Saturday, December 31, 2011

SiL's 2011 Year-End Recap

Well here we are. The end of the year has arrived and again there is a lot to recap in terms of the ongoing fight against online crime in all its forms.

2011 was a busy year in terms of law enforcement action against predominantly overseas spamming criminals, and also for further leaks of valuable data, chat logs, email accounts and other information that exposed the inner workings of several mostly Russian spam operations. This is a continuation of the same leaks and law enforcement action which we saw in 2010. It also was a year that saw unprecedented cooperation between several international law enforcement agencies to shut down everything from botnets to financial fraud gangs to fake pharmaceutical manufacturers and promoters. There were also some incredibly detailed and in-depth investigative reports into the financial operations of large-scale pharmacy spam operations. So well done to all law enforcement agencies and investigators for an incredibly successful year.

Spam is still with us, but it's swiftly becoming a less popular and riskier method of making a quick buck. This is all good to see.

So here we go. Get some popcorn, enjoy, and have a happy new year.


January:
  • On Jan. 20th, an insightful article is posted on RussiaProfile.org by Svetlana Kononova. The article outlines several new trends in online crime originating from Russia, and makes specific mention of the demise of the criminal online pharmacy affiliate program Spamit.
  • On Jan. 26th it is announced via several media outlets that Russian hosting company Volgahost was de-peered from the internet by their upstream provider RUNNet.ru. This is due to several investigations identifying VolgaHost as a source of a great deal of online criminal activity, including the command and control setups for several botnets, among them several Zeus botnets. January is already off to a great start.
  • The same day, an article in the New Zealand Herald announces that an unnamed 32-year-old Chinese man has been arrested in Auckland, New Zealand charged with international distribution of counterfeit drugs. This followed a three year investigation by the Auckland Metro Crime and Operations Support (AMCOS).
  • A headline in the Toronto Star announces Canada no longer synonymous with spam. It's an odd "consumer affairs" piece but it does outline the difficulties of trying to run a genuine online pharmacy from Canada against the unending barrage of fake, Russia-based, criminally operated sites.
  • On Jan. 28th, social networking website Facebook is awarded $360,500,000.00 USD in statutory damages as the result of charges of spamming activity against the site by one Philip Porembski. This is the third major award to be granted by a court in Facebook's favor since it started going after spammers on its site in 2006. As for actually collecting the money? That's another story. But it continues to set a very strong precedent for any future spammers who think that Facebook is still worth flooding with spam.
February:
  • In the "gift that keeps on giving" department, on Feb. 7th it is announced that Gregg Burger of Yonkers, New York has been arrested for acting as convicted stock spammer Alan Ralsky's stock broker. The SEC has also filed fraud and other charges against Burger and 10 other accomplices. Burger faces up to 25 years in prison and significant fines if convicted. (No followup story has been posted regarding this case.) See also the SEC Filing.
  • On Feb. 17th, another court action is announced, this time against repeat spamming offender Brendan Battles. The Australia Dept. of Internal Affairs seeks penalties of $200,000 AUD against Battles, and $500,000 AUD against his company, Image Marketing Group Limited. The court alleges that he sent nearly 45,000 SMS text messages to Vodafone mobile customers in March of 2009, and later also engaged in email spamming. This makes the fifth year in a row in which Mr. Battles has either been publicly exposed as a repeat spammer or has been charged directly.
  • In what would be the first of a series of great, great articles from Brian Krebs throughout 2011, on Feb. 21st "Krebs On Security" publishes an interview with renowned Chronopay operator Pavel Vrublevsky. The story is insightful, and inevitably outlines a raid on a party held by Russian online pharmacy "RX-Promotion". It's an insightful read, and marks the beginning of a lot of unwanted exposure for Vrublevsky throughout 2011.
  • On Feb. 24th the US Federal Trade Commission (FTC) asks a court to shut down a high volume text message spamming operation run by a man named Phillip A. Flora. [Court document PDF]. According to the court document, "During one 40-day period, beginning in August 2009, Flora's operation sent more than 5.5 million spam texts, a "mind boggling" rate of about 85 a minute".
  • Also on Feb. 24th, Krebs On Security posts a pair of engaging articles about the twin illicit online pharmacy affiliate programs Spamit and Glavmed. (Spamit as most of you will remember shuttered its operation in October 2010.) This begins a series he titles "Pharma Wars". The first article outlines how Spamit came to be investigated by law enforcement and others, and also makes a connection between the leak of Spamit data and Pavel Vrublevsky. The other documents a large-scale leak of the entire Spamit database in mid-2010 by someone named "Despduck". The database makes clear that both programs were operated and maintained by the same people, and generated millions of dollars of illegal profits from the sale of fake pharmaceutical products. This is a good peek behind the scenes of how a large-scale pharmacy spam operation works and how much money is generated from their illegal spamming activity.
  • In what appears to be a dubious article from Feb. 26th, TechWorld reports that China has been effectively clamping down on spam activity within its borders. Eight months later, we all still continue to see all kinds of spam volume originating from China, but the report is correct in stating that its activity has "dropped" compared to previous years.
March:
  • On Mar. 3rd, Wired Magazine's "Epicenter" blog reports on the release of career spammer Robert Soloway from federal prison, following his three year sentence. Soloway makes it clear that he is never going to spam again.
  • Also on Mar. 3rd, Krebs on Security posts another in a series of investigative articles regarding Chronopay and its involvement in the rogue antivirus / scareware industry, something Chronopay appears to support a great deal. In retaliation, a childish "press release" is sent to numerous security blogs, notably F-Secure, making the ridiculous claim that Brian Krebs and "his boyfriend", F-Secure's Mikko Hyppönen, had both been "arrested" in relation to an online credit card theft ring. Absolutely nobody takes the article seriously, and sites which published the fake story immediately retract it. This is a good indication that the accurate reporting of Mr. Krebs is definitely ruffling all the right feathers.
April:
  • On Apr. 3rd, Krebs on Security posts a story about another in a continuing series of large-scale data leaks, this time affecting customers of supermarket giant "Kroger Co." In this case the compromise was the result of criminal activity, but throughout 2011 various groups of online hacktivists, notably "LulzSec", would repeatedly, publicly release numerous large caches of data to illustrate the lack of security in place at common companies used by millions of people every day.
  • On Apr. 8th, German news website Welt Online publishes a story about the dismantling [Google Translation] of a fake pharmacy site operated in Potsdam, Germany. The fake pharmacy generated "at least 18 million euros" in earnings.
  • On Apr. 13th the US Dept. of Justice posts a press release announcing that the DOJ and the FBI acted together to shut down the "Coreflood" botnet, which had infected more than 2 million computers at the time of the action. This takedown was unique in that not only were the command and control (C&C) servers taken over by law enforcement, but the seized C&C server was also used to send commands to the individual infected computers instructing them to stop sending any further data and to shut down. They also provided large lists of infected IP addresses to the respective Internet Service Providers so that the customers behind them could be notified of the infection of their computers and of what steps to take to remove it. This was an unprecedented legal action and would raise the bar for several future botnet shutdowns in 2011. This story was widely covered by numerous news outlets, blogs and websites, notably Reuters, Krebs on Security, ComputerWorld and Slashdot.
  • On Apr. 19th, the FTC and other US federal regulators filed a lawsuit against a series of "online marketers" for fraudulently creating fake "news websites" used in spam campaigns to promote bogus Acai Berry weight loss products. They also charge that the claims made on these fake sites are completely false and represent a definite danger to consumers. Despite this action, we all continue to see this exact same "fake news website" technique used to promote numerous completely bogus "make money for free at home" websites via spam.
May:
  • On May 23rd, an in-depth report authored by a team of researchers at the University of California at San Diego (UCSD) is published which essentially "follows the money" through a typical criminal online pharmacy affiliate operation and identifies just three banks which process all of the orders. The paper, entitled "Click Trajectories: End-to-End Analysis of the Spam Value Chain", was presented at the IEEE Symposium on Security and Privacy in Oakland, Calif. This is by far some of the most effective reporting on the profit structure of an illegal online pharmacy. It further prompts a lot of public investigation into the three banks which processed payments for this operation, notably Azerigazbank Joint-Stock Investment Bank in Baku, Azerbaijan.
  • McAfee publishes an insightful article in late May outlining how a "blackhat SEO" campaign (a.k.a.: forum spamming) can generate income from an illegal online pharmacy affiliate program.
June:
  • Leonid "Leo" Kuvayev, renowned operator of numerous child porn sites and the "Mailien" criminal online pharmacy, "admits child abuse" on Jun. 1st in a court appearance after having been arrested back in December 2009. Police discovered a sex dungeon in a property of Kuvayev's while investigating him for illegal spam charges. He now faces up to 20 years in prison. More details, in Russian, available here.
  • On Jun. 2nd the UK's Telegraph reports that Google is publicly naming and shaming the Chinese government for "Spear phishing" as part of a series of attacks launched by China against Google's Gmail service in 2010. The Chinese government responds, calling Google's claims "unacceptable".
  • In some fairly major news, on Jun. 23rd, Russian authorities arrested Chronopay co-founder Pavel Vrublevsky "for allegedly hiring a hacker to attack his company’s rivals."
July:
  • On Jul. 19th, Joseph Mercier, an IT Security supervisor from Laval, Québec, Canada, is arrested by Canada's RCMP (the Canadian equivalent of the FBI) for "allegedly coordinating an international computer hacking scheme." Mercier essentially crafted his own botnet, including the virus malware, and managed to infect computers in several countries. The report doesn't make clear what the purpose of the botnet actually was, but one can most likely imagine.
August:
  • Long-renowned career spammer Sanford Wallace is again charged with spamming activity, this time coupled with a phishing attack. Spamford has been indicted numerous times since the late 1990s for his ongoing, unrelenting, malicious spamming activities. More coverage here.
  • Brian Krebs continues his highly informative "Pharma Wars" investigative series with a posting on Aug. 19th which exposes a leaked chat session between Spamit owner and operator Igor Gusev and a senior member of his technical team, Dmitri Stupin.
  • On Aug. 20th, ICANN begins an investigation into domain registrar eNom and their parent company "Demand Media" for predominantly providing domain registration services to online criminal organizations. This was in reaction to a detailed report by Hostexploit.com identifying eNom as a preferred domain registrar for all manner of criminal activity for many years, referring to them as the #1 most abusive domain registrar.
  • In an interesting turn of events, Google forfeits $500 million USD on Aug. 24th, "generated from Canadian pharmacies targeting US customers through its AdWords program".
September:
  • After years in legal limbo, the ill-fated lawsuit on behalf of E360 Insight against Spamhaus is vacated on Sep. 3rd, with the result being that Spamhaus must pay a total of $3.00 USD to E360, but also making E360 liable for all legal costs. A judgement document skewers E360 owner and plaintiff David Linhardt, calling his testimony throughout the lengthy trial process "inherently unreliable" and outlining several "systemic problems" with much of the financial information he produced during the trial.
  • With the year 2011 not yet over, Brendan Battles again shows up on the spamming radar, this time charged with selling 50,000 email addresses without the owners' permission. His company, the notorious "Image Marketing Group Limited", now faces a $700,000 AUD fine for selling the addresses to an unnamed "businessman" via (you guessed it) spam. "The businessman alleges that when he bought the database, IMG assured him it complied with the necessary legislation and the email holders had given their permission to be contacted, said senior investigator Toni Demetriou."
October:
  • On Oct. 4th, Krebs on Security (among others) reports on the conviction of the 13th defendant from a group which operated a Zeus botnet for the purposes of financial fraud against numerous victims. All 13 members of this gang were indicted, arrested, and convicted of operating a Zeus botnet which resulted in the theft of £3 million ($4,657,050.00 USD) from banks in the UK between Sept. 2009 and Mar. 2010.
  • Also on Oct. 4th (quite the day!), INTERPOL announces the results of an unprecedented international law enforcement action code-named "Operation Pangea IV", which took place between Sept. 20th and 27th. "In the largest operation of its kind, 81 countries have taken part in an international week of action targeting the sale on the Internet of counterfeit and illegal medicines, resulting in dozens of arrests and the seizure of 2.4 million potentially harmful medicines worldwide worth USD 6.3 million." This is definitely one of the largest international law enforcement actions in years, and certainly the largest action related directly to spamming and illegal online pharmacies.
  • In a related story, a domain registrar, in direct response to the INTERPOL actions, "shut down DNS resolution for hundreds of domains to cut off access to over 13,500 websites peddling fake pharmaceuticals."
  • In a great recap article, Ars Technica reports on Microsoft's combined efforts to target, trap and reduce spam traffic, specifically phishing, malware and other dangerous elements.
November:
  • In another installment in his "Pharma Wars" series, on Nov. 11th Brian Krebs posts another leaked chat session between Igor Gusev and Dmitri Stupin. Not long after the story is posted, KrebsOnSecurity.com is the target of a sustained DDoS attack, which he subsequently reports on in some detail thanks to the investigative assistance of Joe Stewart from Dell SecureWorks. The operators and affiliates of Spamit and Glavmed have to be suffering financially for them to take this kind of action against a security blog with such a wide readership.
December:
  • On Dec. 16th, Krebs on Security reports that (among a few others) former Ukrainian General Verliu Gaichuk is arrested in Romania "suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms." This was another large-scale international law enforcement investigation which comprised Romanian authorities, the FBI and Italian special forces. Since 2010 we have seen more and more of this type of coordinated law enforcement cooperation, and it's very good to see.
  • On Dec. 8th, four Romanian nationals are indicted in the District of New Hampshire on charges of compromising the credit card data of more than 80,000 customers of the Subway restaurant chain - among others - covering nearly three and a half years. Three of the criminals were arrested and a fourth remains at large.

Happy Holidays everyone. Stay safe, and thanks again for reading.

SiL / IKS / concerned citizen

Tuesday, November 22, 2011

Lotto Black Book: Another Completely Fake Product Promoted By Spammers

In the ongoing battle against career spammers, affiliate marketing companies are often a gateway for non-compliant spammers to attempt to get some quick, if fleeting, cash.

The products many of these affiliate programs offer nearly always sound "too good to be true", but they do make them money. Career spammers essentially join, ignore any zero-tolerance policies the affiliate program has for email spamming (or any other spamming for that matter), get an affiliate id, and start up their email deployment system.

The products include a product that will turn your PC into an HDTV receiver using (they claim) only software, a book that tells you how to build your own solar cells, a book that tells you how to make thousands of dollars from home "instantly", and - my most recent favorite - a book called the "Lotto Black Book".

I decided to examine each of the claims this spam campaign makes, and especially the completely fake claims they make on their websites. Nearly every single statement on these websites is 100% false, and that's a big no-no pretty much anywhere in the world, but it's an especially egregious offense in the US.

Here is a spam message I received a few days ago from another career affiliate-program-abusing spammer:

From: The LottoBlackbook support@thelottoblackbooksecret.com
Subject: Win a lottery everyday- Secret exposed
"They Kept Asking Me:

"How The Heck Did You Do It? What's Your Secret For Winning The Lottery?
Tell Us Or We'll Kill You" I Managed To Escape But I Got Shot In The Left Foot"

They Would Have Killed Me If I Didn't Tell Them My Lottery Secret…

But Today, It is yours:

===> http://gettingpaidinstantnow.info/lottowinningsecret/

Can Anyone Win The Lottery? ...Or How Did I Manage To "Kill" The Lottery 5 Out Of 10 Times?

I was searching for a lotto PATTERN...

Winning The Lottery Is Not ROCKET Science.

Anyone can do it. That's why I decided to publish all my secrets in a book.

Click below:

===> http://gettingpaidinstantnow.info/lottowinningsecret/

Best Regards,

Larry B.


Wow. That is quite the story, isn't it? The protagonist of this ridiculous spam campaign, "Larry B." (on the website it links to he says he is "Larry B****" but the footer says the site is made by "Larry Blair") is so good at winning lotteries that he's receiving threats.

It links to an affiliate website:

http://gettingpaidinstantnow.info/lottowinningsecret/

That might not exist for long, but if you've ever researched this type of spam you can spot it a mile away. One single, lengthy, rambling page making a series of ridiculous or outright false claims. It's the HTML page version of a 3:30am infomercial on TV. They just repeat the same claim in numerous ways while telling an (arguably) outlandish story, then back it up with a series of "testimonials", which are also very easily proven to be false.

Here's the first thing you see when you visit this site:


Again I have to say: wow.

80 point masthead type shouting out "Oklahoma professor gets shot in the leg after winning the big lotto prize".

Before I dive into this particular site, let's just get a feeling for how many of these websites are out there. I did a quick Google search for that first line and Google (as of this writing) returned "About 320,000 results" for that phrase with no quotation marks around it. If I add quotation marks, which looks for that exact phrase, it returns "about 10,200 results". So this site is not unique at all. Keeping in mind that it's also pulling up sites which ridicule this product - possibly this very website as well - the majority of the results are actually trying to sell you the Lotto Blackbook product.

A little further down, it claims that this is one of the people who shot him in the leg in order to gain his "secret" about winning lotteries.

"They Kept Asking Me:
"How The Heck Did You Do It? What's Your Secret For Winning The Lottery? Tell Us Or We'll Kill You…"
…I Managed To Escape But I Got Shot In The Left Foot"

Here is the robot portrait of one of the aggressors. It's the same picture that was presented to the police. They were never apprehended..."


It shows a police sketch:

Anyone can easily disprove this. A simple reverse image search (Thanks Tineye and Google!) shows that this is actually a police sketch of a criminal wanted in Tennessee and Alabama for a string of armed robberies at check cashing facilities in several counties in that area:

http://blog.al.com/breaking/2008/04/check_cashing_bandit_sought.html

That dates back to April of 2008.

You'll notice that there is absolutely no mention of shooting anyone in the leg in order to expose "lottery secrets".

It doesn't appear that he was caught, but it seems unlikely that the story would fail to mention that he shot someone in the leg. We can file this detail under "unlikely".

The writing about this (probably) completely fake scenario is written with way too much melodramatic flair. ("All you think about is your wife and children..." - so true, man... so... true.)

After an awful lot of copy about how he felt "blessed" for having his lotto-winning "secret" and claiming to donate it to charity, the story continues that he had to use a lot of paper and books for his research, and that his wife was concerned, and took a photo of what he claims was his desk:

That image is easily recognizable to a select batch of online nerds as being the winning entry to the 1999 "messy desk contest" which was held, at that time, at a site called bash.org:

http://linuxreviews.org/howtos/l33t/382128_PinkFuzzyBunny.sized.jpg

That can be found on this page:

http://linuxreviews.org/howtos/l33t/

The original contest is of course long gone. If you search for that image (thanks again Google) you get "About 9,370 results". So again: not at all a rare image. Is it our lotto-secret-wielding hero? Again: filing that under "unlikely".

Further still, an image that he claims is of him "winning" his first lottery, after trying his alleged theory for 8 years:


That photo is actually a picture of December 2006 Powerball winner Michael Anderson:

http://www.lottery.ok.gov/press_reader.asp?sourceFile=press_december112006

Wait - Michael Anderson? That doesn't even rhyme with the name "Larry B." So that's basically just an outright lie.

But did Michael Anderson use some hidden secret method to win his prize? The story doesn't say.

So let's look a little further down:


Google searching for that image, unfortunately, only turns up results of competing "lotto blackbook" websites. But if you look closely it doesn't appear to be the same person.

I would basically call bullshit on pretty much every facet of "Larry B."'s story. The police sketch doesn't add up; the first image of him is not him, it's Michael Anderson; the photo of the messy desk is unlikely to be his, and the second image of him "winning" again is unlikely to be him.

So let's talk about his so-called testimonials:

The first image shows someone he refers to as "Alain M."

Larry B's testimonial copy:
Larry, Thanks to your system, I managed to give up my day job. Now all day long I’m preparing for the weekend lotto drawings. This is the big prize I won. Sometimes I get a couple of thousand, sometimes hundreds … but one thing is for sure: I won almost every time.

Again a very simple search turns up this story:

http://www.nelsoncountylife.com/wp-content/uploads/2009/02/alain-lotto1-300x199.jpg

The name of this winner is actually Alain San Giorgio, not Alain M. (Another outright lie.)

How did Alain actually win? Let's search for that too:

http://www.valottery.com/news/press_article.asp?artid=2391

When asked by Virginia Lottery officials how it happened, he replied simply, "I'm just lucky, that's all."

The winning numbers for that drawing were 4-8-20-22-34. He selected the numbers on his ticket at random.
At random.

Now: Alain might be trying to hide the so-called secret method Larry over here is talking about, but you would think we would have heard of him winning numerous times, since this is the claim made on the Lotto Black Book site. There is no mention.

Let me add that when a person wins the lottery, if they want to accept the money they have to give the lottery the right to use their name, their likeness and other identifying elements to promote the lottery. If Mr. San Giorgio actually had won the lottery that many times, there would be several press releases from the lotteries all saying so.

But there aren't. There's only one. Dating from Feb. 2009.

You would also see a series of personal interest stories in several newspapers commenting on how unlikely it was that such a person could win so many lotteries all the time. But in this case: zero.

So: another outright lie.

A companion site mentioned in the footer of this website - thelottoblackbook.com - features most of the same claims and testimonials, but also references just such a news story. They only show a screen grab of the story, but don't link to it:

The story is about a person named Joan R. Ginther

http://www.dailymail.co.uk/news/article-2023514/Joan-R-Ginther-won-lottery-4-times-Stanford-University-statistics-PhD.html#ixzz1VLtSFuuR

And I quote:

Three of her wins, all in two-year intervals, were by scratch-off tickets bought at the same mini mart in the town of Bishop.

Mr Rich details the myriad ways in which Ms Ginther could have gamed the system - including the fact that she may have figured out the algorithm that determines where a winner is placed in each run of scratch-off tickets.

This entire time this website has been claiming that it will teach you how to beat lotteries like the Powerball, a lottery where a series of winning numbers are pulled completely at random, and tickets are purchased which have user-selected numbers on them.

Scratch tickets don't work that way. They are pre-printed and have serial numbers, and there are numerous stories of people who have foiled these systems. The two systems are completely different.

The site again claims that this person shared the same Lotto Blackbook method for winning lotteries, but the real article about Ms. Ginther states otherwise.

In short: it's really easy to assume a product is a scam in the first place, but when the websites promoting them (and the spam messages promoting the websites) are so chock-full of such easily disproven lies, it's time to question why the FTC and other consumer protection organizations haven't gone after companies like this one.

Of course he only receives payment via PayPal, so attempting to get your money back from this scam operation is probably a laborious and potentially fruitless exercise.

As usual it's up to the consumers themselves to be cautious about any claims a website makes - especially one promoted via unsolicited non-CAN-SPAM-compliant spamming - and I would hope this single posting provides enough proof that consumers should probably assume that any claim made by a spamvertised website is likely to be an outright fabrication.

My advice: If a company is lying to you once, you shouldn't waste your money on them. But if they lie to you numerous times like this one is? Not only should you never send them your money, the company behind these fraudulent spamvertisements should be completely shut down. That should be obvious to anybody.

Here are some links to discussions which debunk this obviously fraudulent operation:

Thursday, September 22, 2011

New stock spam?! Are you insane? [CSOC.OB]



Over the past two days, only my spam-fighting email addresses have begun to receive a ridiculous amount of stock spam promoting a company called Caduceus Software Systems Corp. Stock symbol CSOC.OB.

Unless this individual has a serious desire to join Al Ralsky in prison, I fail to see the attraction of trying a new stock spam campaign. Ever since Al Ralsky's arrest and conviction, and especially after the SEC's shaming after the Bernie Madoff affair, the attention to this type of fraud has gone up significantly. This is a particularly stupid and very public move on behalf of this moron spammer.

But it also indicates a few things, just as stock spamming has for years.

Stock spamming has routinely been a "quick fix" replacement for any other type of spam campaign which gets shut down or severely hindered. In 2006, prior to the shutdown of AffKing and the indictments and fines against Shane and Lance Atkinson, numerous spammers promoting AffKing would switch immediately to stock spamming whenever the money dried up for any AffKing spamming, or especially when AffKing had to lay low to fix one or another problem. You could practically set your watch to it, it was that consistent.

My recently developed Nigerian ScamerAtor™ is a tool that I had been using for a long while to report up to 200 or so Nigerian scamming email addresses. I ramped up my own reporting over the past four months, and decided to make that tool public. Is it a coincidence that I now see stock spam so soon after putting that utility into the public domain? (Probably.)

The good news is: stock spam means that the spammer probably lost money, or is in the midst of losing money. It may also indicate a wish to get caught. (As mentioned: this is a particularly stupid thing to do as a spammer.)

Never buy a stock promoted by someone you've never heard of, especially if they're sending you 70 - 100 spam messages over only a few hours.

Note also that they have done some Google-jacking to make sure any mention of this company only shows articles which support the spam campaign. This indicates that this is an experienced stock spammer. I wouldn't be surprised to hear that this somehow relates back to the same crew that Ralsky was using for years.

To whoever you are: good luck in jail.

SiL / IKS / concerned citizen

Thursday, September 15, 2011

The Nigerian ScamerAtor™!

Over the past ten years or so I have been sporadically reporting "Nigerian Scam" spam messages to the email vendors these criminals abuse.

I'm going to assume that you know what a Nigerian Scam is. They've been in existence since the mid-90's, and they re-use a lot of the same ruses to entice their victims to part with some - and in some cases nearly all - of their money. Many of you may remember my experiment over the past two years to tabulate how much I would have "won" from these alleged inheritances, lotteries, funds and other ridiculous scams. I also kept tabs on how much I would have "inherited" or "won" from November 2009 to the end of 2010. The final total was $100,319,915,673.22 USD (100.3 billion dollars).

In November 2008 I wrote a detailed posting describing how anyone could report these scam messages, and about the reliability and timeliness of the responses and cancellations of these offending accounts. At that time, Hotmail and Yahoo were two of the worst at getting accounts removed which were actively being used in this patently criminal activity. Fast forward to today - and especially the past six months - and that situation has greatly changed for the better.

Hotmail is now cancelling these offending accounts within as little as ten minutes of receiving my report. This is a huge, huge difference and I applaud this drastic change in their responses to these reports. I would report a new scammer's Hotmail / MSN Live Mail account within a few seconds of receiving one of them, and 10 - 15 minutes later it would be shut down.

It's important to note that they won't shut down just any account. You have to explain to them why the account is being used fraudulently, and explain where in the message the offending account appears. If your reporting to them is consistent, they shut the account down, simple as that.

I was receiving 60 - 80 of these scam messages every single day. Once I started cc'ing the criminal's account on my reports, that account saw a precipitous drop in the volume of Nigerian Scam spam messages received every day. Now it's one or two a day. For that account, Nigerian scam messages are the only spam it receives. All the pharmacy spammers gave up on that account two years ago.

I also received a small handful of replies from the criminals on the other side of these accounts. Some of them demanded that I stop reporting them. I replied that they shouldn't have me in their lists in the first place. Some boasted that this would do nothing, that they would just create thousands of other new accounts. But then after a few weeks I received another message pleading for me to stop. All of this indicates that these reports work, even if it's just one person doing them.

So I decided to create a tool that automates the creation of these detailed reports so that a lot more people could join me in trying to put a major dent in this malicious activity, and I called it the Nigerian ScamerAtor™.

You can download it here:

http://www.spamtrackers.eu/downloads/files.php?fid=90
[Link last updated Jun. 24th, 2012 - v.1.6]

Instructions:
  • Download the file
  • Unzip the file
  • Open the html file in a browser of your choice (as always, I recommend FireFox.)
  • Choose the email vendor this criminal is abusing from the drop-down list.
  • Enter the offending email address
  • (Optional) Choose which fake scenario this criminal is claiming to present. (Lottery, fund, FBI, UN, etc.)
  • Choose where this email address appears (headers, body, both.)
  • Enter the message headers
  • Enter the message body
  • Click on the "Go!" button
  • A message will be generated for you including the "to", "subject" and a detailed message for the abuse team you wish to send it to.
  • Copy that into an actual email and send.
I'm discovering that some of the lesser-known of these email vendors - Blumail.org, Superposta, Globomail, etc. - are far less responsive, so it's unclear whether this will ultimately have any effect at all on these messages, but I figure with more volume of these complaints coming in, somebody would have to take notice.

Both Gmail and Yahoo now only process these abuse reports via online forms. No emails, period. They also do not respond to any reports but I did some randomized testing and it appears that within 24 hours the reported accounts are indeed terminated. I wish that they would be more communicative of this but at least they do shut the accounts down.
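As an added example (not the ScamerAtor's own code, which is an HTML page), the following Node.js script builds the same kind of report the steps above describe: it picks the address the victim is told to reply to, works out whether it appears in the headers, body or both, looks up the vendor's abuse channel (email for Hotmail / Live, web form for Gmail and Yahoo as noted above), and assembles the "to", subject and detailed message. The abuse contact values and the sample message are placeholders I constructed; replace the contacts with each vendor's current abuse address or web form.

```javascript
// Added example, not the ScamerAtor's own code: build a vendor abuse report of the
// kind the post describes from a raw advance-fee ("Nigerian scam") message.
// Runs under Node.js with no dependencies.

// Abuse channel per webmail domain. ASSUMPTION: these values are placeholders;
// replace them with the vendor's current abuse address or web form. The post notes
// that Gmail and Yahoo only accept reports through online forms, hence "form".
const ABUSE_CHANNELS = {
  "hotmail.com": { channel: "email", to: "abuse@PLACEHOLDER-vendor.invalid" },
  "live.com":    { channel: "email", to: "abuse@PLACEHOLDER-vendor.invalid" },
  "gmail.com":   { channel: "form",  to: "(vendor abuse web form)" },
  "yahoo.com":   { channel: "form",  to: "(vendor abuse web form)" },
};

// Optional scenario labels matching the tool's drop-down (lottery, fund, FBI, UN).
const SCENARIOS = {
  lottery: "a fake lottery win",
  fund:    "a fake inheritance / fund transfer",
  fbi:     "an impersonation of the FBI",
  un:      "an impersonation of the United Nations",
  other:   "an advance-fee scam",
};

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Split a raw message into header block and body, unfolding RFC 5322 continuation
// lines so a folded Received: or Reply-To: header is handled as one value.
function splitMessage(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const cut = text.indexOf("\n\n");
  const headerText = cut === -1 ? text : text.slice(0, cut);
  const body = cut === -1 ? "" : text.slice(cut + 2);
  const headers = {};
  for (const line of headerText.replace(/\n[ \t]+/g, " ").split("\n")) {
    const m = line.match(/^([^:\s]+):\s*(.*)$/);
    if (!m) continue;
    const name = m[1].toLowerCase();
    (headers[name] = headers[name] || []).push(m[2]);
  }
  return { headerText, headers, body };
}

function extractAddresses(text) {
  return Array.from(new Set((text.match(EMAIL_RE) || []).map((a) => a.toLowerCase())));
}

// Where the offending address appears: "headers", "body", "both" or "none".
function locateAddress(msg, addr) {
  const a = addr.toLowerCase();
  const inHeaders = msg.headerText.toLowerCase().includes(a);
  const inBody = msg.body.toLowerCase().includes(a);
  if (inHeaders && inBody) return "both";
  return inHeaders ? "headers" : inBody ? "body" : "none";
}

function vendorFor(addr) {
  const domain = addr.toLowerCase().split("@")[1] || "";
  return ABUSE_CHANNELS[domain] ? { domain, ...ABUSE_CHANNELS[domain] } : null;
}

// The address to report is the one the victim is told to write to: Reply-To if
// present, otherwise From. Scammers often send from one account and collect at another.
function guessOffendingAddress(msg) {
  const src = (msg.headers["reply-to"] || msg.headers["from"] || [""])[0];
  const found = extractAddresses(src);
  return found.length ? found[0] : null;
}

function buildAbuseReport(raw, opts = {}) {
  const msg = splitMessage(raw);
  const offending = (opts.offending || guessOffendingAddress(msg) || "").toLowerCase();
  if (!offending) throw new Error("no reply address found in Reply-To/From");
  const where = locateAddress(msg, offending);
  if (where === "none") throw new Error(`${offending} does not appear in the message`);
  const vendor = vendorFor(offending);
  if (!vendor) throw new Error(`no abuse channel on file for ${offending.split("@")[1]}`);
  const scenario = SCENARIOS[opts.scenario] || SCENARIOS.other;
  const placement = where === "both" ? "headers and body" : where;
  const subject = `Fraudulent use of ${offending} (advance-fee scam)`;
  const body = [
    `The ${vendor.domain} account ${offending} is being used to run ${scenario}.`,
    `The address appears in the message ${placement} of the unsolicited email quoted`,
    "in full below. Please terminate the account.",
    "", "---- Full headers ----", msg.headerText,
    "", "---- Message body ----", msg.body,
  ].join("\n");
  return { to: vendor.to, channel: vendor.channel, subject, body, offending, where };
}

// Constructed sample message for the demo (not a real scam email or account).
const SAMPLE = [
  "Received: from mail.example.net (203.0.113.5)",
  "\tby mx.example.org; Mon, 12 Sep 2011 09:14:02 +0000",
  "From: Barrister John Doe <jdoe.chambers@example.net>",
  "Reply-To: <next.of.kin.claims@hotmail.com>",
  "To: victim@example.org",
  "Subject: URGENT: UNCLAIMED INHERITANCE FUND",
  "",
  "Dear Friend,",
  "A late client left a fund of US$12,500,000 with no next of kin.",
  "Reply strictly to next.of.kin.claims@hotmail.com with your full details.",
].join("\n");

const demo = buildAbuseReport(SAMPLE, { scenario: "fund" });
console.log(`Send via: ${demo.channel} -> ${demo.to}\nSubject: ${demo.subject}\n\n${demo.body}`);
```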

I welcome responses as to further features you think this tool could use, and especially any reports of major successes.

As always, thanks for reading.

SiL / IKS / concerned citizen

Monday, August 8, 2011

On The Changing Landscape For Non-Compliant Career Spammers

Hello, faithful readers of this blog.

As you all have no doubt been aware, updates here have been very few and far between for a while now. I wanted to post a quick update to let you know that yes, I'm still alive, and yes, many things are still underway in the fight against online criminals and the spamming they engage in, among other things.

When I started this blog, email spam was definitely a major scourge, and a vast amount of criminality stemmed from spam itself, which eventually led me further and further up the food chain. That meant that over time, email spam itself (or spam of any sort really) became less of a focus of investigation for me than more meaty subjects like the hosting infrastructure of one or another criminally-operated pharmacy affiliate program, or investigations into one or another botnet's infrastructure and command and control.

Over the past several years, my role in these investigations has been one of a disseminator of collected research and intelligence, handing over as much of the in-depth analysis and research as I could supply to a larger and larger number of researchers and investigators.

As the last two years have shown, that's led to a much greater set of eyes becoming focused on all manner of online crime, and the results have been pretty fascinating to see. I am not saying that my research specifically has directly led to legal action - I have no way of knowing - but it's part of a collected mass of research which may have assisted several organizations in deciding which action (or actions) to take against the operators of these large-scale spam operations.

I'll just itemize a few of these investigations here to get the idea across. Much of this has been covered in greater detail and with more background research by many other more established journalists, security researchers and bloggers than I would have been able to do here.

Microsoft managed to shut down the infamous Rustock botnet - responsible for the majority of spam sent on behalf of Spamit - via some extremely strategic legal and subsequently technical means. That led to spam of any sort (but especially fake pharma) being greatly, greatly reduced. It has also more recently led to a very public notice, especially in Russia, where they've offered a new $250,000 reward for the "identification, arrest and criminal conviction of whoever is responsible" for the Rustock botnet. (If you know who it is, you can file your own report at avreward[at]microsoft[dot]com.)

This is a big deal to anyone who has been researching spamming via botnets, since Rustock was the botnet responsible for the vast majority of this spam.

Since Rustock was shut down, the statistics for spam overall have seen a dramatic drop. I mean a seriously dramatic drop. It's still there (there are other botnets of course) but it's nowhere near the high volume enterprise that it once was. This is a monumental shift from how things were even a year or so ago, but especially when compared with spam volumes from 2006 through 2010.

As previously mentioned, Spamit themselves pulled the plug on their fake pharmacy affiliate program in October of 2010. Very shortly after this, the alleged owner and operator of Spamit (and, one might logically assume, Glavmed) - Igor Gusev - fled Russia where he began a blog outlining the criminal activities of Russian payment processor Chronopay. Renowned security blogger Brian Krebs has written about all of this at great length, and continues to cover more recent legal activity against Chronopay and its (now former) CEO, Pavel Vrublevsky.

I haven't written about any of that here, again because it's been covered in extremely deep detail by both Russian and North American bloggers and journalists. The litany of public leaks of internal Chronopay emails, documents and other items between 2010 and 2011 has been breathtaking and it most recently led to a large scale raid of the Chronopay offices, and the arrest of Mr. Vrublevsky. That is pretty huge news and I encourage any of my readers to dig into the stories covering that raid and the previous links because it's a pretty big eye-opener into one of the largest online criminal operations I've seen in my time covering this subject. The leaked documents have revealed that Chronopay was the operator of one of the first targeted Mac-only fake antivirus scams, MacDefender, and further show that Chronopay's direct statement insisting that they had no relationship with MacDefender whatsoever was an outright lie. The leaked documents further outline Chronopay as a company creating several new companies specifically to sell other types of fake antivirus "products" over many months. Vrublevsky is the co-founder of one of the larger fake pharmacy operations known as RX-Promotion. Rx-Promotion was formerly in third place after Spamit and what is now known as Eva Pharmacy (formerly Bulker.biz and Bulkerbiz.com.) Since the raids, rx-promotion.com no longer resolves, and other criminal online programs which used Chronopay as their payment processor (notably, other fake-antivirus affiliate groups) have had to recently announce that they were no longer able to pay affiliates in a timely manner.

In the midst of all of this, Pavel Vrublevsky is arrested for having ordered or engaged in a DDOS attack against his competitors.

An additional interesting occurrence was the publishing of a couple of very well-researched reports and the subsequent widespread publicity of the same. Two very gifted researchers at the University of California at San Diego published two reports - "Click Trajectories: End-to-End Analysis of the Spam Value Chain" and "Show Me the Money: Characterizing Spam-advertised Revenue" - which I cannot recommend more strongly as a must-read for anyone interested in discovering how an online criminal spam operation works and who profits from them. These two scholarly reports, each of which has been linked to, Slashdotted, quoted, reported on by the New York Times and many other large-scale media organizations, investigate in very great detail and organize the research into every facet of how a typical criminally-run spam operation works.

So what does this mean for the spam landscape? Generally it appears that spamming, as a scummy way of making money, is way down the list of things a burgeoning online criminal or otherwise unscrupulous "marketing" affiliate would choose to engage in. In fact, forum spamming - euphemistically referred to as "SEO marketing" - has very quickly come in to take its place. There are numerous existing researchers and monitoring operations which report on this activity, and many companies such as Google (especially Google!) have already begun to put processes in place to make this type of search engine gaming less and less effective.

Based on feedback from many individuals out there, the majority of email spam that now routinely appears in anyone's mailbox (if indeed it appears there at all, given how good some spam filters have become, again most notably Gmail's) is for Nigerian scams. This has to mean that whoever is still sending any volume of spam today has definitely run short on options of what to send to their stolen or harvested lists of recipients. That's mostly a good sign, since there are a lot of very public stories about how to avoid Nigerian scams, and most of the content of the messages promoting these scams hasn't changed significantly since 2003.

Today, for the first time in several years, I received a stock spam message. I can only see this as a further indication of outright desperation on the part of whoever's lists I'm on. Stock spam, when it was sent regularly at all (2006 through 2008) only rose in volume once some facet of a fake pharmacy operation experienced major issues either in terms of their ability to keep sites up or to process transactions. Receiving a single stock spam message in the current climate, when most people are seeing very small numbers of pharma or replica watch spam, is something I personally see as a cry for help.

So: taken together we see several fairly big breakthroughs in only the past 10 months or so:

  • Spamit closes their doors
  • Spamit operator (Igor Gusev) flees
  • Gusev starts an anti-Chronopay blog
  • Numerous sources leak internal emails and lots of internal documentation from Chronopay
  • Many researchers and bloggers, Russian and otherwise, examine and report on findings from the leaked Chronopay documents and emails
  • Chronopay is linked to RX-Promotion directly
  • Chronopay is linked directly to one or more fake antivirus scams
  • Chronopay is identified as the payment processor of choice for numerous other fake antivirus scams
  • The Rustock botnet is shut down via legal and technical efforts from Microsoft
  • The creator of the Rustock botnet is currently a wanted man, and has a new bounty on his head
  • Chronopay offices are raided and its CEO, Pavel Vrublevsky, is arrested for DDOS attacks against his competitors
  • Several fake-antivirus affiliate programs indicate that they can no longer process payments for their affiliates
  • RX-Promotion's website and affiliate portal shut down with no public explanation (but we can all take a wild guess.)

That's a lot of activity in such a short amount of time. In all the years I've been researching the multitude of online criminal activities, this is the first year where it looks like the options for online criminals are finally dwindling. It hasn't disappeared completely, and I don't think I should ever expect that to happen. But the fight against the people who thrive on this illicit activity is turning a corner.

I'd like to add a separate item which is mostly speculation on my part. Since the recent devastating earthquake in New Zealand, spamming for a variety of fake pharmacy, "herbal" penis enlargement, diet and fake replica products has seen a massive decrease as well. These were all products which were virtually identical to ones previously promoted via the former "AffKing" affiliate program, operated by Shane and Lance Atkinson, who both still have restraining orders and very heavy fines against them for promoting those products via spam (well: and for the products being, you know, fake.) The spam hasn't stopped 100% but it's clear that the earthquake affected the ability for this particular type of spam to be sent.

My involvement in the exposition of these operations has been reduced mostly due to my desire to get the proper research into the hands of people who can accelerate the fight against this activity. That's proven to be the best use of my time over the past couple of years. I still research it. I still document what I find. I still participate in the many online communities which engage in this research, sharing ideas, discovering how things work in the online criminal world. But my use of this research is better served by being shared with broader groups of researchers, and it's encouraging to see so many more researchers (or even better: large groups of researchers) who are making a difference with the data they uncover.

I think it will be interesting to see if certain parts of the spam landscape resuscitate themselves or not, or if they morph into some newer or unexpected form of scammy operation. I also think it is heartening to know that a large number of career spammers are now left with far less of their regular illicit income, and most importantly that law enforcement agencies, internationally, are working together to get this activity shut down on a very large scale.

If I do have more to report I definitely will do so, even if that means I ultimately link to someone else's report. The battle continues, and from where I sit I hope that you would agree that the developments in that battle have been very interesting indeed.

SiL / IKS / concerned citizen

Thursday, February 17, 2011

Flying Croc Promotes Its Webcam Sites with Even More Lies and Messenger Spamming

Several readers (and others who found my blog via numerous searches) have complained to me for several months about a site known as "MyWebCamCrush.com."

This domain, among several others (camsecret.com, camsecretcrush.com, camsecretcrush2.com, yourprivateshow.com, many, many more), is being spammed via MSN Messenger and Yahoo Instant Messenger in much the same way that the renowned "SlickCams" webcam dating sites were spammed since 2007. (SlickCams is part of a very large number of companies and properties owned and operated by Flying Croc, who have a history that dates back several years of malicious adult-content spamming of one sort or another, but predominantly via MSN Messenger.)

It turns out that FlyingCroc.net has never stopped this practice, and appears to now control a large variety of similar adult webcam dating sites and affiliate programs, with no intention of stopping the ongoing practice of spamming total strangers (and probably minors) with automated MSN chat sessions promoting webcam porn dating sites. The most prominent of their spammed properties since 2008 has been StreaMate.com. I'll outline that setup here, but there are others.

At first it was assumed that this particular spammer was engaging in this malicious activity on behalf of only one webcam affiliate program. It turns out: he / they are doing this on behalf of at least two distinct affiliate programs, but probably more.

Here's how the StreaMate scam works:
  • An unsuspecting user of either Yahoo Messenger or MSN Messenger receives notice that an unknown user has added them to their list of Messenger friends / "Buddies"
  • They accept the invite
  • They initiate a messenger session with the anonymous "person"
  • The anonymous person goes through a predictable script
  • The messenger chat always mentions a specific link that the victim should click on to see this "person" on their webcam
  • The link is always to one of the above-mentioned domains
There are several examples of these fake chat sessions which make it clear that these are in fact MSN bots, not real people. (Examples: here and here.)

Here's a sample:

<[redacted] 4:19:15pm> hello
<princesstera200 4:19:38pm> hey :-)
<[redacted] 4:22:11pm> someone told me to IM you
<princesstera200 4:22:18pm> im good how are you?
<[redacted] 4:22:30pm> oh it's a bot
<princesstera200 4:22:40pm> looks like you got my message? whats up with you?
<[redacted] 4:22:50pm> you're a bot yo

...

<princesstera200 4:26:12pm> do you think i should wear a thong?
<[redacted] 4:26:17pm> no
<princesstera200 4:26:30pm> lol great choice well i want to give you a free courtesy pass to view me on my cam?
<[redacted] 4:26:40pm> chii would never wear a thong
<princesstera200 4:26:54pm> i want to give it to you k babe?
<[redacted] 4:27:06pm> k fine
<princesstera200 4:27:18pm> Ok go to http://www.camsecretcrush.com/kiss***** and create a free profile
<[redacted] 4:27:32pm> k thx
<[redacted] 4:27:44pm> bot

Very obviously an automated chat session.

So here's where we end up if we follow that link:


Visiting the site we see a page that presents a few things which appear to be real, but actually are not.

The first is a countdown, indicating that this invitation from our MSN bot has a time limit, and therefore some urgency is implied with your immediate registration.


The second is that there is what appears to be a live chat window, which it turns out is a pre-recorded 1 minute video of a girl pretending to engage in conversation with the victim.


If you attempt to type into the fake chat field, the page refreshes with a totally different video of a totally different girl.


Note the inclusion of the blinking words "Live Now" on the top right corner of the video window. Also utterly fake.

It turns out that video is provided in an iframe by the camsecretcrush.com website itself:

http://www.camsecret.com/exports/golive/iframe/?chat=0&input=0&AFNO=1-0-1&

But that iframe is in fact pulling all of its content from a site called camsecret.com

http://www.camsecret.com/exports/golive/iframe/?AFNO=1-0-1&chat=0&input=0&rlc=1&timer=5

Each of these pass the affiliate id of "1-0-1". This is probably irrelevant since the only time I or anyone else have seen these is via spammers, so one could assume that every single affiliate of this program is probably a spammer via MSN, and that this company fully condones MSN or Yahoo Messenger spamming. (Some have also complained that this is also occurring on Skype.)

If you load that camsecret.com iframe url on its own you see a completely random choice of fake videos depicting several women. It lies to you and says it's "Live Now", but in reality these are all pre-made videos which stream to it in real-time from the domain naiadsystems.com:

http://www.naiadsystems.com/flash/generic/20110112/avchatpure.swf

naiadsystems.com uses flyingcroc name servers:

Domain Name: NAIADSYSTEMS.COM
   Registrar: TLDS, LLC DBA SRSPLUS
   Whois Server: whois.srsplus.com
   Referral URL: http://www.srsplus.com
   Name Server: NS1.FLYINGCROC.NET
   Name Server: NS2.FLYINGCROC.NET
   Status: clientTransferProhibited
   Updated Date: 02-apr-2007
   Creation Date: 27-apr-2005
   Expiration Date: 27-apr-2012

Surprise surprise. Welcome back, former SlickCam.com spammers.

Its contact information in the WHOIS points to StreaMates, allegedly in Cyprus:

Registrant:
         Streamates Limited Streamates Limited  (hostmaster@streamates.com)
        Streamates Limited
        196 Arch Makarios Avenue, Ariel Corner 1st Floor, Office 102, PO Box 57528
        3316 Limassol,   3316
        CY
        00357-25820280

StreaMate has had affiliates spamming via MSN on their behalf for something like two full years as of this writing.

The chat itself (if it occurs) is also completely fake. We can see this by looking at the JavaScript within the page of these throwaway sites this spammer has registered. They make no attempt to hide the fact that this whole setup is fake.

<script type="text/javascript">
var spoof_cam = '';
var start_minutes = 5;
var start_seconds = 30;
var current_minutes = start_minutes;
var current_seconds = start_seconds;
var splashpage_name = 'Sam';
var random_message_start = 3;
var random_message_end = 6;
var random_message_interval = (random_message_start + Math.floor(Math.random() * (random_message_end - random_message_start))) * 1000;
var random_message_text = 'hurry im waiting for u..';
var ad_categories = '';
</script>

"spoof_cam". "random_message_text". This is so clearly a scam. Not a single real event is taking place here. The spammers know this.

When the 1 minute video is completed, a link appears in the flash video window only, an attempt to further obscure where this spammer wants you to click.

In the example I'm presenting here, the link goes to:

http://www.camsecret.com/signup/?smid=5844090&AFNO=1-0-1

[Notice: no secure "https://", just plain "http://"]

CamSecret is also operated by FlyingCroc:

Registrant:
         FCI, Inc. FCI, Inc.  (hostmaster@flyingcroc.net)
        FCI, Inc.
        2019 3rd Ave Ste 200
        Seattle, WA  98121
        US
        206.374.0374

Note that at the top of that page, it claims that you can "Sign-up safely at Camsecret"


This is of course also a lie. None of these domains offer any SSL or other security. CamSecret.com makes this statement boldly on a page which is very obviously not secure.

Just to be 100% sure: attempting to load:

https://www.camsecret.com/signup/?smid=5844090&AFNO=1-0-1

Results in a "not found" error.

Liars. So far numerous lies from beginning to end and we haven't even joined yet. Exactly how "real" do you think these so-called "webcam girls" are going to be?

As with all of these spamvertised domains, whois information for one of the numerous spammed domains, webcamcrush.com, was originally protected by Privacy Protection provided by GoDaddy.com. However one intrepid researcher decided to raise this case with the Arizona State Attorney General's office, who apparently managed to convince GoDaddy to identify who had registered this domain. It turns out to be one Yaniv Mindell, from the domain "DefiniteDollars.com":

Registrant:
YMIND, Ltd.

Amory Building, Victoria Road
Basseterre, 3979
Saint Kitts and Nevis

Administrative Contact:
Mindell, Yaniv yaniv@definitedollars.com
YMIND, Ltd.
Amory Building, Victoria Road
Basseterre, 3979
Saint Kitts and Nevis
+1.9544788981

Another shell company. First Cyprus, now Saint Kitts and Nevis.

webcamcrush.com is also suspended as a domain.

mywebcamcrush.com's whois information is still protected via GoDaddy. (Aside: When are registrars going to stop providing this for repeat offenders? This is year #4 of this activity. GoDaddy should know better by now.)


DefiniteDollars.com has all the markings of an underground affiliate program. No FAQ, a terms of service that states that they don't allow spamming, but of course no contact gets any response from this company.

I would like to cast an open invitation to anyone who has been affected by this group's ongoing MSN or Yahoo Messenger spamming, and I'd also like to put out an open invitation to both the Yahoo Messenger and Microsoft Live Messenger Team specifically, since I have been attempting to raise any attention whatsoever with that team since 2007, with absolutely no effect.

I'd also like to openly ask GoDaddy why it is that four years on they still allow this group to register dozens-to-hundreds of domains with their company, and continue to hide their contact information despite numerous abuses of their terms of service.

As with all previous spam activity on behalf of Flying Croc, the risk is very high that minors are being exposed to this content. Whoever harvested these MSN and Yahoo accounts had absolutely no concern for how old the unwitting recipient of these invitations might be. They just send out the invitation to however many thousands of these accounts they can unearth, and begin the automated chat to get them into what is clearly an adults-only website. I would assume that the Arizona State Attorney General's office would be aware of this detail, but if not they certainly should be.

Somebody has to start a class-action suit against the owners and operators of Flying Croc. They've been getting away with this crap for years and people are sick of hearing from them.

SiL / IKS / concerned citizen

Monday, January 31, 2011

Spammers Are Now Using Verified By Visa

It's been a while since I posted anything here. It's been a really busy two years, all in really good ways.

I've begun receiving tons (as usual) of spam promoting a new "Viagrow" site setup. This same spammer also sends me Ultimate Replica spam and spam messages promoting "Online Pharmacy" (I don't know the affiliate program for that one.)

Viagrow is of course yet another in a long line of utterly fake penis enlargement products. (I have to wonder why these spammers, all predominantly Russian, have such a fixation on penises, but that's probably a topic for another day.)

I decided to check out the new "Viagrow" site setup in terms of examining their order processing methods and was stunned to discover that they actually use the Verified by Visa process. This is a first, and is especially surprising given how frequently spam affiliate programs have been abusing the Verified by Visa brand over the past six years.

Spammed site:

http://[randomtext].change-your-life1.com/

Presents two forms to the user to capture personal details including full credit card details. It does so (of course) using no security whatsoever.

Posting the second form leads to this spam operation's custom payment processing domain:

http://cyber-pay.biz/paynet/payment.html

Which in turn passes the form's values to the actual Verified by Visa domain, using Visa's proprietary encryption.

Since I began researching criminal spam operations and the forms their sites use to snare personal details from victims (ahem) "customers", Visa - or more likely the third-party "high-risk" merchants who perform the processing - has never canceled any processing for these sites. This is going all the way back to 2002 or earlier. MasterCard and American Express have repeatedly denied service to pro-spam websites, but never Visa.

Now the Verified by Visa program, one which is directly operated by Visa itself, is allowing payments to be processed directly, essentially sending the message that Visa as a company is a-ok with criminals using their services.

cyber-pay.biz is registered with Directi and hosted on 67.228.177.168, provided by SoftLayer. Softlayer is now owned by ThePlanet. Softlayer has provided hosting, dns and domain registration to online criminals for many years now, so it's probably not going down anytime soon. Directi, in my experience, has been very helpful with spam complaints so we'll see what happens in that department.

change-your-life1.com is registered with bizcn, hosted on 93.114.40.213 by Voxility in Bucharest, Romania.

If anyone knows of any Verified by Visa contacts I'd be extremely interested to see if anyone over there would care to respond regarding their support of a criminal spamming operation.

SiL / IKS / concerned citizen