Friday, December 31, 2010

2010 Year End Wrap-up: Year Of The Botnet

While the previous two years saw several high-profile investigations, arrests, trials and convictions of very well-known spammers and their supporters, 2010, from the very start, was shaping up as a year in which international focus turned to botnets, cyber attacks, cyber crime, and theft carried out through malware infections of Windows machines. For the first time we saw mainstream news organizations running stories about international criminal activity conducted via computers and rogue networks, and for the first time some of these stories landed on the front page of newspapers like the Wall Street Journal and the New York Times. This is a distinct shift from previous years, when this type of story was relegated to tech news outlets and discussed and understood only by tech professionals. This is, I must say, a very good sign, because the real target of cybercriminal activity is the rest of the public, who are generally not that tech-savvy.

This year also saw several very highly publicized "takedowns" of well-known botnets, notably Lethic, Waledac, Bredolab, and Mega-D. Not all of these shutdowns were 100% successful, but the volume of coordinated effort aimed at the command-and-control servers of specific botnets is a welcome development, and hopefully will lead to firmer action by law enforcement and security researchers around the world. In one particularly interesting case, a number of criminal botnets built on the Zeus crimeware kit were shut down and several of their operators were arrested, pending sentencing as of this writing. This didn't always immediately result in a slowing of criminal activity related to these botnets, and in many cases it didn't appear to have any noticeable effect on the volume of spam received by ordinary email users. That is to be expected: a takedown removes the control servers, not the infected machines, and an operator who still holds the kit can rebuild on new infrastructure. It was still a very notable development in the fight against online criminal activity.

2010 was also the first year in which we saw a major international incident caused by a malware infection: Stuxnet, which affected Iran's nuclear program. This was a major story and continues to be a genuine concern with regard to international diplomacy and overall relations in the Middle East. Later still, the now-infamous Wikileaks "Cablegate" releases to the media further compromised international diplomacy, as thousands upon thousands of classified US embassy cables from embassies around the world make their way, bit by bit, into the mainstream media. This is an unprecedented event and should continue to be the source of further interesting developments in the years to come.

In more specifically spam-related areas we saw major media casually refer to operations such as Spamit or Glavmed, identifying them (correctly) as among the most egregious high-volume criminal spam operations in the world. Even better: a lot of media and law enforcement attention was paid specifically to Spamit and Glavmed, resulting in Spamit closing up shop due to receiving too much heat. That was a development I wasn't expecting to happen so quickly, and it's an indication that the days of criminally operated pharmacy affiliate programs may finally be coming to an end.

So here we go. Start the popcorn maker...

Jan. | Feb. | Mar. | Apr. | May | Jun. | Jul. | Aug. | Sep. | Oct. | Nov. | Dec.

January:

  • SiL begins 2010 having "won" or "inherited" $15 Billion USD from a 14-month flood of Nigerian scam messages. Within the month of January, SiL "wins" or "inherits" an additional $5 Billion USD, due to a sudden increase in this type of spam.
  • Jan. 4th, in a follow-up to an article he wrote in December 2009, Knujon's Garth Bruen writes about the large number of illicit hosting providers tied to the online fake / illicit pharmacy trade. The article comes under fire from many US-based ISPs, but makes some salient points, focusing on the violation of intellectual property rights by pill spammers.
  • On Jan. 11th, security investigative firm M86 coordinated with several ISPs and registrars to take down the "Lethic" botnet, responsible by their estimate for some 8 - 10% of all spam worldwide. From their research it seems very clear this spambot was dedicated to mailing on behalf of the Spamit and Glavmed criminal online pharmacies ("Canadian Pharmacy", "Canadian Healthcare", etc.).
  • On Jan. 11th, the Dallas office of the FBI publishes a press release detailing a new indictment against 19 individuals for participating in a massive cybercrime conspiracy. [Original press release available here.] Four of the defendants - including the two primary individuals originally investigated back in April, 2009 (Michael and Chastity Faulkner) are alleged to have fled the United States to avoid prosecution. If convicted of conspiracy, the defendants face a maximum sentence of 30 years in prison and a $1 million fine. [Also see this coverage.]
  • On Jan. 12th, in what is considered a bold statement internationally, Google announces on its official blog that it has decided to stop censoring search results on Google.cn after coming under a series of targeted attacks, allegedly originating from China.

    ...we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

    and later:

    These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

    This announcement makes the front page of the New York Times among numerous other international newspapers, not merely tech news outlets.
  • On Jan. 15th, Cornel Ionut Tonita of Galati, Romania pleaded guilty to criminal phishing of bank credentials and faces up to five years in prison for his involvement in the criminal act. Also charged were two other Romanians: Petru Belbita and Ovidiu-Ionut Nicola-Roman, who was the first Romanian suspect convicted in the US for this activity. The phishing operation purported to represent Citibank, Wells Fargo and eBay. Sentencing for Tonita takes place on April 5th.
  • In a series of very public defacements, a group calling itself the "Iranian Cyber Army" hijacks Baidu.com on Jan. 12th, following their similar takeover of Twitter.com in December 2009. In both cases the domains' DNS records were changed to point at a server under the group's control, which served a page announcing the takeover; the sites' own servers did not need to be compromised for the redirect to work. [See coverage here and here.]
  • On Jan. 28th, Jody M. Smith is sentenced to a year plus one day in federal prison for his part in assisting the notorious AffKing / SanCash / Genbucks affiliate program, known for spamming all manner of fake "male enhancement" pills from 2004 until their court-ordered shutdown in 2008.
  • Brian Krebs, on his fantastic Krebs On Security blog, continues to hear from more and more victims of theft involving the use of the Zeus infection. This continues a very long-running series of stories (going back at least a full year) documenting the losses suffered by a litany of companies, schools, and other organizations.
  • Microsoft and Adobe, starting in January and continuing throughout 2010, issue a larger-than-average number of emergency (out-of-band) patches for their products to address a rash of newly discovered vulnerabilities being exploited in the wild. In three months they issue as many emergency fixes as they did in all of 2008.

February:

  • On Feb. 8th, numerous news outlets report that the Chinese police have shut down a major hacker training site known as "Black Hawk Safety Net".

    The tally is: three people arrested; nine Web servers, five computers and one car confiscated; $249,000 in assets frozen.

    According to China Daily, the website was run from the Hubei province in Central China, and offered attacking programs and malicious software to its subscribers.

    In theory this could represent some heavy damage to the Chinese hacker community.

    See also this coverage from the Wall Street Journal.
  • On Feb. 17th, CNN airs a multi-hour program which attempts to simulate the US government's reaction to a cyber attack. This results in a series of stories outlining the US's lack of preparedness for such an eventuality. [See one such story here.]
  • Also on Feb. 17th, security organization M86 report that despite a very highly-publicized shutdown last year, the Mega-D botnet is still sending very large amounts of spam.
  • On Feb. 22nd, a Reuters story reports that US government analysts have pinpointed the Chinese developer of the malware used in the attack against Google.
    U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.

    The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was "working on," the paper said, quoting an unidentified researcher working for the U.S. government.
  • On Feb. 25th, Microsoft posts a story on their security blog detailing their shutdown of the command and control servers for the Waledac botnet. [See also this coverage and this story from the Wall Street Journal.] The project to get the botnet shut down is known internally as "Operation b49". On March 16th, it is independently confirmed that the Waledac botnet had ceased operation.
  • In late February, much of the massive flood of Zeus bot-related spam messages purporting to be from any number of financial or other institutions drops completely out of circulation. This had been slowing by Feb. 22nd, but by the 27th it drops to zero for the first time since June 2009.

March:

  • Further ratcheting up international criticism, on March 2nd the US government considers lodging a complaint with no less than the World Trade Organization (WTO) claiming that China's censorship requirements are an unfair barrier to trade. This is specifically in relation to the requirement that Google.cn must censor any potentially sensitive search terms in order to operate within China.
  • On Mar. 2nd, capping a multi-year investigation and year-long trial preparation, convicted and completely unrepentant stock spammer and all-around fraud artist Alan Ralsky reports to the Federal Correctional Institution in Morgantown, West Virginia, to begin his four-year sentence. You can see his prison listing here. His release date is scheduled for November 11th, 2013.
  • On Mar. 10th, with very little explanation to go on, it is reported that dozens of Zeus botnets are knocked offline.

    In an online chat conversation with Krebs on Security, [Zeus researcher Roman] Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.
  • By March 10th, SiL's "winnings" pass the $32 Billion USD mark. That's past double what he started the year with. On average he receives from 40 to 60 of these messages every day, resulting in accumulated "winnings" of $1 Billion USD every two days or so. Who needs a stimulus package? Let's just rely on these Nigerians to pay for everything.
  • On March 10th, it is confirmed that two rogue ISPs were shuttered:
    Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.

    The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks.
    Troyak and Group 3 join McColo and 3fn / Pricewert in the dustbin of rogue ISPs. Yet another blow to criminal botnet operators.

    (Note that there are multiple Zeus botnets, not just one. Any vetted criminal can buy the code to start their own. This was still a very heavy blow to a large number of criminal operators.) [More great coverage by Brian Krebs]
  • March 11th: another shoe drops and another of the co-conspirators in the infamous TJX hacking case is sentenced to 46 months in prison.
    Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

    Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.
    So far, March 2010 looks like one of the worst months in history for cyber criminal operatives. Good to see.
  • On March 11th, a securities attorney, ironically named David B. Stocker, pleaded guilty and was sentenced to two and three-quarter years for his participation in yet another stock spamming and market manipulation scheme. (His mailer was one Justin Medlin, previously unknown to me.) This makes the third straight year we've seen charges, arrests, trials, convictions and actual prison time for this type of crime. You would have to be an outright imbecile to engage in stock spamming.
  • On March 23rd, the FBI's Steven R. Chabinsky gave a Major Executive Speech entitled The Cyber Threat: Who's Doing What to Whom? In it he outlined the very real threat that online crime poses to ordinary citizens but also to governments and businesses.

April:

  • On April 5th, in their highest-profile leak to date, Wikileaks post a classified US military video to their website and numerous other locations [YouTube Link] which depicts a US Apache helicopter firing on over a dozen people, most of them non-military personnel, including journalists, and in which two children were wounded. This is a very serious leak and sets the stage for far bigger leaks which begin to appear in late 2010. [Further coverage: Collateral Murder Website]
  • On April 17th, National Defense magazine publishes a report on the current status of the threat of online criminal activity. The author quotes liberally from well-known online crime researcher Gar Warner, but it has some interesting insights about the risks and dangers if this activity is allowed to continue.

May:

  • In what may have been a first, M86 actually names "Spamit" (as opposed to "Glavmed") as the subject of one of several spam messages they witness being sent by a new botnet which resembles the Storm botnet. [source]
  • On May 3rd Knujon's Garth Bruen writes a great article entitled When Registrars Look the Other Way, Drug-Dealers Get Paid. The article outlined the key process that supports non-compliant spamming: lazy and non-compliant registrars, and a slow, ineffective ICANN. As a bonus he specifies Bulker.biz / Eva Pharmacy as an especially bothersome spammer affiliate program. This is the first of what would become several blog postings and online magazine articles drawing attention to this rampant problem with so-called "bullet-proof" domain registrars.
  • In what would become a high-water mark for the exposition of the Russian online crime economy, on May 18th Brian Krebs publishes a landmark article regarding several Russian individuals and their involvement with spamming and illicit payment processor Chronopay, sourced from several Russian media articles.
    In an open letter to investigators at the Ministry of Internal Affairs (MVD) of the Russian Federation, Ilya V. Ponomarev, a deputy of the Russian State Duma's Hi-Tech Development Subcommittee, in March called for a criminal inquiry into the activities of one Pavel Vrublevsky, an individual I interviewed last year in an investigative report on rogue security software (a translated PDF version of Ponomarev's letter is here).

    This leads to a lot of open discussion spanning several months on both Russian and English forums related to online security and cybercrime research.
  • On May 19th, the FTC obtains a final judgment against notorious rogue ISP 3FN (a.k.a. Triple Fiber Network or "Pricewert"), which had been taken offline under a court order in June 2009 for providing hosting and other infrastructure to several varieties of online criminal activity. The judgment orders its assets sold and its ill-gotten gains disgorged.
    The Federal Trade Commission today got a judge to effectively kill off the Internet Service Provider 3FN who the agency said specialized in spam, porn, botnets, phishing and all manner of malicious Web content.

    The ISP's computer servers and other assets have been seized and will be sold by a court and the operation has been ordered to give back $1.08 million to the FTC.

    This caused some sizable financial damage to several criminal elements who profited from these servers' continued availability and marked a small success for law enforcement against some really scummy spammers.

June:

  • On June 10th, Wired Magazine's Threat Level blog publishes an article [source] in which two of their journalists recount their contact with Adrian Lamo, a hacker who had communicated via a series of chats with Private Bradley Manning. Manning allegedly downloaded thousands of classified cables and handed them over to WikiLeaks over a lengthy period of time.
  • On June 20th, Igor Gusev, the alleged owner and operator of the notorious Spamit.com affiliate program files a defamation lawsuit against representatives and editors of the Russian "Newsweek" magazine over an article they published in Dec. 2009 entitled "The Evil (Cyber) Empire: Inside the world of Russian hackers." The article, which has since been amended, referred directly to Igor Gusev by name, calling him "one of the world's leading spammers".
  • On June 21st, Knujon posts a report [full report pdf] which directly names Demand Media and their domain registration unit eNom "as a major facilitator of Internet drug crime."
  • On June 28th, the FTC shut down a massive online fraud ring which used spam messages, money mules and stolen credit card data to swindle cardholders out of an alleged $10 million USD over many years using "micro transactions" that were funneled through several shell companies without the cardholders ever noticing. [FTC press release here, Wired Threat Level article here.]

July:

  • On July 8th, an anonymous person using the name "Obivan" posts a comment on a story by Brian Krebs regarding a hack on the Pirate Bay website. The comment announces that the Russia-based payment processing company "Chronopay" has been under a sustained online attack, and that a great deal of data has been lost. At about the same time, numerous anonymous bloggers begin posting several large-scale leaks of insider information regarding the payment processing company "Chronopay", totaling several gigabytes in size.

August:

  • Aug. 3rd: LegitScript, a website which reports on criminal or rogue online pharmacies, publishes a story exposing a hack of a US government website which was used to promote yet another Spamit site via "blackhat SEO" (a.k.a. search engine spamming). [source] Compromising public-sector servers for this purpose is not new, but a hack against a US government website by these same Russian criminals highlights how rampant this activity has become.
  • On August 9th, one of the previously-mentioned Chronopay leak sources, operating under the name "Chronoplay", publishes a comment on porn forum "gfy.com" which reveals that long-time spammer Leo Kuvayev (operator of the original BadCow and later Mailien spam affiliate programs) has been arrested in Russia on 50 counts of juvenile rape. The arrest apparently took place earlier in 2010. Unfortunately the comment and any of Chronoplay's blogs are all offline as of this writing, but the arrest has been confirmed from several sources including Russian law enforcement. [Brian Krebs coverage here.]
  • Russian credit card thief Vladislav Anatolievich Horohorin (a.k.a.: "BadB") was arrested by French authorities on August 12th and charged with the illegal sale of thousands of stolen credit card numbers, known as "dumps".
    Horohorin, in an April 2009 advertisement of his services, said he had been selling "dumps" — compromised credit and debit card numbers — through websites such as the now-closed Cardplanet.com for about eight years.

    Horohorin is charged with access device fraud and aggravated identity theft. He faces a maximum penalty of 10 years in prison and a US$250,000 fine on the count of access device fraud and two years in prison and a fine of up to $250,000 for aggravated identity theft.

    [Dept. of Justice press release here.]
  • On August 25th, ICANN begins an investigation into the operations of domain registrar eNom. [source] This follows a report by HostExploit entitled Demand Media / eNom Report - CyberCrime USA which concludes that 51.5% of all domains that eNom approved were detected in spam traps, and that eNom was considered the #1 rogue domain registrar on the Internet. eNom had been the subject of numerous complaints for many months by security researchers and many members of the team at InBoxRevenge, and was also mentioned in the aforementioned scathing report in June by Knujon.
  • On August 26th, Andrew J. Klein, the White House Senior Adviser for Intellectual Property Enforcement, invited representatives of several domain registrars to attend a three-hour meeting in September to talk about cracking down on criminally-operated rogue online pharmacies. [Brian Krebs coverage here.] This appears to be related to Knujon's previous coverage of domain registrar eNom and their lack of action against several million domain names registered for the purpose of spamming numerous criminal pharmacy websites.

September:

  • On Sep. 21st, following many months of reporting of illicit domain registrations by registrar eNom (see above), LegitScript joins forces with eNom to assist them in identifying the individuals behind the plethora of rogue, fake or otherwise non-compliant domain registrations by predominantly Russian online pharmacy affiliate programs.
  • On Sept. 23rd, numerous media outlets report that computers at Iran's delayed Bushehr nuclear power plant were infected with the Stuxnet worm, a piece of malware first identified by antivirus researchers in June 2010. This story brings to the forefront a scenario which was previously the stuff of movies: that a piece of malware could be used to affect real-world physical infrastructure. Stuxnet is said at the time to be a very complex piece of malware, likely written by several very senior developers and other operatives. This is considered a very serious international incident and finger-pointing ensues, largely blaming the Israeli government for the infection. [More coverage: Switched.com, Wired Threat Level]
  • In a completely unsurprising turn of events, the majority of domains for spammed criminal online pharmacies are now registered via Russian domain registrars.
  • October comes one day early in the arrests and convictions department: on Sep. 30th, 19 individuals of Eastern-European origin are arrested in London on fraud charges related to their long-term Zeus botnet activities.
    He and his team targeted hundreds of victims who had weak security on their computers and accessed their user names and passwords despite tight security systems put in place by the banks on their internet sites.

    Police were alerted by high street banks who were alarmed by a sudden surge in fraud.

    Investigators from Scotland Yard's e-Crime Unit discovered that the gang were hitting vulnerable computers using software which is described in the industry as a 'Trojan horse' because it infiltrates the computer without the user realising.

    London was only the first of many places where arrests related to this action were made. Most notably in the US, more than 60 people were charged for engaging in identical behavior and operating Zeus botnets.

    This story received very wide coverage, and not only via tech or security news sites or blogs.

October:
Last year I mentioned that November is usually a very high-volume month for announcements of indictments, arrests, convictions and other legal actions against spammers and those who help them. I want to amend that this year to say that it's actually more like October through November. 2010 was especially fruitful during the month of October. This was another landmark year for legal action against numerous criminal entities related not only to spamming (of any sort, not merely email spamming) but to any kind of online criminality, from botnet operation, to the running of large-scale criminal pharmacy affiliate programs, to money mules, to you name it. As you can see from the story mentioned above, we got a head start this year as well.

  • On Oct. 8th the US Food and Drug Administration (FDA) posts a warning letter specifically naming RX-Promo as an affiliate program which violates numerous FDA regulations and several US laws by selling illicit, fake versions of numerous pharmaceutical products. RX-Promo are a very active spamming affiliate program known to sell fake or dangerous pills online, promoted solely via spamming of one sort or another.
  • On Oct. 21st, James Bragg, a former assistant in Al Ralsky's pump-and-dump spamming operation, who had already served six months in prison for his part in that organized fraud, pleaded guilty to charges of securities fraud and fraud related to new pump-and-dump activity since that arrest. He faces five years in prison and a $500,000 fine. Once a fraudster, always a fraudster...
  • On Oct. 25th, it is reported in the Dutch news media that the Dutch police's High Tech Crime unit had shut down 143 servers which were part of the Bredolab botnet. One day later, F-Secure reported that the police were using the seized command-and-control infrastructure to push a notice to infected machines, directing their users to a help page describing how to remove the infection. Later on the 26th, it was announced that a 27-year-old Armenian citizen had been arrested in connection with the operation of Bredolab, among other crimes.
  • On Oct. 27th, the New York Times run a story which delves into the workings of Russian email pharmacy spam, specifically naming Spamit and its alleged operator Igor Gusev.
  • Oct. 29th, Igor Gusev makes a statement to the press that he is not a spammer, and has never spammed. This is in response to allegations by the Russian Association of Electronic Commerce [RAEC] and to a Russian criminal investigation alleging that Gusev has been the operator of the most widely-renowned pharmacy spam affiliate program, Spamit, since at least 2006. Gusev claims this is a smear campaign on behalf of Chronopay's director, Pavel Vrublevsky. Chronopay is Russia's largest online payment processing company. The same day it is reported that Russian police raided Gusev's properties in relation to these charges.
  • On Oct. 30th, Igor Gusev begins writing a blog entitled RedEye Blog (in Russian and English) in which he exposes the inner workings of Chronopay, his business relationship with Pavel Vrublevsky and other interesting items.

November:

  • On Nov. 1st, SiL posts his final update to the running tally of his Nigerian scam "winnings", having hit the $100 Billion USD mark several months ahead of schedule. At the time of that final update, SiL was averaging nearly $1 Billion USD of winnings or inheritances every day of the year. The sheer volume of Nigerian scam spam messages is at its highest point since SiL began tracking, often resulting in several hundreds of messages every day to just one of the accounts he monitors.
  • On Nov. 11th, as the Igor Gusev story continues to unfold, the RAEC hold a press conference in which they claimed they would expose Igor Gusev as "the largest spammer in the world". [Blog posting here, English translation here.] As previously mentioned, Gusev is alleged to be the operator of renowned criminal spamming affiliate program Spamit, and sister site Glavmed.
    Gusev, in this case, is called a man who stands behind the well-known pharmaceutical affiliate program "GlavMed". A year ago, RAEC, declaring war on pharmaceutical spammers, used this particular resource as an example, associating it with the brand Canadian Pharmacy, which Spamhaus lists as ranked first by volume of the world's spam.
  • On Nov. 26th, The UK's Metropolitan Police Central eCrime Unit (PCeU) arrest two 18 year olds (Nicholas Webber and Ryan Thomas) for engaging in widespread credit card theft totalling some £12 million (~$18.6 million USD). [Gar Warner coverage here.] Sentencing, which is expected to be very severe, has been adjourned until Feb. 28th, 2011.
  • In what would become one of the most notorious international incidents, WikiLeaks begin leaking what they claim is a portion of over 200,000 classified US embassy cables in an event which would come to be known as CableGate. Over the following weeks and months, several news outlets report on the vast amount of information contained in the leaked documents, including the Guardian, the New York Times, Der Spiegel and Wired. As of this writing, the cables are still being released in what seems to be batches of just over 1,000 at a time. Within days, Swedish authorities' international arrest warrant for Wikileaks director Julian Assange, on matters unrelated to the leak, is circulated via Interpol. [WikiPedia Link] The cables were apparently downloaded without authorization by Private Bradley Manning, allegedly from SIPRNet (the US Department of Defense's Secret Internet Protocol Router Network), a classified network over which the State Department also distributed its embassy cable traffic. [Cryptome timeline re: Adrian Lamo]

December:

  • On Dec. 5th, FBI court filings against one Oleg Nikolaenko are leaked to the Smoking Gun. Nikolaenko is alleged to be the main operator of the once-rampant spamming botnet known as Mega-D, the primary mailing botnet for the former AffKing affiliate program. The FBI had arrested Nikolaenko in Las Vegas on Nov. 4th, and the case became public in early December. [PDF available here.]
  • Dec. 13th, the Chinese government announces a new crackdown on piracy of any copyrighted property, from DVDs to MP3s to (presumably) fake Rolex watches. This is allegedly to smooth trade relations with the US, who have been attempting to get China on board with this strategy for many years.
  • On Dec. 14th, Bloomberg publishes a story confirming that, among many other major online companies, Google and Microsoft are creating a non-profit organization targeting illegal internet pharmacies, in support of a US government initiative.
    Google Inc. and Microsoft Corp. are helping to establish a nonprofit organization targeting illegal Internet pharmacies in support of Obama administration efforts, according to the White House Office of Management and Budget.

    The group is comprised of companies that serve as Internet choke points and was in response to a call from the administration for private efforts to police illegal pharmacies, said Victoria Espinel, the White House intellectual property enforcement coordinator.
  • On Dec. 16th, several news outlets report that the Stuxnet infection, first reported in June and said to have hit Iran's Bushehr reactor, was apparently better than a bomb in terms of affecting Iran's nuclear program, possibly setting it back by as much as two years:
    According to a top German computer consultant, the Stuxnet virus, which has attacked Iran's nuclear facilities and which Israel is suspected of creating, has set back the Islamic Republic's nuclear programme by two years.

    The consultant, who was one of the first experts to analyse the program's code and was only identified as "Langner", told The Jerusalem Post that it will take two years for Iran to get back on track.

    "This was nearly as effective as a military strike, but even better since there are no fatalities and no full-blown war. From a military perspective, this was a huge success."

    There have been claims that the virus is still infecting Iran's computer systems at its main uranium enrichment facility at Natanz and its reactor at Bushehr.
  • On Dec. 23rd an independent research blogger named Nart Villeneuve posts a detailed breakdown of how a site is created and configured for the widely-spammed RX-Promotion pharma affiliate program.
  • On Dec. 27th, the Chronopay website displays a notice that their entire database has been compromised and that all credit card and other payment information has been downloaded by criminal entities. The notice turns out to have been placed by hackers who had actually redirected the DNS for chronopay.com to the domain "anotherbeast.com". Links are placed to what they claim is a database of all the stolen credit card data, but which is in fact only the credit card information of 800 users, captured between Dec. 25th and 26th.

Phew! That is quite a year.

Here's hoping that online criminal activity remains a high-focus item for world governments and the mainstream media. This is the first year either of them has paid any real attention to these issues, and it's been extremely refreshing to see.

Happy New Year, everybody. Stay safe!

SiL / IKS / concerned citizen

Wednesday, September 22, 2010

Spamit.com: Closing down?

After a tip from a few different sources, I was informed that the Spamit.com domain is now showing the following message:

Dear partners and colleagues,

Owing to the long chain of negative events over the past year and the heightened attention to the activities of our affiliate program, we have decided to wind down our operations and stop accepting traffic as of October 1, 2010.

We believe that in the current situation this is the most correct decision, since it lets us entirely avoid the risk of a sudden, unplanned stop, which would inevitably lead to the collapse of the program's entire operation and, most likely, to your earnings going unpaid. In our case, all earned funds will be paid out as usual. Nobody will be ripped off.

Please use the remaining time to move your traffic to other affiliate programs in good time.

Thank you for working with us; we greatly value your trust!


The site's own English version read:

Dear partners and colleagues!

Because of the numerous negative events that happened last year and the increased attention to our affiliate program, we have decided to stop accepting traffic from 1.10.2010. We find this decision the most appropriate in this situation. It avoids a sudden stop of operations, which would lead to the collapse of the program and to your profit not being paid.

In our case the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs before 1.10.2010.

Thank you for your cooperation! We appreciate your trust very much!

Here's a screenshot of Spamit.com from around an hour ago:


This was the output on Spamit.biz and Spamit.com. Now I and many others notice that spamit.com no longer resolves as a domain. Spamit.ru is also down but I don't know if that had been the case prior to today.

Note that no such notice appears anywhere on Glavmed.com (long alleged to be their sister company.)

The #1 criminally-operated spam operation in the world is suddenly shutting down? (Albeit, possibly temporarily. I'll check back on Oct. 1st of course.)

The "numerous negative events" possibly refers to the loss of Mastercard processing which happened several months ago, and "the risen attention to our affiliate program" possibly means coverage from this blog but also several other media outlets, most notably a large amount of coverage in the Russian press.

If Spamit as an affiliate operation were in any way operating legally or legitimately, this media coverage would not be a cause to shut down. This only goes to show you what a scumbag, criminal operation Spamit and Glavmed have always been.

The fact that spamit domains specifically are shutting down the same day a few sources told me to check this page out indicates some Very Bad Things could be underway for the operators of Spamit.

This could be a very interesting few weeks.

SiL

Sunday, July 25, 2010

Blog-Spamming an Anti-Spam Blog = Utter Genius

To all you moron spammers out there who keep submitting spammy comments to this blog:

Are you high?

You keep saying I need a life. Look at yourselves.

SiL

Thursday, June 3, 2010

Anonymous Commenter Claims: "Fake diplomas are 100% legal."

Yet another Anonymous coward decided to comment, this time in response to my previous article on fake diplomas from December 2007: Fake Diplomas Are Illegal.

Here was his comment (dollars to donuts it's a man.):

Anonymous said...

Whomever made this post, isn't that bright!!! Is it illegal to pretend to earn credentials that you didn't, to gain advancement? YES! Absolutely! So, is it illegal to take a fake diploma and use to get a job? Yes. Is it illegal to buy a fake diploma and just hang on your wall? No. Is illegal to joke with your friends about graduating? No. This person is trying to take something that isn't black & white and making it black & white. Fake diplomas are legal. They are legal to buy. A lot of fake diploma companies take major credit cards. If it was illegal, Visa would not accept them! You can't use a Visa to buy meth! haha Fake diplomas are 100% legal. There are illegal acts you can do with it, but people need to be warned about that side of it, without being scared out of simply owning one.

You know, if you want to be taken seriously, "Anonymous", you should really not post anonymously. That and you should get your facts straight. Clearly you didn't read the article.

> Whomever made this post, isn't that bright!!!

Heck of a way to legitimize your post. I will, for now, ignore your stellar lack of skill in grammar and the use of punctuation.

"Whomever made this post?" It's pretty clear who I am. I've been at this for a while.

> Is it illegal to pretend to earn credentials that you
> didn't, to gain advancement? YES! Absolutely! So, is it
> illegal to take a fake diploma and use to get a job? Yes. Is
> it illegal to buy a fake diploma and just hang on your wall?
> No. Is illegal to joke with your friends about graduating?
> No.


Correction (and here it is clear you do not know the law): "Novelty" diplomas, only in a very small number of US states, are legal. The law has a pretty specific definition of that, thus the use of the word "Novelty".

I recommend that you read this website: counterfeitdegrees.com. They are a veritable cornucopia of information regarding the specific legalities of this industry.

On the main page you see the following:

Parallel to the types of fake degree consumer, are two types of fake degree businesses:
  • Fake degree suppliers make no pretense of being colleges or leading consumers to believe their resumes can translate to real degrees. They unabashedly sell, advertise, and fiercely market "fake," "phony," "bogus," and "novelty" degrees.
  • In comparison, diploma mills go to great lengths to create an illusion of reality and authority. Savvy marketing ploys and misleading information draws customers that may believe an evaluation essay or exam, combined with their resume, earns them an academic degree.

So you can't even just say that "selling fake degrees is legal", because that statement is trying to make things "black & white". It depends on how you word how you want to sell them, and for what purposes.

Further, there are indeed very specific federal and state laws covering this type of industry. You should most definitely read this link also, as it outlines each.

Let me show you, really specifically, a couple of very recent examples of this spam.

Subject: Get a diploma for a better job.

BECAUSE YOU DESERVE IT! Is your lack of a degree holding you back from career advancement?
Are you having difficulty finding employment in your field of interest because you don't have the
paper to back it up - even though you are qualified?
If you are looking for a fast and effective solution, we can help!
Call us right now for your customized diploma: Inside U.SA.: 1-718-989-5740 Outside U.S.A.: +1-718-989-5740.
Just leave your NAME & TEL. PHONE # (with country-code) on the voicemail and one of our staff members will get back to you promptly!

Subject: Need a diploma? Call us.

BECAUSE YOU DESERVE IT! Is your lack of a degree holding you back from career advancement?
Are you having difficulty finding employment in your field of interest because you don't have the
paper to back it up - even though you are qualified?
If you are looking for a fast and effective solution, we can help!
Call us right now for your customized diploma: Inside U.SA.: 1-718-989-5740 Outside U.S.A.: +1-718-989-5740.
Just leave your NAME & TEL. PHONE # (with country-code) on the voicemail and one of our staff members will get back to you promptly!

Note how the subject line of one of them directly states that this is to be used "for a better job"? Did you notice that? What about the use of the sentence "Is your lack of a degree holding you back from career advancement?". Nothing "jokey" about that, "Anonymous." These spammers - about whom I am specifically writing, because you might have noticed that this is a blog about spamming, and these fake diploma operations are promoted via criminal spamming - are not selling a diploma in the hopes that you just want to "joke with your friends about graduating". They are specifically saying: you "need" this diploma, because you can't advance in your career, or you are unable to get a better job without one.

Many other subject lines in recent messages make the claim that younger candidates are getting the job faster than you, therefore you would (again) "need" this fake diploma to stand out. This is not Novelty. This is a criminal act. It is extremely clear.

What's worse is, we're in a down economy, as you may have noticed. The enticement to purchase these as "proof" of someone's abilities is even higher, since there are fewer and fewer jobs available. The spammers behind this know that that's the case, and recent spam volume in this sector is way higher than in previous years. You don't think this is dangerous? You think these spammers are really targeting unemployed professionals because they just want to "joke about" having a degree? Shame on you!

So I have to ask you, "Anonymous", where are the spam messages you apparently seem to be arguing with me about which only sell diplomas so you can "joke with your friends about graduating?" The only spam I've ever seen promoting diplomas are ones which very much get across that these are to be used to "get a better job."

Also: How much, reasonably, does a novelty degree cost? If I want to go to a joke shop and get a "PhD in Beerology", that's probably $20. Money not well spent, but that is probably the extent of that. The diplomas that these criminal diploma spam operations are selling often go for upwards of $400 apiece. It depends on the "degree" you want to get.

> This person is trying to take something that isn't black &
> white and making it black & white. Fake diplomas are legal.


On the contrary: you, "Anonymous", are trying to lump diploma spammers in with any other kind of seller of novelty diplomas. My posting was extremely clear, and I think any normal human being with eyes could tell the difference between a joke diploma that costs $20 which claims I have a "Masters in Fishing" and a $400 diploma claiming to be from the University of Arizona which says I have a PhD in Nuclear Physics and has a pretty convincing-looking embossed seal on very carefully watermarked paper.

> There are illegal acts you can do with it, but people need
> to be warned about that side of it, without being scared out
> of simply owning one.


They should sure as hell be scared of other people owning them if they're claiming to be a surgeon, a lawyer, an accountant, etc. Would you want surgery from someone based on their fake diploma?

I didn't say novelty diplomas were illegal, I said fake diplomas are illegal, and my posting went into a great deal of detail explaining why. The law is extremely clear, and the litany of ongoing court cases which have been taking place recently (and on a weekly or monthly basis since my original posting was published) is pretty conclusive evidence that selling fake diplomas is, indeed, illegal. Further: many states are actually now strengthening the law to include the manufacture of fake diplomas as an illegal act.

Quit posting anonymously, and don't be so facile about this topic.

SiL

P.S. You'll notice I didn't even bother to go into the legality of fake transcripts. Want to try me on that one?

Thursday, April 22, 2010

LowCostLinks.com: Another scumbag forum-spamming operation.

I recently encountered another registration attack against the forums at InBoxRevenge.com. This was one of thousands we see every month.

These registration attacks are executed using automated software such as XRumer, with the hopes that we aren't monitoring registrations, and are automatically approving all new accounts. If that were the case, the process would look like this, all originating from the forum-spamming software itself (usually via a botnet.):

- Visit a topic on the forum. (Usually they choose a fairly low number for the thread id. It's nearly always 1 or 2)
- Visit the registration page
- Agree to the terms
- Create a new registration
- Wait a predetermined amount of time.
- Based on known algorithms used by most forum software, visit the "confirmation URL" which is usually sent to the registration email address.

Because of our particular forum registration requirements, that last step fails. The software notices this and retries: at least four times, and so far on average 14 to 30 times, always using the same username, the same email address and the same interval between attempts. Very often the source IP address used in these registrations is dynamic, which strongly indicates that the software is running on a botnet. This is not the case in every instance, but it is very frequently so.

Yesterday I encountered six such attacks from a domain called LowCostLinks.com, all using bogus email addresses which indicate that whoever it was that was doing this was no fan of either our forum or another well-known cybercrime researcher:

Date Entered / Email
04/20/2010 04:26:24PM / ksforum.inboxrevenge.com.a.dzgrymzusn@lowcostlinks.com
04/20/2010 06:59:33PM / inboxrevenge.com.a.mcdemjtodu@lowcostlinks.com
04/21/2010 06:05:51AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com
04/21/2010 06:06:01AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com
04/21/2010 06:06:09AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com
04/21/2010 06:06:20AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com

Username in all cases was: soepxozk
IP address for all registration attempts was 207.219.37.17, a home DSL account hosted by Telus, located somewhere in British Columbia.

Clearly they have a bone to pick with Brian Krebs as well. That, I can tell you, means they're probably involved in - or at least "fans" of - far worse things than rinky little forum spamming operations.

LowCostLinks.com is easily one of the most bogus operations I've seen in a while, and their administrator didn't do anything to dissuade me from that opinion, as you'll see below.

LowCostLinks is well aware that they engage in forum spamming. Based on an email discussion I had with their anonymous admin, he didn't care whether it bothered me or anyone else. In fact their convenient "How To Stop Forum Spam" page makes it clear that their "opt out" policy (found here) is to instead tell forum operators that it's up to them to block LowCostLinks. He also rested on the misguided opinion that forum spamming isn't spamming, since it isn't performed via email.

Unfortunately for "companies" (and I use the term loosely) like LowCostLinks, they're woefully uninformed about what their actual platform means from a legal perspective. In the same way that an individual can be seen to be "attacking" a website by repeatedly attempting to guess the username and password of a specific third-party account - without authorization - these repeated attempts to register can be perceived, especially in a court of law, as an attack.

Automated registrations can and have been considered a direct form of "attack" against any third-party website, since by their very nature they ignore the terms and conditions of most forum software on the internet today. In our particular case, we've made a very clear amendment to our terms and conditions for new registrants which specifically states that we consider any automated registration to be an actual attack against us. We define it pretty specifically as well:

- Automated attacks are expressly forbidden
- Automated registrations mean that usually no actual human being is even reading the terms and conditions, or performing the registration.
- Automated registrations further mean that only very specific pages of our forum load, but none of the attendant assets such as images, stylesheets or javascript files. This makes it particularly easy to pin down the timestamps of the attacks, since they are very obvious in the server logs, and this is further reinforced by the data captures I've added.
- If an automated registration occurs more than once, we can assume that they still agreed to our terms and conditions (since you have to click the "agree" button to continue), which means that they agree we should pursue all means to get their email and other accounts shut down, since they are in violation not only of our terms of service, but of those of their email and hosting provider.
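As an added illustration (not code from the original post, and not anything LowCostLinks or the forum software ships), here is how the tells described above can be turned into checks: the scripted page sequence starting at a thread id of 1 or 2, the registration POST with no stylesheet, script or image loads, the guessed confirmation URL that the server rejects, and the same username and address retried seconds apart. The access-log lines, the IP addresses (documentation ranges, not the Telus address quoted above), the forum paths (/viewtopic.php, /register.php, /confirm.php) and the registration records are all constructed for this example; the email address pattern mirrors the lowcostlinks.com entries listed above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (not real InboxRevenge logs).
# 203.0.113.7 follows the scripted sequence described in the post: low thread id,
# registration page, agree, POST, then a guessed confirmation URL, and no page assets.
# 198.51.100.23 is a browser-driven human who loads the same pages plus CSS/JS/images.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2010:16:26:01 -0400] "GET /viewtopic.php?t=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2010:16:26:03 -0400] "GET /register.php HTTP/1.1" 200 3100 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2010:16:26:04 -0400] "GET /register.php?agreed=1 HTTP/1.1" 200 4200 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2010:16:26:24 -0400] "POST /register.php HTTP/1.1" 200 900 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2010:16:31:24 -0400] "GET /confirm.php?u=soepxozk&k=0000 HTTP/1.1" 403 210 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Apr/2010:17:02:10 -0400] "GET /viewtopic.php?t=4821 HTTP/1.1" 200 6030 "-" "Mozilla/5.0 (X11)"
198.51.100.23 - - [20/Apr/2010:17:02:10 -0400] "GET /styles/forum.css HTTP/1.1" 200 1402 "http://ibr/viewtopic.php?t=4821" "Mozilla/5.0 (X11)"
198.51.100.23 - - [20/Apr/2010:17:02:11 -0400] "GET /images/logo.png HTTP/1.1" 200 8812 "http://ibr/viewtopic.php?t=4821" "Mozilla/5.0 (X11)"
198.51.100.23 - - [20/Apr/2010:17:03:40 -0400] "GET /register.php HTTP/1.1" 200 3100 "http://ibr/viewtopic.php?t=4821" "Mozilla/5.0 (X11)"
198.51.100.23 - - [20/Apr/2010:17:03:41 -0400] "GET /js/register.js HTTP/1.1" 200 2210 "http://ibr/register.php" "Mozilla/5.0 (X11)"
198.51.100.23 - - [20/Apr/2010:17:05:02 -0400] "POST /register.php HTTP/1.1" 200 900 "http://ibr/register.php" "Mozilla/5.0 (X11)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_RE = re.compile(r'\.(css|js|png|gif|jpe?g|ico)(\?|$)', re.I)
TOPIC_RE = re.compile(r'/viewtopic\.php\?t=(\d+)')


def sessions_from_log(log_text):
    """Group parsed requests by (client IP, User-Agent), the closest thing a plain
    access log has to a session. Unparseable lines are skipped, not guessed at."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sessions[(m["ip"], m["ua"])].append(m.groupdict())
    return sessions


def automation_indicators(requests):
    """Return the reasons a session looks like a registration script, empty if it
    behaves like a browser. Only sessions that actually POST a registration are judged."""
    if not any(r["method"] == "POST" and r["path"].startswith("/register.php") for r in requests):
        return []
    paths = [r["path"] for r in requests]
    reasons = []
    # Tell 1: forum pages load, but none of the stylesheets, scripts or images they reference.
    if not any(ASSET_RE.search(p) for p in paths):
        reasons.append("registration POST without any stylesheet, script or image load")
    # Tell 2: the only topic viewed before registering has thread id 1 or 2.
    topics = [int(m.group(1)) for m in map(TOPIC_RE.search, paths) if m]
    if topics and max(topics) <= 2:
        reasons.append("only viewed thread id <= 2 before registering")
    # Tell 3: a confirmation URL was fetched but rejected, so it was computed, not read from email.
    if any(r["path"].startswith("/confirm.php") and r["status"] != "200" for r in requests):
        reasons.append("rejected confirmation URL, so the confirmation email was never read")
    return reasons


def flag_sessions(log_text):
    """Map (ip, user-agent) -> indicators for every session that trips at least one."""
    flagged = {}
    for key, reqs in sessions_from_log(log_text).items():
        reasons = automation_indicators(reqs)
        if reasons:
            flagged[key] = reasons
    return flagged


# Constructed registration records in the shape of the table above: (date, username, email, ip).
SAMPLE_REGISTRATIONS = [
    ("04/21/2010 06:05:51AM", "soepxozk", "krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com", "203.0.113.7"),
    ("04/21/2010 06:06:01AM", "soepxozk", "krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com", "203.0.113.7"),
    ("04/21/2010 06:06:09AM", "soepxozk", "krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com", "203.0.113.7"),
    ("04/21/2010 06:06:20AM", "soepxozk", "krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com", "203.0.113.7"),
    ("04/21/2010 09:14:33AM", "jane_r", "jane.r@example.net", "198.51.100.23"),
]
# Local part of the form <target-site>.a.<random tag>, as in the entries listed above.
EMAIL_RE = re.compile(r'^(?P<target>[a-z0-9.-]+)\.a\.(?P<tag>[a-z0-9]+)@(?P<domain>[a-z0-9.-]+)$')


def repeated_registrations(records, max_gap_seconds=60, min_attempts=3):
    """Group attempts by (username, email, ip) and report groups that retry the same
    identity faster than anyone could read a confirmation email; decode the target
    site embedded in the address when it follows the pattern above."""
    groups = defaultdict(list)
    for when, user, email, ip in records:
        groups[(user, email.lower(), ip)].append(datetime.strptime(when, "%m/%d/%Y %I:%M:%S%p"))
    report = []
    for (user, email, ip), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_attempts and max(gaps) <= max_gap_seconds:
            m = EMAIL_RE.match(email)
            report.append({"username": user, "ip": ip, "attempts": len(times),
                           "target_in_address": m["target"] if m else None,
                           "sender_domain": email.split("@", 1)[1]})
    return report


if __name__ == "__main__":
    for (ip, ua), why in flag_sessions(SAMPLE_LOG).items():
        print(ip, ua, "->", "; ".join(why))
    for entry in repeated_registrations(SAMPLE_REGISTRATIONS):
        print(entry)
```

On the constructed input only the 203.0.113.7 session trips the checks (all three of them), and only the soepxozk identity is reported as a rapid-fire repeat, with krebsonsecurity.com decoded as the site the address was aimed at. Keying sessions on IP plus User-Agent is a heuristic: a botnet rotating dynamic addresses, as described above, will split one campaign across many sessions, which is exactly why the repeated username and address in the registration table is the stronger signal.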

But even if we hadn't put these very specific clauses in place, a court of law would still perceive this activity to be unauthorized, malicious, and, in some cases, illegal.

The average idiot forum spammer is typically trying to place links within forums for the purposes of boosting the search engine ranking of the site they want our forum, and thousands of others, to link to. This is usually known as "Search Engine Optimization" or "SEO".

Usually, page rank is based on actual useful, valid content. So for example if I write a posting about pharmaceuticals, and it has links to research papers about pharmaceuticals, that means the page rank of those research papers gets a tiny boost, because it's assumed that the content is both related and relevant.

In this case though, we're talking about utter noise: totally unrelated postings on thousands of forums, linking to sites which on their own would not have a very high page ranking at all. Further, we're talking about subverting actual, relevant, content-related search results by flooding forums with totally unrelated links to sites which have no bearing whatsoever on the forum's main focus.

Now: that part is, just like regular email spam is perceived to be, annoying, and a nuisance, but not by definition illegal.

However, the means used to make these links appear can most certainly be charged in a court of law as malicious, unauthorized and, as previously mentioned, an actual attack against the server or servers on which this scummy operation chooses to execute its auto-registrations.

The administrator of LowCostLinks claimed that my complaint to him would be re-posted on the lowcostlinks.com website because, he claimed, it would be "great for sales!" Instead I thought I'd post it here to make clear just what type of characters we're dealing with, and that LowCostLinks is a nuisance of which any forum operator out there should very much be aware.

Date: Wed, 21 Apr 2010 11:05:27 -0400
Subject: Stop auto-registering to my forum!
From: SiL
To: lowcostlinks@gmail.com

Automated registration attempts made at inboxrevenge.com, by date, descending order:

[above-mentioned list of attack entries redacted - SiL]

Explain yourselves!

SiL

Date: Wed, 21 Apr 2010 11:34:29 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

re:"Explain yourselves!"

I think you of all people must know what's up if you managed to find our gmail address. We create posts on forums for a fee. Simply deny access to the @lowcostlinks.com email domain and you will never hear from us again. We are not trying to post on "live" forums, sorry for the inconvenience.

Nice abuse policy, yes? Completely unacceptable.

Also note that he lies about registering to "live" forums. IBR is most definitely live. So are hundreds or thousands of others out there, all featuring fake profiles created by this idiotic organization.

Date: Wed, 21 Apr 2010 11:55:31 -0400
Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

How about instead you stop violating CAN-SPAM law by continuing to allow your scumbag "affiliates" from attempting automated registrations against thousands of forums?

It's pretty clear you're obviously pro-spam, so I'll make sure that my law enforcement contacts know that.

> We are not trying to post on "live" forums, sorry for the inconvenience.

Then what the hell are the automated registrations for?

You should also be aware that under most countries' privacy laws, this constitutes an attack.

SiL

Date: Wed, 21 Apr 2010 11:58:57 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

Go ahead, call your cop buddies, it's hilarious how little you know about
forum "spamming" ;) Have a nice day SiL.

Date: Wed, 21 Apr 2010 12:00:15 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

P.S. you might want to take a read here: http://lowcostlinks.com/how_to_stop_forum_spam.php

So clearly he isn't taking any of this seriously. So be it.

Date: Wed, 21 Apr 2010 12:06:28 -0400
Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

On Wed, Apr 21, 2010 at 11:58 AM, LowCostLinks.com
<lowcostlinks@gmail.com>wrote:

> Go ahead, call your cop buddies, it's hilarious how little you know about
> forum "spamming" ;) Have a nice day

"buddies" you say.

On Wed, Apr 21, 2010 at 12:00 PM, LowCostLinks.com
<lowcostlinks@gmail.com>wrote:

> P.S. you might want to take a read here:
> http://lowcostlinks.com/how_to_stop_forum_spam.php

That is a bullshit response, and you know it. You're actively encouraging your "affiliates" (why not just call them spammers?) to continue automated registration against forums, then leaving it up to forum operators to do the extra work of blocking your domain.

You will regret this.

SiL

Date: Wed, 21 Apr 2010 12:14:37 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

SiL, please stop acting so SiLly. Making idle threats doesn't do anybody any good.

Don't create a forum signup form if you do not want people signing up to it. I am sorry, am I missing something?

1. We do not encourage anybody to make our posts for us.
2. We have an opt out program just like any can spam compliant email posting company does. (But we don't post unsolicited emails, so we don't fall under that law anyways.)
3. We do not attempt to hide our identity.
4. We comply with all "do not post" requests.

Good luck finding another one of the thousands of competitors I have that is as genuinely truthful as us.

Don't worry, we have added all of your domains to our black list, you should not receive any more registrations, please provide any more forums you might have.

Again, no hard feelings, have a nice day!

P.S. this entire thread will be posted on our website, they're great for sales!

In that message he incorrectly linked to the url "http://www.google.com/search?q=forum+backlinks+for+sale" when trying to illustrate how much better his site was than his "competitors", which wasn't anything I mentioned in my original message.

But look at the logic. Honestly. Yeah that's the only reason anyone would put together a forum: so that bogus "companies" like LowCostLinks.com can forum-spam it out of existence. Completely obvious isn't it?

Date: Wed, 21 Apr 2010 12:23:20 -0400
Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

> Don't create a forum signup form if you do not want people signing up to
> it. I am sorry, am I missing something?

Clearly, you are, see below. That is one of the stupidest answers I have ever received from anyone, ever.

> 1. We do not encourage anybody to make our posts for us.

Sure you don't.

> 2. We have an opt out program just like any can spam compliant email
> posting company does.

you are defining "opting out" as telling the owner of a forum to block your domain. That's not "opting out."

> (But we don't post unsolicited emails, so we don't fall under that law
> anyways.)
>

Yes you do fall under that law. It doesn't just apply to email. Nice to know that you don't read.

> 3. We do not attempt to hide our identity.

Yes you do:

registrant-firstname: Oneandone
registrant-lastname: Private Registration
registrant-organization: 1&1 Internet, Inc. -
http://1and1.com/contact
registrant-street1: 701 Lee Road, Suite 300
registrant-street2: ATTN: lowcostlinks.com
registrant-pcode: 19087
registrant-state: PA
registrant-city: Chesterbrook
registrant-ccode: US
registrant-phone: +1.8772064254
registrant-email: proxy2145160@1and1-private-registration.com

> 4. We comply with all "do not post" requests.

Sure: by telling me to block any registration attempts. How about I and all my colleagues continually, 24 hours a day, keep trying to log in to your affiliate form. Maybe we should do so as many times per second as we can, from numerous randomized IP's I mean it's just up there waiting for thousands of automated attempts to log in right? If you don't like it, why did you create an affiliate login form?

> P.S. this entire thread will be posted on our website, they're great for
> sales!

Hey it's also great for law enforcement investigations, charges, arrests, indictments, and convictions. My team has led several of those since 2005 against operations just like yours. You are violating computer trespassing laws. You don't seem to care, so I will make you care.

SiL

This last email seems to drastically change his tune:

Date: Wed, 21 Apr 2010 12:39:21 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL


We made a few signups to your forum, our apologies for that. Forum signup forms are meant to be signed up on, are they not? I get plenty of false affiliate signups daily, I just figured it was the way of the net.

Forums are created to post messages on, we post our messages on forums, if the owner deletes the message, or asks us to stop, we do not post anymore. That is basically what we do. Good luck with your future fights, and congratulations on stopping so many spammers out there!

We do not require forum owners to block our email domain to stop posting, it is only an additional option. As well as deleting the very first message, that is another way to stop our posts as well.

Those are not the only opt out methods however, a simple email telling us to "stop posting" will do the trick. I have proof of numerous, kindly worded messages to and fro from such situations, should law enforcement ever find the need to get involved.

Basically we have 3 opt out policies, you took care of two of them, you have already been added to our opt out list, and should not receive anymore registrations.

So suddenly now that I've clarified that we go after operations like his, he's apologizing. He's also suddenly saying that my request was now all I had to do.

He's a liar! (Surprise.)

Also: welcome to the brain of a forum spammer. If they didn't have the internet, they'd just as soon use your bedroom wall or perhaps your car's front seat to plaster thousands of posters announcing where people could get porn for $12, or promoting fake Viagra pills. After all: why else did you buy your house or your car? Your house has a prominent front door which faces the street. It's OBVIOUSLY there for me to put posters on.

Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

On Wed, Apr 21, 2010 at 12:39 PM, LowCostLinks.com
<lowcostlinks@gmail.com>wrote:

> We made a few signups to your forum, our apologies for that. Forum signup
> forms are meant to be signed up on, are they not? I get plenty of false
> affiliate signups daily, I just figured it was the way of the net.

Registration to a forum, by a human being who reads our terms and conditions - which expressly forbid automated attempts - is certainly allowed, with the idea that the human being has a brain, and will recognize that repeated automated attempts will have a habit of looking like an automated attack.

That registration is also assumed to be made by a human being who will actually contribute to said forum. This is true of any forum. Forums don't exist purely for you and your affiliates to auto-register at so you can promote whatever bogus links you want.

Especially since my forum is very clearly against this type of automated promotional activity, especially since it has a habit of being run by organized criminals, it's especially telling that your affiliates chose specifically to auto register to it, since it's extremely clear we disallow that exact type of illicit activity.

> Forums are created to post messages on,

By human beings, for the purposes of contributing to specific topics of discussion.

> we post our messages on forums,

Automatically, using software such as Xrumer or several others.

> if the owner deletes the message, or asks us to stop, we do not post
> anymore.

That is unacceptable. You're in violation of your hosting company's terms of service, which specifically disallows automated attacks against other servers, or unauthorized access to other servers. You are performing both of these acts, which I remind you are also against computer trespassing laws in the US, Canada, the UK, Japan, Hong Kong, China, and several other countries.

> That is basically what we do. Good luck with your future fights, and
> congratulations on stopping so many spammers out there!

You really, really need to investigate other alternatives to what you do.

> We do not require forum owners to block our email domain to stop posting,
> it is only an additional option. As well as deleting the very first message,
> that is another way to stop our posts as well.

That is not what you said in your first reply to me. I'll quote it back to you since you conveniently forgot all about that:

"Simply deny access to
the @lowcostlinks.com email domain and you will never hear from us again. We
are not trying to post on "live" forums, sorry for the inconvenience."

Funny how you never mentioned:

1) Yes, right away, sorry to bother you.

2) We take this email seriously, and will acknowledge your request for us to stop doing this.

Your reply was basically: too bad, it's up to you to block us.

> Those are not the only opt out methods however, a simple email telling us
> to "stop posting" will do the trick.

See above! You did not do that, and you are lying to me now about this being your policy.

> I have proof of numerous, kindly worded messages to and fro from such
> situations, should law enforcement ever find the need to get involved.

Oh so it needs to be "kindly worded". I notice that isn't anywhere on your "how to stop forum spam" message either.

> Basically we have 3 opt out policies, you took care of two of them, you
> have already been added to our opt out list, and should not receive anymore
> registrations.

And it took repeated back-and-forth emails to get this simple answer out of you.

This does not excuse your behavior, and reports have already been sent to numerous authorities outlining not only this offense, but many others by your organization which are not hard to find at all.

Too bad you didn't just take my first email seriously. Oh well.

SiL

So there we have it. Further proof that spammers lie, as usual, all the time. And further proof that spammers essentially see any online entity, no matter who actually owns or operates it, as their own personal promotion vehicle.

I'd like to add that searching for lowcostlinks.com routinely turns up all kinds of bot-monitoring sites which list many, many automated registrations.

How any of this is "great for sales!" is baffling.

I have yet to receive a response from their hosting company, the infamous "1and1.com", who routinely are found to be providing hosting to all manner of spamvertised properties, phishing operations and numerous other unsafe and unsavory properties. Doesn't mean it won't happen.

Forum spamming is just as bad as any other form of spamming, but affiliates who join these programs should be aware: they are an accessory to computer trespassing and unauthorized attacks against forums.
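The exchange above turns on two things a forum operator would rather enforce server-side than rely on a spammer's "opt-out" offer: refusing registrations from a known promotional e-mail domain, and noticing when signups arrive in the kind of burst that "looks like an automated attack". The following is an added example (not code from this blog or from any forum package) of both checks run over a constructed registration log. The denylist holds lowcostlinks.com because that is the domain named in the correspondence; the threshold, the window, the IP addresses and the other e-mail domains are assumptions made for the example.

```python
"""Registration-abuse checks for a forum signup endpoint (added example).

Two checks, applied to signups in arrival order:
  1. a denylist of registrant e-mail domains (lowcostlinks.com is the domain
     named in the correspondence; nothing else is on the list here), and
  2. a burst detector: more than BURST_LIMIT signups from one source IP or one
     e-mail domain inside a sliding BURST_WINDOW is treated as automated.
The registration records below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DENIED_DOMAINS = {"lowcostlinks.com"}      # from the correspondence
BURST_LIMIT = 3                            # assumed threshold
BURST_WINDOW = timedelta(minutes=10)       # assumed window

# (timestamp, source ip, registrant e-mail) - constructed sample data
REGISTRATIONS = [
    ("2010-04-10 09:00:05", "203.0.113.10", "alice@example.org"),
    ("2010-04-10 09:01:12", "198.51.100.7", "promo1@lowcostlinks.com"),
    ("2010-04-10 09:01:40", "198.51.100.7", "promo2@lowcostlinks.com"),
    ("2010-04-10 09:02:03", "198.51.100.7", "promo3@lowcostlinks.com"),
    ("2010-04-10 09:02:30", "198.51.100.7", "promo4@lowcostlinks.com"),
    ("2010-04-10 11:30:00", "203.0.113.55", "bob@example.net"),
    ("2010-04-10 11:30:20", "192.0.2.9", "x1@freemail.example"),
    ("2010-04-10 11:30:41", "192.0.2.9", "x2@freemail.example"),
    ("2010-04-10 11:31:02", "192.0.2.9", "x3@freemail.example"),
    ("2010-04-10 11:31:25", "192.0.2.9", "x4@freemail.example"),
]


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


class RegistrationGuard:
    """Evaluate signups in arrival order and return a decision for each."""

    def __init__(self, denied=DENIED_DOMAINS, limit=BURST_LIMIT, window=BURST_WINDOW):
        self.denied = {d.lower() for d in denied}
        self.limit = limit
        self.window = window
        # sliding windows of recent signup times, keyed by ("ip", x) / ("domain", x)
        self._recent = defaultdict(deque)

    def _burst(self, key, when) -> bool:
        """Record one signup under `key`; True if the window now exceeds the limit."""
        q = self._recent[key]
        q.append(when)
        while q and when - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

    def check(self, when: datetime, ip: str, email: str) -> str:
        """Return 'deny-domain', 'burst' or 'allow' for one signup."""
        domain = email_domain(email)
        if domain in self.denied:
            return "deny-domain"
        # update both windows before deciding, so every attempt is counted
        ip_burst = self._burst(("ip", ip), when)
        dom_burst = self._burst(("domain", domain), when)
        if ip_burst or dom_burst:
            return "burst"
        return "allow"


def evaluate(records=REGISTRATIONS) -> list:
    """Run the guard over the records; returns (email, decision) pairs in order."""
    guard = RegistrationGuard()
    out = []
    for ts, ip, email in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        out.append((email, guard.check(when, ip, email)))
    return out


if __name__ == "__main__":
    for email, decision in evaluate():
        print(f"{decision:12} {email}")
```

With the sample data, the four lowcostlinks.com signups are refused outright by the domain check, and the fourth signup from 192.0.2.9 within ten minutes trips the burst detector even though its domain is not on any list. The burst check is what catches an affiliate who simply switches to a fresh e-mail domain.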

SiL / IKS / concerned citizen

Sunday, April 18, 2010

Marmeladies.com and Lady-Marmelady.com - Updates on this Russian Dating Scam


Just a quick update that I made a brief addendum to my January posting regarding the by-now-well-known "Lady Marmelady" Russian dating spam setup.

In a nutshell:

Marmeladies.com appears to be a fairly recent additional property spammed in precisely the same way.

The URL "littledatenow.com" is a very heavily spammed URL. As with previous "Lady Marmelady" spam, it never divulges where you will end up, but the confirmation email inevitably leads there should you foolishly complete a registration. (And why would you do that? It was received via spam. Use your brain!)

When the spammers promoting this are not spamming that particular URL, the link in the spam message is nearly always (yet again) an MSN Live Spaces URL, or that of some other free-redirection URL. That started in March, but in the past two weeks especially it has switched back to the "littledatenow.com" URL. A few hours after I posted that domain, I started receiving notice from numerous recipients that the new domain being spammed is "dateyourgirl.com".

The MSN Live Spaces URLs typically redirect or link to an unpronounceable domain name, passing one of a series of affiliate IDs. The domain at the current time is redactjuri.info, and they pass affiliate IDs 132, 134, 135 and 136 (that I have seen or been informed of.)

Here's a list of all the domains that these MSN Live Spaces locations redirect to:

http://united-states-russian-dating.ru/
http://sexy4sex.info/
http://redactjuri.info/index.php?idAff=###
http://pornorate.ru/index.php?idAff=###
http://jink.ru/index.php?idAff=###
http://pove.ru/?idAff=###
http://gerl-007.ru/index.php?action=3
http://sexualmeet.ru/

(Where "###" is any of the aforementioned idAff values: 132, 134, 135 or 136.)
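The redirection described above (a Live Spaces page that bounces the visitor to one of the landing domains in the list, passing an idAff value) is the kind of chain worth resolving mechanically when you are collecting these reports. Below is an added example, not code from this blog, that walks such a chain one hop at a time, refuses to loop, and pulls the affiliate ID out of the final URL. It runs offline against a constructed redirect table; on a live system the `lookup` function would be replaced by an HTTP request that does not auto-follow redirects and returns the Location header. The Live Spaces paths, the hop.example intermediate host and the pairing of particular idAff values with particular domains in the table are assumptions; only the landing domains and the ID values themselves come from the post.

```python
"""Follow a spammed redirector URL to its landing host and affiliate ID.

Added example. `follow` walks Location headers hop by hop, resolving relative
Locations against the current URL, and stops on the first URL that does not
redirect. It refuses to revisit a URL (loop) and gives up after MAX_HOPS
redirects. The REDIRECTS table stands in for the network and is constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urljoin, urlparse

MAX_HOPS = 8  # assumed loop guard; the chains in the post are one or two hops

# constructed: url -> the Location header that url would answer with
REDIRECTS = {
    "http://spaces.live.com/a1b2c3": "http://pove.ru/?idAff=135",
    "http://spaces.live.com/d4e5f6": "http://hop.example/go?u=1",
    "http://hop.example/go?u=1": "/landing?idAff=132",          # relative Location
    "http://hop.example/landing?idAff=132": "http://redactjuri.info/index.php?idAff=132",
    "http://spaces.live.com/loop1": "http://spaces.live.com/loop2",
    "http://spaces.live.com/loop2": "http://spaces.live.com/loop1",
}


def lookup(url: str):
    """Stand-in for an HTTP request: the next hop, or None when the URL is final."""
    return REDIRECTS.get(url)


def follow(url: str, fetch=lookup, max_hops: int = MAX_HOPS) -> dict:
    """Return the hop chain, landing host and idAff value for one spammed URL."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:            # no redirect: this is the landing page
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if nxt in seen:
            return {"chain": chain, "landing": None, "aff": None, "error": "loop"}
        chain.append(nxt)
        seen.add(nxt)
    else:
        return {"chain": chain, "landing": None, "aff": None, "error": "too many hops"}
    final = urlparse(chain[-1])
    aff = parse_qs(final.query).get("idAff", [None])[0]
    return {"chain": chain, "landing": final.hostname, "aff": aff, "error": None}


def affiliates_by_landing(urls, fetch=lookup) -> dict:
    """Map each landing host to the set of idAff values seen reaching it."""
    table = defaultdict(set)
    for u in urls:
        r = follow(u, fetch)
        if r["error"] is None and r["landing"]:
            table[r["landing"]].add(r["aff"])
    return dict(table)


if __name__ == "__main__":
    spammed = [u for u in REDIRECTS if "spaces.live.com" in u]
    for u in spammed:
        r = follow(u)
        print(u, "->", r["landing"], r["aff"], r["error"] or "")
    print(affiliates_by_landing(spammed))
```

Keeping the whole chain, not just the landing page, matters for reporting: the free-hosting provider needs the first URL, the landing host's provider needs the last, and the affiliate program needs the idAff value.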

redactjuri.info is again registered via GoDaddy using totally fake - and, I might add, incomplete - contact information. Hosted on IP address 111.148.252.71, provided by "North Star Information Hi.tech Ltd. Co." in (of course) Beijing, China.

littledatenow.com was registered via Regtime LTD. on April 5th 2010, just in time to be spammed to millions of recipients. It features questionable contact information claiming to be in Russia. The site is hosted on IP address 219.232.228.204, courtesy, of course, of "CNCITYNET" in Beijing, China. dateyourgirl.com was registered today (April 19th, 2010) using different but more than likely still fake Russian contact information, registered at Regtime.net. It's hosted on the exact same IP address in China.

[I wonder why the sudden change? Possibly reading this blog? Keep it up. I hear from hundreds of angry recipients of your spam, Marmeladies.]

Nobody from Marmeladies has responded to numerous requests into why they continue to use criminal spam operations to promote their service, but their "service" appears to be a 100% scam anyway based on the multiple messages I've received from the victims of their ongoing financial swindling.

Stay far, far away. Marmeladies.com is a complete and utter scam, more than likely run by criminals.

SiL / IKS / concerned citizen

[Edited 04/19/2010 9:23:09 AM to include MSN Live Spaces redirection information.]

[Further edited 04/19/2010 2:34:16 PM to include newer spammed domain, dateyourgirl.com]

[Further edited 04/20/2010 10:32:23 AM to include further MSN Spaces redirection URLs.]

Wednesday, March 31, 2010

My "Winnings" and "Inheritances" Update

Take a look at the dollar total in the right-hand-side of this blog. That number is the running total of how much I am told that I have either "won" or "inherited" since I started keeping track of it in January 2009.

As I write this, I just updated that total to be:

$37,135,922,034.73


That is just over thirty seven Billion USD.

Of course I haven't actually won or inherited anything. That should be obvious. This is based on messages sent by criminals who hope I will believe I won or inherited money, so that they can then tell me to wire them "fees" to ensure the money gets sent to me.

When I first started tabulating this, it was meant to be a one year experiment to see how much I would have "won" if I took seriously the claims of every one of the Nigerian scam emails I receive on a daily basis.

Within the first full year of tabulating, I had "won / inherited" $15,010,243,226.36. (Fifteen Billion USD.) On average I was "winning" 20 - 40 million dollars every single day. I arrived at my first Billion USD of tabulated winnings on Jan. 14th, 2009. The next on Jan. 27th. On average, I was winning a Billion dollars every two to three weeks.

Fast forward to 2010 and what a difference a year makes.

I "won" the equivalent of all I won in 2009 within the first two months of 2010, hitting $30,452,821,816.30 on March 3rd. I now routinely receive from 50 - 90 of these messages every single day. There has never been a single day where I have not received any Nigerian scam messages claiming I have won the "Microsoft Lottery", the "Toyota Lottery", the "Yahoo / Microsoft Lottery", the "Euro Powerball Lottery" or any of the other so-called lotteries these morons keep promoting.

I'm not sure why, suddenly, after New Year's Eve the volume on this particular type of spam experienced such a drastic spike, but it's officially reached what any normal email recipient would have to think was a ridiculous level.

To the idiots sending this spam: if you send the same "YOU HAVE WON!!!1!!" message more than once a year? People will think you are stupid. More than once a month? Come on.

But several times a day?

Every single day?

How often do people seriously think they can win a lottery?!

Unfortunately, the answer seems to be that at least one person does, because I don't see this trend ending anytime soon.

Some more stats in case anyone out there needs further proof of how utterly stupid the criminals are that send these messages:

- Per day, I now win or inherit around $224 million. Every day.
- The lowest amount I have won in a single day this year: $8,833,127.56.
- The highest amount: $1,726,677,256.77 (That was last week.)
- On average I am winning a Billion dollars every 2 - 5 days. In mid-February it was literally every single day that I was winning one Billion dollars.
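The tabulation behind these figures (pull the claimed sum out of each message, total per day, track the lowest and highest day, and project forward from the per-day average) is easy to automate. The following is an added example, not a script from this blog, run over a constructed handful of scam subject lines. The regex covers the forms such mail commonly uses ($1,500,000.00, USD 10,000,000, US$750,000, 2.5 Million United States Dollars); amounts written entirely in words ("Ten Million Dollars") are not parsed and would have to be added. The dates and messages are made up for the example.

```python
"""Tabulate the sums 'won' or 'inherited' according to advance-fee scam mail.

Added example. extract_amounts pulls dollar figures out of a message,
daily_totals sums them per calendar day, summary gives the running total,
per-day average and lowest/highest day, and project extends the running
total to a target date at the per-day average. MESSAGES is constructed.
"""
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

AMOUNT_RE = re.compile(
    r"(?:US\$|USD\s*|\$)\s*([0-9][0-9,]*(?:\.[0-9]{2})?)"            # $1,000,000.00 / USD 1,000 / US$750,000
    r"|([0-9]+(?:\.[0-9]+)?)\s*(million|billion)\s+(?:united states\s+|us\s+)?dollars",  # 2.5 Million US Dollars
    re.IGNORECASE,
)
SCALE = {"million": Decimal(10) ** 6, "billion": Decimal(10) ** 9}

# constructed sample: (date received, subject or body excerpt)
MESSAGES = [
    ("2010-03-22", "YOU HAVE WON!!!1!! Your email has won you $10,000,000.00 in the Microsoft Lottery"),
    ("2010-03-22", "Claim your USD 1,500,000 Toyota Lottery prize today"),
    ("2010-03-22", "Late client left 2.5 Million United States Dollars, reply to the barrister"),
    ("2010-03-23", "Euro Powerball winner notification: US$750,000 awaits you"),
    ("2010-03-23", "Regular newsletter, nothing to claim here"),
    ("2010-03-24", "You are the sole beneficiary of $1,726,677,256.77 from a deceased account"),
]


def extract_amounts(text: str) -> list:
    """Every dollar amount claimed in a message, as Decimal (exact, no float rounding)."""
    found = []
    for m in AMOUNT_RE.finditer(text):
        if m.group(1):
            # strip a trailing comma that is really sentence punctuation, then thousands separators
            found.append(Decimal(m.group(1).rstrip(",").replace(",", "")))
        else:
            found.append(Decimal(m.group(2)) * SCALE[m.group(3).lower()])
    return found


def daily_totals(messages=MESSAGES) -> dict:
    """Sum of claimed amounts per calendar day (days with only unparsed mail total 0)."""
    totals = defaultdict(Decimal)
    for day, text in messages:
        totals[date.fromisoformat(day)] += sum(extract_amounts(text), Decimal(0))
    return dict(totals)


def summary(messages=MESSAGES) -> dict:
    """Running total, per-day average, and the lowest/highest single day."""
    totals = daily_totals(messages)
    days = sorted(totals)
    total = sum(totals.values(), Decimal(0))
    return {
        "total": total,
        "days": len(days),
        "per_day": total / len(days),
        "lowest": min(totals.values()),
        "highest": max(totals.values()),
        "as_of": days[-1],
    }


def project(total: Decimal, as_of: date, per_day: Decimal, until: date) -> Decimal:
    """Total expected on `until` if `per_day` keeps arriving every day after `as_of`."""
    remaining = (until - as_of).days
    return total + per_day * remaining


if __name__ == "__main__":
    s = summary()
    print(f"{s['days']} days, total ${s['total']:,.2f}, per day ${s['per_day']:,.2f}")
    print(f"lowest day ${s['lowest']:,.2f}, highest day ${s['highest']:,.2f}")
    print(f"projected for 2010-12-31: ${project(s['total'], s['as_of'], s['per_day'], date(2010, 12, 31)):,.2f}")
```

Decimal rather than float is deliberate: once the running total is in the tens of billions, float arithmetic would start dropping the cents the post reports.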

Who needs a stimulus package?

I think there greatly needs to be further education of the general, non-tech-savvy public, because as the saying goes, if it didn't work, we wouldn't be seeing this spam.

I'm frankly tired of seeing "soft" news stories about otherwise smart people who get duped into these scams. Literally every one of them ends with the same epilogue: "If it sounds too good to be true, it probably is."

I've got a better line they should start using: "Are you high?!"

Seriously: does anyone really believe that they are actually the "winner" of a lottery every other day?

At this rate, I can't even guess how high this will go. My existing projection tells me that based on today's date, and the average I am winning / inheriting every single day, I will reach the following total on Dec. 31st of this year:


$107,498,721,679.48


Or: nearly one hundred and eight Billion dollars.

If you found this blog posting while looking to see if "your email has won you $10,000,000.00!!!!!!11!!", please read this:

Use your brain.

No lottery in the world will notify you by email, and they will not require you to ever PAY them any money. Use your brain.

The only way you win a lottery is on the off chance (alleged to be one in several billion) that your number, which you paid for at a lottery booth, has won. Your email address cannot "win" anything. Use your brain.

Similarly, you are very unlikely to be notified at random via email when some long-lost alleged relative has died and left you an inheritance.

But most importantly:

You won't win a lottery or inherit hundreds of millions of dollars every single day. You just won't.

SiL / IKS / concerned citizen

Friday, March 19, 2010

MSN Live Spaces: Wake Up!

Several of you may remember that last year I posted an open letter to Yahoo Groups since, at that time, they were the most abused free services used by spammers.

Over the course of many months, several of my colleagues and I assisted Yahoo's abuse teams to rectify the problem, and now they have a very accurate filtering system in place, as well as other means of stopping mass registrations of new Yahoo Groups entries.

Well here we are, only 8 months later, and we're seeing the same abuse happening on MSN Live Spaces, Microsoft's social media portal.

To be clear, the abuse of MSN Live Spaces has been going on at least as long as Yahoo Groups abuse, but it's only recently that we've seen a noticeable increase in the use of MSN Live Spaces Links in spam messages. For the accounts that I monitor, I'm talking about at least a 500% increase. For friends of mine, the increase is even higher than that. On average I now see over 180 messages every day which feature these links.

Some of my colleagues have had mild success in contacting members of MSN support regarding this. To date there has been only a tiny response to this problem, and the barrage is only increasing.

MSN's abuse process for reporting one single, individual offending MSN Live Spaces account is to fill out a form located here, manually entering as much information as the user can find out about the link, and including information which I guarantee the user will not know at all, such as which MSN account was the creator of the Spaces account in the first place.

Filling out that form for one offending URL is fine, if you're only receiving, say, one or two per day. Nobody I know is receiving fewer than 40 of these every single day. This is far from an intuitive method of reporting abuse.

All attempts to contact MSN Spaces abuse teams directly, including via this abuse form, have been met with no response, and no feedback on what happened to my report. In most cases, URLs I have reported remain alive several days or weeks later.

MSN Spaces: Wake up!

As we speak, the predominant spam I'm seeing for this is promoting the bogus (and previously mentioned) "Marmeladies.com" fake Russian Dating scam, but many more recent examples seem to focus on "Elite World Casino", another bogus online casino, possibly featuring malware in its installer software. Other newer spam messages I'm monitoring are now also promoting a Korean-hosted "Auto Warranty Source" website, currently hosted at americanwarrantyexpress.com, but of course that URL changes weekly. It's the same affiliate ID every time, however. This turns out to be a scammy US-only auto-insurance operation promoted by the Russia-based "AffZoo.com" affiliate program.

Prior to this month, the #2 type of spam abusing this service was for "Downloadable Software", a site which sells counterfeit versions of Microsoft Windows, Microsoft Office, and a variety of other popular software titles. The software these sites provide is known to contain malware and will cause your Windows computer to join one or another known botnet, operated by criminals, and actively engaging in illegal activity. MSN Live Spaces was likely chosen as the free-hosting solution for this spam because it's a Microsoft portal, so it would make these patently illegal software websites appear to have an air of legitimacy. I reported some 300 of these in the past two months. Only a very small portion of those URLs were ever shut down. (I just checked again and several dating back to January are still active.)

The point is: MSN is not doing anything about this. It's been going on for at least a full year now, and it's only getting worse. The abuse form provided to users is only going to be used by those who really want to spend a lot of time reporting one single URL. People receiving anything like the same deluge I'm seeing aren't going to bother, and of course MSN offers no bulk-reporting service whatsoever.

An obvious suggestion would be to have a quick, easy-to-click link that reports the MSN Live Spaces URL that you are currently viewing, and there you go. Done. Click on it, provide some details about why you think it's scammy, and submit. Blogger does this. Google Pages does this. Numerous types of forum software do this. MSN Live Spaces does not. Why?

Given that so far only 1% or less of my abuse reports have seen any kind of action taken, I believe it is safe to say that MSN effectively has no abuse process for this issue. As far as I'm concerned, I could block all inbound email messages featuring a "spaces.live.com" URL, and my spam would drop by at least two thirds. I know I'm not the only one thinking this, and already at least one spam blocklist has indeed flagged spaces.live.com as featuring a large number of spammy URLs.
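Before putting a host-based block like that into a mail filter, it is worth measuring on your own sample what share of messages it would actually catch, and at the same time collecting the distinct offending URLs, since that list is exactly what a bulk abuse report needs. The following is an added example, not code from this blog, that does both over a constructed set of message bodies. It treats any subdomain (a cid-xxxx.spaces.live.com style host) as belonging to spaces.live.com; the message texts, the cid values and the other hosts are made up for the example.

```python
"""Measure the coverage of a link-host block over a spam sample (added example).

link_hosts pulls every URL out of a message body and returns its hostnames;
under() decides whether a host is the blocked domain or a subdomain of it;
coverage() counts how many messages in the sample would be rejected by such
a block; offending_urls() lists the distinct URLs under the domain for a
bulk abuse report. MESSAGES is a constructed sample.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# http(s) URLs; trailing sentence punctuation is trimmed after matching
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# constructed sample of spam bodies
MESSAGES = [
    "Russian girls waiting for you http://cid-0a1b2c3d.spaces.live.com/blog/",
    "Play now at Elite World Casino!! http://cid-4e5f6a7b.spaces.live.com/default.aspx",
    "Your auto warranty is expiring http://cid-8c9d0e1f.spaces.live.com/lists/",
    "Get Microsoft Office cheap: http://Cid-2233AABB.Spaces.Live.com/photos/.",
    "Meet her tonight http://littledatenow.com/",
    "Lowest prices on meds, see http://redir.example/?x=1 and http://littledatenow.com/",
    "Plain text message with no link at all",
]


def _urls(text: str) -> list:
    """All URLs in a message body, with trailing punctuation removed."""
    return [raw.rstrip(".,;:!?") for raw in URL_RE.findall(text)]


def link_hosts(text: str) -> set:
    """Lower-cased hostname of every URL in a message body."""
    hosts = set()
    for url in _urls(text):
        host = urlparse(url).hostname     # already lower-cased by urlparse
        if host:
            hosts.add(host)
    return hosts


def under(host: str, domain: str) -> bool:
    """True if host is `domain` itself or a subdomain of it (not a lookalike suffix)."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def host_table(messages=MESSAGES) -> Counter:
    """Number of messages linking to each host (a host counts once per message)."""
    table = Counter()
    for m in messages:
        table.update(link_hosts(m))
    return table


def coverage(messages, domain: str) -> dict:
    """How many messages a block on `domain` would reject, and the share of the sample."""
    total = len(messages)
    matched = sum(1 for m in messages if any(under(h, domain) for h in link_hosts(m)))
    return {"matched": matched, "total": total, "share": matched / total if total else 0.0}


def offending_urls(messages, domain: str) -> list:
    """Distinct URLs under `domain`, sorted, ready to paste into a bulk abuse report."""
    found = set()
    for m in messages:
        for url in _urls(m):
            host = urlparse(url).hostname
            if host and under(host, domain):
                found.add(url)
    return sorted(found)


if __name__ == "__main__":
    c = coverage(MESSAGES, "spaces.live.com")
    print(f"blocking spaces.live.com links rejects {c['matched']}/{c['total']} messages ({c['share']:.0%})")
    for host, n in host_table().most_common():
        print(f"{n:4d}  {host}")
    print("\n".join(offending_urls(MESSAGES, "spaces.live.com")))
```

The suffix test in `under` requires the dot, so a lookalike such as notspaces.live.com does not match; that is the difference between a domain block and a substring match, and it matters once you start blocking on a host you do not control.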

What will it take for MSN to address this problem? Why isn't anyone from MSN Live Spaces responding to any abuse complaints? Why have there been absolutely no modifications to their abuse form in well over a year, given that this problem has only increased?

I'd like to encourage readers of this posting to provide feedback directly to the MSN Live Spaces team, using their feedback form, especially if you, like me, are continuing to see the majority of your inbound spam messages featuring MSN Live Spaces links. This has to stop.

SiL / IKS / concerned citizen