Monday, November 29, 2010

Minipost: IPR Center celebrates Cyber Monday

The National Intellectual Property Rights Coordination Center (IPR Center) announced today that, in celebration of Cyber Monday, it has seized 82 domains that were selling counterfeit goods. The operation, called Operation In Our Sites 2.0, expands the focus of the original op, which concentrated on movies only. CyberCrime & Doing Time reported on the first Operation In Our Sites back on July 1st, when a half dozen major movie piracy websites were seized.

As with the original op, visitors to the domains see a warning like this instead:

The full list of counterfeit goods websites that were seized is available in this short report from ICE, but it's clear from the names that these were not just movie sites.

In addition to sites selling DVDs of movies and boxed sets of television series, there were handbags, watches, golfing gear, sunglasses, college and pro jerseys, iPods, shoes, and brand name clothes from Louis Vuitton, Timberland, and others.

Eighty-two sites is a good start, but you're sure to have seen other websites selling counterfeit goods. How do you report them?

Or just visit:

Cyber Monday Warnings

Today is Cyber Monday, the more recent trendy computer version of Black Friday. It originated when the Internet at home was slow and expensive and corporations and online sellers realized that everyone came back from their long holiday weekend with a list of things they had been unable to buy in the malls and ready to use the company's fast Internet access to finish up their shopping lists.

Of course that's no longer true. Most of us have fast Internet at the house, and the online sellers realize this, which is why many companies started "Cyber Monday" over the weekend. I was getting messages yesterday afternoon from that "Cyber Monday Starts Today!" even though it was quite clearly Sunday. MSN's top ad yesterday was an animated cube from JC Penney announcing 40,000 deals for "Cyber Monday" were already available. Sears sent me emails announcing "The deals launch tonight! Get up to 20% off for Cyber Monday!" WalMart is among the firms extending the holiday shopping spree with "Cyber Week" sales available. I also received Cyber Monday emails from Best Buy, Guitar Center, Kohl's, Office Depot, Rosetta Stone, and Toys'R'Us. Just while I'm typing this two more came in! (Bass Pro Shops and Books-A-Million...excuse me, I'll be right back, and I'm not going fishing!)

I'll be joining all of you shopping, as soon as I get home from work, of course. But let's make sure to use some Cyber Sense to keep safe during this holiday shopping spree.

We've already talked about some general Consumer Safety tips, such as this Birmingham News article, Avoid Being Victimized While Shopping Online and our interview this morning on the CNBC Ron Insana show.

In this blog post, we wanted to share a bit more "techie" version of what we'll be watching for on this Cyber Monday. These are the things that have been troubling me as I think about what the bad guys are plotting for this holiday season.

ESP Spear Phishing leads to ... what?

You might know the term "ISP" is Internet Service Provider. "ESP" is Email Service Provider. Something that has me especially concerned as we head into Cyber Monday is a story from last week that ESPs have been the target of spear phishing campaigns. In "phishing," criminals try to steal your userid, password, and other personal information by sending an email pretending to be from an online company with which you do business, and then directing you to a website that steals your information. In "spear phishing," criminals are not using a general "lure" but are instead targeting a particular individual. The ESP ReturnPath shared this spear phishing email they observed last week as an example of what was targeting their employees:

Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:


Let’s keep in touch then.


Michelle & Brian

Obviously, I added that "Do Not Visit" part...

It reads like real people who were really getting married, sending email to real people working at the ESP. Only the wedding site was fake, and instead of pictures it dropped two pieces of malware. Brian Krebs has more details in his KrebsOnSecurity column, but if the people working at the ESP followed the link, they would be infected with a password stealing program called iStealer and a RAT (a Remote Administration Trojan) called CyberGate.

Why? These companies (and it is believed that perhaps as many as a hundred ESPs were targeted) are the companies that send the "official marketing" emails for many of the largest companies on the planet. Their sending IPs are listed as "trusted" and their emails are signed with digital certificates that "prove" the email is legitimate. If the criminals can take over computers in these organizations, they can insert their malware links into the official marketing emails of large companies!

Shipping Spam Malware

For more than a year, one of the main ways malware has been delivered by spam is through messages claiming that a package you were supposed to receive was not delivered for some reason. Most of the time this is a general annoyance, but during the holiday online shopping season this is exactly the kind of email people are likely to click on. What advice do we always give regarding email? DON'T CLICK THAT LINK! (Or in this case, don't open that attachment.)

To help protect yourself during the holiday season, make sure that you keep track of what packages have been shipped to you, and what the tracking numbers are for those packages. If you really need to know the status, UPS, FedEx, and the US Postal Service all have great websites where you can enter your tracking number to find out what's going on with your package. Visit the website and type in your tracking number.

We've blogged on this subject repeatedly in the past, including this story from last year's Cyber Security Awareness Month (scroll past the IRS spam, it was the second topic).

Holiday Gift Card Malware

Although we haven't seen it yet this year, some of the most successful malware distributions in the past, particularly with Storm and Waledac, have been holiday themed malware and especially "Greeting Card" malware. See for instance the 2009 story Happy New Year! Here's a Virus! or last Christmas and New Year's New Year's Waledac Card. We even saw these back in 2007, with A Stormy Christmas and a Botnet New Year.

Search Engine Poisoned Results

Back in April we detailed how the criminals use "Search Engine Optimization," which we prefer to call "Search Engine Poisoning," to attach their malware to hot search topics. In that article, which we called Fake AV in the News, we demonstrated the technique using common search terms from hot news stories. Watch for the same technique to be used now, only using hard-to-find gifts as the bait!

(oops...just got another email from about Cyber Sale!)

Counterfeit (Illegal) Product Sales

There are so many spam campaigns going on right now, as usual, for Rolex watches, UGG Boots, ridiculous software sales, and luxury items, such as popular handbags.

These are largely criminal enterprises, using compromised home computers to send spam that advertises webservers hosted in China by criminals in Russia, who will send you fake products of questionable quality that are illegal in the United States because they violate the copyrights and trademarks of the legitimate companies.

Remember: Why do spammers spam? Because Americans keep buying their garbage. There is no such thing as "OEM Software" that is legal.

Penny Auctions & Gift Cards

Another scam we're seeing spammed heavily today is the "penny auction" that promises to sell items for pennies on the dollar. One popular site is advertising "Save 95% off retail!" and shows iPhones for $19 and laptops for $40. Most of these work by selling bids. You pay a price to have the right to bid, but of course that doesn't guarantee you will win. The item may "sell" for $4, but in order to sell it for that, thousands of dollars of purchased bids are expended. We've seen spam this morning for QuiBid and BidCactus, as examples.

Other spam messages are giving away "Free $1,000 Gift Cards!" These scams, including popular spam right now for Victoria's Secret and Olive Garden, work by having the visitors complete "Member Tasks" to earn their gift card. Another popular version allows you to "pick your gift card" and shows images of Sears, KMart, Kohl's, JCPenney, and Walmart gift cards. Before you actually get the card, though, you have to do things like trying NetFlix or trying a new tooth whitener. The tasks get more complex, and more expensive, as you try to get enough "points" to get your gift card. By the end, some of the tasks are things like "spend at least $1800 on a EuroRail Pass," or "stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" READ THE FINE PRINT! (and don't waste your time!)

Work At Home, Refinancing, and Other Financial Desperation spam

As desperate as some Americans are for some extra holiday cash, answering a job ad that you receive in spam should not be a consideration. Many of these "jobs" are helping to facilitate money laundering or illegal product shipment. We've talked about these scams before, most recently in the story Running Out of Money Mules?. Don't fall for the temptation.

Today we've seen spam from "Home Jobs For Citizens", promising us we can earn $150 per day at home, as the most recent example.

We've also seen an uptick in really threatening sounding mortgage spam. One spam message I received today had my true street address in the subject line and warned that my mortgage was delinquent! The spam had my wife's name, my real address, and my email, and took me to a webpage that offered me a 3.6% interest rate on refinancing my home. They've got many "look and feels" all running on the same webserver:

These spammers are "lead generators" who have you fill out all the credit information that would be used to generate a loan application, and then shop you out to people desperate to make their refinancing quota. It's also not uncommon for this type of spam to lead to identity theft. If you want to refinance your home, call a mortgage company; don't click a spam message!

Friday, November 26, 2010

Schoolboy Hackers steal $18 Million (£12 Million)

The Background

Back in August one cybercrime story we were watching came to our attention via ZDNet's story Teenagers accused of running cybercrime ring. In that story most of the public learned for the first time of a criminal online forum called, run by a pair of 18-year-olds, Nicholas Webber and Ryan Thomas. Webber owned and operated the forum, which had over 8,000 members, while Thomas did day-to-day moderating and operations tasks.

The pair had actually been arrested back in October 2009 when they tried to pay a high-end hotel bill of around £1,000 with a stolen credit card. At the time of his arrest, Thomas' laptop revealed that he had a leading role on Webber actually had business cards calling himself "N2C AKA Webber". N2C was the main administrator of GhostMarket.

The pair jumped bail in October but were arrested when they returned to the UK on January 31st at Gatwick airport. A laptop they were carrying at that time revealed the details of 100,000 credit cards and identified an additional co-conspirator, 21-year-old Gary Paul Kelly. Kelly had been previously identified as being involved with a Zeus botnet associated with the domain "". (Several pieces of malware used IRC rooms to spread themselves, as shown in this TeamElite report, this Wepawet report, this Prevx report, or this malwareurl report.) The "woot/gate.php" file on totalunix was also listed as a confirmed Zeus distribution point.

Despite previously fleeing when they had posted bail, they were allowed to post bail a second time, on the condition they did not use the Internet. They entirely ignored this condition, and continued to perform their duties on GhostMarket.

In addition to Webber, Thomas, and Kelly, 20-year-old Shakira Ricardo and 21-year-old Samantha Worley were charged as well for their role in controlling two Halifax building society accounts used to handle proceeds from GhostMarket.

PCeU officers called the case Operation Pagode.

Born and raised in Guernsey, Nick Webber now attends school at St John's College in Southsea, Hampshire, where he lives on Cavendish Road.

According to The Guernsey Press, Webber's hometown paper, 65,000 bank accounts had been drained of approximately £8 million in what were called "linked frauds". The forums also contained bomb-making information, and Webber was said to have discussed his desire to blow up the home of the detective he believed was the head of the e-Crime unit.

Accusations against Webber, Thomas, Kelly, and Ricardo include "conspiracy to commit fraud" and "encouraging or assisting offences" between 12 April 2009 and 4 November 2009, namely providing GhostMarket credit card data and tutorials on various crimes, including hacking, phishing, spamming, and manufacturing crystal meth.

Kelly is also charged with "conspiracy to make or supply articles for use in fraud" and "unauthorised modification to computers", while Ricardo was charged with "possession of articles for use in fraud" and "acquiring criminal property".

Worley is also charged with "acquiring criminal property" including a Tiffany ring and an H Samuel platinum chain.

The Crimes

Mikko Hyppönen found an interesting post on an underground forum the day before Kelly went back to trial, and shared it on his blog, "I possibly won't be back for a while...".

In that thread, Kelly points back to this SkyNews article about his original Zeus arrest, Two Arrested Over Computer Virus Plot from November 18, 2009.

Kelly, who used the hacker name "Cache" on several boards, was a sometime malware author, selling a "crypter" that he authored that would help protect malware from discovery. He also has been seen offering to buy "installs" from others when "his DNS got screwed up" and he lost a botnet he was controlling. He preferred to chat with Yahoo messenger using the name "" which was often associated with his alias "Mike Wilson".

He claims to have been charged with having 15,000 controlled Zeus bots, 2 million lines of stolen Zeus log data, for scamming a casino for 10,000 pounds, stealing $9,000 via Western Union, and other related crimes. He also was running a #ccpower IRC server, according to a post he made in January 2010 asking his fellow hackers how much prison time he might get for Zeus.

Nick Webber, who used the alias "N2C" to run GhostMarket, was teased when the full version of the abbreviation was shared:

He used that as his MSN chat handle, to register the domain name "" (with a zero) and for his YouTube page where he posted videos on hacking, such as this one called Advanced VBV / MSC Phisher (that's VBV as in Verified By Visa).

He also used that email with the N2C alias as his member email on, which was outed in RM #2 back in 2008. Back then he was logging in from BT Central on

The Trial

Webber and Thomas have now pleaded guilty to their charges, and Gary Kelly has admitted to being behind a particular Zeus trojan. The two others charged have admitted to their role as money mules. According to The Portsmouth News story, Teenager admits £12m internet banking fraud, the sentences are expected to be quite lengthy. The judge told the defendants:

'You used your enormous skills and education in what looks like an enormous conspiracy to defraud and steal people's credit cards and bank accounts.

'These are such serious matters that there may well be substantial periods of imprisonment.'

Webber pleaded guilty to conspiracy to commit fraud, conspiracy to make or supply articles for use in fraud and encouraging or assisting offences, at Southwark Crown Court.

Kelly, of Swinton, Manchester, pleaded guilty to the same charges as well as an additional count of conspiracy to make or supply articles for use in fraud and a further charge of conspiracy to cause unauthorised modifications to computers.

Ricardo, of Kings Road, Swansea, admitted conspiracy to commit fraud, conspiracy to make or supply articles for use in fraud, possession of articles for use in fraud and acquiring criminal property.

Worley, also of Kings Road, Swansea, admitted one charge of acquiring criminal property.

Webber and Kelly will be held until their sentencing, but the remaining three are out on bail.

The Daily Mail has the best photos of the group that I've seen, including Nick Webber, Samantha Worley, and Gary Kelly.

Wednesday, November 24, 2010

Another M00P Group Member arrested

Pardon me while I have a Matrix-moment imagining this conversation. Matthew Anderson is sitting in a small room, and Detective Constable Bob Burls is flipping through the charges against him. "Mister Anderson ... it seems you've been living TWO lives. In one life, you're Matthew Anderson, program writer for a respectable software company. You have a social security number, you pay your taxes, and you help your landlady carry out her garbage. The other life is lived in computers, where you go by the hacker alias "Warpiglet" and are guilty of virtually every computer crime we have a law for. One of these lives has a future, and one of them does not."

OK, back to reality . . . who is Mister Anderson? Let's back up a bit.

In 2006, Brian Krebs, then of the Washington Post, ran a story in his Security Fix column called The Scoop on the m00p Group. The story started as an analysis of a June 27, 2006 Times of London story, Virus hackers held in UK and Finland. The Times told us that the suspects were a 63-year-old from England, a 28-year-old from Scotland, and a 19-year-old from Finland, who had released malware known variously as Ryknos, Breplibot, or Stinkx. Thousands of machines were hijacked, mostly in the UK, in violation of the 1992 Computer Security Act charge of "conspiracy to commit unauthorised modification of computer material," which at the time carried a maximum penalty of six months in prison and a £5,000 fine. Krebs went on to claim that "these jokers are thought to be responsible for releasing the Zotob.d worm."

The Ryknos bot was an old-school IRC-controlled botnet. All of the bots were directed to join an Internet Relay Chat (IRC) channel where they would receive further commands from the bad guys, known as "botherders" in the community. One of Krebs' sources determined the method by which the bots joined the chat room and did so himself, sharing an interesting chat log with Brian, in which a botherder calling himself Uluz claimed he had sent out 5 million spam messages and 50,000 people had become infected and joined the chat room. Krebs believed the 63-year-old Brit was not a malware person himself, but was paying the botherders to deliver spam email messages using their bot-controlled computers.

We now know that Uluz, aka Warpigs, aka Warpiglet, aka Aobuluz, was actually Mr. Anderson.

What happened to the criminals? First, it is unlikely that m00p were the authors of Zotob, although they may have been using a Zotob variant. The author of Zotob was Farid Essebar, a 19-year-old Moroccan, who was sentenced to a two-year prison term in September of 2006. (See the Symantec report Zotob author sentenced to 2 years in prison. Diabl0, as Essebar was known, created as many as 20 variants of his bot, and it's possible that m00p was a customer of that process.)

In a Swedish-language story published September 17, 2007, the headline read "Finnish man suspected of computer crimes" and gave more details (source: Finsk man misstänks för databrott, with some help from Google Translate):

A young man from Pori is suspected of having participated in a computer hijacking offensive against millions of computers.

According to the police in Pori, the man made malware that uses e-mail distributed to tens of millions of computers around the world. The man admits that he made 30-40 different malware programs. The malware was so-called trojan horse programs, which means that the people managing the malware had access to the compromised computer and its contents. The hijacked computers formed botnets that can be used, for example, to spread malware.

The man is suspected to have belonged to an international group of computer criminals, led by a British man. The police found that group m00p had 64 million email addresses for spreading the malware.

The preliminary investigation into the most comprehensive data breach in Finland will be ready in September and will then go for consideration of the charges in the prosecutor's office in Satakunta.

Three days later, Finnish technology magazine DigiToday ran a story about the arrest of a member of the M00P Group that no one in English-speaking countries paid much attention to, perhaps with the exception of Detective Constable Bob Burls of the Metropolitan Police of London: M00p-ryhmä toimi tietoturvayhtiön suojissa, "M00p group operated under the cover of a security company." The story claims that while a company sold security software as a cover, secretly the group was distributing malware and running botnets. The 63-year-old Englishman is said in this article to have hired the m00p group to infect members of a rival company and to gather information about that company from the data their trojans could harvest from the rival's computers.

DC Bob Burls, from the Police Central e-Crime Unit (PCeU), was still on the case all this time. Last month, Matthew Anderson, now 33 years old, pleaded guilty to his role in the group, as reported by the UK's IT Pro in their story of October 25, 2010, Virus spreading snooper pleads guilty. That story continued, "A 33-year-old Scottish franchise manager helped spread viruses and spied on people via webcams". Burls is quoted as saying:

This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals. Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy.
- DC Bob Burls

We now know some more about the Finland-based hacker and his sentence. He did plead guilty to the charges mentioned above, and was sentenced to the harsh term of EIGHTEEN DAYS (yes, 18 DAYS, not months) and was ordered to perform community service.

Fortunately, the Brits are a bit more reasonable in their sentencing. Anderson was sentenced on November 23 to serve 18 months in prison. The penalties under the law with which he was charged were stiffened in 2008. If his crimes had occurred after October 2008 the maximum penalty could have been 10 years, and the judge mentioned, according to this article in The Register, that he would have received at least 36 months instead.

The Daily Mail describes Anderson as a father of five, who did most of his hacking from his mother's front room in the Scottish Highlands town of Banffshire, Scotland. They claim he sent out 50 million spam emails with a malicious attachment, and at least 200,000 people clicked on the attachment, "enslaving" their computers to Anderson. Anderson was then able to gather files and photographs from their computers and to turn on their web cameras and record video. According to the Daily Mail, "At his leisure he then sat spying into the living rooms or bedrooms of strangers."

In captured text from his computer, Anderson, using the name "Warpigs" boasts to another hacker, "CraDle", of one 16-year-old girl he had been "tormenting for hours" and saved a video of her bursting into tears as he made his presence known by changing her screen. According to DC Burls, the images and videos kept as trophies were carefully catalogued: passwords, CVs, medical records, intimate photos, etc.

Similar to yesterday's blog post, he claims that personal tragedy led to his career choice. He became house-bound in his early 20s, experiencing panic attacks when he went out in public. This led to his fascination with online chat. His company is a computer security firm, ironically and supposedly protecting its customers from people just like him.

The only financial gain for Anderson seems to be his selling of email addresses that he had harvested from his bot computers. Only £12,000 in profit can be proven. In addition to private computers, Anderson controlled systems at John Radcliffe Hospital, Oxford University, and several non-military government computers in the UK.

According to the story Scottish botnet master jailed for 18 months by Chris Williams at TheReg, it was the hospital computer case that led the PCeU to get involved. Burls was called to the hospital when the malware was discovered, and tracked the command and control of the botnet to a domain registered to the email address "". Inquiries to PayPal and eBay helped link that email address to Matthew Anderson and his company, Opton-Security.

Having his email address makes it possible to find quite a few interesting emails from Mr. Anderson.

Here's one forum post to the Toyota USENET Discussion Group "" found on Toyota Nation:
02-21-2006, 11:01 AM Subject: How to keep your private files private


I would like to offer you the chance of owning a very powerful product of ours. Opton FileCrypt is designed to keep your private files private. These can be personal files where you store your important passwords, credit card or banking details. It can also be used to protect legal documents, private databases, images and music files. In fact, it will lock and protect any filetype available on a PC.

If you have anything at all you would like to keep away from prying eyes then this tool will lock & encrypt the files at a click of a button using MD5 encryption technology.

If you are at all worried about your personal information getting into the wrong hands, having your private images and files being looked at by your children or by anyone without authorised access, or being the victim of Identity Theft, then I recommend this application highly. Its simplicity of use makes it reachable to all PC owners as no advanced skills are needed to operate the software.

To read more and possibly make a purchase please visit us at

Kind regards

John Anderson

The ironic reply to this thread, from Travis Jordan, was:

Now why would Mr. Anderson's UK-based company whose email address is
known variously as
and their domain contact

post this commercial material to a Lexus newsgroup?

I suppose it might be because

aren't getting enough spam.

Most Opton Security products, such as Opton FileCrypt Pro, were distributed as try-before-you-buy trial software. Some are creepy when you consider the charges above. Consider, for example, the description of the product "Opton Monitor Pro 1.0":

"Designed to record everything that is done on your business or home PC."

I'm guessing the license didn't reveal that the author's hobby was the same thing.

Investigators speculate that the m00p gang's success rate was approximately 1 computer take over for every 250 spam emails sent. The original spam campaign claimed that the recipient's computer was infected and that the attached program was being provided to fix it. At one point during police monitoring, police observed 1,743 new computers being added to the botnet in one 90 minute period.

Other members of the m00p gang hacked under the aliases Kdoe, CraDle and Okasvi, the last being the alias of Artturi Alm, the Finland-based hacker who received the 18 day sentence. The British press describe him as having been "brought to justice," of which I am not quite so convinced.


Tuesday, November 23, 2010

Lord Aughenbaugh of the Trailer Park

It turns out you don't have to be an evil Russkrainian genius hacker to be a successful identity thief. Consider the case of sixth grade educated Lord Joseph Helaman Mormon Aughenbaugh and his trailer-mate, Todd Yurgin.

Here's the way these two made more than $1 million from the single-wide trailer in Bear, Delaware, according to the Aughenbaugh Indictment filed in Delaware.

In order to commit identity theft, first, you need some social security numbers. In this case, these were provided primarily through mail theft. At least thirty-six times, beginning possibly as far back as March 2003, the pair stole pieces of mail from other people's mail boxes.

They would use websites to verify the validity of the SSNs, and once confirmed, use them to create driver's licenses and other identification cards using a photo editing program. Over the course of six years, Aughenbaugh and Yurgin "misappropriated" the social security numbers of at least 93 individuals.

Once they had their new identities, the two would begin applying for credit cards. They received at least 343 credit cards from at least forty financial institutions over the course of their scheme. These were paired with a dozen separate mailing addresses and Post Office Boxes they had set up.

Eventually the pair determined they needed a better source of income. Aughenbaugh set up two businesses. Cathouse was the name of his "Professional Services-Veterinarian" business and Restored was the name of his "Professional Services-Occupational Therapy" business. Cathouse used the SSN of an adult male as the owner while Restored belonged to a minor child, according to the SSN.

Aughenbaugh created a bank account at PNC Bank under the name Joseph H. Aughenbaugh d.b.a. Restored. Then they bought a Point of Sale Terminal, which they installed in their trailer home, and which they used as an ATM. Whenever they needed money, they would swipe one of their 343 credit cards and charge it for either veterinary or occupational therapy services, which would be deposited to their account.

They then used this money to:

1. make payments to the financial institutions of their various credit cards
2. transfer funds to other bank accounts they controlled
3. pay the lease on the land where their trailer was located
4. make payments on several parcels of real estate
5. purchase goods and services
6. make payments on their 2006 Mercury Mariner, 2007 Ford F-150, and 2009 Dodge Avenger

On April 15, 2009, a $40,000 deposit was made to the PNC Bank Account. The payment was written to "Cathouse" and was from "Helaman Mormon".

The various credit cards were also used to go shopping, paying for clothing, accessories, travel, vehicles, high-end jewelry, collectible items, gold coins, and other merchandise. The cards were frequently charged above their balance, and payments were often sent from invalid bank accounts created with fictitious names set up with invalid social security numbers.

So, what do the prosecutors charge them with?

COUNT ONE: Mail Fraud

From March 25, 2003 through September 8, 2009, the defendants "did knowingly conspire with each other to commit mail fraud, in violation of Title 18 USC Sections 1341 and 2, and bank fraud, 18USC sections 1344 and 2, to wit "by devising and intending to devise a scheme and artifice to defraud and to obtain money and property by means of false and fraudulent pretenses and promises and in so doing did deposit and cause to be deposited materials to be sent and delivered by the US Postal Service and by private and commercial interstate carriers, and did defraud a financial institution to obtain the moneys, funds, credits, and other property owned by or under the custody and control of, a financial institution."


The defendants applied for a Citibank Mastercard in the name of Clyde Aughenjbaugh, born March 4, 1986, supposedly employed by the University of Pennsylvania at a $56,000 salary, with SSN XXX-XX-4911, a number that actually belonged to a minor male child born in 1997. The card was used for multiple charges to "Cathouse" and to pay for travel to Walt Disney World for Joseph Aughenbaugh and Todd Yurgin.

COUNT THREE: Title 42, USC Section 408(a)(7)(B) "with intent to deceive, falsely represents a number to be the social security account number assigned by the Commissioner of Social Security to him or to another person"

The defendants applied to Cardinal Financial for a loan to purchase real estate in West Deptford, New Jersey. The application was supported by a $7,500 check drawn on a PNC Bank account in the names of T. Yurgin and J. Aughenbaugh, and by a pay stub purporting to be from Verizon Communications that showed Yurgin as an employee born August 23, 1980, earning $92,000 per year as a manager, with SSN XXX-XX-4577. That number actually belonged to a male born in 1964. (The defendant was actually born in 1968.)

That same SSN was used to acquire at least 25 credit cards including cards for Todd Yurgin, Tadd Yurgin, Matthew Yurgin, and Joshua Yurgin.

Yurgin obtained communication services from Verizon for the West Deptford property using SSN XXX-XX-4478, which belonged to a minor female born in 2000. On the same application he gave his birthdate as September 4, 1986 and claimed to be an aide at the University of Pennsylvania.


Using the name "Tristan Yurgin" and an SSN XXX-XX-5009, the two applied for a Citibank card. That SSN belongs to a minor child.

COUNT FIVE - Title 18 USC Section 1957 - "engaging in monetary transactions in property derived from unlawful activity"

Transferring $17,000 from a PNC Bank Account into a WSFS bank account under their control.

COUNT SIX - Title 18 USC Section 1028A(a)(1) - Aggravated Identity Theft

Possessing and using without lawful authority the means of identification of another person during and in relation to Social Security Fraud.

COUNT SEVEN - Social Security Fraud

Presenting an application to Citi Financial Corp claiming to be Jonathan P. Aughenjbaugh with SSN XXX-XX-0002, which they knew to not be an SSN assigned to that name, but rather to a minor child.

COUNT EIGHT - Social Security Fraud and Aggravated Identity Theft

COUNT NINE - Title 18 USC Section 111 - Assaulting, resisting, or impeding certain officers

Todd Yurgin knowingly did forcibly assault, resist, oppose, impede, intimidate, and interfere with United States Social Security Administration Office of the Inspector General Special Agent Kevin Huse, and engaged in acts involving physical contact, while Special Agent Huse was engaged in his official duties.


Because of Counts 1-8, the defendants forfeited:

A silver and blue Mercury Mariner, a black Dodge Avenger, a 2.1 carat diamond, a .5 carat diamond ring, a three stone ring, ten "Presidential First Spouse" gold coins, five gift cards to the Bailey, Banks & Biddle jewelry store, a Canon SD550 ELPH camera, nine other gift cards, a Gucci handbag, a Cartier 21 watch, two Dell computers, a Compaq computer, and many other pieces of jewelry.

The Sentencing Memorandum was quite extensive - 32 pages. It begins with the recap that Aughenbaugh had no maternal influence, moved fifteen times, lost his grandmother and his father, endured physical and sexual abuse on an almost constant basis and "with his sixth grade education he was easily influenced to break the law by close members of his family who he would expect to be only thinking of his best interests." The memo tells a truly tragic story of an early childhood of being bullied and living with a verbally abusive uncle who called him a "Nazi Bastard."

The defendant tells his own story of his tragic childhood, including his Uncle Wade leaving his dog out on a cold night so that the dog froze to death, and being repeatedly sexually molested over a period of three or four years by the sons of his father's girlfriend. At his next address a cousin, Charles, forced him to perform sex acts on Charles and two friends on a regular basis, lit his clothes on fire, threatened him with knives and guns, and locked him in a trunk. At the next address, classmates forced him to have oral sex and beat him. After that, his father never enrolled him in school again.

When his father became ill, Aughenbaugh began kiting checks to pay his medical bills. When he lost his house, he moved in with a homosexual man he met on AOL chat. After that ended disastrously, Aughenbaugh, then Calvin Ashley Harris, married, became a Mormon, and in 1996 changed his name to Lord Joseph Helaman Mormon Aughenbaugh: Lord Joseph for Joseph Smith, Helaman for a hero in the Book of Mormon who leads an army of children to conquer an enemy army, Mormon for his new-found faith, and Aughenbaugh, the surname of his new wife Janette, a widow with five children. The marriage lasted less than a year.
He had a series of jobs, including cleaning motel rooms at several motels, working at Jury Box Restaurant, driving for a graphics company, working at Hardees, working at a loan office, working at a Westin Inn, a grocery store, a temp agency, Zion's Bank, and finally Jury Box Courtside Coffee Shops before returning to North Carolina. There he worked for Carolina Builders, Panera Bread, Warner Brothers, Wal-Mart, and Kay Bee Toys. In Philadelphia he worked for Rite Aid, and Macy's in New York. When he settled in Bear, Delaware, he worked at Mitchell Temporary Services, Butler County Publishing, P&R Environmental Industries, and Britt Enterprises.

In 1997, Aughenbaugh was sentenced in the Eastern District of North Carolina (USA v. Aughenbaugh, Case #5:97-cr-00155-H-1) for violations of Title 18 Sections 1341 (Mail Fraud), 1343 (Fraud by Wire, Radio or Television) and 1344 (Bank Fraud). He received 14 months in prison followed by 5 years of supervised release, and was ordered to pay $28,300 in restitution.

Shortly after his release, he met Todd Yurgin in Butner, North Carolina. They lived for a time with Todd's sister, then moved to San Francisco, then Tennessee and then Kentucky. Todd was arrested in 2001 after his probation was revoked and was sent back to prison for ten more months. About a year after Todd's release, the two moved to Philadelphia and then to New Jersey, where they lived with Todd's sister and worked together cleaning houses. Finally, they moved to Delaware, where they purchased the trailer and began their new careers as identity thieves.

While all of these factors point to a tragic life where finding regular employment was difficult, crime still merits punishment, and Aughenbaugh was sentenced to twelve years. Todd Yurgin has still not been tried.

Saturday, November 20, 2010

Lin Mun Poo: Hacker of the Federal Reserve and ...?

** UPDATE: Poo arraigned and in custody **

On October 21, 2010, Malaysian citizen Lin Mun Poo landed at JFK airport in New York and hit the streets to make a business deal. He was taken into custody a few hours later, after meeting in Queens, New York with a "carder" who had offered him $1,000 cash for 30 active credit and debit card numbers. The carder turned out to be an undercover Secret Service agent. Poo's laptop was searched and found to contain thousands of stolen credit and debit card numbers, as well as log files indicating that multiple servers belonging to various financial institutions had been infiltrated. (From Case 1:10-mj-01240-VVP, PACER)

He was arrested and arraigned on a probable cause affidavit from the US Secret Service stating that "in or about and between September 2010 and October 21, 2010, both dates being approximate and inclusive, within the Eastern District of New York and elsewhere, the defendant LIN MUN POO did knowingly and with intent to defraud produce, use and traffic in one or more unauthorized access devices, and by such conduct did obtain $1,000 or more during that period."

As the affidavit makes clear, that wasn't all that was going to be charged, but this violation of Title 18 USC § 1029(a)(2) - "Fraud and related activity in connection with access devices" - was enough to get Poo picked up and held.

Poo was taken into custody, and Justice argued he would be a flight risk, so he should be held. *UPDATE 22NOV2010 @ 1300* - Poo was arraigned today, pleading not guilty. He was remanded into custody and will be held without bail until at least his next hearing on December 20th! A copy of his Detention Letter is available courtesy of the Eastern District of New York.

A Press Release from the Eastern District of New York Department of Justice has the headline Malaysian National Indicted for Hacking into Federal Reserve Bank and continues "Defendant's Criminal Activities Extended to the National Security Sector."

Poo was in possession of 400,000 stolen credit and debit card numbers at the time of his arrest. According to the Press Release, "the defendant made a career of compromising computer servers belonging to financial institutions, defense contractors, and major corporations, among others, and selling or trading the information contained therein for exploitation by others."

While the headline is all about the Federal Reserve Bank of Cleveland, Ohio, an SC Magazine article by Dan Kaplan downplays that aspect of the story. In a statement Dan received for his story, Malaysian Man Charged with Hacking into Bank Systems, Fed spokeswoman June Gates said "There's been some confusion based on the wording in the Department of Justice news release. The incident here involved a test computer that is used to test software and applications. No Federal Reserve data or information was accessed or compromised."

The confusion comes from a misunderstanding of the Detention Request filed by Justice, which states:

the defendant admitted that he compromised a computer network of the Federal Reserve Bank (“FRB”) by exploiting a vulnerability he found within their secure system. The FRB in Cleveland, Ohio has confirmed that an FRB computer network was hacked in approximately June 2010, resulting in thousands of dollars in damages, affecting ten or more FRB computers, and forming the basis for Counts Three and Four.

It is not necessary to steal data to cause thousands of dollars in damages.

What should be of bigger concern are the other victims of Poo's hacking. One of these was FedComp, described as a data processor for federal credit unions. As a result of the FedComp breach, the New York Press Release says Poo "was able to gain unauthorized access to the data of various federal credit unions, such as the Firemen's Association of the State of New York and the Mercer County New Jersey Teachers." Another was a system belonging to a DoD contractor "that provides systems management for military transport and other military operations, potentially compromising highly sensitive military logistics information," according to the Press Release.

The four-count indictment against Poo, filed Nov 18, 2010 in Brooklyn, charges the following:

COUNT ONE - Access Device Fraud
"knowingly and with intent to defraud possess fifteen or more unauthorized access devices, to wit: credit and debit card account numbers, in a manner affecting interstate and foreign commerce."

(See: Title 18 USC §§ 1029(a)(3), 1029(c)(1)(A)(i), Fraud and related activity in connection with access devices)

COUNT TWO - Aggravated Identity Theft
"knowingly and intentionally possess, without lawful authority, means of identification of one or more persons, to wit: credit and debit card account numbers of individuals, knowing that the means of identification belonged to said persons."
(See: Title 18 USC §§ 1028A(a)(1), 1028A(b), 1028A(c)(4), Aggravated Identity Theft)

COUNT THREE - Unlawful Transmission of Computer Code and Commands - Federal Reserve Bank
"knowingly and intentionally cause and attempt to cause the transmission of one or more programs, information, codes and commands, to wit: malicious codes and commands, and as a result of such conduct, did intentionally cause damage without authorization to one or more protected computer, to wit: computer of the Federal Reserve Bank, which offense caused, and if completed would have caused, loss to one or more persons during a one-year period aggregating at least $5,000 in value, and damage affecting ten or more protected computers during a one-year period."
(See: Title 18 USC §§ 1030(a)(5)(A), 1030(b), 1030(c)(4)(B), 2 and 3551 et seq)

COUNT FOUR - Unauthorized Computer Access Involving Government Information
"knowingly and intentionally access and attempt to access one or more computers without authorization, to wit: computers of the Federal Reserve Bank, and thereby obtained and attempted to obtain information from a department and agency of the United States, to wit: the Federal Reserve Bank, which offense was committed for the purpose of commercial advantage and private financial gain."

(See: Title 18 USC §§ 1030(a)(2)(B), 1030(b), 1030(c)(2)(B)(i), 2 and 3551 et seq., Fraud and related activity in connection with computers)

Monday, November 08, 2010

WIRED: November Jargon Watch & Forensics?

One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduced her to one of the PhD candidates in our lab, Brad Wardman, she dropped a stray comment "Oh, have you been following the MIT Probability Chip? It seems relevant to what you are doing..."

I haven't asked, but she may have heard about the chip in this month's WIRED magazine. Although I browse lots of magazines, I have to confess the only ones I read cover to cover every month are WIRED and Analog.

This month, three of the four Jargon Watch terms had potential forensic applications, so I'm doing a bit of an odd column here and talking about them in more detail. (Since they aren't actually online yet, I'm not going to "quote" them. Here's a link to the last available (October) Jargon Watch, which has nothing to do with this article other than to give a shout out to Jonathan Keats!) It's one of my favorite columns in WIRED each month.

For those who don't read WIRED, Jargon Watch looks for new science and technology words or phrases that are beginning to be used more broadly in the media. The three from the November WIRED that I want to dig a bit deeper on were Bacterial Fingerprints, Probability Chip, and Cybercase. I first looked at the Probability Chip because of the hint Lisa dropped, but had so much fun doing it, I decided to dig deeper on the other two as well.

Bacterial Fingerprinting

Bacterial Fingerprinting is the idea that your fingertips carry a bacterial community distinctive enough that it could be recovered from items you touch, such as your keyboard or mouse, and used to identify you. It started inching into the public consciousness with a CBS News story back in March that covered research at the University of Colorado by Dr. Christian Lauber. According to the story, the researchers swabbed the keyboards and mice of three people and compared the bacteria found there to that found on the hands of 270 random people; 87 percent of the bacteria found is unlike anyone else's, according to the story. Science Daily had more facts. The researchers, who are actually at the University of Colorado at Boulder, had their study published March 15th in the Proceedings of the National Academy of Sciences. Noah Fierer was the lead author, with Christian Lauber and Nick Zhou, and the work brought together the university's chemistry and biochemistry departments. In a second phase of the study, they sampled nine computer mice that had not been used for more than 12 hours and were able to match them to their owners when the owners were mixed in with the same group of 270 random people.

Fierer's lab seems to be a publishing MONSTER on this and related topics. Here is the paper, "Forensic identification using skin bacterial communities", which is the BEST source for all of the above.

According to Science Daily, in an earlier study in 2008, 4,700 different bacteria species were found on 102 human hands, with only five species being shared by all participants in the study. That study was actually The influence of sex, handedness, and washing on the diversity of hand surface bacteria, which planted the seeds that your personal bacterial colony may be of forensic interest.

The Probability Chip

The Probability Chip is a new type of microprocessor that claims to move beyond the traditional 0 and 1 that have been computing's mainstay since the days of the vacuum tube, using instead a new type of logic gate that works with the probability that a value is 0 or 1. The story was covered by ZDNet in the recent story "Start-up sets sights on probability chip". For Jargon Watch to be interested, things have to have moved out of the academic community and into "the public eye." The story features Lyric Semiconductor, an MIT start-up.

On the company's website, they claim that with this new approach "many applications that today require a thousand conventional processors will soon run in just one Lyric processor, providing 1,000x efficiencies in cost, power, and size."

They go into more detail with a demo written in "PSBL" (Probability Synthesis for Bayesian Logic), the new programming language they have created to take advantage of this form of chip.

So where is the Forensics link? They also have a demo about clustering where they have various typists type on a keyboard and log the timing and sequence of their keystrokes to create a forensic signature of their typing style. They claim "probability processing" would be especially strong at this type of calculation, and then they go on to imagine spam filtering as well:

"...It can tell which text was entered by which person. In the real world, this could help identify unauthorized access to a computer merely by observing the rhythms and typing habits of the designated user, and determining when someone else is accessing their computer.

This same class of computations can be used to cluster data for applications ranging from network security, to spam filtering, to enterprise search."
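
Lyric's demo is the classic keystroke-dynamics idea, and it does not need a probability chip to try out. As an added example, not from Lyric or from the original post, here is a conventional-Python sketch of it: enrol each user from the latencies between consecutive key pairs (digraphs), then decide whether a fresh session belongs to an enrolled user or to someone else at the keyboard. The keystroke streams are synthesized in the code with a fixed random seed (nobody's real typing was recorded), and the 25% distance cut-off is an arbitrary assumption for that synthetic data.

```python
import random
from statistics import mean


def digraph_latencies(events):
    """events: list of (key, press_time_ms). Returns {digraph: [latency_ms, ...]}
    for every pair of consecutive keystrokes, e.g. "th" -> [88.1, 92.4]."""
    out = {}
    for (a, ta), (b, tb) in zip(events, events[1:]):
        out.setdefault(a + b, []).append(tb - ta)
    return out


def build_profile(sessions):
    """Enrol a user: pool digraph latencies over several sessions, keep the mean per digraph."""
    pooled = {}
    for events in sessions:
        for dg, lats in digraph_latencies(events).items():
            pooled.setdefault(dg, []).extend(lats)
    return {dg: mean(lats) for dg, lats in pooled.items()}


def distance(profile, probe_profile):
    """Mean relative deviation of the probe from the enrolled profile over the digraphs
    they share (0.0 = identical rhythm). None when they share no digraphs at all."""
    shared = set(profile) & set(probe_profile)
    if not shared:
        return None
    return mean(abs(probe_profile[dg] - profile[dg]) / profile[dg] for dg in shared)


def identify(profiles, events, max_distance=0.25):
    """Pick the enrolled user whose rhythm is closest to the probe session.
    Returns (user, distance); user is None when nobody is within max_distance,
    which is the 'someone else is at the keyboard' signal. The 0.25 cut-off is
    an assumption chosen for the constructed data below, not a tuned value."""
    probe = build_profile([events])
    best_user, best_dist = None, None
    for user, prof in profiles.items():
        d = distance(prof, probe)
        if d is not None and (best_dist is None or d < best_dist):
            best_user, best_dist = user, d
    if best_dist is None or best_dist > max_distance:
        return None, best_dist
    return best_user, best_dist


# --- constructed data: nobody's real typing was recorded for this example ---
def simulate_typing(text, base_ms, rng, jitter=0.10):
    """Synthetic keystroke stream: each key lands base_ms (+/- jitter) after the previous one."""
    t, events = 0.0, []
    for ch in text:
        events.append((ch, t))
        t += base_ms * (1 + rng.uniform(-jitter, jitter))
    return events


PHRASE = "the quick brown fox"
_rng = random.Random(2010)  # fixed seed keeps the example reproducible
PROFILES = {
    "alice": build_profile([simulate_typing(PHRASE, 90, _rng) for _ in range(5)]),   # fast typist
    "bob": build_profile([simulate_typing(PHRASE, 180, _rng) for _ in range(5)]),    # slower typist
}
ALICE_PROBE = simulate_typing(PHRASE, 90, _rng)      # alice returns to her keyboard
STRANGER_PROBE = simulate_typing(PHRASE, 300, _rng)  # someone not enrolled sits down

if __name__ == "__main__":
    for name, probe in (("alice again", ALICE_PROBE), ("stranger", STRANGER_PROBE)):
        print(name, "->", identify(PROFILES, probe))
```

Real deployments enrol on far more text, weight digraphs by how many samples they have, and calibrate the threshold from measured false-accept and false-reject rates; the point here is only that the mean-latency profile of the enrolled user separates cleanly from an unknown typist while still tolerating the user's own jitter.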


Cybercasing

Cybercasing is the idea that when you share pictures or information online, a potential thief can use them to determine the geographic location of the item they would like to steal. Additional information about that location can help them "case the joint" and determine ideal times and methods of gaining access. This was described in The Atlantic's story "How Tech Savvy Thieves Could Cybercase Your House", which quoted a paper published in August at the Fifth USENIX Workshop on Hot Topics in Security (HotSec 10) by Friedland and Sommer of Berkeley's International Computer Science Institute (ICSI): "Cybercasing the Joint: On the Privacy Implications of Geotagging". You can read their full paper from the authors' website, or see an Abstract or the Slides from the HotSec conference.

Gerald Friedland went on to create a website discussing some of the geotagging things we do (and possibly shouldn't), including taking geotagged (GPS-labelled) photos with our iPhones and playing "Foursquare", a game where people "check in" to let the world know their exact geographic location at all times.
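
The data a cybercaser harvests sits in the photo file itself: a JPEG's APP1 "Exif" segment carries a TIFF structure whose GPS sub-directory stores latitude and longitude as degree/minute/second rationals plus a hemisphere letter. As an added example, not from the Friedland and Sommer paper or from the original post, the pure-Python reader below walks that structure and converts the fix to decimal degrees, which is all you need to check whether a picture you are about to upload gives away where it was taken. The "photo" it reads is constructed in the code (a minimal Exif block holding only the GPS tags inside a bare JPEG shell), and the coordinates used are arbitrary test values, not a location from the post.

```python
import struct

# TIFF/Exif field tags and type sizes this reader needs (TIFF 6.0 / Exif 2.2)
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def exif_from_jpeg(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob inside the APP1/Exif
    segment, or None if the file carries no Exif block before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: entropy-coded data follows, no more metadata
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seg_len]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, offset, end):
    """Parse one Image File Directory into {tag: (type, count, raw_value_bytes)}."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack(end + "HHI", tiff[pos:pos + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:  # values of 4 bytes or less are stored inline in the entry
            raw = tiff[pos + 8:pos + 8 + size]
        else:  # larger values live elsewhere; the entry holds their offset
            (off,) = struct.unpack(end + "I", tiff[pos + 8:pos + 12])
            raw = tiff[off:off + size]
        entries[tag] = (typ, count, raw)
        pos += 12
    return entries


def _dms_to_decimal(raw, ref, end):
    """Three RATIONALs (deg, min, sec) plus hemisphere letter -> signed decimal degrees."""
    v = struct.unpack(end + "IIIIII", raw)
    value = v[0] / v[1] + (v[2] / v[3]) / 60 + (v[4] / v[5]) / 3600
    return -value if ref in (b"S", b"W") else value


def extract_gps(tiff):
    """Return (latitude, longitude) in decimal degrees, or None when the Exif block
    has no GPS IFD or the GPS IFD lacks a complete coordinate pair."""
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None:
        raise ValueError("not a TIFF/Exif header")
    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, end)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2][:4])
    gps = _read_ifd(tiff, gps_off, end)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_decimal(gps[GPS_LAT][2], gps[GPS_LAT_REF][2][:1], end)
    lon = _dms_to_decimal(gps[GPS_LON][2], gps[GPS_LON_REF][2][:1], end)
    return lat, lon


def geotag_of(jpeg):
    """What a cybercaser learns from an uploaded photo: its coordinates, or None."""
    tiff = exif_from_jpeg(jpeg)
    return None if tiff is None else extract_gps(tiff)


# --- constructed fixtures: minimal Exif blocks inside a bare JPEG shell (SOI, APP1, EOI) ---
def _wrap(tiff):
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def build_geotagged_jpeg(lat, lon):
    """Exif carrying only the four GPS tags. Offsets are fixed by construction:
    IFD0 at 8, GPS IFD at 26, latitude rationals at 80, longitude rationals at 104."""
    def dms(v):
        v = abs(v)
        d = int(v)
        m = int((v - d) * 60)
        s = round(((v - d) * 60 - m) * 60 * 1000)  # seconds in thousandths
        return struct.pack("<IIIIII", d, 1, m, 1, s, 1000)
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + (b"N\x00" if lat >= 0 else b"S\x00") + b"\x00\x00"
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, 80)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + (b"E\x00" if lon >= 0 else b"W\x00") + b"\x00\x00"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, 104) + struct.pack("<I", 0)
    return _wrap(tiff + dms(lat) + dms(lon))


def build_plain_jpeg():
    """Same shell, but IFD0 is empty: nothing for a cybercaser to read."""
    return _wrap(b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0))


if __name__ == "__main__":
    print(geotag_of(build_geotagged_jpeg(37.7749, -122.4194)))  # arbitrary test coordinates
    print(geotag_of(build_plain_jpeg()))
```

On a real file, read its bytes and call geotag_of() on them; if the result is anything but None, strip the Exif block (or at least the GPS IFD) before the picture goes anywhere public. A missing GPS IFD only means the file carries no coordinates; the picture can still be located from what is visible in it.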


So, go subscribe to WIRED magazine!

Friday, November 05, 2010

Minipost: NY Zeus "At Large" Codreanu and Adam captured

We've previously posted about the FBI's Operation ACHing Mule (that's A-C-H as in Automated-Clearing-House, the way American banks send money between themselves) and the 17 Wanted Zeus Criminals who were still at large for their roles in moving massive amounts of money to Eastern Europe.

While we previously shared some fun Facebook photos of the "at large" criminals, we were encouraged to wait until they were arrested to share more of our findings.

Today @nigroeneveld let us know that two more of the missing baddies had been located, and were actually arrested and arraigned yesterday in Madison, Wisconsin.

Graham Cluley had the first story I saw on the arrests on his Naked Security Blog, but I haven't really seen any details on how they were caught.

What do we know about how Dorin got into the country? All we have to go by is hearsay, but let's just say it's interesting that convicted Zeus Money Mule Alina Turatura, at-large Zeus Money Mule Catalina Cortac, and Dorin were all Facebook Friends with "Acord Travel" of Chisinau, Moldova, whose Facebook page calls them the "Lider in Programe Work and Travel", which would be consistent with the J1 Visa Travel theory.

Is Zeus connected with the Mafia? Let's just say that Dorin, whose profile picture featured himself holding a sign that reads "HELP! I Need Money for WEED!", was a level 68 criminal:

As a reminder, on April 21, 2010, Dorin Codreanu, carrying a Greek passport with his photo and the name "Savvas Paian", walked into a J.P. Morgan Chase Bank in New York and opened a new account with an initial $25 deposit. On May 4th, someone deposited $10 into the account. Then on May 11, 2010, someone wire transferred $10,246 from Illinois to the account. Within two days, $10,236 of that amount had been withdrawn, including an $800 ATM withdrawal, a $140 ATM withdrawal, and counter checks in the amounts of $2,000 and $4,800 from two different branches in the Bronx.

On May 18, 2010, Savvas Paian opened a business account at TD Bank North America in Cherry Hill, New Jersey using the same Greek passport, in the name of "Savvas Import Group LLC". As we mentioned earlier, that's a "fruit and vegetable importer" at "1612 Kings Highway, Apartment 48, Brooklyn New York, 11229-1210", which used the same phone number as "Brooklyn Fruit Vegetable Growers Shippers" and "Neptune Fruit Vegetable Growers Shippers", which makes one wonder if there may be other bank accounts as well.

I think that rates as probably much lower than level 68, but I may be wrong. Dorin was actually recruiting other Moldovan students, named in the indictment as "CC-1", "CC-2", "CC-3", and "CC-4", to assist his efforts. Codreanu helped CC-1 get into the business, and CC-1 brought in CC-2, who was also recruited to work under Codreanu. CC-2 received payments and made withdrawals of approximately $34,000 from July 6 to July 9. CC-1 and CC-2 were arrested on August 4th, but have not been named.

Lillian Adam

Also arrested with Codreanu was Lillian Adam, also known as Roman Kobilev.

Lillian is one of four individuals named in the same indictment - the others being:

his at least sometime girlfriend, Catalina Cortac, pictured here kissing Adam on top of the Empire State Building:

Catalina Cortac, who is still friends with Acord Travel, and who claims to have successfully returned to Chisinau, Moldova.

Marina Oprea, who shares with us her "New York" photo album on Facebook, featuring bathing beauties Marina and Catalina:

I have no idea why Marina preferred to be photographed with Banks . . .

According to the Indictment, Marina opened accounts at both Chase Bank and M&T Bank, and used them to receive tens of thousands of dollars.

Ion Volosciuc --

Thursday, November 04, 2010

Sextortion Hacker: Victims sought by FBI

On September 9, 2007, I received a forwarded email that had been sent to several high school parents in the Birmingham, Alabama area. It described a chilling scenario:

We have received SEVERAL reports of an unknown subject infiltrating students' Facebook and MySpace accounts. The unknown subject has taken over several students accounts and the student no longer has access to their account. The subject has made threats for the student to do what he demands or he/she will keep their accounts locked. ... The unknown subject has been using a screen name of 'metascape'.

In April of 2009, the public learned that Metascape was actually a 24 year old from Auburn, Alabama, who had taken over more than 200 accounts belonging to young women aged 14 to 26, with victims in at least Alabama, Pennsylvania, and Missouri. The Birmingham News headline was Facebook Helps Fight Cybercrime, and the story detailed more of the situation. Metascape, whose real name was Jonathan Vance, had blackmail power over the girls through sexual statements or photos he had obtained from them. In at least 50 cases, he leveraged this material to force the girls to perform more and more graphic sexual acts for him on their webcams, which he then used for still greater leverage.

Birmingham FBI Cybercrime Supervisor, Dale Miskell, put it this way to the Birmingham News:

"The embarrassment factor was big in this case," said Dale Miskell, supervisory spe­cial agent for the FBI's cyber­crimes squad in Birmingham. "How can a girl go to her pa­rents and tell them what hap­pened? Even the adult victim didn't come forward until we contacted her."

Jonathan Vance was sentenced to eighteen years in his case, mostly because of the severe emotional trauma that the girls described when interviewed by prosecutors and law enforcement.

My friend Graham Cluley of Sophos mentions that there have also been similar cases in Spain, Great Britain, and Canada in his Cyber-Sextortionist blog story.

When the FBI and US Attorney's Office shared the details of the case with my Investigating Online Crime class in the summer of 2009, I hoped I would never hear of another case like it. Unfortunately, this week there has been another such case revealed.

On November 2nd, the FBI put out a press release called Web of Victims that described a nearly identical scenario involving a 31 year old Santa Ana man. Luis Mijangos was arrested in June, according to the Los Angeles Times, and charged with taking over the webcams of 44 girls and 186 women. A June 22nd KABC News story reveals that the investigation was begun by the Glendale Police Department. A UPI story from the same day describes Mijangos as a Mexican citizen, wheelchair bound after being shot in "a gangland shooting." After that first court visit he was restricted to home and forbidden to use a computer while out on $10,000 bond. He was indicted on July 8th and charged with:

18 U.S.C. § 371 - Conspiracy
18 U.S.C. § 1341 - Mail Fraud
18 U.S.C. § 1028A - Aggravated Identity Theft
18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(ii) - Accessing Protected Computers to Obtain Information
18 U.S.C. § 875(d) - Extortion
18 U.S.C. §§ 2511(1)(a), (4)(a) - Wiretapping
18 U.S.C. §§ 1029(a)(3), (c)(1)(A)(i) - Possession of more than 15 Unauthorized Access Devices
18 U.S.C. § 2(a), (b) - Aiding and Abetting and Causing an Act to Be Done

The indictment calls Mijangos a "self-employed website developer and computer consultant" and says that he used the following screen names:

gui_blt, Woods05, CiFfEjUd914m EKEvatrGZrD03, Pimpcess03666, Your3name3here03, Bri23nice, Dmagecntr137, H2IOW14, ELEvATrhRZd03, Playrgrl37, Your3name3here3, goldlion14, and Hotchit13w

and the following email accounts:,,,,,,, and


Let them know that if they, or any of their friends, has been subjected to something like this, they need to talk with you, and YOU need to talk with the FBI. Especially if you have information regarding one of the screen names or email addresses above. The 18 year sentence for Metascape was because victims came forward and talked freely (albeit painfully) about their victimization. Don't let these creeps get away with this, and don't let YOUR daughter live in shame because she is worried you will flip out.

The indictment describes criminal acts going back as far as November 26, 2008: Mijangos and co-schemers throughout the world developed malware that gave him complete control of a victim's computer, including keylogging for identity theft and control of the webcam and microphone.

With the keylogged data, they would engage in credit card fraud. Mijangos was a better hacker than Metascape. He would use computers belonging to teenage boys and, FROM THEIR COMPUTERS, trick the boys' female friends into sharing intimate videos or images. He would then contact the women and girls directly, disclosing that he had these videos and images and threatening to post them online if they did not share additional images and videos.

Some of the co-conspirators named (by screen name) include "Manhattan" and "Demonio666vip". One co-conspirator ordered stolen goods using the name "mauricio garza arcos" and the email "". This is probably "St4t1k" of the "Money Buster Team".

UAB Computer Forensics Research Laboratory has determined that demonio666vip and st4t1k were both members of the hacker website "" and were involved in the trade of "undetectable" BiFrost servers. BiFrost is a "RAT", or Remote Administration Trojan, and was likely the tool used in the case above. The site, so named for its distribution of undetectable malware, has 30,242 users who have posted 133,942 messages about hacking and malware.

Monday, November 01, 2010

USAA Phish: Avalanche uses many "redirectors"

A hard-hitting phishing campaign is trying to steal login credentials from the customers of USAA bank. Reports from all over are indicating the emails slide right through spam filters.

The emails look like this:

Dear USAA Customer,
We would like to inform you that we have released a new version of USAA Confirmation Form. This form is required to be completed by all USAA customers. Please use the button below in order to access the form.

Although the spam is coming from all over the world, of the 309 computers that have sent a copy of this spam to the UAB Spam Data Mine so far, 77 are in Russia, 40 in Ukraine, 29 in India, 18 in Brazil, and 12 in Belarus. The single largest sending ISP is Ukrtelecom in Ukraine.

There are several reasons for the success. First, the phisher is using an unusually wide variety of spam subject lines, such as:

account notification: security alert Mon, 1 Nov 2010 22:29:32 +0300
Automatic notification
Automatic reminder
Automatic reminder
Enhanced online security measures
Enhanced online security measures [message ref: 3986632685]
Important alert [message ref: 8656525645]
Important alert Mon, 1 Nov 2010 22:10:09 +0200
important announce
important banking mail from USAA - Ref No. 911592
important instructions
Important security alert from USAA Mon, 1 Nov 2010 22:27:09 +0530
Important security update - Ref No. 867527
information from USAA customer service
information from USAA customer service team Mon, 1 Nov 2010 22:08:41 +0200
instructions for customer
instructions for our customers
Instructions for USAA customer
instructions from customer service team
Message from customer service Mon, 1 Nov 2010 09:45:22 -0800
message from customer service team (message ref: 5833415494)
new online security measures
new online security measures
new online security measures
New security measures Mon, 1 Nov 2010 20:15:10 +0100
new USAA form
new USAA form released
Official update
official update (message ref: 1785474186)
safeguarding customer information
scheduled security maintenance
Security alert
security alert
Security maintenance - Ref No. 390744
Service message from USAA
Service message Mon, 1 Nov 2010 22:47:50 +0500
Service notification from USAA
Software updating [message ref: 3352139151]
urgent message for USAA customer
urgent message from USAA Mon, 1 Nov 2010 11:38:23 -0800
urgent notification from customer service
urgent notification from customer service (message ref: 4130612339)
Urgent notification from customer service Mon, 1 Nov 2010 20:03:03 +0200
USAA customer service informs you
USAA customer service: account notification (message ref: 1265140610)
USAA customer service: account notification Mon, 1 Nov 2010 15:55:27 -0300
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: instructions for customer
USAA customer service: instructions for customer Tue, 2 Nov 2010 01:34:18 +0530
USAA customer service: new online form released
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA notification (message ref: 6543359729)
USAA online form (message ref: 8649844530)
USAA reminder: notification
USAA: customer alert
USAA: customer alert Mon, 1 Nov 2010 19:30:31 +0300
USAA: customer alert Mon, 1 Nov 2010 19:31:52 +0300
USAA: important announce (message id: 5905706704)
USAA: important announce
USAA: important information
USAA: important message
USAA: important message (message id: 8210883971)
USAA: important notification
USAA: important security update
USAA: notification Mon, 1 Nov 2010 22:39:46 +0300
USAA: security alert (message ref: 7918345647)
USAA: service message
USAA: service message
USAA: service message
USAA: service message Mon, 1 Nov 2010 20:18:41 +0300
USAA: urgent message Mon, 1 Nov 2010 20:58:50 +0300
USAA: urgent notification Mon, 1 Nov 2010 19:52:51 +0100
USAA: urgent security notification (message ref: 8157388415)
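The subjects above are a small set of templates with random "message ref" / "Ref No." digits and a pasted-in date appended so that no two copies look identical to a naive exact-match filter. The following added example (mine, not code from the original post) shows how a mail filter can undo that variation: strip the decorations, fold case and whitespace, and count how many observed subjects collapse onto each template. The sample list and the benign control subject are constructed from the lines listed above.

```python
import re
from collections import Counter

# Constructed sample: a handful of the subject lines listed above plus one
# benign control subject, so the normaliser can be exercised offline.
SAMPLE_SUBJECTS = [
    "Enhanced online security measures",
    "Enhanced online security measures [message ref: 3986632685]",
    "Important alert [message ref: 8656525645]",
    "Important alert Mon, 1 Nov 2010 22:10:09 +0200",
    "important banking mail from USAA - Ref No. 911592",
    "Security maintenance - Ref No. 390744",
    "USAA: customer alert Mon, 1 Nov 2010 19:30:31 +0300",
    "USAA: customer alert Mon, 1 Nov 2010 19:31:52 +0300",
    "USAA: important announce (message id: 5905706704)",
    "USAA: important announce",
    "Your quarterly statement is ready",   # benign control (constructed)
]

# Decorations the campaign appends to vary otherwise identical subjects.
_MSG_REF_RE = re.compile(r"\s*[\[(]\s*message\s+(?:ref|id):\s*\d+\s*[\])]", re.I)
_REF_NO_RE = re.compile(r"\s*-\s*Ref\s+No\.\s*\d+", re.I)
_RFC822_DATE_RE = re.compile(
    r"\s*(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}"
    r"\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4}"
)


def normalize_subject(subject: str) -> str:
    """Strip the random reference numbers and pasted-in dates, then fold case
    and whitespace, so every variant of one template collapses to one key."""
    s = _MSG_REF_RE.sub("", subject)
    s = _REF_NO_RE.sub("", s)
    s = _RFC822_DATE_RE.sub("", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def template_counts(subjects):
    """Count how many observed subjects map to each normalised template."""
    return Counter(normalize_subject(s) for s in subjects)


def campaign_templates(subjects, min_count=2):
    """Templates seen at least min_count times: candidates for a subject-based
    rule that is immune to the appended reference numbers and dates."""
    return {t for t, n in template_counts(subjects).items() if n >= min_count}


def matches_campaign(subject, templates):
    """True if a new subject collapses onto a known campaign template."""
    return normalize_subject(subject) in templates


if __name__ == "__main__":
    known = campaign_templates(SAMPLE_SUBJECTS)
    counts = template_counts(SAMPLE_SUBJECTS)
    for t in sorted(known):
        print(f"{counts[t]}x  {t}")
    print(matches_campaign("USAA: customer alert (message ref: 1111111111)", known))
```

Run against the full subject list, the same normaliser reduces roughly seventy-five subjects to a few dozen templates; the `min_count` threshold is the knob that separates a repeated campaign template from a one-off subject that merely mentions the brand.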

But the phisher is also not placing a direct link to his criminal website in any of the emails. Instead we have seen more than 200 URLs which used the "" URL shortening service. Other URL shortening services deployed by this phisher include,,, and In addition to these traditional shorteners, the criminal has also created at least 290 "free" .tk domains using the service to create realistic looking domain names to redirect to their phishing site.

The actual phishing site looks like this:

The "CARDHOLDER FORM" is actually hosted on randomly generated hostnames on the domain name "". Some examples of the random domains would be:

The path "inet/ent_chform/" is used on that server, regardless of the random numbers in the "session" portion of the URL.

The webserver seems to be fastflux hosted. We've seen the domain resolve to:

= PenTeleData - (Pennsylvania)
= Charter Communications - this IP has also hosted pill spam domains, such as,, and
= Charter Communications (Georgia) (also hosting fastflux domains,, and
= CMA Cablevision (Dallas, TX)
= Comcast Cable (Washington)
= Rochester NY
= AT&T
= Ukraine UKR Telecom
= Russian Federation
= Macon, Georgia
= Comcast Cable (Texas)
= Paraguay
=
= Rogers Cable (Canada)
= Columbia, SC
= Comcast Cable
= Uruguay
= Chile
= Brazil
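Two of the observations above turn directly into detection logic: the form path is constant while the hostname and "session" digits vary, and the hostname resolves to a churning set of consumer-ISP addresses in many networks and countries. The added example below (mine, not code from the original post) scores a passive-DNS log for that fast-flux pattern and matches URLs on the fixed path alone. The DNS log, hostnames and thresholds are constructed for the example, with IPs taken from the RFC 5737 documentation ranges; the owner labels echo the provider mix listed above.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed DNS answer log: (observed_at, hostname, answer_ip, network_owner).
# Hostnames and IPs are placeholders (IPs from the RFC 5737 documentation
# ranges); the owner labels echo the provider mix listed in the post.
DNS_LOG = [
    ("2010-11-01 20:00", "a1b2c3.phish-form.example", "192.0.2.10",    "PenTeleData"),
    ("2010-11-01 20:30", "a1b2c3.phish-form.example", "198.51.100.7",  "Charter Communications"),
    ("2010-11-01 21:00", "a1b2c3.phish-form.example", "203.0.113.55",  "Comcast Cable"),
    ("2010-11-01 21:30", "a1b2c3.phish-form.example", "192.0.2.200",   "Rogers Cable"),
    ("2010-11-01 22:00", "a1b2c3.phish-form.example", "198.51.100.90", "UKR Telecom"),
    ("2010-11-01 22:30", "a1b2c3.phish-form.example", "203.0.113.8",   "Charter Communications"),
    ("2010-11-01 23:00", "a1b2c3.phish-form.example", "192.0.2.10",    "PenTeleData"),
    # Control: a legitimately load-balanced host, two IPs in one network.
    ("2010-11-01 20:00", "www.bank.example",          "203.0.113.100", "ExampleHost CDN"),
    ("2010-11-01 22:00", "www.bank.example",          "203.0.113.101", "ExampleHost CDN"),
    ("2010-11-02 00:00", "www.bank.example",          "203.0.113.100", "ExampleHost CDN"),
]

# Thresholds are assumptions for this example, not figures from the post.
FLUX_MIN_IPS = 5        # distinct answer IPs seen for one hostname
FLUX_MIN_NETWORKS = 3   # distinct network owners behind those IPs


def fast_flux_report(log):
    """Per hostname: how many distinct IPs and networks answered, how fast the
    answer set churned, and whether that crosses the fast-flux thresholds."""
    by_host = defaultdict(list)
    for ts, host, ip, owner in log:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, owner))
    report = {}
    for host, obs in by_host.items():
        obs.sort(key=lambda o: o[0])
        ips = {ip for _, ip, _ in obs}
        owners = {o for _, _, o in obs}
        # Observation window in hours, floored at one hour to avoid a zero span.
        hours = max((obs[-1][0] - obs[0][0]).total_seconds() / 3600.0, 1.0)
        report[host] = {
            "distinct_ips": len(ips),
            "distinct_networks": len(owners),
            "ips_per_hour": round(len(ips) / hours, 2),
            "fast_flux": len(ips) >= FLUX_MIN_IPS and len(owners) >= FLUX_MIN_NETWORKS,
        }
    return report


CAMPAIGN_PATH = "/inet/ent_chform/"


def matches_campaign_path(url):
    """The post notes the form path is fixed while the hostname and 'session'
    digits vary, so match on the path alone, ignoring host and query string."""
    return CAMPAIGN_PATH in urlparse(url).path.lower()


if __name__ == "__main__":
    for host, r in fast_flux_report(DNS_LOG).items():
        print(host, r)
    print(matches_campaign_path("http://x91.phish-form.example/inet/ent_chform/?session=48213"))
```

The network-diversity test is what separates fast flux from an ordinary CDN: a legitimate load balancer rotates through a few addresses in one provider, whereas the list above spans cable and DSL customers on several continents. In practice the owner label would come from an ASN lookup on each answer IP rather than from the log itself.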

While almost none of the spam is coming from the US, almost all of the website addresses are in the US. That's because the spammers need fast sites that can resolve the webpages quickly for their US based victims, but the speed of their spam is irrelevant.