very well-protected and hard to find. [See also this story.]
  • On Feb. 14th, a news story appeared that (finally!) one of the numerous Nigerian scammers had been arrested for fraud in Mumbai, India:

    The incident started when Mmereole had e-mailed a message to the Mumbai businessman in November 2008 saying that he could obtain unclaimed money amounting US$ 8.6 Million from one Oceanic Bank located in Nigeria by paying US$ 8,780 as processing fees, police said.

    The message said that the bank's director would personally collect the fees from the businessman. However, the businessman sought police help by lodging a complaint at the CCIC.

    He subsequently contacted Mmereole and falsely expressed his willingness to pay the processing fees. After that, they chalked out a plan to meet at the hotel where police caught the Nigerian fraudster while taking the money, officials said.
  • On Feb. 18th at approximately 4:00pm EST, the forum at InBoxRevenge is the target of an SQL injection attack. The attack was vaguely warned about via a spam message worded identically to those for the well-known illegal pharmacy site Canadian Pharmacy. The attack was effective for approximately 12 minutes, after which the forum continued operation unfazed. Following this attack, numerous automated attempts to register were logged. All of them originated from Russia, Ukraine, Israel and Croatia. The operators of Glavmed / Spamit (the affiliate program and sponsor group behind Canadian Pharmacy spamming activity) are believed to be the perpetrators.
  • On Feb. 25th, SiL's "winnings" total from Nigerian scammers hits $3 Billion USD.

March:

  • On March 3rd, renowned and unrepentant spammer Sanford Wallace is sued by Facebook for (guess what?) spamming Facebook members.

    ...the suit covers allegations that Wallace and his business associates spammed Facebook members with wall posts that posed as messages from their friends. The gang allegedly hacked into accounts using phishing techniques before sending the offending messages.

    This comes nearly a full year after Wallace was ordered to pay $230 million dollars to MySpace for precisely the same activity. (See also this coverage.)
  • March 4th, renowned cybercrime investigator and blogger Dancho Danchev notes that pro-gay Russian websites have been under sustained DDOS attack for a week. This is somewhat ironic, given the sheer volume of spam messages originating from Russia featuring message bodies with multiple occurrences of the word "penis".
  • On March 10th, Sergei Markov, a member of Vladimir Putin's Unified Russia Party, jokes that his assistant was responsible for the 2007 cyber attack against Estonia.

    During a discussion on information warfare in the 21st century, moderated by US-based Russian journalist Nargiz Asadova, Markov unexpectedly went into a Boris Yeltsin-style rant, Radio Free Europe reports.

    "About the cyberattack on Estonia... don't worry, that attack was carried out by my assistant. I won't tell you his name, because then he might not be able to get visas," he said.
  • On March 5th, SiL's "winnings" total from Nigerian scammers hits $4 Billion USD.
  • On March 7th, the most widely-spread new virus, known as Conficker and Downadup, upgrades all infected PCs in the first "push" style update ever witnessed from a large-scale botnet.

    In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the prolific worm. For one, the update targets antivirus software and security analysis tools to prevent them from removing the malware. Not only does it try to disable anti-malware titles, it also goes after programs such as Wireshark and regmon.

    And for another, it also greatly expands the number of domain names infected machines contact on a daily basis.

    A few days later, a group known as "Bit Defender" releases their own Conficker removal tool.
  • On March 13th, Konstantin Goloskokov, a "commissar" in the Kremlin-backed youth movement known as Nashe (or Nashi, depending on the report you read) claimed responsibility for the 2007 cyber attack against governmental and other sites in Estonia.

    Mr. Goloskokov said: "We did not do anything illegal. We just visited the various internet sites, over and over, and they stopped working.

    "We didn't block them: they were blocked by themselves because of their own technical limitations in handling the traffic they encountered."
  • On March 13th, the BBC program "Click" receives lots of tech media attention when they demonstrate the functionality of a botnet which they had temporarily gained control of. British investigators consider whether what they did was illegal even though they didn't use the botnet for any actual malicious intent.
  • March 16th, internetnews.com reports that cybercriminal and spamming activity is rising as it never has before.

    Expect more spam later this year. IronPort's Bandhari said that botnet owners are building vast bot armies with the capability of sending even more spam but are not yet using them to their full capacity. "We see two or three botnets that are set up but not fully monetized yet," he said. "There have been some spam and malware attacks hosted from there, but they are trying to stay under the radar."

    Botnets and cybercrime appear to be receiving much more press attention since November, 2008. This is mostly a good sign.
  • On March 19th, renowned, long-time stock spamming relatives Darrel and Jack Uselton settled with the SEC regarding charges the SEC filed against them way back in July 2007 over their rampant stock spamming and market manipulation.

    Without admitting or denying the SEC's allegations, the Useltons agreed to be permanently banned from selling penny stock in the future. Out of $4.2m seized by authorities, Darrell Uselton will pay more than $2.8m in disgorgement and prejudgement interest. The SEC will also collect a $1m penalty.

    Darrel Uselton still faces charges for engaging in organized criminal activity.
  • On March 20th, rogue fake antivirus affiliate portal trafficconverter2.biz is shuttered after Visa and MasterCard report massive chargebacks for their card processing accounts. The story is reported both by F-Secure and Brian Krebs' Security Fix blog at the Washington Post. The Krebs story in particular references several connections to the Conficker worm, which may have been purposely flooding that site in the hopes of stifling competition with another unknown fake antivirus site.
  • Also on March 20th, Trend Micro's security blog itemizes all of the spam brands being spammed via the Waledac virus. The spam is clearly from several affiliate programs, notably Spamit, Bulkerbiz.com and AffConnect. This only clarifies that any individual can use whichever botnet they choose, to spam on behalf of any rogue affiliate program.
  • On March 24th, SiL's "winnings" total from Nigerian scammers hits $5 Billion USD.
  • March 26th, 25-year-old Charlie Blount Jr. of West Haven, CT is sentenced to four years for his participation in a phishing and identity theft scheme against users of AOL.
  • Also from West Haven, CT (what is it about that city?), 24-year-old Thomas Taylor managed to avoid doing any jail time for his participation in the same malware scheme.

April:

  • On April 7th, SiL's "winnings" total from Nigerian scammers hits $6 Billion USD.
  • At the RSA conference on April 21st, cybercriminal researcher Joe Stewart makes an open call to take a new approach in fighting the numerous criminal organizations which perpetrate most of the cybercriminal activities around the world. The following day, he is interviewed by security reporter Brian Krebs (story)

    What we really need is to form teams that focus on tracking specific adversaries, trying multiple tactics to affect these guys' criminal enterprises. The idea is to escalate the technical measures they have to go through to keep their businesses up and running.
  • April 23rd, Darkreading.com reports that a very large-scale Ukraine-based botnet has infected 70 US Government domains.

    The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains -- 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine.

    Details of the botnet and what it does can be found on the Finjan website, who were the ones who discovered it.
  • On April 30th a US District court in Missouri indicted four men in a "Giant College Spam Operation":

    A federal grand jury in Missouri has indicted two brothers and two other people on charges related to an alleged e-mail spamming case that targeted more than 2,000 U.S. colleges and sold more than US$4.1 million worth of products to students, the U.S. Department of Justice announced.
  • On April 24th, SiL's "winnings" total from Nigerian scammers hits $7 Billion USD.
  • It also comes to light on April 30th that a list of backers of Hillary Clinton and her presidential campaign were sold to some 21 buyers for an alleged $4.5 million.

    In the first three months of 2009, Mrs. Clinton's presidential campaign brought in $4.5 million by selling or renting out the list, which has contact information for more than a million people. Among the 21 customers for the list were political entities closely connected with Mrs. Clinton, according to first quarter filings with the Federal Election Commission. They included her political action committee, her Senate campaign committee and her husband Bill Clinton's charitable foundation, which together paid more than $3.5 million to use the list, the FEC filing showed.
  • On April 25th, the Canadian Government tables their first-ever legislation regarding spam and online crime. Titled "The Canadian Electronic Commerce Protection Act" (CECPA?!), the bill purports to protect Canadians against numerous forms of online criminal activity, including spamming.

    The Honourable Tony Clement, Minister of Industry, today announced that the Government of Canada is delivering on its commitment to protect consumers and businesses from the most dangerous and damaging forms of spam. The government has introduced legislation in Parliament that aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.

    The proposed Electronic Commerce Protection Act (ECPA) will deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and will help drive spammers out of Canada.

May:

  • On May 8th, in a bizarre story, "someone" operating a very large botnet known as the "Zeus botnet" (one of many such Zeus botnets, by the way) sends a command to "kill operating system", or "kos", causing some 100,000 infected Windows PCs to shut down completely. Zeus is known to harvest financial and identity data, and the theory is that whoever commanded this botnet to shut down did so in the hopes that they could use the vast amounts of credit card and other data they had harvested.
  • May 18th, Sergiu Daniel Popa, 23, originally from Romania, is sentenced to eight and a half years for running numerous phishing websites claiming to be Sun Trust Bank, Citibank and PayPal. Popa also (of course!) sold several phishing kits to other criminals. See also further coverage by the Register.

    He pleaded guilty last year, so the long prison term Popa received took some security watchers by surprise.

    In sentencing, Judge John Tunheim said the long jail sentence he was imposing against Popa reflected the scope and longevity of his offences, as well as the many victims affected by his crimes.

June:

  • On June 2nd, SiL's "winnings" total from Nigerian scammers hits $8 Billion USD. This latest "Billion" took longer than average [40 days], possibly due to SiL reporting some 750 free-mail accounts to their providers.
  • Throughout June, and continuing to this day, spam is seen in the wild claiming to be from Microsoft, Adobe, and a variety of governmental, financial and other agencies in the hopes of infecting (or perhaps "re-infecting") as many people as possible with the Zeus bot (remember the shutdown that took place earlier?). Numerous researchers write several reports and track down the hundreds of thousands of domains this crew registers, and this further raises the question of when ICANN will actually start enforcing their registrar accreditation regulations, given that so many rogue affiliates continue to allow domains to be registered "en masse", with either no contact information or completely fake contact information.

    This same group of spammers or individual spammer (unknown) also attempts to sell one or another of a growing number of fake antivirus products which are essentially ransomware.

    Numerous stories tied to this one, and the research continues to this day, but this one covers all the bases.
  • On June 22nd, the FBI put out a press release announcing that Alan Ralsky, long-time fraudster and unrepentant spammer, has pleaded guilty along with four of his accomplices to numerous charges, including those directly pertaining to criminal spamming activity. The charges include conspiracy to commit wire fraud, making false statements to federal officers, and (obviously) violating the CAN-SPAM Act. Each faces from 2 to 3 years in federal prison. Score another win for law enforcement.
  • A few news organizations publish a story alleging that well-known spammer Ron Scelson has been arrested on rape and molestation charges.

    Slidell Police seized over a dozen computers on Tuesday from the business and home of a man who allegedly molested a teenager.

    The bust comes after a several month investigation looking into claims that 36-year-old Ronald Scelson handcuffed a 14-year-old girl to a chair and molested her.

    There is no further coverage of this story for the rest of the year, so it's unknown whether these charges were sustained or not.
  • On June 30th, SiL's "winnings" total from Nigerian scammers hits $9 Billion USD.

July:

  • On July 28th, a report entitled HTTP, Web Browsers and Web 2.0 - A Criminal's Dream is presented at a Cisco / Ironport event in Thailand. It directly names Glavmed, Spamit, and Canadian Pharmacy as having direct links to each other and to a variety of website infections, as well as the ubiquitous Storm worm.
  • On July 21st, cybercrime research group FireEye publish their discovery that yet another rogue ISP allowing criminal activity to thrive, known as "3fn", has also lost its connectivity. (3fn stands for "Triple Fiber Networks", and was apparently related to a company named "Pricewert LLC".) This is the fourth shutdown that we know of, and exposes a huge amount of criminal activity related to payment processing (notably on behalf of several child pornography sites), hosting of child porn, command and control of botnets, distribution of malware, and of course the hosting and processing for numerous illegal online pharmacies. There's lots more that probably wasn't published.

    The shutdown was executed by the US Federal Trade Commission [press release] and marks another win for law enforcement against these criminal entities.
  • On July 8th, David S. Patton pleads guilty to creating botnet software which was previously used by renowned spammer Alan Ralsky. This is merely the latest in a series of guilty pleas and sentences which followed the arrests of Ralsky and several of his cohorts in 2008.

August:

  • August 4th, The Canadian Press publishes what must be the first mainstream media story (i.e.: not specifically a technology blog or media entity) regarding the criminal nature of "Canadian Pharmacy", making specific mention of GlavMed.

    GlavMed.com - whose logo is a googly-eyed snake wrapped around a martini glass containing colourful pills - is registered under the name Pharmos Limited, with an address listed in Great Britain.

    The phone number provided offers no identification when called, and accepts voice mail; but no call was returned when a message was left. While the majority of the GlavMed site is in English, the frequently asked questions are in Russian.
  • On August 8th, Twitter, Facebook and many other social networking sites suffer a fairly large-scale DDOS attack from persons unknown.

    "On this otherwise happy Thursday morning, Twitter is the target of a denial of service attack," wrote Stone. "Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways, and in this case, Twitter for intended customers or users. We are defending against this attack now and will continue to update our status blog as we continue to defend and later investigate."
  • Also see this coverage from the Washington Post's Brian Krebs.
  • On August 10th, SiL's "winnings" total from Nigerian scammers hits $10 Billion USD.
  • August 17th: Jody Smith, the third individual previously charged in the shutdown of AffKing (responsible for huge, huge amounts of spam until their shuttering in October 2008) pleads guilty to the charges laid against him.

    Jody M. Smith, 30, of McKinney, Texas, has pleaded guilty in federal court here of conspiracy charges that said he helped manage an international business that sold counterfeit goods and illegal pharmaceuticals online in 2004-08.

    Officials said Friday that the business used spam e-mails to sell in eastern Missouri and elsewhere.

    Unfortunately he faces fines of only $250,000, but he also faces up to five years in federal prison. Sentencing is scheduled for October 23rd.
  • On August 19th, Harpo, Inc., Oprah Winfrey's production company, filed a trademark infringement suit against more than 50 online marketers of bogus dietary supplements such as "acai berry".

    Harpo, Inc. has filed this lawsuit to let consumers know that these internet marketers are willfully using the names of well-known figures to deceive the public. Neither Ms. Winfrey nor Dr. Oz has ever sponsored or endorsed any acai, resveratrol or dietary supplement product and cannot vouch for their safety or effectiveness. It is our intention to put an end to these companies’ false claims and increasingly deceptive practices.

    The marketing company behind this operation, known as FWM Laboratories, states that their affiliates are the problem, completely ignoring the fact that those affiliates are representing their products, which makes FWM legally liable.
  • August 27th, Real Host, based in Riga, Latvia, loses its upstream network connectivity due to rampant, relentless criminal activity taking place throughout its domains.

    Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious "rogue" antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site. "This is maybe one of the top European centers of crap," he said in an e-mail interview.

    "It was a cesspool of criminal activity," said Paul Ferguson a researcher with Trend Micro.

    Also see this excellent documentation. This follows in the line of other disconnections of online "bad actors" which started in October 2008.
  • In late August a mini-documentary entitled Stop H*Commerce is produced by computer security company McAfee. This documentary is a must-see for anyone intrigued by how a typical Nigerian scam operates, and how cyber criminal activity is perpetrated generally.

September:

  • On September 1st, SiL's "winnings" total from Nigerian scammers hits $11 Billion USD.
  • The ongoing "Zeus bot" phishing / malware attacks continue, this time under the guise of an IRS message claiming that the recipient has "underreported income" [source]. Brian Krebs continues to monitor and report on these attacks, and ties them to a very large scale money mule operation [source], as well as the theft of hundreds of thousands of dollars from the accounts of several small businesses and US School Districts. The spam barrage continues, and this has the effect of exposing numerous holes in the US business banking industry as well as the money wire industries (Western Union, etc.) [source]
  • Sept. 29th, a very comprehensive report is presented at the Virus Bulletin conference in Geneva, Switzerland, entitled The Partnerka - What Is It, And Why Should You Care? It discusses spamming as a popular cultural entity within Russia, its ties to Russian organized crime, and again names Glavmed as being directly responsible for the plethora of Canadian Pharmacy spam flooding the Internet.
  • September 29th: Petru Belbita, 25, and Cornel Tonita, 28, both of Romania, are extradited to the U.S. for their execution of a number of phishing attacks claiming to represent Citibank, Wells Fargo, eBay and a slew of others. Both face more than 30 years in prison.

October:

  • On October 19th, SiL's "winnings" total from Nigerian scammers hits $12 Billion USD.
  • Starting on October 28th and continuing throughout November, the InBoxRevenge forum becomes the target of a series of large-scale DDOS attacks by persons unknown. This has very little effect on the stable communication of its members, or on the communication of its members with media and tech contacts or law enforcement.
  • Also on October 28th - and very possibly linked to the above-mentioned attack against InBoxRevenge - several domains crucial to payment processing for Spamit and Glavmed are shut down, including spamdot.biz and spamdot.info. This is briefly mentioned in a sweeping report (dated Nov. 7th) on behalf of the Russian Association of Electronic Communication (RAEC) which draws a lot of the same conclusions numerous spam researchers have been arriving at for years:

    Experts estimate that the lion's share of spam market players have provided service for such pharmaceutical resources as Glavmed.com which sells counterfeit goods, including counterfeit Viagra. As of November 15, 2009, this affiliate programme tops the Spamhaus list (http://www.spamhaus.org/statistics/spammers.lasso) under the name Canadian Pharmacy (Glavmed.com), #1 spammer in the world.

    This does not stop or even appear to slow the onslaught of spam promoting the bogus "Canadian Pharmacy", but it certainly must have made some of their affiliate ranks lose considerable profits. Nobody at InBoxRevenge had anything whatsoever to do with the shutdown of any of these processing domains. (Though we wish we did.)
  • The Zeus / Zbot spam continues, claiming over numerous weeks to be on behalf of Gmail, Towernet / CapitalOne, "your email provider", the FDIC, Facebook and MySpace. Many media outlets report on this (not merely tech media) and most of the dozens of domains the criminals behind these attacks have registered end up being shut down quickly, often before the phishing spam is even received.
  • On October 30th, a California Judge awarded Facebook $700 Million in damages against Sanford Wallace (see original lawsuit entry in March.)

    In addition to the damages, Judge Jeremy Fogel of U.S. District Court in Northern California's San Jose division banned Wallace, and anyone affiliated with him, from accessing Facebook.

    Facebook acknowledged that it doesn't expect to get much money out of the bankrupt Wallace, but it said that he could end up behind bars.

November:

Let me just say that over the past three years, the month of November has seemed to be the key month of the year in which a large number of arrests, indictments, shutdowns and other negative impacts against the infrastructure of cybercriminals and spammers take place. This November was easily among the most active ever seen.

  • On Nov. 2nd, Shane Atkinson and Roland Smits, of the infamous AffKing / SanCash / GenBucks spamming affiliate program, are ordered by a New Zealand court to pay fines of $100,000 NZD and $50,000 NZD, respectively.
  • Nov. 6th, renowned network security organization FireEye investigate and subsequently take action to shut down the persistent Mega-D botnet, also known as Ozdok. Mega-D is widely known for sending some 30% or more of all spam worldwide. Their planning and execution of this shutdown is reported in numerous media outlets.
  • On November 9th, SiL's "winnings" total from Nigerian scammers hits $13 Billion USD. This is just shy of a year from the date he first started tabulating the amount.
  • Nov. 10th, four men are indicted by the U.S. Attorney's office for the Northern District of Georgia, in Atlanta, for their part in the theft in Nov. 2008 of $9 million USD via hacked ATM pay cards. They hail from Ukraine, Estonia and Romania. A fourth individual's identity and location remain unknown. Definitely also read coverage by Gar Warner and the Washington Post's Brian Krebs on this story. [Also see: USDOJ press release.]

    Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as "Hacker 3" were indicted by a federal grand jury in what's being described as "perhaps the most sophisticated and organized computer fraud attack ever conducted."

    The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack.
  • In further follow-up to the previous Mega-D botnet takeover, FireEye hands over control and monitoring of the "sinkhole" domains to renowned security research organization Shadowserver [source] who will continue to monitor and report on any further discoveries regarding this now-defunct spamming botnet. [See also this story.]
  • InBoxRevenge undergoes its third major SYN Flood attack during an additional 2 days in late November. Again this does absolutely nothing to stop that group from continuing to analyze and report on criminal spamming and other cybercriminal activity. Clearly somebody is upset, and only a few days later do we discover that it may have been due to the above-mentioned shutdowns of Spamit / GlavMed payment processing servers.
  • On Nov. 18th, after receiving and analyzing spam attempting to spread the Zeus or Zbot infection for many months [see above], Gar Warner coordinates with law enforcement and other agencies to strategically shut down what is known as the "Avalanche" phishing community. This is yet another major blow to online criminals who had been sending this type of criminal spam for at least six months in 2009, claiming to be on behalf of the IRS, Capital One, Facebook, MySpace and a variety of other organizations. Good riddance. Of course: a new infection campaign - known as Sasfis, which is far more widely detected - begins in its place...
  • On the same day (coincidence?) two individuals from Manchester, England are arrested for their part in the dissemination of the Zeus / Zbot infections. This is the first arrest of its kind, and begins to finally chip away at this widespread, internationally executed crime.
  • On Nov. 19th, numerous news sources quote a press release from the US Food and Drug Administration (FDA) which specifically calls out a large number of domain owners and operators representing what are deemed to be illegal pharmacy affiliate websites.

    The agency issued 22 warning letters to the operators of these Web sites and notified Internet service providers and domain name registrars that the Web sites were selling products in violation of U.S. law. In many cases, because of these violations, Internet service providers and domain name registrars may have grounds to terminate the Web sites and suspend the use of domain names.

    "The FDA works in close collaboration with our regulatory and law enforcement counterparts in the United States and throughout the world to protect the public," said FDA Commissioner Margaret A. Hamburg, M.D. "Many U.S. consumers are being misled in the hopes of saving money by purchasing prescription drugs over the Internet from illegal pharmacies. Unfortunately, these drugs are often counterfeit, contaminated, or unapproved products, or contain an inconsistent amount of the active ingredient. Taking these drugs can pose a danger to consumers."

    Shockingly, one specific affiliate program is singled out, known as Rx-commission.com, ignoring several of the other far more widely-promoted programs such as (duh) Spamit / Glavmed, promoters of the completely illegal "Canadian Pharmacy" set of websites. Still good news.
  • Also on Nov. 19th, in what appear to be a series of very welcome announcements, Interpol issues a press release outlining the widespread, large scale shutdown of numerous bogus pharmacy operations, including multiple arrests in several countries.

    An international week of action targeting the online sale of counterfeit and illicit medicines has resulted in a series of arrests and the seizure of thousands of potentially harmful medical products.

    In response to an ever-increasing number of websites supplying dangerous and illegal medicines, Operation Pangea II involving 24 countries was co-ordinated by INTERPOL and the World Health Organization's (WHO) International Medical Products Anti-Counterfeiting Taskforce (IMPACT) to highlight the dangers of buying medicines online.

    This affects more than mere spamming operations. This affects a large sector of the black market which sells these drugs, only part of which has to do with criminal spam operations. This is a huge win not just for cybercriminal investigators, but for unwitting consumers of these clearly very dangerous fake pharmaceutical products.
  • On Nov. 23rd, Alan Ralsky is sentenced to more than four years in prison for leading a large-scale criminal spamming operation and engaging in stock manipulation. This case has, of course, been discussed here many times.
    Ralsky, 64, from West Bloomfield, near Detroit, Michigan, was sentenced to 51 months while his son-in-law, Scott Bradley, 48, was imprisoned for 40 months over the same pump and dump stock fraud conspiracy involving thinly-traded stocks.

    Each pleaded guilty to wire fraud, money laundering and violations of the CAN-SPAM Act. Two other co-conspirators, who also confessed their involvement in the scam, were sentenced on Monday. Five others face a sentencing hearing later on Tuesday.

    From the US Dept. of Justice press release:

    "Today's sentencing sends a powerful message to spammers whose goal is to manipulate financial transactions and the stock market through illegal e-mail advertisements," said Assistant Attorney General Lanny A. Breuer. "People who use fraudulent e-mails to drive up stock prices and reap illicit profits will be prosecuted, and they will face significant prison time."

    Cases against the other co-conspirators were still pending...
  • ...Uuuuuntil November 24th. :)

    The remaining six co-conspirators were sentenced to anywhere from one day in prison (David Patton) to four and a half years in prison (Frank Tribble) for their part in assisting Ralsky with his ongoing fraudulent activities. They all face several years of supervised release following their sentences, and they each had to either forfeit hundreds of thousands of dollars, or were fined similar amounts.

    In total, all of the guilty parties forfeited $1,866,100.00 to the US government from their ill-gotten gains, and were fined a total of $10,500.00. On average they will serve roughly three years in federal prison (longest sentence: four and a half years for Frank Tribble, with Ralsky at 51 months and his son-in-law Scott Bradley at 40 months; shortest sentence: one day for David Patton).

    It's also notable that four of the accomplices were given additional prison time and supervised release for what the court termed "committing a substantive violation of the CAN-SPAM Act". This is the first time the CAN-SPAM Act itself has been brought to bear at sentencing, and the first court precedent for this particular violation. Certainly a step in the right direction.

    Good riddance.
  • On Nov. 26th, a press release states that police in Germany and Austria shut down a fairly major credit card theft operation:

    In raids throughout Germany and Austria, police closed down a web gang which stole private credit-card data and used viruses to create a network of 100,000 robot computers, Germany's Federal Crime Office said Wednesday.

    In Germany, three persons were detained during the Tuesday raids on 46 homes. One was held in Austria. Many computers were seized.

    This is not necessarily related to spam (and in SiL's opinion, spam is really just one of many outlets of the type of crime he and others investigate and report on) but it's still a very significant series of arrests.
  • On November 27th, in what appears to be a later-than-usual discovery, numerous news outlets - notably several Russian outlets - declare Glavmed (aka: Spamit) to be the #1 criminal spamming operation in the world. The Russian Association of Electronic Communication (RAEC) states the following:

    Experts estimate that the lion's share of spam market players have provided service for such pharmaceutical resources as Glavmed.com which sells counterfeit goods, including counterfeit Viagra. As of November 15, 2009, this affiliate programme tops Spamhaus list under the name of Canadian Pharmacy (Glavmed.com), #1 spammer in the world.

    With regard to the trans-frontier nature of cyber-crime RAEC urges the international community to synchronize activities aimed at spam prevention. The clampdown on spam in the Russian Internet (RuNet) will most likely result in spammers moving their servers to other countries. This assumption is confirmed by the fact that SPAMDOT.BIZ (Glavmed.com) has physically moved its server to Germany (spamdot.INFO, spamdot.ORG) after it was closed down in Russia.

    As it happens, the shutdown of Spamdot.biz, a recruiting site for Spamit, occurred on October 28th, the same day as the first of a series of large-scale attacks against the InBoxRevenge forum. (Coincidence?) A Google Translation is available here. Of course, Glavmed's only response is to deny, deny, deny, despite the fact that they openly promote the widely-spammed "Canadian Pharmacy" brand of illegal online pharmacy, and have never hired pharmacists to fulfill the prescription drugs they illegally export to the US and other non-Russian countries.
  • On Nov. 30th, things get worse for the AffKing / SanCash / Genbucks spammers when Lance and Shane Atkinson are ordered to pay $15.15 million USD by the US Federal Trade Commission (FTC). This is nearly a year to the day after their extremely high-volume spam operation was shut down as a result of several restraining orders.

    A U.S. district court last fall ordered an asset freeze and a halt to the spam gang's operation, which was responsible for sending potentially billions of illegal spam messages, and has accounted for more than three million complaints.

    The court has since issued a default judgment against Atkinson, his company, and three companies affiliated with Smith. In addition to the $15.15 million that Atkinson and his company have been ordered to pay, the three companies affiliated with Smith are liable for $3.77 million. All five defendants are prohibited from making unlawful claims about male enhancement products, hoodia products, and any dietary supplement, food, drug, or service purported to provide health-related benefits; from misrepresenting that they can lawfully sell prescription drugs or pharmacy services over the Internet; from misrepresenting the data security measures they provide on their Web sites; and from violating the CAN-SPAM Act.
December:
  • On Dec. 4th, SiL's "winnings" total from Nigerian scammers hits $14 Billion USD.
  • Dec. 9th, following several weeks of inbound spam asking the question "Is Working Online At Home The New Gold Rush?" and linking to a variety of sites implying that Google was somehow promoting some type of pyramid scheme (Original story, documenting hundreds of abused links and third-party properties), Gar Warner reports that Google had finally had enough and was filing suit against "Pacific Webworks", the company behind the scam. [He cites the Sophos blog, but a few other sources also reported it.] Much more information on the company and their scam available here.
  • Also on Dec. 9th, Project Honey Pot, an initiative that tracks the IP addresses of bots harvesting e-mail addresses from public websites and the spam those harvested addresses subsequently receive, received its billionth spam message.
    The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India (122.167.68.1). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (74.53.249.34) that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.
    The report lists a variety of statistics regarding how much time it takes from harvesting to receipt of spam, and generally describes which botnets are involved, and which properties they spam.
  • On December 10th, news outlets report that one Pavel Valkovitch has pleaded guilty to solicitation to commit murder for trying to have an informant killed. Valkovitch was arrested in 2008 on bank fraud charges, essentially for stealing people's money via a variety of PayPal accounts. He will be sentenced in Feb. 2010. [See also the Wired Threat Level story.]
  • On or around December 11th, a notice is sent from the China Internet Network Information Center (CNNIC), China's regulator of domain name registrations, informing registrars that they must not allow domains to be registered using fake contact information, and must take steps to purge their systems of any offending domain names. This should seem obvious to any legitimate person registering any domain name, but this sets a very strong precedent for Chinese registrars who for many years have been abused by spammers and their cohorts who register thousands of domains using arguably fake contact info. Gar Warner's blog also has some very in-depth analysis, calling out two very common offenders: Xin Net and Namerich.cn. This should prove to be a very big hit to the profits of spammers from any major criminal affiliate group, notably Bulker.biz and Spamit.
  • In a surprising but very much welcome development, on Dec. 11th, domain registrar GoDaddy changes its terms of service to specifically disallow domain registration for any site which sells pharmaceutical products without a prescription. This leads to many angry postings from individuals who operate such websites within the US, apparently unaware that this has always been of questionable legality in the first place. In 2008, GoDaddy also changed its terms of service to disallow similar registrations related to the sale of anabolic steroids, causing similar angry responses.
  • On Dec. 17th, in an intriguing report, Symantec reports that 2010 could be the year we see our first autonomous, intelligent botnet [pdf], claiming that the earlier shutdowns of badware hosting companies McColo and Real Host did little to stave off this progression.
    As we move into 2010, it is expected that botnets will become more autonomous or artificially intelligent, perhaps even exhibiting the characteristics of swarm intelligence, where each compromised computer will have built-in self-sufficient coding in order to coordinate and extend its own survival. This will mean the botnet controllers will have more time to focus on driving the bots use in spamming and other criminal activities, rather than dedicate resources to extending the lifecycle of the botnet.
    In general this makes for interesting reading, and makes clear that despite a year full of successes, there are still some major threats to take care of in 2010.
  • On Dec. 22nd, Lance Atkinson is fined $210,000.00 AUD ($184,239.93 USD) and ordered to refrain from any spam-related activity for seven years:
    ...Justice Andrew Greenwood agreed with the proposed penalty, adding a seven year injunction from sending spam and ordering Atkinson not to knowingly associate with any person involved in sending spam.

    In his judgment, Justice Greenwood labelled the spam as "annoying and irritating".

    He forgot to add "potentially lethal", since many dangerous particles were found in sample orders shipped from the manufacturers of these pills in India. By any measure this fine is far from a deterrent. Atkinson and his cohorts probably made that much inside of half a day. Also see this TimesOnline article.
  • On Dec. 29th, in what appears to be a rather sudden move, Brian Krebs leaves the Washington Post to begin his own security blog, krebsonsecurity.com. For the past three years Krebs has been instrumental in exposing bad actors involved in cybercriminal activity, and in assisting ISPs and law enforcement in tracking down and prosecuting them.

2009 would appear to have been an incredibly bad year to be in the scamming business, even if in previous years these criminals "got away" with their crimes originally. As you may have noticed over the past year, this blog has become less concerned specifically with spamming and more concerned with what spamming is a part of: organized criminal activity which puts the public at risk, no matter which country the perpetrators live in.

Legal action may be slow, but when it all comes together, we end up with a year much like 2009. This is extremely good news. Here's hoping 2010 shows even more progress, especially against the largely Chinese, Eastern European and Russian operatives behind the flood of illegal spam, promoting criminal organizations and the "products" they continue to try to foist upon us.

Happy Holidays everyone. Stay safe!

SiL / IKS / concerned citizen

Tuesday, December 8, 2009

Merry Nigerian Christmas.

A friend of mine came up with a great (and seasonal) way to illustrate to the average non-tech person why Nigerian scams are so easy to spot, which could help them stay away in droves.

I'll use an example I just received.

From: "John Mensah" <jchaka51@gmail.com>
Subject: Genuine Investment Proposal
To: undisclosed-recipients:;

Dear Sir,

My name is John Mensah from Ghana. I represent a group of a Government Certified Local Gold Dust Miner in Ghana. We have just concluded gold dust deals with foreign gold trading companies in Ghana and realised some funds out of the deals. The funds are now kept in security companies in Ghana and Cote D'Ivoire respectively. We would want to invest the funds outside Africa and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.

Yours faithfully,
John Mensah

Now let's switch the identity:

From: "Santa Claus" <santaclaus@gmail.com>
Subject: Genuine Investment Proposal
To: undisclosed-recipients:;

Dear Sir,

My name is Santa Claus from The North Pole. I represent a group of a Gift-Making Elves in The North Pole. We have just concluded manufacturing of toys in The North Pole and are ready to begin distribution. The toys are now kept in safe places in The North Pole and my sleigh respectively. We would want to distribute the toys outside The North Pole and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.

Yours faithfully,
Santa Claus

Even if you don't celebrate Christmas, you know that Santa Claus doesn't "need assistance" in providing toys that he freely distributes to children around the world. He just does it. So why would you need to send him anything? (Well: aside from a Christmas list I mean...)

More importantly, assuming you responded to this criminal, he'd immediately come up with some story that you somehow needed to send him a "fee" to begin with your "assistance."

The same is true of our "John Mensah", and unfortunately just like Santa Claus, he doesn't exist.

This holiday season, remind your loved ones not to participate in Nigerian scams. Many, many people still fall for these. An analogy like this one might make it much clearer how to spot these scams.
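The Santa swap above works because the scam is a template: change the name and the story and every structural tell survives. The following scorer is an added example, not code from this post or from any of the researchers named on this page. It parses the two messages quoted above (the Mensah original and the Santa version) plus a constructed benign control, and scores the structural features rather than the identity: a hidden recipient list (an empty RFC 5322 group such as `undisclosed-recipients:;`), a free-webmail sender, a display name unrelated to the mailbox, a generic "Dear Sir" salutation, and the stock advance-fee vocabulary. The weights, the phrase list and the threshold are illustrative assumptions, not tuned on real mail.

```python
"""Heuristic scorer for advance-fee ("419") solicitations.

Added example, not part of the original post. The first two messages are
the ones quoted in the post; the third is a constructed benign control.
Weights, phrase list and threshold are illustrative assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a small illustrative list of free webmail providers.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Assumption: vocabulary that recurs in advance-fee templates regardless of
# the identity or the "asset" (gold dust, toys, an inheritance...).
TEMPLATE_PHRASES = [
    r"\binvestment proposal\b",
    r"\bfunds?\b",
    r"\brespond immediately\b",
    r"\bassist (?:us|me)\b",
    r"\bhandle the transaction\b",
    r"\b(?:security|safe) (?:compan(?:y|ies)|places?)\b",
]

EMPTY_GROUP = re.compile(r"\s*[^<@:]*:\s*;\s*")  # RFC 5322 group with no members


def score_message(raw: str):
    """Return (score, reasons) for a message given as raw RFC 5322 text."""
    msg = message_from_string(raw)  # compat32: headers come back as plain strings
    score, reasons = 0, []

    # 1. Bulk blind send: no visible recipient at all.
    to = msg.get("To", "")
    if not to.strip() or EMPTY_GROUP.fullmatch(to):
        score += 2
        reasons.append("recipient list hidden")

    # 2. Sender: a free webmail account claiming to speak for an organisation,
    #    and a display name with no relation to the mailbox local part.
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.partition("@")
    if domain.lower() in FREEMAIL:
        score += 1
        reasons.append("free webmail sender")
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 2]
    if tokens and not any(t in local.lower() for t in tokens):
        score += 1
        reasons.append("display name unrelated to mailbox")

    # 3. Body: generic salutation plus the template vocabulary.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    body = msg.get_payload().lower()
    if re.match(r"\s*dear (?:sir|madam|friend|beneficiary)\b", body):
        score += 1
        reasons.append("generic salutation")
    hits = [p for p in TEMPLATE_PHRASES if re.search(p, text)]
    if hits:
        score += min(len(hits), 3)
        reasons.append("stock advance-fee phrasing")
    return score, reasons


def is_advance_fee(raw: str, threshold: int = 5) -> bool:
    """Assumption: a score of 5 or more is treated as a solicitation."""
    return score_message(raw)[0] >= threshold


# The two messages quoted in the post.
SAMPLE_MENSAH = """\
From: "John Mensah" <jchaka51@gmail.com>
Subject: Genuine Investment Proposal
To: undisclosed-recipients:;

Dear Sir,

My name is John Mensah from Ghana. I represent a group of a Government Certified Local Gold Dust Miner in Ghana. We have just concluded gold dust deals with foreign gold trading companies in Ghana and realised some funds out of the deals. The funds are now kept in security companies in Ghana and Cote D'Ivoire respectively. We would want to invest the funds outside Africa and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.

Yours faithfully,
John Mensah
"""

SAMPLE_SANTA = """\
From: "Santa Claus" <santaclaus@gmail.com>
Subject: Genuine Investment Proposal
To: undisclosed-recipients:;

Dear Sir,

My name is Santa Claus from The North Pole. I represent a group of a Gift-Making Elves in The North Pole. We have just concluded manufacturing of toys in The North Pole and are ready to begin distribution. The toys are now kept in safe places in The North Pole and my sleigh respectively. We would want to distribute the toys outside The North Pole and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.

Yours faithfully,
Santa Claus
"""

# Constructed benign control (not from the post).
SAMPLE_BENIGN = """\
From: "Alice Example" <alice@example.org>
Subject: Lunch on Thursday?
To: bob@example.org

Hi Bob,

Are you free for lunch on Thursday? Let me know.

Alice
"""

if __name__ == "__main__":
    for label, raw in (("Mensah", SAMPLE_MENSAH), ("Santa", SAMPLE_SANTA), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw), "flagged" if is_advance_fee(raw) else "ok")
```

Every structural reason raised against the Santa version is also raised against the Mensah original; the only difference is that "Santa Claus" happens to match the `santaclaus` mailbox while "John Mensah" has nothing to do with `jchaka51`. Swapping the identity does not touch the template, which is exactly the point of the analogy.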

SiL / IKS / concerned citizen

[Edited Dec. 17th for stupid spelling error. Apologies to Mr. Claus and wife...]