Thursday, December 31, 2009

2009: Year Three Of Consistent Action Against Cybercriminal Activity

Another year, another series of scumbag criminals trying their best to grab all the money of ordinary people around the world. But also: another series of arrests, shutdowns, and more and more media exposure of cyber criminals and their illicit activities.

Here's to still more pressure against cybercriminals who think they can constantly get away with selling fake and dangerous pills to us, swindling the public, and avoiding law enforcement. Certainly some of them still have, but it's clear from the past three years that their days are numbered.

For a change, I want to send out best wishes to some of the extremely diligent researchers and reporters out there who have kept a consistently sharp eye on the illegal activities of numerous groups and individuals, and recommend their blogs to you.

» All the researchers at FireEye Malware Intelligence Lab.

» Brian Krebs, Security Fix at the Washington Post.

» Gar Warner, Cybercrime and Doing Time.

» All the contributors to the Threat Level Blog at Wired.

» Dancho Danchev, Mind Streams of Information Security Knowledge.

And of course:

» All of the contributors to the Forums at InBoxRevenge.

All of you have helped make life extremely difficult for cyber criminals this year and in previous years, and I think it's safe to say that your continued shining of bright lights on their activities may one day lead to a serious shutdown of cyber crime activities. (Well, or more so than even this year. You'll see what I mean below.)

I should apologize in advance because the length of this post is far more than any average posting on this blog. In this particular case, long is good. This was an unprecedented year.

Here we go...


  • Jan. 8th: Maksym Yastremskiy (aka: "Maksik") is sentenced to 30-years in prison by a Turkish court for his part in the infamous TJ Maxx hack which stole some 45 million credit cards from point of sale network data at a variety of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores across the US. There are 10 others still pending trial.
  • On Jan. 14th, SiL's "winnings" total from Nigerian scammers [visible in the right-side section of this blog] hits $1 Billion USD. He had begun tabulating every fake "lottery" or "inheritance" message starting on Nov. 17th, 2008. It only took 59 days to reach his first billion USD.
  • Jan. 30th: Ukrainian web hosting provider UkrTeleGroup Ltd., another in a series of "bad actor" hosting companies (remember Atrivo and McColo?), is taken offline. This is a result of the continued exposure of their illicit activities by members of the tech media.
  • On Jan 27th, SiL's "winnings" total from Nigerian scammers hits $2 Billion USD. That only took 13 days.


  • Feb. 12th: FireEye Security begins a series uncovering further companies who clearly support illegal activity online, starting with a comprehensive report on Starline Web Services, hosted in Estonia.
  • Also on Feb. 12th, a news story is posted claiming that Microsoft, Symantec and other corporations are offering a $250,000 reward for information leading to the arrest of whoever is behind the malicious "Conficker" worm, which is extremely virulent and widespread. This leads to some doubtful discussions within the anti-spam community, since whoever it is most likely is living in Russia or Ukraine, and likely very well-protected and hard to find. [See also this story.]
  • On Feb. 14th, a news story appears that (finally!) one of the numerous Nigerian scammers had been arrested for fraud in Mumbai, India:

    The incident started when Mmereole had e-mailed a message to the Mumbai businessman in November 2008 saying that he could obtain unclaimed money amounting US$ 8.6 Million from one Oceanic Bank located in Nigeria by paying US$ 8,780 as processing fees, police said.

    The message said that the bank's director would personally collect the fees from the businessman. However, the businessman sought police help by lodging a complaint at the CCIC.

    He subsequently contacted Mmereole and falsely expressed his willingness to pay the processing fees. After that, they chalked out a plan to meet at the hotel where police caught the Nigerian fraudster while taking the money, officials said.
  • On Feb. 18th at approximately 4:00pm EST, the forum at InBoxRevenge is the target of an SQL injection attack. The attack was vaguely warned about via a spam message worded identically to those for well known illegal pharmacy site Canadian Pharmacy. The attack was effective for approximately 12 minutes, after which the forum continued operation unfazed. Following this attack, numerous automated attempts to register were logged. All of them originated from Russia, Ukraine, Israel and Croatia. The operators of Glavmed / Spamit (the affiliate program and sponsor group behind Canadian Pharmacy spamming activity) are believed to be the perpetrators.
  • On Feb. 25th, SiL's "winnings" total from Nigerian scammers hits $3 Billion USD.

  • On March 3rd, renowned and unrepentant spammer Sanford Wallace is sued by Facebook for (guess what?) spamming Facebook members.

    ...the suit covers allegations that Wallace and his business associates spammed Facebook members with wall posts that posed as messages from their friends. The gang allegedly hacked into accounts using phishing techniques before sending the offending messages.

    This comes nearly a full year after Wallace was ordered to pay $230 million dollars to MySpace for precisely the same activity. (See also this coverage.)
  • March 4th, renowned cybercrime investigator and blogger Dancho Danchev notes that pro-gay Russian websites have been under sustained DDOS attack for a week. This is somewhat ironic, given the sheer volume of spam messages originating from Russia featuring message bodies with multiple occurrences of the word "penis".
  • On March 10th, Sergei Markov, a member of Vladimir Putin's Unified Russia Party, jokes that his assistant was responsible for the 2007 cyber attack against Estonia.

    During a discussion on information warfare in the 21st century, moderated by US-based Russian journalist Nargiz Asadova, Markov unexpectedly went into a Boris Yeltsin-style rant, Radio Free Europe reports.

    "About the cyberattack on Estonia... don't worry, that attack was carried out by my assistant. I won't tell you his name, because then he might not be able to get visas," he said.
  • On March 5th, SiL's "winnings" total from Nigerian scammers hits $4 Billion USD.
  • On March 7th, the most widespread new virus, known as Conficker or Downadup, upgrades all infected PCs in the first "push"-style update ever witnessed on a large-scale botnet.

    In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the prolific worm. For one, the update targets antivirus software and security analysis tools to prevent them from removing the malware. Not only does it try to disable anti-malware titles, it also goes after programs such as Wireshark and regmon.

    And for another, it also greatly expands the number of domain names infected machines contact on a daily basis.

    A few days later, a group known as "Bit Defender" releases their own Conficker removal tool.
  • On March 13th, Konstantin Goloskokov, a "commissar" in the Kremlin-backed youth movement known as Nashe (or Nashi, depending on the report you read) claimed responsibility for the 2007 cyber attack against governmental and other sites in Estonia.

    Mr. Goloskokov said: "We did not do anything illegal. We just visited the various internet sites, over and over, and they stopped working.

    "We didn't block them: they were blocked by themselves because of their own technical limitations in handling the traffic they encountered."
  • On March 13th, the BBC program "Click" receives lots of tech media attention when they demonstrate the functionality of a botnet which they had temporarily gained control of. British investigators consider whether what they did was illegal even though they didn't use the botnet for any actual malicious intent.
  • March 16th: reports surface that cybercriminal and spamming activity is rising as it never has before.

    Expect more spam later this year. IronPort's Bandhari said that botnet owners are building vast bot armies with the capability of sending even more spam but are not yet using them to their full capacity. "We see two or three botnets that are set up but not fully monetized yet," he said. "There have been some spam and malware attacks hosted from there, but they are trying to stay under the radar."

    Botnets and cybercrime appear to be receiving much more press attention since November, 2008. This is mostly a good sign.
  • On March 19th, renowned, long-time stock spamming relatives Darrel and Jack Uselton settle with the SEC regarding charges the SEC filed against them way back in July 2007 over their rampant stock spamming and market manipulation.

    Without admitting or denying the SEC's allegations, the Useltons agreed to be permanently banned from selling penny stock in the future. Out of $4.2m seized by authorities, Darrell Uselton will pay more than $2.8m in disgorgement and prejudgement interest. The SEC will also collect a $1m penalty.

    Darrel Uselton still faces charges for engaging in organized criminal activity.
  • On March 20th, a rogue fake antivirus affiliate portal is shuttered after Visa and MasterCard report massive chargebacks for its card processing accounts. The story is reported both by F-Secure and Brian Krebs' Security Fix blog at the Washington Post. The Krebs story in particular references several connections to the Conficker worm, which may have been purposely flooding that site in the hopes of stifling competition with another, unknown fake antivirus site.
  • Also on March 20th, Trend Micro's security blog itemizes all of the spam brands being spammed via the Waledac virus. The spam is clearly from several affiliate programs, notably Spamit, and AffConnect. This only clarifies that any individual can use whichever botnet they choose, to spam on behalf of any rogue affiliate program.
  • On March 24th, SiL's "winnings" total from Nigerian scammers hits $5 Billion USD.
  • March 26th, 25-year-old Charlie Blount Jr. of West Haven, CT is sentenced to four years for his participation in a phishing and identity theft scheme against users of AOL.
  • Also from West Haven, CT (what is it about that city?), 24-year-old Thomas Taylor managed to avoid doing any jail time for his participation in the same malware scheme.

  • On April 7th, SiL's "winnings" total from Nigerian scammers hits $6 Billion USD.
  • At the RSA conference on April 21st, cybercriminal researcher Joe Stewart makes an open call to take a new approach in fighting the numerous criminal organizations which perpetrate most of the cybercriminal activities around the world. The following day, he is interviewed by security reporter Brian Krebs (story).

    What we really need is to form teams that focus on tracking specific adversaries, trying multiple tactics to affect these guys' criminal enterprises. The idea is to escalate the technical measures they have to go through to keep their businesses up and running.
  • April 23rd: reports surface that a very large-scale Ukraine-based botnet has infected 70 US Government domains.

    The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains -- 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine.

    Details of the botnet and what it does can be found on the Finjan website, who were the ones who discovered it.
  • On April 30th a US District court in Missouri indicted four men in a "Giant College Spam Operation":

    A federal grand jury in Missouri has indicted two brothers and two other people on charges related to an alleged e-mail spamming case that targeted more than 2,000 U.S. colleges and sold more than US$4.1 million worth of products to students, the U.S. Department of Justice announced.
  • On April 24th, SiL's "winnings" total from Nigerian scammers hits $7 Billion USD.
  • It also comes to light on April 30th that a list of backers of Hillary Clinton and her presidential campaign was sold to some 21 buyers for an alleged $4.5 million.

    In the first three months of 2009, Mrs. Clinton's presidential campaign brought in $4.5 million by selling or renting out the list, which has contact information for more than a million people. Among the 21 customers for the list were political entities closely connected with Mrs. Clinton, according to first quarter filings with the Federal Election Commission. They included her political action committee, her Senate campaign committee and her husband Bill Clinton's charitable foundation, which together paid more than $3.5 million to use the list, the FEC filing showed.
  • On April 25th, the Canadian Government tables their first-ever legislation regarding spam and online crime. Titled "The Canadian Electronic Commerce Protection Act" (CECPA?!), the bill purports to protect Canadians against numerous forms of online criminal activity, including spamming.

    The Honourable Tony Clement, Minister of Industry, today announced that the Government of Canada is delivering on its commitment to protect consumers and businesses from the most dangerous and damaging forms of spam. The government has introduced legislation in Parliament that aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.

    The proposed Electronic Commerce Protection Act (ECPA) will deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and will help drive spammers out of Canada.

  • On May 8th, in a bizarre story, "someone" operating a very large botnet known as the "Zeus botnet" (one of many such Zeus botnets, by the way) sends a command to "kill operating system", or "kos", causing some 100,000 infected Windows PCs to shut down completely. Zeus is known to harvest financial and identity data, and the theory is that whoever commanded this botnet to shut down did so in the hopes that they could use the vast amounts of credit card and other data they had harvested.
  • May 18th, Sergiu Daniel Popa, 23, originally from Romania, is sentenced to eight and a half years for running numerous phishing websites claiming to be Sun Trust Bank, Citibank and PayPal. Popa also (of course!) sold several phishing kits to other criminals. See also further coverage by the Register.

    He pleaded guilty last year, so the long prison term Popa received took some security watchers by surprise.

    In sentencing, Judge John Tunheim said the long jail sentence he was imposing against Popa reflected the scope and longevity of his offences, as well as the many victims affected by his crimes.
  • On June 2nd, SiL's "winnings" total from Nigerian scammers hits $8 Billion USD. This latest "Billion" took longer than average [40 days], possibly due to SiL reporting some 750 free-mail accounts to their providers.
  • Throughout June, and continuing to this day, spam is seen in the wild claiming to be from Microsoft, Adobe, and a variety of governmental, financial and other agencies, in the hopes of infecting (or perhaps "re-infecting") as many people as possible with the Zeus bot (remember the shutdown that took place earlier?). Numerous researchers write several reports and track down the hundreds of thousands of domains this crew registers. This further raises the question of when ICANN will actually start enforcing its registrar accreditation regulations, given that so many rogue affiliates continue to allow domains to be registered "en masse", with either no contact information or completely fake contact information.

    This same group of spammers or individual spammer (unknown) also attempts to sell one or another of a growing number of fake antivirus products which are essentially ransomware.

    Numerous stories tied to this one, and the research continues to this day, but this one covers all the bases.
  • On June 22nd, the FBI puts out a press release announcing that Alan Ralsky, long-time fraudster and unrepentant spammer, has pleaded guilty along with four of his accomplices to numerous charges, including those directly pertaining to criminal spamming activity. The charges include conspiracy to commit wire fraud, making false statements to federal officers, and (obviously) violating the CAN-SPAM Act. Each faces 2 to 3 years in federal prison. Score another win for law enforcement.
  • A few news organizations publish a story alleging that well-known spammer Ron Scelson has been arrested on rape and molestation charges.

    Slidell Police seized over a dozen computers on Tuesday from the business and home of a man who allegedly molested a teenager.

    The bust comes after a several month investigation looking into claims that 36-year-old Ronald Scelson handcuffed a 14-year-old girl to a chair and molested her.

    There is no further coverage of this story for the rest of the year, so it's unknown whether these charges were sustained or not.
  • On June 30th, SiL's "winnings" total from Nigerian scammers hits $9 Billion USD.
  • On July 28th, a report entitled HTTP, Web Browsers and Web 2.0 - A Criminal's Dream is presented at a Cisco / IronPort event in Thailand. It directly names Glavmed, Spamit, and Canadian Pharmacy as having direct links to each other and to a variety of website infections, as well as to the ubiquitous Storm worm.
  • On July 21st, cybercrime research group FireEye publishes its discovery that yet another rogue ISP allowing criminal activity to thrive, known as "3fn", has also lost its connectivity. (3fn stands for "Triple Fiber Networks", and was apparently related to a company named "Pricewert LLC".) This is the fourth shutdown that we know of, and exposes a huge amount of criminal activity related to payment processing (notably on behalf of several child pornography sites), hosting of child porn, command and control of botnets, distribution of malware, and of course the hosting and processing for numerous illegal online pharmacies. There's lots more that probably wasn't published.

    The shutdown was executed by the US Federal Trade Commission [press release] and marks another win for law enforcement against these criminal entities.
  • On July 8th, David S. Patton pleads guilty to creating botnet software which was previously used by renowned spammer Alan Ralsky. This is merely the latest in a series of guilty pleas and sentences which followed the arrests of Ralsky and several of his cohorts in 2008.
  • August 4th: The Canadian Press publishes what must be the first mainstream media story (i.e.: not specifically a technology blog or media entity) regarding the criminal nature of "Canadian Pharmacy", making specific mention of GlavMed.

    ...whose logo is a googly-eyed snake wrapped around a martini glass containing colourful pills - is registered under the name Pharmos Limited, with an address listed in Great Britain.

    The phone number provided offers no identification when called, and accepts voice mail; but no call was returned when a message was left. While the majority of the GlavMed site is in English, the frequently asked questions are in Russian.
  • On August 8th, Twitter, Facebook and many other social networking sites suffer a fairly large-scale DDOS attack from persons unknown.

    "On this otherwise happy Thursday morning, Twitter is the target of a denial of service attack," wrote Stone. "Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways, and in this case, Twitter for intended customers or users. We are defending against this attack now and will continue to update our status blog as we continue to defend and later investigate."
  • Also see this coverage from the Washington Post's Brian Krebs.
  • On August 10th, SiL's "winnings" total from Nigerian scammers hits $10 Billion USD.
  • August 17th: Jody Smith, the third individual previously charged in the shutdown of AffKing (responsible for huge, huge amounts of spam until their shuttering in October 2008) pleads guilty to the charges laid against him.

    Jody M. Smith, 30, of McKinney, Texas, has pleaded guilty in federal court here of conspiracy charges that said he helped manage an international business that sold counterfeit goods and illegal pharmaceuticals online in 2004-08.

    Officials said Friday that the business used spam e-mails to sell in eastern Missouri and elsewhere.

    Unfortunately he faces only a $250,000 fine, though he also faces up to five years in federal prison. Sentencing is scheduled for October 23rd.
  • On August 19th, Harpo, Inc., Oprah Winfrey's production company, filed a trademark infringement suit against more than 50 online marketers of bogus dietary supplements such as "acai berry".

    Harpo, Inc. has filed this lawsuit to let consumers know that these internet marketers are willfully using the names of well-known figures to deceive the public. Neither Ms. Winfrey nor Dr. Oz has ever sponsored or endorsed any acai, resveratrol or dietary supplement product and cannot vouch for their safety or effectiveness. It is our intention to put an end to these companies’ false claims and increasingly deceptive practices.

    The marketing company behind this operation, known as FWM Laboratories, states that its affiliates are the problem, completely ignoring the fact that those affiliates are representing its products, which makes FWM legally liable.
  • August 27th, Real Host, based in Riga, Latvia, loses its upstream network connectivity due to rampant, relentless criminal activity taking place throughout its domains.

    Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious "rogue" antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Web site. "This is maybe one of the top European centers of crap," he said in an e-mail interview.

    "It was a cesspool of criminal activity," said Paul Ferguson a researcher with Trend Micro.

    Also see this excellent documentation. This follows in the line of other disconnections of online "bad actors" which started in October 2008.
  • In late August a mini-documentary entitled Stop H*Commerce is produced by computer security company McAfee. This documentary is a must-see for anyone intrigued by how a typical Nigerian scam operates, and how cybercriminal activity is perpetrated generally.
  • On September 1st, SiL's "winnings" total from Nigerian scammers hits $11 Billion USD.
  • The ongoing "Zeus bot" phishing / malware attacks continue, this time under the guise of an IRS message claiming that the recipient has "underreported income" [source]. Brian Krebs continues to monitor and report on these attacks, and ties them to a very large scale money mule operation [source], as well as the theft of hundreds of thousands of dollars from the accounts of several small businesses and US School Districts. The spam barrage continues, and this has the effect of exposing numerous holes in the US business banking industry as well as the money wire industries (Western Union, etc.) [source]
  • Sept. 29th: a very comprehensive report is presented at the Virus Bulletin Conference in Geneva, Switzerland, entitled The Partnerka - What Is It, And Why Should You Care? It discusses spamming as a popular cultural entity within Russia, its ties to Russian organized crime, and again names Glavmed as being directly responsible for the plethora of Canadian Pharmacy spam flooding the Internet.
  • September 29th: Petru Belbita, 25, and Cornel Tonita, 28, both of Romania, are extradited to the U.S. for their execution of a number of phishing attacks claiming to represent Citibank, Wells Fargo, eBay and a slew of others. Both face more than 30 years in prison.
  • On October 19th, SiL's "winnings" total from Nigerian scammers hits $12 Billion USD.
  • Starting on October 28th and continuing throughout November, the InBoxRevenge forum becomes the target of a series of large-scale DDOS attacks by persons unknown. This has very little effect on the stable communication of its members, or on the communication of its members with media and tech contacts or law enforcement.
  • Also on October 28th - and very possibly linked to the above-mentioned attack against InBoxRevenge - several domains crucial to payment processing for Spamit and Glavmed are shut down, including and This is briefly mentioned in a sweeping report (dated Nov. 7th) on behalf of the Russian Association of Electronic Communication (RAEC) which draws a lot of the same conclusions numerous spam researchers have been arriving at for years:

    Experts estimate that the lion's share of spam market players have provided service for such pharmaceutical resources as which sells counterfeit goods, including counterfeit Viagra. As of November 15, 2009, this affiliate programme tops the Spamhaus list under the name of Canadian Pharmacy (, #1 spammer in the world.

    This does not stop or even appear to slow the onslaught of spam promoting the bogus "Canadian Pharmacy", but it certainly must have made some of their affiliate ranks lose considerable profits. Nobody at InBoxRevenge had anything whatsoever to do with the shutdown of any of these processing domains. (Though we wish we did.)
  • The zeus / zbot spam continues, claiming over numerous weeks to be on behalf of Gmail, Towernet / CapitalOne, "your email provider", the FDIC, Facebook and MySpace. Many media outlets report on this (not merely tech media) and most of the dozens of domains the criminals behind these attacks have registered end up being shut down quickly, often before the phishing spam is even received.
  • On October 30th, a California Judge awarded Facebook $700 Million in damages against Sanford Wallace (see original lawsuit entry in March.)

    In addition to the damages, Judge Jeremy Fogel of U.S. District Court in Northern California's San Jose division banned Wallace, and anyone affiliated with him, from accessing Facebook.

    Facebook acknowledged that it doesn't expect to get much money out of the bankrupt Wallace, but it said that he could end up behind bars.

November: Let me just say that over the past three years, the month of November has seemed to be the key month out of the year in which a large number of arrests, indictments, shutdowns and other negative impacts against the infrastructure of cybercriminals and spammers takes place. This November was easily among the most active ever seen.
  • On Nov. 2nd, Shane Atkinson and Roland Smits, of the infamous AffKing / SanCash / GenBucks spamming affiliate program, are ordered by a New Zealand court to pay fines of $100,000 NZD and $50,000 NZD, respectively.
  • Nov. 6th, renowned network security organization FireEye investigate and subsequently take action to shut down the persistent Mega-D botnet, also known as Ozdok. Mega-D is widely known for sending some 30% or more of all spam worldwide. Their planning and execution of this shutdown is reported in numerous media outlets.
  • On November 9th, SiL's "winnings" total from Nigerian scammers hits $13 Billion USD. This is just shy of a year from the date he first started tabulating the amount.
  • Nov. 10th, four men are indicted by the U.S. Attorney's office for the Northern District of Georgia, in Atlanta for their part in the theft in Nov. 2008 of 9 million dollars (USD) via hacked ATM pay cards. They hail from Ukraine, Estonia and Romania. A fourth individual's identity and location remain unknown. Definitely also read coverage by Gar Warner and the Washington Post's Brian Krebs on this story. [Also see: USDOJ press release.]

    Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as "Hacker 3" were indicted by a federal grand jury in what's being described as "perhaps the most sophisticated and organized computer fraud attack ever conducted."

    The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack.
  • In further follow-up to the previous Mega-D botnet takeover, FireEye hands over control and monitoring of the "sinkhole" domains to renowned security research organization Shadowserver [source] who will continue to monitor and report on any further discoveries regarding this now-defunct spamming botnet. [See also this story.]
  • InBoxRevenge undergoes its third major SYN Flood attack during an additional 2 days in late November. Again this does absolutely nothing to stop that group from continuing to analyze and report on criminal spamming and other cybercriminal activity. Clearly somebody is upset, and only a few days later do we discover that it may have been due to the above-mentioned shutdowns of Spamit / GlavMed payment processing servers.
  • On Nov. 18th, after receiving and analyzing spam attempting to spread the Zeus or Zbot infection for many months [see above], Gar Warner coordinates with law enforcement and other agencies to strategically shut down what is known as the "Avalanche" phishing community. This is yet another major blow to online criminals who had been sending this type of criminal spam for at least six months in 2009, claiming to be on behalf of the IRS, Capital One, Facebook, MySpace and a variety of other organizations. Good riddance. Of course: a new infection campaign - known as Sasfis, which is far more widely detected - begins in its place...
  • On the same day (coincidence?) two individuals from Manchester, England are arrested for their part in the dissemination of the Zeus / Zbot infections. This is the first arrest of its kind, and begins to finally chip away at this widespread, internationally executed crime.
  • On Nov. 19th, numerous news sources quote a press release from the US Food and Drug Administration (FDA) which specifically calls out a large number of domain owners and operators representing what are deemed to be illegal pharmacy affiliate websites.

    The agency issued 22 warning letters to the operators of these Web sites and notified Internet service providers and domain name registrars that the Web sites were selling products in violation of U.S. law. In many cases, because of these violations, Internet service providers and domain name registrars may have grounds to terminate the Web sites and suspend the use of domain names.

    "The FDA works in close collaboration with our regulatory and law enforcement counterparts in the United States and throughout the world to protect the public," said FDA Commissioner Margaret A. Hamburg, M.D. "Many U.S. consumers are being misled in the hopes of saving money by purchasing prescription drugs over the Internet from illegal pharmacies. Unfortunately, these drugs are often counterfeit, contaminated, or unapproved products, or contain an inconsistent amount of the active ingredient. Taking these drugs can pose a danger to consumers."

    Shockingly, one specific affiliate program is singled out, known as, ignoring several of the other far more widely-promoted programs such as (duh) Spamit / Glavmed, promoters of the completely illegal "Canadian Pharmacy" set of websites. Still good news.
  • Also on Nov. 19th, in what appears to be a series of very welcome announcements, Interpol issues a press release outlining the widespread, large scale shutdown of numerous bogus pharmacy operations, including multiple arrests in several countries.

    An international week of action targeting the online sale of counterfeit and illicit medicines has resulted in a series of arrests and the seizure of thousands of potentially harmful medical products.

    In response to an ever-increasing number of websites supplying dangerous and illegal medicines, Operation Pangea II involving 24 countries was co-ordinated by INTERPOL and the World Health Organization's (WHO) International Medical Products Anti-Counterfeiting Taskforce (IMPACT) to highlight the dangers of buying medicines online.

    This affects more than mere spamming operations. This affects a large sector of the black market which sells these drugs, only part of which has to do with criminal spam operations. This is a huge win not just for cybercriminal investigators, but for unwitting consumers of these clearly very dangerous fake pharmaceutical products.
  • On Nov. 23rd, Alan Ralsky is sentenced to more than four years in prison for leading a large-scale criminal spamming operation and engaging in stock manipulation. This case has, of course, been discussed here many times.
    Ralsky, 64, from West Bloomfield, near Detroit, Michigan, was sentenced to 51 months while his son-in-law, Scott Bradley, 48, was imprisoned for 40 months over the same pump and dump stock fraud conspiracy involving thinly-traded stocks.

    Each pleaded guilty to wire fraud, money laundering and violations of the CAN-SPAM Act. Two other co-conspirators, who also confessed their involvement in the scam, were sentenced on Monday. Five others face a sentencing hearing later on Tuesday.

    From the US Dept. of Justice press release:

    "Today's sentencing sends a powerful message to spammers whose goal is to manipulate financial transactions and the stock market through illegal e-mail advertisements," said Assistant Attorney General Lanny A. Breuer. "People who use fraudulent e-mails to drive up stock prices and reap illicit profits will be prosecuted, and they will face significant prison time."

    Cases against three other co-conspirators were still pending...
  • ...Uuuuuntil November 24th. :)

    The remaining six co-conspirators were sentenced to anywhere from one day in prison (David Patton) to four and a half years in prison (Frank Tribble) for their part in assisting Ralsky with his ongoing fraudulent activities. They all face several years of supervised release following their sentences, and they each had to either forfeit hundreds of thousands of dollars, or were fined similar amounts.

    In total, all of the guilty parties forfeited $1,866,100.00 to the US government from their ill-gotten gains, and are fined a total of $10,500.00. On average, they will serve ~3 years in federal prison (Ralsky: 51 months; his son-in-law Scott Bradley: 40 months; shortest sentence: one day for David Patton).

    It's also notable that four of the accomplices were given additional jail time and supervised release time due to what was termed "committing a substantive violation of the CAN-SPAM Act". This is the first time the actual CAN-SPAM law has been brought to bear, and the first court precedent in sentencing for this particular violation. Certainly a step in the right direction.

    Good riddance.
  • On Nov. 26th, a press release states that police in Germany and Austria shut down a fairly major credit card theft operation:

    In raids throughout Germany and Austria, police closed down a web gang which stole private credit-card data and used viruses to create a network of 100,000 robot computers, Germany's Federal Crime Office said Wednesday.

    In Germany, three persons were detained during the Tuesday raids on 46 homes. One was held in Austria. Many computers were seized.

    This is not necessarily related to spam (and in SiL's opinion, spam is really just one of many outlets of the type of crime he and others investigate and report on) but it's still a very significant series of arrests.
  • On November 27th, in what appears to be a later-than-usual discovery, numerous news outlets - notably several Russian outlets - declare Glavmed (aka: Spamit) to be the #1 criminal spamming operation in the world. The Russian Association of Electronic Communication (RAEC) states the following:

    Experts estimate that the lion's share of spam market players have provided service for such pharmaceutical resources as which sells counterfeit goods, including counterfeit Viagra. As of November 15, 2009, this affiliate programme tops Spamhaus list under the name of Canadian Pharmacy (, #1 spammer in the world.

    With regard to the trans-frontier nature of cyber-crime RAEC urges the international community to synchronize activities aimed at spam prevention. The clampdown on spam in the Russian Internet (RuNet) will most likely result in spammers moving their servers to other countries. This assumption is confirmed by the fact that SPAMDOT.BIZ ( has physically moved its server to Germany (spamdot.INFO, spamdot.ORG) after it has been closed down in Russia.

    As it happens, the shutdown of, a recruiting site for Spamit, occurred on October 28th, the same day as the first of a series of large-scale attacks against the InBoxRevenge forum. (Coincidence?) A Google Translation is available here. Of course, Glavmed's only response is to deny, deny, deny, despite the fact that they openly promote the widely-spammed "Canadian Pharmacy" brand of illegal online pharmacy, and have never hired pharmacists to fulfill the prescription drugs they illegally export to the US and other non-Russian countries.
  • On Nov. 30th, things get worse for the AffKing / SanCash / Genbucks spammers when Lance and Shane Atkinson are ordered to pay $15.15 million USD by the US Federal Trade Commission (FTC). This is nearly a year to the day after their extremely high-volume spam operation was shut down as a result of several restraining orders.

    A U.S. district court last fall ordered an asset freeze and a halt to the spam gang's operation, which was responsible for sending potentially billions of illegal spam messages, and has accounted for more than three million complaints.

    The court has since issued a default judgment against Atkinson, his company, and three companies affiliated with Smith. In addition to the $15.15 million that Atkinson and his company have been ordered to pay, the three companies affiliated with Smith are liable for $3.77 million. All five defendants are prohibited from making unlawful claims about male enhancement products, hoodia products, and any dietary supplement, food, drug, or service purported to provide health-related benefits; from misrepresenting that they can lawfully sell prescription drugs or pharmacy services over the Internet; from misrepresenting the data security measures they provide on their Web sites; and from violating the CAN-SPAM Act.
  • On Dec. 4th, SiL's "winnings" total from Nigerian scammers hits $14 Billion USD.
  • Dec. 9th, following several weeks of inbound spam asking the question "Is Working Online At Home The New Gold Rush?" and linking to a variety of sites implying that Google was somehow promoting some type of pyramid scheme (Original story, documenting hundreds of abused links and third-party properties), Gar Warner reports that Google had finally had enough and was filing suit against "Pacific Webworks", the company behind the scam. [He cites the Sophos blog, but a few other sources also reported it.] Much more information on the company and their scam is available here.
  • Also on Dec. 9th, Project HoneyPot, an initiative which tracks the IP addresses of spam senders and of the harvesters that scrape e-mail addresses from public websites, received its billionth spam message.
    The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India ( The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester ( that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.
    The report lists a variety of statistics regarding how much time it takes from harvesting to receipt of spam, and generally describes which botnets are involved, and which properties they spam.
  • On December 10th, news outlets report that one Pavel Valkovitch has pleaded guilty to solicitation to commit murder for trying to have an informant killed. Valkovitch was arrested in 2008 on bank fraud charges, essentially for stealing people's money via a variety of PayPal accounts. He will be sentenced in Feb. 2010. [See also the Wired Threat Level story.]
  • On or around December 11th, a notice is sent from the China Internet Network Information Center (CNNIC), China's regulator of domain name registrations, informing registrars that they must not allow domains to be registered using fake contact information, and must take steps to purge their systems of any offending domain names. This should seem obvious to any legitimate person registering any domain name, but this sets a very strong precedent for Chinese registrars who for many years have been abused by spammers and their cohorts who register thousands of domains using arguably fake contact info. Gar Warner's blog also has some very in-depth analysis, calling out two very common offenders: Xin Net and This should prove to be a very big hit to the profits of spammers from any major criminal affiliate group, notably and Spamit.
  • In a surprising but very much welcome development, on Dec. 11th, domain registrar GoDaddy changes its terms of service to specifically disallow domain registration for any site which sells pharmaceutical products without a prescription. This leads to many angry postings from individuals who operate such websites within the US, apparently unaware that this has actually always been of questionable legality in the first place. In 2008, GoDaddy also changed its terms of service to disallow similar registrations related to the sale of anabolic steroids, causing similar angry responses.
  • On Dec. 17th, in an intriguing report, Symantec reports that 2010 could be the year we see our first autonomous, intelligent botnet [pdf], claiming that the earlier shutdowns of badware hosting companies McColo and Real Host did little to stave off this progression.
    As we move into 2010, it is expected that botnets will become more autonomous or artificially intelligent, perhaps even exhibiting the characteristics of swarm intelligence, where each compromised computer will have built-in self-sufficient coding in order to coordinate and extend its own survival. This will mean the botnet controllers will have more time to focus on driving the bots' use in spamming and other criminal activities, rather than dedicate resources to extending the lifecycle of the botnet.
    In general this makes for interesting reading, and makes clear that despite a year full of successes, there are still some major threats to take care of in 2010.
  • On Dec. 22nd, Lance Atkinson is fined $210,000.00 AUD ($184,239.93 USD) and ordered to refrain from any spam-related activity for seven years:
    ...Justice Andrew Greenwood agreed with the proposed penalty, adding a seven year injunction from sending spam and ordering Atkinson not to knowingly associate with any person involved in sending spam.

    In his judgment, Justice Greenwood labelled the spam as "annoying and irritating".

    He forgot to add "potentially lethal", since many dangerous particles were found in sample orders shipped from the manufacturers of these pills in India. By any measure this fine is far from a deterrent. Atkinson and his cohorts probably made that much inside of half a day. Also see this TimesOnline article.
  • On Dec. 29th, in what appears to be a rather sudden move, Brian Krebs leaves the Washington Post to begin his own security blog, For the past three years Krebs has been instrumental in exposing bad actors involved in cybercriminal activity, and assisting ISPs and law enforcement in tracking down and prosecuting them.

2009 would appear to have been an incredibly bad year to be in the scamming business, even if in previous years these criminals "got away" with their crimes originally. As you may have noticed over the past year, this blog has become less concerned specifically with spamming and more concerned with what spamming is a part of: organized criminal activity which puts the public at risk, no matter which country the perpetrators live in.

Legal action may be slow, but when it all comes together, we end up with a year much like 2009. This is extremely good news. Here's hoping 2010 shows even more progress, especially against the largely Chinese, Eastern European and Russian operatives behind the flood of illegal spam, promoting criminal organizations and the "products" they continue to try to foist upon us.

Happy Holidays everyone. Stay safe!

SiL / IKS / concerned citizen

Tuesday, December 8, 2009

Merry Nigerian Christmas.

A friend of mine came up with a great (and seasonal) way to illustrate to the average non-tech person why Nigerian scams are so easy to spot, which could help them stay away in droves.

I'll use an example I just received.

From: "John Mensah" <>
Subject: Genuine Investment Proposal
To: undisclosed-recipients:;

Dear Sir,

My name is John Mensah from Ghana. I represent a group of a Government Certified Local Gold Dust Miner in Ghana. We have just concluded gold dust deals with foreign gold trading companies in Ghana and realised some funds out of the deals. The funds are now kept in security companies in Ghana and Cote D'Ivoire respectively. We would want to invest the funds outside Africa and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.

Yours faithfully,
John Mensah

Now let's switch the identity:

From: "Santa Claus" <>
Subject: Genuine Investment Proposal
To: undisclosed-recipients:;

Dear Sir,

My name is Santa Claus from The North Pole. I represent a group of a Gift-Making Elves in The North Pole. We have just concluded manufacturing of toys in The North Pole and are ready to begin distribution. The toys are now kept in safe places in The North Pole and my sleigh respectively. We would want to distribute the toys outside The North Pole and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.

Yours faithfully,
Santa Claus

Even if you don't celebrate Christmas, you know that Santa Claus doesn't "need assistance" in providing toys that he freely distributes to children around the world. He just does it. So why would you need to send him anything? (Well: aside from a Christmas list I mean...)

More importantly, assuming you responded to this criminal, he'd immediately come up with some story that you somehow needed to send him a "fee" to begin with your "assistance."

The same is true of our "John Mensah", and unfortunately just like Santa Claus, he doesn't exist.

This holiday season, remind your loved ones not to participate in Nigerian scams. Many, many people still fall for these. An analogy like this one might make it much clearer how to spot these scams.

SiL / IKS / concerned citizen

[Edited Dec. 17th for stupid spelling error. Apologies to Mr. Claus and wife...]

Friday, November 20, 2009

FDA To Criminal Pharmacy Affiliate Programs: Stop.

Some great news this morning from the Food and Drug Administration.

Yesterday the FDA's office of criminal investigations sent out warning letters to operators of several domains which present websites selling pharmaceuticals illegally. Brian Krebs has the full story including links to the specific letters and the FDA press release, and the full list of warning letters sent by the FDA to several rogue website operators. That is a significant amount of reading, and essentially echoes what people like me have been trying to tell the public since at least 2005.

This is definitely a case of "No sh*t, Sherlock", since the FDA was arguably in a position to do this as far back as 2006, but it's better late than never. Twenty-two letters, covering 136 websites, were sent to the operators, and they specifically describe the precise illegal nature of each of the sites, which should be obvious to anyone who reads this blog or follows any ongoing spam-related illegal online pharmacies.

I am also a bit surprised that the main "affiliate program" being called out is, since we all know that the #1 criminal promoter of these bogus websites is Spamit aka Glavmed, who continue to pummel the Internet at large with their criminal websites promoting what we know to be completely bogus and dangerous versions of pharmaceutical products. But it's still good news.

One of the key, KEY quotes from the press release:

The agency issued 22 warning letters to the operators of these Web sites and notified Internet service providers and domain name registrars that the Web sites were selling products in violation of U.S. law. In many cases, because of these violations, Internet service providers and domain name registrars may have grounds to terminate the Web sites and suspend the use of domain names.

That one is pretty significant: if you allow a domain name to be registered, and that domain is then used to promote any of these rogue pharmacy sites, YOU can shut it down - period. I should hope that this means far-off companies such as XIN Net, Ename, Beijing Innovative Link, etc., will finally get the message: you can now be held as criminally responsible as the individuals whose websites you allow to be registered. My colleagues and I have been trying to get this message across to these organizations for at least the past three years. This press release from the FDA adds considerable weight to our communications to these companies.

"The FDA works in close collaboration with our regulatory and law enforcement counterparts in the United States and throughout the world to protect the public," said FDA Commissioner Margaret A. Hamburg, M.D. "Many U.S. consumers are being misled in the hopes of saving money by purchasing prescription drugs over the Internet from illegal pharmacies. Unfortunately, these drugs are often counterfeit, contaminated, or unapproved products, or contain an inconsistent amount of the active ingredient. Taking these drugs can pose a danger to consumers."

Again: no surprise to anyone reading this blog, but great that they put it in black and white so that (hopefully at least) the average consumer can now be made aware of this action.

The individual warning letters do not mince words:

The United States Food and Drug Administration (FDA) has reviewed your websites [...] and has determined that you are offering products for sale in violation of the Federal Food, Drug, and Cosmetic Act (the Act). These products include, but are not limited to "Xanax (Generic)," "Valium (Generic)," "Viagra (Brand)," "Acomplia (Generic)," "Acomplia (Brand)," "Rimonabant," "Herbal Xanax," and "Herbal Viagra." We request that you immediately cease marketing violative products.

These products, are drugs under section 201 (g) of the Act, 21 U.S.C. § 321 (g), because they are intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease and/or because they are intended to affect the structure or function of the body. Your marketing and distribution of these drugs violate various provisions of the Act, as described below:[...]

You can't get more clear than that.

I fully expect to see a large number of questions on support forums related to Glavmed or Spamit, saying things like "but you told me this was perfectly legitimate?!?!" I'm certain the responses should be highly entertaining.

Let's see what the next year or so holds in terms of this statement having any real effectiveness in the fight against organized criminals and the websites they continue to push onto unsuspecting consumers.

SiL / IKS / concerned citizen

Tuesday, November 10, 2009

Earth4Energy Appears On Criminal Spam Radar.

In light of recent wins against a variety of Russian-based pharmaceutical spammers, and assistance from Yahoo in getting those pesky Yahoo Groups URLs, I was interested to see what ridiculous trends would start to appear from the same morons who insist on sending spam to people who clearly don't want it.

Enter "Earth4Energy", a site I had never heard of until (you guessed it) people started sharing their samples of inbound, unwanted spam promoting it.

Researching this rather dubious "product" turned out to be pretty interesting, because whoever is behind Earth4Energy has taken great care in registering as many domains as possible - including those which would imply that the product is a scam - and then employing them in all manner of seemingly blackhat SEO (search engine optimization) techniques. This obscures any genuine discussion of this "product", which is why I thought it was probably worth posting here.

Let's start at the beginning. Here's a recently-received sample of the spam being sent, which I have only mildly cleaned up (this particular idiot didn't bother to clean up the formatting for readability):

From: "Dan Kittles"
To: <[spamrecipient]@[domain].com>
Subject: Create a windmill & solar power @ home!

Discover now how to create electricity at home. No gimmicks! It's just a simple science, and I believe you knew it. This is exactly what you need if you are interested of knowing how to generate power and reduce electricity bills at home.

All it takes are guts, the eagerness to read the manual and apply it real life.

Earth4Energy is the solution for our needs. It can reduce our power bills or even completely eliminate it. So why would you follow others who pay $1400 for the installation of Windmill & Solar Power at home? You can actually build your own!

See it on this site to discover it now!

Best Regards,
Dan Kittles

Notice: List is taken from "Dan's Corner". So this e-mail is NEVER sent unsolicited. You are receiving it
because you, or somebody purporting to be you and using your e-mail address, has asked to be added to this mailing list.

To be remove, please reply so. Then we'll remove you from the database.

Boy. Way to go on the copy writing there, moron.

You can see a full example also being reported for spamming at this website. Note that that version, from August 2009, didn't have to use URL shorteners, probably because they had yet to become blacklisted.

The line that says "See it on this site" links to a URL shortener, for obfuscation purposes, in violation of their terms of service regarding spamming:

That in turn redirects to:

With the ultimate goal being to get you to purchase their "manual" via ClickBank's shopping cart functionality:

The site of course contains more breathless testimonials and unsubstantiated claims than even the most bogus pharmacy spam I've seen. That should be red flag #1 to anybody.

So that exposes the "thrust" of this spam campaign, and also the affiliate ID.
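The hop-by-hop walk described above (shortener, then a redirect, then the ClickBank shopping cart with the affiliate ID in it) is something you want to do without letting your HTTP library silently follow redirects, so that every intermediate host gets logged and a redirect loop can't hang the check. The script below is an added example and not code from the original post: it records each hop, stops on loops or after a hop limit, and pulls the affiliate and vendor names out of a ClickBank "hoplink" hostname (AFFILIATE.VENDOR.hop.clickbank.net, the form ClickBank used at the time). The shortener, the intermediate site, the affiliate name and the vendor name in the demo hop table are all constructed; `live_fetch` is included for use against a real spam URL.

```python
"""Walk a spam link's redirect chain one hop at a time and pull the affiliate
identifier out of the landing URL.

Added example, not code from the original post. Assumptions: the shortener
and the intermediate site answer with ordinary 3xx redirects, and the final
hop is a ClickBank hoplink of the form
    http://AFFILIATE.VENDOR.hop.clickbank.net/
The hostnames, paths and names in FAKE_HOPS are constructed for the demo.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

HOPLINK_RE = re.compile(r"^([a-z0-9_-]+)\.([a-z0-9_-]+)\.hop\.clickbank\.net$", re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One hop of a real request: returns (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # a 3xx surfaces here with NoRedirect
        return e.code, e.headers.get("Location")


def resolve_chain(url, fetch, max_hops=10):
    """Return the list of URLs visited, starting with `url`.

    `fetch(url)` must return (status, location). Stops on a non-redirect,
    a missing Location header, a redirect loop, or after `max_hops` hops.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:  # redirect loop: stop instead of spinning
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def clickbank_affiliate(url):
    """Return (affiliate, vendor) if `url` is a ClickBank hoplink, else None."""
    host = urlparse(url).hostname or ""
    m = HOPLINK_RE.match(host)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


# Constructed hop table standing in for the shortener and the landing site.
FAKE_HOPS = {
    "http://short.example/abc123": (301, "http://windmill-plans.example/go"),
    "http://windmill-plans.example/go": (302, "/special"),
    "http://windmill-plans.example/special": (302, "http://dankittles.earth4nrg.hop.clickbank.net/"),
    "http://dankittles.earth4nrg.hop.clickbank.net/": (200, None),
}


def fake_fetch(url):
    """Offline stand-in for live_fetch, driven by FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))


def analyse(url, fetch=fake_fetch):
    """Resolve the chain and report the affiliate behind the last hop."""
    chain = resolve_chain(url, fetch)
    return {"chain": chain, "affiliate": clickbank_affiliate(chain[-1])}


if __name__ == "__main__":
    result = analyse("http://short.example/abc123")
    for i, hop in enumerate(result["chain"]):
        print(f"hop {i}: {hop}")
    print("affiliate, vendor:", result["affiliate"])
```

To run it against a real sample, call `analyse(spam_url, fetch=live_fetch)`; the chain it returns is exactly what you would forward to the shortener's abuse desk and to ClickBank, since the final hop carries the affiliate name ClickBank can act on.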

Note that not one person who has reported this to me has ever subscribed to "Dan's Corner", nor had they ever heard of either that list or this "product".

Any attempt to "opt out", has also been unsuccessful, as expected.

ClickBank is a fairly well-known affiliate network, and they appear to offer affiliate promotion services for a wide array of products and services.

They also offer a shopping cart service, which is what this particular scam is out to abuse.

Note their extremely specific anti-spam clause in their terms of service:

You shall not directly or indirectly:

a Send, initiate or procure the sending of an Email to any Person who has either not explicitly requested to receive such messages specifically from You, including without limitation for the purposes of sending unsolicited bulk email, executing any "mass mailings" or "email blasts," or for the purpose of spamming any public forum, including without limitation, any blog, message board, classified listings, auction sites, altnet, newsnet, newsgroups, or similar service.

b Send, initiate or procure the sending of an Email to any Person who has explicitly requested to receive no further Emails from You or Your company.

c Employ any false or deceptive information regarding Your identity, or regarding the intent, subject, or origin of the message or fail to include accurate information regarding Your identity, and the intent, subject, and origin of the Email.


It continues from there, but we can see already: This message violates all three of those. There is no "Dan Kittles", and a search for that email address only returns further discussion of this particular spam campaign.

They began their SEO campaign at least as early as October 2007. The first research I could find regarding this dates from November 2008:

This disease is really getting out of control. Earth4Energy now gets 222,000 hits on Google (October 24, 2008), and it is all a fraud. There are even thousands of fake negatives, like "Don't buy Earth4Energy" and "Earth4Energy Sucks" that lead you to yet more sales pages. Negative reviews are totally drowned out by the massive, cancerous marketing campaign.


That same author has set up an extremely detailed page specifically criticizing all of this company's claims regarding Earth4Energy, and in my opinion it's definitely worth a read, especially the completely bald-faced threats they make against the author regarding his negative review. (Read on, you'll see that his dissection is pretty much spot-on.)

Affiliates for this scam have also spammed Craigslist repeatedly, and continue to do so now. [example]

There is, of course, a link to the Earth4Energy affiliate program [], and it becomes extremely obvious that this group does not care how you promote this crap. They don't care if you paint some random person's house with your domain name. There is no abuse process, no terms of service, nada. Just sign up, and (they allege) you can "start making money now!"

I tested out a signup, and their process doesn't include anything verifying that you have solid, opt-in-only lists, that you have whitelisted domains, etc. They just ask for a name and email, and you're in. Period.

Their "product" list looks like a veritable megastore of utterly useless crap. "Hair Extensions DIY", "Zero Chemicals", "DIY Hot Water", and of course the only product I or any of the people who had contacted me had heard of, "Earth4Energy".

Note that in these examples they plainly list a ClickBank url. They don't reiterate ClickBank's terms of service, they don't say anything about not spamming people, and they don't warn against flooding other sites or forums with links to these promotional urls.

Now: add to this that I've actually been sent a copy of this alleged "manual". Let me tell you: it is extremely slim on any kind of technical details regarding the construction of either a solar panel or a windmill. It has very cursory descriptions of how to build each piece, but no schematics, no detailed parts lists with sample pricing, etc.

Check out this excerpt regarding how to secure your windmill in the event of strong winds:

but how do we stop it from rotating wildly during high winds or severe storms? This is not something we want as it could tangle the wires and damage them. The easiest home fix for this is to use a bungee cord. You may think this sounds like a cheap little fix, and you are right! It is a cheap fix and it works very well.

Ignoring for the moment that this would violate numerous building and safety codes, there is no legitimate construction manual I have ever seen in my life that would recommend this solution. Especially not one that is a digital download being sold for $49 USD.

It is also rife with spelling and grammatical mistakes which make it clear that this is definitely a money grab.

In comparison to the plethora of actual forums and discussions regarding DIY electrical generation (there are dozens of them out there,) I find it very hard to believe that anyone would seriously think that this "manual" is worth the money being paid. It certainly appears that more than mere "guts" are required, and the manual itself makes it extremely unlikely that anyone would "apply it real life."

The affiliate company behind this operation has been extremely active at responding to any negative commentary regarding this product. (Again: note their threats against a detailed analysis of why their product could be bogus.) The moment anyone complains about it being a scam, there is immediately a response saying that perhaps they didn't do it right, or stating that the person complaining just didn't bother to build it. This of course seeds doubt regarding the claims, so the sites are continually allowed to exist and be promoted. You can see a series of examples of this here.

I would have to say in the strongest possible terms: this product is a scam. It is worthless. Do not waste your money on it. As with any "product" being promoted via unwanted spam, it is utter crap, and not worth anyone's time, energy, or money.

SiL / IKS / concerned citizen

P.S. Update: it turns out that the dissection already included lots of info from the actual pdf file these scammers sell. He does a very thorough job of refuting literally every claim in this so-called "manual." Again: do not waste your money. Thanks to readers who sent me this update.

Thursday, November 5, 2009

DDOS #3

As many of you may now be aware, the forum I assist in maintaining known as InBox Revenge is down at the moment.

That's because someone out there (you can imagine who) seems to have randomly gotten pissed off at my team's research. Which research in particular? I have no idea. It wasn't a particularly busy month so far.

The attack is ongoing and likely costing someone lots of money. The good news about that is: this has become a great means of logging the attack as much as possible for both law enforcement agencies and the security community.

If you're a member of that community, feel free to contact me via comments. (I won't publish them if you don't want me to.) This attack already answers several questions that a lot of security websites were asking back in February.

As for our research: it's still ongoing. The forum has only been one of numerous ways we stay in touch.

Thanks to those who got in touch with me already about this, and thanks for your patience if you're a regular reader of that forum.

I'd also like to recommend our hosting company,, who provide excellent uptime as well as fantastic security and support services.

More as it happens.

SiL / IKS / concerned citizen

Wednesday, November 4, 2009

SEO Comment Spammer Without A Clue

Looks like some "SEO" spammers have decided to bombard this blog with "comments" to boost their sites' page rankings.

Let's take a look shall we?

Starting on Nov. 2nd, I began receiving comment postings as follows:

deepak has left a new comment on your post "I just won the Microsoft, Toyota, Yahoo and MSN Lo...":

it's a really nice blog thanks for add my comment...

Welcome to Thebettingonline. We are here for to be the most online betting. For read our online casino gambling and betting guide click on We also suggest you types of betting action Opening bets, Calling, Rising, Checking, it will help you to win the Bet.Online Poker Betting

Then on Nov. 4th, the same idea only with a different Blogger account:

mukesh has left a new comment on your post "I just won the Microsoft, Toyota, Yahoo and MSN Lo...":

it's a really nice blog thanks for add my comment...

Club casino online is a place where you can play the best and most popular online casino games. Here you will enjoy the very finest in online casino entertainment presented today, you may be sure of a secure and sound, helpful and friendly environment. If you want to play Blackjack, Pontoon, Baccarat, Casino War, Desert Treasure, A night Out, Ways Royal, 4 Line Jacks Or Better, Aces and Faces and more online casino games then just visit on Casino Games

In each case the spammer was of course attempting to get this blog to link to each of his domains:

Deepak's profile is here:

Mukesh's profile is here:

Both were created solely to create these annoying, repetitive comments in an attempt to boost page ranks. (Though with such ridiculous copy, I can't imagine anyone having the slightest interest in clicking on anything this moron posts.)

The sites themselves don't "do" anything. They just sit there, being linked to via comment spam.

A bit further digging shows that my blog is not the only one affected by this mentally-challenged individual. A search for one of the phrases turns up ten entries which have the same posting. A search for the other turns up only four.

Further searches for the domains he's trying to link to pull up even more sites where he has comment spammed repeatedly.

Notice of course that none of these sites that this idiot is "commenting" on have the slightest thing to do with gambling.

Of course, this blog comment spammer also uses Google Analytics on that first domain to track the inbound traffic to his scammy little setup. His property id is UA-10919767-14.

But without links to anything, what is the point?

The second site lists yet another domain name -- -- but doesn't link to it. Why? (That site also uses his Google Analytics account, with property id UA-10919767-16. The shared UA-10919767- account prefix is what ties both domains to the same owner.)

All of this is a roundabout attempt to... create traffic. For what?

This is one of the stupidest attempts I've seen by anyone to try to drum up linked traffic with no monetization. Keep up the horrible work, "Deepak".

SiL / IKS / concerned citizen

Wednesday, October 28, 2009

News Flash: Fake Pill Sites Don't Even Bother To Lie Very Effectively

After just receiving another of the plethora of bogus black-market pill sites via (you guessed it) criminally-sent spam, I think we've hit a new threshold for obvious, lazy lying by these moronic criminal fake pharmacy sites.

Can you spot the obvious problem with the following screenshot?

Highest security level guaranteed

This is a Secure page. Your Data is safely encrypted and is protected from an unauthorized access. All transactions are 100% secure.

That's right: never mind that "75% secure" crap: this site claims to be "100% secure", and even tells you how to verify it. All of which completely ignores the fact that none of it is true, and that any person with a pair of eyes can tell they're lying to you. There is no "https" in the address bar, of course (thanks for the tip, idiots), so nothing you type into the page, card number included, is encrypted on its way to them, and there is no padlock anywhere it would normally appear in any browser in use today.
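The mismatch above (a page that says "encrypted" while being served over plain HTTP, with an order form that posts in cleartext) can be checked mechanically. The following is an added example, not code from the original post or from any site it describes: a small static audit that extracts the page's security claims and its form submission targets and reports where the wording and the transport disagree. The HTML and the pharmacy.example.invalid URL are constructed for the example; a live check would additionally validate the certificate, which a static scan cannot do.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Phrases a page uses to claim encryption; the list is an assumption, extend as needed.
SECURITY_CLAIM = re.compile(
    r"(100%\s*secure|secure page|safely encrypted|highest security level)", re.I)


class _PageScan(HTMLParser):
    """Collect form submission targets and visible text from an HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            # A relative or empty action submits back to the page's own origin,
            # so resolve it against the page URL before judging its scheme.
            self.form_actions.append(urljoin(self.page_url, action))

    def handle_data(self, data):
        self.text.append(data)


def audit_security_claims(page_url, html):
    """Return findings where the page's security wording and its transport disagree.

    Two checks: (1) the page claims encryption but is not served over https;
    (2) any form on the page submits to a non-https URL, i.e. in cleartext.
    """
    scan = _PageScan(page_url)
    scan.feed(html)
    claims = SECURITY_CLAIM.findall(" ".join(scan.text))
    scheme = urlparse(page_url).scheme.lower()
    findings = []
    if claims and scheme != "https":
        findings.append(f"claims {claims[0]!r} but page is served over {scheme}")
    for action in scan.form_actions:
        if urlparse(action).scheme.lower() != "https":
            findings.append(f"form submits to {action} in cleartext")
    return findings


# Constructed page modelled on the screenshot wording; not captured from a real site.
FAKE_PHARMACY_HTML = """
<html><body>
<h2>Highest security level guaranteed</h2>
<p>This is a Secure page. Your Data is safely encrypted and is protected
from an unauthorized access. All transactions are 100% secure.</p>
<form action="/order/checkout" method="post">
  <input name="cc_number"><input type="submit" value="Buy">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_security_claims(
            "http://pharmacy.example.invalid/order", FAKE_PHARMACY_HTML):
        print("FINDING:", finding)
```

Run against the constructed page it reports both the cleartext page and the cleartext checkout form. The check is deliberately one-sided: an https URL with no findings is necessary, not sufficient, since the certificate still has to chain to a trusted root and match the host name.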

What else are they lying about? Oh: everything of course.

This one comes on behalf of what appears to be the newest member of the former SanCash / AffKing group: Canadian Online Pharmacy. ("Canadian", of course, meaning "located in China, with drugs most likely shipped from India.")

Not that it needs to be said again * but: don't buy anything you have to ingest from a "company" you've never heard of, especially one that lies to you with every breath they take.

SiL / IKS / concerned citizen

* Actually it probably does need to be said, because these idiot criminals are STILL profiting thanks to what are arguably stupid and / or desperate "customers".

Friday, October 2, 2009

Happy National Cybersecurity Awareness Month!

This was news to me but possibly not to everyone.

Read more about this special month here.

SiL / IKS / concerned citizen

Monday, September 14, 2009

Following The Money (Mule)

This year has seen an interesting cross section of what seem on the surface to be distinct and separate spam campaigns, but are in fact connected, and part of a very coordinated cybercriminal enterprise.

In the past two years, we have seen numerous spam messages arrive which claim to offer "personal shopper" or "work from home" schemes. These are in fact money mule recruitment messages: the recruits receive money, purchase products, and then ship the products to (at the moment) unknown addresses.

There have also been a variety of fake "corporate" websites put together for the purpose of recruiting these money mules, nearly always hosted in Russia. Renowned security researcher Bob Harrison has reported several of these websites, and documented their criminality in great detail. [source]

In the past six months we have now also started to see a variety of stories which describe the mass withdrawal of large sums of money from a variety of companies and other organizations. The most recent comes from Brian Krebs of the Washington Post, who has been covering this in some detail. [source]

In this story he reports that several businesses, and most recently a school district, have noticed very large withdrawals occurring from their bank accounts, and he has made the connection that this is where the money for the "secret shopper" purchases is coming from.

This was made possible by a banking trojan known as "Clampi" that these same criminals, or possibly someone they hired, used to record any banking credentials entered on any computer within the company or organization's network. [source] You can read some great research on Clampi (and its other variant names) written by the well-known security researcher Joe Stewart here. The companies affected are extremely varied (construction companies, electronics testing companies, demolition, at least one other US-based school district), but I guess it really doesn't matter where they get the banking information from. If the money is there, who cares what they happen to do?

The problem with this latest fraudulent banking activity is that it hit a fairly meagre school district - the Sanford School District, located in Sanford, Colorado - which serves just 340 students. I recognize that the scumbag criminals behind this activity couldn't care less who they affect with their criminal acts, but this is reprehensible on many levels. It is also only one of what appears to be a very large number of these events, and there doesn't seem to be any sign that this activity will slow down in the slightest.

This particular crime exposes a serious shortfall in general staffing and infrastructure of most small businesses and governmental or civic organizations. The key piece of information that these criminals were counting on was that each of these companies were small, and most likely had negligible IT or network security staff, if they had any at all. This is a huge, gaping hole which many colleagues and I have felt was inevitable given the costs and considerations of staffing and maintaining an organization such as a school district, or any other governmental office.

IT security staff, if it is an item of any consideration at all for a governmental or civic budget office, must be near the absolute bottom of the list of things considered important to fund and maintain. Since most qualified IT security staff are priced outside the salary budgets of most governmental or civic comptrollers, it is hardly surprising that we now find ourselves in this predicament. A decent staff supporting and protecting these networks could have identified the rogue traffic resulting from the Clampi infection. It might also have stopped the Clampi trojan from spreading itself across the entire network. And it might have assisted in the data and evidence gathering which will now be required to pursue this in a court of law.
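What "identifying the rogue traffic" looks like in practice, as an added example that is not part of the original post and not based on any published Clampi indicator: two simple checks run over outbound proxy logs. The first flags hosts that log into the bank's site without being on the short list of workstations that are supposed to do online banking. The second flags periodic "phone home" connections (same source, same destination, near-constant interval), a pattern common to this class of malware. The log format, the hostnames, the 300-second interval and the authorized-host list are all constructed assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, not captured from any real network.
# Format assumed for the example: "timestamp src_ip dst_host method path".
SAMPLE_LOG = """\
2009-09-10T08:00:00 10.0.0.12 www.examplebank.invalid POST /login
2009-09-10T08:03:10 10.0.0.12 www.examplebank.invalid GET /balance
2009-09-10T08:05:00 10.0.0.47 www.examplebank.invalid POST /login
2009-09-10T08:06:30 10.0.0.47 www.examplebank.invalid POST /transfer
2009-09-10T08:00:00 10.0.0.47 c2.example.invalid POST /gate
2009-09-10T08:05:01 10.0.0.47 c2.example.invalid POST /gate
2009-09-10T08:10:00 10.0.0.47 c2.example.invalid POST /gate
2009-09-10T08:14:59 10.0.0.47 c2.example.invalid POST /gate
2009-09-10T08:20:00 10.0.0.47 c2.example.invalid POST /gate
2009-09-10T08:00:00 10.0.0.12 news.example.invalid GET /
2009-09-10T08:00:40 10.0.0.12 news.example.invalid GET /story1
2009-09-10T08:09:15 10.0.0.12 news.example.invalid GET /story2
2009-09-10T08:31:00 10.0.0.12 news.example.invalid GET /story3
2009-09-10T08:32:00 10.0.0.12 news.example.invalid GET /story4
"""

# Assumed policy for the example: only this workstation is allowed to do online banking.
AUTHORIZED_BANKING_HOSTS = {"10.0.0.12"}
BANK_DOMAINS = {"www.examplebank.invalid"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, method, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, method, path))
    return records


def banking_from_unauthorized_hosts(records, bank_domains, authorized):
    """Hosts that reach a bank domain without being on the authorized list."""
    return sorted({src for _, src, dst, _, _ in records
                   if dst in bank_domains and src not in authorized})


def find_beacons(records, min_hits=4, max_jitter=0.1):
    """(src, dst) pairs contacted at a near-constant interval.

    Groups connections per pair, computes the gaps between consecutive hits,
    and flags pairs whose gap spread (stdev / mean) is below max_jitter.
    Returns {(src, dst): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = mean
    return beacons


def analyze(log_text, bank_domains=BANK_DOMAINS, authorized=AUTHORIZED_BANKING_HOSTS):
    """Run both checks and return the combined findings."""
    records = parse_log(log_text)
    return {
        "unauthorized_banking": banking_from_unauthorized_hosts(records, bank_domains, authorized),
        "beacons": find_beacons(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host in result["unauthorized_banking"]:
        print(f"ALERT: {host} logged into a bank site but is not an authorized banking host")
    for (src, dst), interval in result["beacons"].items():
        print(f"ALERT: {src} contacts {dst} every {interval:.0f}s (possible beacon)")
```

On the constructed log, 10.0.0.47 is flagged twice: it reaches the bank while not being an authorized host, and it contacts c2.example.invalid every 300 seconds. The authorized workstation's irregular news browsing is not flagged. The jitter threshold is a tuning knob; real malware may randomize its interval, so treat the beacon check as one signal among several rather than proof.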

Mr. Krebs noted that the US Senate Homeland Security and Governmental Affairs Committee was holding a hearing regarding this specific issue and its ongoing effect on small businesses and organizations. [source] I should like to think that each of the following items would be addressed by this hearing:

1) Increased funding and infrastructure for IT security staff, especially for governmental or civic organizations.
2) Following the trail to the inevitable Russian or Eastern European criminals who executed this crime.
3) Greater stringency on the part of banks or other financial institutions regarding processing of funds on behalf of any company, but especially smaller businesses or civic organizations.

If you run a small business and are profitable, it is very strongly recommended that you get an expert to take a look at any PC running Windows which may have been used at any time to log in to any financial institution that processes funds on behalf of your company.

I expect to see several more of this type of story, and I expect the criminals to get away with this for the foreseeable future, and that is extremely disappointing.

I wish this would lead to some kind of sanctions against Russia or the Eastern European countries involved in these crimes, but that is another story on its own. This makes several years now that individuals from Russia especially have been involved in widespread online criminal activity. No US-based initiative has gone after them, no law enforcement has been brought to bear, no governmental sanctions have ever been imposed, nor does it appear that they will be in the near future. Given Russia's intent to join the World Trade Organization, and its preparations to meet the WTO's guidelines (such as the mock-shutdown of, specifically related to this WTO acceptance), it is frankly baffling that no such action has been taken against Russia as a country, or the Russian government generally. There are hundreds if not thousands of research reports all pointing directly to Russian individuals as being involved in extremely in-depth and varied cybercriminal activity, including distribution and sale of child pornography, illegal sale and distribution of pharmaceuticals, illegal sale of patented software and trademarked products, and of course widespread infection of computers around the world. One of these days - probably not soon, unfortunately - this will result in some extremely bad news for Russia as a country, and especially Russia as a potential member of the WTO. That it hasn't happened already is simply unacceptable.

Unsurprisingly, Mr. Krebs has also written about this topic as recently as March 2009. [source] That's worth a read, as is the Slashdot posting which resulted. The same discussion should apply to any country which continues to allow this rampant criminal activity to continue to occur. (Russia is obviously a key contributor to this, possibly the key contributor.)

SiL / IKS / concerned citizen