Thursday, December 23, 2010

36 Million Americans Buy Drugs Online -- Illegally!

On December 14th, the White House Intellectual Property Health and Safety Forum was held by Victoria Espinel, the first U.S. Intellectual Property Enforcement Coordinator (IPEC) appointed by President Obama.

Intellectual Property Rights Advancement under President Obama

In June the IPEC released the Joint Strategic Plan on Intellectual Property Enforcement, which was released by Victoria's office, with support from the Departments of Agriculture, Commerce, Health & Human Services, Homeland Security, Justice, State, and the Executive Office of the President. One of the strategic parts of that plan was "Identify Foreign Pirate Websites as Part of the Special 301 Process."

The United States Trade Representative is required by Section 182 of the Trade Act of 1974 (Title 19 USC 2242) to produce an annual review of the global state of intellectual property rights, which is called the "Special 301 Report." One portion of that annual review is the "Notorious Markets List." Listed in the 2010 Special 301 Report as Notorious Markets are Baidu (China) for music piracy, TaoBao (China) and Alibaba (China) for game piracy, TV Ants (China) for sporting event piracy, (Russia) for music piracy, Webhards (Korea) for many types of illegal content,

In the December 14th forum, the focus was not so much on "general" Intellectual Property or piracy, but Intellectual Property rights violations that have the capacity to impact the health and safety of Americans.

This focus area, especially with regards to the Internet portion, has been under development for several months, with President Obama calling for a meeting between ICANN and other stakeholders back in September. See Obama seeks action on online pharmacies domain names as reported by the Securing Pharma website. This action expands from a previous report back in May by LegitScript, a company working to verify online pharmacies. After blasting the industry in general, and eNom in specific, for failing to respond to domain names registered through their company, (See Knujon report: Audit of the gTLD Internet Structure, Evaluation of COntractual Compliance and Review of Illicit Activity by Registrars, and the LegitScript/Knujon report: Rogues and Registrars: Are some Domain Name Registrars safe havens for Internet Drug rings?), eNom came full circle and entered an agreement September 21, 2010 with LegitScript and the National Association of Boards of Pharmacies to ensure that rogue pharmacies are not able to use eNom to register their domain names. (The criminals responded to this news by registering hundreds of horrible porn and bestiality websites using the name and contact information of LegitScript founder John Horton, as reported by Brian Krebs.)

The Forum

In case you missed it, CNN Image Source has a One hour video of the panel, chaired by Victoria Espinel. What a panel - Attorney General Eric Holder, DHS secretary Janet Napolitano, and John Morton, Director of Immigration and Customs Enforcement.

"We need more data to inform our policies and ensure that we are making smart decisions."

"The Alliance for Safe Online Pharmacies estimate that there are between 30,000 and 40,000 active online drug sellers operating at any one time."

(09:43:35)"The Partnership at announced the results of a suvey of consumers of online drug purchasing behavior. The survey's results? 1 in 6 adults, approximately 16% of adult population have bought or currently buy medications online without a doctor's prescription."

The report was sponsored by the Alliance for Safe Online Pharmacies and sponsored by The Partnership at

The survey was conducted by CARAVAN Survey. 1,015 adults were contacted by telephone from November 4-7, 2010. The margin of error is +/- 3%.

(09:45:30) A group of founding private sector partners announced today that they will form a non-profit to work with each other and the US Government to rid the Internet of illegal online pharmacies. Today they have issued priniciples that will guide those efforts.

(09:46:00) The list of eleven companies participating in the initiative was invited to stand and be recognized: American Express, eNom, Go Daddy, Google, Mastercard, Microsoft, Neustar, Network Solutions, PayPal, Visa, and Yahoo!

In case any of them are reading this, UAB Computer Forensics Research Laboratory is ready, willing, and able to help!

The next speaker was Attorney General Eric Holder, who has posted a transcript of his remarks on the Department of Justice website. He pledged his support to the Strategic Plan, and shared some recent successes, including a counterfeit cancer drugs case in August, a Texas case involving he seizure of 6,000 counterfeit pills that actually contained ground-up sheetrock as an ingredient, and a groundbreaking $100 million case in Richmond Virginia. (That last would be the case against Chong Lam, and Siu Yung Chan, who were found guilty on June 11. They were arrested back in January 2008 for smuggling more than 300,000 counterfeit handbags from China. Eric Yuen was actually found not guilty.

Holder was praised during his introduction for re-establishing the DOJ Intellectual Property Task Force, which he announced in February 2010.

Secretary Napolitano spoke next (09:59:40), stressing that both CBP and ICE are seizing more counterfeit goods than ever (seizures increased 97% over 2009), and pledging support for IPEC's Strategic Plan. The National Intellectual Property Rights Coordination Center (which I was able to visit December 7th, and which I blogged about recently regarding their Cyber Monday Operation in Our Sites enforcements.) ICE initiated more than 1,000 IPR cases in 2010, and criminal charges increased 79% over 2009. DHS also participated in Operation Pangea and Operation Mercury this year, coordinated through the World Customs Organization. Her full remarks are transcribed by LexisNexis.

John Morton, whose full title is "Assistant Secretary of Homeland Security for Immigration and Customs Enforcement", also has his remarks transcribed thanks to LexisNexis. He stressed that we needed to speak in plain English and get our message out, and the message is that "counterfeiting spells trouble for America." It robs Americans of jobs, innovation, and creativity. It is organized crime, and creates a risk of harm to consumers. He mentioned counterfeit toothpaste, heart medicine, and air bags, and discussed counterfeit engine parts and ball bearings, not just in cars, but in aircraft with GE Engines. Fake kevlar in Iraq, fake baby formula, fake CISCO routers, and counterfeit Christmas lights were also on his list. One case he went deeper on was the Kevin Xu case in Houston that AG Holder also mentioned.

Xu imported more than $9 million in counterfeit medicines, including Plavix (heart medicine), Casodex (cancer medicine) and Zyprexa (schizophrenia and bipolar medicine). He was arrested in 2007 and sentenced in January 2009 to 78 months and $1.28 million in restitution. Xu was arrested when he flew to Chicago to meet with undercover agents. Forensic Chemists working for the FDA determined that his drugs had less of the active ingredient than claimed on the label and had countless impurities of unknown origin. Some of the drugs had no active ingredient at all. He had managed to get his counterfeits into the real supply chain in the United Kingdom, prompting massive recalls of the drugs in June 2007.

First Panel: Dangers of Counterfeit Pharmaceuticals

The First Panel was moderated by Tony West, Assistant Attorney General, Civil Division, including enforcement of the Food, Drug, and Cosmetic Act.

Panelists included:
John Clark, VP of Global Security at Pfizer (former assistant deputy at ICE)
Tom Kubic, President of the Pharmaceutical Security Institute
Carmen Catizone, President of the Natioanl Association of Boards of Pharmacies
and John Taylor, Counselor to Commissioner of the FDA

After introductions, John Clark of Pfizer did a presentation about counterfeit drugs.

One counterfeit's ingredients were shown: roach powder, powdered brick, road paint, and floor wax. Clark showed slides of the difference between a real drug manufacturer and a fake one. He played a telephone interview where a drug maker was counseling his undercover agent on what he would need to set up his own manufacturing facilities.

John Taylor shared information on how FDA provides consumer alerts, which are also a means to gather further information for investigators.

(continues in part 2 CNN Image Source )

Tom Kubic of PSI has been investigating and measuring counterfeits since 2002. There has been a 700% increase in drug counterfeiting from 2002 to 2009. They have identified at least 800 unique medicines that were counterfeited worldwide just in 2009. (In 2002, there were around 250.) The ones they have reviewed "are neither safe nor effective."

Carmen Catizone made several points. Quoted (with a slight paraphrase):

When you obtain a medication that has been approved by the FDA, [prescribed] by a licensed practitioner, [dispensed] by a licensed pharmacy, that product is safe.
When you go out of the system, you are dealing with criminals who have found it is easier to sell drugs online than to sell crack or heroin on the street. Consumers and legislators don't understand that this is a serious consumer health risk. Carmen says several years ago he was told by legislators they would not take action until they were shown the dead bodies.

John Taylor follows up on Carmen's comment showing that the fakes don't have to produce death in order to be harmed. In one case the supplier of an active ingredient component TO the manufacturer caused an effective epilepsy drug to be suddenly ineffective. Patients around the country began to have seizures!

A guest from the audience joined the panel to share his story. As an AIDS patient, taking nearly 10,000 pills a year, found that his injectable medications were now giving him pain that had not been previously present when injecting. It turns out that his medicine, obtained from a national pharmacy chain, with a prescription, was a counterfeit. For six week period, he has no idea what he was injecting into himself.

Second Panel: Health and Safety Risks of the Counterfeiting of Trademarks

The Second Panel was moderated by Lanny Breuer, Assistant Attorney General, Criminal Division. This panel focused more on computer and electronic components. A bit off topic for today's blog post.

Panelists include:
Neal Rubin, VP and Director of Litigation at Cisco
Keith Williams, President of Underwriter Laboratories
Robert Barchiesi, President of the International Anti-Counterfeiting Coalition
Brett Brenner, President of the Electrical Safety Foundation International

(continues in part 3 CNN Image Source)


CNN Image Source

Prior activities

Many of the companies named in the new announcement have already been taking strides to reduce the sale and advertising of online drugs. In October, the National Assocation of Boards of Pharmacies released their report Internet Drug Outlet Identification Program: Progress Report for Federal Regulators which shared some of the findings of the International Internet Week of Action (IIWA). During October 5-12, 2010, the Food & Drug Administration, Interpol, and agencies in 45 countries took a concerted week of enforcement actions. Interpol calls the enforcement actions Operation Pangea III.

During the operation which saw the 45 participating countries send intelligence to a dedicated operations centre at INTERPOL's General Secretariat headquarters in Lyon, Internet monitoring revealed 694 websites engaged in illegal activity, 290 of which have now been shut down. In addition, some 268,000 packages were inspected by regulators and customs, almost 11,000 packages were seized and just over 1 million illicit and counterfeit pills were confiscated - including antibiotics, steroids, anti-cancer, anti-depression and anti-epileptic pills, as well as slimming or food supplement pills. Some 76 individuals are currently under investigation or under arrest for a range of offences, including illegally selling and supplying unlicensed or prescription-only medicines.

Operation Pangea III featured a series of YouTube videos themed "Don't Be Your Own Killer". Here are two examples:

Other organizations and actions

In 2009, US Customs & Border Protection (CBP) and Immigration and Customers Enforcement (ICE) seized over $260 million worth of couterfeit goods arriving at US ports.

The International AntiCounterfeiting Coalition (IACC) President, Robert Barchiesi, attended the forum as well.

Monday, December 20, 2010

DIICOT: Romanians Bust Up VOIP Ring

Any day that starts with a video of DIICOT in action is a good day! Over the weekend I saw Lucien Constantin share the good news on Softpedia that a Major VOIP Fraud Gang was Dismantled in Romania. Lucien was kind enough to point to the DIICOT press release from December 14th.

A Google translated version of the press release can be found here: For those who prefer to read their own Romanian, see here: DIICOT Press Release.

DIICOT is the Directorate for Investigating Organized Crime and Terrorism, and they have been gaining a world-wide reputation for scooping up cyber criminals. Regular readers of this blog will know I am in the DIICOT Fan Club, as we've previously written about on several occasions, including:

23SEP2010: eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania

12APR2010: Nicolae Popescu, Romanian hacker, at large!

06APR2010: 70 Romanian Phishers & Fraudsters Arrested

16JUL2008: 22 More Romanians meet the Long Arm of the Law


On 14DEC2010, there were 42 houses searched, with 31 in Constanta, 4 in Neamt, 3 in Brasov and others in Olt, Maramures, Cluj, and Dolj counties.

From Oct 2009 to Feb 2010, Cătălin Zlate is accused of running a team of over 50 individuals to commit computer crimes and to use fraudulent access to data to commit VOIP Fraud. Team members configured a VOIP client called "ZoIPer" to allow members to place Voice Over IP calls using fraudulently obtained credentials from other VOIP services. During the period Oct 2009 to Feb 2010, they generated 23,500 calls or 315,000 minutes of long distance charges, stealing from companies in Romania, South Africa, United Kingdom, Italy, and the United States.

Zlate is no stranger to computer crime. He was actually arrested in 2009, and sentenced to 1.5 years in jail for phishing. Unfortunately, the court system in Romania allowed him to be released with a suspended sentence. While I believe Romania has some of the best investigators and some of the hardest working police officers, they also have one of the most corrupt court systems in Europe. All the police can do is keep doing their job, and pray for a change in the court system.

According to, Zlate used the handle "Roşcatu" and was involved in a phishing gang with Manuel Sorin Paun, AKA "Puia", Mangue Barry, AKA "Dumbo", and Bogdan Nistor, AKA "Bobo". The four received "suspended sentences" of 2.5 years, 1.5 years, 3 years, and 3 years respectively for phishing, creating fake ATM cards, and withdrawing money from ATMs using those cards. DIICOT has been following "Roşcatu"'s exploits since at least 2006. The news of their previous conviction made the Ziu Constanta back on November 20, 2009.

Zlate came back with a passion, founding a new business in March of 2010.

That's when things really got out of hand. Through a new fraud company called "Shadow Communication Company Ltd", from February through June 12, 2010, 1,541,187 fraudulent calls were made, running up 11,094,167 minutes of talk time! The defendants were selling these fraudulently obtained minutes at about a 90% discount. While the actual costs should have been more than 11 MILLION EUROS, they actually sold the minutes for just over 1 MILLION EUROS. (Hint: If your telephone company is named something league "Shadow Communications" or "League of Evil", perhaps you should consider switching to AT&T.)

Charges brought against the group include:

- Article 7, Paragraph 1.3 - membership and support of an organized criminal group
- Article 18 Section 2 letter b of law 39/2003 - Money laundering
- Article 23 Paragraph 1 letter a, b, & c of law 656/2002 - Wireless access to a computer system to obtain data by breaching security measures
- Article 42 Paragraph 2.3 of law 161/2003 - Possession of a computer program in order to commit offenses
- Article 49 of law 161/2003 - Causing a loss of property through the introduction of computer code in order to obtain benefit for oneself or another

42 people have been brought to Bucharest to be charged of these crimes.

Here's the DIICOT video of the arrests and seizures:

Hopefully, this time the criminals will actually serve time in prison!

Wednesday, December 15, 2010

Minipost: Operation: Payback origin

Yesterday in our story about Crowds, Mobs, and Anonymous, Internet Anarchy: Anonymous Crowds Flex their Muscles, we mentioned that Operation Payback started back in September. Here is the letter that was sent to the media on September 19th:

After seeing Salon's story A brief history of Operation: Payback, which lists November 29, 2010 as the starting date, we thought it especially important to point out that this is NOT the start. The adoption of Wikileaks was an expansion of a three month old campaign in an effort to legitimize and expand the number of attackers Anonymous had at their disposal. For more on that "crowd action" mindset, the reader is referred back to yesterday's blog post.

Some have been asking "how do you know this is 4chan related?" Again, we refer readers back to early posts by Anonymous.

(Click to enlarge)
"I know that many of you, many of you whom I have seen on 4chan over the years, have grown cynical of the usefulness of anons as an army, especially since the mess that was Chanology*."

One of the places this image was posted back on September 20th was a hacker website run by a South African hacker. To put the message into context, the post immediately before this one read:

Anonymous vs Aiplex, MPAA, RIAA
This is happening right now. Join if you can.
/join #savetpb

We're targeting all the sites mentioned in the topic, but Aiplex first.

For piracy, for freedom, for victory.

* - While Operation Payback began September 19th, Anonymous has been involved in DDOS Protests since early 2008. (Project Chanology refers to the DDOS campaign that 4chan users waged against Scientology. The concept of that campaign was that because Scientology tried to remove all copies of a controversial Tom Cruise interview from the Internet, they were "censoring the Internet" and should be stopped. The campaign included DDOS attacks, fax campaigns, protests, and even an attempt to get the IRS to take away Scientology's tax exempt status. LOIC was one of their tools. Anonymous vs. Scientology ran "daily news" on YouTube documenting their in-person protests and raids. The same YouTube channel has been used for Anonymous messaging since at least April 20, 2008 (See: Reinstate Mark Bunker XENUTV1) and as recently as this week (see: Anonymous: Operation Leakspin.

Chanology was covered by:

Dan Kaplan at SC Magazine: "DDOS Hack Attack Targets Church of Scientology" - Jan 28, 2008.

John Leyden at The Register: "Critics Split over DDOS attacks on Scientology" - Jan 25, 2008. has the "" description of the project from July 2008, which showed substantial evolution from the original January 15, 2008 post archived here, by Encyclopedia Dramatica (caution, ED has crude and offensive messaging and is not 'work-friendly').

Monday, December 13, 2010

Internet Anarchy: Anonymous Crowds Flex their Muscles

This summary is not available. Please click here to view the post.

Monday, December 06, 2010

Wikileaks: Lessons Learned

I've spent the past couple days in our nation's capital, and it seems that everywhere I go, someone wants to know what I think of the Wikileaks scandal. I'll tell you at the end of this article. First, I want to talk about what we should LEARN from Wikileaks. When I worked more actively in Critical Infrastructure Protection, there was a saying I heard from time to time that the problem with most Crisis Events is that we don't learn from them. To rectify this failure to learn, the Department of Homeland Security even created the "Lessons Learned Information Sharing" site, Perhaps my exposure to DHS as a then-member of the Energy Sector has taught me to look for Lessons Learned as the silver lining to every dark cloud.

So what is the major Lesson Learned in the Wikileaks situation?

It has to do with information classification, access control, and monitoring. We'll go over those lessons learned, but first, here's a bit of background on what happened.


In the case of PFC Bradley Manning, here was a young man with a very important job. As an Intelligence Analyst, it was important that Manning have access to everything he needed to do his job. In the post-9/11 Kumbaya world of Information Sharing, that pretty much gives counter-terrorism warriors carte blanche. The information access level for people like this may be "If he needs it, give it to him, if you don't, the next 9/11 will be on your head!"

Like Katharine Gun, the UK's GCHQ intel analyst who decided to leak information about wiretaps among the UN prior to the Iraq invasion, Manning was an analyst who did not understand the chain of command. In Gun's situation, she became aware of cables which implicated the United States in the tapping of communications of United Nations personnel prior to the Iraq invasion. Gun determined that it would be a noble and responsible thing to ignore all of her oaths and orders and rather than sharing her concerns with her supervisors, smuggled this information out of GCHQ and leaked it to the press. Its a growing trend among Intelligence Analysts who determine they are in possession of information that the public has a "Right to Know" and Gun received the "Sam Adams Associates for Integrity in Intelligence" award for her actions. (Sam Adams was an information leaker during the Vietnam War.)

Brannon Manning became a ten-minute celebrity back in May for choosing to put his job on the line for a statement of his principles. He chose an act of civil disobedience, in the form of leaking a video of a helicopter gunship attack in Iraq where US forces fired on and killed Reuters news service photographer Namir Noor-Eldeen, 22, and his driver, 40-year-old Saeed Chmagh. Manning seemed to believe passionately that the US army had attempted to cover up their responsibility for the deaths, and decided to risk his job and his freedom to reveal this video. He was identified as a "whistle-blower" in the news. While I strongly disagree with his decision, that is an act of civil disobedience, and a "whistle-blower" action where a particular individual, possessing access to evidence of what they believe is an act of wrong-doing, "blows the whistle," understanding that there may be consequences for their action and choosing to accept the risk. I do not condone his actions in any way.

World-Wide Anarchy

To clarify, this attitude and action has absolutely nothing to do with the current Wikileaks crisis.

As reported in WIRED Magazine, the new hero of the left had no such intentions in mind when he then determined to leak 260,000 classified documents. He states his intention clearly:

“Everywhere there’s a U.S. post, there’s a diplomatic scandal that will be revealed,” Manning wrote. “It’s open diplomacy. World-wide anarchy in CSV format. It’s Climategate with a global scope, and breathtaking depth. It’s beautiful, and horrifying.”

So, was the goal of the "big data dump" to help reduce future civilian casualties? No. The stated goal was "world-wide anarchy."

According to the same article, Manning had access to "two classified networks from two separate secured laptops: SIPRNET, the Secret-level network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System which serves both agencies at the Top Secret/SCI level."

According to the same WIRED story, he boasted to celebrity hacker and information leaker Adrian Lamo:

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
(source: WIRED: ThreatLevel)

While Manning apparently thought he would find a kindred spirit in Adrian Lamo, Lamo knows the difference between information disclosure and treason. Its curious that the New York Times seems to consider Manning a patriotic hero and is certainly selling a lot of papers based on his leaked information. Especially curious when you consider that when Adrian Lamo accessed confidential data at the New York Times back in 2002, the response was not to celebrate the glorious freedom of information, but rather to file charges against Lamo, resulting in facing up to five years in prison, (although he received House arrest, limited access to computers, and payment of restitution in the end. Lamo told the Washington Post that he agonized over the decision, but he turned him in.

Lessons Learned: #1 -- Classification vs. Categorization

I'm going to imagine a slightly oversimplified classification system for a moment, to make our illustrations easier. Let's imagine that the classifications in our system are Unclassified, Secret, Top Secret, and (Collateral / SCI / SAP). The last one is actually not a "classification" but rather means "super secret Need-To-Know." SCI means "Sensitive Compartmented Information" and SAP means "Special Access Programs." We'll imagine for the moment that they both mean simply "Need to Know."

Now, consider various types of information to which a government employee may have access.

It seems that in the environment in which Manning was working, as long as he held an appropriate clearance for the information, he was able to access the information. Imagine an information access chart then that looks like this:

Imagine this information request:

What level of classification does this diplomatic cable have?
"Top Secret"
Does the requester have Top Secret clearance?
Permission granted.

What failure has occurred? A failure in ACCESS MONITORING. Manning was attempting to access information for which he had an appropriate clearance, but information which was in an inappropriate CATEGORY for him.

The same challenge is present in many other workplaces where sensitive information can be found. Consider for example the categories of interest in a hospital or healthcare environment:

Although I've never been in a hospital where things are marked "SECRET" and "TOP SECRET", let's use those as an analogy to the sensitivity of data. Perhaps an unclassified Personnel fact would be that Joe works in radiology. A Top Secret Personnel fact may be that Joe has three DUIs in the past year and has to take a breathalyzer test each shift before reporting for duty. An unclassified patient billing fact may be that office visits cost $175. A Top Secret billing fact may be the credit card number of the patient. An unclassified billing payroll fact may be that Tom is in a minimum wage job. A secret payroll fact may be that Tom's wages are being garnished for child support.

While HIPAA makes it clear that only certain personnel are supposed to see certain records, how is this monitored within your organization?

A more appropriate monitoring situation for PFC Manning may have looked like this:

In a system like this, an auditing record is recorded for review whenever someone accesses Secret or Top Secret information that is outside of their assigned categories of responsibility. With this monitoring system, Manning would still be allowed access to Secret documents in other categories, but these would be flagged for a potential review because of the mismatch with his job description.

Here's a similar chart for a HealthCare environment:

Many of my students are surprised that in my own lab, I do not have "Administrator" access to the workstations! I don't want it! I gave it back! We have an IT staff who is responsible for the creation and maintenance of access permissions, and for the installation of software and documenting its licenses and controls. Because I am not a part of that group, and don't know their methods, I choose to not have that access.

Lessons Learned #2: Volume of Data Flow

The other red flag is the volume of information being extracted. As repeated requests for information IN ANY CATEGORY are made, the volume of requests should be used to determine if a more urgent review is needed. For example, if someone is working in the Iraq war theater, it would make sense for many requests to be made related to that category of information. Occasional requests in other categories may also not be alarming. However, if you saw a large number of requests in a category for which this person does not have a job responsibility match, those should sound a more urgent alarm.


We can agree to disagree on whether Manning is a Patriot, an Anarchist, or a Traitor, but the important outcome of any event of this nature is that we document our Lessons Learned.

Consider your own Information Collection in your workplace.

What are the "Categories of Information" and how is access to those categories assigned?

Within each area what are the "Sensitivity Levels" or "Classification" of that data?

What is a "reasonable volume" for accessing data in each of those categories and classes?

Perhaps most importantly, who is in charge of monitoring access to those categories of information, and how are "alarms" set when a category, class, or volume condition is reached?

Thursday, December 02, 2010

Oleg Nikolaenko, Mega-D Botmaster to Stand Trial

According to Milwaukee's Journal Sentinel one of the largest spam senders in the world is sitting in a cell in Milwaukee awaiting his first court appearance on Friday, where he will be charged with being one of the greatest spammers in the world.

The case being heard, in the Eastern District of Wisconsin (2:2010-cr-00246), charges Oleg Nikolaenko, born July 17, 1987, with violations of 18 U.S.C. §§ 1037(a)(3) and 2.

According to the 13 page criminal complaint beginning in January 2007, violated CAN-SPAM in a maximum way. The first charge against him was CAN-SPAM violations:

the defendant knowingly, in and affecting interstate commerce, materially falsified header information in multiple commercial electronic mail messages transmitted in furtherance of the offense exceeded 2,500 during a 24-hour period, 25,000 during a 30-day period, and 250,000 during a 1-year period, to wit, the defendants altered the header information of spam e-mails that they transmitted via the Internet to disguise the e-mails' true origin, in violation of 18 USC § 1037(a)(3)

Yeah, 10 billion per day is greater than 2,500. 8-)

The second charge brought in the complaint, by Special Agent Brett Banner of the Federal Bureau of Investigation, is that he shipped bogus drugs, failing to ship what was ordered. In other words, Mail Fraud.

Count two says:

On or about November 2, 2009, for the purpose of executing a scheme to defraud by failing to send purchased prescription drugs, the defendant knowingly caused to be sent and delivered by the Postal Service, the following matter: a package from Herbal Health Fulfillment House, 6 University Dr., Ste. 206-273, Amherst, MA 01002, containing 60 pills of "VPXL -#1 Dietary Supplement for Men", to an address in Milwaukee, State and Eastern District of Wisconsin, in Violation of 18 U.S.C. § 1341.

Oleg is messing with the wrong FBI Agent. Brett was the administrator of the Mid-Michigan Area Computer Crimes Task Force from June 2004 to September 2009. That would be Michigan, the state where Terrence Berg locks up spammers and throws away the key on behalf of the Department of Justice until replaced by Barbara McQuade by President Obama. I can't imagine a better office to learn about fighting spam with the legal system! (Don't get me wrong, McQuade is hitting drugs, child porn, and mortgage fraud hard, and earning a great reputation as well. But Berg was an anti-spam crusader!)

Special Agent Banner reveals in his complaint that Oleg was shipping "billions of spam emails on behalf of Jody Smith, Lance Atkinson, and others who were selling counterfeit Rolexes, non-FDA approved herbal remedies, and counterfeit prescription medications."

The fingers started pointing to Oleg from some other cases. In August 2009, Jody M. Smith pled guilty to "conspiracy to traffic in counterfeit Rolex watches" in the Eastern District of Missouri. How much money was Smith making in the watch business? Let's just say that in the court documents he admitted to spending TWO MILLION DOLLARS just on spamming services! Smith's affiliate spamming organization was called "AffKing" and actually included quite a few other messages as well. Just at the Federal Trade Commission's Spam Fridge, they had received over 3 million spam emails that were associated with the AffKing case.

We blogged about the AffKing case back in October of 2008 with this story - SanCash (AffKing) taken down in New Zealand.

Atkinson, who had been charged as part of a case called "Global Web Promotions" back in 2004, was called "the first criminal action under CAN-SPAM" according to the April 24th FTC Press Release. The FTC has the 25 page Judgement on their website.

According to the current criminal complaint, when Atkinson was being interviewed regarding his charges, he admitted posted messages on "a pro-spam Internet bulletin board" needing help from spammers to promote his herbal pills. Atkinson says that the two largest spammers he met on that board were Russians who called themselves "Docent" and "Dem". He estimated that 80% of all of his drug sales came from spam-delivered advertisements.

The complaint further shows that according to "The Director of Malware Research at SecureWorks" most of the AffKing spam was being routed through a botnet, which SecureWorks named "Mega-D" back in 2008, and which they claimed accounted for 32% of all the spam on the planet, or more than ten billion spam messages per day.

Monitoring of Atkinson's ePassporte account revealed that from October 2006 to December 2007, he sent out over $1.8 Million in payments of commission for items sold. Atkinson recalled that Docent used the ePassport account name "Genbucks_dcent".

A subpoena served on ePassporte compelled them to reveal that Genbucks_dcent was Oleg Nikolaenko of 28/10 Spasskiy Proezd, Vidnoe 2, Russian Federation, with the email addresses and In a six month period in 2007, Lance Atkinson had paid Genbucks_dcent $464,967.12 for his spamming services.

Search warrants provided to Google revealed that ddarwin and 4docent were sending and receiving emails from others about their spam, including "" (believed to belong to Lance Atkinson). The email also revealed malware being attached, which were analyzed by SecureWorks and determined to be part of the botnet family known as Mega-D.

In November of 2009, the security research company FireEye was able to take control of the Mega-D network, and was able to prove that 509,000 computers were infected with the spamming botnet software, including 136 computers located in the state of Wisconsin.

Another FBI Agent who was an investigator in parts of this case, Special Agent Jason Pleming, indicates that security research firm M86 Security informed him that a single infected computer on the Mega-D Botnet had been observed to send as many as 15,000 spam messages per hour.

A search of the U.S. State Department's visa applications indicated that Oleg Yegorovich Nikolaenko with matching address, email address, and birthdate, received a traveler's Visa to the United States and was in Los Angeles from July 17, 2009 to July 27, 2009. He was in the US again November 2, 2009 through November 6, 2009, staying in Las Vegas and logging in to his gmail accounts from an IP address at The Tower Hotel in Beverly Hills during that trip. (

The FBI agents indicate that Nikolaenko had expected to stay in the US until November 11, 2009, but that he left early. They propose that this may have been to go home and deal with the fact that FireEye disabled the Mega-D Botnet that week! Although M86 indicates that Mega-D totally disappeared for a short time that month, by December 13, 2009 it was back to 17% of worldwide spam.

Acting as an undercover purchaser, Special Agent Pleming clicked an email which claimed to be from "Amazon, Ltd" and visited a website that described itself as "Canadian Pharmacy". He purchased one package of VPXL, one package of Viagra, and received as a bonus four additional "Viagra Professional" pills.

Although a package arrived, Special Agent Pleming received his VPXL, but received no Viagra pills at all.

Now it was time to wait. . . .

On October 30, 2010, Nikolaenko arrived in the United States at JFK airport, flew to Las Vegas, and checked in at the Bellagio hotel, to attend the "Specialty Equipment Market Association (SEMA)" car show in Las Vegas. (He attended the same car show the previous year.)

The complaint was presented to Magistrate Judge Aaron E Goodstein on November 3rd, and a warrant was issued for the arrest of Oleg Nikolaenko, who was taken into custody in Las Vegas the following day.

The CAN-SPAM charges for which he was arrested in Las Vegas had a potential sentence of 3 years in prison, a $250,000 fine, and 3 years supervised release.

Nikolaenko will be presented with all these charges in court tomorrow, December 3rd.

[Note: after completing this story, while Googling up some additional facts, I notice that Brian Krebs has already written about this. I'll share my interpretation anyway - but please do see Brian's story at Had I seen it first, I would have saved myself a few bucks on PACER! haha!]