Thursday, June 03, 2021

PPP Fraud or How to Use the CARES Act to Go To Prison

 If you are one of the thousands of people who fraudulently filed for a Paycheck Protection Program (PPP) loan under the CARES Act, pay attention!  This blog post is going to explain why you should return the money and turn yourself in.  The CARES Act provided $349 Billion in forgivable loans that a business could use to cover payroll, mortgage interest, rent, lease, or utilities during the trying times of the pandemic.  But many people are assuming they can just steal that money and never pay a penalty.

Let's use as our example the case of Zsa Zsa Bouvier Couch, whose case was just unsealed in the Middle District of Alabama.

Zsa Zsa Bouvier Couch

Zsa Zsa is an entrepreneur in the Montgomery area.  She operated seven businesses, according to the Alabama Secretary of State:

  • Trinity Christian Ministry, LLC, incorporated on 26MAR2008.
  • Kidz Academy Christian Child Care Center, Inc, incorporated as a non-profit on 12JUN2007.
  • Bouvier Hair Boutique LLC, incorporated 22JAN2008.
  • Slim Fit Weight Loss Medical Clinic & Spa I Inc, incorporated 07APR2020.
  • Zsa Zsa's Boutique, LLC, incorporated 02MAY2020.
  • ABC Christian Ministries, LLC, incorporated 22JAN2008.
  • Walters Academy Corporation, incorporated 26MAY1999.
Kidz Academy opened a new Regions Bank checking account on 25JUN2019.
Bouvier Hair opened a new Regions Bank checking account on 07MAY2020.
Slim Fit opened a new Trustmark checking account on 22APR2020.
Kidz Academy opened a new Trustmark checking account on 06MAY2020.

PPP Loan Time!

Then the PPP Loan Applications started.  To apply for a PPP Loan, the applicant has to tell the bank what their average monthly payroll was and how many employees they have on staff.  One of the checks that is used is to compare the information on the application to the history of the bank account.  For example, if I regularly issue payroll for $20k per month, and claim on the PPP Loan application that I have a $90k per month payroll, I'm going to quickly get caught.  Zsa Zsa perhaps believed that by opening new checking accounts, the bank would be unable to look at her previous payroll information.

On 22APR2020, Zsa Zsa asked Trustmark for $206,041.68, claiming that Slim Fit had 10 employees and an average payroll of $82,416.67.

To complete the application, she had to attest that the business existed on 15FEB2020 and that the received funds would only be used as allowed in the CARES Act.  She also had to state that this was the only PPP Loan she was applying for and that she did not own or manage any other businesses.

Since Slim Fit was incorporated AFTER 15FEB2020 (on 22APR2020), that was a pretty easy one to detect.  Opening a new checking account and then applying for a PPP Loan the same day with your new bank is also a sort of risky move ... but ... she got the loan!  For more than she asked for!  $248,125.00!

On 23APR2020, Zsa Zsa asked Trustmark for $122,479.18, claiming that Trinity also had 10 employees, but had an average monthly payroll of $48,991.67.  Winning move, attesting TO THE SAME BANK that you don't have any other businesses, when you had just filed THE DAY BEFORE for another business.  But ... she got the loan (though only for $95,625.00).

On 23APR2020, Zsa Zsa also asked Trustmark for $186,664.38 for a third business, Kidz Academy.  She claimed they had 10 employees and a monthly payroll of $74,665.75. And ... she got the loan (for $83,437.47.)

Since things were going so well, Zsa Zsa decided to ask Trustmark for $964,371.88 for Zsa Zsa's Boutique.  She claimed she had 30 employees and an average monthly payroll of $385,748.75.  This time, the Alabama Department of Labor notified Trustmark that ZZB had ZERO employees.  When Trustmark informed Zsa Zsa of this, she responded "Just withdraw the application." 

That application was withdrawn on 04MAY2020, but her Kidz Academy PPP loan was approved on 11MAY2020, her Trinity application was approved on 04MAY2020, and her Slim Fit application was approved on 03JUN2020.

So, after stealing $427,187.47 from the US Taxpayers via Trustmark, she realized the jig was up at Trustmark and decided to start stealing via Regions Bank.

On 05MAY2020, just one day after learning that the Alabama Department of Labor was on to her and having her most audacious PPP Loan request denied, Zsa Zsa switched to Regions Bank and filed a PPP Loan for Kidz Academy.  This time she claimed to have 15 employees with a monthly payroll of $120,000 and asked for $66,700.00.  Regions approved the loan for the full amount.

On 03JUN2020, Zsa Zsa asked Regions for a PPP Loan for Bouvier Hair, claiming that she had 10 employees and $183,600 average monthly payroll.  She asked Regions for $115,800.  Regions approved the loan for the full amount.  

Zsa Zsa's total theft from the US Taxpayers then was $182,500 from Regions + $427,187.47 from Trustmark for a total of $609,687.47.

Time to Go Shopping!

After claiming that she only had one business, Zsa Zsa had two of her PPP Loans deposited into the same bank account at Trustmark.  Then our criminal mastermind paid for an Audi Q3 by sending a wire transfer from the account which was only funded via PPP Loans to the Rusnak Westlake Audi dealership.  She then wrote checks from the account to family members totaling $150,000.00.  She also wrote another $49,200 in checks to family members from one of her other PPP Loan accounts at Trustmark. 

The story in her Regions account was about the same.  She wrote out a $26,997.00 Cashier's Check and used it to pay cash for a Mercedes-Benz A-220 (VIN# WDD3G4EBCKW017692) which she registered to another family member.

Time to Go To Prison!

There were several other interesting purchases made with all of that money, as the Forfeiture requested by the court includes: 
  • a 2019 BMW 330 
  • a 2007 GMC Pickup truck 
  • a 2019 Mercedes Benz A220 
  • a 2017 Audi Q3 SUV 
  • a 2008 Ford Mustang GT 
  • and all the contents of eight bank accounts, $2400 seized when her house was searched and $1180 seized from her purse.

Let's Review . . . 

1. The banks have been encouraged -- HELP BUSINESSES SURVIVE -- if there is fraud, we will figure that out on the back end.  GET THE MONEY OUT THE DOOR and SAVE JOBS.

2. But they WILL FIND YOU.  If the number of employees you claim to have does not match the IRS tax records or the Alabama (or your state's) Department of Labor numbers, YOU WILL GET CAUGHT.

3. When your bank realizes your PPP Loan doesn't match your Payroll expenditures, YOU WILL GET CAUGHT.

4. If you attest (as required) that this is your ONLY PPP LOAN and then you file multiple applications, YOU WILL GET CAUGHT.

5. If you open new bank accounts to avoid payroll matching, the bank will eventually get around to checking that and YOU WILL GET CAUGHT.

6. And lastly, if you take your PPP Loan account and wire money to a car dealer, YOU WILL GET CAUGHT.

Don't be a Zsa Zsa.  If you committed fraud, return the funds and throw yourself on the mercy of the courts.

Wednesday, March 10, 2021

Microsoft Exchange: Patching Too Late If Already Compromised

On March 2, 2021, Microsoft accused a Chinese APT group which they name Hafnium of compromising 30,000 Exchange servers.  They announced four security vulnerabilities, known as 0-days, a term that refers to the fact that attackers had a reliable means of exploiting the vulnerability for which there was no patch.  In case your organization didn't go into full panic mode, GO PULL THE FIRE ALARM!  THIS IS SERIOUS!

Tom Burt, Microsoft's VP of Customer Security & Trust, released a blog post about Hafnium: New Nation-State Cyberattacks. Microsoft describes Hafnium as "primarily targeting entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs." According to my favorite APT Cross-reference chart, maintained by Florian Roth (Twitter: @Cyb3rOps), Hafnium is also referred to by Symantec as Ant.  (They chose the name because one of the common webshells used for post exploitation was regularly hit by a web browser using the user agent "antSword/v2.1".)  Both AntSword (中国蚁剑) and ChinaChopper (中国菜刀) are popular webshells that have been used by Chinese attackers for many years.  

FireEye says there is no reason to believe the activity is limited to one threat actor and refers to the clusters of attacks as UNC2639, UNC2640, UNC2643.

FireEye associates UNC2639 with activity from IP addresses 165.232.154.116 and 182.18.152.105, both active at the time of the Microsoft announcement (March 2 and March 3).

FireEye associates UNC2640 with activity involving "web shell" files named "help.aspx" (MD5 4b3039cf227c611c45d2242d1228a121) and "iisstart.aspx" (MD5 0fd9bffa49c76ee12e51e3b8ae0609ac)

FireEye associates UNC2643 with the deployment of a Cobalt Strike Beacon (MD5 79eb217578bed4c250803bd573b10151) and the IP addresses 89.34.111.11 and 86.105.18.116.

FireEye says they began seeing this activity in January, which matches the reports from Microsoft that they were notified of this activity by security firm Volexity in January.  However, DEVCORE Research Team gets credit for trying to exploit the marketing of the bug by calling the attack "ProxyLogon" and making a sexy webpage and logo for the attack, a la HeartBleed.  Fortunately, that really hasn't caught on; their timeline, however, is still very interesting. They found the first bug 10DEC2020 and the second 30DEC2020 and reported both to Microsoft on 05JAN2021 (as Tweeted by their Taiwanese researcher, Orange Tsai.)

Symantec makes clear that the actor which they call Ant (and Microsoft calls Hafnium) is definitely no longer the only attacker using these vulnerabilities. Symantec's diagram of the attack is useful:

Symantec's attack flow diagram 

Brian Krebs interviewed several researchers about the attack, including Steven Adair, who says his company, Volexity, has been seeing the bug since 06JAN2021.  See Krebs on Security: "At Least 30,000 US Organizations Newly Hacked via Holes in Microsoft's Email Software."

As Krebs and others have since pointed out, while 30,000 US-based organizations were known to be victims of Hafnium/Ant, now that the vulnerability is known, the attacks have grown to an astronomical number.  Why is this a problem?  The companies most likely to be running their own unpatched mail servers are also the least likely to be clueful enough to patch.

Both Forbes and WIRED now say that hundreds of thousands of servers have been compromised and the compromise count at one point was growing by "thousands per hour."


What To Do?  PATCH! (But it is quite possibly too late...)

Obviously, the most important thing to do is apply Microsoft's patches.  However it is VERY IMPORTANT TO UNDERSTAND that you may already be compromised.  Patching DOES NOT make you "un-hacked!"  Patch, but also follow the guidance from CISA on determining if you are already hacked.

The vulnerabilities are listed here, each linking to the Microsoft security alert associated with the CVE.


Unfortunately, smaller organizations tend not to patch, and rogue organizations within large organizations often run their own Exchange servers rather than following guidance to centralize. In a presentation I did for the Merchant Risk Council back in September 2020, we talked about the fact that CISA had put out a critical alert related to Office 365, calling it a "Top 10 Routinely Exploited Vulnerability" as well as its own alert, CISA Alert AA20-120A.  In that talk, we also mentioned how Rapid7's Tom Sellers had warned about unpatched Exchange Servers.  Sellers was actually talking about the "Critical" Exchange Server bug CVE-2020-0688.  

In Rapid7's look at the data, "Phishing for SYSTEM on Microsoft Exchange (CVE 2020-0688)", originally published on 06APR2020, explained that a 24MAR2020 scan of the Internet found 357,629 vulnerable servers: 82.5% of the Exchange servers reachable from the public Internet were unpatched for a CRITICAL vulnerability with a patch available since 11FEB2020.  EIGHT MONTHS LATER, Rapid7 repeated the test, and still found that 61% of those servers were still online and still vulnerable!  Further, 31,000 servers had not been patched since 2012, and 800 servers had NEVER been patched!

What do you think the chances are that they suddenly became patch-conscious on 02MAR2021?

It is quite likely, in this author's opinion, that MOST Internet-facing Exchange servers have been compromised.  How do you test to see if you are one of them?  Read on ...

WHAT TO DO?  SEE IF YOU ARE HACKED!

The Cybersecurity and Infrastructure Security Agency, CISA, part of the Department of Homeland Security, has provided comprehensive information on how to detect the attack, including a nice guide on how to use FTK Imager to capture memory from your Exchange Server and where to look for evidence of being compromised.

Please thoroughly review their recommendations found as Alert AA21-062A.

Many of their indicators come from Volexity, who also shares a video explaining the attack in their blog post from 02MAR2021, "Operation Exchange Marauder."  It should be noted that neither of the IP addresses from FireEye are included on this list.

In addition to the CISA guidance, Microsoft has released a script which can be run on your Exchange Server to look for signs of being compromised.  Their script is described in their Hafnium Targeting Exchange Servers blog post, but a direct link to the script is: 

https://github.com/microsoft/CSS-Exchange/tree/main/Security

This script scans the HttpProxy logs, the Exchange logs, and the Windows Application event logs for signs of exploitation.  Hopefully the bad guys haven't WIPED the logs!
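Microsoft's script is the tool to run on the server itself. As an added example (not Microsoft's CSS-Exchange script and not code from the original post), the Python below does a much narrower offline check against only the indicators quoted above from FireEye: it hashes .aspx files under a directory and compares them with the UNC2640/UNC2643 MD5s, flags files whose names match the reported web shells even when their hash differs, and looks for the UNC2639/UNC2643 IP addresses in log lines. The log lines and file contents are constructed for the demo, and the one-IP-per-line log layout is a simplifying assumption, not the real HttpProxy log format.

```python
"""Offline IoC check for the FireEye indicators quoted in this post.
Added example: the sample log lines and files are constructed, and the log
layout (one client IP per line) is an assumption, not Exchange's real format.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# File hashes and IP addresses exactly as listed in the post (FireEye).
WEBSHELL_MD5 = {
    "4b3039cf227c611c45d2242d1228a121": "help.aspx (UNC2640)",
    "0fd9bffa49c76ee12e51e3b8ae0609ac": "iisstart.aspx (UNC2640)",
    "79eb217578bed4c250803bd573b10151": "Cobalt Strike Beacon (UNC2643)",
}
IOC_IPS = {
    "165.232.154.116": "UNC2639",
    "182.18.152.105": "UNC2639",
    "89.34.111.11": "UNC2643",
    "86.105.18.116": "UNC2643",
}
WEBSHELL_NAMES = {"help.aspx", "iisstart.aspx"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path, suffixes=(".aspx",)) -> list:
    """Return (path, match_kind, detail) for every hash or filename hit.
    A filename hit matters because a modified copy of a known web shell will
    not hash-match but is still worth a manual look."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        digest = md5_of_file(p)
        if digest in WEBSHELL_MD5:
            hits.append((str(p), "md5", WEBSHELL_MD5[digest]))
        elif p.name.lower() in WEBSHELL_NAMES:
            hits.append((str(p), "name", "filename matches a reported web shell"))
    return hits


def scan_log_lines(lines) -> list:
    """Return (line_no, ip, cluster) for every line containing an IoC IP."""
    found = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                found.append((n, ip, IOC_IPS[ip]))
    return found


# Constructed sample log lines (NOT real HttpProxy output).
SAMPLE_LOG = [
    "2021-03-02T10:14:55 10.0.0.5 GET /owa/auth/logon.aspx 200",
    "2021-03-02T10:15:02 165.232.154.116 POST /ecp/y.js 200",
    "2021-03-03T01:07:41 86.105.18.116 GET /owa/auth/help.aspx 200",
    "2021-03-03T01:09:00 192.168.1.20 GET /owa/ 302",
]


def demo(tmp_root=None) -> dict:
    """Write a constructed two-file tree and run both scans over it."""
    root = Path(tmp_root) if tmp_root else Path(tempfile.mkdtemp()) / "owa"
    root.mkdir(parents=True, exist_ok=True)
    # Constructed contents: help.aspx here is a harmless placeholder, so it
    # triggers the filename check but not the hash check.
    (root / "help.aspx").write_bytes(b'<%@ Page Language="C#" %>\r\n')
    (root / "logon.aspx").write_bytes(b"<html>normal page</html>")
    return {"files": scan_files(root), "log": scan_log_lines(SAMPLE_LOG)}


if __name__ == "__main__":
    result = demo()
    for item in result["files"]:
        print("FILE HIT", item)
    for item in result["log"]:
        print("LOG HIT ", item)
```

Point scan_files at the real Exchange virtual directories and scan_log_lines at real HttpProxy or IIS logs once you have adapted the IP extraction to their column layout; a hit from either check is a reason to preserve the evidence (CISA's memory-capture guidance above) before touching the box, not a reason to delete the file.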

Thursday, February 18, 2021

Mystery Shoppers Challenge Gift Card Warnings

 Have you ever seen those spam messages claiming they have a great job for you as a Mystery Shopper?  After seizing a check from a client (and then shredding it) a local bank let us check out the scam!  In this scam, a company claiming to be "Private Mart Auditors" says they have been contracted by WalMart to try to identify stores that are violating their policies by refusing to sell Gift Cards!  The project claims to actually be a partnership with the gift card companies themselves and the major retailers who sell them.


The criminals know that many companies have trained their personnel that if someone comes in and says "I'd like to buy $2,000 worth of Gift Cards!" they should ask probing questions to try to save someone from being scammed.  Some companies even have big signs on their registers, check-cashing terminals and gift card sales racks warning about scammers.  When we reviewed our Mystery Shopper instructions, we were told to validate our check by visiting their website ==> verifycheckatmet[.]org or verifycheckatbictoin[.]org.  (The instructions actually provide both URLs.)

What we learned at the website is that Wal-Mart's Audit Team had contracted our new employer to conduct an audit.  We were selected because some of the stores in our area were discouraging people from purchasing gift cards, despite the "Federal Reserve Global Campaign on Securities on Mobile Payments" requiring stores to encourage Gift Card purchases!


We wanted to proceed cautiously, so we validated each of the facts in our instructions just as they requested.  A few red flags came up, but these were easily explained by our new supervisor, Paul Newton.  Paul sends and receives texts from 574-777-6314 and uses the gmail account paulnewt005@gmail.com.  

First question -- why was this package, which claims to be from GNT Solutions at 5201 Thurman Way in Sacramento, California, being mailed through the US Postal Service from the Orlando, Florida area?

Second question -- if they are in Sacramento OR Orlando, why is the routing number on their check used exclusively for TD Bank branches in Maine?

Fortunately, we had an easy way to validate that OUR check was legitimate.  If we clicked the "Verify Cheque" button on the website, we could enter our name and check number.  If it was a valid check that had been issued by the company, it would instruct us to Proceed with Deposit.  If it was NOT a valid check it would tell us so, and instruct us what to do next.  So, we carefully entered our information: 

And ... we were in luck!  The check was totally valid!

According to our instructions, here's what we needed to do next:

1. Cash check or deposit at your Bank, then text your supervisor immediately via 574-777-6314 to receive further instructions.

2. Deduct your Salary $350 while you withdraw $2000 for your assignment.

3. Locate any 2 Wal-Mart stores near you.

4. Visit the first store and purchase 3 Wal-Mart gift card worth $400 each.

5. After purchasing the 3 cards successfully scratch each of the cards to reveal its code, take CLEAR pictures and send to your Supervisor on 574-777-6314.

6. Proceed to the second Wal-Mart store to purchase 2 cards worth $400 each, scratch each & take pictures to be sent to your supervisor.

7. With the help of your supervisor answer questions from the WAL-CARD AUDITORIA EVALUATION FORM then take a picture & send to your assigned grading personnel via email to paulnewt005@gmail.com 

8. Keep the cards safely as they will be used for your second assignment provided you meet the pass mark otherwise you will be mailing them back to an address to be provided by your supervisor.

9. We encourage giving back to the society as such the moment result is sent to email, you are to purchase a Cashier's Check worth $30 at your bank in the name KIDNEY FOUNDATION. After purchase text your supervisor for further instructions on the purchased Cashier's check.

If we pass our "grade" we might be able to become a Permanent Contract employee, where we would earn $450 per assignment and do 3-4 assignments each week!  If we do well with that, we might become a "WAL-CARD-AUDITORIA CONTRACT" employee!  Then we would earn $600 per assignment and could do MORE than four assignments a week!

Now, if you are an unemployed person due to Covid and someone gives you a clear path to earning $150,000 per year, might you be tempted?  Other than our Check, here are the instructions and the PMA Evaluation Form that were also in our US Postal Service Priority Mail package.  (Click for full-size)


The Website - and possibly related scams!

Of course we also wanted to look into that website!  We used the Zetalytics Zonecruncher tool to check it out.  The domain name was registered at Public Domain Registrar, which wasn't shocking.  The last APWG report showed that with the exception of cyber criminals' FAVORITE Registrar, NameCheap, PDR has recently been the second most common Registrar for BEC attacks, and this scam is definitely related, as we'll see.

APWG 4th Quarter 2020 Report

It is hosted at 67.220.184.146, and its nameservers, ns5.doveserver.com and ns6.doveserver.com are also located on 67.220.184.146 and .147.

ZoneCruncher data

One of my favorite things about ZoneCruncher's data is that it shows the "Start of Authority" record.  In this case it is telling us that the reseller to which this IP address space is assigned is "csf@smartweb.com.ng" 
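The reason the SOA record gives up a mailbox is that its RNAME field stores the responsible party's e-mail address encoded as a domain name: the first unescaped dot stands in for the "@", and any dots in the local part are escaped with a backslash. As an added example (not ZoneCruncher's code and not from the original post), the Python below parses a presentation-format SOA record and decodes that field. The record text is constructed to mirror the observation above (the contact decodes to csf@smartweb.com.ng); the zone name, primary nameserver, serial and timers are made-up values.

```python
"""Decode the responsible-party mailbox from a DNS SOA record.
Added example; the SAMPLE_SOA record below is constructed (only the contact
mailbox mirrors the post), and this is not ZoneCruncher's implementation.
"""
import re


def rname_to_email(rname: str) -> str:
    """RFC 1035 encodes the contact mailbox as a domain name: the first
    unescaped '.' separates local part and domain, and a literal '.' in the
    local part is escaped as '\\.' (john\\.doe.example.com -> john.doe@example.com)."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character, keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                            # first unescaped dot: the '@'
            domain = rname[i + 1:].rstrip(".")   # drop the trailing root dot
            return "".join(local) + "@" + domain
        local.append(ch)
        i += 1
    return "".join(local)   # no dot at all: not a valid mailbox form, return as-is


SOA_RE = re.compile(
    r"^(?P<zone>\S+) (?:\d+ )?IN SOA (?P<mname>\S+) (?P<rname>\S+) "
    r"(?P<serial>\d+) (?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)$"
)


def parse_soa(text: str) -> dict:
    """Parse a presentation-format SOA record (single or multi-line, with
    parentheses and ';' comments) into its fields plus the decoded contact."""
    flat = re.sub(r";[^\n]*", "", text)                  # strip comments
    flat = flat.replace("(", " ").replace(")", " ")      # multi-line form
    flat = re.sub(r"\s+", " ", flat).strip()             # collapse whitespace
    m = SOA_RE.match(flat)
    if not m:
        raise ValueError(f"not an SOA record: {text!r}")
    rec = m.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        rec[key] = int(rec[key])
    rec["contact"] = rname_to_email(rec["rname"])
    return rec


# Constructed record: zone, MNAME, serial and timers are made up for the demo.
SAMPLE_SOA = """184.220.67.in-addr.arpa. 3600 IN SOA ns5.doveserver.com. csf.smartweb.com.ng. (
        2021021701 ; serial
        86400      ; refresh
        7200       ; retry
        3600000    ; expire
        86400 )    ; minimum"""


if __name__ == "__main__":
    rec = parse_soa(SAMPLE_SOA)
    print(f"zone {rec['zone']}  primary NS {rec['mname']}  contact {rec['contact']}  serial {rec['serial']}")
```

To run this against live data, feed parse_soa the text output of a `dig SOA` query for the domain or for the reverse zone of the hosting address; the decoded contact is a lead to pivot on (other zones with the same RNAME), not proof of who operates the scam.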

One of the most common West African scams, besides the shipping of counterfeit checks, is various "delivery" scams.  These started with the earliest Nigerian Prince scams, but more frequently today involve a package of value (a box of diamonds, for example) that a soldier finds overseas and wants to ship to you to sell and split the profits.  Other times it is a "pet delivery" scam, where you anticipate having a pet shipped to you and the pet gets caught up in shipping.  As anticipated, we had plenty of these on this IP address.

One of the things that all of these sites have in common is a "TRACK Your Package" option.  This is where the scammers match pre-assigned tracking numbers to various conditions which require your payment to break a shipment free.  Pets may be "quarantine hold in customs" or valuables may be "inspection hold in customs."  Your scammer will send the website address with a tracking number so that you can look up "proof" of the situation.
  • https://regalcourierservice[.]com/track/
  • http://cargoexpedite[.]com/tracking.php
  • https://submarinecourierservice[.]com/track-your-shipment.php
  • https://www.safecargoeslogistics[.]com/?page_id=3731
Often you can find many websites with identical content but a different company name. Also a red flag.  For example:

http://ftcouriercompany[.]com/about.html (hosted on "our" IP address)
http://logitrex[.]net/about.html (hosted on 104.194.9.169, which leads to a whole new cluster of badness): 
==> https://wpsdelivery[.]com/
==> https://nexaglobalexp[.]com/tracking.html 
==> https://aimsair-ways[.]com/
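Spotting "same page, different company name" by eye works for a handful of sites; across a whole hosting cluster it helps to measure it. As an added example (not from the original post), the Python below masks each site's own brand strings, breaks the text into word shingles and scores pairs by Jaccard similarity, so two cloned "about" pages score near 1.0 while an unrelated page scores near 0. The three texts are constructed stand-ins written for the demo, not copies of the sites listed above, and the threshold is a starting point to tune.

```python
"""Cluster web pages that share a template but differ only in company name.
Added example; the PAGES texts are constructed, not scraped from the sites
named in the post.
"""
import re
from typing import Iterable


def normalize(text: str, names: Iterable[str]) -> list:
    """Lower-case, replace the site's own brand strings and any URLs with
    placeholders, and split into word tokens."""
    t = text.lower()
    for name in names:
        t = re.sub(re.escape(name.lower()), " brand ", t)
    t = re.sub(r"https?://\S+", " url ", t)
    return re.findall(r"[a-z0-9]+", t)


def shingles(tokens: list, k: int = 4) -> set:
    """Set of k-word windows; word-level shingles survive small edits."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(a: str, a_names, b: str, b_names, k: int = 4) -> float:
    """Jaccard similarity of the two pages' shingle sets after brand masking."""
    sa = shingles(normalize(a, a_names), k)
    sb = shingles(normalize(b, b_names), k)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def cluster_clones(pages: dict, names: dict, threshold: float = 0.7) -> list:
    """Return (id_a, id_b, score) for every pair at or above the threshold."""
    ids = sorted(pages)
    pairs = []
    for i, x in enumerate(ids):
        for y in ids[i + 1:]:
            s = similarity(pages[x], names[x], pages[y], names[y])
            if s >= threshold:
                pairs.append((x, y, round(s, 2)))
    return pairs


# Constructed sample "about" texts: two share a template, one is unrelated.
PAGES = {
    "siteA": ("Welcome to FT Courier Company. FT Courier Company is a leading global "
              "logistics provider offering door to door delivery, customs clearance and "
              "real time tracking of your shipment. Our mission at FT Courier Company "
              "is to deliver your package safely."),
    "siteB": ("Welcome to Logitrex Express. Logitrex Express is a leading global "
              "logistics provider offering door to door delivery, customs clearance and "
              "real time tracking of your shipment. Our mission at Logitrex Express "
              "is to deliver your package safely."),
    "siteC": ("Our bakery has served fresh bread and pastries to the neighbourhood "
              "since 1982, baking every morning with locally milled flour."),
}
NAMES = {
    "siteA": ["FT Courier Company"],
    "siteB": ["Logitrex Express"],
    "siteC": ["Corner Bakery"],
}


if __name__ == "__main__":
    for x, y, score in cluster_clones(PAGES, NAMES):
        print(f"{x} and {y} look like the same template (score {score})")
```

In practice the brand list for each site comes from its domain name and the title tag, and the pages come from a crawler; the point of masking first is that the only thing the scammer changes between clones is the name, so that is exactly what the comparison should ignore.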

But then we hit a gold mine!  The complete Soldier Romance Scam Support site!  (but that's the next blog post ...)

The Complete Soldier Romance Scam Support Site

 Yesterday we were reviewing a Work From Home "Mystery Shopper" scam, and ended by pointing out some of the scam shipping companies hosted on the same IP address.  But still on our same IP address, we hit a gold mine!  The complete Romance Scam with an Imaginary Soldier support site!  The webpage is: usmdept.com ... you know? the US Military Department?


This website has EVERYTHING an imaginary soldier might need in order to extract funds from his Romance Scam victim!

Let's start with the basics.  Do you love your soldier? At great risk to themselves, you can have a care package deployed, even into a combat zone!  If you REALLY love your soldier, you'll choose the $1700 Premium Care Package. (but if you're cheap, the $800 Mini Care package and the $1200 Airbourne Care Package are also available.)  What? He didn't get it? Do you have a Tracking Number? It's probably been held up in customs ...

https://usmdept.com/care-package/

Next, you'll want to chat with your soldier, right?  Because he is deployed on a Top Secret Mission, that's only possible if you purchase a Communication Permit.  You can buy Communication Permit cards ranging from the "Military Small Card" for $680 all the way up to the "Military Large Global Card" for $1150!


Of course, what you REALLY want is to have your soldier boyfriend or girlfriend come home and visit you, right?  Fortunately, there are several leave options available, including 3-week, 4-week, 2-month, and 6-month (Honeymoon Leave) durations.  "The above leave Duration are made available for you to choose and after you choose we would tell you the fee involved. ... The reasons of payment for emergency leave Application is to assist the USA military authority in replacement expenses and supporting of troops coming to take over duties for anyone going on emergency leave ... ensuring that our troops are protected and allowed to judiciously make use of their times for reasons they have applied and paid for."

Under the old military system, if a soldier refused to take a deployment to an area where they may be killed, they were just kicked out.  Good News!  "This policy has been mauled and we've been directed by the Department of Defense to bring forth the Deployment Declination option. ... Unfortunately, a deployed soldier is ineligible to apply ... Only a loved one, family, child, fiance, sibling, or close friend is eligible to apply." 



But wait, you thought that would be free?  "after the DOD spending weeks, even months, preparing for the mission, putting everything in place, setting all up having you in mind, the wasted resources and finances already made, because of this a fee is attached for the declination form to be processed and accepted." Just email support@usamilitarysupport.com to get the process started.



The real goal of having an Imaginary Soldier Boyfriend or Girlfriend is marriage though, right?  Good News!  That is TOTALLY OK with the US Military Department of Scammers!

Although, "There are also rules on who can receive a military ID card and military benefits. To receive a military ID card and benefits, including health care, a military spouse must be legally married to the service member. The military does not recognize common law marriage or engagements.  Registering a spouse for benefits has its fee."  Just click "Contact Us" and the scammers will gladly walk you through the process of getting a MILITARY Marriage License, based entirely on how much money they think you might have, of course.



Although it should not be necessary, if you really need your Imaginary Soldier to resign from the military, that is possible as well.  Doing so, however, "attracts a one time fee, which will be needed to process the request."  As with declination of deployment, "only a loved one ... is eligible to apply."


While this is the first time that *I* saw a site like this, as usual, FireFly and the experts at ScamSurvivors.com had already seen the pattern.  A great post there which talks about a previous or similar version of this site from August 2020 is here on her forum ==> Article: US Military Welfare - usamilitarywelfare.com