Tuesday, September 23, 2008

Digital Certificate Spammer Goes for Google Adwords

From late May until last week, the Digital Certificate Malware spammer has been targeting banking brands. That has changed with last week's attack on CareerBuilder, and now a new attack against Google AdWords which began Monday afternoon. Starting at 2:17 PM (US Central Time) the UAB Spam Data Mine began receiving copies of a new Digital Certificate spam for Google AdWords.

The fraudulent webpage encourages users to "download 128-bit Digital Certificate software and enjoy all Google Adwords services security", and features a large "Download now" button:



Thirty different email subject lines have been used so far:

Account Protection! Google Adwords Alert
Account Protection! Google Adwords is dedicated to protecting your privacy
Account Protection! Google Adwords pad lock and encryption features help to ensure you
Account Protection! Google Adwords Security and Identity Protection Newsletter
Account Protection! Google Adwords Security Update
Account Protection! Google Adwords Services
Account Protection! Google Adwords Services Contacts
Account Protection! How does Google Adwords protect my information?
Account Protection! How does Google Adwords protect my privacy and personal information?
Account Protection! Visit a Google Adwords Center
Account Protection! What is Google Adwords Security SSL?
Google Adwords - protect your account
Google Adwords Alert
Google Adwords Customer Service
Google Adwords fraud
Google Adwords Guards and Protects Your Information
Google Adwords is dedicated to protecting your privacy
Google Adwords pad lock and encryption features help to ensure you
Google Adwords Security
Google Adwords Security and Identity Protection Newsletter
Google Adwords Security News
Google Adwords Security Update
Google Adwords Services
Google Adwords Services Contacts
Google Adwords uses a wide variety of fraud
How does Google Adwords protect my information?
How does Google Adwords protect my privacy and personal information?
What is Google Adwords Security SSL?

Regardless of the subject, each email stresses the importance of having a 128-bit SSL security, and says that browsers which do not have it will not be able to login to Google Adwords after September 24th.

Here's one example:


Attention GOOGLE ADWORDS Customers!

For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate

Read more>>

Unprotected browsers will not be able to Log in after September 24, 2008
Sincerely, Jenna Hooper.

2008 Google Adwords, Developing new services



The name at the end has no meaning within Google, and in fact we have seen 299 unique names listed so far, so there is a very high likelihood they are being randomly generated.

So far there are five domain names associated with this attack (we've requested that Register.com shutdown the domains already):

adwrss.com
ggoocom.com
meyolev.com
mitroces.com
spaentri.com

The domains, which were all created on September 22nd, hide behind the "Domain Discrete" service which seems designed to protect criminals:

Example Registrant (adwrss.com):
Domain Discreet
ATTN: adwrss.com
Avenida do Infante 50
Funchal, Madeira 9004-521
PT
Email: 8b09659a0a141150016552e5e91485b1@domaindiscreet.com

The initial file which is downloaded is 6,144 bytes in size. This tiny file, which is only a "dropper" for the real malware proves the relationship between this and other recent digital certificate spam.

GoogleADwordscertSEtup.exe = MD5 54fc18040782d53c9dc7f8365fe26367
SPlusWachoviadigicert.exe = MD5 54fc18040782d53c9dc7f8365fe26367

This is NOT an exact match with last week's CareerBuilder malware, which was also 6,144 bytes, but had a different MD5 hash value, but which matched the recent RBC and SunTrust Bank certificates.

CertEmployersectorSSL.exe = MD5 1dee8e8c891727c0868aa9486165824d
RBCCer_509.exe = MD5 1dee8e8c891727c0868aa9486165824d
SSLSunTrustsetupclient6783492.exe = MD5 1dee8e8c891727c0868aa9486165824d

The Google Adwords malware will download an additional file, called "file.exe" which is the actual keylogger. This keylogger sends its stolen data to the Piradius Network in Malaysia. Admins are encouraged to report any traffic they see leaving their network headed to IP addresses on this block:

124.217.248/24

The current IP address is 124.217.248.174, but several IP addresses on this network receive stolen data for other keyloggers as well.

The Keylogger is "context sensitive". An analysis performed on the malware by UAB Student Brian Tanner indicates that it detects particular login events and sends the data using these patterns:

http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x
URL: sniffer_ftp_%s
ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
URL: sniffer_pop3_%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
URL: sniffer_imap_%s
imap_server=%s&imap_login=%s&imap_pass=%s
URL: sniffer_icq_%s
icq_user=%s&icq_pass=%s

It is also known to steal "generic" login events for various webpage logins. A machine infected with this keylogger will basically send every type of login data to the criminals who are behind the scheme.

The malware is dropped with "rootkit" capabilities. This means that traditional Windows methods of detecting whether a file is present will fail. The malware uses some of the following filenames:

ntoskrnl.exe
trust.exe
9129837.exe
new_drv.sys <=== a key part of the Root Kit

As with previous versions of Digital Certificate malware, the web pages for these domain names are hosted via the Botnet which the malware creates. For example, at this moment, the IP addresses resolving for adwrss.com are:

116.127.169.178, <= Hanaro Telecom, Korea
121.125.52.212, <= Hanaro Telecom, Korea
121.137.245.201, <= KorNet, Korea
121.175.13.103 <= KorNet, Korea
220.88.91.61, <= KorNet, Korea
75.51.103.215, <= AT&T, Saginaw, Michigan
79.117.195.143, <= RDSNet, Romania
93.1.15.7, <= Groupe N9uf Cegetel, Paris France
99.140.183.32 <= AT&T, Chicago, Illinois
99.227.84.87 <= Rogers Cable, Canada

But this pool shifts every few minutes. Hundreds of machines are part of this "hosting botnet".

Monday, September 22, 2008

Governor Palin's Email: Security Questions in the Facebook Age

Think about how much information the average FaceBooker or blogger shares about himself online. Now consider this, Governor Sarah Palin's Yahoo! email address allowed a password reset by knowing the answer to three Security Questions:

What is your birthdate?
What is your ZIP code?
Where did you meet your spouse?

The answer took a few Google searches. Every celebrity birthdate can be easily found online. Wasila, Alaska only has one ZIP code, and Palin is known to have met her husband in high school. The last took three guesses, with the correct answer being "Wasilla High", according to the post on 4chan.org's /b/ board by someone calling himself Rubico --(rubico10@yahoo.com)-- and now confirmed to be 20-year-old David Kernell who, Republicans are pointing out, is the son of a Democratic State Representative in Tennessee.



Kernell used a publicly available anonymizing server called "Ctunnel" operated by Gabriel Ramuglia in Athens, Georgia to try to protect his identity while hitting the Yahoo! website. Ramuglia is cooperating voluntarily with the FBI, who gained the CTunnel IP address from Yahoo's logs.

Let's consider for a moment some of the other security questions that have been offered as "Security" to some of our accounts. I've complained about these for years, because many of them are trivial to find for even a moderately "online" person. But again, let's consider these in the Facebook Age, and take a moment to reflect on how absolutely broken they are.

Here's a set of Challenge Questions from a very large American bank:

In what city were your born?
What is your favorite hobby?
What high school did you attend?
What was your high school mascot?
What is your father's middle name?
What is your mother's maiden name?
What is the name of your first employer?
What is the first name of your first child?
In what city was your father born?
When is your wedding anniversary? (Enter the full name of month)
In what city was your high school?

What High School? Gee - Look at my Classmates.com account.
First Employer? Not hard to find on my LinkedIn page.
Mother's maiden name? Hello? I run a genealogy mailing list for that surname!
Pet's name? My daughter has created a "DogBook" account for our pet!

So, what do you do when they ask you for a security question? Lie. Be dishonest. DO NOT TELL THE TRUTH. Be imaginative! And then write down your security questions and put them wherever you keep your birth certificate and passport.

Pet's name? Sir Gallahad the Cat-Snuffer
Favorite movie? Pippi Longstockings
Month of your wedding? Octuary
Mother's maiden name? Mugillicutty

In other words - they force you to HAVE a security question, but PLEASE don't make it something the rest of the world can find out with a Google search.

Of course, its worse if you are a celebrity. Governor Palin, after all, has a biography written that will answer most of these questions. The more famous you are, or in some cases the wealthier you are, the more likely it is you will be targeted.

As an illustration, we have the story from back in 2001 of Abraham Abdallah. A 32 year old New York City bus boy. A high school drop out. Who happened to be working his way through the Forbes magazine "400 Richest People" list. At the time of his arrest he had impersonated many of these famous people simply by knowing enough about them to be able to pass a telephone version of the Security Questions above.

See: Forbes rich list falls prey to high-tech fraudster

Friday, September 19, 2008

CareerBuilder Latest Digital Certificate Malware Target

CareerBuilder.com has joined the list of brands targeted by a criminal who spams the news of a new "Digital Certificate" said to protect customers. The spam emails claim that by running a Setup Wizard for the "Microsoft Windows Live ID Certification service", customers will protect themselves better. In reality, its a piece of malware called a "keylogger" that will infect customer machines, and share what they type with criminals seeking login credentials for this online job-hunters site.

The UAB Spam Data Mine received more than 400 copies of the spam yesterday, which used twenty different subject lines to advertise eleven webservers which would carry out the compromise when visited.

The dangerous websites look like this:



These are the subjects used in the nefarious emails:

CareerBuilder Commercial Customer Service
CareerBuilder Employer Security PlusSM
CareerBuilder Employer Services
CareerBuilder Employer Services Contacts
CareerBuilder is dedicated to protecting your privacy
CareerBuilder Job posting Services
CareerBuilder offers a full array of job posting
CareerBuilder Security and Identity Protection
CareerBuilder Security PlusSM Guards and Protects Your Information
CareerBuilder Security PlusSM uses a wide variety of fraud
CareerBuilder's pad lock and encryption features help to ensure you
Employer- CareerBuilder
Employer Services (CareerBuilder at Work)
Employer: With CareerBuilder Security Plus keeping your financial information
Employer: With CareerBuilder Security Plus we regularly monitor accounts through
How does CareerBuilder protect your information
How does CareerBuilderm protect your privacy and personal information
Visit a CareerBuilder Employer Center
What is CareerBuilder Employer Security PlusSM

The websites which are being used by these campaign are currently these:

bniyime.com
btyonro.com
chortom.com
ggolrrle.com
nbviox.com
njieme.com
vcveebnu.com
veeimor.com
vertumru.com

Update!


We reported the bad guys domains, and they were all shut down. Did that stop our bad guys? No. They went and made another batch! We've received 444 more copies of this campaign, now using THESE domain names, created today...

adwornee.com
beriupe.com
carertre.com
mieppeeei.com
pystshdoll.com
uscarer.com




UAB Computer Forensics personnel shared information of the new attack with CareerBuilders fraud prevention staff last night, and are working to terminate these domains immediately.

This is the latest in a family of "Digital Certificate" malware which we've been following since at least May. Some of the other columns we've done on this topic are listed here for your convenience:

Digital Certificate Alert! - May 6th article about the Colonial Bank, Comerica, and Merrill Lynch Digital Certificate Malware

Anti-Virus Products Still Fail on Fresh Viruses - August 12th article using the largely undetectable "Colonial Bank" Digital Certificate Malware as an example

Banking Digital Certificate Malware in Spam - August 30th article about the Bank of America and SunTrust Digital Certificate Malware

The domains above are hosted using "Fast Flux" technology, where the nameservers for the domains are constantly updated so that at any given moment there are at least ten "bot" computers (home users who are already compromised) who act as "Proxy web servers" to complicate the task of finding the actual server. We've already identified more than 200 IP addresses which will resolve these domains.

The same Fast Flux network is also hosting the "Walker & Sons" work-at-home scam to recruit "Money Mules". We warned about this type of scam last week in our column, "Work at Home . . . for a Criminal?". In the current Walker & Sons scam, which has used more than a dozen domain names all registered at "123-reg.co.uk", the Money Mule position is described like this:


Financial Coordinator

Job summary :

As a regional Financial Coordinator for our company you will be responsible to administer customer payments. You will help to fasten customer settlements and payments delivery. You will participate in internal and external company funds flow to speed up maturity of bills and other transactions. We need you to support our international team to be able to raise capital, attract more and more customers and expand into new economical markets and assist in the development of the company in general.

Responsibilities:

Deal with order and bill payment projects
* Receive and manage customer payments and any other business payments ( your existing accounts is to be used for the trial period of first three customer payments and a business account to be opened especially for the company needs in the future)
* Implement calculations regarding each new coming payment project to be dealt with
* Ensure the high-speed delivery of the funds to the final destination through Western Union or Money Gram quick collect services
* Be in a tight collaboration with the Head Office and report directly to the Finance Manager

Required skills and experience:
* Excellent project management skills
* Written and verbal communication skills
* High School diploma or equivalent preferred
* Excellent time management skills
* Excellent organizational and communication skills
* Capable of managing multiple projects and prioritizing deadlines

This position offers part employment (1-2 hours a day) and net 10% commission
If you are interested in this opportunity, click the Apply Now! button.


See the key phrases I've highlighted? You'll be receiving stolen funds into your personal checking account, and then using Western Union and Money Gram to withdraw these funds and ship them overseas. The proper title for this job is "Money Launderer", and holding this job is a crime. If you've been duped into this job, you need to contact law enforcement and explain your situation.

Some of the many domain names being used for this scam include:

salker.co.uk
salker.me.uk
salker.org.uk
swalkeer.me.uk
walkeer.co.uk
walkeer.me.uk
walkeer.org.uk
wallker.co.uk
walsoon.org.uk

CareerBuilder.com is a fine, safe place to find a job. But LOGIN TO THEIR WEBSITE by typing its URL in the browser. Don't follow links in email messages that take you there.

Saturday, September 13, 2008

Internet Landfills: Praise for Brian Krebs

Have you ever played Sim City? One of the problems a City Manager has to deal with is the disposal of waste. One of the possible solutions to that problem, is that you can create a landfill. The next problem is always where to put it, because your Sims will all complain and move away if you put it in their neighborhood. The same thing happens in real life. Google ("public meeting" and landfill) and you'll find tens of thousands of pages about meetings where Citizens get together to complain about the landfill that either is, or has been proposed to be, near their homes.

At the Birmingham InfraGard meeting on September 9th, I shared a presentation called "The Beautification of Internet Landfills". It started out with a couple definitions:

Internet Landfill
A network, hosting site, or registrar which attracts an entirely unlikely percentage of criminal activity
Beautification
Causing such landfills to reform their evil ways, or find themselves in legal trouble, or bandwidth impaired due to “public shunning


The meeting dropped a challenge to the Birmingham InfraGard members to become part of the "Neighborhood Watch" for the Internet.

When you see Badness, as a Corporate Security Professional, what do you do:

  • (A) Protect your own systems from the Badness?
  • (B) Share what you've learned with others, so they can be protected too?
  • (C) Trace the Badness to its origins and attempt to shut it down?
  • (D) Report the Badness to an appropriate Law Enforcement Agency?

The answer should be (E) - All of the above.

If you don't know HOW, I told the InfraGard members, then lets share information together to LEARN how.

One of the best ways to see an example of this in action is to follow the SecurityFix column by Brian Krebs of the Washington Post, and to examine and emulate the work of the fine researchers and security companies that he mentions frequently there.

We've all read the stories about the Russian Business Network, and how they were hosting criminal content all the way back to 2004, primarily under the guise of "Too Coin Software". RBN has been documented as the host of hundreds of child pornography websites, the notorious "iFrameMoney.biz" advertising network, and other badness such as the UrSnif Trojan and the SetSlice exploit. As recently as April 2007, they were infecting visitors with spam-based exploits being pushed by our friends Naked Britney and Paris. After making a ridiculous claim to have relocated to Panama (despite still being fed by upstream provider SBT Telecom in St. Petersburg), RBN continued to host its badness until they were outed by a journalistic campaign of exposure.

While there were some great publications shining a light on RBN, the one that seemed to me to have the greatest impact was the October 13, 2007 piece in Brian Krebs' must read column, SecurityFix.
"Shadowy Russian Firm Seen as Conduit for Cybercrime"
An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming, and identity theft, according to computer security experts...


Last week, Krebs declared that he was going on a campaign to unmask some other criminal organizations working openly and unafraid on the Internet.

Many people miss perhaps the best part of the first report, which was:

Report Slams US Host as Major Source of Badware

Following this report, the comments lit up like crazy, including, as we were shocked to see, Emil K., the owner of Intercage/Atrivo, who proclaimed his innocence, but also promised quick action on any criminal activity, and posted his ICQ number in case anyone had anything they wanted to report:

It was also interesting to see Konstantin Poltev rise to his defense in the comments, also proclaiming his own innocence, and providing his personal email address (kokach@estdomains.com) and promising to take quick action against any abuse on their site saying "We are going to perform a total clean-up, really total."

Another Intercage employee invited anyone who has problems for a tour of his data center, and reminded that you can email "abuse@intercage.com" with abuse complaints, or "russ@intercage.com" or "emil@intercage.com" if you have suggestions to improve their business.


Some of his columns since then have included:
Scammer-Heavy U.S. ISP Grows More Isolated which reminded us that Atrivo is Bad, and showed how Atrivo's various Internet Connectivity sources have been pulling the plug to avoid being associated with their evil.

A Superlative Scam and Spam Site Registrar which introduced the public to what security researchers have long known: Criminals like to register domains with EstDomain, because they ignore abuse complaints and let the crime continue.


EstDomains: A Sordid History and a Storied CEO which called attention to the well-known criminal career of Vladimir Tsastsin, the CEO of EstDomains, and asked the question if we should have a domain registrar who has done time for credit card fraud, document forgery, and money laundering.

Fake Antispyware Purveyor Doubles as Domain Registrar which focused on the practices of Klikdomains, aka Vivids Media GMBH, which has been behind many of the fake anti-virus and anti-spyware products. Because of Krebs work, Directi Internet Solutions, in India, has changed their business practices, and will no longer allow Klik to use its anonymizing service "PrivacyProtect" when registering domains. Directi's president, Bhavin Turakhia, shared with Krebs that nearly half of the 100,000 domains registered by Klik have eventually been suspended for abuse. After Krebs targeted their domains, Directi terminated another 21,000 sites in 48 hours!

The current series by Krebs resulted from some of the replies he received from another Must Read series, called Web Fraud 2.0, the week of August 17-23. The components of that series were:

Web Fraud 2.0: Cloaking Connections

Web Fraud 2.0: Validating Your Stolen Goods

Web Fraud 2.0: Digital Forgeries

Web Fraud 2.0: Distributing Your Malware



Interesting Sidebar found in WIRED along these same lines:
Online Posse Assembles, to Unmask Russia's Hackers

Friday, September 12, 2008

Protecting Anonymized Religious Speech Overturns Nine Year Spam Sentence

Last night I invited some friends to "Justice Science Movie Night". As my readers know my appointment at the University of Alabama at Birmingham (UAB) is in both the Computer & Information Sciences and the Justice Sciences departments. I arranged a viewing of a movie that takes a look at our corrections system in the United States and poses the question, "Are we trying to reform criminals? or appease society?" In the evenings movie, the demands of a near future society to feel that criminals had been adequately punished greatly outweighed the desire to rehabilitate the wrong-doers. The movie was called "Death Race".

When I hear about court rulings like the one today in the Virginia Supreme Court, I reach the levels of frustration that temporarily make me lack admiration for the fairness of our courts.

The case was the AOL Spamming conviction against Jeremy Jaynes. Jaynes was convicted in 2004, the first case brought using the new Virginia Anti-Spam Law. He was sentenced to nine years in prison as a result of sending tens of thousands of spam messages to AOL subscribers. Listed by Spamhaus as the #8 Worst Spammer on their Register of Known Spam Operations, Jaynes, who was also known as Gaven Stubberfield has been free pending appeal this entire time.

The case focused on 55,472 spam messages sent to AOL email subscribers on three days in July of 2003. According to a December 12, 2003 New York Times story, from July 11th to August 9th of that year more than 100,000 AOL subscribers clicked the "Report as Spam" button on emails sent by Jaynes.

(Image from CNN)

Although Jaynes lawyer in the original case was later convicted of obstructing justice and laundering money for a spammer and disbarred, it seems his client will walk. Currin helped his client hide $689,000 from the IRS, according to the charges of which he was found guilty.

In September of 2006, Jaynes appeal was heard by the Court of Appeals of Virginia, where it was pleaded before Judges Haley, Bumgardner, and Fitzpatrick that his conviction should be overturned on four grounds:
(1) Virginia lacked jurisdiction over the case, as he resided and performed his actions in North Carolina.
(2) the statute violates the First Amendment
(3) the statute violates the Dormant Commerce Clause
(4) the statute is unconstitutionally vague.

The judges found that the arguments had no merit.

The appeal did not question the facts that:
On July 16 he sent 12,197 pieces of unsolicited bulk email with falsified routing and transmission information onto AOL's proprietary network.
On July 19 he sent 24,172 similar emails, and on July 26 he sent 19,104 more.

The messages advertised either a FedEx claims product, a stock picker, or a history eraser.

Jayne's home contained CDs with 176 million email addresses and 1.3 billion user names, as well as zip disks containing 107 million AOL email addresses.

In the Court of Appeals, the claims of the First Amendment were thrown out, because "Each e-mail advertised a commercial product; none contained any content that was personal, political, religious, or otherwise non-commercial." Because the nature of his complaint was "in the nature of a trespass statute", the Court of Appeals declared that Jaynes lacked the standing to raise a First Amendment challenge.

Now, the Supreme Court has found that because the law prohibits anonymous internet emails, without making exception for Freedom of Speech issues, the law is unconstitutional. While the Commonwealth argued that that portion of the law was not in play here, the Supreme Court replied "A successful facial overbreadth challenge precludes the application of the affected statute in all circumstances."

In otherwords, because the Virginia law COULD be used to make it illegal to use an anonymous identity to send political or religious speech, the law is unconstitutional, and because it is unconstitutional, all charges brought under the law are also unconstitutional.

The Court did do us the favor of citing several other State laws which do properly restrict their application to commercial settings. Laws they held out as examples include:

Arizona Revised Statutes Article 16 Commercial Electronic Mail §44-1372.01

Arkansas Code Ann. Unsolicited Commercial and Sexually Explicit Electronic Mail Prevention Act § 4-88-603
California Bus. & Prof. Code § 17538.45

Florida Statutes, Electronic Commerce, Electronic Communications § 668.603

Idaho Code, Unfair Bulk Electronic Mail Advertisement Practices, § 48-603E

Illinois Comp. Stat. tit. 815 § 511/10, Electronic Mail Act

Indiana Code § 24-5-22-7, Deceptive Commercial Electronic Mail

Kansas Stat. Ann § 50-6, 107, Commercial Electronic Mail Act

Maryland Code Ann., Commercial Law § 14-3002

Monday, September 08, 2008

FBI Cyber Agent Shawn Henry Earns Promotion

Today the FBI announced that Shawn Henry has been Named Assistant Director of the FBI Cyber Division. I last saw Mr. Henry last month in the Hoover Building while I was representing the Birmingham InfraGard chapter at an InfraGard program briefing by the Public Private Alliance Unit, which is part of the FBI's Cyber Division. Henry briefly greeted our attendees, around a dozen civilian InfraGard members and their FBI counterparts from their respective cities, but modestly passed on an opportunity to speak at length. Just a brief statement of support for our purpose. Be assured though, his deference in that situation shouldn't be confused for lack of engagement on cyber matters.


(Image from KTUU TV)

Whether he's explaining Wireless Hacking risks to the Wall Street Journal or talking to WIRED Magazine about Botnets, Henry has been the man the Bureau turns to to explain technical cyber issues to the media and the public. When he talks technology, he isn't parroting facts printed by others for him to read. He understands this stuff.

Henry's former boss, Assistant Director James Finch had a long career prior to his appointment, most recently in Wisconsin, but was only at Headquarters a short time before he received his next assignment, as Special Agent in Charge of the FBI's Oklahoma City Field Office.

Henry's own career has also been impressive, working in Public Corruption before serving as the Chief of the Computer Investigations Unit at the National Infrastructure Protection Center (NIPC), perhaps the finest Computer unit in any law enforcement agency in the world at that time, and also a foreshadowing of things to come for Henry. The National Infrastructure Protection Center was directed by Ron Dick, now the President of the civilian side of InfraGard, the InfraGard National Members Alliance. The NIPC's Interagency Coordination Cell helped to resolve conflicts between as many as 15 Federal agencies represented at NIPC, as Ron Dick explained to Congress two weeks after 9/11. In Dick's briefing he shared the basic tenets used at the NIPC, derived from Clinton's "Presidential Commission on Critical Infrastructure Protection" (PCCIP):

First, that the government can only respond effectively to information technology threats by focusing on protecting systems against attack while simultaneously identifying and responding to those who nonetheless would attempt or succeed in launching those attacks. And second, that the government can only help protect this nation's most critical infrastructures by building and promoting a coalition of trust, one . . . amongst all government agencies, two . . . between the government and the private sector, three . . . amongst the different business interests within the private sector itself, and four . . . in concert with the greater international community


That mind-set is what attracted me to InfraGard in 2001, and seems to be something Henry kept in mind as he progressed through the rungs of leadership at the Bureau, leaving the NIPC to serve as the Supervisory Special Agent over the Baltimore Computer Crimes Squad in 2001, serving at Headquarters in the Inspection Division, and being promoted "back to the field" as the Assistant Special Agent in Charge of the Philadelphia Field Office.

In 2007, Henry returned to Headquarters as the Deputy Assistant Director of the FBI's Cyber Division, responsible for all FBI computer investigations worldwide, and has been praised in the media as the leader of a new National Cyber Investigative Joint Task Force, which is something he's a perfect candidate for, given his formative time at the NIPC, and his time in the National Executive Service.

As a CyberCrime Researcher, and as an InfraGard Member, I'm very pleased to learn of Mr. Henry's promotion. We look forward to following your leadership, sir!

Gary Warner
Director of Research
UAB Computer Forensics
Vice President Birmingham InfraGard

Sunday, September 07, 2008

Is The Analyzer Really Back? (The return of Ehud Tenenbaum)

The hacker behind one of the most famous hacks in history, "Solar Sunrise", was
arrested yesterday along with three Canadians, on charges of breaking into a Calgary based financial services company and withdrawing nearly $2 Million in Canadian dollars. (Calgary TV has a Video story with details of the new case.)



Tenenbaum's own mother is now confirming this is the same Ehud Tenenbaum . . . who she says has been "framed by the FBI". The charges are that they conducted their fraud by altering a database in a financial services company so their debit cards had a higher face value then they really contained, and using these altered cards to obtain funds. According to CTV, the target company offered "prepaid debit cards" that could be used like cash. Sergeant Gordon Bull, interviewed in the video above, described the seven month investigation and thanked the US Secret Service for their help in the investigation.

Today we'll review that earlier attack by Ehud Tenenbaum, The Analyzer, and how news of the attack reshaped the Cyber Posture of the United States Government.

In February of 1998 the US Pentagon experienced a series of attacks which came to be called "Solar Sunrise". The hacks were big news at the time, and some, including L0pht hackers, tried to use them to raise awareness, such as in this Jim Lehrer NewsHour segment on PBS. Then Deputy Secretary of Defense John Hamre said of the attacks they were "widespread, systematic, and showed a pattern that indicated they might be the preparation for a coordinated attack on the Defense Information Structure", in testimony to Congress on February 23, 1999. That same month, Ehud Tenebaum, who used the hacker handle "The Analyzer" was arrested in Israel for the attacks, while in the US a California teenager who used the handle "Makaveli" was also arrested.

He boasted at the time of his arrest that he knew ways to break into more than four hundred US Defense Department computer systems.

Even post-9/11, Hamre still talked about the importance of this hack, as well as the Penetration Test/Cyber Exercise "Eligible Receiver", and another hack, "Moonlight Maze", as part of the wake-up call that caused the US government to change the way they thought about cyber security.

What was the motivation of Ehud? "Chaos, I think it is a nice idea", he told the press after being arrested. He did it "because I hate organizations".

Most of us followed the original story as it was unfolding by watching AntiOnline.com. In a series of articles called "The Pentagon Hacker", John Vranesevich (JP), gave us the facts we needed to know, and helped the media of the time understand what was going on with articles like "Confused About What IRC Really Is? Find Out More Here" and "Description Of Some Common Hacker Jargon", along with his interviews with the various players.

AntiOnline's JP also interviewed Makaveli by telephone, the day the FBI raided his home.

Mak describes:

They came into my house, took me in the living room, and starting taking all
of the computer equipment from my room. They didn't even leave the phone line
leading from the wall to the modem." he began. "They took all of my cd's music
cd's, data cd's, my printer, speakers, everything..."


But Makaveli revealed that what they really wanted was one file on his computer revealing over 200 servers that he had hacked into, including one at Lawrence Livermore National Laboratories.

Mak confirmed that "TooShort" was the handle of the other American hacker they
sought, but that his mentor in the Middle East was who the FBI was really after.
(That would be Analyzer, as we all later learned.)



(Picture from original at AntiOnline.com, March 1998)

Gadi Shimshon did a face to face interview with Analyzer, discussing his informal
hacking organization, the IIU or Israeli Internet Underground. The IIU had recently defaced the homepage of the Knesset, ironically, to show their love for the new Israeli President, Ezer Weizman, who had just been elected. The page they defaced still had information about the previous president. He also told how he met the two Americans who helped with the DOD break-ins.

Analyzer met his two students in a multinational group that hangs out
in chat channels on the web, known as the "Enforces". The main goal and
ideal of the Enforces, he said, is to fight pedophilic and racist sites
on the web. Analyzer said that he once altered www.whitepower.com.,
a center for skinhead and neo-nazi cyber activity.

Despite his patriotic and policing activities, Analyzer boasted of having "system manager access" to more than 1,000 internet servers, where he had created more than 12,000 accounts. He gave Pentagon userid and password lists to JP at Anti-Online with instructions to share them with the FBI after his arrest. The accounts were confirmed to be live.

JP asked Analyzer at the time "I don't understand how hacking into Lawrence National Labs or JPL.NASA helps fight racism or pedophilia?"

Analyzer replied:

well, let me explain ... from there I had lots of power as Denial of Service attack power and threat power. I could lots of stuff from those servers.

JP asked him to clarify: "So you used the processing power of government servers to do denial of service attacks?"

Analyzer replied: "in part of it...also for lots of uses like fake email and also to scare them.."

But he confessed there were lots of "unjustifiable" attacks as well. He liked having very strong boxes, and claimed "i have ALL big universities", listing among his victims, Yale, Harvard, Cal Tech, Berkeley, Stanford, and MIT. He even claimed to control the DNS servers at Harvard, naming one computer he controlled "Analyzer.harvard.edu".

James Glave of WIRED magazine broke the news of Analyzers ultimate arrest, March 18, 1998. Glave contacted several members of the Enforcers, who confirmed that most of the IIU had been taken into "house arrest". Hackers such as "paralyse", "FallLine", "KuRuPTioN", "mindphasr", and others described to Glave what they knew of the arrests, but confirmed Analyzer's guilt, and his fear that he would be killed for his activities.

It would not be until January 2001 that Tenebaum would stand trial in Tel Aviv and plead guilty to these crimes, as described by Kevin Poulson in this article in The Register.



Update: (From The Calgary Herald (thanks for the link, Spamhaus!):
The charges and names of those arrested in Montreal and charged in Calgary are:

Tenenbaum, who has been charged with six counts of fraudulent use of credit card data and one count of fraud over $5,000, is the only one who remains in custody.

Priscilla Mastrangelo, 30, of Montreal, has been charged with 23 counts of fraudulent use of credit-card data and one count of fraud over $5,000.

Jean Francois Ralph, also known as Ralph Jean-Francois, 28, of Montreal, has been charged with four counts of fraudulent use of credit-card data and two counts of fraud over $5,000.

Spyros Xenoulis, 33, of Montreal, has been charged with one count of fraudulent use of credit-card data and one count of fraud under $5,000.

A question mark remains as to how the headline reporting a $1.8 Million loss coincides with the dollars charged against each of the above. Mastrangelo is charged with taking $32,082, Jean-Francois with $6,585, and Xenoulis of $1,001.

Direct Cash Management was named as the vitim company in this story in the Calgary Herald. Sergeant Gordon Bull confirms that while Tenenbaum did the hack, the others withdrew the money.



Gary Warner
Director of Research
UAB Computer Forensics

Thursday, September 04, 2008

Work at Home . . . for a Criminal?

How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I thought I would take a look at the various "Work at Home" plans that have been arriving in the UAB Spam Data Mine this week. Some days we have a better chance than others to get a job online, but recently we've been offered as many as 100 new jobs per day!

There are clearly many questions about "Work at Home". According to a Better Business Bureau report released last month, Work at Home companies were the #5 most common inquiry they received in 2007. Slightly behind Roofing Contractors and slightly ahead of Auto Dealers.


We'll start with scammers who just con you out of your money, and then move on to the ones who want YOU to be a criminal with them!

A special reminder to new college students: It doesn't have to be online to be a scam! Business opportunities on telephone poles, sidewalks, and taped on walls around campus can be scams too!

Rebate Processor


The primary Work-at-Home spam we're receiving currently is for "Rebate Processors" as part of a group of scammers who use this mailing address in their emails:

8721 St. Monica Blvd., Los Angeles, CA, 90069, US. Also known as "Angel Stevens Processors".

Just today we have samples that point to the websites:

http://broad-edition.com/
http://intuitivecourse.net/
http://reliablelead.net/
http://surprisinglyspaces.com/

The websites in the spam vary because they get shut down for spam so frequently. All of them actually forward to the same website.





Like most of these Work At Home jobs, the first step is that you have to buy some training from the scammers. In this case, it takes 7 weeks of training and multiple purchased lessons before you receive your "Certificate" to be a Rebate Processor. The only problem is that once you receive your certificate, you never get any work. Others who have been in the program say the "secret" is to buy products yourself, keeping the "referral fee" that some affiliate programs provide, and then resell the products at below the going price. If you buy a $50 product, and receive a 20% commission on the sale, you really got the book for $40. Now find a sucker on eBay who will pay you $45 for the $50 book, and you make $5 profit! Only 2,000 other suckers are trying to do the same thing.

Suckers who buy the $197 training on how to do the above will often then be offered an even better work at home job that requires taking an $8000 class on how to make websites.

Before you consider joining, you might wish to read this Rip-Off Report from one of the many people who've been scammed by these con men.

Other complaints are listed at Complaints Board.

Freelance Home Writers


Another popular recent scam is the Freelance Homewriters. This scam promises you that you can set your own income, because their exclusive members only area has a list of thousands of companies that will pay you to write short articles, blog posts, or short stories. If you are a motivated writer, you can earn as much as $4,000 per week writing these short articles. You can even get a "trial" access to their database for $2.95. The actual wording says:


For only $2.95 you will have unlimited access to the same money making tools that thousands of our other members have for 7 days. Monthly membership is only $47 dollars which is a fraction of what you will make with the Freelance Home Writers system.




After you pay your $2.95, seven days later your card gets hit for another $47 for the first monthly charge. Although the website says "The writing jobs are so simple even an 8-year-old child could do them" many victims are claiming they couldn't get any work at all.

This company also has to send their spam from many "forwarding" domains, since they are shut down for illegal spamming so quickly. Here are some they used today:

http://in-imports.net/
http://frontline-techs.com/
http://primarybits.com/

At Home Typers



You've probably seen this one as well. "Can you type 30 WPM? Then Earn a Living Typing at Home!" If you go to the website, you soon learn that the guy offering this scam can make $30,000 per month, just typing at his house!



From the numerous comments online, the people who paid their $49 to learn how to type at home don't seem nearly as happy as the people on this scammer's website.

An interesting tid-bit regarding the numerous domains which "forward" to these scams. Each of the domain owners is a spammer who gets money for referring you to join the service. So, for instance, At Home Typers is an affiliate program managed by "SalesPayouts.com". If the spammer manages to get one person to join this program, they receive $20. So, of the $49 that you spend to join At Home Typers, FORTY PERCENT of that money is sent directly to the spammer. In reality though, it probably isn't. SalesPayouts.com has the option of just keeping the spammers money at any time, as spelled out in their Terms of Service:


YOUR SERVICE WILL BE TERMINATED IMMEDIATELY AND WITHOUT WARNING SHOULD YOU USE OUR SYSTEM AS PART OF ANY BULK EMAIL CAMPAIGN. You may also be subject to fines and legal actions as a result of your bulk email promotion..


This gives them plausible deniability. They can say to the CAN-SPAM folks "oh really? someone is sending spam? They sure didn't get that idea from us!" and terminate the spammers account, pocketing their commissions. The only people POSSIBLY really making that much money from AtHomeTypers are the spammers who earn $20 for each sucker they deliver. Hmmm... could the secret to stopping AtHomeTypers be quickly reporting every spammer to both them and the FTC???

SEO Fraud - Search Engine Optimization Fraud


Why do these typing scams say "an 8-year-old" could write well enough to do them? Because what you are being paid to type is sometimes called "Form Spam" or "Blog Spam" or "Guestbook Spam". Have you ever been to a website where someone signed the guest book, "Viagra Cialis Cheap Drugs Click Here!"? If people DO click there, and then buy the drugs, the owner of the website thus advertised is going to get paid by an illegal pills site. If you type an ad somewhere that gets that webmaster lots of money, he might pay you to type the ads. Porn sites will also pay to have you write stories or post blog articles, and they don't care if the story is "Mary had a little hot sex lamb, whose hot sex fleece was hot sex as white as hot sex!" If they have enough "stories" like that on their web page, they will go up higher in the search engine rankings, such as Google, for the term "hot sex". If they cover their website with pornographic ads, and more people come to their site because of your stories, they get paid more by their advertisers.

This is called Search Engine Optimization Fraud, and while it might get the site banned by Google, its currently not against the law. *THIS* is what a "work at home typer" is getting paid to do. SEO Fraud. Don't be tempted. Even if some people get paid for it, the odds of YOU making $30,000 a month typing at home are almost exactly Zero.



All of the jobs above this line are over-promising and under-delivering according to many published accounts around the Internet. The Federal Trade Commission offers advice on spotting fake "Business Opportunities" on their website at: www.ftc.gov/bizopps/. You can learn more about a wide range of this type of business who had charges filed against them in 2006 in Project Fal$e Hope$ which charged more than 100 companies with deceptive "work at home" or other business opportunities.

For a more light-hearted approach, you might enjoy the FTC's production of Easy Money is a Fairy Tale.



And now, on to the real criminals . . .

Money Laundering



When job offers mention "foreign currency transactions", or "financial services", they are often looking for people to be what we call a "Money Mule". The job of a Money Mule is to receive stolen funds into your personal checking account, and then wire the money overseas, keeping a small portion as your commission. The part they often forget to mention in the job ads is that the money is stolen. If you are involved in a Work At Home job that involves making wire transfers to European countries, you really need to contact law enforcement. You have been tricked into working for a criminal enterprise!

The main offer we're currently receiving in this category is from WorldWide Offshore Integrated Systems.

They promise that I'll earn $2500 every two weeks working at home, and all I need is the ability to use Word and Excel and Excellent Communications Skills. My job will be to "help clients understand how to save money on foreign currency transactions, and develop new business through referrals". Email Katrin Olley at incjobs17@yahoo.com for more details.

I'm also supposed to email Katrin Olley at jobsworldwide31@gmail.com
and worldwide61@yahoo.com
and jobsworldwide31@yahoo.com
and jobs351@yahoo.com
and jobswide@gmail.com
and Freejobs777@yahoo.com

Poor confused Katrin has offered us this job more than fifty times this week!


Luksus Team, headquartered in Helsinki Finland, will pay me $1200 per month, plus commission, for working three hours per day to "Administer day-to-day financial responsibilities for clients". Sandra.Collins@luksus-jobs.org wants to hire me.

This is actually about the fifth website that Sandra Collins has had in as many weeks. Sandra is nearly as confused as Katrin. She has offered us the job more than a dozen times this week, but strangely neither she nor Katrin send the email from their own accounts. Just today they sent their offers to me from computers in Brasil, Colombia, Turkey. Its confusing to get a job offer in Helsinki from a Swedish email address sent from a computer in Colombia. Nothing suspicious there, oh no!

Reshipping


In a reshipping scheme, criminals buy goods online using stolen credit cards. American companies have learned not to ship to certain European and African countries, which has really hurt their ability to receive the stolen goods. The criminals' solution? Ship the goods to someone who lives in the same place as the stolen credit card was from! That's probably why we've received more than forty job offers this week from the company below. If they are using a credit card belonging to someone in Alabama, they look up one of their "employees" in Alabama, use his delivery address, and tell the online company they are sending it as a gift. You receive the package, repack it into another box, and then send it on its way . . . to Romania, the Ukraine, Nigeria, or whatever destination the criminal has designated. As with the Money Mule schemes, if you are participating in this type of Work at Home business, you need to contact law enforcement. This is "receipt of stolen goods". If enough people come forward, we may gain the evidence we need to catch these bad guys!

Here's our top offer in this category today:

Cosco Transport Company needs me to receive packages of electronics, (digital cameras, laptops, audio) at my home, which I will then repackage and mail to another location. I'll be paid $1300 per week, but can earn an extra $30-$50 bonus every time I reship the package the same day I receive it.

Ronald Rosinski is offering that job - us1work@gmail.com
He also offered me the job from - onlineworkus@gmail.com
and - open1vacancy@gmail.com
and - openvacansy@gmail.com



Do you wonder if the email you received is related to a fraud? I highly recommend the website:

http://www.lookstoogoodtobetrue.com/

The website also provides links where you can report online crime, if you believe you are the victim of a fraud, including the Internet Crime and Complaint Center -- http://www.ic3.gov/ -- as well as the Postal Inspection Service and the Federal Trade Commission.

http://www.lookstoogoodtobetrue.com/complaint.aspx





Gary Warner
Director of Research
UAB Computer Forensics
http://www.cis.uab.edu/forensics/

Tuesday, September 02, 2008

Hurricane Gustav: Fraud Watch Day Three

This is our third day of listing the newly registered domains for Hurricane Gustav. On August 31st there were Fifty-four new Gustav domains, and yesterday there were an additional One hundred forty-six new Gustav domains. Today we add One hundred seventy-five more Gustav domains. As with previous disasters, the vast majority of these domains have been purchased by two categories of domain speculators and will never be used in a meaningful way. Some are people who purchased the domains to be sold to legitimate organizations.

For instance:

Now displaying "Samaritan's Purse" charity pages, but not registered by Samaritan's Purse. No reason to suspect foul play, but Dan Brown's email address makes them "interesting".

gustavcharities.com
gustavcharity.com
gustavdonation.com
gustavrelieffund.com

Each says it is owned by "Dan Brown" with the email address, companyone@cash-evolutions.com. Dan owns more than 2,000 domain names. The real Samaritan's Purse website is registered to Jeff Chandler, jchandler@samaritan.org. It certainly appaers that Dan has made exact duplicates of the Samaritan's Purse website on these websites in order to help people find these worthy charities. This may be his own act of charity, and if so, that's great. He has made no edits to the content, he is simply loading the real charity site inside a frame. Clicking the "GIVE" button, really does give money to Samaritan's Purse. But each of these new charity domains has to checked out to be sure.

The first type of Speculator is someone who buys a domain to sell to someone. The second type of Speculator is someone who buys the domain and then sells advertising on it. The latter seems to be one of the most popular ways to make money on your domain. For instance:

gustavhurricaneblog.com is owned by Ryan Blankenship of Bakersfield, California. Were you in the Hurricane, Ryan? Then why do you need a website about it? The page is currently covered with advertising, so if you need a "Gustav Hurricane Lawyer", and you click on BloomLegal.com, presumably Mr. Blankenship gets paid. Need Wind Storm Insurance in Texas? Click txwindstorminsurance.com, and Mr. Blankenship gets paid again. (Ryan also owns: gustavstorm.info, gustavhurricanesite.com, hurricanegustaveinfo.com, hurricanegustaveinfosite.com)

Some of the new domains are real sites that anyone interested in or experiencing Gustav might want to build or participate in.

Photosites:

gustavimages.com
gustavphotos.com
gustavpictures.com
gustavrelief.net

Other types of real sites:

gustavneworleans.com
gustavpeoplesearch.com
gustavpeoplesearch.net

But there are plenty of sites with a Donate Button that are not so easy to figure out . . .

gustavpets.com is building a Twitter network for people who are helping find lost pets after Gustav. They suggest we donate to a charity that has brought 3,000 pet carriers to the area to help gather strays. Real? We need to find out.

gustavsolidarity.org has information on many local charities who may be deserving of your help.

donate2gustav.org does the same, with more well-known charities.

gustavnow.com says its going to list local charities soon . . .

Some we don't understand yet, for instance, Bob Dunlap, long-time owner of "beui.com", which has always just been a family photos website for his New Orleans family (example), but now owns the domains:

Aid4gustav.com
Gustavaid.us
Gustavrelief.us
Gustavvictims.us
Help4gustav.com
Help4gustav.org
Helpgustav.com

Domain speculator? Charity benefactor? We don't know.

Some of the most popular domain owners from last night's run include:

Anito Caro of Toledo, Ohio, who owns:

gustavrecovery.info
hurricanegustav2008.info
hurricanegustavrecovery.org
gustavimpact.info
hurricanegustavhelp.info
hurricanegustavla.info
hurricanegustavrecovery.info
hurricanegustavrecovery.net

Greg Greene of Mishawaka, Indiana, who owns:

helpwithgustav.org
gustavrescue.org
gustavvictimassistance.org
gustavvictimhelp.org
gustavfoundpets.org
gustavsangels.org
gustavvictimcare.org
gustavfoundpets.com
gustavsangels.com
gustavvictimhelp.com
gustavvictimassistance.com
gustavvictimcare.com
helpwithgustav.com

Of course the "Privacy" sites, which hide WHOIS information so that people have no opportunity to use it to figure out if the domain is legitimate or not, have scored quite a bit of traffic.

GoDaddy's "Registration Privacy" service, "Domains by Proxy", lists:

gustav08.org
gustav-ala.info
gustav-ala.org
gustav-alabama.info
gustav-alabama.org
gustavclaims.info
gustavclaims.org
gustavclaims-ala.org
gustavclaims-alabama.org
gustavclaims-houma.org
gustavclaims-la.org
gustavclaims-lafayette.org
gustavclaims-louisiana.org
gustavclaims-mississippi.org
gustavclaims-ms.org
gustavclaims-nola.org
gustavclaims-texas.org
gustavclaims-tx.org
gustav-la.info
gustav-la.org
gustav-louisiana.info
gustav-louisiana.org
gustav-mississippi.info
gustav-mississippi.org
gustav-ms.info
gustav-ms.org
gustavreliefnow.info
gustavrelief-now.info
gustavreliefnow.org
gustavrelief-now.org
gustavsite.info
gustavsite.org
gustav-texas.info
gustav-texas.org
gustav-tx.info
gustav-tx.org
gustav-ala.com
gustav-alabama.com
gustavclaims-houma.com
gustavclaims-lafayette.com
gustavclaims-ms.com
gustavclaims-nola.com
gustavclaimsnow.com
gustavclaimsonline.com
gustavclaimssite.com
gustavclaims-tx.com
gustav-la.com
gustav-louisiana.com
gustav-mississippi.com
gustav-ms.com
gustavreliefnow.com
gustavrelief-now.com
gustavshop.com
gustavsite.com
gustavsite.net
gustav-texas.com
gustav-tx.com
newgustavclaims.com
gustavclaims-ala.com
gustavclaims-alabama.com
gustavclaims-la.com
gustavclaims-louisiana.com
gustavclaims-mississippi.com
gustavclaims-texas.com




Here are the new domains that need to be checked out today:

assistgustav.com
assistgustav.org
donate2gustav.com
evacuate-hurricane-gustav.info
fuckgustav.com
giantgustav.com
gustav-2008.com
gustav-ala.com
gustav-ala.info
gustav-ala.org
gustav-alabama.com
gustav-alabama.info
gustav-alabama.org
gustav-help.com
gustav-images.com
gustav-la.com
gustav-la.info
gustav-la.org
gustav-louisiana.com
gustav-louisiana.info
gustav-louisiana.org
gustav-mississippi.com
gustav-mississippi.info
gustav-mississippi.org
gustav-ms.com
gustav-ms.info
gustav-ms.org
gustav-pictures.com
gustav-texas.com
gustav-texas.info
gustav-texas.org
gustav-tx.com
gustav-tx.info
gustav-tx.org
gustav08.org
gustavaidnow.com
gustavangels.com
gustavassist.com
gustavclaims-ala.com
gustavclaims-ala.org
gustavclaims-alabama.com
gustavclaims-alabama.org
gustavclaims-houma.com
gustavclaims-houma.org
gustavclaims-la.com
gustavclaims-la.org
gustavclaims-lafayette.com
gustavclaims-lafayette.org
gustavclaims-louisiana.com
gustavclaims-louisiana.org
gustavclaims-mississippi.com
gustavclaims-mississippi.org
gustavclaims-ms.com
gustavclaims-ms.org
gustavclaims-nola.com
gustavclaims-nola.org
gustavclaims-texas.com
gustavclaims-texas.org
gustavclaims-tx.com
gustavclaims-tx.org
gustavclaims.info
gustavclaims.org
gustavclaimsnow.com
gustavclaimsonline.com
gustavclaimssite.com
gustavcleanup.org
gustavdatarecovery.com
gustavdatarecovery.org
gustavdisaster.net
gustavdisaster.org
gustavdisasterfund.com
gustavdisastersupport.com
gustavemergency.com
gustavemergencyrelieffund.com
gustavfirstaid.com
gustavfoundpets.com
gustavfoundpets.org
gustavfund.info
gustavhope.com
gustavhope.org
gustavhurricaneaid.com
gustavhurricaneblog.com
gustavhurricanepictures.com
gustavhurricanesite.com
gustavimpact.info
gustavjohannesson.com
gustavkatrina.com
gustavlegal.com
gustavlegalhelp.com
gustavlooters.com
gustavonline.com
gustavpost.com
gustavrecovery.info
gustavrelief-now.com
gustavrelief-now.info
gustavrelief-now.org
gustavrelief2008.com
gustavrelief2008.org
gustavrelieffund.net
gustavreliefnow.com
gustavreliefnow.info
gustavreliefnow.org
gustavreliefonline.com
gustavrescue.com
gustavrescue.org
gustavsangels.com
gustavsangels.org
gustavshelter.org
gustavshop.com
gustavsite.com
gustavsite.info
gustavsite.net
gustavsite.org
gustavsite.us
gustavsrf.com
gustavsrf.net
gustavsrf.org
gustavstories.com
gustavstorm.info
gustavsurvivor.com
gustavsurvivor.net
gustavveterans.com
gustavveterans.info
gustavveterans.net
gustavveterans.org
gustavvictimassistance.com
gustavvictimassistance.org
gustavvictimcare.com
gustavvictimcare.org
gustavvictimhelp.com
gustavvictimhelp.org
gustavvictimsfund.com
gustavvictimsfund.org
gustavvictoms.com
gustavvideos.com
gustavwind.com
helpgustav.net
helphurriancegustav.com
helpwithgustav.com
helpwithgustav.org
hurricanegustav-firstaid.com
hurricanegustav-relief.com
hurricanegustav2008.info
hurricanegustavaid.com
hurricanegustavaid.net
hurricanegustavassistance.com
hurricanegustave.com
hurricanegustaveinfo.com
hurricanegustaveinfosite.com
hurricanegustavhelp.info
hurricanegustavla.info
hurricanegustavlawyers.com
hurricanegustavlawyers.net
hurricanegustavrecovery.info
hurricanegustavrecovery.net
hurricanegustavrecovery.org
hurricanegustavsupport.com
hurricangustavrelief.com
lagustavclaims.com
newgustavclaims.com
nogustav.com
nomegustav.com
obamagustav.com
olivergustav.com
ouragangustav.com
thegustavfund.com
uraganogustav.com
victimofhurricanegustav.com
victimsofhurricanegustav.com
voicesofgustav.org
volunteergustav.com
flavioegustavo.net
gustav-recovery.com
gustavodepaula.com
gustavorobledoisaza.com

Again, Probably none of these are fraud. During Katrina less than 1% were. But there's always that 1% . . .

Monday, September 01, 2008

Hurricane Gustav: Fraud Watch

Yesterday we reported on 54 newly registered Gustav domains. In the past we have seen disaster-related domains tied to fake charities and other forms of fraud. The concern is whether some of these new domains will also be used for fraud.

Yesterday evening, we rechecked the domains from the morning report, and found that several had been "picked up" by legitimate charities in two groups:

(1) ContributeGustav.org now forwards to:

http://www.braf.org/site/c.jfISK0OxFkG/b.4453149/
(Baton Rouge Area Foundation)

Which has a "Click Here to Donate to the Hurricane Gustav Relief and
Recovery Fund" button, which takes you to:

https://www.kintera.org/site/c.jfISK0OxFkG/b.4453155/apps/ka/sd/donor.asp?c=jfISK0OxFkG&b=4453155&en=8gJNIVPuHfKIIPPwH8IDLOMxHkJZL1PzGdIJJTOwFdIKIWPJKuF

(Kintera is a known fund-raising site)

(2) contributiongustav.org (Same as (1))
(3) donategustav.org (Same as (1))
(4) donationgustav.org (same as (1))
(6) gustavassistance.org (same as (1))
(9) gustavcontribution.org (same as (1))
(13) gustavlouisiana.org (same as (1))
(14) gustavneworleans.org (same as (1))
(16) gustavrecovery.org (same as (1))



(20) gustavcharities.com = Samaritan's Purse Give Links go to
"giving.samaritanspurse.org", a known charity.

(21) gustavcharity.com (same as (20))
(22) gustavdonation.com (Same as (20))
(23) gustavrelieffund.com (same as (20))

More domains



More than 140 more new Gustav domains have been added since yesterday, with more than 200 total Gustav domains to be watching. The new group is listed here (we'll sort and update content soon, watch for an update):

aid4gustav.com
cleanupgustav.com
cleanupgustav.info
cleanupgustav.net
cleanupgustav.org
contributegustav.com
contributiongustav.com
donate2gustav.org
donationgustav.com
givetogustav.com
givetogustav.org
gustav-relief.com
gustav08.info
gustavadjuster.com
gustavadvocacy.com
gustavadvocacy.net
gustavadvocacy.org
gustavaftermath.com
gustavaftermath.info
gustavaftermath.net
gustavaftermath.org
gustavaid.us
gustavaidnow.org
gustavalert.com
gustavangels.org
gustavassistance.com
gustavcare.com
gustavcare.org
gustavcleanup.com
gustavconstruction.com
gustavcontractors.com
gustavcontractorsstore.com
gustavcontribution.com
gustavcuba.com
gustavdestruction.com
gustavdisaster.com
gustavdisasterfund.org
gustaverelief.com
gustavevacuation.com
gustavevacuation.info
gustavevacuation.net
gustavevacuation.org
gustavevacuations.com
gustavfund.net
gustavgear.com
gustavgetaway.com
gustavgive.com
gustavgive.org
gustavhelp.info
gustavhelpers.com
gustavhelpers.info
gustavhelpers.net
gustavhelpfund.com
gustavhelpfund.org
gustavhelpinfo.com
gustavhelpinfo.org
gustavhouston.com
gustavimages.com
gustavinfo.org
gustavla.com
gustavlive.com
gustavlouisiana.com
gustavmississippi.com
gustavmodels.com
gustavnow.com
gustavpeoplesearch.com
gustavpeoplesearch.net
gustavpets.com
gustavphotos.com
gustavpics.com
gustavpublicadjuster.com
gustavreferrals.com
gustavreferrals.info
gustavreferrals.net
gustavreferrals.org
gustavrefugees.com
gustavrefugees.net
gustavrefugees.org
gustavrelief.net
gustavrelief.us
gustavreliefhelp.us
gustavreport.com
gustavsolidarity.org
gustavstorm.biz
gustavstorm.us
gustavsucks.com
gustavsurvivor.org
gustavsurvivors.com
gustavupdate.com
gustavvictims.info
gustavvictims.org
gustavvictims.us
gustavvideo.com
gustavwiki.com
help4gustav.com
help4gustav.org
helpgustav.com
helphurriancegustav.org
helphurricanegustavvictims.com
huracangustav.net
huracangustav.org
huricane-gustav.com
hurricane-gustav-recovery.com
hurricane-gustav.info
hurricanegustav2008.net
hurricanegustav2008.org
hurricanegustavaftermath.com
hurricanegustavaid.org
hurricanegustavblog.com
hurricanegustavcare.com
hurricanegustavcontractor.com
hurricanegustavdisaster.com
hurricanegustavfacts.com
hurricanegustavforum.com
hurricanegustavfund.com
hurricanegustavhelp.com
hurricanegustavhelp.org
hurricanegustavinfo.com
hurricanegustavinfo.org
hurricanegustavinformation.com
hurricanegustavrelieffund.com
hurricanegustavstories.com
hurricanegustavstory.com
hurricanegustavvictims.com
hurricanegustavvictims.net
hurricanegustavvideo.com
hurricanegustavvideos.com
hurricanevictimsgustav.com
hurricangustav08.com
leadershipaugustavolunteers.com
neworleansgustav.com
rebuildinggustav.com
rncgustavfund.com
rncgustavrelief.com
rncgustavrelief.net
rncgustavrelief.org
spelmanoperationgustav.com
supportgustavvictims.org
survivedgustav.org
thegustavblog.com
waitingforgustav.com
women-childrens-gustav.com
womens-childrens-gustav.com
wwwgustav.com
gustavtrack.com
tsgustav.com