
Discovery Channel Terrorist background

by UAB's Director of Research in Computer Forensics on September 2, 2010

in SBN

Today I asked our UAB Cyber Intelligence team to give me some background on the Discovery Channel eco-terrorist, James J. Lee. Heather McCalley, who supervises the team, provides the following "guest" blog entry. We'll be seeing more guest bloggers from my research team at UAB's Computer Forensics Research Lab in the future . . .

Discovery Channel shooter James Jay Lee not only ran the website www.savetheplanetprotest.com, he was also a frequent poster in the saveThePlanetProtest topic on a message board at Yuku.com: savetheplanetprotest.yuku.com

There he chatted as “misterfifteen” with other misguided people in January 2008 about the weeklong protest he was planning--although it sounds like it was more of a vigil--for Discovery Channel headquarters beginning the following February 15th. On this forum he wrote threateningly about his anger toward the educational TV channel: “They have to get on board with saving the planet and I'd better start seeing some REAL improvement in the news that things are changing.” (or, WHAT will happen, you ask?) He also wrote, “Discovery is the enemy.” But his protest fizzled out when nobody showed up, and he decided to quit paying people to hang around, like the homeless man below:



In order to create a "protest crowd", Lee began throwing thousands of dollars of cash into the air, as documented in this YouTube video Mad Money Dash in Silver Springs.

The police arrested him, and Lee notes in the forum that he was held for two weeks, including four days in the loony bin. I like the way one forum poster commented on Lee’s alias name on Yuku: “an obvious reference to the Fifteen Minutes of Fame he hopes to garnish from this fruitless exertion of time and energy.”

Shortly after his release he launched his new effort, an essay contest with a $200,000 first prize:



Well, Lee never quite went so far in his posts as to make outright threats of physical harm. But what if he had? Who monitors such incendiary internet sites? Don’t count on Yuku to take this down anytime soon; they describe themselves as “a social universe of communities united by people and their passions.” And, I suppose the 11-step rant on his website will stay up until he misses a few payments to IN2NET NETWORK, INC. Pete4Peace details his concerns, however, in a post about several encounters with Lee. He was concerned because Lee “talked about using violence”:

http://beltwaybeast.blogspot.com/

That blog post from today contains email exchanges from the past between the blogger and "misterfifteen@hotmail.com".

Inquiring 21st Century minds have already identified Lee’s old videos, photos, and MySpace page (already down)... heck, he even has a fan page now on Facebook! Although he had clearly been thinking about the Discovery Channel for a long time, he actually updated his manifesto on his website yesterday morning before heading over to the headquarters building. The time stamp for the HTML page is Wednesday, September 01, 2010 8:46:30 AM. Chilling. (His manifesto is at savetheplanetprotest.com, at least for now; archived here just in case.)



Don’t check that CV! Major Zeus Spam Campaign

by UAB's Director of Research in Computer Forensics on September 2, 2010

in SBN

In a bold new spam campaign, the criminals behind the Zeus Botnet have been distributing a spam email with a link to an executable file.

We first noticed this campaign in the UAB Spam Data Mine with a spam email message with the subject "you vacancy".

The body of that email read:


Thank you for the chat yesterday, it really helped me get a clearer idea
of recruitment as well as exploring any potential opportunity.

I have just spotted a mistake on the CV I sent in which my email was incorrect.

Apologies for any inconvenience caused if you have already sent me any information on anything we discussed.

My CV is an updated!
CV with the correct email on this link: http://good-resume.info/mycv.docx


The exact same email has also been seen in the UAB Spam Data Mine with several other subjects today (message count, then subject line):

908  you vacancy
869  Re: CV
864  for CV
370  Welcoming speech
115  Greetings
112  Hello
111  Compliments
110  Salutation
108  Speech of welcome
100  Civilities
 99  Hello message


The final link there, which LOOKS like it's going to download a Microsoft Word document, actually retrieves a file with the name:

mycv.doc.exe

The properties on that document claim to be:

BitDefender Management Console
SOFTWIN S.R.L.

The current detection rate on the malware at VirusTotal is 16/43, meaning that only 16 of 43 anti-virus products identify this as malware, although only one is calling it "zbot". Here's the VirusTotal Report for md5 = 10fd124206b15f878240f22a30eaf9fe
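The trick in this campaign is that the link ends in .docx while the server returns an executable with a document-looking double extension. As an added example (not code from the post), here is the check a mail gateway or download proxy could apply: compare what the link promised with what the server actually served. The link and Content-Disposition header are constructed from the values the post reports; the extension lists are my own assumptions.

```javascript
// Added example, not part of the original post. Uses Node's global URL class.
// Extensions treated as directly executable (assumed list).
const EXEC_EXTS = new Set(["exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"]);
// Extensions a victim expects for a "CV" (assumed list).
const DOC_EXTS = new Set(["doc", "docx", "pdf", "rtf", "xls", "xlsx"]);

// Last path segment of the link, without the query string.
function linkFilename(url) {
  const path = new URL(url).pathname;
  return decodeURIComponent(path.slice(path.lastIndexOf("/") + 1));
}

// filename="..." (or bare filename=...) from a Content-Disposition header.
function dispositionFilename(header) {
  const m = /filename\*?=(?:"([^"]+)"|([^;\s]+))/i.exec(header || "");
  return m ? (m[1] || m[2]) : null;
}

// All dot-separated extensions, lowercased: "mycv.doc.exe" -> ["doc", "exe"].
function extensions(name) {
  return name.toLowerCase().split(".").slice(1);
}

// Decide whether a download should be blocked, and say why.
function assessDownload(linkUrl, contentDisposition) {
  const promised = linkFilename(linkUrl);
  const served = dispositionFilename(contentDisposition) || promised;
  const exts = extensions(served);
  const finalExt = exts[exts.length - 1] || "";
  const promisedExt = extensions(promised).pop() || "";
  const reasons = [];
  if (EXEC_EXTS.has(finalExt)) {
    reasons.push("served file is executable (." + finalExt + ")");
  }
  if (EXEC_EXTS.has(finalExt) && exts.slice(0, -1).some(e => DOC_EXTS.has(e))) {
    reasons.push("document-looking double extension: " + served);
  }
  if (promisedExt !== finalExt) {
    reasons.push("link promised ." + promisedExt + " but server sent ." + finalExt);
  }
  return { promised, served, block: reasons.length > 0, reasons };
}

// Constructed sample from this campaign: the link in the spam and the
// filename the server actually returned.
const verdict = assessDownload(
  "http://good-resume.info/mycv.docx",
  'attachment; filename="mycv.doc.exe"'
);
console.log(JSON.stringify(verdict, null, 2));
```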

Our copy of the malware came from a computer with the IP address 58.222.143.148, which has been in bad company for some time. The IP is located on China Beijing Chinanet Jiangsu Province Network. Another example of Russian-speaking crooks hosting their malicious servers in China.

According to those great guys at ZeusTracker, that IP has been used for some really bad stuff.


We've got quite a few more details that we've already shared with law enforcement, but we wanted the public to be advised as well.

If you are a spam researcher and can tell me what botnet this is, please shoot me a note at 'gar at cis dot uab dot edu'. Here are some of the top sending IPs for this group:



Major Fraud Ring Busted in Largest Chinese Cybercrime Operation

by UAB's Director of Research in Computer Forensics on August 26, 2010

in SBN

Yesterday Taiwanese Criminal Investigation Bureau Commissioner Lin Teh-hua announced the largest cybercrime operation in the history of his organization. (The Criminal Investigation Bureau's report, in Chinese, is here). 548 Taiwanese police officers and 2,720 Chinese police officers took part in the operation which resulted in 450 fraudsters being arrested throughout Taiwan and in the Chinese provinces of Fujian, Huanan, Hubei, Anhui, Guangdong and Guangxi. After a joint operations agreement was signed between Chinese and Taiwanese authorities, more than 16 joint raids have been conducted leading to more than 1,000 arrests.

In this case, the activity particularly focused on telephone fraud and internet auction fraud. The arrests come close on the heels of the break-up of a similar fraud ring in Ho Chi Minh City, where 99 fraudsters from Taiwan and China were arrested. In the Vietnamese fraud, where 76 Taiwanese and 23 Chinese citizens were arrested, fraudsters would take over entire hotels, booking as many as 30 to 40 hotel rooms for their fraud. They would place random phone calls, posing as telecom officials, police officers, or prosecutors, and urge people to wire money to specified accounts. Some individuals lost millions of dollars in that fraud. The Ho Chi Minh case made note that on July 1st there had been a related raid where 32 Taiwanese and 14 Chinese were arrested. Major General Huynh Huu Chien of the Ministry of Public Security called it the largest foreign hacker ring ever in Vietnam, saying that they also had been doing ATM fraud, hacking into foreign banks and using ATM card readers to steal from more than 200 foreign bank accounts and financial institutions.

The Vietnam case continued on August 13th, when police arrested eleven Taiwanese men and two women in Can Tho. In that case, the police seized laptops, phones, walkie-talkies, and most intriguingly more than 50 "fraud scripts" that guided the fraudsters through the "play" of imitating a police officer or state agency official in order to further their fraud.

The Taiwanese-Chinese arrests this week seem to be more of the same, as police explain that the groups formed temporary "Telephone Fraud Centers" where the scammers placed calls following elaborate scripts that helped them to perpetrate their frauds. In Taiwan, in addition to the seizure of laptops, cell phones, and fraud manuals, fake courier uniforms were found.

This operation was built up after a large meeting in China's Fujian Province, where police from across China came together in Ningde to address illegal telecom operations, money laundering, impersonation of public agencies for fraud, and online shopping scams. The case actually originated with the arrest of "Rong Yu" back in April, when police discovered he had been operating a fraud from the Taizhong Emperor Hotel, pretending to be a Shen Fuwen law clerk. By tracing the criminal contacts of this phony law clerk, more than seven other similar groups were identified, including the group's headquarters in Hunan Province.

The group was also found to be related to a fake online auction group, the Wuhan Pride network (www.dey100.com). This group, which claimed to be an online trading company, was involved not only in the sale of goods that were never actually delivered, but also in ATM fraud conducted after stealing banking information from the buyers of those fake goods! Some of the victims report getting very strange deliveries, such as ordering goods online and receiving an empty CD box or a package of soap instead of what they ordered. When they called to complain, the fraudsters gathered additional personal information about them that enabled further fraud.

I hope more details of this fraud will be revealed in the next few days, but for now, I want to offer congratulations to the investigators who are helping to clean up online crime throughout China and Taiwan!


"(Famous person) died" spam

by UAB's Director of Research in Computer Forensics on August 21, 2010

in SBN

According to my spam inbox, today was a horrible day to be a celebrity:

Alicia Keys died
Angelina Jolie died
Beyonce Knowles died
Bon Jovi died
Brad Pitt died
Cameron Diaz died
David Beckham died
Gwen Stefani died
J.K. Rowling died
Jay-Z died
Jennifer Aniston died
Jennifer Lopez died
Johnny Depp died
Justin Timberlake died
Kanye West died
Madonna died
Miley Cyrus died
Nicole Kidman died
Oprah Winfrey died
Ronaldinho died
Tiger Woods died
Tom Cruise died

In the UAB Spam Data Mine we received between 450 and 539 copies of each of these spam messages.

The body of the email has the same text for each, with only the name varying. The name used in the body of the email doesn't necessarily match the name in the subject line. Here's an example:


Cameron Diaz died along with 34 other people when the Air Force CT-43 "Bobcat" passenger plane carrying the group on a trip crashed into a mountainside while approaching the Dubrovnik airport in Croatia during heavy rain and poor visibility.

Please see attachment


The attachment, called "News.html", is base64 encoded, but if you click on it, it will launch in a web browser.

The HTML is composed of JavaScript functions which take substrings of string literals and concatenate them to build a URL:


new String("hre3y9b".substr(0,3)+"hv5f5hv".substr(3,1))]=
new String("http:P5v".substr(0,5)+ "//panHSOY".substr(0,5)+
"3aPiplusP3a".substr(3,5) + ".com.V4Hq".substr(0,5)+
"mx/1.0Xq".substr(0,5) + "HFkhtmlFHk".substr(3,4))


So, the "hre3y9b" becomes "hre", the "hv5f5hv" becomes an "f" for "href", etc . . .

It eventually turns into:

hxxp://paniplus.com.mx/1.html

(the "xx" instead of "tt" is to prevent this from being live)
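An analyst does not need to run the attachment to see where it points. As an added example (not code from the post or from the spam itself), here is a static decoder for the substr trick shown above: it never evaluates the script, it only replays each "literal".substr(start, len) call on its own string literal and joins the pieces. SAMPLE is the fragment quoted in the post, embedded here as constructed input.

```javascript
// Added example, not part of the original post.
// Constructed input: the obfuscated fragment quoted above.
const SAMPLE = `
new String("hre3y9b".substr(0,3)+"hv5f5hv".substr(3,1))]=
new String("http:P5v".substr(0,5)+ "//panHSOY".substr(0,5)+
"3aPiplusP3a".substr(3,5) + ".com.V4Hq".substr(0,5)+
"mx/1.0Xq".substr(0,5) + "HFkhtmlFHk".substr(3,4))
`;

// Matches "literal".substr(start, len) with a double-quoted literal.
const SUBSTR_CALL = /"([^"]*)"\.substr\(\s*(\d+)\s*,\s*(\d+)\s*\)/g;

// Replay one substr call without eval: substr(start, len) == slice(start, start + len).
function replaySubstr(literal, start, len) {
  return literal.slice(start, start + len);
}

// Each `new String(...)` group becomes one decoded string, in source order.
// The script never runs; only the literals and offsets are read.
function decodeSubstrGroups(src) {
  return src.split(/new String\(/).slice(1).map(group => {
    let out = "";
    for (const m of group.matchAll(SUBSTR_CALL)) {
      out += replaySubstr(m[1], Number(m[2]), Number(m[3]));
    }
    return out;
  });
}

// Defang a decoded URL the way the post does ("hxxp") so it is not clickable.
function defang(url) {
  return url.replace(/^http/i, "hxxp");
}

// The first group is the attribute name, the second the target URL.
const [attrName, targetUrl] = decodeSubstrGroups(SAMPLE);
console.log(attrName + " = " + defang(targetUrl));
```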

That page has two URLs on it, one pointing to the free domain website 'cz.cc':

cetogilco.cz.cc / scanner10 / ?afid=24

This page goes to a fake anti-virus site . . .

The second URL points to:

analyticspool.in / wiki / index.php ?sid=151 &search=ecard &refresh=on


From cetogilco.cz.cc the file "antivirus.exe" is downloaded.

A VirusTotal Report for this malware, showing 18 of 41 detects, is available. The MD5 is cb38da67e9a96afb0b3674eddee26472.


Viagra Spammers as Hackers?

by UAB's Director of Research in Computer Forensics on August 9, 2010

in SBN

By now you're certainly well aware of the fact that the CAN-SPAM Act is basically ignored by law enforcement, with an occasional exception once or twice a year where someone actually goes to jail.

The question remains, how do we convince the limited resources of law enforcement that a spammer is more than "just another spammer" and is actually someone who should be pursued?

As we were looking through spam clusters on the UAB Spam Data Mine this weekend, one interesting pattern stood out, because it seemed to be an indication that a particular viagra spammer may actually be breaking into websites (that is, committing violations of Title 18 Section 1030, "Computer Intrusion") in order to avoid being caught as a spammer.

This particular spammer sent us 359,205 spam messages between July 14, 2009 and July 30, 2009. While some were part of the group that uses the pattern:

drug-word first-name ## single-letter.ru

such as:




I was actually far more interested in another subgroup from this spammer.

The 498 websites listed below are each a pre-existing website which has been hacked in the same manner that a phisher may hack a website. In this case a single file has been placed on each server, and it is that file that is used in the spam messages. Although the spam that I used to generate this group was all from July 14 to July 30, 299 of the websites remain "hacked" as of this writing.

If you are a webmaster for one of the sites listed below, we would be very interested in three facts from you:

1) do you have any log or theory showing how your website was hacked?

2) do you have logs that we could review to count how many people "clicked through" your site?

3) have you experienced other forms of defacement since being hacked by the "viagra hacker?"

Please feel free to email me with this type of information at:

g a r @ c i s . u a b . e d u



The websites which remain in their "hacked" state redirect to one of the following 35 viagra-sales websites:

count redirection URL
====== ===================================
4 http://bestviagracenter.com:8080/
6 http://bestviagrapills.com:8080/
24 http://buyviagraworld.com:8080/
9 http://chpmedic.com/
4 http://dedcanadadrugs.com/
11 http://esuperviagra.com/
9 http://expressviagraonline.com:8080/
7 http://lemedic.com/
26 http://mybestviagra.com:8080/
8 http://naturalviagraonline.com:8080/
1 http://thenaturalviagra.com:8080/
18 http://theviagrapills.com:8080/
1 http://viagrapriceline.com:8080
23 http://viagrapriceline.com:8080/
107 http://www.czmedicine.com/
2 http://www.fepharmacy.com/
2 http://www.hypharmacy.com/
1 http://www.kepharmacy.com/
8 http://www.litmedic.com/
6 http://www.mamedic.com/
1 http://www.medicineac.com/
2 http://www.medicinecy.com/
1 http://www.medicinegl.com/
1 http://www.medicinelo.com/
2 http://www.medicinelu.com/
2 http://www.medicineor.com/
1 http://www.medicineps.com/
1 http://www.papharmacy.com/
1 http://www.pharmacyan.com/
4 http://www.pharmacydg.com/
2 http://www.pharmacyry.com/
1 http://www.pharmacyth.com/
1 http://www.pharmacytl.com/
1 http://www.phmedicine.com/
1 http://www.tepharmacy.com/
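The table above is the kind of tally you get by pulling each hacked page and extracting where it sends visitors. The following is an added example, not the original analysis: it recognises the redirect forms a hacked page typically carries (meta refresh, `location.href`, `location.replace()`; the forms themselves are an assumption, the page above only says the sites redirect), and it folds trailing-slash variants together, because the two viagrapriceline.com:8080 rows above (1 and 23) are really the same landing site. The sample pages are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample pages standing in for fetched copies of the hacked
# "/word##.html" pages listed above. The redirect mechanisms shown are an
# assumption for the example; the page only states that the sites redirect.
SAMPLE_PAGES = {
    "orhanerdem.co.cc/satrap74.html":
        '<html><head><meta http-equiv="refresh" content="0; url=http://www.czmedicine.com/"></head></html>',
    "asianhotelhcmvn.com/scow49.html":
        '<html><body><script>window.location.href="http://mybestviagra.com:8080/";</script></body></html>',
    "www.decaclub.com.br/scrap42.html":
        "<script>location.replace('http://www.czmedicine.com/')</script>",
    "www.sesagold.com/snore42.html":
        "<html><body><h1>Cleaned up</h1></body></html>",
}

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]+'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
# window.location.href = "...", location.replace('...'), location.assign("...")
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*'
    r'(?:=|\.replace\s*\(|\.assign\s*\()\s*["\']([^"\']+)["\']',
    re.IGNORECASE)


def extract_redirect(html):
    """Return the URL a hacked page sends visitors to, or None if it no longer redirects."""
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(html)
        if m:
            return m.group(1)
    return None


def normalise(url):
    """Collapse trailing-slash variants (host:8080 vs host:8080/) so one landing site
    is counted once."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{parts.scheme}://{parts.netloc}{path}"


def tally_redirects(pages):
    """Map each redirect target to the number of hacked pages that point at it."""
    counts = Counter()
    for _page, html in pages.items():
        target = extract_redirect(html)
        if target:
            counts[normalise(target)] += 1
    return counts


if __name__ == "__main__":
    for target, n in tally_redirects(SAMPLE_PAGES).most_common():
        print(f"{n:>4} {target}")
```

Pages that have been cleaned (the fourth sample) yield no target and drop out of the tally, which is how the "remain in their hacked state" qualifier above is applied in practice.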


Spam Campaign: Zeus’s Greatest Hits spreads malware

by UAB's Director of Research in Computer Forensics on August 6, 2010

in SBN

Yesterday I had the pleasure of speaking on the subject of phishing to the Association of Certified Fraud Examiners Alabama chapter conference, hosted at the UAB School of Business, where my friend Tommie Singleton teaches Forensic Accounting.

After talking about traditional phishing, and the statistics that we have about phishing through our UAB Phishing Operations and UAB Phishing Intelligence teams, I shared with the group that while phishing continues to rise, compromise of banking credentials through malware is an ever-growing threat.

To demonstrate the problem with malware, I opened one of my spam receiving email accounts as a user and clicked on several email messages.

I clicked on an email from July 30th that warned me that "FDIC has officially named your bank failed bank", clicked the attachment, and demonstrated my anti-virus product (on this machine I was using Microsoft Forefront) successfully protected me from the malware.

Then I clicked on an email from July 31st that claimed to have details on "Your order from Amazon.com". Again, my AV popped on the attachment.

Then I clicked on an email from August 2nd with the subject "DHL Tracking number 080231". Pop! Virus!

Then I clicked on an email from August 3rd with the subject "Notice of Underreported Incomeir" - "yeah, Incomeir" not Income. Those guys at IRS apparently don't have a spell-checker. Pop! Virus!

Then I clicked on an email that was about four hours old - "You have received a file from (email) via YouSendIt." No warning. So we unpacked the zip file and sent it to VirusTotal. 11 of 42 detections. Note that at VirusTotal, Microsoft was described as being a product that detected the malware, but VirusTotal was running a slightly newer (by a few hours) version of the AV than my laptop. Symantec and Trend and several other "big players" weren't detecting yet, but I told my audience that really didn't mean one was better than another - it was more or less a shooting of the dice who would be the "first detector."

So, what's going on with all of these new malware attachments? I would describe it as a "Zeus's Greatest Hits" campaign. Some of the most successful "Zbot spreading" spam campaigns are all being re-issued, only as attached-malware spam instead of "sending to website" spam. I've linked previous blog posts about Zeus campaigns to some of the top spam subjects in the list below. If we just look at spam for this week in the UAB Spam Data Mine, we see things like:

515 copies - "An unauthorized transaction billed to your bank account"
16,606 copies - DHL Tracking number #######
353 copies - FDIC has officially named your bank failed bank
17,143 copies - Hello
553 copies - Notice of Underreported Incomeir
10,829 copies - report
2,089 copies - Review your annual Social Security statement
166 copies - SALE OF BUSINESS Document
6,256 copies - Scan from a Xerox WorkCentre Pro N #######
412 copies - Unauthorized ACH transaction
387 copies - Welcome to Friendster
10,852 copies - You have received a file from (email) via YouSendIt.
2,479 copies - You have received an Greeting eCard
1,224 copies - Your Flight Ticket #####
301 copies - Your internet access is going to get suspended
7,513 copies - Your Order with Amazon.com
4,736 copies - YOUR SALE TO CAN PTY LIMITED

How do we know that these emails might be related to one another? The primary reason is how I selected the list that you see above. In the UAB Spam Data Mine, I picked one of the common subjects that are being used to spread this malware, and said "Show me all the email subjects sent from the same IP address as emails which sent me the subject 'You have received an Greeting eCard' and limit myself to only consider emails from August 2010."

All of the subjects in the list above were part of the response. Now, there were also hundreds of thousands of other emails - mostly selling Viagra and watches, but ALL of the subjects above were sent from computers that also sent at least one email with the "You have received an Greeting eCard" email.
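The sender-IP pivot described above can be reproduced against any archive of received spam. The following is an added example, not the UAB Spam Data Mine's own code: it takes one row per message (sending IP, subject, date), finds every IP that sent the seed subject within the chosen month, and counts every subject those IPs sent in that month. The records are constructed for the example (the IPs and counts are made up; only the subject lines come from the campaign above), and the noise-word filter for the pharma and watch spam sharing the same bots is an assumption about how one would trim the result.

```python
from collections import Counter

# Constructed records standing in for rows of a spam archive:
# (sending IP, subject line, date received). IPs are documentation ranges.
SPAM_RECORDS = [
    ("198.51.100.7", "You have received an Greeting eCard", "2010-08-02"),
    ("198.51.100.7", "DHL Tracking number 080231",          "2010-08-02"),
    ("198.51.100.7", "Your Order with Amazon.com",          "2010-08-03"),
    ("203.0.113.44", "You have received an Greeting eCard", "2010-08-04"),
    ("203.0.113.44", "Notice of Underreported Incomeir",    "2010-08-03"),
    ("203.0.113.44", "Cheap Viagra",                        "2010-08-04"),
    ("192.0.2.19",   "Replica watches",                     "2010-08-01"),
    ("192.0.2.19",   "Your Flight Ticket 43251",            "2010-08-05"),
    ("198.51.100.7", "You have received an Greeting eCard", "2010-07-28"),
    ("192.0.2.200",  "You have received an Greeting eCard", "2010-07-30"),
    ("192.0.2.200",  "Welcome to Friendster",               "2010-07-31"),
]


def pivot_on_sender(records, seed_subject, month):
    """Every subject sent in `month` (YYYY-MM) by an IP that also sent `seed_subject`
    in that month, with copies per subject.

    Returns (subjects, seed_ips): subjects maps subject -> copies, seed_ips is the
    set of sending IPs the pivot rested on. Restricting the seed to the same month
    matters: a bot that sent the seed last month may have been re-tasked since."""
    in_month = [r for r in records if r[2].startswith(month)]
    seed_ips = {ip for ip, subject, _ in in_month if subject == seed_subject}
    subjects = Counter(subject for ip, subject, _ in in_month if ip in seed_ips)
    return subjects, seed_ips


def campaign_subjects(records, seed_subject, month, noise_words=("viagra", "watch")):
    """Drop the pill and watch spam that rides the same bots (an assumed filter),
    leaving the subjects that look like the malware campaign."""
    subjects, _ = pivot_on_sender(records, seed_subject, month)
    return {s: n for s, n in subjects.items()
            if not any(w in s.lower() for w in noise_words)}


if __name__ == "__main__":
    seed = "You have received an Greeting eCard"
    for subject, n in sorted(campaign_subjects(SPAM_RECORDS, seed, "2010-08").items()):
        print(f"{n:,} copies - {subject}")
```

In the sample, 192.0.2.200 sent the eCard subject only in July, so its August-free "Welcome to Friendster" is not pulled in; 192.0.2.19 never sent the seed, so its flight-ticket subject stays out even though that subject does appear in the real campaign list above. A pivot like this shows shared infrastructure, not shared authorship: the same botnet is rented out for pills and for malware, which is why the filter step exists.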

What is the malware? If you are "into" MD5s, you can check them out yourself. In the emails above, the technique is to send an executable file within a ZIP file attached to the email. Here are the most popular '.zip' attachments so far in August:

count | MD5 of the .zip | attachment name (VirusTotal detections, of 42 engines)
11075 | 21c4690e291dfa09cc2eef89501fd9b9 | dhl_viewer (35)
10415 | 3e11b5374aaf019fc091d51be43bfdfc | yousendit_reader (23)
7403 | a170953b22815478083d4853f7ebfe57 | report (33)
6018 | 3a88a7fdeac36395bd6b1f6185b13b2c | report.document.doc (33)
5332 | 57eaeb400b49774533c45099877911f8 | dhl_viewer (33)
4738 | bae1fff9774a4366ef73247fcf6cb394 | 08-05-2010(10).pdf (30)
3234 | d0c9552a39d20576f50bbcdc692a187c | amazon_invoice_viewer (30)
3212 | 8f025c1c63e1d11d3a5444eaba978ce7 | xerox workcentrereader (31)
2509 | ccf81bcb37af7cc0835904ec2a49c6ce | report (33)
1617 | 347d3c44ba6c3f6501406e697170192c | statement (32)
1099 | d8fbbf60aafaf400f008b3b8f2b32a41 | transaction report (28)
736 | 02154aba2c9ad2e2bcbe80b7a31246f3 | ecard (34)
576 | 4fa198977d4d3a10a7282a71cb315955 | invoice_viewer (30)
563 | 5cbcc4e1a1f1c2c37149e8db953213b0 | statement (29)
421 | 58d62a8c7fc5a690d4ff18c752a20eb6 | doc (27)
409 | 1c4031ae6c0e327f86dc4201a3532468 | facebook_passw_31.07.2010 (21)
393 | 7ce7bdbc4ce52261ba2f8773d2c196e7 | statement (27)
371 | 02857e7260d3e73811093c8826efe37e | tax report (28)
367 | 802871fdc77c47ff398de9bae8548635 | invoice_viewer (32)
362 | d410ba8345407ab17f2f3b0c98b225d0 | invoice_viewer (26)
361 | 8f0e7810523e1f9d715f951150e9c845 | tax statement (29)
341 | 5eab651ded4b0f9f949beac0dda62146 | report (28)
275 | 0acdecd08273284ce26cd99a0beed1fe | tax statement (33)
202 | 83234d04953e4b8e3f5688ec62567fe1 | changelog_30.07.2010 (35)
198 | 9a02b55cb88acf80b840504d672c21da | resume (23)
179 | d747c2928f1205c69e459b308a35fe1e | transaction report (14)
177 | 8b357aca247a729e07f0ee935c578c81 | transaction report (33)
175 | d5083f3dfefe3d6a9dc3ccd9c2fd622f | changelog_30.07.2010 (26)
138 | 3100bc960f80e8b078c3f8dd6d53de7b | dhl_tracking_ (24)
76 | 5e5b596bdf2f39b1fdfeb23821c75f41 | dhl_viewer (2)
73 | 68b13b6ecbb24322c9fe183b064eef9d | financial summary.xls (27)
51 | 5667dba64be7749c23148b564303fd11 | invoice (11)
37 | 5f2515a06e45acf9e3429ed78447e6a7 | core business advice notice ccc[1].doc (12)
33 | bbc7b06a0f0e6b09b8b7b07f3dab3b6b | statement (7)
31 | 489e4d09253414a8884fcf70326c81b9 | 090508 ccc equipment inventory v4.xls (11)
30 | 477a292406bfbbc474c35efdc92462a6 | business report.doc (12)
30 | 5bd1fb667558da6945518c28d485a37d | tax report (31)
28 | aaead684fe45133c628d3388451b7b6e | invoice_viewer (29)

The ones with low counts are mostly going to be the very newest versions (or ones that were sent in July and ended early on August 1st).
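The MD5s above are hashes of the .zip attachment as it arrived, which is the value to look up at VirusTotal. The following is an added example, not the lab's own tooling, of the triage step that produces such a row: parse the message, hash each ZIP attachment, list its members, and flag the executable hiding inside (by extension, including the double-extension trick, or by an MZ header regardless of name). The message is constructed in the example itself and the "executable" is a fake MZ header, not real malware; the member names are an assumption modelled on the attachment names above.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def build_sample_eml():
    """Construct a message like those above: a ZIP attachment wrapping an executable.
    Contents are fake (an MZ header and filler), not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        stamp = (2010, 8, 5, 9, 0, 0)               # fixed so the hash is reproducible
        z.writestr(zipfile.ZipInfo("dhl_viewer.exe", date_time=stamp), b"MZ" + b"\x00" * 62)
        z.writestr(zipfile.ZipInfo("statement.pdf.scr", date_time=stamp), b"%PDF-1.4 fake")
        z.writestr(zipfile.ZipInfo("readme.txt", date_time=stamp), b"Open the attached viewer.")
    msg = MIMEMultipart()
    msg["Subject"] = "DHL Tracking number 080231"
    msg["From"] = "DHL <tracking@example.net>"      # constructed sender
    msg.attach(MIMEText("Your parcel could not be delivered."))
    part = MIMEApplication(buf.getvalue(), _subtype="zip")
    part.add_header("Content-Disposition", "attachment", filename="dhl_viewer.zip")
    msg.attach(part)
    return msg.as_bytes()


def triage_zip_attachments(raw_eml):
    """For each ZIP attachment: the MD5 of the attachment as sent, its member
    names, and which members are executables."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip") and part.get_content_type() != "application/zip":
            continue
        data = part.get_payload(decode=True)
        entry = {"attachment": name, "md5": hashlib.md5(data).hexdigest(),
                 "members": [], "executables": []}
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.infolist():
                    entry["members"].append(member.filename)
                    with z.open(member) as fh:
                        head = fh.read(2)        # PE files start with "MZ" whatever they are named
                    if member.filename.lower().endswith(EXEC_EXTS) or head == b"MZ":
                        entry["executables"].append(member.filename)
        except zipfile.BadZipFile:
            entry["error"] = "attachment is not a valid zip"
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage_zip_attachments(build_sample_eml()):
        print(f["md5"], f["attachment"], f["executables"])
```

Hash the ZIP bytes exactly as delivered (base64-decoded, nothing re-packed); re-zipping the extracted file gives a different MD5 and the lookup will miss. The BadZipFile branch is there because a "zip" that does not parse is itself a finding, as the image-only "private photo" attachments discussed below show.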

Some detections are pretty good ... for instance, that final "invoice_viewer" was first seen on August 5th (yesterday) and currently has 29 of 42 detections at VirusTotal. However, the number in parentheses after each attachment name is its VirusTotal detection count RIGHT NOW. See the 7? and the 11? Remember that these are WORST when the email is FRESH. Some of these are from August 1st.

What about RIGHT NOW?

I'm going to scan the next two email-attached zips that arrive and show you the detections of FRESH email-delivered malware.

Oh - since the three most recent ".zip" attached emails were in this category, I'll mention this here. Another current email-delivered .zip campaign is "Your private photo attached" and contains a zip named with a random word (my last one was "accosting.zip"). It had zero of 42 detections as a zip file.

That's because it's not malware. It's the "randomly created image" showing that I should buy pills from "yes82.ru".



Here are some of the emails from the campaign above:









PhacePhish: New Facebook Attack gives a One-Two Punch

by UAB's Director of Research in Computer Forensics on August 4, 2010

in SBN

Tonight I had a message from one of my Facebook friends who was concerned that someone may have hacked her Facebook account. She was worried that she might get a virus by looking at the links they had posted on her behalf. I assured her not to worry -- if her Facebook account was sending links to other people's walls, she probably already had a virus. After digging a bit deeper, I'm not so sure.

The "One-Two" punch of this current Facebook attack is similar to some of the spamming malware. Some of the messages it sends are to generate profit for the cybercriminal, and some of the messages are to infect more users to build the criminal's delivery network.

Here is the first type of message -- the "profit" message:



This reminds me of a current "work at home mom" trend that some of my other friends are engaging in. There really is a weight loss multi-level marketing scheme right now where the participants are encouraged to make a website telling about "the plan" and then are told that making money is as easy as following the plan yourself, and posting your weight loss reports to all your Facebook friends. (Hope you're happy and skinny, DG, I wouldn't know, I blocked you on Facebook as soon as you started that crap!)

What happens if you follow the link? The link doesn't go to my friend's weight loss page. It goes to an Acai Berry affiliate sales "news" page that is supposed to look like a real "news" site that just happens to be featuring a story about the miracle of the Acai Berry.



Clicking anywhere on the "news" page takes you first to an affiliate tracker page:

tracker.cpaprosperity.net/affe?offer_id=500&aff_id=1161

and then to the sales page for their diet plan:

acaioptimum.com/?afil=az1007

The diet scam page is hosted by Black Rock Hosting on the IP address 64.38.201.205.

That was the "One" . . . here comes the "Two" of our One-Two Punch:



What's the other important purpose for Facebook besides getting your friends to join your Multi-Level Marketing Weightloss plan? Sending stupid videos to one another, right? Everyone knows that when one of your friends posts a link, you are required to immediately click on it, and the click the "Like" button. This is how people know that we are their friends. We "Like" all their stupid videos.

(Actually, I'm a big Facebook fan. My family communicates like crazy with it, and I enjoy sharing pictures with my friends and playing Bejeweled Blitz. But this is the part where I'm supposed to be all sarcastic...)

So, when my friend BG posted this message to all of her friends' walls, what would happen if they clicked on it?

The first thing is that it sends you to a website called "securitymeassures3.co.tv". That page is going to call some Javascript to find out what country you are in:



If you are in the US, you then load the webpage "explororjones.com/deel/deeus/"

If you are anywhere else in the world, you then load the webpage "explororjones.com/deel/deeint/"

Either way, the page that loads looks like this:



WAIT! How did I get logged out of Facebook? (you are supposed to say to yourself...) then you quickly type in your userid and password for Facebook on this other page, which is actually at "explororjones.com"

ExplororJones is hosted on that excellent Netherlands hosting company Worldstream. I don't recall Facebook moving their operations there. When a web page that is not really the company you are trying to log in to convinces you to enter your credentials on its fake login form, we call that phishing.

That's why I'm calling this particular attack "PhacePhish" - most phishing attacks start with a spam message that sends you a scary reason that you really need to log in to your bank RIGHT NOW. This one starts with a spammy Facebook message instead.
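The tell in the page described above is structural: a form asking for a Facebook password submits somewhere other than Facebook. The following is an added example, not code from the original post, of the check a responder would script against a captured copy of such a page: find every form containing a password field, resolve its action against the page URL (a relative or empty action posts back to the host serving the page), and flag any that do not land on the brand's own domain. The HTML is constructed for the example; the post only shows that the form lives on explororjones.com and asks for a Facebook login.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed copy of a fake "you have been logged out" page. The markup is an
# assumption; only the host and the Facebook-login pretext come from the post.
FAKE_LOGIN_PAGE = """
<html><head><title>Facebook - Log In</title></head><body>
<form method="post" action="/deel/deeus/login.php">
  <input type="text" name="email"> <input type="password" name="pass">
  <input type="submit" value="Log In">
</form></body></html>
"""

# A constructed control: the same form, but posting to the brand's own host.
REAL_LOGIN_PAGE = FAKE_LOGIN_PAGE.replace(
    'action="/deel/deeus/login.php"', 'action="https://www.facebook.com/login.php"')


class CredentialFormFinder(HTMLParser):
    """Collect every <form>, recording its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [(action, has_password), ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def credential_targets(html, page_url):
    """Hostnames that the page's password forms submit to. Relative and empty
    actions resolve against the page URL, i.e. the server that sent the page."""
    parser = CredentialFormFinder()
    parser.feed(html)
    return [urlsplit(urljoin(page_url, action)).hostname
            for action, has_pw in parser.forms if has_pw]


def is_phish(html, page_url, brand_domain):
    """True when a password form exists that does not submit to the brand's
    domain or one of its subdomains."""
    def belongs(host):
        return host == brand_domain or host.endswith("." + brand_domain)
    targets = credential_targets(html, page_url)
    return bool(targets) and not all(belongs(h) for h in targets)


if __name__ == "__main__":
    url = "http://explororjones.com/deel/deeus/"
    print(credential_targets(FAKE_LOGIN_PAGE, url), is_phish(FAKE_LOGIN_PAGE, url, "facebook.com"))
```

The check is deliberately narrow: it catches the common case of a cloned login form posting to the attacker's host, but a page that posts to the real brand while copying keystrokes with JavaScript, or one that builds the form at runtime, needs a rendered-DOM or network-level check instead.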

Sooo...does my friend have a virus?

No, it's very very probable that my friend clicked on a "funny baby" or some other leading video on one of her friends' Facebook posts, believed she was logged out of Facebook, and logged back in, giving her password to the criminals. The criminals then can log in as my friend and repost the message on all of her friends' Facebook pages. If they fall for it, then they'll tell their friends, and they'll tell their friends, and they'll tell their friends, and pretty soon we'll all be skinny and rich! Happy ending!

I'd call my friend and tell her all of this, but it's 3:00 AM. I'll let her sleep a bit more while the criminals spread their message through her Facebook account. Wonder if the Facebook guys are awake . . . hmmmmmmmm....


The Future of Cyber Attack Attribution

by UAB's Director of Research in Computer Forensics on July 18, 2010

in SBN

On July 15th, the US House of Representatives' Committee on Science and Technology's Subcommittee on Technology & Innovation held a hearing called Planning for the Future of Cyber Attack Attribution.

I was drawn to the topic, having a great deal of experience with the puzzles of finding bad guys on the Internet who need badly to spend some time deprived of freedom as a consequence for their actions. Unfortunately, the hearings really stressed the problem that using technology to make attribution certain creates human rights issues around the globe. Conversely, the creation of privacy tools can grant bullet-proof privacy to child pornographers, terrorists, and cyber criminals.

Finding almost no mention of this hearing in any media source, I wanted to at least give a brief outline of what happened.

Chairman David Wu, an advocate for cybersecurity, and co-author of the excellent Cybersecurity Enhancement Act of 2010, made the Opening Statement to kick off the hearings, putting this hearing in context in the overall series of hearings on cyber threats that have been held over the past two years. Wu said that "Now more than ever, we need to be focused on the development of tools and technologies to prevent, detect, and respond to cyber attacks." Wu went on to say that one method of deterrence, the focus of the hearings on this day, was "the ability to attribute an attack to a particular person, party, or system" and that this could be "vital to defending against cyber attack." The desire for attribution though was tempered by a reminder that Chairman Wu was "personally very concerned about the potential implications to privacy and internet freedom posed by attribution technologies."

Mr. Wu had to apologize for the lack of attendance by his committee, but assured the panelists that the full committee will have read their written testimony, although at least one attending member admitted he had "browsed through" their testimony and "read some of it." It seems that only seven Congressmen were able to attend.

Each of the four witnesses below had been given four questions to answer in their written testimony:

Q1: As has been stated by many experts, deterrence is a productive way to prevent physical attacks. How can attack attribution play a role in deterring cyber attacks?

Q2: What are the proper roles of both the government and private industry in developing and improving attack attribution capabilities? What R&D is needed to address capability gaps in attack attribution and who should be responsible for completing that R&D?

Q3: What are the distinguishing factors between anonymity and privacy? How should we account for both in the development and use of attribution technologies?

Q4: Is there a need for standards in the development and implementation of attack attribution technologies? Is there a specific need for privacy standards and if so, what should be the government’s role in the development of these standards?



The video of the spoken testimony and Q&A is available. I encourage interested parties to avail themselves of the video and the written testimony. The notes below are my personal "sketchy" notes as I tried to reduce an hour of video and 150 pages or so of testimony into a blog entry.

The witnesses for the hearing were each given five minutes to make an opening statement. I took a few notes below, but would again recommend interested parties to the originals:

Dr. David A. Wheeler

- the Institute for Defense Analyses: Information Technology and Systems Division - I have to say that Wheeler's written "testimony" was quite disappointing. Introduced into a House hearing in 2010 is Wheeler's 85-page DARPA paper for the "Defense-Wide Information Assurance Program" called "Techniques for Cyber Attack Attribution", which was an excellent, thorough, and timely report when it was authored in October of 2003. While it does provide a nice framework for possible forms of attribution, the paper is about fifty years old in "Internet years", making the relevance of much of the paper questionable. It was the only one of the four responses that actually talked about what could be done technologically with attribution, but most of the papers cited as references are from the late 90s or early 2000s, including things like Staniford-Chen's work from 1995, Stefan Savage's work from 2000 on "IP Network Traceback", and Jelena Mirkovic and Dave Dittrich writing about DDoS attacks in 2001. Good stuff, but quite dated.

The paper in fact specifically excuses itself from addressing nearly every modern form of cyber attack when it declares (p. 20 of the testimony):

This paper does not cover identifying or locating people who are not DIRECTLY ATTACKING the defender.


So, if they are attacking via a botnet, via a proxy, via malware already installed in the attacking organization, this paper doesn't address any of that. It also excludes itself from social engineering, determining HOW an attacker attacked. Another useful feature of this particular "testimony" is that most of the URLs referenced in the paper don't work. Nice.

Dr. Wheeler began his spoken testimony by cautioning about Fourth Amendment protection from "unreasonable search". One point he made was that if we cannot make attribution, then there is no chance of making a successful counter-attack, either over the network or using a "kinetic attack."

Mr. Robert Knake

- International Affairs Fellow at the Council on Foreign Relations. Mr. Knake started his spoken testimony by saying that the problem of attribution is "largely overstated", and went on to say that no more than 100 groups, and possibly as few as FOUR possess the capability to cause "real world" harm through cyber attacks.

Knake suggests that labeling all packets with a so-called "Internet license plate" would be more useful to authoritarian regimes for denying their citizens any anonymity or freedom of speech, while criminals would probably find a way to work around these identifying mechanisms. He also gives the current example from China: even when we positively identify the attacking system, the owner of the system, or in this case the Chinese government, can say that while the attack traffic originated on that system, it was probably a case of that system having poor security itself and being used as a proxy. Because of our inability to overcome these doubts, attribution will likely never reach a level where a kinetic counter-attack can be justified.

Mr. Knake's Written Testimony contained one fairly interesting graphic, which I share here:



Mr. Knake's written testimony asks three main questions:

- what degree of certainty in attribution is necessary to take action?
- what would that action look like?
- how will we make potential adversaries understand the answer to those questions - because if they don't understand, they will not be deterred!

He goes on to discuss espionage, crime, terrorism, and the fact that you can't actually LEGISLATE this successfully, mentioning that the CAN-SPAM act made it a law that email marketers are required to "attribute" emails to themselves, yet 9 of every 10 emails on the Internet do not do so!


Mr. Ed Giorgio

- President and Co-Founder of Ponte Technologies - Mr Giorgio's testimony spoke of the need for Internet users to be allowed to create as many identities as they like, with some certificates positively identifying the real user, while other certificates guaranteed their anonymity or privacy. Mr. Giorgio said that a "trusted third party" would have to take the role of assigning these certificates, as government had so far not demonstrated the capability to do so in a trustworthy manner.

Mr. Giorgio's Written Testimony specifically mentions a number of threats:
whether it is the Chinese stealing our American innovations to produce less expensive versions, the Russians engaging in financial crimes, the Israelis' stealing our political intentions, the French stealing our competition-sensitive materials, the Nigerians conning our elderly, and so on.

He then goes on to mention that reference to foreign threats has been used in the past to justify "gross violations of domestic civil liberties" and warns that we must be cautious in this area of "dangerous constitutional grounds."

After answering the four questions, stressing the fear of government control, in an Appendix, Mr. Giorgio describes a "New Privacy Standards Framework". Remember "Alice and Bob" from crypto talks? In the new Privacy Standard we have a buyer, Bob, and a search agent, Goliath. Could Goliath = Google, Mr. Giorgio? The Framework was an interesting read, although it actually answered the opposite of what the committee was asking. It answers "how can individuals have their privacy protected?" when the question at hand was "how can we attribute attack traffic to its origins?"

Mr. Marc Rotenberg

- President of the Electronic Privacy Information Center - spoke of the fact that China has the most rigorous attribution capabilities, including a requirement that Internet users provide their true names, email addresses, and a list of news sources from which they receive information. Chinese ISPs are required to keep logs of all their activities, and cyber cafes are required to log activities for sixty days of all users within their cafe. ".cn" domain owners have to provide both their real name and a photograph to create a domain name. "There is a real risk that attribution techniques will be used not for purposes of cyber security but in ways that have a real impact on human rights and freedom of expression. What attribution also does is make people think twice before saying something controversial. In the United States we have a strong constitutional right to speak anonymously," which Rotenberg says came from the use of anonymity in the publication of the Federalist Papers by our founding fathers.

I have to say that Mr. Rotenberg's written testimony was extremely well researched and had a fantastic list of eighty very current references, especially with great insights into China's censorship and monitoring activities. I found myself reading quite a few great papers that I hadn't seen previously as I followed the excellent footnotes prepared by EPIC's legal staff.



Q&A


Mr. Wu began the Q&A by saying that "as is often the case, when there are two flies flying in the Grand Canyon, they collide," apologizing that he had to go vote on another committee and would have to leave his own hearing. He also greeted "Russia Today" who was covering the committee hearings despite the absence of interest from American media.

Question from Chairman Wu: The role of Deterrence and Attribution may be over-stated. Comments?

Mr. Rotenberg - for non-state actors, attribution outside the US would be very difficult, and response may be very difficult for reasons of national sovereignty.

Mr. Giorgio mentions that even if we can't identify the PERSON at the keyboard, it is often enough to be able to block the COMPUTER at the other end in order to disrupt an attack.

Dr. Wheeler mentions that there is value to attribution, but there are serious limitations to attribution including delayed and intermediary attacks. Attribution should only be part of a larger strategy.

Mr. Knake - our strategy for preventing terrorism in the USA focuses on prevention, protection, and resiliency rather than deterring particular cyber actors. In many cases we do not lack attribution, we lack response options. Even when we know who the attacker is, we are limited in our ability to act. Whether they are Chinese national actors, Russian cyber criminals, or Nigerian scammers, knowing the identity of the attacker does not actually assist in having a means of acting.

Question from Chairman Wu - specifically to Mr. Giorgio - if we built attribution into the backbone of the Internet, we would be limiting privacy options.

All panelists agreed that anonymity was important. One speaker talked about the current noise about Blizzard requiring true identities for World of Warcraft players. Mr. Knake talks about the need for the government to actually step in and require Internet companies to disclose how they use personally identifiable information in the form of cookies and other information to target the internet user with customized advertising.

Ranking Member Smith asked the question "What are our current methods of being able to trace attacks?"

Dr. Wheeler mentions that there are many ways of doing so (in his written testimony, he had 17 categories of methods of identifying an attacker, and he states that surely there are more since then.)

Congressman Chris Smith then asked "if attribution is futile, what are our other methods to defend ourselves?"

Congresswoman Donna Edwards asked about the balance between Privacy and Attribution, specifically asking about internet cookies.

Congressman Dana Rohrabacher asked about the capability for "automatic counter attack" to be developed, and was warned off of the subject by multiple replies, stating that actually some forms of attack may be generated specifically to cause MIS-attribution in the hopes that a counter attack may be launched against a wrongful target.

In response to another question from Mr. Rohrabacher, Mr. Knake went back to a point that was well-articulated in his written testimony. He gave the example of the Taliban in Afghanistan, and pointed out that the warning we gave the Taliban after 9/11 was that if terrorist activities occurred from their soil, we would hold them responsible for refusing to cooperate with identifying and bringing to justice the criminals and terrorists they were protecting. In a similar way, Mr. Knake suggests that we have to hold foreign countries responsible when they thwart our abilities to identify various forms of cyber attackers in their countries.

Congresswoman Edwards then asked about the creation and establishment of new standards that would assist with attribution.

Mr. Wu returned to his committee, and immediately cautioned that there were only seven more minutes before they had to adjourn for a floor vote. I really felt sorry for the panelists to see that there was so little time afforded to this very important topic.

Mr. Wu mentioned several questions that he hoped could be addressed in writing in the future, especially what role International committees, treaties, and standards may play in defining what is an attack, and how attacks should be responded to.


PakBugs Hackers arrested

by UAB's Director of Research in Computer Forensics on July 12, 2010

in SBN

(Thanks to Twitter friends - @nartv, @cedricpernet, @HostExploit - for setting me onto this story mostly by pointing to this article by Lucian Constantin over at SoftPedia, who had the English Language Scoop, as he often does.)

For Pakistani hackers, July 7, 2010 will be remembered as the beginning of a fearful period in their lives. On that day, Mr. Shahid Nadeem Baloch, the Director of Cyber Crime Investigations for the Federal Investigation Agency (FIA), announced the arrest of five ring leaders of the popular hacker forum "PAKBugs" in this release from the Press Information Department. Among those praised by FIA's Director General, Mr. Zafar Ullah Khan, for their roles in the investigation are Mr. Muhammad Idress Mian, who directs the National Response Center for Cyber Crimes (NR3C), Mr. Muhammad Raza, Cyber Crime Circle sub-inspector for the Rawalpindi Police, and NR3C Technical Officers Mr. Aun Abbas and Mr. Amjad Abbasi.

The hackers arrested or wanted include:

Jawad Ehsan, alias Humza, still at large in Riyadh, Saudi Arabia.
Jawad uses the hacker handle ZombiE_Ksa, and is the founder of PakBugs and probably the most famous of all the PakBugs hackers. He is charged with 169 website defacements.

Ahmad Hafeez, arrested in Lahore.
Ahmad uses the hacker handle vergil, and is a moderator on the boards Pakbugs and Pakhaxorz. He is charged with 480 website defacements.

Hassan Khan, arrested in Peshawar.
Hassan uses the hacker handle x00mx00m, and is a co-founder of Pakbugs. He is charged with 8,697 website defacements.

Farman Ullah Khan, arrested in Bannu.
Farman uses the hacker handle Farman, and was a VIP-member of Pakbugs. Charges against Farman are unknown.

Malik Hammad Khalid, arrested in Rawalpindi.
Malik uses the hacker handle inject0r, and was a "super moderator" at Pakbugs. He is charged with 134 website defacements.

Taimoor Zafar Bhatti, arrested in Rawalpindi.
Taimoor uses the hacker handle h4v0c-, and was a "super moderator" at Pakbugs. He is charged with 105 website defacements.

Also wanted by the FIA Cyber Crimes Department are:
BiG^Smoke
Cyber-Criminal
spo0feR
and [a]

According to the press release:
These individuals have expertise in following techniques:
1) Linux
2) SQL Injection
3) Trojan horses
4) Phishing
5) Rooting
6) Access to various servers
7) Botnets
8) PHP Scripts
9) Stealers
10) ASP scripts (self writing)
11) JSP scripts (self writing)
12) Key loggers
13) Credit Cards Jacking and usage of stolen Credit Cards


What the press release doesn't mention is that the NR3C's own website was hacked by these website defacers in January of this year. (Image from MastiKorner.com; the original defacement is preserved in the Zone-H archive.)

In that defacement the Pakbugs hackers suggest that if Pakistani citizens want help with security issues they should turn to Pakbugs rather than the NR3C.

The NR3C defacement was signed:

We are L33t Pakistani H4x0rZ,
www.Pakbugs.com
We are PAKbugs, We keep it real:
Zombie_Ksa::Spo0feR::x00mx00m::Cyber-Criminal
Special Greetz: BiG^Smoke
Greetz: Agd_Scorp :aB0 M0h4mM3d : The Moorish


That is actually the last website defacement credited to ZombiE_Ksa in the Zone-H archives, although his activities in 2009 included hacking numerous ".gov.pk" websites, temporarily taking over nameservers on the ".ug" registrar to allow defacements of the Ugandan websites for Microsoft, Toshiba, CNN, Citibank, and Google, and hacking the websites of the Saudi "Bank Al Bilad".

Zombie_KSA (KSA = Kingdom of Saudi Arabia) uses the hotmail addresses "Zombie_KsA@hotmail.com" and "mr.lonely420@hotmail.com".

TrendMicro posted screenshots obtained from Zombie_KSA proving that he not only had defaced the website, but actually had control of the email systems of the NR3C.

Despite the ZombiE_KsA hack, the Pakistani government is to be highly praised for taking on cybercrime in such a proactive way. Pakistanis are encouraged to report cybercrime by emailing helpdesk@nr3c.gov.pk. The 2007 "Prevention of Electronic Crimes Bill" (English language PDF) offers penalties from six months imprisonment all the way up to capital punishment for 17 types of cyber crimes, with the most significant being "Cyber terrorism".


Other articles show that Zombie_KsA and Cyber-Criminal hacked the Pakistani Air Force website.

Unfortunately for the PakBugs hackers, in addition to having the Pakistani government after them, they had a bigger problem. Greyhat vigilante hacker "catch.them@live.com" posted the entire user database of the PakBugs forums to the mailing list Full-Disclosure back on September 14, 2009. That report revealed the email addresses used by all 12,640 members of PakBugs, including many of the hackers on the FIA wanted list:

ZombiE_KsA = mr.lonely420@hotmail.com
x00mx00m = x00mx00m@gmail.com
Farman = farmanullahkhan@gmail.com
vergil = hotpoint-001@hotmail.com
Injector = lovedontcostapenny_1@live.com
h4v0c- = amilliondollarsmile@hotmail.com

The FIA may want to check out the history of website "loverzpoint.net", which has been "Greeted" several times by ZombiE_KsA, and where two of their "still at large" hackers have email accounts:

Cyb3r-Criminal = cyber-criminal420@loverzpoint.net
BiG Smoke = bigsmoke@loverzpoint.net
spo0fer = outlaw41@live.com
[a] = ahmed.kamal29@gmail.com

loverzpoint.net was originally registered to "big_smoke_boom@yahoo.com" with a fraudulent US-based address. In October 2008 that changed to "loverzpoint@gmail.com" with a Riyadh address and the name "Syed Jawad Shah".

(According to the hack, userids 1, 12, 99, 1628 and 3844 all had "Admin" privileges at PakBugs. Those would be the users ZombiE_KsA, spo0fer, Maximus, Test User, and Big Smoke, the last of those being the original owner of LoverzPoint.net.)


The website "Propakistani.pk" has run a message regarding these arrests which is said to be from the "Pakistan Cyber Army". The PCA was active in a clash between Pakistani and Indian hackers in November of 2008. The message reads:
“Message from Pakistan Cyber Army on arrest of Pakbugs Members

If anyone has doubt that we are not the one who defaced ONGC then get a life first. If people have forgotten, then we are the same guys who Defaced ONGC in response to the attack on OGRA. After which we did a peace deal with the groups involved on both sides of borders including “Pakbugs” and “ICW” but kids didn’t keep their promise and got arrested.

We told PakBugs many (many, many, many) times to not to deface/destroy Pakistani websites and infrastructure. We told them to take FIA and NR3C seriously – as these agencies are not bunch of NOOBS, we had warned Pakbugs that you people don’t know about the power and the resources that NR3C has got but they gave a damn to our words and ended up in their custody.

I feel sad about the kids but… it happened due to their carelessness and childish attitude, which eventually landed them in the jail.

If you people are upcoming hackers and don’t know about Prevention of Electronic Crimes Ordinance then go and read it on NR3C website. I fear that Pakbugs would have a jail of 7 years if they got trialed and if FIA bail them out with some punishment they should thank Allah and concentrate on their studies.

We always told Jawad (HUMZA) and other kids about the consequences that they may face if arrested. [Jawad correct me if I am wrong.]

Request to FIA/NR3C

“It is our humble request to FIA (NR3C) authorities to consider the case realistically and don’t give the kids the capital punishment as they are kids and can improve if given a chance. If they got the capital punishment as mentioned in Prevention of Electronic Crimes Ordinance then their future will be ruined. Sir these are our kids and our force if given a direction”

Message for upcoming Hackers

Our message to upcoming hackers or people who are interested in this field is that there is nothing bad to have the knowledge of hacking or hacking techniques, what’s bad is the usage of such knowledge and skill against our own country, National and international organizations or departments – that may cause damage to our country and its repute in the world. Don’t push your efforts to get famous. The fame will come by the time.

Some of your kids out there think that organizations in the west give opportunity to the hackers, if that’s the case then you are living in a heaven of fools.

Don’t believe in such stories that hackers will have a good future. The person who has a criminal record cannot fly from the country or he can’t enter into a country legally – go and ask your elders about it.

Message for Indian Hackers

If Indian hackers think that the game is over then read our message once again “Don’t mess with Pakistan else you will lose both your Name and this Game”. If you think that “Pakbugs” got arrested and you have a chance to play then give it a second thought.

Regards,

Pakistan Zindabad,
We are still awake for our country.
Haroon aka D45H & Hamza aka r4yd3n
Pakistan Cyber Army



(someone named R4yd3n was a member at PAKBugs as well, using the email sana2005@fastmail.fm)


Stealing $10 Million, 20 cents at a time

by UAB's Director of Research in Computer Forensics on July 3, 2010

in SBN

On June 28, 2010, the Federal Trade Commission unveiled a lawsuit against unknown credit card fraudsters, seizing the assets of 16 companies run by at least fourteen "money mules". The companies named were: API Trade, LLC; ARA Auto Parts Trading LLC; Bend Transfer Services, LLC; B-Texas European, LLC; CBTC, LLC; CMG Global, LLC; Confident Incorporation; HDPL Trade LLC; Hometown Homebuyers, LLC; IAS Group LLC; IHC Trade LLC; MZ Services, LLC; New World Enterprizes, LLC; Parts Imports LLC; SMI Imports, LLC; SVT Services, LLC. Each of these companies was run by a money mule recruited for the job via a spam email message. Each of them was instructed to establish their LLC to receive payments from small transactions, which they would then aggregate and wire to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. Before the lawsuit hit, a Preliminary Injunction had already been issued back in March to freeze the assets of the companies in question.

This is the sort of case that strongly raises a point that I continually preach at UAB: modern cybercrime law enforcement is not possible without strong computer science and data mining skills. At UAB, I work as the "Director of Research in Computer Forensics". My normal pitch about the program is that computer scientists solve problems by applying technology and algorithms. Criminal justice professionals are facing more and more crimes that can only be solved by the application of computer science. In our program, we introduce the two to each other. Some of our graduates will be tool users -- law enforcement and corporate investigators who now know the range of technology solutions that might be possible to make them better cybercrime investigators. Other graduates will be tool makers -- computer scientists who now understand the range of problems being faced by modern law enforcement and who are now equipped to design solutions to those problems.

In this case, the criminals, who have been active since at least 2006, are documented to have placed at least 1.3 million credit and debit card charges without the authorization of the card holder. Can you imagine working a case with 1.3 million fraudulent charges without the benefit of data mining technology? The defendants "somehow obtain the consumers' account numbers and proceed to sneak the charges onto the accounts. Defendants purposely make their unauthorized charges less than $10 in the hopes that consumers will not notice them or will choose not to contest the charges." (Quoted from the FTC Memorandum of Support.)

Unknown defendants, referred to as "the Doe Defendants", manage the creators of the sixteen fake LLCs, referred to as the "Money Cashing Defendants" from somewhere in Eastern Europe. The Doe Defendants create hundreds of fake companies and corresponding websites which are named in ways that come close to the names of real organizations, making them difficult to search. Often the listed addresses and phone numbers are also similar to a real organization.

The consumers are charged as little as 20 cents in a single fraudulent transaction, and as much as $10. 90% of the charges were never disputed. Those who did dispute received instructions to call non-existent telephone numbers, or reached answering services from which calls were never returned. More than 1000 consumers have filed complaints with the FTC about these illegal practices.

How much effort would YOU go to to right the wrong of an illegal $3 charge on your credit card?
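As an added example (not code from the original post or from the FTC filings), here is the micro-charge pattern described above turned into a statement-screening check: charges in the 20 cent to $10 band whose merchant descriptor fuzzy-matches one of the vendor names the FTC listed, since the complaint says those names were chosen to come close to real organizations. The statement lines, the vendor subset and the 0.8 match threshold are constructed assumptions for illustration.

```python
"""
Added example (not from the original post or the FTC documents): flag the
kind of micro-charges the FTC complaint describes, i.e. charges between $0.20
and $10.00 whose merchant descriptor resembles one of the shell vendor names
the FTC listed. The statement lines below are constructed sample data.
"""
from collections import defaultdict
from decimal import Decimal
from difflib import SequenceMatcher

# Subset of the vendor names quoted from the FTC documents on this page.
FTC_VENDOR_NAMES = [
    "Adele Services", "Advanced Global Tech", "Albion Group", "Alpha Cell",
    "BusinessWorks", "Center Company", "Centrum Group", "Data Services",
    "Image Services", "Link Services", "Office Services", "Search Services",
    "Site Services", "Will Services", "World Trade", "World Wide Services",
]

# Charge band named in the complaint: as little as 20 cents, at most $10.
MIN_AMOUNT = Decimal("0.20")
MAX_AMOUNT = Decimal("10.00")


def normalize(descriptor: str) -> str:
    """Lower-case, strip statement punctuation and corporate suffixes."""
    tokens = [t.strip(".,*#") for t in descriptor.lower().split()]
    return " ".join(t for t in tokens if t and t not in {"llc", "inc", "ltd", "co"})


def best_vendor_match(descriptor: str, threshold: float = 0.8):
    """Fuzzy-match a statement descriptor against the FTC vendor list.
    Returns (vendor_name, score) or (None, score) when nothing clears the
    threshold (the 0.8 cut-off is an assumption, not from the filings)."""
    norm = normalize(descriptor)
    best_name, best_score = None, 0.0
    for name in FTC_VENDOR_NAMES:
        score = SequenceMatcher(None, norm, normalize(name)).ratio()
        if score > best_score:
            best_name, best_score = name, score
    return (best_name, best_score) if best_score >= threshold else (None, best_score)


def flag_micro_charges(transactions):
    """Return the transactions that fit the micro-charge pattern.
    Each transaction is a (date, descriptor, amount_str) tuple."""
    flagged = []
    for date, descriptor, amount in transactions:
        amt = Decimal(amount)
        if not (MIN_AMOUNT <= amt <= MAX_AMOUNT):
            continue  # outside the band the complaint describes
        vendor, score = best_vendor_match(descriptor)
        if vendor is not None:
            flagged.append({"date": date, "descriptor": descriptor, "amount": amt,
                            "matched_vendor": vendor, "score": round(score, 2)})
    return flagged


def total_by_vendor(flagged):
    """Aggregate flagged charges per matched vendor, the way an investigator
    would to size how much one shell vendor pulled across a card population."""
    totals = defaultdict(Decimal)
    for row in flagged:
        totals[row["matched_vendor"]] += row["amount"]
    return dict(totals)


# Constructed sample statement lines (hypothetical, for illustration only).
SAMPLE_STATEMENT = [
    ("2010-03-02", "GROCERY MART #1182", "54.17"),
    ("2010-03-04", "ADELE SERVICES LLC", "0.20"),
    ("2010-03-09", "SITE SERVICES*", "3.00"),
    ("2010-03-11", "ADELE SERVICES LLC", "9.95"),
    ("2010-03-15", "WORLD WIDE SVCS", "2.45"),   # abbreviated descriptor still matches
    ("2010-03-20", "SITE SERVICES*", "25.00"),   # above the band: not flagged
    ("2010-03-22", "COFFEE CORNER", "4.10"),     # small, but no vendor match
]

if __name__ == "__main__":
    hits = flag_micro_charges(SAMPLE_STATEMENT)
    for hit in hits:
        print(hit)
    print(total_by_vendor(hits))
```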

The Memorandum of Support filed by the FTC describes three roles of various criminal groups in this action:

A. The Money Mules

This group is described as "an expansive network of money mules in the United States to cash out the unauthorized charges." The Doe Defendants sent out emails to recruit their money mules "announcing that an international financial services company is seeking a US finance manager to process transactions and cash checks, money orders, and international wire transfers." The claim is that there is a tax benefit to the company to have many tiny charges aggregated in the United States. In order to realize this tax savings, the Does will send the payments from their US customers to the Money Mules, who receive the payments and send them on to the "international financial services company."

B. The Money Cashing Defendants

The "international financial services company" required that the money mules form corporate entities and establish bank accounts in the names of these corporate entities. Between the sixteen corporations established, more than three hundred merchant bank accounts were opened. While this sounds like the same group of people as Group A, Group A is the people themselves, while defendant Group B is actually the group of corporations formed by the people in Group A.

These companies then established merchant accounts at numerous "credit card clearing companies" in order to have charges processed by a clearing company and have the cash placed into their bank accounts. The companies used "virtual offices" through a company that sells "non-PO box" addresses to give the company a sense of legitimacy. Rather than establish their own Employer Identification Numbers (tax numbers required to be on file for merchant banking accounts), the companies "borrowed" the EINs of existing organizations with similar sounding names.

In order to pass the "due diligence" checks used when establishing merchant accounts, fake websites were created for each of the companies, claiming they sold various types of office supplies, and providing business and "home" telephone numbers for each of the organizations. All of the numbers forwarded to a cell phone number in Belarus. The "Owners" of these companies were real people, who included their name, social security number, and date of birth on the merchant account applications. The Defendant Does ran credit checks on each of the "borrowed" identities to make sure their credit scores were good before using their identities.

FTC: All Your Base Are Belong To Us



After reviewing the data, the FTC ruled against the defendants in the form of a Preliminary Injunction which freezes assets of all defendants as well as prevents them from sharing or selling the identity data they may have acquired about their victims. Here's the Asset Freeze language.

IT IS FURTHER ORDERED that Defendants, and their officers, agents, servants,
employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any trust, corporation, subsidiary, division, or other device, or any of them, except as provided herein, as stipulated by the parties, or as directed by further order of the Court, are hereby restrained and enjoined from:

A. Transferring, liquidating, converting, encumbering, pledging, loaning, selling, concealing, dissipating, disbursing, assigning, spending, withdrawing, granting a lien or security interest or other interest in, or otherwise disposing of any funds, credit instruments, real or personal property, accounts, contracts, shares of stock, lists of consumer names, or other assets,
or any interest therein, wherever located, including outside the territorial United States, that are:

1. Owned, controlled, or held by, in whole or in part, for the benefit of, or subject to access by, or belonging to, any Defendant;
2. In the actual or constructive possession of any Defendant; or
3. In the actual or constructive possession of, or owned, controlled, or held by, or subject to access by, or belonging to, any other corporation, partnership, trust, or any other entity directly or indirectly owned, managed, or controlled by, or under
common control with, any Defendant, including, but not limited to, any assets held by or for any Defendant in any account at any bank or savings and loan institution, or with any credit card processing agent, automated clearing house processor, network transaction processor, bank debit processing agent, customer service agent, commercial mail receiving agency, or mail holding or forwarding company, or any credit union, retirement fund custodian, money market or mutual fund, storage company, trustee, or with any broker-dealer, escrow agent, title company, commodity trading company, precious metal dealer, or other financial institution or depository of any kind, either within or outside the territorial United States;

B. Opening or causing to be opened any safe deposit boxes, commercial mail boxes, or storage facilities titled in the name of any Defendant, or subject to access by any Defendant or under any Defendant's control, without providing the Commission prior notice and an opportunity to inspect the contents in order to determine that they contain no assets covered by
this Section;

C. Cashing any checks or depositing any payments from customers of Defendants;

D. Incurring charges or cash advances on any credit card issued in the name, singly or jointly, of any Defendant;

E. Incurring liens or encumbrances on real property, personal property, or other assets in the name, singly or jointly, of any Defendant or of any corporation, partnership, or other entity directly or indirectly owned, managed, or controlled by any Defendant; or

F. Transferring any funds or other assets subject to this Order for attorney's fees or living expenses, except from accounts or other assets identified by prior written agreement with the Commission; provided that no attorney's fees or living expenses shall be paid from funds or other assets subject to this Order until the financial statements required by Section V are provided to counsel for the Commission.


I love it when the bad guys lose their toys!

Long Boring Lists


OK, I know this is the boring part, but here are all the companies listed in the order, followed by a list of the vendor names that may have showed up on your fake credit card charges if you are a victim. Both lists are drawn from the FTC documents already mentioned:

• API Trade, LLC, a Pennsylvania limited liability company incorporated in 2006, which has at least four bank accounts in its name; API's registered office address is 9926 Haldeman Avenue, #45 B, Philadelphia, Pennsylvania 19115

• ARA Auto Parts Trading LLC, a limited liability company, which has at least two bank accounts in its name; ARA's principal address is 14202 Barcalow Avenue, Philadelphia, Pennsylvania 19116

• Bend Transfer Services, LLC, a Nevada limited liability company incorporated in 2007, which has at least thirty bank accounts in its name; Bend's registered office address is 21285 East Highway 20, #169, Bend, Oregon 97701.

• B-Texas European, LLC, a Texas limited liability company incorporated in 2006, which has at least sixteen bank accounts in its name; B-Texas' registered office address is 701 Brazos Street, Suite 1050, Austin, Texas 78701. B-Texas also conducts business at 8070 County Road, 603, Brownwood, Texas 76801.

• CBTC, LLC, a Delaware limited liability company incorporated in 2007, which has at least four bank accounts in its name; CBTC's registered office address is 151 Evergreen Drive, Dover, Delaware 19901. It also conducts business at 9926 Haldeman Avenue, #45 B, Philadelphia, Pennsylvania 19115.

• CMG Global, LLC, a Pennsylvania limited liability company incorporated in 2006, which has at least eleven bank accounts in its name; CMG's registered office address is 7400 Roosevelt Boulevard, #52602, Philadelphia, Pennsylvania 19115. It also conducts business at 7400 Roosevelt Boulevard, Apartment A303, Philadelphia, Pennsylvania 19152 and P.O. Box 52602, Philadelphia, Pennsylvania 19115.

• Confident Incorporation, a California company incorporated in 2002, which has at least three bank accounts in its name; Confident's registered office address is 17800 Castleton Street, Suite 386, City of Industry, California 91748. Confident also conducts business at 30616 Sand Trap Drive, Agoura Hills, California 91301.

• HDPL Trade LLC, a Pennsylvania limited liability company incorporated in 2008, which has at least nine bank accounts in its name; HDPL's registered office address is 1143 Northern Boulevard, #263, Clarks Summit, Pennsylvania 18411.

• Hometown Homebuyers, LLC, a Texas limited liability company incorporated in 2002, which has at least thirty-seven bank accounts in its name; Hometown's registered office address is 413 East Highway 121, Lewisville, Texas 75057. It also conducts business at 8070 County Road 603, Brownwood, Texas 76801.

• IAS Group LLC, a California limited liability company incorporated in 2008, which has at least five bank accounts in its name; Highway 121, Lewisville, Texas 75057. It also conducts business at 8070 County Road 603, Brownwood, Texas 76801.

• IHC Trade LLC, a New York limited liability company incorporated in 2007, which has at least seventy-one bank accounts in its name; IHC's registered office address is 5823 North Burdick Street, East Syracuse, New York 13057.

• MZ Services, LLC, an Arizona limited liability company incorporated in 2004, which has at least fifty-three bank accounts in its name; MZ Services's registered office address is located at 2910 North Casa Tomas Court, Phoenix, Arizona 85016.

• New World Enterprizes, LLC, a New Jersey limited liability company incorporated in 2005, which has at least fourteen bank accounts in its name; New World's registered office address is 115 Magnolia Avenue, Suite 10, Jersey City, New Jersey 07306. New World also conducts business using the following addresses: (1) 441 Tomlinson Road, Apartment G 12, Philadelphia, Pennsylvania 19116, (2) P.O. Box 2645, Newark, New Jersey 07114, (3) 2400 East 3rd Street, Apartment 705, Brooklyn, New York 11223, and (4) 504 Florida Grove Road, Keasby, New Jersey 08832.

• Parts Imports LLC, a Louisiana limited liability company incorporated in 2006, which has at least forty-two bank accounts in its name; Parts Imports' registered office address is 617 Elm Drive, Bogalusa, Louisiana 70427.

• SMI Imports, LLC, a Florida limited liability company incorporated in 2006, which has at least fourteen bank accounts in its name; SMI's registered office address is 2329 North Tamiami Trail, Apartment #10, Sarasota, Florida 34234. SMI also conducts business at 8122 45th Court East, Apartment 7, Sarasota, Florida 34243.

• SVT Services, LLC, a New York limited liability company incorporated in 2008, which has at least eight bank accounts in its name. SVT's registered office address is 800 East 13th Street, Apartment K, Brooklyn, New York 11230.

The mark of the scam is to see fraudulent credit card charges from one of the following companies:

ACM
Adele Services
Advanced Global Tech
AEI
Albion Group
Alpha Cell
ALS
ALS LLC
BEI
BIT
BusinessWorks
Center Company
Centrum Group
CFM
CFR
COS
Data Services
Den Enterprises
Dgen
Digest Limited
Don Partners
DwellTech
Edge
ESTA
Eureka
Extra Path
Form Limited
Foto Fast
Gamma
GFDL
GLOBO
Green Stone
Harry Dean
HBS
Home Port
Homebase
ICH Services
IHS
Image Company
Image Services
IPS
ISSO
IVA
Lang Group
Light Flow
Link Group
Link Services
List Services
Mark Silver
MARX
Mera
MFG
Name Services
NETT
New Eight
Office Development
Office Services
OM Extra
ONE
Online Group
Prc Services
Presi
Rasna
RSIPartners
RSS Inc.
Safeworks
Search Company
Search Management
Search Services
SFR
Sigma
Site Group
Site Management
Site Services
Source Limited
Standard Six
SYS INC
System Development
Terra
THQ
TIMO
TLC Inc.
Union Green
United Services
VIVOS
WELLE
Will Services
World Trade
World Wide Services
YES
