Monday, May 19, 2008

38 Indicted in Los Angeles and Connecticut Phishing Cases

On April 23rd, Attorney General Michael B. Mukasey gave a speech in Washington DC where he revealed his new stance on International Organized Crime. He said in the speech that in the days of Robert Kennedy it was said mobsters would be "prosecuted for spitting on the sidewalk", and promised that he had 120 prosecutors and 500 FBI agents today who were going to be just as tough. He released a strategy document called Overview of the Law Enforcement Strategy to Combat International Organized Crime. In this document, he stresses that they are going to "Marshal Information and Intelligence" to "Prioritize and Target the Most Significant IOC Threats", and "Attack From All Angles". today's phishing indictments have turned out to be. To make it clear that this includes cybercrime, Threat #5 and the accompanying example from that document are given here:

THREAT 5: International organized criminals use cyberspace to target U.S. victims and infrastructure. International organized criminals use an endless variety of cyberspace schemes to steal hundreds of millions of dollars at a cost to consumers and the U.S. economy. These schemes also jeopardize the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.

One example of the intersection between organized crime and cybercrime is found in Romania. There, traditional Romanian organized crime figures, previously arrested for crimes such as extortion, drug trafficking and human smuggling, are collaborating with other criminals to bring segments of the young hacker community under their control. They organize these new recruits into cells based on their cyber-crime specialty and they routinely target U.S. businesses and citizens in a variety of fraud schemes.

One of the most lucrative schemes involves online auction fraud, where U.S. citizens are tricked into buying or selling goods, and never receive the funds or merchandise. One particular online criminal, using the online nickname “Vladuz” engaged in multiple fraud schemes, including hacking into the computers of eBay, the largest online auction retailer. On April 17, 2008, Vlad Duiculescu, a/k/a “Vladuz” was arrested in Romania by Romanian police officials and charged with crimes related to these schemes. It is believed that Vladuz is a participant in a ring of Romanian hackers who work together to develop joint U.S. targets for online frauds, share hacking techniques and launder proceeds from multiple crimes committed in the United States. U.S. prosecutors and law enforcement agents worked in Romania with Romanian officials to ensure that a case could be successfully prosecuted in Romania.

I've just reviewed the 77-page indictment unsealed today, and it's clear the Attorney General is making good on his promise. To make sure the Romanians didn't miss it, Deputy Attorney General Mark Filip was in Bucharest, Romania to do the press release alongside his Romanian counterparts. Here is a copy of the press release in Romanian.

At his Press Conference in Bucharest the DAG said:

The anonymity of the Internet makes it an ideal tool for this kind of fraud, and law enforcement agencies in the United States have conducted several recent investigations in partnership with our Romanian colleagues. We are proud to do so, and we are learning from each other as we jointly help to protect our citizens and people in other countries from this sort of theft and crime.

For the people arrested today, the indictments charge that the defendants sent out mass quantities of e-mails, known as "spam," to lure victims to go to fraudulent websites that appeared to be legitimate banking or financial businesses. At those sites, victims were tricked into entering personal information such as financial and identity information and personal passwords, a scheme known as "phishing." That information was then harvested by “suppliers” who, in turn, sent the information to “cashiers” via real-time Internet chat sessions.

The cashiers used hardware encoders and related software to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards. They then directed “runners” to withdraw money from automated teller machines. A portion of the withdrawals was wired by money transfer services, such as Western Union, back to the supplier. We believe these criminals defrauded literally thousands of individual victims out of several million dollars.

These arrests and charges are the result of a joint operation by the FBI and the Romanian General Inspectorate of Police, and the cases demonstrate the close cooperation our two countries have developed to fight international organized crime.

Some of the schemes were quite interesting. In a "Smishing" scam described in the indictment, an SMS text message would be received that says "We're confirming that you've signed up for our service. You will be charged $2 per day unless you cancel your order on this URL:" -- visiting the URL would result in malware being planted on the visitor's browser.

Chat logs were included in the indictment, such as Panait sending a message to Tran, telling him "bro this are from my spam . . . super fresh . . . I will spam more . . . spammed like hell . . . used 7 remote desktops and 13 smtp servers, 5 root, and sent over 1.3 million emails."

Logs from August 2006 all the way up to January 2008 were included, making clear the roles of each of the defendants. Discussions and logs include counterfeit cards made for:

Allegheny Federal Credit Union, American National Bank of Texas, Arizona Federal Credit Union, Artesian City Federal Credit Union, Bank of America, BB&T (Banker's Bank & Trust), Boeing Employee's Credit Union, Bowdoinham Federal Credit Union, Capital One Bank, Citibank, Credit Union One, Downey Savings & Loan, epassporte, E-Trade, First Merit Bank, Flagstar Bank, Franklin Mint Federal Credit Union, Iowa League Corporate Central Credit Union, Jeffco Schools Credit Union, Langley Federal Credit Union, Mountain America Credit Union, NASA Federal Credit Union, North Island Credit Union, PointBank, Premier Credit Union, Southern Lakes Credit Union, Southwest Federal Credit Union, Teacher's Credit Union, Telco Credit Union & Affiliates, Valley National Bank, Washington State Employees Credit Union, and the Waterbury Teachers' Federal Credit Union.

Caroline Tath and Tran were making their cash cards with laptop computers. Tath had a Dell Inspiron and an HP laptop, Gigatech flash drives, an MSR-206 encoder, an Operah card reader, and a software system called "CC2Bank 1.3", which was used to make the cards. Tran used a Sony Vaio laptop, and also provided software to defendant Lee, including a program called "TheJermMSR206". Lee used a Sony Vaio laptop and an MSR505C encoder.

Some of the defendants used their counterfeit cards to buy goods at WalMart and CostCo. Others purchased stock through E-Trade accounts, or used E-Trade accounts to purchase Postal Money Orders. Many cards were used to withdraw cash from ATMs in Los Angeles and Orange County. Some of those funds were transferred via Western Union or MoneyGram to Romania, where the data used to make the cards had come from, under a "50/50" cashier's deal.

At least one defendant also shipped "refurbished notebook computers" to co-defendants in Romania.

Some of the ATM withdrawals were made using hotel room keys with the PINs written on the back in Sharpie.

Romanians (indicted in Los Angeles):

Ovidiu-Ionut Nicola-Roman
Petru Bogdan Belbita
Stefan Sorin Ilinca, AKA AzZ, AKA Kahn, AKA Kahnpath
Sorin Alin Panait, AKA scumpic4u
Costel Bulugea, AKA The.Vortex
Nicolae Dragos Draghici, AKA Marius Bogdan, AKA Nonick
Florin Georgel Spiru, AKA niggaplease
Marian Daniel Ciulean, AKA spuickeru
Irinel Nicusor Stancu, AKA sicaalex
Didi Gabriel Constantin, AKA StauLaSoare, AKA Estaulasoare, AKA snoop
Mihai Draghici
Marius Sorin Tomescu, AKA Andrei
Lucian Zamfirache, AKA Krobelus
Laurentiu Cristian Busca, AKA italianu
Dan Ionescu, AKA m1nja
Marius (Last Name Unknown), AKA 13081981
Alex Gabriel Paralescu, AKA paraiul
Andreea Nicoleta Stancuta, AKA godfather

Romanians indicted in Connecticut:
(See FBI New Haven's Press Release)

residents of Craiova:
Ciprian Dumitru Tudor
Ovidiu-Ionut Nicola-Roman
Mihai Cristian Dumitru
Petru Bogdan Belbita, AKA "CA is SK", AKA Robert Wilson

residents of Galati
Radu Mihai Dobrica
Cornel Ionut Tonita
Cristian Navodaru

Perhaps more interesting would be the international partners who were also indicted, including:

Hiep Thanh Tran, AKA John Tran, AKA Sam Lam -- a US resident from Vietnam

Hassan Parvez, AKA XID - from Pakistan

US Citizens:
Sonny Duc Vo, Alex Chung Luong, and
Leonard Gonzales, AKA Bonecrusher

Vietnam Citizens:
Nga Ngo, AKA Christina Ngo
Thai Hoang Nguyen, Loi Tan Dang, Dung Phan - Vietnam

Cambodian Citizen:
Caroline Tath

Rolando Soriano, AKA Loco, AKA Danny Villalopez - from Mexico

Four other hackers remain at large, known only by their aliases:

Cryptmaster, PaulXSS, euro_pin_atm, and SeleQtor

We can look forward to the next big bust, because there seems no indication these fools are slowing down. When we visit some of the chat rooms where "kahnpath", for example, used to advertise his wares, we are immediately greeted with ads for people looking for "Cashout partners", and trying to sell an MSR-206 card writer for $400.

Saturday, May 17, 2008

Spanish Arrest D.O.M. Team

Spanish police announced the arrest today of five members of a prolific hacking team known as "D.O.M.". The D.O.M. team has been a political activism team active for quite some time. Zone-H, the "scoreboard of the underground", lists D.O.M as being #5 in prevalence of "Special" defacements - those against governments or major corporations or organizations. For all types of attacks, D.O.M is listed as #26, with 21,191 attacks credited to their account.

Update: The press release from the Spanish police shows that the arrest operation was coordinated by the "Grupo de Seguridad Lógica de la Brigada de Investigación Tecnológica de la Policía Nacional" with cooperation from officers of the "Brigada Provincial de Policía Judicial" of Burgos, Málaga, Valencia and Sabadell. Congratulations to them all on their police work!

Recent defacements by the group list their members as:

an0de, ka0x, Xarnuz, and Piker

while hacks from earlier in the year listed:

crane0x, ka0x, Xarnuz, and S0cratex

We're not sure yet which were actually arrested, as the Spanish are protecting the identities of the group, who are mostly minors: two of those arrested are only 16 years old, and the other three are 19 and 20. Those arrested resided in four Spanish cities: Barcelona, Malaga, Valencia, and Burgos.

Although a Spanish-speaking group, its actual membership has varied over time to include members from Spain, Argentina, and Mexico. For a short time a Brazilian hacker, "nwx0x", was also a member of the group, and "vpn0" and "Nitronet" have also been seen to claim membership. Their recent defacements have been environmental activism, decrying the pollution of rivers and the building of paper mills. The Spanish investigation began after a member of the group hacked the "Izquierda Unida" website and left supposedly "obscene messages" and caricatures of politicians on the site on March 3rd, a week prior to the March 9th election.

The actual words were:

"Tenemos algo en común, le dijo un presidente a un embustero..."
(roughly, "we have something in common, said the President to the liar/cheater" - which doesn't sound nearly as nasty as "obscene messages").

and the caricature may still be found on ImageShack, where it was originally hosted:

A Spanish blogger at the time provided some clues as to what happened, including giving links to ka0x's profile on "" (now offline) and pointing them to the current "D.O.M" website --

Some of the more high-profile attacks credited to the group, at least from an American perspective, would include hitting the US government's National Cancer Institute with an SQL injection attack back in July of 2007 (archived from Zone-H). In February, an0de defaced an MIT server with an anti-American, anti-Bush message (archive from Zone-H).

Members of the group are said to have hit NASA back in March, but it is unclear whether the "Spanish Hackers Team"'s March defacement of "" is the same reference. Certainly it's the same server that the closely allied hacker "SSH-2" hit as recently as April 25th, and we do have a positive reference to D.O.M member "an0de" hitting the NASA server "" back in August 2007.

In a typical environmentally-motivated hack, of Groton, South Dakota's government website by the group in April 2007, the hacker used a gmail address: and posted the message:

Defaced by ka0x

This is a cyber-protest against climatic change!!
Stop contamination!
(censored) to all governs that allow the contamination of the world!

we are: [ Arp; ka0x; an0nyph; xarnuz; Tequila ]

(Spain - Mexico - Argentina)

The Spanish police say they are responsible for more than 21,000 website defacements, including many government sites. (A statistic they surely got from Zone-H!) That matches what we see in the Zone-H archives, where hacks against the governments of India, Thailand, Turkey, Colombia, China, Malaysia, and others are readily found.

For several years the team ran a website, called "", although their hosting was sketchy at best as they were run off numerous webservers. The original registration, from back in September of 2005, shows the email address "" as the contact address. "ATH" was another hacker group called "Arrow Team Hispanic", where Arcax partnered with KingMetal to cause script-kiddie type trouble to websites.

From the whois data from October of 2005, we find the meaning of the "D.O.M" name, as the whois information was changed to being registered to "Dark Owned Mafia". The members actually listed themselves in the WHOIS information later in 2005, when the whois "Street Address" was given as: "XgdnX - Davidu - Rootbox - ArCaX-ATH", the then current members of the group. That would remain the team's street address until November of 2007 when the domain was shut down by the Registrar (Melbourne IT).

ArCaX-ATH posted his "retirement from the underground" message on April 4, 2007, claiming at that time that he had been personally responsible for 10,880 website defacements. Here's that farewell message:

Well, this is something I had been noticing for some months, my lack of time for the things of the D.O.M group... and which many were anxious to be able to read, so here I give you the following gift, at one of our usual meetings. Last Sunday, in front of all the members of the group and with their approval, I decided to retire completely from the Underground scene, with no notice of any return or anything of the sort. I had planned to do it in October of this year when the team turned 2 years old... but I could no longer keep the other members of the group waiting, although the fact of my retirement does not mean the group stops too; I know that anonyph and the others will lead it down the right path. I thank her0 and ka0x especially, who led me to make the right decision for the team. It has also been decided that the DOM website will not continue as a portal, since a portal requires exhaustive care of the forums and the rest; it has been decided that I keep the 2 domains (INFO and BIZ) to use for my personal blog and other personal projects... you will have ArCaX-ATH around for a while yet, that's for sure, only less often than before....

Although he was withdrawing, he states that "anonyph" will carry the team forward in the right direction.

ka0x was the one, however, who took the reins to set up the new website on January 31, 2008, and we find his gmail account listed in the registration for "" -- "", with a (probably fake) Peruvian street address.

Using the same email, ka0x posted several exploits that he had written to the milw0rm collection of attack tools, including Remote SQL injection programs written in Perl, and a program to insert your own user information into an LDAP directory, which was bannered with this:

Title: LDAP injections
Author: ka0x
contact: ka0x01[!]
D.O.M TEAM 2007
we: ka0x, an0de, xarnuz, s0cratex
from spain

Ten exploits and two papers are credited to ka0x on his milw0rm author page, including an 11 page paper on "Blind MySQL Injection" where he also lists the gmail address of one of his fellow team members, Piker, at

an0de also kept a blog at:

Thursday, May 15, 2008

Certificate Dangers?

The German Import House has a catalog where you can buy a Dirndl dress or an Oktoberfest Party Hat.

The catalog gives its visitors the added sense of security by turning the address bar in my Firefox browser yellow, and adding a padlock to the address bar. When I float my mouse over the padlock, I get the "Authenticated by Equifax" popup.

When I click on it, it says:

SSL Server Certificate

Issued to
Common Name *
Serial Number: 08:90:D2

Issued By
Equifax Secure Certificate Authority

Issued On: 1/11/1008
Expires On: 2/10/2010

Unfortunately, someone put a Meadows Credit Union phish in a subdirectory of the catalog.

Visitors to that phishing site will see the same "warm fuzzy" yellow bar, and the same "Authenticated by Equifax" message.

Which brings me to the point of this article. We are all talking about Extended Validation Certificates, which will turn your address bar green, "proving" that the site is legitimate. What proof do we have that someone hasn't hacked the legitimate site and used it for an illegitimate purpose? That's what we see here with a "pre-EV" certificate. German Import House is a legitimate site, and paid for an Equifax certificate to prove so. However, the visitor to the Meadows Credit Union phishing site is ALSO going to see the certificate behavior. But what does that prove?

How much danger are we in when we train our users that a colored address bar means they are safe, and then phishers hack those sites to host phishing content? The user sees a colored bar and a padlock -- one that really has a corresponding certificate on file -- and decides that it's a safe site. Are EV Certs the answer? Or just another way to train users that they don't have to think?
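The point above, that a valid certificate vouches for the host name and says nothing about what sits in a subdirectory of that host, can be turned into a simple triage check for reported URLs. What follows is an added Python example written for this post, not code from the original article: it takes a URL a user has reported, looks for a financial-brand keyword in the path or query, and flags it when the registrable domain of the host is not one that brand actually uses. The brand table, the `.example` domains and the sample URLs are constructed placeholders for illustration.

```python
from urllib.parse import urlparse, unquote

# Constructed lookup table (an assumption for this example): a keyword a
# phisher would put in a path or file name, mapped to the registrable domains
# the brand legitimately uses. The .example domains are placeholders.
BRAND_DOMAINS = {
    "meadows": {"meadowscu.example"},
    "etrade": {"etrade.example"},
    "citibank": {"citibank.example"},
}


def registrable_domain(host):
    """Return the last two labels of a host name.

    Deliberately naive stand-in for a public-suffix lookup; it is wrong for
    hosts such as example.co.uk, which a real deployment must handle.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Flag a brand keyword that appears in the path or query of a host the
    brand does not own. A TLS certificate covers the host only, so a padlock
    on such a URL says nothing about the page content."""
    parts = urlparse(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    # Decode %xx escapes so "meadows%20cu" style spelling is still matched.
    searchable = unquote(parts.path + "?" + parts.query).lower()
    findings = []
    for keyword, owned in BRAND_DOMAINS.items():
        if keyword in searchable and domain not in owned:
            findings.append(
                f"brand keyword '{keyword}' in path, but host domain is {domain}"
            )
    return {
        "host": host,
        "https": parts.scheme == "https",  # reported, never used to clear a finding
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample URLs for illustration.
SAMPLE_URLS = [
    "https://www.germanimporthouse.example/catalog/img/meadows/login.htm",
    "https://online.meadowscu.example/meadows/login",
    "http://www.germanimporthouse.example/catalog/dirndl.htm",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify_url(u)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", u, r["findings"])
```

The `https` flag is returned separately and never clears a finding: the German Import House case is exactly one where the scheme is HTTPS, the padlock is genuine, and the page is still a phish. Production use would need a public-suffix list instead of the two-label heuristic, and a brand table maintained by the institutions being protected.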


Wednesday, May 14, 2008

Indictments reveal $77 Million in Illegal Pill Sales

Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA.

The Daytona Beach News reported the arrest of three Volusia county ringleaders with the headline Locals accused in $77 million Internet drug ring.

According to the indictment, Jive Network distributed approximately 4.8 million dosage units of Schedule III controlled substances and approximately 39.2 million dosage units of Schedule IV controlled substances to Internet customers who had no valid prescriptions. They serviced over 500,000 customer orders and generated more than $77 Million in revenues over a three year period.

Charged in the indictment were:

Jude LaCour, 35, Daytona Beach, Florida (Jive Network Owner)
Jeffrey LaCour, 60, South Daytona, Florida (Jive Network Director of Operations)

whose charges included money laundering and drug trafficking offenses involving the sale of controlled substances over the Internet. (The elder LaCour was profiled May 11th in this story: Rx Suspect has Mixed Local History.)

Hudsen Smith, 36, Deland, Florida (Jive Network Director of Pharmacy/Physician Operations)

and the following physicians, who were paid to do the "medical reviews" for patients who had no prescriptions.

Christopher Tobin, 41, Wilmington, North Carolina (Physician)
Akhil Baranwal*, 34, Pennsylvania (Physician)
Alexis Roman Torres, 54, Puerto Rico (Physician)
Andrew DeSonia, 47, Indiana (Physician)
Marget Fulmore (McIntosh), 52, Charlotte, North Carolina (Physician)
Abel Lau, 36, Tulsa, Oklahoma (Physician)
James Pickens, 72, Midvale, Utah (Physician)

The prescriptions were filled by several pharmacists, but the only one charged in this indictment is:

Geunnet Chebssi, 56, Spencerville, Maryland (Pharmacist)

Customers, who had no prescriptions, accessed the websites and purchased the controlled substances after completing a short health history questionnaire. Identities were not verified and medical records were not submitted.

The announcement of this indictment has been a long time coming. Online drug stores have known that The Jive Network, also known as "Celestial Group Inc", has been in trouble since at least April of 2005. A note from one such online drugstore dated April 24, 2005, read:

The Jive Network, also trading as Celestial Group Inc, were closed on the morning of April 19, 2005 as part of an investigation by DEA and FBI. To date no charges have been laid and the owner of the online pharmacy group, Jude LaCour is not in custody and has not been charged with any offences. (...) The pharmacy sites that are affected are: ePharmacist, Pillvalue, Pillstore, InstantPills, and Cyberpills.

An update on May 12, 2005 added this:

We believe Jive Network are trying to get back online and are clearing ePharmacist, PillStore, PillValue, and CyberPill orders that were held up around April 19th. Over the past 2 weeks, they seem to be either refunding customers or sending product.

At that time, Jive sent a letter to their affiliates explaining the situation. (Quoted from the "rx-affiliate" forum at "", posted April 29, 2005):

Dear Affiliate,

You may have heard the news that our offices were served with a search warrant last Tuesday, April 19th, 2005.

However, NO ARRESTS were made. No Charges were filed.

This is an obvious attempt by the DEA and FBI to try and lump us in with a group of 20 other companies/individuals that had been under investigation, and who WERE arrested around the same time.

We want to share with you that we are NOT related to nor connected with these 20 in any way.

Jive Network has ALWAYS done everything by the book and beyond.

We have broken no laws.

We know that some of your checks have bounced. This is because the search warrant also allowed them to seize all bank accounts. When we say all, we do mean ALL! We realize that apologizing for the difficulty this has caused you does very little, but we want to assure you of this: As soon as we are able to correct it, we will.

As to the current status, late last week, we put the websites back online. We have our internet connections and the equipment we need to start processing orders again. However, until our accounts and other matters are operational, we are not taking orders at this time.

Additionally, something is going on with our phone lines. This is likely part of this defamatory attempt on us, so we are working to uncover and resolve that problem as well.

When we are fully operational, we will immediately begin processing orders.

Lastly, to those of you that have emailed us telling us that you are with us, we want to express how sincerely all of us appreciate that support. We have read comments such as, "You guys are the best ever in the industry, just let me know when I can switch my links back".

This kind of response is more than encouraging to us, and the truth is that we want to be here for as much as you are here for us. We do understand what you are experiencing.

Please understand that the delay in sending you some kind of direct communication has been due to the circumstances of this situation, NOT

You can be sure that this situation will not stop us. We might "look" much different in the future, we will still be us, the same "Jive Network Team" working hard for you.

While we are uncertain as to when we will come back online, you can be certain that when we do, our entire business will be stronger and even better than before. A team that has been through an event like this and stands firm, is a team that can accomplish anything.

Stand firm with us. We will accomplish great things, together.


Jive Network

(The same letter can also be found here)

In February 2006 the note was updated again that "XL Pharmacy" had acquired the chain of online drugstores, and was standing by to fill your needs. "XLPharmacy prescriptions drugs are made by world renowned International pharmaceutical companies such as Novartis, Cipla Abbot, Aventis, Bayer, Cipla, Dr. Reddy's, Merck, Eli Lilly, GlaxoSmithKline, and Ranbaxy. All prescription drugs are shipped in the manufacturers' original package and have the manufacturers' original seal for your safety."

The link provided is still live: The helpful FAQ on that site, which claims to have been online since 2004, says:

In all cases orders require a prescription prior to shipment. If you do not have a prior prescription you will be asked to complete an online medical consultation and it will then be reviewed by a licensed physician who may or may not issue a medical prescription based upon your medical consultation. If your online medical consultation was not approved by the physician you will then need to provide a medical prescription from your local physician by fax to us prior to the shipment of your order.

And yes, this replacement pharmacy is still recruiting . . .according to their website:

Experience the highest payout commission and the best Affiliate Support by telephone, live chat and email. pays the highest direct commission and the highest second tier commissions in the industry. Payments are made by bank transfer or epassporte weekly. Please contact the program manager to arrange for your preferred payment options and commissions structure. Commissions are paid up to 45%.

I can't swear that to be accurate. There were several competing affiliate programs who apparently were believed to have purchased Jive Network's customer list. LaCour and Jive Network were also the feature of an issue of The Ripoff Report claiming they had gone back into business operating ",," and others. The owner of "Secure Medical" posted a rebuttal to this, though, claiming they were not related and that their database had been compromised.

In a letter written by Haden Smith back on Aug 20, 2004, he claims there are more than 100 online prescription websites using their fulfillment services, and that their pharmacies earn between $3,000 and $10,000 per day profit.

The chat boards used by the online pharmacies and their customers are lighting up with news stories about the arrests:

Rx Affiliate Forum posters want to know "are affiliates next?" In reply, the poster was reminded "What about the 8 affpower affiliates" who were arrested? Several posters say that advertising is not illegal as long as the affiliates don't take the payments or touch or ship the drugs; they are "just like Google or Yahoo", only advertisers., which provides this list of online pharmacies and their associated "Consultation Fees" and user ratings. Their conversation forum for talking about US-based online pharmacies has over 100,000 posts! The site has 117,791 registered users as of this morning. It will be interesting to see if their reaction to the news goes beyond mere reporting of the indictments.

* - curious coincidence in names here . . . this name, and city, came from court documents, but there is an Akhil Baranwai in Georgia accused of the same sort of behavior (i vs L at the end of the last name)

Monday, May 12, 2008

TJX and Dave & Busters

If you've visited a Dave & Busters, you know these are a great place for grown-ups to go out and play. I've been to several events at the Atlanta location, and enjoy the Virtual Reality games there. I never thought I would see a Dave & Busters story come up on the news-ticker I have watching for new TJX stories, but that is what happened this morning.

You will probably recall the story of Maksym Yastremskiy (Maksik), a Ukrainian citizen arrested in Turkey for his role in trading enormous volumes of credit cards which could all be traced back to the TJX debacle. He was back in the news today with two other hackers, Aleksandr Suvorov (JonnyHell) from Estonia, and Albert Gonzalez (Segvec). The charges are that the first two ran a scam involving the installation of packet sniffers in the cash register systems at 11 Dave & Buster's restaurants. The Islandia, New York location alone was credited with 5,000 customers' credit card data, leading to more than $600,000 in fraudulent purchases. Segvec is charged only with "wire fraud conspiracy", in that he purchased some of this data from Maksik.

The indictment was posted on the ABC News website.

The 27 counts against the first two are:

Count One: Conspiracy to Commit Wire Fraud
(knowingly and intentionally conspiring to devise a scheme and artifice to defraud D&B, its customers, and the financial institutions that issued the customers' credit and debit cards, and to obtain money and means of materially false and fraudulent pretenses, representations and promises, and attempting to do so by means of wire communication in interstate and foreign commerce . . . )

Counts 2-5: Wire Fraud
(installing a packet sniffer, and reactivating it at D&B Store #2 in Islandia, New York, on 5/18/07, 6/9/07, 7/23/07, 8/14/07.)

Count 6: Conspiracy to Possess Unauthorized Access Devices

Counts 7-9: Possession of Unauthorized Access Devices
(the "access device" in question being log files containing "15 or more credit and debit card account numbers".)
(Title 18, Section 1029(a)(3))
(Title 18, Section 1029(c)(1)(A)(i))

Counts 10-12: Aggravated Identity Theft
(Title 18 Section 1028A(a)(1), (b), (c)(5))

Count 13: Conspiracy to Commit Computer Fraud
(Title 18 Section 371 and 3551)

Counts 14-16: Unauthorized Computer Access Involving an Interstate Communication
(Title 18 Section 1030(a)(2)(C))
(Title 18 Section 1030(c)(2)(B)(i))

Counts 17-19: Unauthorized Computer Access to Obtain Things of Value
(Title 18 Section 1030(a)(4))
(Title 18 Section 1030(c)(3)(A))

Counts 20-23: Unlawful Transmission of Computer Codes
(Title 18 Section 1030(a)(5)(A)(i))
(Title 18 Section 1030(a)(5)(B)(i))
(Title 18 Section 1030(c)(4)(A))

Counts 24-27: Interception of Electronic Communications
(Title 18 Section 2511(1)(a))
(Title 18 Section 2511(4)(a))

Oh yeah, and they are going to go for Criminal Forfeiture of all losses.
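Counts 7 through 9 treat a log file holding fifteen or more card numbers as an "access device". The same threshold is a sensible alert trigger for a defender: a file on a point-of-sale host that contains that many Luhn-valid primary account numbers in the clear should be investigated, whether a sniffer wrote it or a misconfigured application did. The following is an added Python example written for this post, not code from the original article or from any of the parties named: it scans constructed log lines for 13 to 19 digit runs that pass the Luhn check, deduplicates them, masks them for reporting, and flags the file when the distinct count reaches the threshold. The log lines are constructed, and the card numbers in them are the widely published payment-network test numbers, not real accounts.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. A constructed pattern for this example.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check as used by payment card numbers: double every second digit
    from the right, subtract 9 from any result above 9, sum, and test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the set of Luhn-valid candidate account numbers in a string."""
    found = set()
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines, threshold=15):
    """Scan log lines; report distinct PANs and whether the file crosses the
    threshold the indictment uses for an 'access device'."""
    pans = set()
    for line in lines:
        pans |= find_pans(line)
    return {
        "distinct_pans": len(pans),
        "over_threshold": len(pans) >= threshold,
        "masked": sorted(mask(p) for p in pans),
    }


# Constructed sample log lines. The card numbers are the commonly published
# test numbers (Visa 4111..., Mastercard 5500..., Amex 3782...), not real accounts.
SAMPLE_LOG = [
    "2007-05-18 02:14:07 pos-02 auth ok card=4111 1111 1111 1111 amt=42.50",
    "2007-05-18 02:14:09 pos-02 auth ok card=5500-0000-0000-0004 amt=19.99",
    "2007-05-18 02:14:11 pos-02 auth ok card=378282246310005 amt=88.00",
    "2007-05-18 02:14:12 pos-02 order id=1234567890123456 (fails Luhn, ignored)",
    "2007-05-18 02:14:13 pos-02 auth ok card=4111111111111111 amt=5.00",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG, threshold=3))
```

The masking keeps only the first six and last four digits, which is the form a report can safely carry off the host; run against logs in PCI scope, the masked hit list, not the log itself, is what should leave the machine. The Luhn check removes most order numbers and timestamps, as the fourth sample line shows, but a long numeric identifier can still pass by chance, so a hit count near the threshold deserves a look before an alert is escalated.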

All the way back in June 2007, Maksik and Segvec were on the way toward losing their e-gold accounts, according to this testimony from US Secret Service agent Roy Dotson, who names e-gold account number 1751848 as belonging to Maksik and 3584940 as belonging to Segvec.

From that affidavit:

“Segvec”: “Segvec” is a vendor of stolen financial information on the carding website Makafaka and accepts payment for his contraband in e-gold. A search and review of the e-gold database revealed number 2464856 – which has as its contact name “segvec.” According to information related to me from agents of New Scotland Yard’s National Terrorist Financial Investigation Unit regarding email communications they had with Douglas Jackson in April 2007, Douglas Jackson was aware that “segvec” was a Ukrainian carder.

An analysis of “segvec”’s account number 2464856 yielded the following results:
The account was created in October 2005. There were 93 transfers into the account with a value of 1524.80951 grams ($845,545.60).

20 of the 90 transactions, which total 726.623113 grams ($410,750.00) and occur between February and May 2006, are transfer of funds from account 1751848, “Maksik’s Job”

“Maksik”: “Maksik” is a known vendor of stolen credit card information, stolen financial accounts, and fraudulent Ukrainian passports on the Shadowcrew, Mazafaka, and Carderplanet carding websites and accepts payment for this contraband in e-gold. A search and review of the e-gold database revealed account number 1751848, with the account name “Maksik’s Job,” and contact email addresses of and Several memo fields in the transaction record for e-gold account number 1751848 indicate carding activity, including, for example, “1-27 order amex” (i.e., an order for a stolen American Express credit card number), “Happy H4xOr Dumps” (i.e., stolen credit card information), “For 20 classics” (i.e., a type of credit card). A search and review of the e-gold database also revealed e-gold account number 3399565, with the account name “Maksik’s account,” and containing a contact email address of A review of this account also shows many transactions with other e-gold accounts controlled by known carders, including e-gold account number 2567183 (controlled by “Lord kaisersose” – a known vendor of stolen credit card information), and e-gold account number 2874688 (controlled by “u26" – a provider of credit card pre-authorization services to vendors)

Yastremskiy was arrested in Turkey in July 2007, where he remains in jail.

Suvorov was arrested in Germany in March 2008.

Gonzalez was arrested in Miami in May 2008 by the US Secret Service.
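The figures in the affidavit excerpt above (N transfers into one account, a subset of them from a single counterparty, memo fields that read as carding orders) come from a plain ledger analysis. The following is an added example of that analysis, written for this page; it is not the affidavit's or the Secret Service's tooling. The transactions are constructed, and only the two account numbers and the three memo strings are taken from the affidavit; the carding vocabulary in the regex is my own list.

```python
# Added example (not from the affidavit quoted above): inbound e-gold transfers
# into one account, grouped by paying account, with memo fields screened for
# carding indicators. Ledger rows are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Transfer:
    when: date
    src: int        # paying e-gold account
    dst: int        # receiving e-gold account
    grams: float    # e-gold balances were denominated in grams of gold
    usd: float      # USD value at the time of the transfer (the rate varied)
    memo: str


# Memo vocabulary treated as a carding indicator (assumed list: the three
# terms the affidavit cites plus a few common carder terms).
CARDING_MEMO = re.compile(
    r"\b(dumps?|amex|classics?|cvv2?|fullz|track ?[12])\b", re.IGNORECASE)

SEGVEC = 2464856       # "segvec" account, from the affidavit
MAKSIK_JOB = 1751848   # "Maksik's Job" account, from the affidavit

LEDGER = [  # constructed sample ledger
    Transfer(date(2006, 2, 3),  MAKSIK_JOB, SEGVEC,  40.00, 22_000.0, "1-27 order amex"),
    Transfer(date(2006, 3, 14), MAKSIK_JOB, SEGVEC,  35.50, 20_100.0, "Happy H4xOr Dumps"),
    Transfer(date(2006, 5, 2),  MAKSIK_JOB, SEGVEC,  12.25,  6_900.0, "For 20 classics"),
    Transfer(date(2006, 6, 20), 9990001,    SEGVEC,   5.00,  2_800.0, "payment"),
    Transfer(date(2006, 7, 1),  SEGVEC,     9990002,  3.00,  1_700.0, "refund"),  # outbound
]


def inbound(ledger, account):
    """All transfers credited to `account` (outbound transfers are ignored)."""
    return [t for t in ledger if t.dst == account]


def summarize_by_counterparty(ledger, account):
    """Per paying account: count, grams, USD, share of all inflow, date range,
    and how many memos match the carding vocabulary. This is the shape of the
    affidavit's 'N of the transfers, totalling X grams, came from 1751848'."""
    credits = inbound(ledger, account)
    total_usd = sum(t.usd for t in credits)
    groups = defaultdict(list)
    for t in credits:
        groups[t.src].append(t)
    summary = {}
    for src, ts in groups.items():
        usd = sum(t.usd for t in ts)
        summary[src] = {
            "count": len(ts),
            "grams": round(sum(t.grams for t in ts), 6),
            "usd": round(usd, 2),
            "share": round(usd / total_usd, 3) if total_usd else 0.0,
            "first": min(t.when for t in ts),
            "last": max(t.when for t in ts),
            "carding_memos": sum(1 for t in ts if CARDING_MEMO.search(t.memo)),
        }
    return summary


def linked_accounts(ledger, account, min_share=0.25):
    """Counterparties that both dominate the inflow and use carding memos:
    the accounts an investigator pulls next."""
    return sorted(
        src for src, s in summarize_by_counterparty(ledger, account).items()
        if s["share"] >= min_share and s["carding_memos"] > 0)


if __name__ == "__main__":
    for src, s in summarize_by_counterparty(LEDGER, SEGVEC).items():
        print(src, s)
    print("follow up on:", linked_accounts(LEDGER, SEGVEC))
```

The USD value is carried per transaction rather than derived from grams, because the two totals in the affidavit imply different gram-to-dollar rates (they were valued at the time of each transfer); summing stored values avoids inventing an exchange rate.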

Friday, May 09, 2008

Digital Certificates Update

A quick update from the previous post.

The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be recovering their lead. Of the 9 domain names used in the spam campaign last night, only one was live when my morning report was run this morning.

That one did load the web page shown in the previous blog entry, and attempted to download the file:


but this time the download was detected by McAfee anti-virus and blocked as ""

Much better. We'll see if we can make go away shortly.

Tuesday, May 06, 2008

Digital Certificate Alert!

UAB Computer Forensics is investigating yet another "Digital Certificate" phishing attack -- this time with Merrill Lynch as the target.

The traditional definition of phishing requires the website that the customer visits to request personal information, such as the user ID and password to an online account, or credit card or bank account information. In this case, no personally identifiable information is requested. Instead, the emails and the destination website tell the potential victim that Digital Certificates will make their online financial experiences safer. This rings true with consumers, who are certain to have heard about the advantages of certificates, especially as "Extended Validation Certificates" (the ones that turn your browser address bar green when you are on a verified site) are increasingly proclaimed by companies like DigiCert, and Thawte to be the Next Big Thing in security.

It is this increased consumer awareness that is leading to the current rounds of victimization. In this scheme, the consumer receives an email informing them that their financial accounts will be more secure if they upgrade to digital certificates, or that their current digital certificate has expired and needs to be upgraded. If they follow the link, they are taken to a website where they receive more information about the importance of the upgrade, and are given instructions to "install" their digital certificate, with a link to download the installation program.

The installation program is, of course, malware, not a certificate. The first Digital Certificate campaign we investigated, against Bank of America, ended in early April, but the new round, which includes Comerica Bank, Colonial Bank, and now Merrill Lynch, is still going strong, with Comerica being a nearly daily target with more than 250 domain names used in the fraud. Colonial Bank has only been targeted on two days, with 22 domain names used, and now Merrill Lynch, which launched yesterday with the domain names and

(I confirmed that both websites were taken offline before publishing this article.)

The Merrill Lynch version of the malware is called "" by most of the anti-virus programs that detect it. The first version of the Colonial Bank trojan was called "Papras.dh", and the first version of the Comerica Bank trojan that we looked at was called "Papras.dc". This is more evidence that these originate from a common source (a shared family name means the engines see closely related code; the binary-identical match described below is the stronger link).

As with most emerging threats, common anti-virus products are not immediately blocking the threat. For instance, F-Prot, McAfee, and Symantec do not show on VirusTotal as having detection for this threat. McAfee engineers have previously complained to me that VirusTotal is not an accurate way of knowing whether they have detection. I run McAfee on my own work desktop though (for balance, I run Symantec at home), and when I do an AV update (to DAT version 5289.0000, dated May 6 2008) and then scan the file, it does not detect.

The sad part about the failure of common AV engines to detect this malware is that this file is a BINARY IDENTICAL MATCH for the Colonial Bank version of the trojan that we analyzed and reported on April 30. One week later, and the two largest AV companies still have no detection.
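The "binary identical match" claim above is the kind of thing worth checking mechanically whenever samples arrive under different campaign names: hash every sample, group by digest, and record when the earliest copy of each distinct binary was collected, which is the window in which an engine could already have added detection. The following is an added example written for this page, not the UAB investigation's tooling. The sample bytes are constructed placeholders (the real Papras binaries are not reproduced here); the campaign names, dates and detection names follow the post.

```python
# Added example, not code from the UAB investigation: group malware samples
# from different phishing campaigns by SHA-256 and report reuse and age.
# Sample bytes are constructed placeholders.
import hashlib
from collections import defaultdict
from datetime import date

# (campaign, date collected, detection name seen at the time or None, bytes)
SAMPLES = [
    ("Comerica",      date(2008, 4, 28), "Papras.dc", b"MZ\x90\x00" + b"PAPRAS-DC" * 8),
    ("Colonial Bank", date(2008, 4, 30), "Papras.dh", b"MZ\x90\x00" + b"PAPRAS-DH" * 8),
    ("Merrill Lynch", date(2008, 5, 6),  None,        b"MZ\x90\x00" + b"PAPRAS-DH" * 8),
]

REPORT_DATE = date(2008, 5, 6)   # the day of the post, used as "today"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_by_hash(samples):
    """Map digest -> [(campaign, date, detection name)], oldest first.
    Equal digests mean equal bytes; a repacked or rebuilt variant lands in
    its own group, so the absence of a match proves nothing about lineage."""
    groups = defaultdict(list)
    for campaign, seen, avname, data in samples:
        groups[sha256(data)].append((campaign, seen, avname))
    for hits in groups.values():
        hits.sort(key=lambda h: h[1])
    return groups


def reuse_report(samples, today=REPORT_DATE):
    """One row per distinct binary: where it appeared, when it was first seen,
    how many days that is before `today`, and the detection names observed."""
    rows = []
    for digest, hits in group_by_hash(samples).items():
        rows.append({
            "sha256": digest,
            "campaigns": [h[0] for h in hits],
            "first_seen": hits[0][1],
            "days_known": (today - hits[0][1]).days,
            "names": sorted({h[2] for h in hits if h[2]}),
        })
    return sorted(rows, key=lambda r: r["first_seen"])


def reused_in(samples, campaign, today=REPORT_DATE):
    """The report row for `campaign`'s sample if the identical bytes were
    already collected earlier under another campaign, else None."""
    for row in reuse_report(samples, today):
        if campaign in row["campaigns"] and row["campaigns"][0] != campaign:
            return row
    return None


if __name__ == "__main__":
    for row in reuse_report(SAMPLES):
        print(row["sha256"][:16], row["campaigns"], row["days_known"], row["names"])
    print(reused_in(SAMPLES, "Merrill Lynch"))
```

For the constructed data, the Merrill Lynch sample resolves to the Colonial Bank binary first seen six days earlier, which is exactly the "one week later, still no detection" observation; on real samples, run the same grouping on the decrypted or unpacked payload as well, since a fresh packer layer defeats a plain hash match.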

The current email looks like this:


Merrill Lynch develops new solutions that deliver instant,
comprehensive online banking and protection against evolving
computer security threats.

Dear Merrill Lynch Business Center Customer:

In an effort to better serve you, the following changes to the
daily processing procedures will go into effect on Tuesday, May 6th:
We’ll be launching new Business Centre homepage

In addition to a fresh look, the new Merrill Lynch website will provide:
-Easier access to login
-Easier ways to contact and locate us
-Access to more information on what we offer and what we do Online
Please discover new Business Centre homepage now:

Copyright 2008 Merrill Lynch & Co., Inc.

And the website that it pointed us to looked like this:

Now, put on your Sherlock Holmes hat and try this one yourselves. Can you detect any similarities with this email?

Comerica TM Connect Web Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert & Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date - 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten
days and 3 hours before the certificate is due to expire, if it has not been renewed.
Upon receiving the renewal notice, certificate owner is required to connect to
Comerica Bank Certificate Management System and present the client certificate.
Secure Server e-Cert & Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date.
Successful renewed application will receive an email notification from Comerica Bank.
Applicant can just browse to the URL stated in the email and then download the certificate.

Download now>>

2008 Comerica Treasury Management Connect Web (SM) Version 4.2

How about this email?

Connection-Colonial Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert & Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date - 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten
days and 3 hours before the certificate is due to expire, if it has not been renewed.
Upon receiving the renewal notice, certificate owner is required to connect to
Colonial Bank Certificate Management System and present the client certificate.
Secure Server e-Cert & Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date.
Successful renewed application will receive an email notification from Colonial Bank.
Applicant can just browse to the URL stated in the email and then download the certificate.

Download now>>

2003 Colonial Bank, N.A.
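The similarity the post asks readers to spot can be measured rather than eyeballed: strip the bank names out of the two renewal emails and the remaining word sequence is nearly identical, while the Merrill Lynch lure is a different template altogether. The following is an added example written for this page, not the blog's own tooling. The three email bodies are the ones reproduced above; the placeholder substitution, the lure regexes and the thresholds are my own choices.

```python
# Added example, not the blog's tooling: template similarity between the
# phishing emails quoted above, plus a simple lure-indicator check.
import difflib
import re

COMERICA = """Comerica TM Connect Web Bank Renewal
Certificate Renewal
Personal (Smartcard) e-Cert & Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date - 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten
days and 3 hours before the certificate is due to expire, if it has not been renewed.
Upon receiving the renewal notice, certificate owner is required to connect to
Comerica Bank Certificate Management System and present the client certificate.
Secure Server e-Cert & Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date.
Successful renewed application will receive an email notification from Comerica Bank.
Applicant can just browse to the URL stated in the email and then download the certificate.
Download now>>
2008 Comerica Treasury Management Connect Web (SM) Version 4.2"""

COLONIAL = """Connection-Colonial Bank Renewal
Certificate Renewal
Personal (Smartcard) e-Cert & Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date - 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten
days and 3 hours before the certificate is due to expire, if it has not been renewed.
Upon receiving the renewal notice, certificate owner is required to connect to
Colonial Bank Certificate Management System and present the client certificate.
Secure Server e-Cert & Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date.
Successful renewed application will receive an email notification from Colonial Bank.
Applicant can just browse to the URL stated in the email and then download the certificate.
Download now>>
2003 Colonial Bank, N.A."""

MERRILL = """Merrill Lynch develops new solutions that deliver instant,
comprehensive online banking and protection against evolving
computer security threats.
Dear Merrill Lynch Business Center Customer:
In an effort to better serve you, the following changes to the
daily processing procedures will go into effect on Tuesday, May 6th:
We'll be launching new Business Centre homepage
In addition to a fresh look, the new Merrill Lynch website will provide:
-Easier access to login
-Easier ways to contact and locate us
-Access to more information on what we offer and what we do Online
Please discover new Business Centre homepage now:
Copyright 2008 Merrill Lynch & Co., Inc."""

BANKS = ["Merrill Lynch", "Comerica", "Colonial"]   # brands to neutralise


def normalize(text):
    """Replace bank names with a placeholder, lowercase, split into words, so
    the comparison measures the template rather than the branding."""
    for bank in BANKS:
        text = re.sub(re.escape(bank), "<BANK>", text, flags=re.IGNORECASE)
    return text.lower().split()


def template_similarity(a, b):
    """Ratio in [0, 1] of the shared word sequence between two emails."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b),
                                   autojunk=False).ratio()


# Lure indicators drawn from the post's description of the scheme (assumed
# patterns; tune before using them as a mail filter).
LURES = {
    "cert_expiry":    re.compile(r"\bcertificate\b.*\b(expir\w*|renew\w*)\b", re.I | re.S),
    "download":       re.compile(r"\bdownload\b", re.I),
    "new_site":       re.compile(r"\bnew\b.*\b(homepage|website|site)\b", re.I | re.S),
    "security_pitch": re.compile(r"\b(security|protection|safer)\b", re.I),
}


def lure_indicators(text):
    """Sorted names of the lure patterns present in an email body."""
    return sorted(name for name, rx in LURES.items() if rx.search(text))


if __name__ == "__main__":
    print("Comerica vs Colonial:", round(template_similarity(COMERICA, COLONIAL), 3))
    print("Comerica vs Merrill: ", round(template_similarity(COMERICA, MERRILL), 3))
    for name, body in [("Comerica", COMERICA), ("Colonial", COLONIAL), ("Merrill", MERRILL)]:
        print(name, lure_indicators(body))
```

Note what the indicator check shows about the Merrill Lynch mail: it never mentions a certificate at all, and sells a "new homepage" instead, so a filter keyed only on certificate-renewal wording would miss it even though it delivers the same binary.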