Tuesday, April 02, 2019

Twitter Mystery Followers: GarBot?

I'm one of those people who tends to review the people who are following me on Twitter and to block a great number of them.  Why?  Because many of them aren't real people!

Here are a few examples:

@Juliettemasker

Juliette only has one tweet and it says "Just setting up my Twitter.  #myfirstTweet"

Gosh, the pretty blonde whose bio is a random mashup ("Author, Musician, Harry Potter Lover, Idea Agent, Troll King, You're beautiful") must be a cyber security fan who has read some of my tweets and was inspired to follow me, right?

More likely, she is part of the botnet that has been assigned to search for the three character string "GAR" and follow people who come up in the search results.  Like these folks:

This has been going on for some time . . . in fact, the shortcut for me is to look at the followers of "@gar" (the "communist socialist libertarian anarchist who likes tacos") on that last row.  Almost all of this guy's recent followers are part of this bot:

How can we be sure?  Well, they do have something in common . . . besides a desire to follow people with "Gar" in their name or bio.  See if you can spot the pattern.

Many of the images are coming from "royalty free stock images" sites, which might imply someone is trying to be "legal" with their bot ... not sure.

And lest you think this is just a "pretty girls who follow you" bot, there are male accounts as well, although recently the males seem to be primarily Spanish (or Catalan):

And these accounts also share their passion for people named "Gar" . . .

More Tweets of Wisdom

Over time, the accounts do tweet things other than "Just setting up my Twitter. #myfirstTweet".  They share great wisdom such as:

"Love sees no faults" ... "Hope is life"  ... "Every bird loves to listen to himself sing"

I don't know if you can call Shery's post "wisdom" -- "i hate #cats" and "i love #dogs" and "i don't think there is such thing as too much #coffee"

StonerBot Variant

One odd variation of this bot is something I think of as "StonerBot" ... it starts out the same way.  @Janecarrson started with "Just setting up my Twitter #myfirstTweet" and following a bunch of Gar accounts:

But then things quickly go off the tracks ... in a decidedly marijuana friendly way:

StonerBotJane has posted 20 photos, instead of just one-liners, and has expanded beyond her "Gar" following to follow many other accounts, several of which feature nudity in their profile pictures.  Also, unlike my "GarBot" followers, StonerBotJane has a cover photo.
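As an added illustration (not code from the original post), here is how the traits described above can be turned into a triage check over a set of follower records. Every handle, tweet and following list below is constructed, and the 75% threshold and the three-signal cutoff are assumptions, not measured values.

```python
import re

# Constructed follower records modelled on the traits described in the post;
# none of these are real accounts.
FOLLOWERS = [
    {"handle": "juliette_bot1", "cover_photo": False,
     "tweets": ["Just setting up my Twitter. #myfirstTweet"],
     "following": ["gar", "colegsirgar", "garfield_daily", "garage_band"]},
    {"handle": "shery_bot2", "cover_photo": False,
     "tweets": ["Just setting up my Twitter. #myfirstTweet", "i hate #cats"],
     "following": ["gar", "colegsirgar", "garcia_tacos", "sugar_free"]},
    {"handle": "real_reader", "cover_photo": True,
     "tweets": ["Enjoyed the phishing talk today", "New blog post is up"],
     "following": ["gar", "phish_watch", "dfir_notes", "malware_daily"]},
]

SEARCH_STRING = "gar"  # the three-character string the bot appears to search for
PLACEHOLDER = re.compile(r"just setting up my twitter", re.I)

def search_hit_share(account, needle=SEARCH_STRING):
    """Fraction of followed handles that contain the suspected search string."""
    follows = account["following"]
    if not follows:
        return 0.0
    return sum(needle in h.lower() for h in follows) / len(follows)

def garbot_signals(account):
    """Observable traits the post associates with a GarBot follower."""
    signals = []
    tweets = account["tweets"]
    if tweets and len(tweets) <= 2 and PLACEHOLDER.search(tweets[0]):
        signals.append("first tweet is the #myfirstTweet placeholder")
    if not account["cover_photo"]:
        signals.append("no cover photo")
    share = search_hit_share(account)
    if share >= 0.75:  # assumed threshold
        signals.append(f"{share:.0%} of followed handles contain '{SEARCH_STRING}'")
    return signals

def likely_garbots(followers, min_signals=3):
    """Handles showing at least min_signals traits (3 = every trait above)."""
    return [a["handle"] for a in followers if len(garbot_signals(a)) >= min_signals]

def common_targets(followers, handles):
    """Accounts followed by all flagged handles: the bot's shared search hits."""
    sets = [set(a["following"]) for a in followers if a["handle"] in handles]
    return sorted(set.intersection(*sets)) if sets else []
```

Note that a naive substring search also catches handles like "sugar_free", which is consistent with a bot that keys purely on the string "gar".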

Looking at some of the other accounts followed by "GarBot," it was easy to spot many other "StonerBot" variants.  These all follow "@ColegSirGar":

Victoria, Deirdre, Maria, Jane, and Leah all behave like StonerBotJane, while Sarah, Olivia, and Julia are all more like the original "GarBot" (which surely must follow people with other names as well, but the version I am most familiar with, for obvious reasons, I refer to in my head as "GarBot").

Actually, Sarah Black is a good bot going stoner ... she still hasn't gone to posting drug photos, but her two most recent follows were 'non-Gar' accounts of questionable topics, and although she still hasn't chosen a cover photo, she did post a photo in a tweet with a drug reference.

Sarah's path to corruption includes forsaking the following of "Gar" accounts and choosing to follow two pornographic Twitter accounts ... 

Her last tweet was "Gonna roll a jay before I eat this beauty."

I think I'll stop there ... but I would certainly be interested in hearing from you if you have found your own version of a "GarBot" following you and others with similar names.  I'm genuinely curious how far this thing goes.  If you happen to know what research team is behind this project, please feel free to send me a note about that as well!

Thanks! 

A few more of my "GarBots" . . . just in case more examples help anyone who is researching this trend themselves . . . 

Thursday, March 28, 2019

Dissect Cyber wins major DHS S&T Award for their BEC Work

Congratulations to our great friends at Dissect Cyber for receiving the DHS S&T Global Award for their work on BEC scams!

The FBI has been warning companies for several years now that Business Email Compromise (BEC) scams are one of the top forms of cyber crime, measured by the volume of dollars stolen.  A single BEC scam can often lead to six-figure and even seven-figure losses!  According to a June 2018 BEC report from the Internet Crime Complaint Center, so far the FBI has documented $12,536,948,299 in losses stolen from 78,617 businesses.

Dissect Cyber decided that the best way to attack these scams and help protect those at-risk companies was to create an early warning system called Cyber Notify, based on their analysis of the vulnerable (and detectable) points of a BEC scam that is ABOUT TO HAPPEN!  To understand why their solution is so powerful, let's look at how a BEC fraud group is structured.

BEC Org Charts

Some of the leading experts in Business Email Compromise have documented the significant role in these scams played by West African cyber criminals.  Experts such as John Wilson, Crane Hassold, and Ronnie Tokazowski at Agari are doing some great work investigating BEC scam actors to learn more about how they commit their crimes.  The SecureWorks experts are documenting the role of malware in BEC crimes, and produced a great chart explaining the roles of the various actors, reproduced here from their report "Golden Galleon: How A Nigerian Cybercrime Crew Plunders the Shipping Industry."

SecureWorks BEC Org Chart
In that document, American researchers assigned names to each of the roles that make up a BEC scam.  One of those roles in the SecureWorks report is "Cloner" which is described as the person who "Registers domain names for impersonating email addresses."

The West African fraud experts at AA419 (Artists Against 419) provide a similar chart, but label their content with the names the fraudsters use themselves.  In their diagram, the "Cloner" role carries the name used within the West African fraudster community: a "Faker Maker."  While Faker Makers do create domain names that closely imitate real organization names for use in email, they are often also responsible for creating entire fraudulent organizations, complete with corresponding web sites, in order to facilitate their fraud, including fake travel agencies, fake government organizations, fake shipping companies, fake job websites, and fake lotteries.

AA419 BEC Org Chart
The AA419 staff did an excellent blog post explaining the critical role of The Faker Maker in December 2017.

Enter Dissect Cyber and Cyber Notify

I've known and worked with April Lorenzen, the founder of Dissect Cyber and Zetalytics, and her staff and products for many years.  She has been passionate about building tools for law enforcement and investigators to quickly understand the relationships between domain names, their name servers, and the IP addresses which host them.  She's also been generous enough to share her tools with researchers in my lab, including sharing them with our UAB Cyber Detective Camp last summer!  Whether we are doing phishing investigations, malware investigations, or illicit pharmaceutical investigations, Dissect Cyber has been a great partner!

Based on the organizational charts above, what Dissect Cyber realized was that the PRECURSOR events to a new BEC attack often involve the creation of a "look-alike domain" that imitates the company being targeted.  We've blogged many times about how BEC attacks work, such as our article "Business Email Compromise: Putting a Wisconsin Case Under the Microscope."  Often, as in two of the victim cases described in the Wisconsin case, the criminals are monitoring the emails of key executives, having already planted email-stealing malware on their computers, watching for an opportunity when they are traveling or otherwise unavailable.  During that scheduled outage, an employee will receive an "urgent command" that they must quickly pay an invoice, wire some funds for a merger, or complete some other large financial transaction.  Because the email comes from a domain that is VERY SIMILAR to the true email domain, the employee often does not realize that this is not really The Big Boss, and they will comply with the financial transfer order they receive.

This is where Dissect Cyber comes in.  Because they have full visibility of EVERY NEWLY CREATED DOMAIN ON THE INTERNET, they created the Cyber Notify system to check each new domain to see if it might be a counterfeit look-alike domain.  If so, their team of highly trained and vetted professionals (at the moment, all members of the alert team are military veterans) reaches out to the imitated organization to help them understand that they may be about to be targeted with a BEC attack.
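As an added example that is not Dissect Cyber's Cyber Notify code, here is a small look-alike screener of the kind a defender could run over a feed of newly registered domains against a watch list of their own domains. The watch list, the sample feed and the homoglyph table are constructed assumptions, and the registrable-label split is simplified to the last dot.

```python
# Added example, not Cyber Notify's logic; all domain names are constructed.
PROTECTED = ["acme-shipping.com", "examplebank.com"]  # hypothetical watch list

# Character sequences that visually imitate another character (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}

def canonical(label):
    """Drop hyphens and undo common homoglyph substitutions."""
    label = label.replace("-", "")
    for glyph, real in HOMOGLYPHS.items():
        label = label.replace(glyph, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(candidate, protected):
    """Why candidate imitates protected, or None (also None for the genuine domain)."""
    # Simplification: split on the last dot only, so 'example.co.uk' is not handled.
    c_label, _, c_tld = candidate.lower().rpartition(".")
    p_label, _, p_tld = protected.lower().rpartition(".")
    if c_label == p_label:
        return None if c_tld == p_tld else "same name on a different TLD (." + c_tld + ")"
    if canonical(c_label) == canonical(p_label):
        return "hyphen or homoglyph variant of the name"
    if edit_distance(c_label, p_label) == 1:
        return "one character added, dropped or changed"
    if canonical(p_label) in canonical(c_label):
        return "brand name embedded with extra words"
    return None

def scan(new_domains, protected=PROTECTED):
    """Map each suspicious new domain to (imitated brand, reason) pairs."""
    hits = {}
    for domain in new_domains:
        for brand in protected:
            reason = lookalike_reason(domain, brand)
            if reason:
                hits.setdefault(domain, []).append((brand, reason))
    return hits
```

Each hit names the imitated brand, which is exactly the organization an alert team would need to notify before the look-alike is used in an "urgent" wire request.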

According to the press release from Dissect Cyber, this work has helped 1,500 companies avoid losing $407 million that the scammers who created these fake domains had asked to have wire transferred!  Priority notifications are given to those companies that are part of the nation's Critical Infrastructure as defined by DHS.  Why?  While the techniques broadly used by West African scammers to steal money account for the majority of the financial losses reported by the IC3.gov team, the scarier fake-domain attacks may come from foreign nation state actors who are using the techniques refined by the West Africans to send dangerous emails that could have an impact on anything from our power grids to our water supply to the employees of those critical infrastructure companies!

Congratulations, Dissect Cyber!  I hope that Cyber Notify (cybernotify.org) will grow, expand, and continue to innovate in ways to help us all protect our vulnerable small and medium-sized businesses from fraud, while also protecting our Critical Infrastructure businesses from nation state espionage hackers!

Wednesday, March 27, 2019

FTC shutters four Robocalling services that made billions of calls in 2018

The Federal Trade Commission announced settlements this week that could result in many fewer of those annoying Robocalls we've all been receiving.  Who did they sanction and what were those companies doing?

NetDotSolutions (James Christiano)

James Christiano ran a company that provided and operated software called "TelWeb," a call spamming platform.  His software violated several laws, including by placing marketing calls to people on the "Do Not Call" list and by using a spoofed caller ID, intending to deceive call recipients.

Of 883 million robocalls per year, on average, 157 million of the calls placed by TelWeb went to numbers on the National Do Not Call Registry.  At least 54 million calls, just in the first half of 2016, had spoofed caller ID numbers.  The FTC received almost 8,000 consumer complaints against this company, which contributed greatly to the decision to pursue this lawsuit!

His companies, NetDotSolutions and TeraMESH Networks, were both named in the suit.  Additionally, Aaron Michael Jones and Andy Salisbury, two resellers of TelWeb, are both also named in the suit.  This brings up one problem with these types of suits: Jones was already "permanently banned" from doing telemarketing.  Salisbury and World Connection were each fined $2.7 million.  Nine of his previous companies were also subject to the earlier ban: 1) Allorey, Inc.; 2) Audacity LLC; 3) Data World Technologies, Inc.; 4) Dial Soft Technologies, Inc.; 5) Digital Marketing Solutions, Inc.; 6) Savilo Support Services, Inc.; 7) Secure Alliance, Inc.; 8) Velocity Information Corp.; and 9) World Access Media.
Jones was also one of those charged in the Point Break Media case, where callers were told to "Press 1 to speak to a Google Specialist" who told them they were about to be "unlisted" from Google and charged them at least $169 to not be deleted from Google search results.

Higher Goals Marketing

Have you had the Robocall about reducing your credit card interest rate?  It may have been coming from Higher Goals Marketing.  "According to the FTC's complaint, Higher Goals Marketing LLC, Sunshine Freedom Services LLC, Brandun L. Anderson, Lea A. Brownell, Melissa M. Deese, Gerald D. Starr, Jr., and Travis L. Teel, have engaged in a telemarketing scheme that has deceived financially distressed consumers nationwide by pitching bogus credit-card interest-rate-reduction services."
Unfortunately, this is another case demonstrating that to robocallers, a multi-million dollar fine is just a slap on the wrist.  The defendants were helped in setting up their service by Wayne Norris, just weeks after he was put out of business by a previous FTC settlement against the company he was working for, Life Management Services, back in 2016.  He is charged with violating the Telemarketing Sales Rule by helping the other defendants organize the telemarketing infrastructure they used to bombard consumers with illegal robocalls, putting together a team of managers to oversee the entire robocall operation, and helping to set up a shell company to collect illegal up-front fees from consumers.

In the case of Life Management Services, Wayne was asked to handle registering the new company for his boss, Steven Guise, because Guise was permanently banned from telemarketing.  He did so by asking a friend of his wife's to register the company in Florida.  (See p. 6 of this 51-page order: https://www.ftc.gov/system/files/documents/cases/life_management_order_and_permanent_injunction_kevin_guice.pdf )

Wayne is behind the calls that start "This is Rachel, from Cardholder Services?"  In 2012, the FTC Chairman Jon Leibowitz declared Rachel from Cardholder Services "public enemy number one."  Back then, Wayne worked for Ambrosia Web Services.

Travis Deloy Peterson

You'll probably also be familiar with Peterson's "Veteran scams".  Using many different fake charity names, including Veterans of America, Vehicles for Veterans LLC, Saving Our Soldiers, Donate Your Car, Donate That Car LLC, Act of Valor, and Medal of Honor, Peterson made millions of calls asking people to donate a vehicle to help a veteran.  In addition to paying a fine of more than $500,000, Peterson also has to return 88 vehicles that he stole under the guise of a charitable donation.

Point Break Media

A fourth settlement by the FTC this week targeted people offering false Google Business services.  Point Break, and several related companies and "d/b/a" aliases, were calling customers to inform them that if they didn't take action immediately, their company would no longer be able to be found in Google searches.

Dustin Pillonato; Justin Ramsey; Aaron Michael Jones, a/k/a Michael Aaron Jones and Mike Jones; Ricardo Diaz; Michael Pocker; Steffan Molina, Vincent Yates, and Daniel Carver were all charged individually in the case.   Three primary defendants in this case have agreed to settle.

As part of the settlement, the defendants will pay the FTC $3,637,386.57 and agree to forgo any further work in the telemarketing industry.