Wednesday, October 15, 2008

SanCash (Affking) taken down in New Zealand

It was great of the Federal Trade Commission to up an arrest that can be announced at this years eCrime Researchers Summit that I'm attending this week in Atlanta. Right after the afternoon break, a spam researcher from McAfee shared the good news with me: the New Zealand government and the Federal Trade Commission had both taken action againt AffKing / SanCash.

SiL from I Kill SPammers did a column in his blog back on March 3, 2008 called On The Trail of SanCash and Infinity Secure. At the end, he mentions his evidence linking SanCash to GenBucks, Tulip Labs, and Elite Herbal. He mentions that besides SanCash in India, there were representatives located in Christchurch, New Zealand, and issues a warning:


SanCash: your days as a sponsor of illegal spammers are numbered. Spammers in the SanCash Program: we will find you and you will lose everything.


Apparently SiL was right. According the FTC and New Zealand documents, the ring was actually run from Australia and the United States, but had links to ChristChurch. Here's the FTC's intro to the topic from their "Memorandum Supporting Plaintiff's ex parte Motion for a Temporary Restraining Order with Asset Freeze, Other Equitable Relief, and Order to Show Cause Why a Preliminary Injunction Should not Issue":


The FTC asks the Court to take immediate action to shut down an international "spam" enterprise that deceptively markets and sells bogus "male enhancement" pills and "generic" prescription drugs that are falsely claimed to be FDA-approved. Defendants' ongoing deceptive product sales are defrauding consumers out of millions of dollars, and the network of "spammers" that they pay to promote their product is causing considerable harm. Despite taking great efforts to avoid detection, the evidence shows that Australia-based Lance Atkinson and U.S.-based Jody Smith control, and profit from, this operation.

This enterprise -- which operates on the Internet under the name "AffKing" -- is responsible for likely billions of illegal commercial e-mail messages and is one of the largest spam organizations in the world. The FTC has received over three million complaints regarding spam messages connected to this operation. The spam messages sent on behalf of the operation falsify information that would identify the true sender in violation of the federal CAN-SPAM law regulating e-mail marketing. The messages also illegally fail to offer a mechanism by which consumers can opt-out from receiving further email messages.


The FTC had previously placed a permanent injunction ordering Lance Atkinson to cease making false claims about "herbal" products and utilizing illegal spam messages. If the name Lance Thomas Atkinson was familiar, it should! He and his colleague Michael John Anthony Van Essen were charged in the Global Web Promotions Pty Ltd case in 2004, which was called, on April 29, 2004, in this FTC Press Release, "the first criminal action under CAN-SPAM". The FTC had, at that time, received 399,000 email messages that they linked back to Global Web Promotions. Global Web was at that time selling a diet patch and a "Natural Human Growth Hormone" product, which sold at $80 and $74.95 each. Files related to that case may be found Under FTC File No 042-3086, which ended on September 20, 2005 with an order for the pair to pay $2.2 Million dollars. ($490,280 for selling bogus products, and $1,709,982.74 for sending illegal spam).

The current FTC case, FTC File No 072 3085, is against Lance Thomas Atkinson, Inet Ventures Pty Ltd, an Australian proprietary company, Jody Michael Smith, Tango Pay Inc., a Delaware corporation, Click Fusion Inc., a Delaware corporation, and TwoBucks Trading Limited, a Cyprus limited liability company.

The players in the case and their roles, seem to break down like this:

Lance Atkinson, aka "SanCash", sold herbal products and hired spammers to promote them from October 2006 through December 2007. He controlled the website "sancash.com", where his "affiliates" could log in to check their earnings.

The New Zealand Police have many chat logs of Lance talking with his co-conspirators, including one where he recruits Roland Smits to help him run Global Web Promotions. In the chat, Atkinson says "well hopefully it doesn't end in the FTC again."

Other excerpts from the log include Shane telling Lance things like "I have a dude in India who employs 50 people to manually spam people from gmail / hotmail" and "The Russians want to do some serious spamming this weekend".

Just in his ePassporte account, Atkinson received over $1.7 million from the Genbucks account, and transferred over $1.8 Million to others to cover their commissions.

Despite living in Australia, Lance logged in regularly to his "sancash@gmail.com" email address from his home IP.

Things started heating up in December 2007, when an intercepted chat message reveals Shane telling Lance "I had bbc world call my home. i think you need to stop spamming asap."

The Archive.org Wayback machine has archives of sancash from June 29, 2007 to December 11, 2007.

After that time period, Lance partnered with his new US buddy, Jody Smith, to form "affking.com", which replaced the sancash site. Affiliates were paid for their spam services on behalf of "King Replica" and "VPXL" male enhancement pills, as well as "Target Pharmacy" and "Canadian Healthcare".

Revenues for the new operation exceeded $500,000 per month only in payments from Visa. MasterCard charges would presumably make the payment even higher.

Tango Pay received $3.3 Million between September 2007 and May 2008.

Jody Smith ran Tango Pay and Click Fusion operations, using the fake names "Gerald Causey" and "Nicholas Santos"

In addition to the FTC charges, Lance and Shane Atkinson and Roland Smits, are being fined $200,000 by the New Zealanders. More details from New Zealand can be found in this Scoop Politics article.

Chat logs obtained by the New Zealand police reveal that Lance's brother Shane contorlled the company Genbucks.

This weekend, we'll examine our UAB Spam Data Mine to see what types of volumes we may have been dealing with, and some of the domains that were used in the scam.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.