Saturday, May 19, 2012

What about the Social Security Numbers? (The Utah Data Breach and your SSN)

The Utah Data Breach

This week the continuing saga of the Utah Medicaid Data Breach continued to unfold.

If you haven't been following the story, here's the play-by-play:

That is an amazing story. Remember that Utah only has 2.8 million people according to the US Census. So in this single data breach 28% of the residents of Utah had their personal information stolen from them, and 10% of them had their Social Security Number stolen.

The good news, if there is any, is that Utah is now Very Serious about Identity Theft, launching its new IRIS: Identity Theft Reporting Information System in response. What will it take for the other states to get serious about identity theft?

What About Social Security Numbers?

The Utah story was only intended to be a vehicle for asking this question. What are we doing about Social Security Number theft? If hackers get your password, you can have your password reset. If hackers steal your credit card number, the bank will issue you a new one. If your bank account is breached, it is not uncommon to have the bank CLOSE your account and open a new account for you. But what if you the hackers steal your Social Security Number?

The first place that seemed reasonable to check was the Social Security website. They have a page about Identity Theft called Identity Theft and Your Social Security Number (SSA Publication No. 05-10064, ICN 463270, August 2009).

That form asks "What if an identity thief is creating credit problems for you?" and answers the question:

If someone has misused your Social Security number or other personal information to create credit or other problems for you, Social Security cannot resolve these problems.

They have several recommendations:

But read on . . . IT IS POSSIBLE to get a new Social Security Number, and Social Security will work with you to do that IF YOUR NUMBER IS BEING ACTIVELY ABUSED, but they warn that getting a new number may actually be worse than the abuse. For example, in the United States, the key to your credit history is your Social Security Number. If you get a new number, congratulations, you now have Zero Credit History. You won't be able to get a credit card or a loan without a lengthy ordeal or a co-signer.

So what is the answer? Despite all the controversy, it may be time to go back to the discussion of a National Identity Card. I visited Spain last summer and my banking security friends marveled at how the US clung to our antiquated system. They have a National Identity Card (DNI - Documento nacional de identidad) that is carried at all times. The chip in the card contains a digitized version of a photo of the bearer, plus a digital version of their signature and finger prints! There is no value to having only the Number -- my friend who was explaining it to me said you can write your number on your business cards, because there is NOTHING ANYONE CAN DO by simply having the number. It is the CARD that has value. If you have my number, but not the chip in my card, it is worthless to you.

I'd like to see this discussion move forward. If criminals don't already have your Social Security Number, it is certainly only a matter of time. Even if it is only a theoretical question right now, it is extremely likely that this question will be a personal matter to you or someone you love in the near future.

Especially if you live in Utah.

Lessons from the First Cyber Cops

I was so excited to see Bob Gourley's blog post "A Lesson From the First Cyber Cops" which is how I learned about an event on May 16th hosted by the Atlantic Council. As part of a program called the Cyber Statecraft Initiative, Jason Healey moderated a discussion called: ”Lessons from Our Cyber Past: The First Cyber Cops”.

The panelists were all people that I have met and been very impressed with over the years: Steven Chabinsky was the lawyer who served as Senior Counsel to FBI's Cyber Division and advised our InfraGard national board when I served in 2002-2003. He was the first lawyer I met who actually understood what cyber was all about. He's currently the Assistant Deputy Director of National Intelligence for Cyber.

Shawn Henry, former FBI Executive Assistant Director of Criminal, Cyber, Response, and Services Branch, and now a principal at CrowdStrike. I saw him last sharing his passion for the InfraGard program up in DC last November.

Christopher Painter, the Coordinator for Cyber Issues at State and former U.S. Attorney, Computer Crime and Intellectual Property Section of the Department of Justice, who I first met as I was learning about the "24/7 network" of international information sharing that he helped to build.

What I've done here is listened to the audio recording of this panel session, and done my best to accurately transcribe what I heard. I think you'll find it as fascinating as I did, but encourage you to Listen to the MP3 if you have time. There were about forty minutes of Q&A from the audience at the end that I have not transcribed. Any errors in transcription are mine, please take this as "gary's notes" and use the MP3 as your authoritative source.

Getting Started in CyberCrime Investigations

Q: What got you started in Cybercrime?

A: (Chris Painter) Always interested in technology, while I was in college and law school. In 1991 went to the US Attorney's office in California. This was before the web, but many companies, and the government, and the military and others were certainly relying on computers.

I was working with Scott Charney who had started the first Computer Crime unit. There were several companies experiencing theft of source code, including cellular phone companies, and the University of Southern California, where they had data losses, but also someone storing stolen data there. That turned out to be Kevin Mitnick. We had great FBI agents here, Trent Teyema, Ken McGuire and others. In the course of investigating Kevin, I had to learn Linux, and how to review log files. Worked with the first Stock manipulation cases, the first eBay case, which was the Mafia Boy DDOS case, which was the first case I worked with Shawn on. Back in that day a plane was circling the court house with a banner reading "FREE KEVIN!"

A: (Steven Chabinsky) The way I got into computers was with games. In 1979 or 1980 I had a cousin that had a TRS-80. He was signing in to a service called "The Source" and he allowed me to play "Adventure". One of those games where you typed "Turn Right" and it says "You see a nasty elf, what do you do?" and you type "Fight Elf" and it says "The nasty elf killed you!" I was fascinated. I was the kid that worked every day after school, not to save money to buy a car, but to buy an Apple computer. The one I wanted was 1200 bucks and it didn't come with a floppy drive. A floppy drive was another 400 bucks. It came with 48k. I had to buy another 16k just to be able to program, in Fortran at the time. I end up joining the FBI. Fast forward. In 1998 President Clinton had PDD-63, and the FBI was put in the lead of the National Infrastructure Protection Center. The concept was that multi-agency and private sector had to work together. They needed another lawyer, and I raised my hand immediately. It had to do with Cyber. In 1996, Cleveland, Columbus, and Toledo had started InfraGard. I really need your help. How would we nationalize this program? We took this group of a couple hundred people and today it has 50,000 members. The FBI only has 30,000 members. After September 11th, it grew to be beyond Cyber and to include Critical Infrastructure. And in that time I began to give legal advice, and began to give legal advice on all sorts of intrusion cases, which is how I met Shawn Henry.

A: (Shawn Henry) I'm honored to be with two of my closest friends. Our relationships developed because we were on the front line in this space in 1999 and 2000. There were not a lot of things known at this time. I latched on to these two attorneys who were working in this space and who were most importantly innovative. My start was very similar to Steve's only instead of playing with an elf, mine was Star Trek. You see a Klingon ship. Turn right. That was my interest as a freshman in high school. When I joined the Bureau there were some linux courses and cyber courses available and I took them. There was a vacancy as Chief of the Cyber Investigations Unit and this was a natural route for me to take.. I had spent a couple years at headquarters as a supervisor. I wanted to take the things we did in the physical world, the things we learned fighting organized crime and terrorist groups, white collar crime, and apply them in the Cyber realm. I had a lot of experience using authorized intercepts, wiretaps, informants, that sort of thing. This was 1998. I remember sitting there with Steve in the command post at 11:59 PM on New Year's Eve watching the countdown, 9, 8, 7, ... when it hit zero, the lights went off. Because someone had flipped the switch off as a prank. But Steve and I started working the very first undercover case in the Computer Intrusion environment. We had hundreds of cases at the time but we had never used this technique. It was the first time Steve and I had met to chat about the legal consequences. We had an undercover agent who joined a hacking group, who actually did some hacking - all segmented and legally authorized - it gave us great insight into the group and is now common practice for us. That would have been February or March of 2000. We did get a prosecution, but I can't say what group.

What were the Wake Up Call events?

Q: The DOD has been through several "wake up call" events, the latest being Buckshot Yankee. Has DOJ been through that as well?

A: (Steve) Yes, with Solar Sunrise we see military computers, .mil computers, being intruded upon coming from abroad. It was happening during the conflict with Iraq. The traffic is coming in from a middle eastern country, and it really looks like this is an attack coming from a nation state. There was the obvious real possibility that we were under attack. If we are, how do we handle attribution, how do we respond. Of course the FBI does their investigations constitutionally, by the rules, regulations, statutes, and constitutional requirements of the US, not traveling easily in ways that would impact the sovereignty of other nations. Dealing with probable cause and beyond a reasonable doubt. Is there enough to justify a military response. We were at the table saying that we don't think there is enough attribution at this time. Of course we know the end of the story. A couple kids in Cloverdale, California, working with a young adult in Israel, purposely routing their traffic to make it appear to be coming from another country. (Gar-note: we blogged about The Analyzer, the Israeli in Solar Sunrise.) What was the moral of the story? Our .mil had been intruded upon. It could have been used to launch attacks on other countries. Will our adversaries show the same restraint if they were to see our computers attacking them? Another incident involved the White House, getting all the named players on a teleconference, this was before DHS. A large botnet, a very large botnet was being assembled - is it possible that it is being grown to attack the United States? Well, no, in the end it was being used for click fraud. (Laughter) Yes, your reaction, it becomes comical. But at the time, you can't anticipate the end of the story while you are in the middle of it. Early on we were thinking an attacks was coming from your country, but now its gone to the other extreme, there is such poor attribution that the problem has resolved itself. We're better at understanding the motives of events. We don't have White House calls about these incidents any more.

A: (Chris) You asked about wake up calls, we've had several, but they are like wake up calls with a snooze button. It gets attention briefly and then we go back to sleep. Back in 2000 when we saw these big botnets being built, we thought this was going to be how the criminals took down everything. But then we started seeing the large DDOS events against media companies like CNN. They got a lot of media attention, it took a few months, but we found him and it turned out to be a 13 year old boy, MafiaBoy, living in Canada. At the time we were saying "This must be a nation state! It's too sophisticated, it couldn't be an individual." RCMP monitored his communications back to his house. The father was ordering a hit on one of his colleagues, so it was Mafia Dad and Mafia Boy, great family.

That was one wake up call. Later on you had the commercialization of this with botnets, botherders, and then the lone wolf, lone gunman hackers, who kept a low profile who didn't want to be seen who wanted to steal money or trade secrets from companies and others or having an impact on infrastructure. The early Infrastructure impacts were inadvertent. Some kids playing in a telephone switch who impacted a local airport ... (24:40) ... these all built on each other to create the atmosphere now compared to even five years ago is dramatically different, because of these cases, successful cases that we've talked about and other things that have happened.

A: (Shawn) We haven't had the wake up moment yet globally, and we won't until there are physical implications ramifications of an actual attack. When the lights go off for a period of time, or when people die. Its the equivalent of planes crashing into buildings. People take terrorism seriously when they see blood in the streets. For me the wake up uwas the I Love You virus. Around Valentine's Day, I love you, everyone wants to know who, so they all click on it and have a virus. It had a cascading effect around the world in 24 hours. This is not a United States problem, this is a global problem. In the past it was relatively clear where venue was. We had victims in all 50 states and 56 field offices who all claimed they had venue. I had to decide where, as chief of the unit, where venue was going to be and which field office was going to work that case, and I did it without conferring with the US Attorney's Offices. I gave it to Newark, and their US Attorney's Office jumped on board. When ultimately at the end of the day we identified that this was a young man in the Philippines, he was identified and someone put their arms on him, but in the end the Philippines had no law against what he did. Even though he was identified, even though he caused great economic damage, nothing happened. They arrested him, but then they let him go. The global element here. How do we look at this as an International level. Its an international problems. We need to have consistent laws, consistent strategy. We have to have a consistent understanding. The FBI has now centralized rather than 56 field offices operating independently there is a central command. Headquarters will decide how things get done. We, and not just the FBI, but the community as a whole have become much more strategic in our operations and much more strategic in the execution of our mission.

A: (Steve) Cybercrime has lead in terms of our understanding and Cybersecurity followed on. People were working on cyber crime policy before they were thinking at a policy level about cyber security, partly because of the I love you virus. There was a lot of efforts through the G8 to focus on cybercrime. There was a ministerial meeting back in 1999 where this was pushed as a major initiative. Three legs of a stool, you had to have good capacity to fight these crimes, good laws in place, and the capability to cooperate internationally. The G8 and then the Budapest Convention on Cybercrime, the Council of Europe convention that is still the single item that really deals with these issues. The 24/7 program which started with 8 countries and now has 60 countries. There was a lot of work enhancing the Legat program around the world. It was really good expert work among the cognicenti that has now reached the leadership of these governments.

A: (Shawn) I think you are being modest Chris, because the world looked to you and your colleagues at DOJ. The Philippines ended up updating their laws in just a couple months and the world followed. The Department of Justice put us in a leadership role here. The United States, through the Department of Justice, really put us in place. I haven't seen any cases in the last eight years where we haven't been able to prosecute because the laws were not in place.

A: (Steve) I'll go back to what Shawn said -- Its not about all following the cyber trail. There is the money trail. You have to combine all these things. There are a lot of countries where it is still illegal to do undercover operations. You can react all day long, but if you can't get inside these organizations and bust them down from the inside.

Are We Winning?

Q: It sounds like overall on the cybercrime and law enforcement side in the US, we've made great progress. Are we winning?

A: (Shawn) We are not winning

A: (Steve) But I don't think we are losing. This is why I always hate this question! (Shawn: The State Department!) What are the metrics for winning? How do you measure winning or not winning? Clearly there is much more awareness, there is much more law enforcement resource, there are things like Infragard on the private sector, there is more international awareness of this, but the threat has gotten bigger. Criminal groups, nation states, potentially terrorist actors though we aren't seeing this yet. We clearly are more reactive than we should be and we need to have more capability to fight it. Yes or no.

A: (Shawn) When I say we aren't winning, we are not getting ahead, we are falling behind. We are having impact. We are having success. Through the efforts of the FBI, the Department of Justice, the Intelligence community, and the private sector, we have had impact. We have made arrests, we have identified groups, we have attribution, but we are not getting ahead, we are falling behind. there is more and more data getting pushed, more and more people coming online more subjects getting into this who are realizing opportunities to exploit and to line their pockets, and there are countries getting involved in cyber espionage. We are having successes but we are falling behind.

A: (Chris) We are having successes. I came to this in August of 1998. The private sector is working together, the government and the private sector are working better together. I'm seeing more arrests. Tactically, you can show a chart showing how we've improved. We're doing better, but the threat is outpacing our capabilities. When we look at our strategy - what does success look like? The reason we are getting further behind - early on we saw this as an Internet problem a net-centric threat. Over time we've come to see this is a technology threat. Every aspect of our lives are chip-enabled. The threat is controlled by technology. The vulnerabilities to automobiles there are chips controlling your accelaration chips control your brakes. Can we get in through bluetooth? Biomedical devices - there is software in the insulin pump that allows for remote diagnostic capability. There are chips controlling the flow of insulin into your body. Can we cause that to happen remotely? The researchers say yes. You see the problems with Wireless, purposeful interference and jamming. We are becoming more reliant on inherently vulnerable products and services. So the combination of those two make us as a strategic point, falling further behind. We are getting to a point where we have to reflect on what risk mitigation looks like in this area. Whether our policies that focus predominently on vulnerability mitigation and whether that is a successful long term security model. If you think of most security models they rely on on threat deterrence - the notion that the actor won't act because there will be some deterrant effect. you'll be captured, have some penalty. Here we have a model relying on hardening our targets. That's not how we live in the real world, that's called a fortress. Technologies are not meant to be bunkered down. It's not surprising as we accept technologies that are not fortressed and bunkered down, when we have a risk model that doesn't rely on threat deterrence, we'll fall further behind.

A: (Steve) We have to have both of them. You need to lock your doors which we haven't done a good job of, AND have consequences for the people who break in also. There is a lot more to do on hardening the targets and locking the doors, but you have to do threat reduction and threat deterrence. The question is, If you are a cyber criminal, let's take the criminal element for now, it used to be really costless to you, could route your attacks through other countries, you really wouldn't think there was any chance of getting caught. Most cyber criminals ... There have been some great deterrent cases, Getting deterrence cases out there, undercover cases taken down that make the criminals not trust each other. But there is no perception of risk. The positive side if there is a benefit to the criminal, but there is a neglible chance of getting caught, you aren't going to have an impact.

Lessons Learned?

Q: When I look at DOD, I see them caught up on the same questions they had in the late 90s on organizations, and authorities, and definitions, but when I look at Cybercrime it seems you have made progress beyond all that. What are the most important lessons, and are those lessons being inculcated on the new agents, new attorneys?

A: Understanding the scope of this problem and how it will impact your life. There is an age-old problem that the three of us have dealt with for years, which is that victims won't come forward. There is a sense there is nothing government will do for them. That they would be further victimized, that law enforcement would come in and cart off their computers, that they would suffer public reputational damage if it was found out. We need to move this from the area of cyber intrusions being some special sexy kind of thing, but more like bank robberies in Los Angeles. There were many bank robberies in Los Angeles, but people kept using the banks.

A: There has been dramatic progress in how law enforcement addresses these issues. We are doing much better on not victimizing victims. There were big cases before I got there, a Citibank case ???? (42:15) ??? there were stories early on when the FBI came in and in order to preserve the data we seized the computers. We fixed that right away. We didn't keep repeating that, although the stories continue. We also stopped naming the victims so often. Working with the private sector better. The other issue, a Cuckoo's Egg issue back to Clifford Stoll, where someone says there has been a victimization and you ask how much the damage is and its neglible, 75 cents, you hang up and laugh. (Gar-note: Clifford really did report that someone had used 75 cents of computer time, and then had changed the logs to hide it.) The damage is not obvious, but the threat to infrastructure represented by these intrusions are real. You don't have to wait for a big dollar loss to take an attack seriously. The third area of change is taking information IN THE COURSE Of the investigation, and using that information to help protect victims while the case is still active. Back in the NIPC days, we would literally get on a stage and tell private sector what we knew while proceeding with the investigation. I hear all the time that the FBI wants to keep the problem happening so they can monitor the crime and don't care about the victim. We've done a better job helping law enforcement provide value to the Net Defender while we are proceding against the adversaries.

Q: When we first started, every FBI dude would stand up and say "I don't really understand these computers, I have to ask my granddaughter to help me ..." and every FBI dude would get up and start the pitch that way - but I remember the first time I heard Steve with Kim Perretti talk and realize they really get this stuff.

A: We started really hiring towards this hiring pool. In the 90s we hired attorneys and CPAs for the agent role, but then over time began hiring very brilliant people, who work for major companies patriotic people who sometimes take a cut of 2/3rds of their salaries. We created a career path oriented towards cyber, with 30 unique courses that are evaluated constantly to make sure they are timely.

A: In dealing the victims, we only identified in the Mitnick case the victims by their initials. Bloomberg had a hacker try to extort them, and he came to the FBI and said "screw them, I want to send the message that you can't come threaten me like this." Bloomberg met the guy in London with $250,000 with two of his colleagues who were actually a Metropolitan Police officer and an FBI agent who proceeded to lock up these two Kazikstanis and bring them back to New York. (See: Zezov case for details)

Q&A Session

Friday, May 18, 2012

Social Engineering: Facebook Photo

Please welcome a guest-blogger, Sarah Turner, who authored today's report. Sarah is a malware analyst in the UAB Computer Forensics Research Laboratory and is the editor of our daily "Emerging Threats By Email" report. I asked her to put together an article about a prevalent spam campaign that has been running wild for about a month now. While the HISTORICAL malware described below is fairly well detected, each morning when a new version has come out the detection has been low, with improvement over the next 24-48 hours. If you see a message like this, RESIST TEMPTATION! DO NOT CLICK!


Social Engineering: Facebook Photo

Guest blogger: Sarah Turner

This campaign utilizes social engineering containing subject lines that insinuate a photo is enclosed that was obtained from a social media site or public domain depicting the recipient or the ex girlfriend of the recipient in a scandalous or otherwise embarrassing predicament.

The campaign only uses 8 subjects, shown below.

  • FW:Check the attachment you have to react somehow to this picture
  • FW:They killed your privacy man your photo is all over facebook! NAKED!
  • FW:Why did you put this photo online?
  • FW:You HAVE to check this photo in attachment man
  • RE:Check the attachment you have to react somehow to this picture
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
  • RE:You HAVE to check this photo in attachment man

The email body can vary between the 3 samples shown below:

I have a question-have you seen this picture of yours in attachment?? Three facebook friends sent it to me today...why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

Hate to bother you,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter...The question is is it really you???.

I'm sorry,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that due??.

all of which encourage the recipient to open the attachment and see the image to which they’re referring. Typically the attachment is in the form of a .ZIP containing an executable, however the attachments received on May 16, 17, and 18, the attachment extension was not as a .ZIP but as “.jpg.exe”.

The first few times this malware was received (April 20 – 23), once it was downloaded and prompted to run, it acted as an AntiVirus Software.

After that, the received malware was identified as Cutwail delivering Zeus. The executable would be prompted to run and there would be no recordable network traffic but multiple changes would be made to your Registry and a new file, named svchost.exe would be added to your computer. The executable received today had a detection of XXXX on Virus Total.

UAB has 11 prominent MD5’s associated with this campaign (and a couple mis-formed files)

count md5_hex
24998  b42cf3d2cc829aba1e771f9517b2b97d (38 of 41 detects at VirusTotal)
21754  57f40166fd7cafe84ef51fe5f7776c51 (21 of 41 detects at VirusTotal)
21011  77e7fc1b2addc8ee5ea74e3592d4ab89 (14 of 41 detects at VirusTotal)
14918  76e144a572b4c52e3ddb8bd860dfbdd9 (36 of 41 detects at VirusTotal)
9562  5dea03a160543724d7cf4adda93a28ae (36 of 41 detects at VirusTotal)
9138  061f96cf8f7713d17e580900ba20c6b4 (31 of 42 detects at VirusTotal)
8286  9badf88e346bd0530d4e5248d2bb2f35 (37 of 42 detects at VirusTotal)
6362  d60bfa876dc382908fbcde1c96d5b95f (36 of 42 detects at VirusTotal)
5604  bf7b30a96dc8be8bbfb826158afb2379 (34 of 42 detects at VirusTotal)
4742  8cc36756d15560335ed53c47bd7cbc5e (36 of 42 detects at VirusTotal)
2538  d6f05da06a26d9d731273a0fa26dd7e1 (12 of 42 detects at VirusTotal)
This campaign was seen for the first time on 4/20/12 and was the top campaign seen today. Below is the full list of days and receipt counts from prior to this week.
receiving_date count
----------------        ------
 2012-04-20      6372
 2012-04-21      20819
 2012-04-22      3182
 2012-04-23      5739
 2012-04-29      14918
 2012-05-03      9252
 2012-05-04      308
 2012-05-06      2
 2012-05-07      9138
 2012-05-08      8286
 2012-05-08      13
 2012-05-11      1279
 2012-05-12      4325
 2012-05-16      7260
 2012-05-17      17053
 2012-05-17      13751
 2012-05-18      4701
 2012-05-18      2538
We have seen at least 6,757 unique IP addresses used to send us copies of this email with one of these malware attachments. When the malware is fresh, as it is each morning in the Emerging Threats By Email report, the detection rates are much lower. For example, here is the status from the May 17th Emerging Threats By Email report: So, yesterday morning when the report was written, that version of the malware had 7 detects, although as of this writing it has 14.

Nichole Michelle Merzi of Operation Phish Phry gets 5 years

Back in 2009, this blog ran the story FBI's Biggest Domestic Phishing Bust documenting Operation Phish Phry and explaining what was then known of the structure of an international phishing operation with more than 100 members. Yesterday Nichole Michelle Merzi, one of the ring-leaders, was finally sentenced to five years:
Defendant is committed on Counts 1, 34, 35, 38, 39, 48, and 51 of the Indictment to the Bureau of Prisons for 36 months. This term consists of 36 months on each of Counts 1, 34, 35, 38, 39, and 51; 36 months on Count 48, to be served concurrently; and 24 months on Count 46, to be served consecutively; for a total of 60 months. Defendant shall receive credit for any time served. Supervised release for three years.
The case began all the way back on September 30, 2009 with the filing of an indictment that charged:
  • Kenneth Joseph Lucas (1) count(s) 1-9,
  • Nichole Michelle Merzi (2) count(s) 1,
  • Jonathan Preston Clark (3) count(s) 1,
  • Jarrod Michael Akers (4) count(s) 1,
  • Kyle Wendell Akers (5) count(s) 1,
  • Wayne Edwards Arbaugh (6) count(s) 1-2,
  • Demorris Brooks (7) count(s) 1,
  • Antonio Late Colson (8) count(s) 1,
  • Kenneth Crews (9) count(s) 1,
  • Manu T Fifita (10) count(s) 1,
  • Jennifer Anabelle Lopez Gonzalez (11) count(s) 1, 7-9,
  • Tinika Sabrina Gunn (12) count(s) 1,
  • Jason Marcellus Jenkins (13) count(s) 1,
  • Sylvia Johnson (14) count(s) 1,
  • Remar Ahmir Lawton (15) count(s) 1,
  • Kyle Brandon Martin (16) count(s) 1,
  • Franklin Anthony Ragsdale (17) count(s) 1, 4-6,
  • Steven Aaron Saunders (18) count(s) 1,
  • Rynn Spencer (19) count(s) 1,
  • Raquel Raffi Varjabedian (20) count(s) 1,
  • Candace Marie Zie (21) count(s) 1,
  • Ashley A Ager (22) count(s) 1,
  • Latina Shaneka Black (23) count(s) 1,
  • Michael Dominick Gunn Dacosta, Jr (24) count(s) 1,
  • Virgil Phillip Daniels (25) count(s) 1,
  • Tramond S Davis (26) count(s) 1,
  • Shontovia D Debose (27) count(s) 1,
  • Joshua Vincent Fauncher (28) count(s) 1,
  • Krystal Fontenot (29) count(s) 1,
  • Anthony Donnel Fuller (30) count(s) 1, 5-6,
  • Michael Christopher Grier (31) count(s) 1,
  • Bryanna Harrington (32) count(s) 1,
  • Shawn K Jordan (33) count(s) 1-3,
  • Billy Littlejohn Kelly (34) count(s) 1,
  • Reggie B Logan, Jr (35) count(s) 1,
  • Ikinasio Lousiale, Jr (36) count(s) 1,
  • Raymond V Mancillas (37) count(s) 1,
  • David P Mullin (38) count(s) 1,
  • Vincent Nguyen (39) count(s) 1,
  • Ario Plogovii (40) count(s) 1,
  • Brandon R Ross (41) count(s) 1,
  • Alan Elvis St. Pierre (42) count(s) 1,
  • Courtney Monet Sears (43) count(s) 1,
  • Me Arlene Settle (44) count(s) 1,
  • Paula W Sims (45) count(s) 1,
  • Jamie Smith (46) count(s) 1,
  • Brandon Kyle Thomas (47) count(s) 1,
  • Christopher Uhamaka (48) count(s) 1,
  • James Michael Viorato (49) count(s) 1,
  • Jovon Darnell Weems (50) count(s) 1,
  • David D Westbrooks (51) count(s) 1,
  • Bridget Deque Wilkins (52) count(s) 1,
  • Marcus Deshaun Williams (53) count(s) 1.

In a conspiracy, we have to show "Overt Acts" committed by each member of the conspiracy in support of the conspiracy, which is how we end up with an 86 page Operation Phish Phry Indictment.

The indictment charges:

18 USC § 134: Wire and Bank Fraud Conspiracy
18 USC § 1344(1): Bank Fraud
18 USC § 1028A: Aggravated Identity Theft
18 USC § 371: Computer Fraud Conspiracy
18 USC § 1030(a)(4): Computer Fraud
18 USC § 1956(h): Money Laundering Conspiracy
§ 2: Aiding and Abetting and Causing an Act to Be Done

There are 335 Overt Acts charged in the Indictment, such as:

Overt Act No. 14: On July 31, 2008, defendant ZIE sent an SMS message to defendant LUCAS, in Los Angeles County, to transmit the account number and account holder name for the one checking account and one savings account that unindicted coconspirator K.M. opened that day at BOA, which transmission was for the purpose of causing defendant LUCAS, to make and to cause an unauthorized transfer of funds to those accounts and for the purpose of allowing unindicted coconspirator K.M. to withdraw the transferred funds.

Overt Act No. 16: On July 31, 2008, in Los Angeles County, defendant LUCAS caused a computer transfer of funds from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant LOGAN's checking and savings accounts.

(In Overt Acts 17 and 18 Logan then withdraws $900 of that money from checking and $400 from savings.)

Overt Act No 70: On August 20, 2008, in Los Angeles County, defendant LUCAS caused computer transfers of $350 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's checking account and $1,200 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's savings account.

Overt Act No. 181: On December 11, 2008, in Los Angeles County, defendant JENKINS drove unindicted coconspirator A. J. to a Wells Fargo bank branch located in Los Angeles County to withdraw the $1,000 that defendant LUCAS caused to be deposited into unindicted coconspirator A.J.'s savings account.

Overt Act No. 186: On December 16, 2008, during a telephone conversation with defendant LUCAS< defendant MERZI advised defendant LUCAS that she had caused an unindicited coconspirator to conduct a transfer of funds from a victim bank account at Wells Fargo, which neither Wells Fargo nor the victim had authorized, and next would cause an unauthorized transfer of funds from a victim BOA account.

Overt Act No. 237: On June 14, 2007, in Los Angeles Cou8nty, defendant K. AKERS transmitted $1,900 by Western Union to unindicted coconspirator E. A.

It goes on like that for some 60 pages. From January 2007 to September 2009, the Ringleaders get victim credentials, the second tier transfer the funds around to accounts opened and controlled by the third tier, who then get driven around and sent into banks to take out the money, which gets passed up through management and wired via Western Union to Egypt, with everyone taking a piece of the pie.

For those who are interested in how you argue such a case in court, I've also posted the Operation Phish Phry Closing Arguments Power Point. Hundreds of pages of courtroom transcripts are also available from PACER.

Thursday, May 10, 2012

IRS Identity Theft leads to 25 year Sentence for Alabama Fraudsters

The news in Alabama today is that IDENTITY THEFT DOES NOT PAY. Veronica Dale of Montgomery, Alabama was sentenced to 334 months in prison and Alchico Grant of Lowndes County, Alabama was sentenced to 310 months in prison after the two participated in a scheme to file more than 500 fraudulent tax returns and steal from the IRS $3,741,908! The two will also have to pay $2.8 Million in restitution.

The sentences were announced on the main Department of Justice website with the title Leaders of Multi-million Dollar Fraud Ring That Used Stolen Information of Medicaid Recipients Each Sentenced to Over 25 Years in Prison

The charges brought against Veronica Dale include:

CR. NO: 2:10-CR-242-MEF (see see Indictment

18 USC § 286: Conspiracy to Defraud the Government
18 USC § 287: False, Fictitious or Fraudulent Claims
18 USC § 641: Theft of Government Public Money, Property or Records
18 USC § 1028A: Aggravated Identity Theft

CR. NO: 2:11-CR-69-MEF (see see Indictment

18 USC § 1343: Wire Fraud
18 USC § 1028A: Aggravated Identity Theft

In the first case, the defendants were:

Veronica Denise Dale
Alchico Dewayne Grant
Laquanta Grant
Isaac C. Dailey
Leroy Howard

In a superseding indictment filed for crimes that occurred after the first case was already underway, the defendants were:

Melinda Renae Clayton
Alchico Dewayne Grant
Veronica Denise Dale
Stephanie Adams
Valerie Byrd

Veronica owned and operated Dale's Tax Service, a tax preparation business located in Montgomery, Alabama. Looking back, it is likely that opening the Tax Service was just part of the plan to commit these crimes.

Veronica obtained Social Security numbers and names and used them to prepare and file false income tax returns and directed tax refunds to be deposited into accounts controlled by her and her co-defendants.

The bank accounts received at least $2.3 million in tax refunds.

1/21/2009 $4,990
2/14/2009 $5,124
3/6/2009 $7,352
3/15/2009 $10,688
3/15/2009 $10,031
3/15/2009 $10,332>
3/24/2009 $10,636
etc. etc. (the indictment lists 26 filings, but this happened well over 500 times!) Money was deposited into accounts opened in 2008, 2009, and 2010 at Regions Bank in Montgomery, Alabama and Woodforest Bank in Montgomery, Alabama, as well as Alabama State Employees Credit Union, MAX Credit Union. In 2011 additional accounts were opened at Bank of America where several more tax returns were received.

Veronica turned herself in to US Marshall Service on December 17, 2010. Here is the amazing part. AFTER TURNING HERSELF IN, and being released on bail pending trial, SHE KEPT STEALING MONEY FROM THE IRS!!!

The second case (2:11-CR-69-MEF) explains that between approximately January 2011 and April 2011, Dale conspired with Melinda Clayton and others to file an ADDITIONAL 155 fraudulent tax returns, to gather another $494,424 in tax refunds. THIS WAS AFTER DALE HAD ALREADY TURNED HERSELF IN because of the charges in the other case! She "caused to be stored at Clayton's residence thousands of names and social security numbers unlawfully obtained from EDS."

She pleaded guilty October 14, 2011.

The guilty plea (see see the Plea Agreementincludes the fact that "on counts 1,9,10,27 and 28, a 6-level enhancement is warranted because the Defendant's direct participation in the offense involved 250 or more victims.

The guilty plea explains that "Between June 2007 and February 2008, the Defendant worked as a temporary employee at EDS in Montgomery, Alabama. She "was able to and did wrongfully and illegally acquire Medicaid records which included the names, social security numbers, and dates of births of thousands of inviduals who received Medicaid benefits.

Between January 2009 and December 2010, she used these records stolen from EDS to file over 500 false tax returns.

308 of those tax retunrs deposited money into accounts of the Alabama State Employees Credit Union controlled by Betty Washington. The accounts received approximately $1,440,632.40 in false tax refunds.

Friday, May 04, 2012

Waya Nwaki pleads guilty in globe-spanning phishing ring

We often hear complaints from our Banking friends about criminals in Nigeria. Today's story is another example of the truth that in 2012, there is no place left to hide. Back in April 2011, FBI New Jersey presented their case to the Grand Jury in the form of a sealed indictment accusing several criminals of phishing:

Karlis Karklins
Charles Umeh Chidi
Waya Nwaki (AKA Prince Abuja, AKA USAPrince12k)
Osarhieme Uyi Obaygbona (AKA bside)
Marvin Dion HIll (AKA Nyhiar Da Boss, AKA Nihiar Springs)
Alphonsus Osuala
Olaniyi Jones

The case was officially unsealed on January 20, 2012, as the suspects were rounded up, chiefly Olaniyi Jones Makinde, who was arrested that week in Lagos, Nigeria:

(click for original in

Romance: Nigeria Style

Although this is what would normally be thought of as a "Nigerian Scam Ring" many of the players were already in the United States and had been for some time. Olaniyi, pictured above, is better known to Americans as his romantic alter ego, Brenda Stuart (, age 35, London, b.Feb 21, 1977)

"Brenda" would "fall in love" with various men that "she" met online, and then have various financial hardships which required the men to send money to her overseas accounts. Several "Money Mules" (called "Maga" in the Nigerian lingo) would assist with getting the money back to Jones via Western Union or Moneygram.

According to BekkyBlog Olaniyi Victor Makinde, also known as Andrea Bradley and Olaniyi Jones was originally arrested on September 6, 2011 by FBI agents working with Nigerian authorities on charges brought by the San Francisco division of the FBI related to two marriage scams where he harvested $620,225.04 from two American victims, Marilou Sibbaluca and John Massoni. While waiting in the Olokuta medium prison, he was charged again in the current New Jersey case. According to the blogger, Olanyiy was a recent graduate of the University of Ado Ekiti.

Criminal History in US

Waya Nwaki and Alphonsis Osuala should have been fairly easy to find. Rather than being in Nigeria, they were already in prison in Georgia. They had been arrested in Belvedere, South Carolina all the way back in April 20, 2005. They recruited a "white guy", Douglas Hudson, to go into a bank and cash a check for $2950 in a Bank of America branch while they waited outside in their silver Lincoln Navigator. Later that day they did the same scam, using a copy of the same check, in Aiken, South Carolina. Aiken, who was carrying a counterfeit resident alien card in the name of Steven Ratzlaff, was arrested in the bank by Lieutenant Farmer of the Aiken Department of Public Safety, while his colleague Officer Wilson pulled over the suspicious Lincoln Navigator and searched it, finding $17,000 in cash under the driver's seat, and a fake soda can containing six more copies of the same check. Nwaki was paying Hudosn $500 for each check they succesfully cashed, and theat they had done five successful scams in the previous two days. After being released, they were apparently back on the street for a while before being rearrested in Georgia.


The more recent scams were pure phishing. The six US-based codefendants worked with Jones to steal money from Payroll Processors ADP and Intuit as well as several banks. Karklins and Chidi would email phishing and spear-phishing attacks to the banking customers to lure them to phishing sites - fake bank websites that would be used to gather login credentials. As has been a growing trend, some of the credentials were used to do telephone transactions with the banks, instead of trying to use their online systems, which often have more fraud protection in place. Once the money was available, the criminals sent wire transfers to bank accounts in the United States, Mexico, the United Kingdom, Latvia, France, Bulgaria, Russia, and Nigeria. $3.5 million in wire transfers were attempted and $1.3 million were successfully withdrawn. This activity spanned a couple years, beginning at least as early as November 2009, when Karklins was setting up Chase Bank phishing sites. In January 2010 they added an ADP scam, and successfully harvested credentials for at least 27 sets of userids and passwords. These Payroll accounts allowed them to establish imaginary employees in various companies who received payments along with the real employees each payday until they were discovered. Karklins and Chidi would email Nwaki credentials for high value phishing accounts that they came across so that Nwaki could gather the money. It seems they ignored low value balances and focused only on taking the money from the high value accounts. Notices would go to Nwaki such as "28k chase, male, login yourself for check copy." or "CHASE 13.8k = male, age 32" or "BOA Business 25k + mail access". In February 2010, an Regions Bank account operated by defendant Hill was used to wire money to Bulgaria and Latvia. Nwaki also provided login credentials for a "50k drop" that was sent to the Regions account. Of the more than $1.3 million stolen, more than $300,000 of the funds were sent to a J.M. Sovereign Account operated by Jones in Nigeria.

Tuesday, May 01, 2012

Paypal "You Just Sent a Payment" spam leads to malware

A new malicious spam campaign has just launched this morning targeting Paypal users. This malware campaign attempts to "social engineer" users into clicking a link that they know they shouldn't click on! Here's the email:

The criminals believe (and from what we've seen, correctly) that when presented with the news that you just sent $100 to someone from your Paypal account, you will have a panic reaction and click on the link in the email. This is what they are counting on!

As you can see we got quite a few of these this morning:

The destination is NOT going to be Paypal. Don't click on the link, and tell your friends not to click on the link either! If they do, a bad set of malicious actions are set into motion.

This particular version of the campaign just started about 2.5 hours ago. Here are the number of messages we have seen so far:

 count |        mbox         
    22 | 2012-05-01 04:00:00
    22 | 2012-05-01 04:15:00
   312 | 2012-05-01 04:30:00
    41 | 2012-05-01 04:45:00
    15 | 2012-05-01 05:00:00
    78 | 2012-05-01 05:15:00
   241 | 2012-05-01 05:30:00
     1 | 2012-05-01 05:45:00
   210 | 2012-05-01 06:00:00
    91 | 2012-05-01 06:15:00
(10 rows)
There are many hundreds of links that may have been advertised in your copy of this email, but don't click on ANY of them!

In the example case that we checked, we followed a link to "" (yes, we like irony).

When the web page was visited, it immediately executed two remote javascript files (I've added spaces to "break" them):

script type="text/javascript" src="http:// laxana .org /1VxMC4Dy /js .js"
script type="text/javascript" src="http:// womaametw3 .com /CWTKosSw /js .js"
which redirected to an Exploit server that displayed this "Please Wait" sign while something more malicious was happening in the background.

The exploit kit dropped a Java "JAR" file that was launched in Java, taking advantage of a security hole, which then caused another executable file to download and install on the computer.

What was that executable? We're not sure yet, but your anti-virus product probably doesn't know either. At the time we submitted the malware to VirusTotal there were only 5 of 43 anti-virus products could label the malware as malicious. Although McAfee called it "Zbot" (PWS-Zbot.gen.ya, the anti-virus name for the Zeus Bot) Avast and one other vendor called it "Karagany" (Win32:Karagany-FS [Trj]).

The malware's MD5 was 4f58895af2b8f89bd90092f08fcbd54f and it was 33280 bytes in size.

Here's a link to the original VirusTotal report.

Previous Threats

This link is very closely linked to a "LinkedIn" spam campaign from yesterday. That campaign functioned in exactly the same manner, with the difference only in the spam campaign.

All of the domains listed below have been compromised by an attacker. Most likely the criminals have stolen the FTP userid and password of the criminal, allowing them to change the webmaster's content without the webmaster's knowledge. If you control or know the owner of one of these websites, let them know they have been hacked. They need to remove the content, scan any computers they use to access their website for malware, and change their password AFTER they get the malware cleaned up.

            machine            |         path         
-------------------------------+----------------------                  | /rHFbxKTn/index.html                 | /bp9ksV54/index.html                 | /N2rhmW5i/index.html                 | /r1kVYAfU/index.html                 | /vpW8hoZ6/index.html                   | /BzJoVeo0/index.html                   | /Lskx0Bew/index.html                   | /NdHgm0gT/index.html                   | /oZFZ0qJK/index.html                   | /pD2zHbBB/index.html                   | /vpW8hoZ6/index.html                   | /wcE0aK0J/index.html                   | /wjivLtgo/index.html               | /4RcYf6gB/index.html               | /7QLZuMme/index.html               | /bp9ksV54/index.html               | /BzJoVeo0/index.html               | /ErmgUouT/index.html               | /gj1W42Ee/index.html               | /i8ztSS5H/index.html               | /iaJ7FSBi/index.html               | /mKvc8Mh7/index.html               | /N2rhmW5i/index.html               | /NdHgm0gT/index.html               | /oZFZ0qJK/index.html               | /pD2zHbBB/index.html               | /rHFbxKTn/index.html               | /rzDZAsw7/index.html               | /t7xYVUJE/index.html               | /tLnW6jJT/index.html               | /UAtkgmot/index.html               | /UcL29wrU/index.html               | /vpW8hoZ6/index.html               | /wtQ8G0Ku/index.html               | /YhwvXGhk/index.html               | /zvo8ioak/index.html         | /4RcYf6gB/index.html         | /7NEM56yQ/index.html         | /7QLZuMme/index.html         | /bp9ksV54/index.html         | /BzJoVeo0/index.html         | /ddLvpeMu/index.html         | /DkM4v1PP/index.html         | /gj1W42Ee/index.html         | /N2rhmW5i/index.html         | /oZFZ0qJK/index.html         | /r1kVYAfU/index.html         | /Re3BMGVG/index.html         | /rHFbxKTn/index.html         | /RoScD8aq/index.html         | /rzDZAsw7/index.html         | /UAtkgmot/index.html         | /vpW8hoZ6/index.html         | /wjivLtgo/index.html         | /wtQ8G0Ku/index.html         | /YhwvXGhk/index.html         | /zvo8ioak/index.html               | /4RcYf6gB/index.html               | /7NEM56yQ/index.html               | /7QLZuMme/index.html               | /ErmgUouT/index.html               | /gj1W42Ee/index.html               | /mKvc8Mh7/index.html               | /NdHgm0gT/index.html               | /oZFZ0qJK/index.html               | /pSG1s2xs/index.html               | /Re3BMGVG/index.html               | /rzDZAsw7/index.html               | /t7xYVUJE/index.html               | /tLnW6jJT/index.html               | /UAtkgmot/index.html               | /UcL29wrU/index.html               | /wcE0aK0J/index.html               | /xXr3khjG/index.html   | /4RcYf6gB/index.html   | /bp9ksV54/index.html   | /ddLvpeMu/index.html   | /DkM4v1PP/index.html   | /gj1W42Ee/index.html   | /i8ztSS5H/index.html   | /iaJ7FSBi/index.html   | /Lskx0Bew/index.html   | /mKvc8Mh7/index.html   | /N2rhmW5i/index.html   | /NdHgm0gT/index.html   | /oZFZ0qJK/index.html   | /pD2zHbBB/index.html   | /pSG1s2xs/index.html   | /r1kVYAfU/index.html   | /Re3BMGVG/index.html   | /rHFbxKTn/index.html   | /rzDZAsw7/index.html   | /UcL29wrU/index.html   | /wcE0aK0J/index.html   | /wjivLtgo/index.html   | /wtQ8G0Ku/index.html    | /ddLvpeMu/index.html    | /Lskx0Bew/index.html    | /oZFZ0qJK/index.html    | /pSG1s2xs/index.html    | /wjivLtgo/index.html     | /4RcYf6gB/index.html     | /6BrzkppT/index.html     | /7NEM56yQ/index.html     | /7QLZuMme/index.html     | /bp9ksV54/index.html     | /BzJoVeo0/index.html     | /ddLvpeMu/index.html     | /DkM4v1PP/index.html     | /ErmgUouT/index.html     | /gj1W42Ee/index.html     | /i8ztSS5H/index.html     | /iaJ7FSBi/index.html     | /Lskx0Bew/index.html     | /mKvc8Mh7/index.html     | /NdHgm0gT/index.html     | /oZFZ0qJK/index.html     | /pD2zHbBB/index.html     | /pSG1s2xs/index.html     | /rHFbxKTn/index.html     | /RoScD8aq/index.html     | /rzDZAsw7/index.html     | /t7xYVUJE/index.html     | /tLnW6jJT/index.html     | /UAtkgmot/index.html     | /UcL29wrU/index.html     | /vpW8hoZ6/index.html     | /wcE0aK0J/index.html     | /wjivLtgo/index.html     | /wtQ8G0Ku/index.html           | /4RcYf6gB/index.html           | /6BrzkppT/index.html           | /7NEM56yQ/index.html           | /7QLZuMme/index.html           | /bp9ksV54/index.html           | /ddLvpeMu/index.html           | /DkM4v1PP/index.html           | /ErmgUouT/index.html           | /gj1W42Ee/index.html           | /Lskx0Bew/index.html           | /N2rhmW5i/index.html           | /NdHgm0gT/index.html           | /oZFZ0qJK/index.html           | /pD2zHbBB/index.html           | /r1kVYAfU/index.html           | /rHFbxKTn/index.html           | /RoScD8aq/index.html           | /rzDZAsw7/index.html           | /t7xYVUJE/index.html           | /UAtkgmot/index.html           | /vpW8hoZ6/index.html           | /wcE0aK0J/index.html           | /wtQ8G0Ku/index.html           | /xXr3khjG/index.html           | /YhwvXGhk/index.html           | /zvo8ioak/index.html          | /4RcYf6gB/index.html          | /7NEM56yQ/index.html          | /7QLZuMme/index.html          | /ddLvpeMu/index.html          | /DkM4v1PP/index.html          | /gj1W42Ee/index.html          | /Lskx0Bew/index.html          | /mKvc8Mh7/index.html          | /N2rhmW5i/index.html          | /NdHgm0gT/index.html          | /oZFZ0qJK/index.html          | /pD2zHbBB/index.html          | /pSG1s2xs/index.html          | /r1kVYAfU/index.html          | /Re3BMGVG/index.html          | /rHFbxKTn/index.html          | /RoScD8aq/index.html          | /rzDZAsw7/index.html          | /t7xYVUJE/index.html          | /UAtkgmot/index.html          | /UcL29wrU/index.html          | /vpW8hoZ6/index.html          | /wcE0aK0J/index.html          | /wjivLtgo/index.html          | /wtQ8G0Ku/index.html          | /xXr3khjG/index.html            | /4RcYf6gB/index.html            | /6BrzkppT/index.html            | /7NEM56yQ/index.html            | /7QLZuMme/index.html            | /bp9ksV54/index.html            | /BzJoVeo0/index.html            | /DkM4v1PP/index.html            | /ErmgUouT/index.html            | /gj1W42Ee/index.html            | /i8ztSS5H/index.html            | /iaJ7FSBi/index.html            | /Lskx0Bew/index.html            | /mKvc8Mh7/index.html            | /N2rhmW5i/index.html            | /pD2zHbBB/index.html            | /pSG1s2xs/index.html            | /r1kVYAfU/index.html            | /Re3BMGVG/index.html            | /RoScD8aq/index.html            | /t7xYVUJE/index.html            | /tLnW6jJT/index.html            | /UAtkgmot/index.html            | /UcL29wrU/index.htm            | /UcL29wrU/index.html            | /vpW8hoZ6/index.html            | /wcE0aK0J/index.html            | /wjivLtgo/index.html            | /xXr3khjG/index.html            | /YhwvXGhk/index.html            | /zvo8ioak/index.html                    | /6BrzkppT/index.html                    | /7NEM56yQ/index.html                    | /BzJoVeo0/index.html                    | /ddLvpeMu/index.html                    | /ErmgUouT/index.html                    | /gj1W42Ee/index.html                    | /i8ztSS5H/index.html                    | /iaJ7FSBi/index.html                    | /Lskx0Bew/index.html                    | /mKvc8Mh7/index.html                    | /N2rhmW5i/index.html                    | /NdHgm0gT/index.html                    | /oZFZ0qJK/index.html                    | /pD2zHbBB/index.html                    | /pSG1s2xs/index.html                    | /r1kVYAfU/index.html                    | /Re3BMGVG/index.html                    | /rHFbxKTn/index.html                    | /RoScD8aq/index.html                    | /rzDZAsw7/index.html                    | /t7xYVUJE/index.html                    | /tLnW6jJT/index.html                    | /UAtkgmot/index.html                    | /UcL29wrU/index.html                    | /vpW8hoZ6/index.html                    | /wcE0aK0J/index.html                    | /wjivLtgo/index.html                    | /wtQ8G0Ku/index.html                    | /xXr3khjG/index.html                    | /YhwvXGhk/index.html                     | /4RcYf6gB/index.html                     | /7QLZuMme/index.html                     | /BzJoVeo0/index.html                     | /ddLvpeMu/index.html                     | /DkM4v1PP/index.html                     | /ErmgUouT/index.html                     | /gj1W42Ee/index.html                     | /Lskx0Bew/index.html                     | /mKvc8Mh7/index.html                     | /N2rhmW5i/index.html                     | /NdHgm0gT/index.html                     | /r1kVYAfU/index.html                     | /Re3BMGVG/index.html                     | /rHFbxKTn/index.html                     | /RoScD8aq/index.html                     | /rzDZAsw7/index.html                     | /tLnW6jJT/index.html                     | /UAtkgmot/index.html                     | /UcL29wrU/index.html                     | /vpW8hoZ6/index.html                     | /wcE0aK0J/index.html                     | /wjivLtgo/index.html                     | /wtQ8G0Ku/index.html                     | /xXr3khjG/index.html                     | /YhwvXGhk/index.html                     | /zvo8ioak/index.html | /6BrzkppT/index.html | /7NEM56yQ/index.html | /ddLvpeMu/index.html | /DkM4v1PP/index.html | /ErmgUouT/index.html | /gj1W42Ee/index.html | /iaJ7FSBi/index.html | /Lskx0Bew/index.html | /mKvc8Mh7/index.html | /oZFZ0qJK/index.html | /pD2zHbBB/index.html | /pSG1s2xs/index.html | /Re3BMGVG/index.html | /rHFbxKTn/index.html | /RoScD8aq/index.html | /rzDZAsw7/index.html | /t7xYVUJE/index.html | /UcL29wrU/index.html | /xXr3khjG/index.html | /YhwvXGhk/index.html | /zvo8ioak/index.html        | /4RcYf6gB/index.html        | /6BrzkppT/index.html        | /bp9ksV54/index.html        | /BzJoVeo0/index.html        | /ddLvpeMu/index.html        | /DkM4v1PP/index.html        | /gj1W42Ee/index.html        | /i8ztSS5H/index.html        | /iaJ7FSBi/index.html        | /mKvc8Mh7/index.html        | /N2rhmW5i/index.html        | /NdHgm0gT/index.html        | /oZFZ0qJK/indexhtml        | /oZFZ0qJK/index.html        | /pD2zHbBB/index.html        | /pSG1s2xs/index.html        | /r1kVYAfU/index.html        | /rHFbxKTn/index.html        | /RoScD8aq/index.html        | /rzDZAsw7/index.html        | /UAtkgmot/index.html        | /UcL29wrU/index.html        | /vpW8hoZ6/index.html        | /wcE0aK0J/index.html        | /xXr3khjG/index.html        | /YhwvXGhk/index.html            | /4RcYf6gB/index.html            | /6BrzkppT/index.html            | /7NEM56yQ/index.html            | /BzJoVeo0/index.html            | /ddLvpeMu/index.html            | /DkM4v1PP/index.html            | /ErmgUouT/index.html            | /gj1W42Ee/index.html            | /i8ztSS5H/index.html            | /iaJ7FSBi/index.html            | /mKvc8Mh7/index.html            | /N2rhmW5i/index.html            | /NdHgm0gT/index.html            | /oZFZ0qJK/index.html            | /pD2zHbBB/index.html            | /pSG1s2xs/index.html            | /r1kVYAfU/index.html            | /rzDZAsw7/indexhtml            | /rzDZAsw7/index.html            | /tLnW6jJT/index.html            | /UAtkgmot/index.html            | /UcL29wrU/index.html            | /wcE0aK0J/index.html            | /wjivLtgo/index.html            | /xXr3khjG/index.html            | /YhwvXGhk/index.html                    | /6BrzkppT/index.html                    | /7NEM56yQ/index.html                    | /7QLZuMme/index.html                    | /bp9ksV54/index.html                    | /BzJoVeo0/index.html                    | /ErmgUouT/index.html                    | /gj1W42Ee/index.html                    | /i8ztSS5H/index.html                    | /iaJ7FSBi/index.html                    | /Lskx0Bew/index.html                    | /mKvc8Mh7/index.html                    | /N2rhmW5i/index.html                    | /NdHgm0gT/index.html                    | /oZFZ0qJK/index.html                    | /pD2zHbBB/index.html                    | /pSG1s2xs/index.html                    | /r1kVYAfU/index.html                    | /rHFbxKTn/index.html                    | /rzDZAsw7/index.html                    | /t7xYVUJE/index.html                    | /tLnW6jJT/index.html                    | /UAtkgmot/index.html                    | /UcL29wrU/index.html                    | /wcE0aK0J/index.html                    | /wjivLtgo/index.html                    | /wtQ8G0Ku/index.html                    | /zvo8ioak/index.html              | /6BrzkppT/index.html              | /7NEM56yQ/index.html              | /7QLZuMme/index.html              | /bp9ksV54/index.html              | /ddLvpeMu/index.html              | /DkM4v1PP/index.html              | /ErmgUouT/index.html              | /iaJ7FSBi/index.html              | /Lskx0Bew/index.html              | /N2rhmW5i/index.html              | /pD2zHbBB/index.html              | /Re3BMGVG/index.html              | /RoScD8aq/index.html              | /rzDZAsw7/index.html              | /UcL29wrU/index.html              | /wtQ8G0Ku/index.html              | /xXr3khjG/index.html              | /YhwvXGhk/index.html              | /zvo8ioak/index.html                | /6BrzkppT/index.html                | /ErmgUouT/index.html                | /i8ztSS5H/index.html                | /NdHgm0gT/index.html                | /oZFZ0qJK/index.html                | /pD2zHbBB/index.html                | /rHFbxKTn/index.html                | /t7xYVUJE/index.html                | /tLnW6jJT/index.html                | /UAtkgmot/index.html                | /UcL29wrU/index.html                | /wcE0aK0J/index.html                | /wtQ8G0Ku/index.html                    | /4RcYf6gB/index.html                    | /7NEM56yQ/index.html                    | /7QLZuMme/index.html                    | /bp9ksV54/index.html                    | /BzJoVeo0/index.html                    | /ErmgUouT/index.html                    | /i8ztSS5H/index.html                    | /NdHgm0gT/index.html                    | /r1kVYAfU/index.html                    | /rHFbxKTn/index.html                    | /RoScD8aq/index.html                    | /t7xYVUJE/index.html                    | /UcL29wrU/index.html                    | /vpW8hoZ6/index.html                    | /xXr3khjG/index.html                    | /zvo8ioak/index.html                      | /6BrzkppT/index.html                      | /bp9ksV54/index.html                      | /DkM4v1PP/index.html                      | /gj1W42Ee/index.html                      | /i8ztSS5H/index.html                      | /mKvc8Mh7/index.html                      | /r1kVYAfU/index.html                      | /Re3BMGVG/index.html                      | /tLnW6jJT/index.html                      | /UAtkgmot/index.html                      | /vpW8hoZ6/index.html                      | /wcE0aK0J/index.html                      | /wtQ8G0Ku/index.html                      | /xXr3khjG/index.html                  | /4RcYf6gB/index.html                  | /ddLvpeMu/index.html                  | /ErmgUouT/index.html                  | /wjivLtgo/index.html