Saturday, June 01, 2019

SMS Phish? Amazon Reward!

Are you getting text messages about winning prizes at Amazon?

I got one today with the following text from a VOIP-to-SMS number: 1 (410) 200-910

The text was:
 "FRM: You have a New Amazon Reward! MSG:"

I spun up a virtual machine to check the destination, and got only a meaningless echo of the domain name:

The problem, of course, was that the site expected me to be on a cell phone, since the link arrived by SMS.  No problem.  Let's make my Windows Chrome browser look like a cell phone: 

Ok.  Now I'm a Firefox browser on an Android Mobile phone.  Let's try again.  Much better!  The CloudFlare hosted "dmkr3h" now forwards me to "" which is a CNAME alias to "seempts-explegal[.]com ( " which passes my origin and affiliate data to chargingmilkshop[.]com (, which forwards me to "winopinions[.]com (" which shows me this!

Before I take my Survey, I hit my "Back" button, just to see what happens, because often there are traps about such things.  Sure enough, hitting the "Back" took me to an ad totally unrelated to my Amazon Prize:

As much as I'd like to be Ketogenically Accelerated, I decided to go back to my original URL from the phone.  This time I landed at "ZoneOpinions[.]com" instead of WinOpinions, but since I was still on the same IP address, I decided to keep going and take the survey this time.  Here are my five Survey Questions:

OK, now for the excitement!  My big Amazon Reward is about to be revealed, right?

Hmmm... do I want a larger penis, a flatter belly, or a $780 watch?  I think I'll take the $780 watch, since it's free and all ... 

Each time I click "Claim Reward" I get sent through a "1592track[.]com" redirector:
Which then forwards me to one of its randomly selected possible fulfillment domains ... 

Odd.  Clicking on the watch takes me to a site for a free Tactical Flashlight. Oh well.  The point of this exercise is to feed some of my spam traps anyway.  We'll give them one of our spam trap email addresses just to see what they begin spamming to me. 

I wonder if ClickBank is complicit in these scams?
Since I'm not actually going to give them my credit card information, I'll see whether I get the same spam by submitting my address info for CBD Oil and Male Enhancement anyway.  Where do those clicks take me?
tryhealthoffer [.] com 

(a closer look at the Affiliate ID = 600080)

healthchoicev2 [.]com selling Primacin XL 

I saved which Spam Trap email I fed to each of the sites above.  If I start getting spam on them (none of them have existed before an hour ago and have never received any message prior to being fed to these sites) I'll do a follow-up post.

While trying to decide if this is something to share with my friends at the Federal Trade Commission, I decided to check what country these domains are hosted in ... Poland ... ==> OVH SAS in Poland.
According to the very useful tool at RiskIQ, it looks like 77 new domains stood up on this IP address about two days ago:
We went ahead and exported that list so we could save a record of what other domains were there.  Looks like there are MANY alternative domains for doing the same sort of things ... 


Many of these domains have proven to be interchangeable, as long as your user agent is right. Pasting the "path/file/parameters" from one site onto another of the same type usually works.
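The user-agent cloaking and redirect chain described above can be walked and logged hop by hop. The following is an added example and not code from the original post; the `.example` domains, the `aff=12345` parameter and the UA strings are constructed stand-ins, and the fetcher is injectable so the chain can be reproduced offline.

```python
"""Follow a link's redirect chain under a chosen User-Agent and log every hop.
Added example, not code from the original post. A cloaking SMS link gives a
desktop browser an 'echo' page but bounces a mobile UA through affiliate hops;
the fetcher is injectable so the behaviour can be reproduced offline."""
from urllib.parse import urlparse
import urllib.error
import urllib.request

# Assumed UA strings; any desktop vs. Android/Firefox pair works for the demo.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/74.0"
MOBILE_UA = "Mozilla/5.0 (Android 9; Mobile; rv:66.0) Gecko/66.0 Firefox/66.0"
REDIRECTS = (301, 302, 303, 307, 308)

def http_fetch(url, user_agent):
    """Real fetcher: one request, redirects NOT followed automatically.
    Returns (status_code, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises on an unfollowed 3xx
        return err.code, err.headers.get("Location")

def follow_chain(url, user_agent, fetch=http_fetch, max_hops=10):
    """Walk the chain until a non-redirect, a loop, or max_hops.
    Returns [(status, host), ...] with hosts defanged as 'a[.]b'."""
    hops, seen = [], set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, location = fetch(url, user_agent)
        hops.append((status, (urlparse(url).hostname or "?").replace(".", "[.]")))
        if status not in REDIRECTS:
            break
        url = location
    return hops

# Constructed stand-in for a cloaking redirector (reserved .example names).
FAKE_CHAIN = {
    "http://short.example/dmkr3h": "http://affiliate.example/?aff=12345",
    "http://affiliate.example/?aff=12345": "http://survey.example/reward",
}

def fake_fetch(url, user_agent):
    """Desktop visitors get a 200 'echo' page; mobile UAs get redirected."""
    if "Mobile" not in user_agent:
        return 200, None
    nxt = FAKE_CHAIN.get(url)
    return (302, nxt) if nxt else (200, None)

if __name__ == "__main__":
    for ua in (DESKTOP_UA, MOBILE_UA):
        print(ua[:40], follow_chain("http://short.example/dmkr3h", ua, fake_fetch))
```

Swap `fake_fetch` for the default `http_fetch` to walk a live chain from an isolated VM; the defanged host list is what you would keep for the record.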

Conclusion?  Don't think I'm going to get my Amazon Prize.  Darn.

Tuesday, May 07, 2019

The Next Miami Operation WireWire Case: Alfredo Veloso

In June of 2018, we blogged about a series of cases that the Department of Justice announced as "Operation: WireWire." In particular, we wrote three pieces about the "South Florida Cases" where a Lebanese recruiter convinced people to set up shell companies, open bank accounts, and receive large wire transfers that were quickly sent overseas.  (See Operation WireWire: The South Florida Cases -- Part 1, Part 2, and Part 3.)

Some of the earlier cases included US v. Eliot Pereira et al; US v. Gustavo Gomez et al; and US v. Cynthia Rodriguez et al.  So far, at least 250 shell corporations in South Florida have been identified that can all be linked back to the Roda Taher Money Laundering Network.  Those recruited communicated with Roda Taher, who was known as Rezi or Ressi, via WhatsApp and Email, including the gmail account "" 

On April 30, 2019, DOJ announced another related guilty plea.  This time three more related cases are linked under the name "USA v. Lugo et al."

Alvaro Lugo of Sunrise, Florida, Karina Rosado of Hollywood, Florida, and Alfredo Veloso are the main trio of defendants in these cases, with Veloso pleading guilty on April 30, 2019. 

Karina Rosado

Karina Rosado ran her shell company as "Karina Luxury Trade" through her address 4001 West Flagler Street, Apr 18, Coral Gables, Florida.  Karina received both her papers of incorporation and her IRS EIN number via email from Rezi in June and July of 2017.  On August 7, 2017, Karina opened a Bank of America account ending in 8775 with a $25 deposit.  On August 18th, she received a $105,000 wire from a Business Email Compromise victim scammed by someone impersonating a title company employee.  On August 21st, Karina withdrew $7,500 in cash, and wired $44,700 to "Tianjin Shengfa Candle Co" at China Zheshang Bank and an additional $39,988 to "Jiangxi Textile Group Imp" at Bank of China on 21AUG2017.  She drained the rest of the account, $8,800, the following day.

On August 2, 2017, Karina opened a TD Bank account ending in 2712. 

She also opened a Wells Fargo account ending in 5271 the same day.  On September 20, 2017, she received a $32,900 wire from a second victim, and on September 21, 2017, an additional $59,890 was attempted from a third victim, but was blocked by the victim's bank, which filed a complaint on October 8, 2017.  A fourth victim wired $17,609 to her Wells Fargo account on November 2, 2017.  She withdrew another $10,000 on November 6, 2017, and $17,690 on November 9, 2017, closing the account.

On November 13, 2017, Karina opened a JP Morgan Chase account ending in 3657, providing her business name and her true social security number.  She deposited $17,609 dollars to open the account, listing in the memo, her Wells Fargo bank account number "2846705271."

After an arrest warrant was sworn out on August 20, 2018, Karina surrendered on August 27th.  She posted bail on September 10, 2018, and was declared a fugitive after failing to appear on December 20, 2018.  Like several of the previous WireWire mules, Karina attended Miami Dade College in Hialeah, Florida.

Alvaro Lugo

Alvaro Lugo opened a Florida shell company "Lugo Wide Trades" from his address at 11149 NW 80th Lane, Doral, Florida.  The address he used matches his home residence address according to Florida's Driver and Vehicle Information Database.  When the company filed for its EIN number with the IRS, the IP address used to do so was in Beirut, Lebanon, and matched the IP address used to request EIN numbers for several other shell companies that were part of this network.  (Roda Taher is from Lebanon.)

Lugo opened a Bank of America account ending in 4361, using his social security number and drivers license to do so.  On October 30, he received a wire from "a motorsports dealership" in the amount of $105,532.09.  On October 31, he received an additional $74,857.69 from another victim company.  Both of these companies filed complaints at  On November 3, Lugo cashed out the account with a $180,486.36 cashier's check payable to Lugo Wide Trades, Inc.

On October 26, 2017, Lugo opened a JPMC account ending in 1705.  The account was opened with $50.  On November 2, 2017, Lugo's account wrote a $50 check paid to Rosado's account.

Lugo was sentenced on April 8, 2019 to 34 months in prison.

Alfredo Veloso

Veloso's company was Veloso Bulk Trading, which was registered to the address 6611 SW 99th Avenue, Miami, Florida.  In addition to Veloso Bulk Trading, Alfredo ran several other businesses from this address, including Tri Reptiles, a reptile importing company.  He also ran a "kink pornography" business from the same address, "Alex Ace 305 Productions Inc," which used the main website "kink305[.]com".  "Alex" is part of a group of 76 porn-related domain names, and at least eight of the mules he recruited were women he met through his internet video business, who were also used to open shell companies and associated bank accounts for the network. 

Veloso Bulk Trade received incoming wires totaling more than $1,000,000 from four victims - two corporations, a law firm, and an individual.  Veloso withdrew $26,686 of the funds.

In Veloso's Plea Agreement, signed on April 29, 2019, he agrees to plead guilty to counts 1 and 4 through 8.  To wit: 

1. Conspiracy to commit money laundering in violation of Title 18, USC section 1956(h) because he "did willfully with the intent to further the objects of the conspiracy, and knowingly combine, conspire, confederate, and agree with Alvaro Lugo, Karina Rosado, and others known and unknown, to knowingly conduct and attempt to conduct a financial transaction affecting interstate commerce, which transaction involved the proceeds of specified unlawful activity, knowing the property involved in the financial transaction represented the proceeds of some form of unlawful activity, knowing that such transaction was designed, in whole and in part, to conceal and disguise the nature, the location, the source, the ownership, and the control of the proceeds of specified unlawful activity, in violation of Title 18 USC Section 1956(a)(1)(B)(i) and all in violation of Title 18 USC Section 1956(h).  The specified unlawful activities were conspiracy to commit wire fraud, (Title 18 USC Section 1349) and Wire Fraud (Title 18 USC Section 1343).

Counts 4 through 8 are actually all Lacey Act offenses, related to smuggling reptiles through his "Tri Reptiles" company.

His Base Offense Level was an 8.  It goes up by 16 due to the volume of funds laundered (between $1.5 Million and $3.5 Million). +2 more for sophistication, and +2 more for being a section 1956 conviction, and +3 more because he was a "manager or supervisor, but not an organizer or leader, of criminal activity involving five or more participants."  That would give a 29, but he got a three level decrease for "demonstrating acceptance of responsibility."   He's likely looking at 63 to 78 months in prison.  The prosecution agreed to run the animal smuggling sentence, if any, concurrently.

(Veloso DID HAVE a reptile importing license from 2010 to 2014, as "Xtreme Reptiles", but he failed to renew his license and paid no taxes on his current reptile business.)  Veloso was "shipping large quantities of reptiles on a weekly basis." He made about $150,000 per year on his illegal reptile business, selling reptiles "in bulk" to pet stores around the country.  

Tuesday, April 30, 2019

BEC Compromises and Romance Fraud 2018

The Internet Crime & Complaint Center (IC3) publishes annual statistics about the crimes reported to it during the previous calendar year.  The full report offers insights and analysis into current trends in cybercrime.  While it is widely acknowledged that cybercrime is dramatically under-reported, there are still some shocking trends when the numbers are viewed on a state-by-state basis.
While the IC3 has been collecting Internet crime complaints since 2000, starting in 2016 it provided a more detailed state-by-state breakdown than ever before, allowing us to see how many victims experienced how much loss for each reported crime type.  What is abundantly clear in the 2018 numbers is that the greatest dollar losses among the reports are coming from Business Email Compromise.

Previous reporting from the IC3 called Business Email Compromise "The $12 Billion Scam" (July 12, 2018), although quite a bit of that figure is "exposed dollar value", meaning how much COULD have been lost rather than what actually was.  Actual losses in the US in reports gathered by the IC3 included $1.3 Billion stolen from 21,723 domestic companies from October 2013 to May 2016, and $1.6 Billion stolen from 19,335 domestic companies from June 2016 to May 2018.

In the 2018 state-by-state breakdown, we find documentation of 19,140 companies in the 50 states losing $1.2 Billion, with millions more lost in DC, Puerto Rico, and other US territories.  That means that on an average day in 2018, criminals stole $3.3 Million from 52 US businesses.

State           | BEC Losses   | BEC Victims | Average Loss Per Victim | Victims per 100,000 Population | BEC Losses per 100,000
New Hampshire   | $2,783,487   |          86 |                 $32,366 |                           6.4  |               $207,259
New Jersey      | $54,132,347  |         554 |                 $97,712 |                           6.22 |               $607,647
New Mexico      | $3,158,731   |         101 |                 $31,275 |                           4.84 |               $151,280
New York        | $124,028,639 |        1288 |                 $96,296 |                           6.59 |               $634,671
North Carolina  | $29,829,247  |         436 |                 $68,416 |                           4.25 |               $290,450
North Dakota    | $427,379     |          31 |                 $13,786 |                           4.08 |                $56,228
Rhode Island    | $3,543,031   |         115 |                 $30,809 |                          10.85 |               $334,248
South Carolina  | $8,077,180   |         201 |                 $40,185 |                           4    |               $160,772
South Dakota    | $836,734     |          28 |                 $29,883 |                           3.17 |                $94,843
Utah            | $7,931,467   |         201 |                 $39,460 |                           6.48 |               $255,689
West Virginia   | $2,093,280   |          50 |                 $41,866 |                           2.75 |               $115,269
Wyoming         | $1,637,116   |          29 |                 $56,452 |                           5.02 |               $283,367

The table above shows Business Email Compromise losses by state for calendar 2018, based on complaints received by the IC3.  These are losses experienced by BUSINESSES.  As you can see, the average loss per business varied greatly from state to state.  Alaska only lost $11,000 per BEC case, while Ohio had $130,000 lost per BEC case and the average BEC case in Kentucky lost $271,000!  The average loss from a BEC scam in the 50 states in calendar 2018 was $62,849 per business.  ($1,202,934,836 stolen from 19,140 businesses.)

The Top Ten states for BEC by the number of victims per 100,000 population are:
Rhode Island - 10.85
Alaska - 8.92
Massachusetts - 8.67
Colorado - 8.08
Virginia - 7.82
California - 7.67
Texas - 7.4
Connecticut - 7.33
Nevada -  7.24
Vermont - 6.89

The median number of BEC victims per 100,000 by state was 4.86.
(My home state of Alabama was #41 at 3.89)

The Top Ten states for BEC by average losses per victim are:
Louisiana - $271,430
Ohio - $130,380
New Jersey - $97,711
New York - $96,295
Connecticut - $90,798
Georgia - $85,897
Minnesota - $83,624
Kansas - $78,535
Massachusetts - $77,881
Iowa - $75,326

The median state for "average loss per victim" was: $47,742.80
(Alabama was #33 at $39,689 average loss per victim)

The table below documents the category of fraud that the IC3 team labels as "Confidence Fraud / Romance".  We know that Romance scams tend to target the lonely and the elderly in a disproportionate way, and are often enabled by social media.  While the average losses per incident are lower, realize that these are often losses experienced by a senior citizen, often representing the loss of their entire life savings!  The average loss from a Romance scam in the 50 states in calendar 2018 was $19,114.14.  ($296,613,212 stolen from 15,518 individual victims.)

State           | Romance Losses | Romance Victims | Average Loss Per Victim | Victims per 100,000 Population | Romance Losses per 100,000
New Hampshire   | $1,068,704     |              68 |                 $15,716 |                           5.06 |                   $79,576
New Jersey      | $8,275,788     |             332 |                 $24,927 |                           3.73 |                   $92,897
New Mexico      | $2,608,857     |             140 |                 $18,635 |                           6.7  |                  $124,945
New York        | $16,867,421    |             782 |                 $21,570 |                           4    |                   $86,313
North Carolina  | $2,686,807     |             432 |                  $6,219 |                           4.21 |                   $26,162
North Dakota    | $1,303,702     |              35 |                 $37,249 |                           4.6  |                  $171,522
Rhode Island    | $1,389,854     |              51 |                 $27,252 |                           4.81 |                  $131,118
South Carolina  | $3,439,585     |             187 |                 $18,394 |                           3.72 |                   $68,463
South Dakota    | $99,747        |              31 |                  $3,218 |                           3.51 |                   $11,306
Utah            | $2,380,004     |             172 |                 $13,837 |                           5.54 |                   $76,725
West Virginia   | $1,367,247     |              74 |                 $18,476 |                           4.07 |                   $75,289
Wyoming         | $370,922       |              33 |                 $11,240 |                           5.71 |                   $64,203

The Top Ten states by the number of Romance Scam victims per 100,000 population are:

Alaska - 11.49 victims per 100,000
Nevada - 8.47
Wisconsin - 6.75
Colorado - 6.71
New Mexico - 6.7 
Washington - 6.66
Oregon - 6.42
Arizona - 6.11
Wyoming - 5.71
Virginia - 5.67 

The median number of victims per 100,000 population was 4.79.
(Alabama was #25 with 4.81 victims per 100,000 population) 

The Top Ten states by average loss per Romance Scam victim are:
North Dakota - $37,248
California - $34,373
Louisiana - $31,753
Connecticut - $27,665
Rhode Island - $27,252
New Jersey - $24,927
Nevada - $24,735
Massachusetts - $23,134
New York - $21,569
Ohio - $21,428 

The median average loss per state was $17,858.
(Alabama was #44 with average Romance Scam losses of $7,634 per victim.) 

Tuesday, April 02, 2019

Twitter Mystery Followers: ? GarBot ?

I'm one of those people who tends to review the people who are following me on Twitter and to block a great number of them.  Why?  Because many of them aren't real people!

Here are a few examples:


Juliette only has one tweet and it says "Just setting up my Twitter.  #myfirstTweet"

Gosh, the pretty blonde whose random mashup of bio statement says "Author, Musician, Harry Potter Lover, Idea Agent, Troll King, You're beautiful" must be a cyber security fan who has read some of my tweets and was inspired to follow me, right?

More likely, she is part of the botnet that has been assigned to search for the three character string "GAR" and follow people who come up in the search results.  Like these folks:

This has been going on for some time . . . in fact, the shortcut for me is to look at the followers of "@gar" (the "communist socialist libertarian anarchist who likes tacos") on that last row.  Almost all of this guy's recent followers are part of this bot:

How can we be sure?  Well, they do have something in common . . . besides a desire to follow people with "Gar" in their name or bio.  See if you can spot the pattern?

Many of the images are coming from "royalty free stock images" sites, which might imply someone is trying to be "legal" with their bot ... not sure.

And lest you think this is just a "pretty girls who follow you" bot, there are male accounts as well, although recently the males seem to be primarily Spanish (or Catalan):

And these accounts also share their passion for people named "Gar"  . . . 

More Tweets of Wisdom

Over time, the accounts do tweet things other than "Just setting up my Twitter. #myfirstTweet".  They share great wisdom such as:

"Love sees no faults" ... "Hope is life"  ... "Every bird loves to listen to himself sing"

I don't know if you can call Shery's post "wisdom" -- "i hate #cats" and "i love #dogs" and "i don't think there is such thing as too much #coffee"

StonerBot Variant

One odd variation of this bot is something I think of as "StonerBot" ... it starts out the same way.  @Janecarrson started with "Just setting up my Twitter #myfirstTweet" and following a bunch of Gar accounts:

But then things quickly go off the tracks ... in a decidedly marijuana friendly way:

StonerBotJane has posted 20 photos, instead of just one liners, and expanded beyond her "Gar" following to follow many other accounts, several of which feature nudity in their profile pictures.  Also, unlike my "GarBot" followers, StonerBotJane has a cover photo.

Looking at some of the other people's accounts that were followed by "GarBot" it was easy to spot many other "StonerBot" variants.  These all follow "@ColegSirGar" 

Victoria, Deirdre, Maria, Jane, and Leah all behave like StonerBotJane, while Sarah, Olivia, and Julia are all more like the original "GarBot" (which surely must follow people with other names as well, but the version I am most familiar with, for obvious reasons, I refer to in my head as "GarBot").

Actually, Sarah Black is a good bot going stoner ... she still hasn't gone to posting drug photos, but her two most recent follows were 'non-Gar' accounts of questionable topics, and although she still hasn't chosen a cover photo, she did post a photo in a tweet with a drug reference.

Sarah's path to corruption includes forsaking the following of "Gar" accounts and choosing to follow two pornographic Twitter accounts ... 

Her last tweet was "Gonna roll a jay before I eat this beauty."

I think I'll stop there ... but I would certainly be interested in hearing from you if you have found your own version of a "GarBot" following you and others with similar names.  I'm genuinely curious how far this thing goes.  If you happen to know what research team is behind this project, please feel free to send me a note about that as well!


A few more of my "GarBots" . . . just in case more examples help anyone who is researching this trend themselves . . .
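The indicators described above (a lone "Just setting up my Twitter" tweet, no cover photo, and a follow list dominated by "Gar" accounts) can be turned into a simple triage heuristic for reviewing new followers. This is an added example and not part of the original post: the accounts are constructed dicts rather than Twitter API data, the field names are assumptions, and the handles other than @gar and @ColegSirGar are invented.

```python
"""Heuristic triage of new Twitter followers for the 'GarBot' pattern.
Added example, not part of the original post: accounts are constructed dicts
(no Twitter API), and the field names used here are assumptions for the demo."""
import re

SETUP_TWEET = re.compile(r"just setting up my twitter.*#myfirsttweet", re.I)
TOKEN = "gar"  # the substring the bot appears to search for when picking targets

def mentions_token(account, token=TOKEN):
    """True if the token appears in the handle, display name or bio."""
    text = " ".join([account["handle"], account.get("name", ""), account.get("bio", "")])
    return token in text.lower()

def gar_affinity(follower, token=TOKEN):
    """Share of accounts this follower follows whose handle/name/bio contains
    the token. A real person rarely exceeds a small fraction."""
    follows = follower.get("follows", [])
    if not follows:
        return 0.0
    return sum(mentions_token(a, token) for a in follows) / len(follows)

def garbot_indicators(follower, token=TOKEN):
    """Return the indicators from the post that this follower matches."""
    found = []
    tweets = follower.get("tweets", [])
    if len(tweets) == 1 and SETUP_TWEET.search(tweets[0]):
        found.append("only_tweet_is_setup_message")
    if not follower.get("has_cover_photo", True):
        found.append("no_cover_photo")
    if gar_affinity(follower, token) >= 0.5:
        found.append("follows_mostly_token_accounts")
    return found

def is_probable_garbot(follower, token=TOKEN, min_indicators=2):
    """Flag for manual review when at least min_indicators heuristics fire."""
    return len(garbot_indicators(follower, token)) >= min_indicators

# Constructed sample data: two handles from the post plus invented ones.
TARGETS = [
    {"handle": "@gar", "bio": "likes tacos"},
    {"handle": "@ColegSirGar", "name": "Coleg Sir Gar"},
    {"handle": "@garden_club", "name": "Garden Club"},
    {"handle": "@newsfeed", "name": "Daily News"},
]
BOT = {"handle": "@juliette_x", "bio": "Author, Musician, Troll King",
       "has_cover_photo": False, "tweets": ["Just setting up my Twitter. #myfirstTweet"],
       "follows": TARGETS}
HUMAN = {"handle": "@sec_ops_pat", "has_cover_photo": True,
         "tweets": ["New post on BEC losses by state", "See you at the conference"],
         "follows": [TARGETS[0], TARGETS[3], {"handle": "@weather", "name": "Forecast"}]}

if __name__ == "__main__":
    for acct in (BOT, HUMAN):
        print(acct["handle"], round(gar_affinity(acct), 2), garbot_indicators(acct))
```

Note that "@garden_club" trips the substring match just as the bot's own search would; the heuristic scores the follower, not the followed account.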