Saturday, May 02, 2009

University Spammers, the Shah brothers, arrested

Congratulations to the Assistant US Attorney for Western Missouri, Matthew Wolesky, and the FBI investigators who have arrested and indicted the Shah brothers! The news was released in a Kansas City FBI Press Release on April 29th.

Amir Ahmad Shah, 28, and his brother, Osmaan Ahmad Shah along with their business, I2O, Inc, and their co-collaborators Liu Guang Ming of China, and Paul Zucker, 55, of New Jersey were named in the 51-count indictment.

Both Amir Shah and Osmaan Shah are listed as "Experts" on the entrepreneur site "The Rise To The Top", which provides "Entrepreneurship Education for Young Entrepreneurs". (Any guesses on whether they will still be there by Monday? haha! Just in case, I've taken screen shots for you here.)

original URL: http://www.therisetothetop.com/guest-expert-profile.php?id=22

original URL: http://www.therisetothetop.com/guest-expert-profile.php?id=24

According to "CrunchBase", Osmaan Shah received his BS in Finance & Banking in 2006, and his MBA in 2009, both from the University of Missouri. His profile says:

Osmaan Shah is the co-founder and lead software developer of Noog. In his 7+ years of development experience, he exhibits a passion for dynamic front-end web design (javascript, AJAX/Comet). He specializes in the incubation of creative new products and online portals targeted towards students and young retail consumers. Mr. Shah is also a Director and co-founder of VistaClick where he serves as the online marketing campaign manager.


Amir Shah's company is VistaClick.


(Original URL: http://www.vistaclick.com)

VistaClick's website describes an Affiliate Program where you could become one of their 17,000 "registered campus affiliates".

I wasn't able to pull the indictment from Pacer myself, as the "CM/ECF System for the Western District of Missouri is currently down for maintenance" (sigh), but someone else had already posted it online. (See indictment for case mowdce 4:2009cr00141, courtesy of Columbia Daily Tribune).

Here's what we can glean from the 59 page indictment:

First, the charges, which are all applied to the Shah brothers and to I2O, Inc. Liu Guang Ming and Paul Zucker are included in charges 1, 7-16, and 43-51.

Count One: 18 USC § 371 (Conspiracy), a Class D Felony, with possible sentence not more than 5 years with not more than $250,000 fine.

Counts Two through Six: 18 USC § 1030(a)(2) (Fraud in Connection with Computers), a Class C Felony, with possible sentence not more than 5 years with not more than $250,000 fine.

Count Seven: 18 USC § 1030(a)(5) (Fraud in Connection with Computers), a Class C Felony, with possible sentence not more than 10 years with not more than $250,000 fine.

Counts Eight through Sixteen: 18 USC § 1037(a)(1) (Fraud in Connection with Email), a Class E Felony, not more than 3 years, with not more than $250,000 fine.

Counts Seventeen through Forty-Two: 18 USC § 1037(a)(2) (Fraud in Connection with Email), not more than 3 years, with not more than $250,000 fine.

Counts Forty-Three through Fifty-One: 18 USC § 1037(a)(3) (Fraud in Connection with Email)

In the indictment, the defendants are said to have developed an email-harvesting program and used the program to harvest email addresses from the University of Missouri and over two thousand other United States universities and colleges. The defendants then used this database, which included more than 8 million email addresses, to send email messages advertising products that were specifically targeted to college students. The indictment covers thirty-one separate spam campaigns sent using this database.

The emails would claim to be sent from their local "campus representatives", and would often refer to the company as being "alumni-owned" in an attempt to make recipients believe their use of the advertised service would somehow benefit their alma mater or its graduates.

Many of the emails were sent from an "Offshore Bullet Proof Hosting" company located in China. Their emailing software falsified email header information and rotated the subject lines, reply-to addresses, message contents, and advertised URLs in an attempt to bypass spam filters. They also used false information when registering domain names.

Even after being investigated, with search warrants served on their homes and business over spam targeted at University of Missouri students, the spammers' only response was to stop sending email to the addresses harvested from the University of Missouri.

The defendants would register as many as sixty unique domain names for a single spam campaign, all pointing at identical content. They also started a social networking site called "noog.com" which also was advertised by spam. More than $4.1 million in product sales came from the defendants' spam campaigns. They attempted to conceal their earnings both through real estate purchases and sending large sums of money out of country.
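The evasion described in the two paragraphs above (falsified headers, rotated subjects, reply-to addresses and landing URLs, and up to sixty domains per campaign all serving identical content) is exactly what clustering by body template defeats: the spammer changes everything around the pitch, but the pitch itself is the same text every time. The following is an added example, not code from this post or from the indictment. It parses a handful of constructed messages with Python's standard email module, hashes each body with URLs, numbers, case and whitespace normalised away, and groups the messages by that fingerprint, collecting the rotated subjects, reply-to addresses, landing domains and last-hop IPs per group. The sample domain names are taken from the list of domains later in this post; the sender hostnames, IP addresses and message text are made up for the example.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from email.policy import default as EMAIL_POLICY
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IPV4_IN_BRACKETS_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages for this example, not mail from the case. Messages
# 1-3 are one lure with rotated Subject, Reply-To, discount figure and landing
# domain; message 4 is a different lure and should land in its own group.
# Header lines start at column 0 because leading whitespace means header folding.
RAW_MESSAGES = [
"""From: Campus Rep <rep@whiteningtoday.com>
Reply-To: offers@whiteningtoday.com
Subject: Campus Teeth Whitening Special
Received: from relay1.hosting.example.cn ([203.0.113.10]) by mx.university.example

Alumni-owned companies offer specials to our students and faculty each year.
This month our campus gets 60% off custom-fitted teeth whitening systems.
Visit http://www.whiteningtoday.com/h/3189094 before the offer ends next week.
""",
"""From: Student Representative <rep@whiteningnow.com>
Reply-To: info@whiteningnow.com
Subject: Alumni Discount for Students and Faculty
Received: from relay1.hosting.example.cn ([203.0.113.10]) by mx.university.example

Alumni-owned companies offer specials to our students and faculty each year.
This month our campus gets 65% off custom-fitted teeth whitening systems.
Visit http://whiteningnow.com/h/55 before the offer ends
next week.
""",
"""From: Your Campus Rep <rep@discoverwhitening.com>
Reply-To: campus@discoverwhitening.com
Subject: Special Offer This Month Only
Received: from relay2.hosting.example.cn ([203.0.113.11]) by mx.university.example

Alumni-owned companies offer specials to our students and faculty each year.
This month our campus gets 60% off custom-fitted teeth whitening systems.
Visit http://www.discoverwhitening.com/go/7 before the offer ends next week.
""",
"""From: Jenna <jenna@campusipods.com>
Reply-To: jenna@campusipods.com
Subject: Student/Faculty Discount
Received: from relay2.hosting.example.cn ([203.0.113.11]) by mx.university.example

Several alumni-owned companies have acquired a small quantity of iPods for our
students and faculty. Order at http://www.campusipods.com/h/9 before it expires.
""",
]


def registrable_domain(url):
    """Hostname with a leading 'www.' dropped. A simplification: a real tool
    would reduce to the registrable domain with the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def template_fingerprint(body):
    """Hash of the body with the parts a spammer rotates normalised away:
    case, URLs, numbers and whitespace. Messages built from one template get
    the same fingerprint no matter which landing domain they advertise."""
    text = URL_RE.sub("<url>", body.lower())
    text = re.sub(r"\d+", "#", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def cluster_by_template(raw_messages):
    """Group raw RFC 5322 messages by body template and collect, per group,
    the header fields and infrastructure that vary across the campaign."""
    clusters = defaultdict(lambda: {"count": 0, "subjects": set(), "reply_tos": set(),
                                    "domains": set(), "sender_ips": set()})
    for raw in raw_messages:
        msg = message_from_string(raw, policy=EMAIL_POLICY)
        body = msg.get_body(preferencelist=("plain",)).get_content()
        entry = clusters[template_fingerprint(body)]
        entry["count"] += 1
        entry["subjects"].add(str(msg["Subject"] or ""))
        entry["reply_tos"].add(str(msg["Reply-To"] or ""))
        entry["domains"].update(registrable_domain(u) for u in URL_RE.findall(body))
        # The Received lines are where the sending host shows up; the bracketed
        # address in the last hop is the IP the campus MX accepted the mail from.
        for received in msg.get_all("Received", []):
            match = IPV4_IN_BRACKETS_RE.search(str(received))
            if match:
                entry["sender_ips"].add(match.group(1))
    return dict(clusters)


def summarize(clusters):
    """Largest cluster first, with sets turned into sorted lists."""
    rows = []
    for fp, entry in clusters.items():
        row = {"fingerprint": fp, "count": entry["count"]}
        for key in ("subjects", "reply_tos", "domains", "sender_ips"):
            row[key] = sorted(entry[key])
        rows.append(row)
    return sorted(rows, key=lambda r: (-r["count"], r["fingerprint"]))


if __name__ == "__main__":
    for row in summarize(cluster_by_template(RAW_MESSAGES)):
        print(f"{row['fingerprint']} x{row['count']} domains={row['domains']} ips={row['sender_ips']}")
```

Run as-is, the three teeth-whitening messages collapse into one group that lists three subjects, three reply-to addresses, three landing domains and two sending IPs, while the iPod message stands alone. Against a real mail stream the same grouping is what turns "sixty domains for one campaign" from an evasion into an indicator: every domain that appears in a group is a candidate for the blocklist, and the Received IPs point at the hosting. The per-word hashing here is deliberately strict; templates that also rotate individual words would need a fuzzier comparison (for example word shingles), and the 'www.'-stripping stands in for proper Public Suffix List handling.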

In a useful part of the indictment that might be copied by others, definitions for the following terms are provided:
Addresses
Botnet
Domain
Domain name
Domain name service
Email harvesting
Email header
Instant messaging
Internet
Internet Protocol address (IP address)
Internet service provider (ISP)
Mail server
Name server
Proxy server
Realtime Blackhole List (RBL)
Server
Spam filter
Viruses
Website
Web Host

Here's how the roles of the defendants are described:

Amir Ahmad Shah - the co-owner and president of I2O, Inc. - the overall leader of the spam operations and the "idea guy".

Osmaan Ahmad Shah - the co-owner of I2O, Inc - the Chief Operating Officer and the "computer guy" in the partnership. He created the email extractors, administered and designed the websites, and dealt with other programming and implementation matters.

Liu Guang Ming - rented forty servers under his control in China to host websites, send spam, and search for proxies that could be used for sending spam.

Paul Fredric Zucker - a spammer who purchased proxies from the Shahs, and at other times sold proxies to the Shahs. He also leased space from Ming.

Several other unindicted and unnamed co-conspirators are mentioned, including a family member who ran "VistaClick Pakistan" for the Shahs.

Other companies in the conspiracy were DirectPO, VistaClick, Funding Junction, Veridio, OIBA, Textbook Registry, and Your City Development.

The Shahs began their operation "in or before 2001" by harvesting student email addresses. They began working with Ming in or before 2002, conducting conversations via AOL Instant Messenger. The ad they responded to read:


Servers are located in China and run by some of their largest ISPs. Our tech support team manages servers around the clock with constant contact from China to US. We have several sites sending millions of emails per day. Unlike other hosts, you will NOT need to switch domain names or experience periods of downtime. Our uptime guarantee is 90%. If you are serious about bulk mailing, you have come to the right place.


I was able to find a copy of a post by "AMIR SHAH" back on October 11, 2002, advertising "BULLET PROOF CHINA HOSTING" on this URL on sidetrak.com as an example.

In that ad, Amir offers to send messages for $30 per million emails sent. He used the AOL instant messenger id "rulubos@aol.com".

Amir Shah also had a twitter account with that same identity, rulubos. He hasn't posted anything there since January 5th, 2009, when his last post was "looking at twitter and wondering if I should just incorporate this feature into Noog."

Amir follows Jianxiong Song. Hmmm... let's look at some more twitter links... Jianxiong is following WaqasShah, whose last twitter post is "WaqasShah is relieved", posted on April 24th. WaqasShah follows noog_com, who was testing bloog mobile, according to their last twitter on April 17th. Noog has an interesting group of Venture Capitalists that he follows, but I won't list them here.

OK, back to the indictment.

In chat logs found on the computers, Zucker trains O. Shah in the art of spamming, and they communicate about how many proxies they would need to send 2 million emails, being disappointed with a rate of only 110,000 per hour. O. Shah later tells Zucker (July 14, 2003) that he can now send 1 million emails per hour with a 65% delivery rate (unblocked/unfiltered). Later, O. Shah tells his brother A. Shah that by plugging directly into the University of Missouri Columbia network "with a cable not using the wireless" he can send 2 million spam messages per hour from the school.

Search warrants were served against the Shah residence in Columbia, Missouri and their business address, also in Columbia, on February 23, 2005. Investigators found more than 3 million student email addresses harvested in 2002, 5 million harvested in 2003, and 37.5 million AOL email addresses, 33.7 million MSN addresses, 10.8 million Hotmail addresses, 5.2 million Yahoo addresses, and more than 4 million United Kingdom email addresses.

The indictment shows that the crew was identifying a ridiculous number of proxy servers through which they could "bounce mail". For a price of $75 per week, Zucker was able to provide them "1500-2500 proxies twice a day". Earlier, the transaction had gone the other way: Shah provided a list of 45,000 proxies to Zucker and was paid for his services via PayPal.

Zucker communicated with O. Shah about how to obtain and use the software program "Dark Mailer", and sent Shah a copy of the program on February 3, 2005. They also used the programs Supermailer and "Group Mail".

Bank records showed that the Shahs transferred more than $30,000 to Ming for hosting services.

Other chats showed the brothers discussing ways to make money. For example, they sent spam for a "teeth whitening" service, where they received a commission for successful sales. One of the brothers said "if we need to mail a million or two to get 10,000 kids...then so be it...who cares."

Here's an example of their teeth-whitening emails, from April 1, 2004, which illustrates how the Shah brothers took advantage of students' trust in their university relationships:

"Each year, several alumni-owned companies offer various specials to our students and faculty. This month, the university has been offered a special discount on custom fitted teeth whitening systems. Alumni-owned, Custom Bright, Inc., is offering its products to students and faculty at significant discounts all this month. We encourage you to visit their website and take advantage of this alumni offer."

This continued all the way through 2009, with messages like this one, sent March 1, 2009:

"As many of you may be aware, our campus has been offered a special discount on professional custom-fitted teeth whitening systems from a company run by our very own alumni. There will be several campus representatives (like myself) giving out more information over the next 2 weeks."

The brothers discussed having "a more forceful message" to encourage registration in a particular textbook system they were spamming:

"With higher tuition and course material costs, we are working to find new ways of saving students money. This semester, we have implemented a new textbook buyback program that will get students better payouts at the semester ending buyback and may also increase used textbook availability. You MUST complete your registration before the end of this week if you wish to be eligible for this semester's buyback."

Other campaigns that used similar spam sold Digital Cameras, iPods, NCAA Basketball merchandise, and Magazine subscriptions.

Some of the many domain names they used:

surveyproject.org
surveydirect.org
campuschange.org
whiteningtoday.com
whiteningnow.com
discoverwhitening.com
myschoolipods.com
studentipods.com
campusipods.com
semestersavings.com
semesterdiscounts.com
saveatcollege.com
collegedecember.com
estudentoffers.com
mycollegedeals.com
collegefuture.com
campusfuture.com
campusinput.com
whiteningservices.com
whiteningovernight.com
whiteninglabs.com
mycampusnanos.com
campusnanos.com
schoolipods.com

The full indictment gives date ranges for these and many other domain names.

Some of the purchases the Shah brothers made include:

a home in Columbia - $191,123.

a luxury loft in St. Louis - $251,861.

paying off a house in St. Louis - $33,698.

a downpayment on a Lexus sedan - $8,800.

The forfeiture of any assets, up to a total of $4,191,966.57 is also requested, which will come from several bank accounts, and the sale of properties at:

1301 Fieldcrest, Columbia, MO
1520 Washington Avenue, Unit #301, St. Louis, MO
a parking space (?)
5417 Idaho Avenue, St. Louis, MO

a 2002 Lexus (Missouri plate: CA9R6B)
a 2001 BMW (Missouri plate: 391ZEP)

Update

Apparently the Shah brothers indictment has shared with other spammers some good tips on this type of spam. Here's a message that one of my students at UAB received on April 30, 2009:

_____________________________________
From: Jenna T. [jenna@OverstockApple.com]
Sent: Thursday, April 30, 2009 2:20 AM
To: (name of my student)
Subject: Student/Faculty Discount

Dear Students/Faculty,

As you may have heard, several alumni-owned companies have teamed up to sponsor a campus-wide gift for our students and faculty. Working with Apple, they have acquired a small quantity of the new iPod Nano Chrome. This limited supply has now been made available to students and faculty at a significant discount. If you were at all interested in getting one of these iPods with this educational discount, please be sure to place your order online before this offer expires NEXT WEEK.

http://www.OverstockApple.com/h/3189094

Have a great summer!

Jenna T.
OverstockApple.com Student Representative



Have you seen a recent spam (after April 24th) from this group, pretending to be offering a discount for products from an "alumni-owned company"? If you can send it to me WITH HEADERS, I'd very much like to see it. Send it to: alumnispam@askgar.com
