Sunday, July 18, 2010

The Future of Cyber Attack Attribution

On July 15th, the US House of Representatives' Committee on Science and Technology's Subcommittee on Technology & Innovation held a hearing called Planning for the Future of Cyber Attack Attribution.

I was drawn to the topic, having a great deal of experience with the puzzles of finding bad guys on the Internet who need badly to spend some time deprived of freedom as a consequence for their actions. Unfortunately, the hearings really stressed the problem that using technology to make attribution certain creates human rights issues around the globe. Conversely, the creation of privacy tools can grant bullet-proof privacy to child pornographers, terrorists, and cyber criminals.

Finding almost no mention of this hearing in any media source, I wanted to at least give a brief outline of what happened.

Chairman David Wu, an advocate for cybersecurity, and co-author of the excellent Cybersecurity Enhancement Act of 2010, made the Opening Statement to kick off the hearings, putting this hearing in context in the overall series of hearings on cyber threats that have been held over the past two years. Wu said that "Now more than ever, we need to be focused on the development of tools and technologies to prevent, detect, and respond to cyber attacks." Wu went on to say that one method of deterrence, the focus of the hearings on this day, was "the ability to attribute an attack to a particular person, party, or system" and that this could be "vital to defending against cyber attack." The desire for attribution though was tempered by a reminder that Chairman Wu was "personally very concerned about the potential implications to privacy and internet freedom posed by attribution technologies."

Mr. Wu had to apologize for the lack of attendance by his committee, but ensured the panelists that the full committee will have read their written testimony, although at least one attending member admitted he had "browsed through" their testimony and "read some of it." It seems that only seven Congressmen were able to attend.

Each of the four witnesses below had been given four questions to answer in their written testimony:

Q1: As has been stated by many experts, deterrence is a productive way to prevent physical attacks. How can attack attribution play a role in deterring cyber attacks?

Q2: What are the proper roles of both the government and private industry in developing and improving attack attribution capabilities? What R&D is needed to address capability gaps in attack attribution and who should be responsible for completing that R&D?

Q3: What are the distinguishing factors between anonymity and privacy? How should we account for both in the development and use of attribution technologies?

Q4: Is there a need for standards in the development and implementation of attack attribution technologies? Is there a specific need for privacy standards and if so, what should be the government’s role in the development of these standards?



The video of the spoken testimony and Q&A is available. I encourage interested parties to avail themselves of the video and the written testimony. The notes below are my personal "sketchy" notes as I tried to reduce an hour of video and 150 pages or so of testimony into a blog entry.

The witnesses for the hearing were each given five minutes to make an opening statement. I took a few notes below, but would again recommend interested parties to the originals:

Dr. David A. Wheeler

- the Institute for Defense Analyses: Information Technology and Systems Division - I have to say that Wheeler's written "testimony" was quite disappointing. Introduced into a Senate hearing in 2010 is Wheeler's 85 page DARPA paper for the "Defense-Wide Information Assurance Program" called "Techniques for Cyber Attack Attribution", which was an excellent, thorough, and timely report, when it was authored in October of 2003. While it does provide a nice framework for possible forms of attribution, the paper is about fifty years old in "Internet years", making the relevance of much of the paper questionable. It was the only one of the four responses that actually talked about what could be done technologically with attribution, but most of the papers cited as references are from the late 90s or early 2000s, including things like Staniford-Chen's work from 1995, Stefan Savage's work from 2000 on "IP Network Traceback", and Jelena Mirkovic and Dave Dittrich writing about DDOS attacks in 2001. Good stuff, but quite dated.

The paper in fact specifically excuses itself from addressing nearly every modern form of cyber attack when it declares (p. 20 of the testimony):

This paper does not cover identifying or locating people who are not DIRECTLY ATTACKING the defender.


So, if they are attacking via a botnet, via a proxy, via malware already installed in the attacking organization, this paper doesn't address any of that. It also excludes itself from social engineering, determining HOW an attacker attacked. Another useful feature of this particular "testimony" is that most of the URLs referenced in the paper don't work. Nice.

Dr. Wheeler began his spoken testimony by cautioning about 4th amendment protection from "unreasonable search". One point he made was that if we cannot make attribution, then there is no chance of making a successful counter-attack, either over the network or using a "kinetic attack."

Mr. Robert Knake

- International Affairs Fellow at the Council on Foreign Relations. Mr. Knake started his spoken testimony by saying that the problem of attribution is "largely overstated", and went on to say that no more than 100 groups, and possibly as few as FOUR possess the capability to cause "real world" harm through cyber attacks.

Knake suggests that labeling all packets with a so-called "Internet license plate" would be more useful for authoritative regimes to deny their citizens any anonymity or freedom of speech, while criminals would probably find a way to work around these identifying mechanisms. He also gives the current example from China that even when we positively identify the attacking system, the owner of the system, or in this case the Chinese government, can say that while the attack traffic originated on that system, it was probably a case of that system having poor security itself and being used as a proxy. Because of the lack of our ability to overcome these doubts, attribution will likely never reach a level where a kinetic counter-attack can be justified.

Mr. Knake's Written Testimony contained one fairly interesting graphic, which I share here:



Mr. Knake's written testimony asks three main questions:

- what degree of certainty in attribution is necessary to take action?
- what would that action look like?
- how will we make potential adversaries understand the answer to those questions - because if they don't understand, they will not be deterred!

He goes on to discuss espionage, crime, terrorism, and the fact that you can't actually LEGISLATE this successfully, mentioning that the CAN-SPAM act made it a law that email marketers are required to "attribute" emails to themselves, yet 9 of every 10 emails on the Internet do not do so!


Mr. Ed Giorgio

- President and Co-Founder of Ponte Technologies - Mr Giorgio's testimony spoke of the need for Internet users to be allowed to create as many identities as they like, with some certificates positively identifying the real user, while other certificates guaranteed their anonymity or privacy. Mr. Giorgio said that a "trusted third party" would have to take the role of assigning these certificates, as government had so far not demonstrated the capability to do so in a trustworthy manner.

Mr. Giorgio's Written Testimony specifically mentions a number of threats:
whether it is the Chinese stealing our American innovations to produce less expensive versions, the Russians engaging in financial crimes, the Israelis' stealing our political intentions, the French stealing our competition-sensitive materials, the Nigerians conning our elderly, and so on.

He then goes on to mention that reference to foreign threats has been used in the past to justify "gross violations of domestic civil liberties" and warns that we must be cautious in this area of "dangerous constitutional grounds."

After answering the four questions, stressing the fear of government control, in an Appendix, Mr. Giorgio describes a "New Privacy Standards Framework". Remember "Alice and Bob" from crypto talks? In the new Privacy Standard we have a buyer, Bob, and a search agent, Goliath. Could Goliath = Google, Mr. Giorgio? The Framework was an interesting read, although it actually answered the opposite of what the committee was asking. It answers "how can individuals have their privacy protected?" when the question at hand was "how can we attribute attack traffic to its origins?"

Mr. Marc Rotenberg

- President of the Electronic Privacy Information Center - spoke of the fact that China has the most rigorous attribution capabilities, including a requirement that Internet users provide their true names, email addresses, and a list of news sources from which they receive information. Chinese ISPs are required to keep logs of all their activities, and Cyber cafes are required to log activities for sixty days of all users within their cafe. ".cn" domain owners have to provide both their real name and a photograph to create a domain name. "There is a real risk that attribution techniques will be used not for purposes of cyber security but in ways that have a real impact on human rights and freedom of expression. What attribution also does is make people think twice before saying something controversial. In the United States we have a strong constitutional right to speak anonymously," which Rotenburg says came from the use of anonymity in the publication of the Federalist Papers by our founding fathers.

I have to say that Mr. Rotenberg's written testimony was extremely well researched and had a fantastic list of eighty very current references, especially with great insights into China's censorship and monitoring activities. I found myself reading quite a few great papers that I hadn't seen previously as I followed the excellent footnotes prepared by EPIC's legal staff.



Q&A


Mr. Wu began the Q&A by saying that "as is often the case, when there are two flies flying in the Grand Canyon, they collide," apologizing that he had to go vote on another committee and would have to leave his own hearing. He also greeted "Russia Today" who was covering the committee hearings despite the absence of interest from American media.

Question from Chairman Wu: The role of Deterrence and Attribution may be over-stated. Comments?

Mr. Rotenberg - for non-state actors, attribution outside the US would be very difficult, and response may be very difficult for reasons of national sovereignty.

Mr. Giorgio mentions that even if we can't identify the PERSON at the keyboard, it is often enough to be able to block the COMPUTER at the other end in order to disrupt an attack.

Dr. Wheeler mentions that there is value to attribution, but there are serious limitations to attribution including delayed and intermediary attacks. Attribution should only be part of a larger strategy.

Mr. Knake - our strategy for preventing terrorism in the USA focuses on prevention, protection, and resiliency rather than deterring particular cyber actors. In many cases we do not lack attribution, we lack response options. Even when we know who the attacker is, we are limited in our ability to act. Whether they are Chinese national actors, Russian cyber criminals, or Nigerian scammers, knowing the identity of the attacker does not actually assist in having a means of acting.

Question from Chairman Wu - specifically to Mr. Giorgio - if we built attribution into the backbone of the Internet, we would be limiting privacy options.

All panelists agreed that anonymity was important. One speaker talked about the current noise about Blizzard requiring true identities for World of Warcraft players. Mr. Knake talks about the need for the government to actually step in and require Internet companies to disclose how they use personally identifiable information in the form of cookies and other information to target the internet user with customized advertising.

Ranking Member Smith asked the question "What are our current methods of being able to trace attacks?"

Dr. Wheeler mentions that there are many ways of doing so (in his written testimony, he had 17 categories of methods of identifying an attacker, and he states that surely there are more since then.)

Congressman Chris Smith then asked "if attribution is futile, what are our other methods to defend ourselves?"

Congresswoman Donna Edwards asked about the balance between Privacy and Attribution, specifically asking about internet cookies.

Congressman Dana Rohrabacher asked about the capability for "automatic counter attack" to be developed, and was warned off of the subject by multiple replies, stating that actually some forms of attack may be generated specifically to cause MIS-attribution in the hopes that a counter attack may be launched against a wrongful target.

In response to another question from Mr. Rohrabacher, Mr. Knake went back to a point that was well-articulated in his written testimony. He gave the example of the Taliban in Afghanistan, and pointed out that the warning we gave the Taliban after 9/11 was that if terrorist activities occurred from their soil, we would hold them responsible for refusing to cooperate with identifying and bringing to justice the criminals and terrorists they were protecting. In a similar way, Mr. Knake suggests that we have to hold foreign countries responsible when they thwart our abilities to identify various forms of cyber attackers in their countries.

Congresswoman Edwards then asked about the creation and establishment of new standards that would assist with these attribution standards.

Mr. Wu returned to his committee, and immediately cautioned that there were only seven more minutes before they had to adjourn for a floor vote. I really felt sorry for the panelists to see that there was so little time afforded to this very important topic.

Mr. Wu mentioned several questions that he hoped could be addressed in writing in the future, especially what role International committees, treaties, and standards may play in defining what is an attack, and how attacks should be responded to.

Monday, July 12, 2010

PakBugs Hackers arrested

(Thanks to Twitter friends - @nartv, @cedricpernet, @HostExploit - for setting me onto this story mostly by pointing to this article by Lucian Constantin over at SoftPedia, who had the English Language Scoop, as he often does.)

For Pakistani Hackers, July 7, 2010 will be remembered as the beginning of a fearful period in their lives. On that day, Mr. Shahid Nadeem Baloch, the Director of Cyber Crime Investigations for the Federal Information Agency announced the arrest of five ring leaders of the popular hacker forum "PAKBugs" in this release from the Press Information Department. Among those praised by FIA's Director General, Mr. Zafar Ullah Khan, for their roles in the investigation are Mr. Muhammad Idress Mian, who directs the National Response Center for Cyber Crimes (NR3C), Mr. Muhammad Raza, Cyber Crime Circle sub-inspector for the Rawalpindi Police, and NR3C Technical Officers Mr. Aun Abbas, and Mr. Amjad Abbasi.

The hackers arrested or wanted include:

Jawad Ehsan, alias Humza, still at large in Riyadh, Saudi Arabia.
Jawad uses the hacker handle ZombiE_Ksa, and is the founder of PakBugs and probably the most famous of all the PakBugs hackers. He is charged with 169 website defacements.

Ahmad Hafeez, arrested in Lahore.
Ahmad uses the hacker handle vergil, and is a moderator on the boards Pakbugs and Pakhaxorz. He is charged with 480 website defacements.

Hassan Khan, arrested in Peshawar.
Hassan uses the hacker handle x00mx00m, and is a co-founder of Pakbugs. He is charged with 8,697 website defacements.

Farman Ullah Khan, arrested in Bannu.
Farman uses the hacker handle Farman, and was a VIP-member of Pakbugs. Charges against Farman are unknown.

Malik Hammad Khalid, arrested in Rawalpindi.
Malik uses the hacker handle inject0r, and was a "super moderator" at Pakbugs. He is charged with 134 website defacements.

Taimoor Zafar Bhatti, arrested in Rawalpindi.
Taimoor uses the hacker handle h4v0c-, and was a "super moderator" at Pakbugs. He is charged with 105 website defacements.

Also wanted by the FIA Cyber Crimes Department are:
BiG^Smoke
Cyber-Criminal
spo0feR
and [a]

According to the press release:
These individuals have expertise in following techniques:
1) Linux
2) SQL Injection
3) Trojan horses
4) Phishing
5) Rooting
6) Access to various servers
7) Botnets
8) PHP Scripts
9) Stealers
10) ASP scripts (self writing)
11) JSP scripts (self writing)
12) Key loggers
13) Credit Cards Jacking and usage of stolen Credit Cards


What the press release doesn't mention is that the NR3C's own website was hacked by these website defacers in January of this year.

zonehmirrors.org/defaced/2010/01/07/www.nr3c.gov.pk/ "Hacked by zombie_ksa"

In that defacement the Pakbugs hackers suggest that if Pakistani citizens want help with security issues they should turn to Pakbugs rather than the NR3C.

The NR3C defacement was signed:

We are L33t Pakistani H4x0rZ,
www.Pakbugs.com
We are PAKbugs, We keep it real:
Zombie_Ksa::Spo0feR::x00mx00m::Cyber-Criminal
Special Greetz: BiG^Smoke
Greetz: Agd_Scorp :aB0 M0h4mM3d : The Moorish

That is actually the last website defacement credited to ZombiE_Ksa in the Zone-H archives, although his activities in 2009 included hacking numerous ".gov.pk" websites, temporarily taking over nameservers on the ".ug" registrar to allow defacements of the Ugandan websites for Microsoft, Toshiba, CNN, Citibank, and Google, and hacking the websites of the Saudi "Bank Al Bilad".

Zombie_KSA (KSA = Kingdom of Saudi Arabia) uses the hotmail addresses "Zombie_KsA@hotmail.com" and "mr.lonely420@hotmail.com".

TrendMicro posted screenshots obtained from Zombie_KSA proving that he not only had defaced the website, but actually had control of the email systems of the NR3C.

Despite the ZombiE_KsA hack, the Pakistani government is to be highly praised for taking on Cybercrime in such a proactive way. Pakistanis are encouraged to report cybercrime by emailing helpdesk@nr3c.gov.pk. The 2007 "Prevention of Electronic Crimes Bill (english language PDF) offers penalties from six months imprisonment all the way up to Capital punishment for 17 types of cyber crimes, with the most significant being "Cyber terrorism".


Other articles show that Zombie_KsA and Cyber-Criminal hacked the Pakistani Air Force website.

Unfortunately for the PakBugs hackers, in addition to having the Pakistani government after them, they had a bigger problem. Greyhat vigilante hacker "catch.them@live.com" posted the entire user database of the PakBugs forums to the mailing list Full-Disclosure back on September 14, 2009. That report revealed the email addresses used by all 12,640 members of PakBugs, including many of the hackers on the FIA wanted list including:

ZombiE_KsA = mr.lonely420@hotmail.com
x00mx00m = x00mx00m@gmail.com
Farman = farmanullahkhan@gmail.com
vergil = hotpoint-001@hotmail.com
Injector = lovedontcostapenny_1@live.com
h4v0c- = amilliondollarsmile@hotmail.com

The FIA may want to check out the history of website "loverzpoint.net", which has been "Greeted" several times by ZombiE_KsA, and where two of their "still at large" hackers have email accounts:

Cyb3r-Criminal = cyber-criminal420@loverzpoint.net
BiG Smoke = bigsmoke@loverzpoint.net
spo0fer = outlaw41@live.com
[a] = ahmed.kamal29@gmail.com

loverzpoint.net was originally registered to "big_smoke_boom@yahoo.com" with a fraudulent US-based address. In October 2008 that changed to "loverzpoint@gmail.com" with a Riyadh address and the name "Syed Jawad Shah".

(According to the Hack, userids 1, 12, 99, 1628 and 3844 all had "Admin" privileges at PakBugs. That would be users = ZombiE_KsA, spo0fer, Maximus, Test User, and Big Smoke, the last of those being the original owner of LoverzPoint.net)


The website "Propakistani.pk" has run a message regarding these arrests which is said to be from the "Pakistan Cyber Army". The PCA was active in a clash between Pakistani and Indian hackers in November of 2008. The message reads:
“Message from Pakistan Cyber Army on arrest of Pakbugs Members

If anyone has doubt that we are not the one who defaced ONGC then get a life first. If people have forgotten, then we are the same guys who Defaced ONGC in response to the attack on OGRA. After which we did a peace deal with the groups involved on both sides of borders including “Pakbugs” and “ICW” but kids didn’t keep their promise and got arrested.

We told PakBugs many (many, many, many) times to not to deface/destroy Pakistani websites and infrastructure. We told them to take FIA and NR3C seriously – as these agencies are not bunch of NOOBS, we had warned Pakbugs that you people don’t know about the power and the resources that NR3C has got but they gave a damn to our words and ended up in their custody.

I feel sad about the kids but… it happened due to their carelessness and childish attitude, which eventually landed them in the jail.

If you people are upcoming hackers and don’t know about Prevention of Electronic Crimes Ordinance then go and read it on NR3C website. I fear that Pakbugs would have a jail of 7 years if they got trialed and if FIA bail them out with some punishment they should thank Allah and concentrate on their studies.

We always told Jawad (HUMZA) and other kids about the consequences that they may face if arrested. [Jawad correct me if I am wrong.

Request to FIA/NR3C

“It is our humble request to FIA (NR3C) authorities to consider the case realistically and don’t give the kids the capital punishment as they are kids and can improve if given a chance. If they got the capital punishment as mentioned in Prevention of Electronic Crimes Ordinance then their future will be ruined. Sir these are our kids and our force if given a direction“

Message for upcoming Hackers

Our message to upcoming hackers or people who are interested in this field is that there is nothing bad to have the knowledge of hacking or hacking techniques, what’s bad is the usage of such knowledge and skill against our own country, National and international organizations or departments – that may cause damage to our country and its repute in the world. Don’t push your efforts to get famous. The fame will come by the time.

Some of your kids out there think that organizations in the west give opportunity to the hackers, if that’s the case then you are living in a heaven of fools.

Don’t believe in such stories that hackers will have a good future. The person who has a criminal record cannot fly from the country or he can’t enter into a country legally – go and ask your elders about it.

Message for Indian Hackers

If Indian hackers think that the game is over then read our message once again “Don’t mess with Pakistan else you will lose both your Name and this Game”. If you think that “Pakbugs” got arrested and you have a chance to play then give it a second thought.

Regards,

Pakistan Zindabad,
We are still awake for our country.
Haroon aka D45H & Hamza aka r4yd3n
Pakistan Cyber Army



(someone named R4yd3n was a member at PAKBugs as well, using the email sana2005@fastmail.fm)

Saturday, July 03, 2010

Stealing $10 Million, 20 cents at a time

On June 28, 2010, the Federal Trade Commission unveiled a law suit againt unknown credit card fraudsters, seizing the assets of 16 companies run by at least fourteen "money mules". The companies named were: API Trade, LLC; ARA Auto Parts Trading LLC; Bend Transfer Services, LLC; B-Texas European, LLC; CBTC, LLC; CMG Global, LLC; Confident Incorporation; HDPL Trade LLC; Hometown Homebuyers, LLC; IAS Group LLC; IHC Trade LLC; MZ Services, LLC; New World Enterprizes, LLC; Parts Imports LLC; SMI Imports, LLC; SVT Services, LLC. Each of these companies was run by a money mule recruited for the job via a spam email message. Each of them was instructed to establish their LLC to receive payments from small transactions, which they would then aggregate and wire to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. Before the law suit hit, a Preliminary Injunction had already been issued back in March to freeze the assets of the company in question.

This is the sort of case that raises strongly a point that I continually preach at UAB: Modern cybercrime law enforcement is not possible without strong computer science and data mining skills. At UAB, I work as the "Director of Research in Computer Forensics". My normal pitch about the program is that Computer Scientists solve problems by applying technology and algorithms. Criminal Justice professionals are facing more and more crimes that can only be solved by the application of Computer Science. In our program, we introduce the two to each other. Some of our graduates will be tool users -- law enforcement and corporate investigators who now know the range of technology solutions that might be possible to make them better cybercrime investigators. Other graduates will be tool makers -- computer scientists who now understand the range of problems being faced by modern law enforcement and who are now equipped to design solutions to those problems.

In this case, the criminals, who have been active since at least 2006, are documented to have placed at least 1.3 million credit and debit card charges without the authorization of the card holder. Can you imagine working a case with 1.3 million fraudulent charges without the benefit of data mining technology? The defendants "somehow obtain the consumers' account numbers and proceed to sneak the charges onto the accounts. Defendants purposely make their unauthorized charges less than $10 in the hopes that consumers will not notice them or will choose not to contest the charges." (Quoted from the FTC Memorandum of Support.

Unknown defendants, referred to as "the Doe Defendants", manage the creators of the sixteen fake LLCs, referred to as the "Money Cashing Defendants" from somewhere in Eastern Europe. The Doe Defendants create hundreds of fake companies and corresponding websites which are named in ways that come close to the names of real organizations, making them difficult to search. Often the listed addresses and phone numbers are also similar to a real organization.

The consumers are charged as little as 20 cents in a single fraudulent transaction, and as much as $10. 90% of the charges were never disputed. Those that were received instructions to call non-existent telephone numbers, or answering services from which calls were never returned. More than 1000 consumers have filed complaints with the FTC about these illegal practices.

How much effort would YOU go to to right the wrong of an illegal $3 charge on your credit card?

The Memorandum of Support filed by the FTC describes three roles of various criminal groups in this action:

A. The Money Mules

This group is described as "an expansive network of money mules in the United States to cash out the unauthorized charges." The Doe Defendants sent out emails to recruit their money mules "announcing that an international financial services company is seeking a US finance manager to process transactions and cash checks, money orders, and international wire transfers." The claim is that there is a tax benefit to the company to have many tiny charges aggregated in the United States. In order to realize this tax savings, the Does will send the payments from their US customers to the Money Mules, who receive the payments and send them on to the "international financial services company."

B. The Money Cashing Defendants

The "international financial services company" required that the money mules form corporate entitites and establish bank accounts in the names of these corporate entities. Between the sixteen corporations established, more than three hundred merchant bank accounts were opened. While this sounds like the same group of people as Group A, Group A is the people themselves, while defendant Group B is actually the group of corporations formed by the people in Group A.

These companies then established merchant accounts at numerous "credit card clearing companies" in order to have charges processed by a clearing company and have the cash placed into their bank accounts. The companies used "virtual offices" through a company that sells "non-PO box" addresses to give the company a sense of legitimacy. Rather than establish their own Employer Identification Numbers (tax numbers required to be on file for merchant banking accounts), the companies "borrowed" the EINs of existing organizations with similar sounding names.

In order to pass the "due diligence" checks used when establishing merchant accounts, fake websites were created for each of the companies, claiming they sold various types of office supplies, and providing business and "home" telephone numbers for each of the organizations. All of the numbers forwarded to a cell phone number in Belarus. The "Owners" of these companies were real people, who included their name, social security number, and date of birth on the merchant account applications. The Defendant Does ran credit checks on each of the "borrowed" identities to make sure their credit scores were good before using their identities.

FTC: All Your Base Are Belong To Us



After reviewing the data, the FTC ruled against the defendants in the form of a Preliminary Injunction which freezes assets of all defendants as well as prevents them from sharing or selling the identity data they may have acquired about their victims. Here's the Asset Freeze language.

IT IS FURTHER ORDERED that Defendants, and their officers, agents, servants,
employees, and attorneys, and all other persons in acti ve concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any trust, corporation, subsidiary, division, or other device, or any of them, except as provided herein, as stipulated by the parties, or as directed by further order of the Court, are hereby restrained and enjoined from:

A. Transferring, liquidating, converting, encumbering, pledging, loaning, selling, concealing, dissipating, disbursing, assigning, spending, withdrawing, granting a lien or security interest or other interest in, or otherwise disposing of any funds, credit instruments, real or personal property, accounts, contracts, shares of stock, lists of consumer names, or other assets,
or any interest therein, wherever located, including outside the territorial United States, that are:

1. Owned, controlled, or held by, in whole or in part, for the benefit of, or subject to access by, or belonging to, any Defendant;
2. In the actual or constructive possession of any Defendant; or
3. In the actual or constructive possession of, or owned, controlled, or held by, or subject to access by, or belonging to, any other corporation, partnership, trust, or any other entity directly or indirectly owned, managed, or controlled by, or under
common control with, any Defendant, including, but not limited to, any assets held by or for any Defendant in any account at any bank or savings and loan institution, or with any credit card processing agent, automated clearing house processor, network transaction processor, bank debit processing agent, customer service agent, commercial mail receiving agency, or mail holding or forwarding company, or any credit union, retirement fund custodian, money market or mutual fund, storage company, trustee, or with any broker-dealer, escrow agent, title company, commodity trading company, precious metal dealer, or other financial institution or depository of any kind, either within or outside the territorial United States;

B.Opening or causing to be opened any safe deposit boxes, commercial mail boxes, or storage facilities titled in the name of any Defendant, or subject to access by any Defendant or under any Defendant's control, without providing the Commission prior notice and an opportunity to inspect the contents in order to determine that they contain no assets covered by
this Section;

C. Cashing any checks or depositing any payments from customers of Defendants;

D. Incurring charges or cash advances on any credit card issued in the name, singly or jointly, of any Defendant;

E. Incurring liens or encumbrances on real property, personal property, or other assets in the name, singly or jointly, of any Defendant or of any corporation, partnership, or other entity directly or indirectly owned, managed, or controlled by any Defendant; or

F. Transferring any funds or other assets subject to this Order for attorney's fees or living expenses, except from accounts or other assets identified by prior written agreement with the Commission; provided that no attorney's fees or living expenses shall be paid from funds or other assets subject to this Order until the financial statements required by Section V are provided to counsel for the Commission.


I love it when the bad guys lose their toys!

Long Boring Lists


OK, I know this is the boring part, but here are all the companies listed in the order, followed by a list of the vendor names that may have showed up on your fake credit card charges if you are a victim. Both lists are drawn from the FTC documents already mentioned:

• API Trade, LLC, a Pennsylvania limited liability company incorporated in 2006, which has at least four bank accounts in its name; API's registered office address is 9926 Haldeman Avenue, #45 B, Philadelphia, Pennsylvania 19115

• ARA Auto Parts Trading LLC, a limited liability company, which has at least two bank accounts in its name; ARA's principal address is 14202 Barcalow Avenue, Philadelphia, Pennsylvania 19116

• Bend Transfer Services, LLC, a Nevada limited liability company incorporated in 2007, which has at least thirty bank accounts in its name; Bend's registered office address is 21285 East Highway 20, #169, Bend, Oregon 97701.

• B-Texas European, LLC, a Texas limited liability company incorporated in 2006, which has at least sixteen bank accounts in its name; B-Texas' registered office address is 701 Brazos Street, Suite 1050, Austin, Texas 78701. B-Texas also conducts business at 8070 County Road, 603, Brownwood, Texas 76801.

• CBTC, LLC, a Delaware limited liability company incorporated in 2007, which has at least four bank accounts in its name; CBTC's registered office address is 151 Evergreen Drive, Dover, Delaware 19901. It also conducts business at 9926 Haldeman Avenue, #45 B, Philadelphia, Pennsylvania 19115.

• CMG Global, LLC, a Pennsylvania limited liability company incorporated in 2006, which has at least eleven bank accounts in its name; CMG's registered office address is 7400 Roosevelt Boulevard, #52602, Philadelphia, Pennsylvania 19115. It also conducts business at 7400 Roosevelt Boulevard, Apartment A303, Philadelphia, Pennsylvania 19152 and P.O. Box 52602, Philadelphia, Pennsylvania 19115.

• Confident Incorporation, a California company incorporated in 2002, which has at least three bank accounts in its name; Confident's registered office address is 17800 Castleton Street, Suite 386, City of Industry, California 91748. Confident also conducts business at 30616 Sand Trap Drive, Agoura Hills, California 91301.

• HDPL Trade LLC, a Pennsylvania limited liability company incorporated in 2008, which has at least nine bank accounts in its name; HDPL's registered office address is 1143 Northern Boulevard, #263, Clarks Summit, Pennsylvania 18411.

• Hometown Homebuyers, LLC, a Texas limited liability company incorporated in 2002, which has at least thirty-seven bank accounts in its name; Hometown's registered office address is 413 East Highway 121, Lewisville, Texas 75057. It also conducts business at 8070 County Road 603, Brownwood, Texas 7680l.

• IAS Group LLC, a California limited liability company incorporated in 2008, which has at least five bank accounts in its name; Highway 121, Lewisville, Texas 75057. It also conducts business at 8070 County Road 603, Brownwood, Texas 7680l.

• IHC Trade LLC, a New York limited liability company incorporated in 2007, which has at least seventy-one bank accounts in its name; IHC's registered office address is 5823 North Burdick Street, East Syracuse, New York 13057.

• MZ Services, LLC, an Arizona limited liability company incorporated in 2004, which has at least fifty-three bank accounts in its name; MZ Services's registered office address is located at 2910 North Casa Tomas Court, Phoenix, Arizona 85016.

• New World Enterprizes, LLC, a New Jersey limited liability company incorporated in 2005, which has at least fourteen bank accounts in its name; New World's registered office address is 115 Magnolia Avenue, Suite 10, Jersey City, New Jersey 07306. New World also conducts business using the following addresses: (1) 441 Tomlinson Road, Apartment G 12, Philadelphia, Pennsylvania 19116, (2) P.O. Box 2645, Newark, New Jersey 07114, (3) 2400 East 3rd Street, Apartment 705, Brooklyn, New York 11223, and (4) 504 Florida Grove Road, Keasby, New Jersey 08832.

• Parts Imports LLC, a Louisiana limited liability company incorporated in 2006, which has at least forty-two bank accounts in its name; Parts Imports' registered office address is 617 Elm Drive, Bogalusa, Louisiana 70427.

• SMI Imports, LLC, a Florida limited liability company incorporated in 2006, which has at least fourteen bank accounts in its name; SMI's registered office address is 2329 North Tamiami Trail, Apartment #10, Sarasota, Florida 34234. SMI also conducts business at 8122 45th Court East, Apartment 7, Sarasota, Florida 34243.

• SVT Services, LLC, a New York limited liability company incorporated in 2008, which has at least eight bank accounts in its name. SVT's registered office address is 800 East 13th Street, Apartment K, Brooklyn, New York 11230.

The fraudulent charges seen by the consumers actually The mark of the scam is to see fraudulent credit card charges from one of the following companies:

ACM
Adele Services
Advanced Global Tech
AEI
Albion Group
Alpha Cell
ALS
ALS LLC
BEI
BIT
BusinessWorks
Center Company
Centrum Group
CFM
CFR
COS
Data Services
Den Enterprises
Dgen
Digest Limited
Don Partners
DwellTech
Edge
ESTA
Eureka
Extra Path
Form Limited
Foto Fast
Gamma
GFDL
GLOBO
Green Stone
Harry Dean
HBS
Home Port
Homebase
ICH Services
IHS
Image Company
Image Services
IPS
ISSO
IVA
Lang Group
Light Flow
Link Group
Link Services
List Services
Mark Silver
MARX
Mera
MFG
Name Services
NETT
New Eight
Office Development
Office Services
OM Extra
ONE
Online Group
Prc Services
Presi
Rasna
RSIPartners
RSS Inc.
Safeworks
Search Company
Search Management
Search Services
SFR
Sigma
Site Group
Site Management
Site Services
Source Limited
Standard Six
SYS INC
System Development
Terra
THQ
TIMO
TLC Inc.
Union Green
United Services
VIVOS
WELLE
Will Services
World Trade
World Wide Services
YES

Thursday, July 01, 2010

ICE Operation "In Our Sites"

When you think of a Federal agency that should be enforcing criminal copyright violations, you might not think of the US Immigration and Customs Enforcement (ICE), but once again, they are serious members of the cybercrime-fighting pack with their recently announced "Operation In Our Sites".

ICE Assistant Secretary John Morton was backstage in Los Angeles for a meeting with movie studios, entertainment unions, and the Motion Picture Association of America (MPAA) where he announced the first arrests in this operation.



In their first action, nine web sites had their domains seized by agents operating from the Southern District of New York. In addition, ICE agents seized the criminals' assets from 15 bank, Paypal, investment, and advertising accounts and executed four residential search warrants.

The domain names targeted in the first round included:

TVShack.net
Movies-Links.tv
FilesPump.com
Now-Movies.com
PlanetMoviez.com
ThePirateCity.org
ZML.com

Visitors to these websites will see this sign instead of their regular content:



Some of these sites were quite creatively hosted. For example, TVShack.net was hosted on the IP address 84.22.98.3, owned by "CyberBunker Customer Delegations," which claims to be located in Antartica (although they have a sales office in Berlin Germany). One of its close neighbors, "the-movie-downloads.com" is still on live at 84.22.98.19, which claims to have 3 million members and a catalog of 80 million titles available for "instant free download."

FilesPump.com was hosted prior to its seizure on the subnet 213.174.143.0/24, which currently hosts more than 500 hardcore pornography websites at "Advanced Hosters", but still has free movie sites mixed in, such as "freemoviesplace.com" owned by Hungarian "Alen Miscak" according to the WHOIS information. That site claims to have been offering streams of Twilight Saga: Eclipse since June 30th and Toy Story 3 since June 18th, but its possible that they are just making money on their related "allposters.com" affiliate advertising.

Some of the sites are quite confusing for the novice to use . . . for instance ABCFilm.org is a Russian language site, offering streams of all the most recent movies - Eclipse, Grown-Ups, A-Team, Killers, Karate Kid, Jonah Hex - but to watch them you have understand their special "Codex" and use their "DownloadMaster" program. The movies are clearly labeled as to what kind of stolen IPR you will receive, for example Grown-Ups (Russian is Одноклассники) is labeled as a "CamRip" (meaning someone videotaped it in the theater) of 1938 kb/s 688x384 resolution. Although this one is a Russian site, its hosted at "HostForWeb"

PlanetMoviez was hosted in Chicago Illinois by Cogswell Enterprises on IP address 96.30.9.104, while ThePirateCity was hosted on 89.185.228.192 = "Fast Internet Web & Server Hosting" in the Czech Republic (exmasters.com = "best low-cost adult web-hosting")

ZML.com was hosted on a long-time favorite host of cybercriminals everywhere, Noc4Hosts in Tampa, Florida. Noc4Hosts IP 96.31.66.11 was ZML's previous home, on a subnet that also contains all your offshore banking domain names, from places like "caymanfinancialreview.com", and which also hosted DVD and Movie piracy websites such as Basecinema.com, BuyDVDFilm2.com, CinemaINet.com, DVDOnlineService.com, FilmoKingdom.com, MovieShop77.com, MoviesforaPenny.com, and many others. Strangely, quite a few of these sites are currently not online. I'm sure this means Noc4Hosts has decided to purge themselves of criminals. Haha!

The National Intellectual Property Rights Coordination Center (IPR Center), which is operated by ICE in Virginia, also seized the domain names and all web site content for the sites:

NinjaVideo.net
and
NinjaThis.net


The IPR Center has launched its own web presence to help identify and fight copyright and trademark violation on the Internet. Here's their new logo:


(click for full-sized image)

The IPR Center urges consumers to report additional websites where copyright violation is rampant by using the National IPR Coordination Center Complaint Referral Form or by contacting their IPR Hotline at 1-866-IPR-2060 (1.866.477.2060).

During Fiscal Year 2009, ICE launched 1,479 Intellectual Property Rights Investigations that resulted in 414 arrests, 164 indictments, 203 convictions, and the seizure of $62 Million in counterfeit merchandise, according to their IPR Fact Sheet.

If you think you'd be interested in a career with ICE as a Special Agent, read about The Hiring Process and use their "Contact Us>" page to call and discuss the recruitment process with one of their 26 offices around the country. In addition to Special Agent jobs, they also have positions as Auditor, Criminal Research Specialist, Investigative Assistant, Mission Support Specialist, and Technical Enforcement Officer.



Here are a couple screen shots from the ICE Press Release of sites that they took offline: