Tuesday, April 02, 2019

Twitter Mystery Followers: "GarBot"?

I'm one of those people who tends to review the people who are following me on Twitter and to block a great number of them.  Why?  Because many of them aren't real people!

Here are a few examples:


Juliette only has one tweet and it says "Just setting up my Twitter.  #myfirstTweet"

Gosh, the pretty blonde whose random mash-up of a bio reads "Author, Musician, Harry Potter Lover, Idea Agent, Troll King, You're beautiful" must be a cyber security fan who has read some of my tweets and was inspired to follow me, right?

More likely, she is part of the botnet that has been assigned to search for the three character string "GAR" and follow people who come up in the search results.  Like these folks:

This has been going on for some time . . . in fact, the shortcut for me is to look at the followers of "@gar" (the "communist socialist libertarian anarchist who likes tacos") on that last row.  Almost all of this guy's recent followers are part of this bot:

How can we be sure?  Well, they do have something in common . . . besides a desire to follow people with "Gar" in their name or bio.  See if you can spot the pattern.

Many of the images are coming from "royalty free stock images" sites, which might imply someone is trying to be "legal" with their bot ... not sure.

And lest you think this is just a "pretty girls who follow you" bot, there are male accounts as well, although recently the males seem to be primarily Spanish (or Catalan):

And these accounts also share their passion for people named "Gar"  . . . 
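Added example, not from the original post: a small triage script for the follower pattern described above. It scores each new follower on the signals the post points out (the canned "#myfirstTweet" opener, a follow list dominated by accounts matching a search string such as "gar", no cover photo) and adds one the post only implies, a follow list shared almost verbatim with another new follower, measured as Jaccard overlap. All account records, handles and thresholds below are constructed for the example.

```python
# Added example: triage of new followers for a coordinated "GarBot"-style cohort.
SEED_TWEET = "Just setting up my Twitter. #myfirstTweet"

# Constructed follower records (handle, bio, first tweet, cover photo flag and
# the set of accounts each one follows). "gar" and "ColegSirGar" appear in the
# post; the remaining handles are invented for the example.
FOLLOWERS = [
    {"handle": "juliette_x", "bio": "Author, Musician, Harry Potter Lover",
     "first_tweet": SEED_TWEET, "cover_photo": False,
     "following": {"gar", "gar_cafe", "ColegSirGar", "garfield_fan", "garyv"}},
    {"handle": "shery_q", "bio": "i love #dogs",
     "first_tweet": SEED_TWEET, "cover_photo": False,
     "following": {"gar", "gar_cafe", "ColegSirGar", "garfield_fan", "edgar_p"}},
    {"handle": "real_colleague", "bio": "Incident responder, blue team",
     "first_tweet": "Great talk on BEC at the conference today",
     "cover_photo": True,
     "following": {"gar_cafe", "blue_team_news", "ir_daily", "dfir_notes", "soc_chat"}},
]

def target_share(record, needle):
    """Fraction of the account's followees whose handle contains the needle."""
    handles = record["following"]
    hits = sum(1 for h in handles if needle.lower() in h.lower())
    return hits / len(handles) if handles else 0.0

def jaccard(a, b):
    """Overlap of two follow lists: |a & b| / |a | b|."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def max_overlap(record, others):
    """Highest Jaccard overlap between this follow list and any other follower's."""
    return max((jaccard(record["following"], o["following"])
                for o in others if o is not record), default=0.0)

def score(record, others, needle="gar"):
    """Return (points, reasons). Higher means more bot-like."""
    reasons = []
    if record["first_tweet"].strip().lower() == SEED_TWEET.lower():
        reasons.append("canned first tweet")
    if target_share(record, needle) >= 0.6:
        reasons.append(f"follow list dominated by '{needle}' accounts")
    if not record["cover_photo"]:
        reasons.append("no cover photo")
    if max_overlap(record, others) >= 0.5:
        reasons.append("follow list shared with another new follower")
    return len(reasons), reasons

def bot_cohort(followers, needle="gar", threshold=3):
    """Handles whose score reaches the threshold, i.e. likely one coordinated bot."""
    return [r["handle"] for r in followers
            if score(r, followers, needle)[0] >= threshold]

if __name__ == "__main__":
    for r in FOLLOWERS:
        print(r["handle"], score(r, FOLLOWERS))
    print("cohort:", bot_cohort(FOLLOWERS))
```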

More Tweets of Wisdom

Over time, the accounts do tweet things other than "Just setting up my Twitter. #myfirstTweet".  They share great wisdom such as:

"Love sees no faults" ... "Hope is life"  ... "Every bird loves to listen to himself sing"

I don't know if you can call Shery's post "wisdom" -- "i hate #cats" and "i love #dogs" and "i don't think there is such thing as too much #coffee"

StonerBot Variant

One odd variation of this bot is something I think of as "StonerBot" ... it starts out the same way.  @Janecarrson started with "Just setting up my Twitter #myfirstTweet" and following a bunch of Gar accounts:

But then things quickly go off the tracks ... in a decidedly marijuana friendly way:

StonerBotJane has posted 20 photos, instead of just one liners, and expanded beyond her "Gar" following to follow many other accounts, several of which feature nudity in their profile pictures.  Also, unlike my "GarBot" followers, StonerBotJane has a cover photo.

Looking at some of the other people's accounts that were followed by "GarBot" it was easy to spot many other "StonerBot" variants.  These all follow "@ColegSirGar":

Victoria, Deirdre, Maria, Jane, and Leah all behave like StonerBotJane, while Sarah, Olivia, and Julia are all more like the original "GarBot" (which surely must follow people with other names as well, but the version I am most familiar with, for obvious reasons, I refer to in my head as "GarBot").

Actually, Sarah Black is a good bot going stoner ... she still hasn't gone to posting drug photos, but her two most recent follows were 'non-Gar' accounts of questionable topics, and although she still hasn't chosen a cover photo, she did post a photo in a tweet with a drug reference.

Sarah's path to corruption includes forsaking the following of "Gar" accounts and choosing to follow two pornographic Twitter accounts ... 

Her last tweet was "Gonna roll a jay before I eat this beauty."

I think I'll stop there ... but I would certainly be interested in hearing from you if you have found your own version of a "GarBot" following you and others with similar names.  I'm genuinely curious how far this thing goes.  If you happen to know what research team is behind this project, please feel free to send me a note about that as well!


A few more of my "GarBots" . . . just in case more examples help anyone who is researching this trend themselves . . . 

Thursday, March 28, 2019

Dissect Cyber wins major DHS S&T Award for their BEC Work

Congratulations to our great friends at Dissect Cyber for receiving the DHS S&T Global Award for their work on BEC scams!

The FBI has been warning companies for several years now of the growing prominence of Business Email Compromise (BEC) scams as being one of the top forms of cyber crime based on the volume of dollars stolen.  A single BEC scam can often lead to six-figure and even seven-figure losses!  According to a June 2018 BEC report from the Internet Crimes Complaint Center, so far the FBI has documented $12,536,948,299 in losses stolen from 78,617 businesses.

Dissect Cyber decided that the best way to attack these scams and help protect those at-risk companies was to create an early warning system called Cyber Notify, based on their analysis of the vulnerable (and detectable) points of a BEC scam that is ABOUT TO HAPPEN!  To understand why their solution is so powerful, let's look at how a BEC fraud group is structured.

BEC Org Charts

Some of the leading experts in Business Email Compromise have documented the significant role in these scams played by West African cyber criminals.  Experts such as John Wilson, Crane Hassold, and Ronnie Tokazowski at Agari are doing some great work investigating BEC scam actors to learn more about how they commit their crimes.  The SecureWorks experts are documenting the role of malware in BEC crimes, and produced a great chart explaining the roles of the various actors, reproduced here from their report "Golden Galleon: How A Nigerian Cybercrime Crew Plunders the Shipping Industry."

SecureWorks BEC Org Chart
In that document, American researchers assigned names to each of the roles that make up a BEC scam.  One of those roles in the SecureWorks report is "Cloner" which is described as the person who "Registers domain names for impersonating email addresses."

The West African fraud experts at AA419 (Artists Against 419) provide a similar chart, but label their content based on the names the fraudsters use themselves.  In their diagram, the "Cloner" role carries the name the West African fraudster community uses for it: a "Faker Maker."  While they do create domain names that closely imitate real organization names to be used in email, they often are also responsible for creating entire fraudulent organizations, complete with corresponding web sites, in order to facilitate their fraud, including fake travel agencies, fake government organizations, fake shipping companies, fake job websites, and fake lotteries.

AA419 BEC Org Chart
The AA419 staff did an excellent blog post explaining the critical role of The Faker Maker in December 2017.

Enter Dissect Cyber and Cyber Notify

I've known and worked with April Lorenzen, the founder of Dissect Cyber and Zetalytics, and her staff and products for many years.  She has been passionate about building tools for law enforcement and investigators to quickly understand the relationships between domain names, their name servers, and the IP addresses which host them.  She's also been generous enough to share her tools with researchers in my lab, including sharing them with our UAB Cyber Detective Camp last summer!  Whether we are doing phishing investigations, malware investigations, or illicit pharmaceutical investigations, Dissect Cyber has been a great partner!

Based on the organizational charts above, what Dissect Cyber realized was that the PRECURSOR events to a new BEC attack often involve the creation of a "look-alike domain" that will imitate the company being targeted.  We've blogged many times about how BEC attacks work, such as our article "Business Email Compromise: Putting a Wisconsin Case Under the Microscope."  Often, as in two of the victim cases described in the Wisconsin case, the criminals are monitoring the emails of key executives, having already planted email-stealing malware on their computers, watching for an opportunity when they are traveling or otherwise unavailable.  During that scheduled outage, an employee will receive an "urgent command" that they must quickly pay an invoice, wire some funds for a merger, or complete some other large financial transaction.  Because the email comes from a domain that is VERY SIMILAR to the true email domain, the employee often does not realize that this is not really The Big Boss, and they will comply with the financial transfer order they receive.

This is where Dissect Cyber comes in.  Because they have full visibility of EVERY NEWLY CREATED DOMAIN ON THE INTERNET, they created the Cyber Notify system to check each new domain to see if it might be a counterfeit look-alike domain.  If so, their team of highly trained and vetted professionals (at the moment, all members of the alert team are military veterans) reach out to the imitated organization to help them understand that they may be about to be targeted with a BEC attack.
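To make the "check each new domain" step concrete, here is an added example of a minimal look-alike domain screen; it is not Dissect Cyber's code or the Cyber Notify logic, only one way a defender could score a feed of new registrations against a list of protected organization names. The protected domains, the new-domain feed and the homoglyph table are all constructed for the example; the real Cyber Notify matching rules are not described on this page.

```python
# Added example: screen newly registered domains for look-alikes of protected names.

# Constructed list of organization domains to protect (hypothetical names).
PROTECTED = ["acme-shipping.com", "examplebank.com"]

# Constructed feed of "newly registered" domains to screen.
NEW_DOMAIN_FEED = [
    "acme-shipping.net",          # same name, different TLD
    "acrne-shipping.com",         # "rn" standing in for "m"
    "acmeshipping-invoices.com",  # brand plus an extra word
    "exampelbank.com",            # transposed letters
    "gardenpartysupplies.com",    # unrelated, should not alert
]

# Character substitutions that make two names look alike at a glance.
# "rn" is listed first so it is folded before the single-character rules.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "i", "l": "i", "3": "e", "5": "s"}

def registrable_label(domain):
    """Second-level label ('acme-shipping' for 'acme-shipping.com').
    Simplification: multi-part public suffixes such as .co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label):
    """Fold homoglyphs and hyphens so visually similar labels compare equal."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(new_domain, protected_domain):
    """Reasons (possibly none) that new_domain imitates protected_domain."""
    if new_domain.lower().rstrip(".") == protected_domain.lower().rstrip("."):
        return []  # the organization's own domain is not a look-alike
    n, p = registrable_label(new_domain), registrable_label(protected_domain)
    reasons = []
    if n == p:
        reasons.append("same name on a different TLD")
    elif normalize(n) == normalize(p):
        reasons.append("homoglyph/hyphen variant")
    elif len(p) >= 6 and edit_distance(n, p) <= 2:
        reasons.append("edit distance <= 2")
    elif p.replace("-", "") in n.replace("-", ""):
        reasons.append("brand embedded with extra words")
    return reasons

def screen_feed(new_domains, protected=PROTECTED):
    """Return one alert per (new domain, protected domain) pair that matches."""
    alerts = []
    for d in new_domains:
        for prot in protected:
            reasons = lookalike_reasons(d, prot)
            if reasons:
                alerts.append({"domain": d, "imitates": prot, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in screen_feed(NEW_DOMAIN_FEED):
        print(alert)
```

The length guard on the edit-distance rule keeps short brand labels from matching every six-letter word; tuning that threshold against a real feed is where the false-positive work lives.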

According to the press release from Dissect Cyber, this work has helped 1,500 companies avoid losing $407 million which the scammers who had created these fake domains had requested be wire transferred!  Priority notifications are given to those companies that are part of the nation's Critical Infrastructure as defined by DHS.  Why?  While the techniques that have been broadly used to steal money by West African scammers account for the majority of the financial losses reported by the IC3.gov team, the scarier fake domain attacks may come from foreign nation state actors who are using the techniques refined by the West Africans to send dangerous emails that could have an impact on anything from our power grids to our water supply to employees of those critical infrastructure companies!

Congratulations, Dissect Cyber!  I hope that Cyber Notify (cybernotify.org) will grow, expand, and continue to innovate in ways to help us all protect our vulnerable small and medium-sized businesses from fraud, while also protecting our Critical Infrastructure businesses from nation state espionage hackers!

Wednesday, March 27, 2019

FTC shutters four Robocalling services that made billions of calls in 2018

The Federal Trade Commission announced settlements this week that could result in many fewer of those annoying Robocalls we've all been receiving.  Who did they sanction and what were those companies doing?

NetDotSolutions (James Christiano)

James Christiano ran a company that provided and operated software called "TelWeb," a call spamming platform.  His software violated several laws, including placing marketing calls to people on the "Do Not Call" list, and using a spoofed caller ID, intending to deceive call recipients.

Of 883 million robocalls per year, on average, 157 million of the calls placed by TelWeb went to numbers on the National Do Not Call Registry.  At least 54 million calls, just in the first half of 2016, had spoofed caller ID numbers.  The FTC received almost 8,000 consumer complaints against this company, which contributed greatly to the decision to pursue this lawsuit!

His companies, NetDotSolutions and TeraMESH Networks, were both named in the suit.  Additionally, Aaron Michael Jones and Andy Salisbury, two resellers of TelWeb, are both also named in the suit.  That brings up one problem with these types of suits: Jones was already "permanently banned" from doing telemarketing.  Salisbury and World Connection were each fined $2.7 million.  Nine of his previous companies were also subject to the ban previously:   1) Allorey, Inc.; 2) Audacity LLC; 3) Data World Technologies, Inc.; 4) Dial Soft Technologies, Inc.; 5) Digital Marketing Solutions, Inc.; 6) Savilo Support Services, Inc.; 7) Secure Alliance, Inc.; 8) Velocity Information Corp.; and 9) World Access Media.
Jones was also one of those charged in the Point Break Media case, where callers were told to "Press 1 to speak to a Google Specialist" who told them they were about to be "unlisted" from Google and charged them at least $169 to not be deleted from Google search results.

Higher Goals Marketing

Have you had the Robocall about reducing your credit card interest rate?  It may have been coming from Higher Goals Marketing.  "According to the FTC's complaint, Higher Goals Marketing LLC, Sunshine Freedom Services LLC, Brandun L. Anderson, Lea A. Brownell, Melissa M. Deese, Gerald D. Starr, Jr., and Travis L. Teel, have engaged in a telemarketing scheme that has deceived financially distressed consumers nationwide by pitching bogus credit-card interest-rate-reduction services."
Unfortunately, this is another case demonstrating that to robocallers, a multi-million dollar fine is just a slap on the wrist.  The defendants were helped with setting up their service by Wayne Norris, just weeks after he was put out of business by a previous FTC settlement against the company he was working for, Life Management Services, back in 2016.  He is charged with violating the Telemarketing Sales Rule by helping the other defendants organize the telemarketing infrastructure they used to bombard consumers with illegal robocalls, putting a team of managers together to oversee the entire robocall operation, and helping to set up a shell company to collect illegal up-front fees from consumers.

In the case of Life Management Services, Wayne was asked to handle registering the new company for his boss, Steven Guise, because Guise was permanently banned from telemarketing.  He did so by asking a friend of his wife's to register the company in Florida. (See p.6 of this 51 page order .. https://www.ftc.gov/system/files/documents/cases/life_management_order_and_permanent_injunction_kevin_guice.pdf )

Wayne is behind the calls that start "This is Rachel, from Cardholder Services?"  In 2012, the FTC Chairman Jon Leibowitz declared Rachel from Cardholder Services "public enemy number one."  Back then, Wayne worked for Ambrosia Web Services.

Travis Deloy Peterson

You'll probably also be familiar with Peterson's "Veteran scams".  Using many different fake charity names, including Veterans of America, Vehicles for Veterans LLC, Saving Our Soldiers, Donate Your Car, Donate That Car LLC, Act of Valor, and Medal of Honor, Peterson made millions of calls asking people to donate a vehicle to help a veteran. In addition to paying more than a $500,000 fine, Peterson also has to return 88 vehicles that he's stolen under the guise of a charitable donation.

Point Break Media

A fourth settlement by the FTC this week targeted people offering false Google Business services.  Point Break, and several related companies and "d/b/a" aliases, were calling customers to inform them that if they didn't take action immediately, their company would no longer be able to be found in Google searches.

Dustin Pillonato; Justin Ramsey; Aaron Michael Jones, a/k/a Michael Aaron Jones and Mike Jones; Ricardo Diaz; Michael Pocker; Steffan Molina, Vincent Yates, and Daniel Carver were all charged individually in the case.   Three primary defendants in this case have agreed to settle.

As part of the settlement, the defendants will pay the FTC $3,637,386.57 and agree to forgo any further work in the telemarketing industry.

Tuesday, January 29, 2019

Money Laundering and Counter-Terrorist Financing: What is FATF?

Many cybercrime investigators seem narrowly focused on the bits and bytes of the crimes they investigate while not truly understanding or interacting with those who focus on where the money goes.  As we've been expanding our horizons, I've learned quite a bit and wanted to share some resources for others who may have been similarly limited in their focus.

The Financial Action Task Force (FATF) was established in 1989. It built a list of Forty Recommendations for countries to address Money Laundering, which were first issued in 1990, and revised in 1996, 2001, 2003, and 2012.  Their latest FATF Annual Report (2017-2018) addresses Terrorist financing as well as new methods and trends and announces a research project on financing of recruitment for terrorism.  Many of these Recommendations meet our lives in the form of regulations on financial institutions and interactions between international law enforcement agencies.
"Regardless of their size and complexity, the financial activities and channels of terrorists are an essential source of intelligence.  Financial investigation can identify terrorist cells, their associates and facilitators, and reveal the structure of terrorist groups, and their logistics and facilitation networks." -- FATF President Santiago Otamendi, 14DEC2017, NYC.
FATF also released an important report "Financing of Recruitment for Terrorist Purposes" in January 2018, and a second report "Concealment of Beneficial Ownership" in July 2018.
Beneficial Ownership (July 2018)
Terrorist Recruitment (January 2018)
FATF is composed of 38 member states, covering most of the major financial centers of the world. Each of these member states has pledged to come into compliance with the Forty Recommendations, and to measure its progress.

The FATF Forty Recommendations on Money Laundering and Counter Terrorism Finance

International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (Oct 2018)
The Recommendations fall into seven major categories:

A - AML/CFT Policies and Coordination
  • R1. Assessing risks & applying a risk-based approach
  • R2. National cooperation and coordination

B - Money Laundering and Confiscation

  • R3. Money laundering offense 
  • R4. Confiscation and provisional measures

C - Terrorist Financing and Financing of Proliferation

  • R5. Terrorist financing offense
  • R6. Targeted financial sanctions related to terrorism and terrorist financing
  • R7. Targeted financial sanctions related to proliferation 
  • R8. Non-profit organizations

D - Preventative Measures

  • R9. Financial institution secrecy laws
  • R10. Customer due diligence 
  • R11. Record keeping 
  • R12. Politically exposed persons
  • R13. Correspondent banking
  • R14. Money or Value transfer services
  • R15. New technologies
  • R16. Wire transfers 
  • R17. Reliance on third parties 
  • R18. Internal controls and foreign branches and subsidiaries
  • R19. Higher-risk countries
  • R20. Reporting of suspicious transactions
  • R21. Tipping-off and confidentiality 
  • R22. Designated non-Financial Businesses and Professions: Customer due diligence
  • R23. Designated non-Financial Businesses and Professions: Other measures 

E - Transparency and Beneficial Ownership of Legal Persons and Arrangements

  • R24. Transparency and beneficial ownership of legal persons
  • R25. Transparency and beneficial ownership of legal arrangements 

F - Powers and Responsibilities of Competent Authorities and Other Institutional Measures

  • R26. Regulation and supervision of financial institutions
  • R27. Powers of supervisors
  • R28. Regulation and supervision of Designated non-Financial Businesses and Professions
  • R29. Financial intelligence units
  • R30. Responsibilities of law enforcement and investigative authorities 
  • R31. Powers of law enforcement and investigative authorities 
  • R32. Cash couriers 
  • R33. Statistics
  • R34. Guidance and feedback 
  • R35. Sanctions 

G - International Cooperation

  • R36. International instruments 
  • R37. Mutual legal assistance 
  • R38. Mutual legal assistance: freezing and confiscation
  • R39. Extradition 
  • R40. Other forms of international cooperation 

Mutual Evaluation and Ranking of Members

4th Round Ratings
In this chart, each member state, including the Associate members, is ranked on how well they comply with each of the 11 "Immediate Outcomes" and 40 Recommendations.  For example, the United States is currently not compliant with recommendations 22, 23, and 24 -- so, we don't do well in non-financial institutions, and our shell company games are impossible to monitor as of now, but we do generally do well in most others.  Clicking the "4th Round Ratings" label will take you to the full chart.  If you do international business, doing business in countries with poor ratings across the board here may be a form of risk.

FATF Member Assessments

Each member is encouraged to perform regular assessments to measure themselves on how they are complying with the Forty Recommendations.  Here are example reports from the United States, but these reports are available for every country that participates in FATF or one of the Associate Members.  In the United States, these assessments are published by the Department of the Treasury.  These reports were issued in 2015 by the Treasury Undersecretary for Terrorism and Financial Intelligence, Adam Szubin.

2015 Money Laundering Risk Assessment

2015 Terrorist Financing Risk Assessment

The goal of sharing these examples is to serve as a reminder that from the FATF site, ALL such reports for all member states are available, by looking for the "Mutual Evaluations Publications."  As of this writing the four newest ones are from Tunisia, Nicaragua, Panama, and Tajikistan.

FATF Associate Members

FATF also has 9 Regional Bodies, considered "FATF Associate Members," each of which puts out specialized information for its portion of the world.  For those who are interested in a particular Region, following up on the reports from its representative task forces and groups will be worthwhile.

A Special Focus on Terrorist Financing Risks 

FATF issued their first special report offering guidance on Terrorist Financing in 2008:

Several more recent reports would be especially interesting regarding terrorist financing, stemming from an emergency meeting of 55 states, the United Nations, the Egmont Group of Financial Intelligence Units, the International Monetary Fund, the World Bank, and others specifically to address curbing the financing of ISIS/ISIL.

In the Paris meeting of 19OCT2018, FATF encouraged members to expand their focus from looking specifically at ISIL to more broadly include Al Qaeda and its Affiliates, issuing this guidance:

Regional Terrorist Financing Focuses

There have also been significant regional reports issued by sub-groups and associate members.

The Counter-Terrorism Financing Summit, hosted by Australia's Financial Intelligence Agency (AUSTRAC) and the Indonesian counterpart, Pusat Pelaporan dan Analisis Transaksi Keuangan (PPATK), issued the Regional Risk Assessment on Terrorism Financing 2016.  The following year, the event was repeated, adding Bank Negara Malaysia as a partner.  These events issued two small statements, and one more substantial report, addressing events in Philippines, Thailand, Malaysia, Singapore, Indonesia, and Australia, and how those events were funded.

A risk methodology for their region (p.22)

The Nusa Dua Statement - August 2016 
Kuala Lumpur Communique - November 2017 

West and Central Africa have very different concerns, and held a summit to discuss these differences, resulting in this excellent joint publication: 

"Terrorist Financing in West and Central Africa", October 2016
50 page joint report from FATF, GIABA, and GABAC

Particular Funding Methods for Terrorism Finance

Many other special reports have been issued, related to the trade in:

Virtual Currencies of Growing Concern

In the Paris meeting 19OCT2018, a special issue that was raised was the Regulation of Virtual Currencies.  This was deemed to be a matter of strategic interest that will be further evaluated, especially with regard to Initial Coin Offerings and their role in Money Laundering.  FATF has committed to work with the G20 to come up with new guidelines to update their previous report "Virtual Currencies: Key Definitions and Potential AML/CFT Risks" as well as their report "Guidance for a Risk-based Approach to Virtual Currencies" (June 2015 - 46 page PDF).  

The work so far is in the form of a report to the G20, which addresses many topics in addition to Virtual Currencies:

In part the report shares:

"Noting that virtual currencies/crypto-assets raise issues with respect to money laundering and terrorist financing, they committed to implement the FATF Standards as they apply to virtual currencies/crypto-assets.  They looked forward to the FATF review of those Standards, called on the FATF to advance global implementation, and asked the FATF to provide an update on this work in July 2018.  The FATF will take this work forward under the US presidency from 1 July 2018 to 30 June 2019."

This work begins with first reviewing laws and regulations regarding crypto-assets and virtual currencies in each of the G20 states.

More on this topic will certainly be forthcoming from FATF.