Thursday, September 17, 2009

FBI Director Mueller, and remember Special Agent Sang Jun

Director Mueller gave a briefing to Congress yesterday that you can read here.

Director Mueller briefs Congress


Mueller outlined the work and challenges of the FBI in the areas of:

CounterTerrorism,

Counter Intelligence,

Cyber Attacks (including the National Investigative Joint Task Force)

White Collar (including Public Corruption, Mortgage Fraud, Health Care Fraud, Corporate Fraud)

Violent Crime (including Criminal Gangs, Border Violence, and Crimes Against Children)

If you aren't familiar with the National Cyber Investigative Joint Task Force, there's a pretty decent article describing it from Internet Business Law Services. As they point out, the NCIJTF was in a line item in the DOJ 2009 budget that read like this, although we can't tell how much of it was for the NCIJTF alone:

15. Comprehensive National Cybersecurity Initiative
The FBI requests 211 positions (35 Agents and 113 Intelligence Analysts) and $38,648,000 in personnel and non-personnel funding in support of investigative, intelligence, and technical requirements of the Comprehensive National Cybersecurity Initiative. Included in this request are resources for counterintelligence/computer intrusions investigatory requirements, National Cyber Investigative Joint Task Force (NCIJTF) infrastructure requirements, cyber training, intelligence/information sharing and analysis resource requirements, equipment funding for the continued operations and maintenance costs of its Consolidated Collection CALEA Cell Site Server and Carrier Records Digital Interfacing efforts. FY 2009 Current Services for this program are 89 positions (33 agents), 89 FTE, and $36,000,000.

There's also an interesting chart from the White House showing How the NCIJTF links to other Federal Cyber Centers. Despite that chart, the NCIJTF is a real item and moving forward. The FY10 Intelligence Appropriations bill authorizes a greater involvement in the JTF from the Intelligence community, and I believe this year we will see even greater accomplishments, although it's possible we'll never learn about their best work, as is true of so many of the activities of the FBI and others as they defend our nation from attack.

Fallen Agents


At the end of Mueller's remarks, he shared the fact that since his last annual address to Congress, the FBI lost three agents, and he asked that they be remembered:

Special Agent Sam Hicks, "a decorated Baltimore police officer who was part of the Pittsburgh Joint Terrorism Task Force";

Special Agent Sang Jun, "a top-notch cyber agent who served in the El Paso Division";

Special Agent Paul Sorce, "a lifelong street agent who worked on the Detroit Violent Crimes Task Force"

---

I wanted to mention Sang Jun, because he actually re-arrested my very first cyber-criminal, Robert Lyttle, when he got out the first time and hacked NASA, which gave me a tiny connection to him.

-----------
Here's a picture of Sang Jun (right) with Sung-ki Lim, who also went "from geek to g-man":



Sang Jun was a cybercrimes agent who was interviewed by the San Francisco Chronicle in 2005, along with his co-worker Sung-ki Lim, about his new job working in cyberterrorism investigations. At the time, Jun said he took a 25% cut in pay to walk away from a great computer job to join the FBI.

That interview describes his decision-making process like this (I've added to it and re-ordered it slightly):

Jun took a somewhat different route. A high school teacher persuaded him to join the computer club, and he took an advanced Pascal class "and fell in love with it."

In 1994, he graduated from Jacksonville University in his native Florida with a degree in computer science. He worked for three years as a systems analyst with Blue Cross/Blue Shield, then for a year in a similar job at Merrill Lynch. He then joined consulting giant Capgemini, traveling to many Fortune 500 firms.

During that time, he applied to the FBI, but ultimately rejected a job because the salary couldn't compete. He jumped from Capgemini to Andersen Consulting and kept up his glamorous high-flying career.

Until Sept. 11. "That hit me," he said. "I did a lot of traveling on the airlines. I said, 'That could have been me. I want to do something. I want to contribute.' "

He called the FBI again and was hired in 2003.

Both men loved the training. Jun dropped 35 pounds just getting in shape for the training.

Now that they're full-fledged special agents, they can't talk much about their jobs. In Jun's time on the computer intrusions squad, he helped bring down the "Deceptive Duo," a case in which Robert Lyttle, 21, of Pleasant Hill pleaded guilty in March to hacking into computer systems at NASA Ames Research Center and other government sites.

Now Jun works on cyberterrorism, which is the FBI computer unit's top priority. Although cyberterrorism can be defined in many ways, the FBI is particularly concerned with terrorists who might use computer systems to compromise real world infrastructure, such as dams or the power grid.

Much of Jun's work in that arena is pro-active, meaning it involves securing those systems before an attack, rather than waiting until they've been hit.

Now, as a special agent assigned to combating cyberterrorism, Jun said, "You can't beat this. There, I was making a difference on a small scale. Here, I'm protecting the country. ... At the end of the day, all in all, I feel like I accomplished something."


Citizens like Sang Jun deserve our highest respect, and should challenge us to ask ourselves what we are doing to protect the country we love. When Jun thought about September 11th, he walked away from his ten years in a comfortable job at Accenture/Andersen to serve our country in a greater mission. How will you help your country?

Sang died in El Paso on October 22, 2008. His friends and family made a memorial page for him. His best friend, Mel, remembers teasing him about driving to Quantico in his convertible BMW. His sister remembers playing together at their home in Korea and the long plane ride to the US when they were children, and his other sister says because of his inspiration she finished college.

Monday, September 14, 2009

In Brief: The New York Times fake anti-virus redirect

Several people have emailed asking if the fake anti-virus products I mentioned in today's blog article, US Open and VMAs top rogue anti-virus efforts, were the same fake anti-virus that was reported as being launched from advertisements at the New York Times website over the weekend. The truth is, I didn't know! So I looked into it.

The New York Times fessed up that they were having problems in this note on September 13th:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.


A second NYT story today tells only SLIGHTLY more information:
http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw, see also: http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/


A new advertising network that fed ads to the NYT ran "normal" ads for about a week, then suddenly started advertising malware sites over the weekend. An ad that, at least part of the time, redirected to russell-brand.cn contained hostile JavaScript, which redirected to the actual fake AV site.

Some of the domains involved included:

protection-check07.com which resolved to IP address 88.198.107.25. That IP was also used by:


These actually were shared across several IPs, including:

78.46.251.43 - Berlin, Germany, "your-server.de"
88.198.107.25 - Sweden - "your-server.de"
88.198.120.177 - your-server.de
91.212.107.5 - Cyprus - Ricomm
91.212.127.200 - UK - Telos Solutions
94.102.51.26 - Netherlands - Ecatel

As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs:

http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html


http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com

US Open and Video Music Awards top rogue anti-virus efforts

Saturday night I got an email from Brian Tanner, the leader of our UAB Malware Analysis team. Brian plays a bit of tennis, and was doing a search for the "US Open Finals Schedule" in Google, when he noticed some strange links in the top ten results. He wrote me a note to tell me that for some reason "conklinsystems.com" and "mauiwedding.net" were both showing up as top sites on Google for his search, but when he tried to follow either link, it took him to a fake anti-virus product instead.

After a little digging Monday morning, and with some helpful pointers from some fellow researchers, it looks like we have a fairly complete story of what's going on here.

On one level, we start with the fact that several webservers have been hacked, and loaded up with extremely powerful Search Engine Optimization terms, what we call "Black SEO" in the community. In this case, the hackers have searched some news sites for their top headlines, and then repeated the search with those headlines as the search terms to pull other related headlines. Then they've created webpages which are loaded with all of those headlines. That's how they are getting into the top searches. By doing some searches with "inurl" and "site" tags on Google, we're able to pull a pretty complete list of the headlines which are being seeded by this Black SEO technique.

For example, here are four sites which are coming up regularly in the searches, with whatever string we are looking for showing up after the question mark in the URL:

conklinsystems.com/xmarks/index.php?(string)
mauiwedding.net/ssp_director/albums/?(string)
www.kerryjohnson.com/images/look/?(string)

Just as an example, I did the Google search:

inurl:look site:kerryjohnson.com US Open

and received 210 results, including:

Us Open Mens Final 2009
Us Open Final Schedule
Us Open 2009 Mens Final
Us Open Womens Final 2009
Us Open Final 2009
Roger Federer Us Open
Serena Williams Outburst Transcript
Us Open Final
You Tube Serena Wililams
Serena Williams Outburst What Did She Say
Serena Williams Outburst Video

Then I did the same search, without the "US Open" to learn what other headlines this Black SEO technique was trying to capture, and found these headlines:

Tory Shulman
Jay Z VMA
ESPN Boston
Roger Federer US Open
Megan Fox Thumb Pictures
Avaya Nortel
Chicago Bears 2009 schedule
Megan Fox VMA
Beyonce Twitter
VMA Outfits
New Moon Trailer 3 Leaked
Kay Perry Vma Dress
Lil Mama Vma
Kim Clijsters Baby
This is it
Music Awards Taylor Swift
Federer Between the Legs
Beyonce Vma 2009
Defying Gravity Cancelled
Jawbone 2 Review
The Ruins MTV
VMAs
Bears vs Packers
Lauren London Baby
Lauren London Baby Pictures
Pink Vmas

Students kindly informed me what VMAs are - apparently some people like watching music videos so much they have their own awards show, the Video Music Awards. Most of the top hits in the resulting headlines (more than 1,000 of them) from KerryJohnson.com were either for the VMAs or the US Open.

Some other sites, that we aren't going to dig into as deeply, include:

First, I'd like to acknowledge a pair of great blog articles from the Unmask Parasites Blog:
Unmasking the Antivirus 2009 .htaccess Exploit
and
Bogus Antivirus 2009 .htaccess Exploit.

The "guts of it" are that the Apache .htaccess includes:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://(BadSiteHere) [R,L]


What this means is that if I visit the webpage by accessing it directly, I see the webpage. But if I visit the page after having been referred by a search engine, I get sent to the hacker's page instead.
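A site owner can look for this pattern in their own .htaccess files. The following is an added example, not code from this post or from the Unmask Parasites articles: it groups each run of RewriteCond lines with the RewriteRule they guard and reports rules that send search-engine referrals to another host. The function name find_referer_redirects, the own_hosts parameter and the hostnames fake-av.example and example.org are assumptions made for illustration; the sample files are constructed.

```python
from urllib.parse import urlsplit

# Engine names taken from the sample rules shown above; extend as needed.
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")


def find_referer_redirects(htaccess_text, own_hosts=()):
    """Report RewriteRules that redirect search-engine referrals off-site.

    mod_rewrite applies every RewriteCond to the next RewriteRule, so the
    conditions are collected until a rule is reached. The [OR]/[NC] flags
    are ignored: any positive Referer test naming an engine is enough.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # (test string, pattern) pairs waiting for their rule
    for lineno, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            conds, pending = pending, []
            # Negated patterns ("!...") are typical of hotlink protection,
            # which blocks foreign referers instead of redirecting them.
            engines = sorted({
                engine
                for test, pattern in conds
                if "http_referer" in test.lower() and not pattern.startswith("!")
                for engine in SEARCH_ENGINES
                if engine in pattern.lower()
            })
            try:
                target = urlsplit(parts[2])
                host = (target.hostname or "").lower()
            except ValueError:
                continue  # substitution is not a parseable URL
            # An absolute URL on a different host is an external redirect,
            # with or without the [R] flag.
            offsite = (target.scheme in ("http", "https")
                       and bool(host) and host not in own)
            if engines and offsite:
                findings.append({"line": lineno,
                                 "target_host": host,
                                 "engines": engines})
    return findings


# Constructed sample: the rules from this post with a placeholder target.
INFECTED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://fake-av.example/ [R,L]
"""

# Constructed sample: two common legitimate uses that must not be reported.
BENIGN = r"""RewriteEngine On
# canonical host name
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
# hotlink protection for images
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.org [NC]
RewriteRule \.(jpe?g|png)$ - [F]
"""

if __name__ == "__main__":
    for name, text in (("infected", INFECTED), ("benign", BENIGN)):
        print(name, find_referer_redirects(text, own_hosts=("www.example.org",)))
```

Run it over every .htaccess under the web root, since each directory can carry its own file.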

Currently the main websites that websearchers are landing on are:

#1. best-virus-scanner5.com
#2. online-systemscan.net
#3. searchscan-online.com
#4. securityscantooldirect.com
#5. mysecuredsystem.net

#1. Best-virus-scanner5.com is hosted on the IP addresses 91.213.126.100 and 193.169.12.70.

Some of the live sites also hosted on 91.213.126.100 include:

Several of those domains, including best-virus-scanner5.com, are also hosted on the IP address 193.169.12.70, which also hosts the following domains:

#2. online-systemscan.net was hosted on 64.86.16.11, a Canadian-based address belonging to Velcom, a customer of TATA Communications (AS6453).

That IP is also hosting:

gosearchguard.net
and
itgosearch.net

#3. searchscan-online.com was hosted on 64.86.16.9, also Velcom.

That IP is also hosting:

search-win.com
fastscan-protection.com
safetysystem-protect.com
go-searchandsecure.net


#4. securityscantooldirect.com was hosted on 62.90.136.237, an Israeli-based address belonging to "Loads Internet Solutions", a customer of Netvision.net.il (AS1680). How bold can they be? "Loading" is the term criminals use for the merchandising and monetizing of botnets by using them to download other people's malware. "Loads" are the malware someone else pays you to put on your botnet.

That IP is also hosting:

securityscantoolguide.com
scantoolsite.com
safetyscantool.com
bestsecurityjobs.com
bestwebsitesecurity.com
yourcommunitysecurity.com

#5. mysecuredsystem.net was also a VELCOM IP address, 64.86.16.49.

That IP address was used to host:

searchsecureguard.com
mysecured-zone.com
ptotectmy-system.com
newscan-protect.com
windowsprotection-zone.net
fastsearchandsecure.net
mysecuredsystem.net
online-securescanner.net

Gee . . . at this point I'm tempted to scan this whole Class C (64.86.16.0/24) and see what other forms of badness reside there . . . Sadly, Velcom's phone number listed in their IP whois data has been disconnected or is not in service. We went ahead and called their upstream, who asked us to send them an email. Hello, TataCommunications! I hope you read this! Thank you for your help!

Here's some I found on IPs 64.86.16.1 through 64.86.16.50:

And here are some nameservers from the same range . . .

Saturday, September 12, 2009

IRS Version of Zeus Bot continues

Update - 16SEP09 - the Zeus Bot trojan, or Zbot, continues to be spread

The extremely heavy spam campaign described below continues. A list of 130 more domains being used to spread this malware is appended to the bottom of this article. Current detection rate of this malware at VirusTotal? ONE of forty-one anti-virus products detects this malware. MD5 = 34cee60590817be6f8dd1115c6a1883f

Researchers at the University of Alabama at Birmingham continue to study the Zeus Bot trojan this week as a new spam campaign seeks to extend this already prolific bank robbery malware. This is the fourth major Zeus-spreading spam campaign that we've seen hit the UAB Spam Data Mine in the past few months.

On July 24th, we reported on the "1001 Postcards" spam campaign in our story From Russia, With Love...new Postcard spam spies on your PC.

On June 30th, we reported on the "Michael Jackson" spam campaign in our story Michael Jackson headline used in Password Stealing.

On June 24th, we reported on the "Microsoft Outlook Update" spam campaign in our story Malware in the Mail (Email that is!).

The current spam campaign has been proven by malware analysts on the UAB Computer Forensics research team to be in the same family as each of these additional versions. On September 9th and 10th, we received 1281 copies of the current Zeus spreading email, this time pretending to be an email from the Internal Revenue Service. On September 11th we received 764 more copies of the email, some of which point to websites which are still live on the morning of September 12th as I write this.



The email, which uses a subject line "Notice of Underreported Income" and claims to be sent from "Internal Revenue Service" claims that you need to visit a website to review an issue of "Unreported/Underreported Income" which seems to have been detected by the "Fraud Application" at the IRS.

The website you are sent to contains your email address, and claims that you need to download and execute a program to review the problem with your tax statement.



The image above was taken from one of the several sites which are still live as of this writing on the morning of September 12, 2009. Many websites have been created by the criminal, and many of them have already been shut down.

During the first 24 hours of the spam campaign, we saw these websites used in the spam email:

After all of these were successfully terminated, the spammer took almost 26 hours to regroup and relaunch, using these additional websites during the September 11th version of his spam campaign:

The malware itself has also been modified to be MUCH more difficult to detect. When we first scanned the copy of the Zeus bot on September 9th, it was already detected as Zeus by 21 of the 41 anti-virus products at VirusTotal, and the detection continued to rise through the day.

When we scanned the current malware during the evening of September 11th, we found that only 6 of the 41 anti-virus products at VirusTotal were able to detect the malware as being the Zeus bot. See this VirusTotal Report for the current malware with MD5: 04eb70edf674d7bf376994aec68785ee (file size = 96,256 bytes). Rescanning this morning - more than 12 hours after our initial submission - still only shows 6 of 41 products detecting the malware:

BitDefender and GData call it "Trojan.Spy.Zbot.BFK"
Kaspersky calls it: "Trojan-Spy.Win32.Zbot.gen"
McAfee+Artemis calls it: "Suspect-29"
NOD32 calls it: "a variant of Win32/Kryptik.AET"
Sunbelt calls it: "Trojan-Downloader.Tibs.gen"

That detection was so poor, we really wondered if it was corrupt or broken malware.

So, what do you do if you want to know if your malware is real? Fire it up!

I'm not in the lab today, but I have the Malware Analysis VM that UAB Malware Analyst Brian Tanner put together for my team, so I fired it up. I self-infected the VM by visiting the website above, confirming that my MD5 was the same as I did so. Within a couple seconds, I was making HTTP Post messages to:

nerinsk.com on the path /livs/gate.php

The traffic was flowing to 91.213.72.51, an IP address that was used by the "gorodu.com" domain name in the malware earlier this week. "gate.php" is a file name we've seen repeatedly associated with Zeus Malware.

I'm going to call this "Confirmed Badness", and say that despite the HORRIBLE AV detection on this one, we have a confirmed, live, Zeus Bot trojan / ZBot trojan that people need to worry about.

UPDATED September 28th . . . here are the domain names we've seen, and the number of spam samples we've received for each of these domains, and the dates on which those domains were used in spam.

2009-09-15 | 4 | www.irs.gov.ikhrtyrf.net
2009-09-15 | 4 | www.irs.gov.ikhrtysa.com
2009-09-15 | 6 | www.irs.gov.ikhrtysa.net
2009-09-15 | 7 | www.irs.gov.ikhrtyth.com
2009-09-15 | 10 | www.irs.gov.ikhrtyth.eu
2009-09-15 | 10 | www.irs.gov.ikhrtyth.net
2009-09-15 | 15 | www.irs.gov.mtkstrip.co.kr
2009-09-15 | 26 | www.irs.gov.mtkstrip.com
2009-09-15 | 24 | www.irs.gov.mtkstrip.kr
2009-09-15 | 9 | www.irs.gov.nyh11de.me
2009-09-15 | 10 | www.irs.gov.nyh11di.me
2009-09-15 | 7 | www.irs.gov.nyh11do.me
2009-09-15 | 9 | www.irs.gov.nyh11dq.me
2009-09-15 | 15 | www.irs.gov.nyh11dr.me
2009-09-15 | 7 | www.irs.gov.nyh11dt.me
2009-09-15 | 6 | www.irs.gov.nyh11du.me
2009-09-15 | 8 | www.irs.gov.nyh11dw.me
2009-09-15 | 6 | www.irs.gov.nyh11dx.me
2009-09-15 | 9 | www.irs.gov.nyh11dy.me
2009-09-15 | 22 | www.irs.gov.vstdrrr.com.cn
2009-09-15 | 15 | www.irs.gov.vstdrrr.mn
2009-09-15 | 20 | www.irs.gov.vstdrrr.us
2009-09-15 | 13 | www.irs.gov.yh11asd.eu
2009-09-15 | 13 | www.irs.gov.yh11asf.eu
2009-09-15 | 7 | www.irs.gov.yh11asg.eu
2009-09-15 | 3 | www.irs.gov.yh11ash.eu
2009-09-15 | 3 | www.irs.gov.yh11asq.eu
2009-09-15 | 10 | www.irs.gov.yh11asr.eu
2009-09-15 | 10 | www.irs.gov.yh11asu.eu
2009-09-15 | 3 | www.irs.gov.yh11asw.eu
2009-09-15 | 10 | www.irs.gov.yh11asy.eu
2009-09-15 | 5 | www.irs.gov.yhqw1sa1.eu
2009-09-15 | 8 | www.irs.gov.yhqw1saw.eu
2009-09-16 | 1 | www.irs.gov.dirvsdl.kr
2009-09-16 | 1 | www.irs.gov.dirvsdl.ne.kr
2009-09-16 | 1 | www.irs.gov.dirvsdl.or.kr
2009-09-16 | 1 | www.irs.gov.hrtfe11u.eu
2009-09-16 | 36 | www.irs.gov.hyuae1d.me
2009-09-16 | 43 | www.irs.gov.hyuae1e.me
2009-09-16 | 3 | www.irs.gov.hyuae1r.me
2009-09-16 | 42 | www.irs.gov.hyuae1u.me
2009-09-16 | 6 | www.irs.gov.hyuae1y.eu
2009-09-16 | 100 | www.irs.gov.jezz1f.eu
2009-09-16 | 24 | www.irs.gov.mdtsrv.bz
2009-09-16 | 6 | www.irs.gov.mdtsrv.com
2009-09-16 | 6 | www.irs.gov.mdtsrv.me
2009-09-16 | 14 | www.irs.gov.mdtsrv.mn
2009-09-16 | 15 | www.irs.gov.modesrv.bz
2009-09-16 | 62 | www.irs.gov.modesrv.com
2009-09-16 | 53 | www.irs.gov.modesrv.me
2009-09-16 | 11 | www.irs.gov.modesrv.mn
2009-09-16 | 1 | www.irs.gov.mtkstrip.co.kr
2009-09-16 | 3 | www.irs.gov.mtkstrip.com
2009-09-16 | 1 | www.irs.gov.mtkstrip.kr
2009-09-16 | 3 | www.irs.gov.nyh11de.me
2009-09-16 | 3 | www.irs.gov.nyh11di.me
2009-09-16 | 2 | www.irs.gov.nyh11do.me
2009-09-16 | 1 | www.irs.gov.nyh11dq.me
2009-09-16 | 4 | www.irs.gov.nyh11dr.me
2009-09-16 | 3 | www.irs.gov.nyh11dt.me
2009-09-16 | 1 | www.irs.gov.nyh11du.me
2009-09-16 | 4 | www.irs.gov.nyh11dw.me
2009-09-16 | 3 | www.irs.gov.nyh11dx.me
2009-09-16 | 3 | www.irs.gov.nyh11dy.me
2009-09-16 | 43 | www.irs.gov.rawq12qe.eu
2009-09-16 | 3 | www.irs.gov.rawq12qe.me
2009-09-16 | 43 | www.irs.gov.rawq12qi.me
2009-09-16 | 46 | www.irs.gov.rawq12qr.me
2009-09-16 | 42 | www.irs.gov.rawq12qt.me
2009-09-16 | 48 | www.irs.gov.rawq12qy.me
2009-09-16 | 14 | www.irs.gov.srvmode.bz
2009-09-16 | 13 | www.irs.gov.srvmode.com
2009-09-16 | 13 | www.irs.gov.srvmode.me
2009-09-16 | 20 | www.irs.gov.srvmode.mn
2009-09-16 | 6 | www.irs.gov.vsdsrv.bz
2009-09-16 | 7 | www.irs.gov.vsdsrv.com
2009-09-16 | 17 | www.irs.gov.vsdsrv.eu
2009-09-16 | 15 | www.irs.gov.vsdsrv.me
2009-09-16 | 17 | www.irs.gov.vsdsrv.mn
2009-09-16 | 13 | www.irs.gov.yh11asd.eu
2009-09-16 | 16 | www.irs.gov.yh11asf.eu
2009-09-16 | 13 | www.irs.gov.yh11asg.eu
2009-09-16 | 2 | www.irs.gov.yh11ash.eu
2009-09-16 | 21 | www.irs.gov.yh11asr.eu
2009-09-16 | 11 | www.irs.gov.yh11ast.eu
2009-09-16 | 15 | www.irs.gov.yh11asu.eu
2009-09-16 | 2 | www.irs.gov.yh11asw.eu
2009-09-16 | 4 | www.irs.gov.yh11asy.eu
2009-09-16 | 11 | www.irs.gov.yhferdh.eu
2009-09-16 | 19 | www.irs.gov.yhferdj.eu
2009-09-16 | 12 | www.irs.gov.yhferdk.eu
2009-09-16 | 15 | www.irs.gov.yhferdo.eu
2009-09-16 | 8 | www.irs.gov.yhferdp.eu
2009-09-16 | 5 | www.irs.gov.yhferdw.eu
2009-09-17 | 17 | www.irs.gov.akmas1.eu
2009-09-17 | 31 | www.irs.gov.hyu11db.eu
2009-09-17 | 24 | www.irs.gov.hyu11db.me
2009-09-17 | 33 | www.irs.gov.hyu11dc.me
2009-09-17 | 16 | www.irs.gov.hyu11de.eu
2009-09-17 | 35 | www.irs.gov.hyu11df.eu
2009-09-17 | 23 | www.irs.gov.hyu11df.me
2009-09-17 | 25 | www.irs.gov.hyu11dg.eu
2009-09-17 | 39 | www.irs.gov.hyu11dg.me
2009-09-17 | 41 | www.irs.gov.hyu11dn.eu
2009-09-17 | 24 | www.irs.gov.hyu11dn.me
2009-09-17 | 51 | www.irs.gov.hyu11dv.eu
2009-09-17 | 24 | www.irs.gov.hyu11dv.me
2009-09-17 | 24 | www.irs.gov.hyu11dx.eu
2009-09-17 | 28 | www.irs.gov.hyu11dx.me
2009-09-17 | 13 | www.irs.gov.ihmas1.eu
2009-09-17 | 16 | www.irs.gov.ikbas1.eu
2009-09-17 | 11 | www.irs.gov.ikmas1.eu
2009-09-17 | 9 | www.irs.gov.ikmls1.eu
2009-09-17 | 20 | www.irs.gov.ikmps1.eu
2009-09-17 | 16 | www.irs.gov.iktas1.eu
2009-09-17 | 17 | www.irs.gov.illas1.eu
2009-09-17 | 7 | www.irs.gov.iwmas1.eu
2009-09-17 | 57 | www.irs.gov.jezz1f.eu
2009-09-17 | 40 | www.irs.gov.lamsa1.com
2009-09-17 | 1 | www.irs.gov.uh1ahq.eu
2009-09-17 | 9 | www.irs.gov.uh1ahx.eu
2009-09-17 | 2 | www.irs.gov.uh1ahy.eu
2009-09-17 | 11 | www.irs.gov.uh1as1.eu
2009-09-17 | 10 | www.irs.gov.uh1asd.eu
2009-09-17 | 9 | www.irs.gov.uh1ase.eu
2009-09-17 | 12 | www.irs.gov.uh1ask.eu
2009-09-17 | 4 | www.irs.gov.uh1asm.eu
2009-09-17 | 4 | www.irs.gov.uh1aso.eu
2009-09-17 | 5 | www.irs.gov.uh1asp.eu
2009-09-17 | 7 | www.irs.gov.uh1asq.eu
2009-09-17 | 4 | www.irs.gov.uh1asr.eu
2009-09-17 | 13 | www.irs.gov.uh1ast.eu
2009-09-17 | 7 | www.irs.gov.uh1asu.eu
2009-09-17 | 8 | www.irs.gov.uh1asv.eu
2009-09-17 | 7 | www.irs.gov.uh1asx.eu
2009-09-17 | 6 | www.irs.gov.uh1asy.eu
2009-09-17 | 8 | www.irs.gov.uh1asz.eu
2009-09-17 | 21 | www.irs.gov.yh1wed.eu
2009-09-17 | 14 | www.irs.gov.yh1wee.eu
2009-09-17 | 19 | www.irs.gov.yh1wee.me
2009-09-17 | 21 | www.irs.gov.yh1wef.eu
2009-09-17 | 16 | www.irs.gov.yh1wej.eu
2009-09-17 | 18 | www.irs.gov.yh1wek.eu
2009-09-17 | 18 | www.irs.gov.yh1wel.eu
2009-09-17 | 25 | www.irs.gov.yh1weq.eu
2009-09-17 | 23 | www.irs.gov.yh1weq.me
2009-09-17 | 26 | www.irs.gov.yh1wes.eu
2009-09-17 | 18 | www.irs.gov.yh1wet.eu
2009-09-17 | 17 | www.irs.gov.yh1wet.me
2009-09-17 | 24 | www.irs.gov.yh1wew.eu
2009-09-17 | 25 | www.irs.gov.yh1wew.me
2009-09-17 | 9 | www.irs.gov.zkmas1.eu
2009-09-18 | 78 | www.irs.gov.kid1ax.eu
2009-09-18 | 66 | www.irs.gov.kid1bx.eu
2009-09-18 | 60 | www.irs.gov.kid1cx.eu
2009-09-18 | 39 | www.irs.gov.kid1ex.eu
2009-09-18 | 66 | www.irs.gov.kid1hx.eu
2009-09-18 | 58 | www.irs.gov.kid1ix.eu
2009-09-18 | 57 | www.irs.gov.kid1nx.eu
2009-09-18 | 13 | www.irs.gov.kid1ox.eu
2009-09-18 | 68 | www.irs.gov.kid1qx.eu
2009-09-18 | 64 | www.irs.gov.kid1sx.eu
2009-09-18 | 24 | www.irs.gov.kid1vx.eu
2009-09-18 | 63 | www.irs.gov.kid1xx.eu
2009-09-18 | 47 | www.irs.gov.kid1zx.eu
2009-09-18 | 77 | www.irs.gov.uh1ahq.eu
2009-09-18 | 46 | www.irs.gov.uh1ahx.eu
2009-09-18 | 31 | www.irs.gov.uh1ahy.eu
2009-09-18 | 30 | www.irs.gov.uh1as1.eu
2009-09-18 | 112 | www.irs.gov.uh1asd.eu
2009-09-18 | 94 | www.irs.gov.uh1ase.eu
2009-09-18 | 30 | www.irs.gov.uh1ask.eu
2009-09-18 | 27 | www.irs.gov.uh1asm.eu
2009-09-18 | 40 | www.irs.gov.uh1aso.eu
2009-09-18 | 111 | www.irs.gov.uh1asp.eu
2009-09-18 | 69 | www.irs.gov.uh1asq.eu
2009-09-18 | 119 | www.irs.gov.uh1asr.eu
2009-09-18 | 60 | www.irs.gov.uh1ast.eu
2009-09-18 | 76 | www.irs.gov.uh1asu.eu
2009-09-18 | 107 | www.irs.gov.uh1asv.eu
2009-09-18 | 26 | www.irs.gov.uh1asx.eu
2009-09-18 | 21 | www.irs.gov.uh1asy.eu
2009-09-18 | 68 | www.irs.gov.uh1asz.eu
2009-09-18 | 67 | www.irs.gov.yh1wed.eu
2009-09-18 | 67 | www.irs.gov.yh1wee.eu
2009-09-18 | 34 | www.irs.gov.yh1wee.me
2009-09-18 | 73 | www.irs.gov.yh1wef.eu
2009-09-18 | 38 | www.irs.gov.yh1wej.eu
2009-09-18 | 32 | www.irs.gov.yh1wek.eu
2009-09-18 | 33 | www.irs.gov.yh1wel.eu
2009-09-18 | 77 | www.irs.gov.yh1weq.eu
2009-09-18 | 22 | www.irs.gov.yh1weq.me
2009-09-18 | 105 | www.irs.gov.yh1wes.eu
2009-09-18 | 65 | www.irs.gov.yh1wet.eu
2009-09-18 | 23 | www.irs.gov.yh1wet.me
2009-09-18 | 69 | www.irs.gov.yh1wew.eu
2009-09-18 | 37 | www.irs.gov.yh1wew.me
2009-09-19 | 105 | www.irs.gov.kid1ax.eu
2009-09-19 | 97 | www.irs.gov.kid1bx.eu
2009-09-19 | 43 | www.irs.gov.kid1cx.eu
2009-09-19 | 27 | www.irs.gov.kid1ex.eu
2009-09-19 | 102 | www.irs.gov.kid1hx.eu
2009-09-19 | 22 | www.irs.gov.kid1ix.eu
2009-09-19 | 103 | www.irs.gov.kid1nx.eu
2009-09-19 | 15 | www.irs.gov.kid1ox.eu
2009-09-19 | 62 | www.irs.gov.kid1qx.eu
2009-09-19 | 59 | www.irs.gov.kid1sx.eu
2009-09-19 | 48 | www.irs.gov.kid1vx.eu
2009-09-19 | 61 | www.irs.gov.kid1xx.eu
2009-09-19 | 78 | www.irs.gov.kid1zx.eu
2009-09-19 | 43 | www.irs.gov.uh1asq.eu
2009-09-20 | 1 | www.irs.gov.her1da.eu
2009-09-20 | 3 | www.irs.gov.her1de.eu
2009-09-20 | 4 | www.irs.gov.her1df.eu
2009-09-20 | 1 | www.irs.gov.her1di.eu
2009-09-20 | 3 | www.irs.gov.her1dj.eu
2009-09-20 | 1 | www.irs.gov.her1dk.eu
2009-09-20 | 5 | www.irs.gov.her1do.eu
2009-09-20 | 4 | www.irs.gov.her1dp.eu
2009-09-20 | 3 | www.irs.gov.her1dq.eu
2009-09-20 | 1 | www.irs.gov.her1dr.eu
2009-09-20 | 2 | www.irs.gov.her1dt.eu
2009-09-20 | 1 | www.irs.gov.her1du.eu
2009-09-20 | 1 | www.irs.gov.her1dw.eu
2009-09-20 | 3 | www.irs.gov.her1dy.eu
2009-09-20 | 4 | www.irs.gov.her1dz.eu
2009-09-20 | 2 | www.irs.gov.jaha1ws.eu
2009-09-20 | 2 | www.irs.gov.jbha1ws.eu
2009-09-20 | 3 | www.irs.gov.jgha1ws.eu
2009-09-20 | 2 | www.irs.gov.jjha1ws.eu
2009-09-20 | 3 | www.irs.gov.jkha1ws.eu
2009-09-20 | 4 | www.irs.gov.jmha1ws.eu
2009-09-20 | 3 | www.irs.gov.jpha1ws.eu
2009-09-20 | 1 | www.irs.gov.jqha1ws.eu
2009-09-20 | 1 | www.irs.gov.jrha1ws.eu
2009-09-20 | 4 | www.irs.gov.jtha1ws.eu
2009-09-20 | 3 | www.irs.gov.juha1ws.eu
2009-09-20 | 3 | www.irs.gov.jvha1ws.eu
2009-09-20 | 3 | www.irs.gov.jwha1ws.eu
2009-09-20 | 1 | www.irs.gov.poi1qwa.eu
2009-09-20 | 3 | www.irs.gov.poi1qwb.eu
2009-09-20 | 1 | www.irs.gov.poi1qwd.eu
2009-09-20 | 6 | www.irs.gov.poi1qwf.eu
2009-09-20 | 4 | www.irs.gov.poi1qwg.eu
2009-09-20 | 1 | www.irs.gov.poi1qwm.eu
2009-09-20 | 1 | www.irs.gov.poi1qwq.eu
2009-09-20 | 3 | www.irs.gov.poi1qwr.eu
2009-09-20 | 3 | www.irs.gov.poi1qwt.eu
2009-09-20 | 5 | www.irs.gov.poi1qwv.eu
2009-09-20 | 3 | www.irs.gov.poi1qww.eu
2009-09-20 | 1 | www.irs.gov.poi1qwy.eu
2009-09-20 | 417 | www.irs.gov.uh1asq.eu
2009-09-21 | 4 | www.irs.gov.akuja1.eu
2009-09-21 | 10 | www.irs.gov.gkuja1.eu
2009-09-21 | 10 | www.irs.gov.her1da.eu
2009-09-21 | 12 | www.irs.gov.her1de.eu
2009-09-21 | 36 | www.irs.gov.her1di.eu
2009-09-21 | 2 | www.irs.gov.her1dj.eu
2009-09-21 | 1 | www.irs.gov.her1dk.eu
2009-09-21 | 21 | www.irs.gov.her1do.eu
2009-09-21 | 3 | www.irs.gov.her1dp.eu
2009-09-21 | 15 | www.irs.gov.her1dq.eu
2009-09-21 | 16 | www.irs.gov.her1dr.eu
2009-09-21 | 19 | www.irs.gov.her1dt.eu
2009-09-21 | 22 | www.irs.gov.her1du.eu
2009-09-21 | 18 | www.irs.gov.her1dw.eu
2009-09-21 | 13 | www.irs.gov.her1dy.eu
2009-09-21 | 4 | www.irs.gov.her1dz.eu
2009-09-21 | 15 | www.irs.gov.hkuja1.eu
2009-09-21 | 9 | www.irs.gov.hou1ma.eu
2009-09-21 | 17 | www.irs.gov.hou1me.eu
2009-09-21 | 4 | www.irs.gov.hou1mg.eu
2009-09-21 | 9 | www.irs.gov.hou1mi.eu
2009-09-21 | 2 | www.irs.gov.hou1mj.eu
2009-09-21 | 4 | www.irs.gov.hou1mk.eu
2009-09-21 | 1 | www.irs.gov.hou1ml.eu
2009-09-21 | 4 | www.irs.gov.hou1mo.eu
2009-09-21 | 3 | www.irs.gov.hou1mp.eu
2009-09-21 | 13 | www.irs.gov.hou1mq.eu
2009-09-21 | 11 | www.irs.gov.hou1mr.eu
2009-09-21 | 20 | www.irs.gov.hou1mt.eu
2009-09-21 | 4 | www.irs.gov.hou1mu.eu
2009-09-21 | 14 | www.irs.gov.hou1mw.eu
2009-09-21 | 3 | www.irs.gov.hou1my.eu
2009-09-21 | 4 | www.irs.gov.jaha1ws.eu
2009-09-21 | 40 | www.irs.gov.jdha1ws.eu
2009-09-21 | 22 | www.irs.gov.jgha1ws.eu
2009-09-21 | 23 | www.irs.gov.jjha1ws.eu
2009-09-21 | 17 | www.irs.gov.jkha1ws.eu
2009-09-21 | 10 | www.irs.gov.jkuja1.eu
2009-09-21 | 14 | www.irs.gov.jmha1ws.eu
2009-09-21 | 7 | www.irs.gov.jnha1ws.eu
2009-09-21 | 9 | www.irs.gov.jpha1ws.eu
2009-09-21 | 18 | www.irs.gov.jqha1ws.eu
2009-09-21 | 7 | www.irs.gov.jrha1ws.eu
2009-09-21 | 4 | www.irs.gov.jtha1ws.eu
2009-09-21 | 8 | www.irs.gov.juha1ws.eu
2009-09-21 | 6 | www.irs.gov.jvha1ws.eu
2009-09-21 | 19 | www.irs.gov.jwha1ws.eu
2009-09-21 | 14 | www.irs.gov.kkuja1.eu
2009-09-21 | 4 | www.irs.gov.lkuja1.eu
2009-09-21 | 17 | www.irs.gov.naj1za.eu
2009-09-21 | 5 | www.irs.gov.ncj1za.eu
2009-09-21 | 8 | www.irs.gov.nej1za.eu
2009-09-21 | 6 | www.irs.gov.nij1za.eu
2009-09-21 | 18 | www.irs.gov.nkuja1.eu
2009-09-21 | 13 | www.irs.gov.noj1za.eu
2009-09-21 | 13 | www.irs.gov.nuj1za.eu
2009-09-21 | 2 | www.irs.gov.nxj1za.eu
2009-09-21 | 2 | www.irs.gov.nye1za.eu
2009-09-21 | 10 | www.irs.gov.nyj1za.eu
2009-09-21 | 1 | www.irs.gov.nym1za.eu
2009-09-21 | 1 | www.irs.gov.nyo1za.eu
2009-09-21 | 2 | www.irs.gov.nyq1za.eu
2009-09-21 | 15 | www.irs.gov.pkuja1.eu
2009-09-21 | 32 | www.irs.gov.poi1qwa.eu
2009-09-21 | 13 | www.irs.gov.poi1qwb.eu
2009-09-21 | 25 | www.irs.gov.poi1qwd.eu
2009-09-21 | 10 | www.irs.gov.poi1qwf.eu
2009-09-21 | 20 | www.irs.gov.poi1qwg.eu
2009-09-21 | 22 | www.irs.gov.poi1qwm.eu
2009-09-21 | 16 | www.irs.gov.poi1qwn.eu
2009-09-21 | 1 | www.irs.gov.poi1qwq.eu
2009-09-21 | 1 | www.irs.gov.poi1qwr.eu
2009-09-21 | 12 | www.irs.gov.poi1qwt.eu
2009-09-21 | 13 | www.irs.gov.poi1qwv.eu
2009-09-21 | 1 | www.irs.gov.poi1qww.eu
2009-09-21 | 21 | www.irs.gov.poi1qwy.eu
2009-09-21 | 32 | www.irs.gov.poi1qwz.eu
2009-09-21 | 3 | www.irs.gov.qkuja1.eu
2009-09-21 | 10 | www.irs.gov.tkuja1.eu
2009-09-21 | 20 | www.irs.gov.ykuja1.eu
2009-09-21 | 1 | www.irs.gov.zkuja1.eu
2009-09-22 | 5 | www.irs.gov.akuja1.eu
2009-09-22 | 3 | www.irs.gov.gkuja1.eu
2009-09-22 | 1 | www.irs.gov.her1do.eu
2009-09-22 | 5 | www.irs.gov.herd1a.eu
2009-09-22 | 1 | www.irs.gov.here1a.eu
2009-09-22 | 4 | www.irs.gov.herf1a.eu
2009-09-22 | 4 | www.irs.gov.herq1a.eu
2009-09-22 | 3 | www.irs.gov.herr1a.eu
2009-09-22 | 6 | www.irs.gov.hert1a.eu
2009-09-22 | 2 | www.irs.gov.herw1a.eu
2009-09-22 | 1 | www.irs.gov.hery1a.eu
2009-09-22 | 5 | www.irs.gov.hkuja1.eu
2009-09-22 | 3 | www.irs.gov.hou1ma.eu
2009-09-22 | 7 | www.irs.gov.hou1me.eu
2009-09-22 | 8 | www.irs.gov.hou1mg.eu
2009-09-22 | 4 | www.irs.gov.hou1mi.eu
2009-09-22 | 7 | www.irs.gov.hou1mj.eu
2009-09-22 | 3 | www.irs.gov.hou1mk.eu
2009-09-22 | 5 | www.irs.gov.hou1ml.eu
2009-09-22 | 6 | www.irs.gov.hou1mo.eu
2009-09-22 | 7 | www.irs.gov.hou1mp.eu
2009-09-22 | 4 | www.irs.gov.hou1mr.eu
2009-09-22 | 4 | www.irs.gov.hou1mt.eu
2009-09-22 | 3 | www.irs.gov.hou1mu.eu
2009-09-22 | 8 | www.irs.gov.hou1mw.eu
2009-09-22 | 9 | www.irs.gov.hou1my.eu
2009-09-22 | 167 | www.irs.gov.ipdotfl.com
2009-09-22 | 4 | www.irs.gov.jkuja1.eu
2009-09-22 | 4 | www.irs.gov.kkuja1.eu
2009-09-22 | 19 | www.irs.gov.likka1.eu
2009-09-22 | 14 | www.irs.gov.likkb1.eu
2009-09-22 | 14 | www.irs.gov.likkc1.eu
2009-09-22 | 13 | www.irs.gov.likkd1.eu
2009-09-22 | 20 | www.irs.gov.likke1.eu
2009-09-22 | 19 | www.irs.gov.likkh1.eu
2009-09-22 | 15 | www.irs.gov.likkm1.eu
2009-09-22 | 9 | www.irs.gov.likkn1.eu
2009-09-22 | 11 | www.irs.gov.likko1.eu
2009-09-22 | 16 | www.irs.gov.likkt1.eu
2009-09-22 | 21 | www.irs.gov.likkv1.eu
2009-09-22 | 14 | www.irs.gov.likkx1.eu
2009-09-22 | 11 | www.irs.gov.likky1.eu
2009-09-22 | 15 | www.irs.gov.likkz1.eu
2009-09-22 | 15 | www.irs.gov.likzn1.eu
2009-09-22 | 4 | www.irs.gov.lkuja1.eu
2009-09-22 | 2 | www.irs.gov.naj1za.eu
2009-09-22 | 5 | www.irs.gov.ncj1za.eu
2009-09-22 | 3 | www.irs.gov.nej1za.eu
2009-09-22 | 5 | www.irs.gov.nij1za.eu
2009-09-22 | 7 | www.irs.gov.nkuja1.eu
2009-09-22 | 3 | www.irs.gov.noj1za.eu
2009-09-22 | 19 | www.irs.gov.nuhh1b.eu
2009-09-22 | 15 | www.irs.gov.nuhh1c.eu
2009-09-22 | 5 | www.irs.gov.nuhh1d.eu
2009-09-22 | 17 | www.irs.gov.nuhh1f.eu
2009-09-22 | 14 | www.irs.gov.nuhh1g.eu
2009-09-22 | 17 | www.irs.gov.nuhh1h.eu
2009-09-22 | 14 | www.irs.gov.nuhh1k.eu
2009-09-22 | 18 | www.irs.gov.nuhh1l.eu
2009-09-22 | 22 | www.irs.gov.nuhh1m.eu
2009-09-22 | 24 | www.irs.gov.nuhh1n.eu
2009-09-22 | 3 | www.irs.gov.nuhh1s.eu
2009-09-22 | 20 | www.irs.gov.nuhh1v.eu
2009-09-22 | 10 | www.irs.gov.nuhh1x.eu
2009-09-22 | 14 | www.irs.gov.nuhh1z.eu
2009-09-22 | 3 | www.irs.gov.nuj1za.eu
2009-09-22 | 4 | www.irs.gov.nxj1za.eu
2009-09-22 | 2 | www.irs.gov.nye1za.eu
2009-09-22 | 6 | www.irs.gov.nyj1za.eu
2009-09-22 | 3 | www.irs.gov.nyjnza.eu
2009-09-22 | 2 | www.irs.gov.nym1za.eu
2009-09-22 | 5 | www.irs.gov.nyo1za.eu
2009-09-22 | 6 | www.irs.gov.nyq1za.eu
2009-09-22 | 3 | www.irs.gov.nzj1za.eu
2009-09-22 | 6 | www.irs.gov.pkuja1.eu
2009-09-22 | 1 | www.irs.gov.poi1qwz.eu
2009-09-22 | 6 | www.irs.gov.qkuja1.eu
2009-09-22 | 128 | www.irs.gov.strmodefs.bz
2009-09-22 | 123 | www.irs.gov.strmodefs.com
2009-09-22 | 6 | www.irs.gov.tkuja1.eu
2009-09-22 | 19 | www.irs.gov.xyg1qe.eu
2009-09-22 | 9 | www.irs.gov.xyg1qq.eu
2009-09-22 | 8 | www.irs.gov.xyg1qr.eu
2009-09-22 | 4 | www.irs.gov.xyg1qt.eu
2009-09-22 | 18 | www.irs.gov.xyg1qu.eu
2009-09-22 | 15 | www.irs.gov.xyg1qw.eu
2009-09-22 | 22 | www.irs.gov.xyg1qy.eu
2009-09-22 | 5 | www.irs.gov.ykuja1.eu
2009-09-22 | 6 | www.irs.gov.zkuja1.eu
2009-09-23 | 5 | www.irs.gov.ea1asb.eu
2009-09-23 | 8 | www.irs.gov.ea1asc.eu
2009-09-23 | 4 | www.irs.gov.ea1asd.eu
2009-09-23 | 2 | www.irs.gov.ea1ase.eu
2009-09-23 | 6 | www.irs.gov.ea1asf.eu
2009-09-23 | 6 | www.irs.gov.ea1asg.eu
2009-09-23 | 1 | www.irs.gov.ea1ash.eu
2009-09-23 | 6 | www.irs.gov.ea1ask.eu
2009-09-23 | 3 | www.irs.gov.ea1asm.eu
2009-09-23 | 3 | www.irs.gov.ea1asn.eu
2009-09-23 | 4 | www.irs.gov.ea1aso.eu
2009-09-23 | 7 | www.irs.gov.ea1asu.eu
2009-09-23 | 1 | www.irs.gov.ea1asv.eu
2009-09-23 | 5 | www.irs.gov.ea1asx.eu
2009-09-23 | 4 | www.irs.gov.ea1asz.eu
2009-09-23 | 7 | www.irs.gov.herd1a.eu
2009-09-23 | 6 | www.irs.gov.here1a.eu
2009-09-23 | 9 | www.irs.gov.herf1a.eu
2009-09-23 | 11 | www.irs.gov.herq1a.eu
2009-09-23 | 9 | www.irs.gov.herr1a.eu
2009-09-23 | 10 | www.irs.gov.hert1a.eu
2009-09-23 | 6 | www.irs.gov.herw1a.eu
2009-09-23 | 9 | www.irs.gov.hery1a.eu
2009-09-23 | 5 | www.irs.gov.ipdotfl.com
2009-09-23 | 11 | www.irs.gov.likka1.eu
2009-09-23 | 11 | www.irs.gov.likkb1.eu
2009-09-23 | 9 | www.irs.gov.likkc1.eu
2009-09-23 | 9 | www.irs.gov.likkd1.eu
2009-09-23 | 7 | www.irs.gov.likke1.eu
2009-09-23 | 16 | www.irs.gov.likkh1.eu
2009-09-23 | 10 | www.irs.gov.likkm1.eu
2009-09-23 | 7 | www.irs.gov.likkn1.eu
2009-09-23 | 2 | www.irs.gov.likko1.eu
2009-09-23 | 8 | www.irs.gov.likkt1.eu
2009-09-23 | 8 | www.irs.gov.likkv1.eu
2009-09-23 | 3 | www.irs.gov.likkx1.eu
2009-09-23 | 3 | www.irs.gov.likky1.eu
2009-09-23 | 5 | www.irs.gov.likkz1.eu
2009-09-23 | 7 | www.irs.gov.likzn1.eu
2009-09-23 | 7 | www.irs.gov.nuhh1b.eu
2009-09-23 | 4 | www.irs.gov.nuhh1c.eu
2009-09-23 | 7 | www.irs.gov.nuhh1d.eu
2009-09-23 | 7 | www.irs.gov.nuhh1f.eu
2009-09-23 | 4 | www.irs.gov.nuhh1g.eu
2009-09-23 | 2 | www.irs.gov.nuhh1h.eu
2009-09-23 | 10 | www.irs.gov.nuhh1k.eu
2009-09-23 | 2 | www.irs.gov.nuhh1l.eu
2009-09-23 | 6 | www.irs.gov.nuhh1m.eu
2009-09-23 | 10 | www.irs.gov.nuhh1n.eu
2009-09-23 | 7 | www.irs.gov.nuhh1s.eu
2009-09-23 | 10 | www.irs.gov.nuhh1v.eu
2009-09-23 | 10 | www.irs.gov.nuhh1x.eu
2009-09-23 | 6 | www.irs.gov.nuhh1z.eu
2009-09-23 | 11 | www.irs.gov.xyg1qe.eu
2009-09-23 | 7 | www.irs.gov.xyg1qq.eu
2009-09-23 | 6 | www.irs.gov.xyg1qr.eu
2009-09-23 | 11 | www.irs.gov.xyg1qt.eu
2009-09-23 | 9 | www.irs.gov.xyg1qu.eu
2009-09-23 | 7 | www.irs.gov.xyg1qw.eu
2009-09-23 | 11 | www.irs.gov.xyg1qy.eu
2009-09-24 | 10 | www.irs.gov.awh7kio.eu
2009-09-24 | 6 | www.irs.gov.do11juy.eu
2009-09-24 | 2 | www.irs.gov.fo11juy.eu
2009-09-24 | 8 | www.irs.gov.ger11sa.com
2009-09-24 | 3 | www.irs.gov.ger11se.com
2009-09-24 | 2 | www.irs.gov.ger11si.com
2009-09-24 | 3 | www.irs.gov.ger11so.com
2009-09-24 | 4 | www.irs.gov.ger11sy.com
2009-09-24 | 7 | www.irs.gov.ger11za.com
2009-09-24 | 1 | www.irs.gov.ger11ze.com
2009-09-24 | 6 | www.irs.gov.ger11zi.com
2009-09-24 | 11 | www.irs.gov.ger11zo.com
2009-09-24 | 4 | www.irs.gov.ger11zy.com
2009-09-24 | 7 | www.irs.gov.go11juy.eu
2009-09-24 | 14 | www.irs.gov.hu1wev.eu
2009-09-24 | 7 | www.irs.gov.i11ate.eu
2009-09-24 | 3 | www.irs.gov.i11bte.eu
2009-09-24 | 4 | www.irs.gov.i11ete.eu
2009-09-24 | 1 | www.irs.gov.i11hte.eu
2009-09-24 | 7 | www.irs.gov.i11ite.eu
2009-09-24 | 8 | www.irs.gov.i11mte.eu
2009-09-24 | 4 | www.irs.gov.i11nte.eu
2009-09-24 | 4 | www.irs.gov.i11ote.eu
2009-09-24 | 4 | www.irs.gov.i11pte.eu
2009-09-24 | 7 | www.irs.gov.i11rte.eu
2009-09-24 | 7 | www.irs.gov.i11tte.eu
2009-09-24 | 7 | www.irs.gov.i11ute.eu
2009-09-24 | 7 | www.irs.gov.i11wte.eu
2009-09-24 | 3 | www.irs.gov.i11xte.eu
2009-09-24 | 6 | www.irs.gov.i11zte.eu
2009-09-24 | 18 | www.irs.gov.ijh7kio.eu
2009-09-24 | 4 | www.irs.gov.ikh7kio.eu
2009-09-24 | 6 | www.irs.gov.io11juy.eu
2009-09-24 | 12 | www.irs.gov.iz1fd2.eu
2009-09-24 | 10 | www.irs.gov.iz1ff2.eu
2009-09-24 | 9 | www.irs.gov.iz1gf2.eu
2009-09-24 | 10 | www.irs.gov.iz1hf2.eu
2009-09-24 | 14 | www.irs.gov.iz1if2.eu
2009-09-24 | 15 | www.irs.gov.iz1jf2.eu
2009-09-24 | 4 | www.irs.gov.iz1kf2.eu
2009-09-24 | 8 | www.irs.gov.iz1lf2.eu
2009-09-24 | 5 | www.irs.gov.iz1pf2.eu
2009-09-24 | 12 | www.irs.gov.iz1qf2.eu
2009-09-24 | 7 | www.irs.gov.iz1rf2.eu
2009-09-24 | 10 | www.irs.gov.iz1tf2.eu
2009-09-24 | 8 | www.irs.gov.iz1uf2.eu
2009-09-24 | 7 | www.irs.gov.iz1wf2.eu
2009-09-24 | 9 | www.irs.gov.iz1yf2.eu
2009-09-24 | 3 | www.irs.gov.jo11juy.eu
2009-09-24 | 11 | www.irs.gov.mah7kio.eu
2009-09-24 | 4 | www.irs.gov.mi11f1.eu
2009-09-24 | 6 | www.irs.gov.mi11fa.eu
2009-09-24 | 6 | www.irs.gov.mi11fd.eu
2009-09-24 | 5 | www.irs.gov.mi11fe.eu
2009-09-24 | 8 | www.irs.gov.mi11ff.eu
2009-09-24 | 3 | www.irs.gov.mi11fi.eu
2009-09-24 | 5 | www.irs.gov.mi11fo.eu
2009-09-24 | 7 | www.irs.gov.mi11fp.eu
2009-09-24 | 2 | www.irs.gov.mi11fq.eu
2009-09-24 | 6 | www.irs.gov.mi11fr.eu
2009-09-24 | 3 | www.irs.gov.mi11fs.eu
2009-09-24 | 2 | www.irs.gov.mi11ft.eu
2009-09-24 | 6 | www.irs.gov.mi11fu.eu
2009-09-24 | 2 | www.irs.gov.mi11fw.eu
2009-09-24 | 4 | www.irs.gov.mi11fy.eu
2009-09-24 | 5 | www.irs.gov.nuh7kio.eu
2009-09-24 | 4 | www.irs.gov.nuko7u1.eu
2009-09-24 | 8 | www.irs.gov.nuko7ue.eu
2009-09-24 | 3 | www.irs.gov.nuko7ug.eu
2009-09-24 | 3 | www.irs.gov.nuko7uh.eu
2009-09-24 | 4 | www.irs.gov.nuko7ui.eu
2009-09-24 | 11 | www.irs.gov.nuko7uj.eu
2009-09-24 | 6 | www.irs.gov.nuko7uk.eu
2009-09-24 | 6 | www.irs.gov.nuko7uo.eu
2009-09-24 | 7 | www.irs.gov.nuko7up.eu
2009-09-24 | 7 | www.irs.gov.nuko7uq.eu
2009-09-24 | 14 | www.irs.gov.nuko7ur.eu
2009-09-24 | 3 | www.irs.gov.nuko7ut.eu
2009-09-24 | 7 | www.irs.gov.nuko7uu.eu
2009-09-24 | 7 | www.irs.gov.nuko7uw.eu
2009-09-24 | 7 | www.irs.gov.nuko7uy.eu
2009-09-24 | 2 | www.irs.gov.oo11juy.eu
2009-09-24 | 1 | www.irs.gov.po11juy.eu
2009-09-24 | 17 | www.irs.gov.poh7kio.eu
2009-09-24 | 16 | www.irs.gov.qyh7kio.eu
2009-09-24 | 5 | www.irs.gov.ro11juy.eu
2009-09-24 | 4 | www.irs.gov.so11juy.eu
2009-09-24 | 3 | www.irs.gov.to11juy.eu
2009-09-24 | 2 | www.irs.gov.uij7yj.eu
2009-09-24 | 2 | www.irs.gov.uij7yl.eu
2009-09-24 | 1 | www.irs.gov.uij7ym.eu
2009-09-24 | 2 | www.irs.gov.uij7yq.eu
2009-09-24 | 3 | www.irs.gov.uij7yt.eu
2009-09-24 | 2 | www.irs.gov.uij7yy.eu
2009-09-24 | 2 | www.irs.gov.uij7yz.eu
2009-09-24 | 4 | www.irs.gov.uo11juy.eu
2009-09-24 | 14 | www.irs.gov.veh7kio.eu
2009-09-24 | 4 | www.irs.gov.xo11juy.eu
2009-09-24 | 7 | www.irs.gov.yoky1a.eu
2009-09-24 | 2 | www.irs.gov.yoky1c.eu
2009-09-24 | 3 | www.irs.gov.yoky1d.eu
2009-09-24 | 4 | www.irs.gov.yoky1e.eu
2009-09-24 | 2 | www.irs.gov.yoky1f.eu
2009-09-24 | 7 | www.irs.gov.yoky1g.eu
2009-09-24 | 4 | www.irs.gov.yoky1n.eu
2009-09-24 | 3 | www.irs.gov.yoky1r.eu
2009-09-24 | 6 | www.irs.gov.yoky1s.eu
2009-09-24 | 4 | www.irs.gov.yoky1t.eu
2009-09-24 | 3 | www.irs.gov.yoky1w.eu
2009-09-24 | 5 | www.irs.gov.yoky1x.eu
2009-09-24 | 2 | www.irs.gov.yoky1y.eu
2009-09-24 | 5 | www.irs.gov.yoky1z.eu
2009-09-24 | 4 | www.irs.gov.zah7kio.eu
2009-09-24 | 18 | www.irs.gov.zuh7kio.eu
2009-09-25 | 2 | www.irs.gov.bbasza.com
2009-09-25 | 2 | www.irs.gov.bbaszb.com
2009-09-25 | 3 | www.irs.gov.bbaszc.com
2009-09-25 | 3 | www.irs.gov.bbaszd.com
2009-09-25 | 3 | www.irs.gov.bbasze.com
2009-09-25 | 5 | www.irs.gov.bbaszf.com
2009-09-25 | 2 | www.irs.gov.bbaszg.com
2009-09-25 | 3 | www.irs.gov.bbaszl.com
2009-09-25 | 2 | www.irs.gov.bbaszq.com
2009-09-25 | 3 | www.irs.gov.bbaszs.com
2009-09-25 | 4 | www.irs.gov.bbaszt.com
2009-09-25 | 3 | www.irs.gov.bbaszv.com
2009-09-25 | 2 | www.irs.gov.bbaszw.com
2009-09-25 | 3 | www.irs.gov.bbaszx.com
2009-09-25 | 4 | www.irs.gov.bbaszz.com
2009-09-25 | 1 | www.irs.gov.fedas1ah.com
2009-09-25 | 15 | www.irs.gov.ger11sa.com
2009-09-25 | 12 | www.irs.gov.ger11se.com
2009-09-25 | 4 | www.irs.gov.ger11si.com
2009-09-25 | 14 | www.irs.gov.ger11so.com
2009-09-25 | 16 | www.irs.gov.ger11sy.com
2009-09-25 | 8 | www.irs.gov.ger11za.com
2009-09-25 | 4 | www.irs.gov.ger11ze.com
2009-09-25 | 21 | www.irs.gov.ger11zi.com
2009-09-25 | 19 | www.irs.gov.ger11zo.com
2009-09-25 | 11 | www.irs.gov.ger11zy.com
2009-09-25 | 14 | www.irs.gov.nuko7u1.eu
2009-09-25 | 17 | www.irs.gov.nuko7ue.eu
2009-09-25 | 13 | www.irs.gov.nuko7ug.eu
2009-09-25 | 27 | www.irs.gov.nuko7uh.eu
2009-09-25 | 29 | www.irs.gov.nuko7ui.eu
2009-09-25 | 15 | www.irs.gov.nuko7uj.eu
2009-09-25 | 14 | www.irs.gov.nuko7uk.eu
2009-09-25 | 28 | www.irs.gov.nuko7uo.eu
2009-09-25 | 12 | www.irs.gov.nuko7up.eu
2009-09-25 | 16 | www.irs.gov.nuko7uq.eu
2009-09-25 | 19 | www.irs.gov.nuko7ur.eu
2009-09-25 | 11 | www.irs.gov.nuko7ut.eu
2009-09-25 | 24 | www.irs.gov.nuko7uu.eu
2009-09-25 | 14 | www.irs.gov.nuko7uw.eu
2009-09-25 | 15 | www.irs.gov.nuko7uy.eu
2009-09-25 | 1 | www.irs.gov.nuya1ze.eu
2009-09-25 | 14 | www.irs.gov.nuya1zg.eu
2009-09-25 | 6 | www.irs.gov.nuya1zh.eu
2009-09-25 | 3 | www.irs.gov.nuya1zi.eu
2009-09-25 | 3 | www.irs.gov.nuya1zl.eu
2009-09-25 | 9 | www.irs.gov.nuya1zo.eu
2009-09-25 | 7 | www.irs.gov.nuya1zp.eu
2009-09-25 | 9 | www.irs.gov.nuya1zq.eu
2009-09-25 | 9 | www.irs.gov.nuya1zt.eu
2009-09-25 | 6 | www.irs.gov.nuya1zw.eu
2009-09-25 | 2 | www.irs.gov.nuya1zy.eu
2009-09-25 | 26 | www.irs.gov.y11dera.com
2009-09-25 | 28 | www.irs.gov.y11derc.com
2009-09-25 | 24 | www.irs.gov.y11derd.com
2009-09-25 | 15 | www.irs.gov.y11dere.com
2009-09-25 | 34 | www.irs.gov.y11derf.com
2009-09-25 | 12 | www.irs.gov.y11derq.com
2009-09-25 | 7 | www.irs.gov.y11derr.com
2009-09-25 | 4 | www.irs.gov.y11ders.com
2009-09-25 | 20 | www.irs.gov.y11derv.com
2009-09-25 | 19 | www.irs.gov.y11derw.com
2009-09-25 | 8 | www.irs.gov.y11derx.com
2009-09-25 | 14 | www.irs.gov.y11derz.com
2009-09-26 | 1 | www.irs.gov.berfa1b.com
2009-09-26 | 1 | www.irs.gov.berfa1j.com
2009-09-26 | 2 | www.irs.gov.berfa1k.com
2009-09-26 | 7 | www.irs.gov.berfa1m.com
2009-09-26 | 3 | www.irs.gov.berfa1p.com
2009-09-26 | 1 | www.irs.gov.berfa1q.com
2009-09-26 | 8 | www.irs.gov.berfa1r.com
2009-09-26 | 2 | www.irs.gov.berfa1s.com
2009-09-26 | 3 | www.irs.gov.berfa1w.com
2009-09-26 | 1 | www.irs.gov.berfa1z.com
2009-09-26 | 7 | www.irs.gov.fedas1aa.com
2009-09-26 | 3 | www.irs.gov.fedas1ab.com
2009-09-26 | 5 | www.irs.gov.fedas1ad.com
2009-09-26 | 8 | www.irs.gov.fedas1af.com
2009-09-26 | 5 | www.irs.gov.fedas1ag.com
2009-09-26 | 7 | www.irs.gov.fedas1ah.com
2009-09-26 | 6 | www.irs.gov.fedas1ak.com
2009-09-26 | 7 | www.irs.gov.fedas1am.com
2009-09-26 | 8 | www.irs.gov.fedas1an.com
2009-09-26 | 3 | www.irs.gov.fedas1ao.com
2009-09-26 | 6 | www.irs.gov.fedas1aq.com
2009-09-26 | 2 | www.irs.gov.fedas1ar.com
2009-09-26 | 6 | www.irs.gov.fedas1as.com
2009-09-26 | 2 | www.irs.gov.fedas1av.com
2009-09-26 | 5 | www.irs.gov.fedas1az.com
2009-09-26 | 5 | www.irs.gov.juhh1we.com
2009-09-26 | 6 | www.irs.gov.juhh1wf.com
2009-09-26 | 3 | www.irs.gov.juhh1wg.com
2009-09-26 | 4 | www.irs.gov.juhh1wh.com
2009-09-26 | 4 | www.irs.gov.juhh1wi.com
2009-09-26 | 5 | www.irs.gov.juhh1wj.com
2009-09-26 | 3 | www.irs.gov.juhh1wn.com
2009-09-26 | 5 | www.irs.gov.juhh1wo.com
2009-09-26 | 5 | www.irs.gov.juhh1wp.com
2009-09-26 | 3 | www.irs.gov.juhh1wq.com
2009-09-26 | 2 | www.irs.gov.juhh1wr.com
2009-09-26 | 3 | www.irs.gov.juhh1wt.com
2009-09-26 | 5 | www.irs.gov.juhh1wu.com

Thursday, September 10, 2009

Tien Truong Nguyen pleads Guilty

In April of 2007, the Eastern District of California sent out a Press Release titled "SACRAMENTO MAN CHARGED WITH COMPUTER FRAUD AND AGGRAVATED IDENTITY THEFT" with the description, "Internet Phishing Scheme Used to Steal Thousands of Credit and Debit Card Numbers, Social Security Numbers."

At the University of Alabama at Birmingham, our UAB Computer Forensics program has a mix of Computer & Information Science and Criminal Justice students who are working together to research how phishing investigations are performed. When I saw this story back in the news today, I thought we might have another agent who could help us understand how the US Secret Service investigates phishing. While I'm very glad that Nguyen was picked up, and it looks like ECSAP-trained Senior Special Agent Brian Korbs did an excellent job on the Computer Forensics aspects of this case, unfortunately this wasn't a "phishing investigation."

Several of my students learned about the US Secret Service Electronic Crimes Special Agent Program (ECSAP) while visiting the National Computer Forensics Institute in Hoover, Alabama, about ten miles from our campus, earlier this month. Housed at the NCFI, the Electronic Crimes Task Force for the Birmingham field office of the Secret Service maintains a computer forensics lab where computer forensics examiners from the US Secret Service and the Alabama Bureau of Investigation work side-by-side with examiners from the Alabama District Attorneys Association and the Hoover Police Department to perform examinations and provide training and forensic services to all manner of law enforcement cases. The NCFI provides the equivalent of the Secret Service ECSAP training for state and local law enforcement officers across the country. ECSAP-based courses available in Hoover include "Basic Investigation of Computer and Electronic Crimes Program (BICEP)", "Network Intrusion Responder Program (NITRO)", "Basic Computer Evidence Recovery Training (BCERT)", and "Advanced Computer Evidence Recovery Training (ACERT)", which is ten full weeks of very hands-on training! The NCFI also offers two "Computer Forensics in Court" classes, CFC-J for Judges, and CFC-P for Prosecutors.

Back to the story . . . According to the Affidavit of SSA Brian Korbs, Nguyen was clearly involved in phishing. Korbs was able to establish that from at least October 15, 2005 through January 26, 2007, Nguyen was involved in multiple identity theft, phishing, and credit card fraud activities.

The forensics examination covered:

A Dell Laptop Computer "Latitude" Serial Number 8P530B1
A Toshiba Laptop Computer "M-45" with black thumb drive Serial Number 26234221Q
A Hewlett Packard Laptop Computer "Pavilion D1000" with Serial Number CNF5382K5T
two black USB thumb drives and
A Dell Computer Model 470 Serial Number 37NQC61

These showed that Nguyen was regularly communicating with Eastern Europeans to acquire credit card and debit card numbers, social security numbers, and other personal identification information. Files on the computer were used to create phishing websites, including sites against eBay, Fairwinds Credit Union (Florida), Heritage Bank (Olympia, Washington), Honolulu City and County Employees Credit Union, and others. A program for encoding credit cards, lists of account information, a magnetic card writer, and a laminator were found. Thousands of email addresses, sorted by the state in which they were located, were found to be used for sending out phishing emails state-by-state. (For example, it would make sense to only send "Honolulu City and County Employees Credit Union" phishing emails to people who live in Hawaii.)

The fruit of the phishing was "thousands of pages of customer information" from companies "such as eBay, Western Union, and others." Korbs reported finding "Hundreds of files of credit card numbers, many with PINs, as well as the true cardholders name, address, email address, password, bank account information, social security number, driver's license number, telephone number, etc." Korbs estimates that "tens of thousands" of identities were on the computer, which is certainly "more than 15" as described in the Federal statute (see below).

Yahoo! chat logs were also found on the computer, which, if printed, would be 16,000 pages of logs. Many of the chats related to buying and selling credit cards, and exchanging email addresses for phish targeting.

In Nguyen's case, the whole story seems to be that he worked with several Romanians to build phishing sites and steal personally identifiable information. Then he provided that information to local accomplices who cashed out in an interesting manner. Apparently GE Capital runs a system of kiosks in California Wal-Mart stores where you can enter your information and be approved for an instant line of credit, which is provided as Wal-Mart coupons that can be used to shop in the store. According to Special Agent Korbs, they did this for more than $200,000 worth of merchandise. The full indictment lists many of the items purchased with these cards, including laptops, monitors, satellite radio systems, 8 iPods, an infrared night light, a "Nightowl" night vision scope, CB radios, GPS units, watches, televisions, a radar detector, etc.

When Detective Jim Hudson, from the Placer County Sheriff, and Special Agent Korbs talked to Tien Nguyen after he was arrested on January 26, 2007, he waived his Miranda rights and told them pretty much everything. He admitted to using his computer to trade identities and credit card information, and he explained the GE Capital / Wal-Mart scheme.

Enter the 9th Circuit


So, why after all this time is Nguyen just now pleading guilty? Apparently the defense's plan all along has been to say that all of the evidence that was obtained from Nguyen, INCLUDING HIS CONFESSION, was based on a warrantless search of the premises, which meant all of the evidence should be suppressed. After the recent 9th Circuit ruling, Nguyen's lawyer, Micheal K. Cernyar of Long Beach, California, thought he had fresh grounds, and on September 8, 2009 a hearing was held before the Honorable Morrison C. England, Jr., to hear a plea for a new hearing on a new motion to suppress. Here are the basics outlined in the Motion to Suppress:

* Mr. Nguyen was arrested on or about January 26, 2007 on a Ramey Warrant at his residence located at 8225 & 8229 Gerber Road, Sacramento, California. "A warrantless search of the residence" uncovered all of the information, while Nguyen and his companion were detained in the living room of the home.

* On March 27, 2007, Special Agent Korbs applied for a federal search warrant seeking the items seized on January 26, 2007. After receiving this search warrant, Nguyen was indicted April 26, 2007.

* Nguyen moved "to suppress all evidence and any statements obtained" claiming his Fourth Amendment rights were violated, and his motion was denied October 15, 2008.

Here's the new part . . .

7. Last week, in United States v. Gonzalez -- F.3d --, (9th Cir. 2009) (D.C. No. 07-30098), the Ninth Circuit reversed a matter regarding suppression of evidence based upon a warrantless search when applying the recent ruling in Arizona v. Gant. The Ninth Circuit held that Mr. Gonzalez was entitled to benefit from the Supreme Court's ruling in Gant.

8. Counsel believes that the facts in Mr. Nguyen's warrantless search incident to arrest are at the very least similarly situated to those in the Gant and Gonzalez matter.


Rodney Joseph Gant v. Arizona was a case where a man was arrested, and after his arrest police went and searched his vehicle, which he was not in at the time of the arrest. In the car, they found cocaine, not related to the charges for which he had just been arrested, and expanded the charges to include drug possession. Because they did not have a warrant for the vehicular search, and because the perp was not in the vehicle, the Supreme Court ruled that they should not have searched the vehicle without a warrant. (This has been standard practice, called "The Bright Line rule" since 1981 . . .)

How does this relate to the 9th Circuit decision in U.S. v. Gonzalez? It is well-established practice that police can perform a warrantless search "incident to arrest", meaning that after I've arrested you, it is "not unreasonable" to search for evidence related to the crime for which you have been arrested, both on your person and in the immediate vicinity. The question of what is meant by the immediate vicinity is one that has had the legal scholars appealing searches on Fourth Amendment grounds over and over. In this case, it all starts with Chimel v. California. The Supreme Court held that when someone is arrested in their home, officers would be reasonable to search not only the room of the arrest, but other "sufficiently large spaces" where someone might be hiding who could be a risk to officer safety. So, the idea was, if I arrest you in your living room, but I feel that someone might be hiding in the closet, I can look in the closet, without a warrant, to see if your brother is hiding in there with a shotgun planning to jump out and shoot me. I couldn't search the drawer in the end-table, because it is unlikely a potential attacker is hiding in that drawer. Several cases since then have argued whether you should only be able to do such a search if there was a suspicion that such a risk to officer safety was probable, and then, only in certain "reasonable areas", with three cases helping define those boundaries and expectations -- Maryland v. Buie, Belton v. New York, and Thornton v. United States. Arizona v. Gant reset those expectations by overruling some of those prior standards of when it was reasonable to do a "suspicionless search", which led to the 9th Circuit decision.

The judge rightly denied the motion to suppress, since this WAS a search "INCIDENT TO ARREST", and there was EVERY REASON to believe that the computers held relevant evidence of the crime for which Nguyen was being arrested, based on his own statements, and his own permission to search, meaning that NONE of those prior cases really had anything to do with this case.

With his last hope extinguished, Nguyen pleaded guilty, but even then went all the way to the wire. I really thought he was going to go to trial! His lawyer had submitted Questions for the Jury (Voir Dire) as recently as September 2, 2009! I had to chuckle as I read through them . . . he asks if they Bank Online, if they use their Debit Card online, if they have purchased online items in the past year . . . I thought the next question might be "Please state your debit card number slowly, and tell us your PIN." When it came down to the start of the Jury Trial, at 9:00 am on September 8th, the Courtroom minutes tell us that Nguyen asked for a five minute recess, and came back in and pleaded guilty to counts 1-4. He then asked for another recess, and came back and pleaded guilty to count 5.

The Penalty Slip with the indictment includes the charges. Especially sweet that the Aggravated Identity Theft adds an automatic +2 years. Nguyen was found to have a shotgun in his bedroom as well, a Remington 870 Express Magnum.

18 USC § 371 - Conspiracy to Commit Computer Fraud and Access Device Fraud:
- Not more than $250,000 or not more than gross gain or loss;
- Not more than 5 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 1029(a)(2) - Access Device Fraud
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 5 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 1029(a)(3) - Possession of More than 15 Unauthorized Access Devices
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 10 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 1028A(a)(1) - Aggravated Identity Theft
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 2 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 922(g)(1) - Felon in Possession of a Firearm or Ammunition
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 10 years imprisonment, or both
- Not more than 3 years of supervised release

(Nguyen had already spent "more than a year" in jail back in 1999 for "Receipt of Stolen Property" and "Making and Passing Fictitious Checks", but these were state of California crimes rather than Federal crimes.)

The sentencing for Nguyen will be on November 19th, at 9:00 am.

The question for my students' research project is - "Was this a phishing investigation?" We haven't talked to Special Agent Korbs yet, but from a reading of the court documents, I believe the answer will be "No." This was a credit card fraud investigation, which uncovered a phishing case after the Computer Forensics evidence was evaluated.

The on-going and unsolved question for our research is, "Could this case have been worked the other way around?" If we had started with the Honolulu City and County Employees Credit Union phishing site, would we have still ended up at Tien Truong Nguyen's front door? If you are a law enforcement officer with first-hand experience in phishing investigations, we'd love to talk with you and get your opinion.

References: Stranger than Dictum: Why Arizona v. Gant Compels the Conclusion that Suspicionless Buie Searches Incident to Lawful Arrests are Unconstitutional by Colin Miller, Assistant Professor of the John Marshall Law School.

Wednesday, September 02, 2009

Bell Canada phish - still about the Cards

As I was reviewing new spam categories from yesterday's mail to the UAB Spam Data Mine, I noticed a new phishing campaign against Bell Canada. It is important that consumers who have been trained to believe that "phishing emails pretend to be banks" understand that ANY sort of company can be imitated in a phishing email.

Apparently someone really wanted us to visit this phishing site, since we received more than 200 copies of the spam message. The site, which was still live this morning, more than 24 hours after the campaign had begun, looks like this:



I know what you're thinking. Why would anyone go to the trouble to steal the userid and password to my home telephone service? Perhaps the second page of questions will help answer that question:



After the phisher gets your Visa or Mastercard number, complete with Expiry date and Security Code, then we try for the Identity Theft Trifecta: Mother's Maiden Name, Date of Birth, and Social Insurance Number (the Canadian version of our Social Security Number). Of course they get a complete home address with home phone and employer just for good measure.

Phishing builds trust by imitating a trusted relationship, and then asks for more personal details. As consumers become more aware of "bank phishing", we will likely see more "non-bank phishing", hoping that the cautious behavior learned by banking customers doesn't generalize to the relationship with their phone company.

Truthfully, this was the second time that we have seen a Bell Canada phish, but the professionalism of this site is a huge improvement over the phish of July 28th. In the July 28th email, we were addressed as "Dear costumer" with a website that pointed to "ns2.e-karnet.net/home/Home_L-Login.pagelanguage=en&region=ON.htm". That previous email came from "privacy@bell.ca" while the current email comes from "notification@bell-biling.ca". There were quite a few similarities however.

The target domain advertised in the new phishing campaign is:

upgrade-accounts.com

which was registered on August 30th with that most untrustworthy registrar, China Springboard. The computer on which this domain resides is 203.213.76.12, in Australia. According to DomainTools, that same computer is also the host of:

alliance-leicester056.com
alliance-leicester259.com
alliance-leicester304.com
alliance-leicester423.com
alliance-leicester603.com
alliance-leicester620.com
alliance-leicester628.com
alliance-leicester860.com
alliance-leicester907.com
my-pictures-downloads.com
and upgrade-accounts.com

DomainTools says that Upgrade-accounts.com has also been recently associated with the IP address 65.202.231.12, which has also served as the host of:

account-verifications.com
alliance-leicester076.com
alliance-leicester508.com
alliance-leicester528.com
alliance-leicester551.com

The account-verifications.com domain is the big news though! It has been mostly associated with a recent PayPal phish using the host name paypal.account-verifications.com. Once that little piece of evidence slips in, we now see that this is actually a Fast Flux hosting botnet that specializes in phishing. Knowing that bell.ca.upgrade-accounts.com may be a Fast Flux address, we switch modes to check for that, and come up with a HUGE list of computers - more than 120 computers, all of which have acted as the "webserver" for this phishing campaign.

Running quickly through the 128 IP addresses looking for additional hosts, we find a few big nameserver groups that tie the Bell Canada phishing campaign to other phishing campaigns hosted on the same Fast Flux network. Very significantly, however, this is NOT the same Fast Flux network currently being used to abuse Bank of America and KeyBank.

Some nameserver groups on this network:

ns3.the-breakfast-dreams.com used by:

alliance-leicester830.com
alliance-leicester860.com
alliance-leicester890.com
alliance-leicester551.com
alliance-leicester851.com
alliance-leicester312.com
alliance-leicester304.com
alliance-leicester174.com
alliance-leicester076.com
alliance-leicester727.com
alliance-leicester547.com
alliance-leicester508.com
alliance-leicester028.com
alliance-leicester528.com
alliance-leicester038.com
alliance-leicester068.com
alliance-leicester259.com

ns2.my-toshi-dns.com used by:

alliance-leicester620.com
alliance-leicester830.com
alliance-leicester850.com
alliance-leicester860.com
alliance-leicester890.com
alliance-leicester851.com
alliance-leicester312.com
alliance-leicester882.com
alliance-leicester603.com
alliance-leicester423.com
alliance-leicester963.com
alliance-leicester174.com
alliance-leicester065.com
alliance-leicester446.com
alliance-leicester056.com
alliance-leicester076.com
alliance-leicester547.com
alliance-leicester508.com
alliance-leicester718.com
alliance-leicester528.com
alliance-leicester628.com
alliance-leicester038.com
alliance-leicester259.com
verification-processing.com

ns2.the-tzone-strip.com used by:

my-pictures-downloads.com (such as doc_v1.my-pictures-downloads.com)
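
The Fast Flux check and the grouping of campaigns by shared hosts described above can be sketched as follows. This is an added example, not the tooling used for this post: the hostnames and 10.x addresses are constructed, a /16 prefix stands in for "a different network" (an ASN lookup would be the real measure), and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

def _bots(first_net, count):
    """Constructed stand-ins for infected home computers, one per /16."""
    return [f"10.{first_net + i}.{i}.{10 + i}" for i in range(count)]

NET_A = _bots(0, 12)    # one pool of compromised machines
NET_B = _bots(100, 10)  # an unrelated pool

# Constructed (hostname, resolved IP) observations collected by repeated lookups.
OBSERVATIONS = (
    [("bell.phish-a.example", ip) for ip in NET_A[:10]]
    + [("paypal.phish-a.example", ip) for ip in NET_A[2:12]]
    + [("ns2.dns-a.example", ip) for ip in NET_A[4:9]]
    + [("bank.phish-b.example", ip) for ip in NET_B]
    + [("www.static-site.example", "10.200.0.5")]
)

def build_index(observations):
    """Map each hostname to the set of addresses it has resolved to."""
    index = defaultdict(set)
    for host, ip in observations:
        index[host.lower()].add(ip)
    return dict(index)

def is_flux(ips, min_ips=5, min_nets=4):
    """Many addresses spread over many unrelated networks suggests fast flux.

    A load-balanced legitimate site also has several addresses, but they
    normally sit in a handful of prefixes owned by one operator.
    """
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return len(ips) >= min_ips and len(nets) >= min_nets

def cluster(index, min_overlap=0.5):
    """Group flux hostnames (web hosts and nameservers) that reuse the same bots.

    Overlap is measured against the smaller set, because a nameserver
    usually rotates through fewer machines than the web host does.
    """
    flux = sorted(h for h, ips in index.items() if is_flux(ips))
    parent = {h: h for h in flux}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for a, b in combinations(flux, 2):
        shared = len(index[a] & index[b])
        if shared / min(len(index[a]), len(index[b])) >= min_overlap:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for h in flux:
        groups[find(h)].append(h)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster(build_index(OBSERVATIONS)):
        print("same flux network:", ", ".join(group))
```

Two campaigns that land in different groups, as the Bank of America and KeyBank campaigns do relative to this one, are being served from separate pools of machines.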

Other than the correction of the mis-spelled "Costumer" to "Customer", both emails have the same wording:




This e-mail was sent by Bell Canada to notify you that we have temporarily prevented access to your account.

We have reasons to believe that your account may have been accessed by someone else.

Please verify your details by following the link below :

http://www.bell.ca/account-activation?id=539933

© Bell Canada
( Please do not reply to this e-mail , this account is not monitored. Follow the instructions in the e-mail )





We only received one copy of the first email, sent from a single computer in Peoria, Illinois attached to the OmniLec network: 207.152.69.115

The new email came from botnet computers all over the world, including computers in Argentina, Belgium, Brazil, Chile, Germany, Hong Kong, India, Israel, Italy, Portugal, Russia, Singapore, Spain, Taiwan, Uruguay, Vietnam, as well as US based networks large and small.

The spamming program seems to be inserting false "Received" lines into the mail. So for instance, a computer in Spain has mail header lines that seem quite troubling at face value. "mail.royalbank-usa.com" or "mxe.jpmchase.com"? On further review these "trusted" mail senders have been falsely injected into the mail headers.


Received: from home (cm-85-152-241-195.telecable.es [85.152.241.195])
by [Gary's Server] (8.11.6/8.11.0) with ESMTP id n81JLV015681;
Tue, 1 Sep 2009 19:21:33 GMT
(envelope-from busybodiesoc8@home.com)
Received: from 85.152.241.195 by mxe.jpmchase.com; Tue, 1 Sep 2009 13:21:45 -0600
Date: Tue, 1 Sep 2009 13:21:45 -0600
From: Bell
X-Mailer: The Bat! (v2.00.2) Business
Reply-To: busybodiesoc8@home.com
X-Priority: 3 (Normal)
Message-ID: <236508618.53500285241073@home>
To: [Gary's spam trap]
Subject: Bell Online Notification
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1252
Content-Transfer-Encoding: 7bit
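
One way to spot injected lines like the one above is to trust only the Received header written by your own server and test every older line against it. This is an added example, not part of the original analysis: the function names and reason codes are assumptions, and the sample is the header block shown above with folding whitespace restored.

```python
import re
from email import message_from_string
from typing import List, NamedTuple, Optional

# Headers from the post; continuation lines re-indented so they parse as one field.
SAMPLE = """\
Received: from home (cm-85-152-241-195.telecable.es [85.152.241.195])
    by [Gary's Server] (8.11.6/8.11.0) with ESMTP id n81JLV015681;
    Tue, 1 Sep 2009 19:21:33 GMT
    (envelope-from busybodiesoc8@home.com)
Received: from 85.152.241.195 by mxe.jpmchase.com; Tue, 1 Sep 2009 13:21:45 -0600
Date: Tue, 1 Sep 2009 13:21:45 -0600
Subject: Bell Online Notification

(body omitted)
"""

class Hop(NamedTuple):
    helo: Optional[str]   # name the sender announced
    rdns: Optional[str]   # name the receiver looked up
    ip: Optional[str]     # address the receiver saw
    by: Optional[str]     # server claiming to have written this line

class Finding(NamedTuple):
    position: int         # 0 is the topmost (most recent) Received line
    claimed_by: Optional[str]
    reason: str

class Report(NamedTuple):
    source_ip: Optional[str]
    findings: List[Finding]

_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
_BY = re.compile(r"\bby\s+(\[[^\]]*\]|[^\s;]+)", re.I)
_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hop(value: str) -> Hop:
    text = " ".join(value.split())          # undo header folding
    helo = rdns = ip = None
    m = _FROM.match(text)
    if m:
        helo, comment = m.group(1), m.group(2) or ""
        found = _IP.search(comment) or _IP.fullmatch(helo)
        ip = found.group(0) if found else None
        words = comment.split()
        if words and not words[0].startswith("["):
            rdns = words[0]
    b = _BY.search(text)
    return Hop(helo, rdns, ip, b.group(1) if b else None)

def analyze(raw: str, trusted_by) -> Report:
    """Split the Received chain at the last line written by our own servers."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    trusted = {t.lower() for t in trusted_by}
    boundary = -1
    for i, hop in enumerate(hops):          # headers are prepended: newest first
        if hop.by and hop.by.lower() in trusted:
            boundary = i
        else:
            break
    # The address our server recorded is the only one the sender could not fake.
    source_ip = hops[boundary].ip if boundary >= 0 else None
    findings = []
    for i in range(boundary + 1, len(hops)):
        reason = "unverified"               # written before mail reached us
        if i > 0 and hops[i].by:
            upper = hops[i - 1]
            peers = {n.lower() for n in (upper.helo, upper.rdns, upper.ip) if n}
            # A real relay named in "by" would be the host the next hop saw.
            if hops[i].by.lower() not in peers:
                reason = "relay-mismatch"
        findings.append(Finding(i, hops[i].by, reason))
    return Report(source_ip, findings)

if __name__ == "__main__":
    print(analyze(SAMPLE, {"[Gary's Server]"}))
```

On the sample, the connecting address recorded by the receiving server is 85.152.241.195, and the line naming mxe.jpmchase.com is reported as a relay mismatch because that host never appears as the peer of the next hop.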




Some computers associated with hosting this campaign:


Here is a sample of the PayPal version of this phishing campaign . . . the samples received on 02SEP09 actually give the red-letter due date of September 4, 2009.



And this is what the destination website looks like:



paypal.account-verifications.com 75.64.12.251
paypal.account-verifications.com 75.71.206.166
paypal.account-verifications.com 76.106.45.169
paypal.account-verifications.com 76.121.95.161
paypal.account-verifications.com 76.211.231.228
paypal.account-verifications.com 76.226.3.189
paypal.account-verifications.com 76.251.30.161
paypal.account-verifications.com 76.251.30.217
paypal.account-verifications.com 77.126.129.61
paypal.account-verifications.com 77.126.224.30
paypal.account-verifications.com 77.98.104.107
paypal.account-verifications.com 78.106.150.21
paypal.account-verifications.com 78.106.36.178
paypal.account-verifications.com 79.182.107.157
paypal.account-verifications.com 79.78.132.207
paypal.account-verifications.com 79.78.174.115
paypal.account-verifications.com 79.78.194.155
paypal.account-verifications.com 80.2.198.148
paypal.account-verifications.com 80.243.252.246
paypal.account-verifications.com 80.243.255.209
paypal.account-verifications.com 81.56.250.159
paypal.account-verifications.com 81.56.67.245
paypal.account-verifications.com 81.57.3.231
paypal.account-verifications.com 82.192.130.213
paypal.account-verifications.com 82.224.8.132
paypal.account-verifications.com 82.54.130.181
paypal.account-verifications.com 82.81.59.108
paypal.account-verifications.com 83.217.136.210
paypal.account-verifications.com 84.215.65.58
paypal.account-verifications.com 84.224.110.22
paypal.account-verifications.com 84.224.123.17
paypal.account-verifications.com 84.224.41.3
paypal.account-verifications.com 84.224.79.166
paypal.account-verifications.com 84.224.86.75
paypal.account-verifications.com 84.99.63.200
paypal.account-verifications.com 85.156.144.24
paypal.account-verifications.com 85.156.191.12
paypal.account-verifications.com 85.218.15.247
paypal.account-verifications.com 86.20.198.55
paypal.account-verifications.com 88.169.2.156
paypal.account-verifications.com 88.185.146.240
paypal.account-verifications.com 89.178.117.148
paypal.account-verifications.com 89.195.143.55
paypal.account-verifications.com 89.195.70.163
paypal.account-verifications.com 89.242.111.217
paypal.account-verifications.com 91.107.224.186
paypal.account-verifications.com 91.67.60.242
paypal.account-verifications.com 93.80.41.163
paypal.account-verifications.com 94.197.114.111
paypal.account-verifications.com 98.151.171.171
paypal.account-verifications.com 98.154.122.245
paypal.account-verifications.com 98.193.136.121
paypal.account-verifications.com 98.208.170.143
paypal.account-verifications.com 98.231.216.148
paypal.account-verifications.com 98.239.34.67
paypal.account-verifications.com 98.249.93.67
paypal.account-verifications.com 99.139.126.44
paypal.account-verifications.com 99.141.212.29
paypal.account-verifications.com 99.144.178.98
paypal.account-verifications.com 99.145.1.33
paypal.account-verifications.com 99.154.247.41