Wednesday, August 26, 2015

Hackers vs. Drones: ISIS Cyber Caliphate Leader Junaid Hussain

In what may be a first move in the new escalation of cyber warfare with kinetic results, Junaid Hussain, the 20-something hacker who fled to ISIS after being charged with hacking Tony Blair's email accounts, has been killed by a drone strike.

CNN is running with the exclusive at this time claiming "The U.S. military and intelligence community is in the final stages of confirming that a U.S. drone strike this week killed Junaid Hussain."

(Click for CNN Story)

CNN quotes "several U.S. officials" that "the drone strike was specifically targeting Hussain traveling in a vehicle in Syria after the U.S. got intelligence on where he was and watched him to confirm his presence before striking."

Those who follow the defacement community will be well-familiar with Hussain's previous shenanigans online as the leader of Team Poison.  He gradually drifted from target-of-opportunity defacing to more difficult "called target" defacing, and was eventually jailed at age 18 by the British government after publishing the details of Tony Blair's email accounts, as broadly documented in July of 2012.

Click for Telegraph story

Hussain, who hacked under the name "Trick" during his Team Poison days in England, was sentenced to six months imprisonment for "conspiring to commit public nuisance," "causing a computer to perform a function to gain unauthorized access to data or programs" and "defacing numerous websites" between January 1, 2010 and April 14, 2012.  After his release he was arrested again for his cyber activities and fled the country while out on bail.

2012 - TeaMp0ison hacks NATO
 Hacking governments and militaries was something TeamPoison (TeaMp0isoN) had been doing for years prior to Trick's run-in with the UK authorities.  Above is a typical rant from Trick decrying NATO, BAE Systems, BP Oil, and Rupert Murdoch.

On August 3, 2015, the Mirror ran the headline "ISIS: British computer hacker who fled to Syria is third on US hit list of key Islamist militants".  At that time, he was using his new jihadi-friendly hacking name of "Abu Hussain al-Britani".  According to the Mirror article, only Jihadi John (Mohammed Emwazi) and ISIS Leader Abu Bakr al-Baghdadi were more wanted on the US "kill list."

Among his crimes, Hussain was identified as the man suspected in hacking the Twitter and Facebook accounts of US Central Command.Their most recent Twitter accounts @UmmHussain_18 and @AbuHussain_23 were created after their August 13th leak of US government personnel contact information caused #17 and #22 to be deleted by Twitter.

His 45-year-old rock-musician wife Sally Jones, now "Umm Hussain Al-Britani" and their 10-year-old son also lived with him in Syria.  As of 14AUG2015, there was concern that she may have been seen back in England:

Click for "Mrs. Terror Back in Britain?"

Tuesday, August 25, 2015

The Case of Spamford Wallace: Guilty at Last!

My anti-spam community friends were all abuzz today with the news that Spamford Wallace had pleaded guilty in a Las Vegas court to "compromising approximately 500,000 Facebook accounts" in order to deliver "more than 27 million spam messages."

What might amaze the General Reader is that this is the SAME Spamford Wallace case that began with an indictment on July 6, 2011.

The Spamford Wallace Indictment

July 6, 2011 Original Charges

According to the Indictment, Wallace created an account on November 4, 2008 under the name "David Frederix" and then tested posting spam messages to his 'real' wall "Sanford MasterWeb Wallace" experimenting with which posts would best evade Facebook's filters.

He then made a script that would automate the process of logging in to a Facebook account, obtaining a list of all of the Friends of that account, and then posting his advertising message to each of those friends' walls.  Spamford then created a domain registrar account at Moniker Online and another at Dynadot (using the name Laura Frederix) and between the two created 2,500 domain names that would be used in these spamming attacks against Facebook users.

On November 5 and 6, 2008, Sanford sent approximately 125,000 spam messages to Facebook users using this method.  On December 28, 2008, another run was made, posting nearly 300,000 spam messages, by logging in through 143 different IP addresses that were used as proxies to disguise his origins.  On February 17, 2009, another 125,000 messages were posted.

At this point, a civil injunction was served on Sanford Wallace in the case of Facebook Inc v. Sanford Wallace (Northern District of California No 09-00798 JF) where Judge Jeremy Fogel ordered Sanford Wallace to no longer access Facebook's computer network.  (Orders issued on March 2, 2009 and March 24, 2009).  Sanford logged in on April 17, 2009, in violation of this order, while flying on a Virgin Airlines flight  from Las Vegas to New York.

In 2011, Sanford was back on Facebook, using a profile called "David Sinful-Saturdays Fredericks"

Counts 1,3, 7 - Fraud and Related Activity in Connection with Electronic Mail, carry a possibility of 3 years imprisonment.

2, 6, and 9 - Intentional Damage to a Protected Computer, carries a maximum sentence of 10 years imprisonment.

4, 5 and 8 - Fraud and Related Activity in Connection with Electronic Mail, carries a 3 year imprisonment possibility, and a possible $250,000 fine.

Counts 10 and 11  - Criminal Contempt, have unspecified potential penalties.

What's Happened Since?

Lots and lots of lawyering. . . behold the process of a Fair and Speedy Trial!!!!
  • 04AUG2011 - the indictment was unsealed
  • 04AUG2011 - notice of related cases was received.  These included:
  1. the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for Violation of the CAN-SPAM ACT, violation of the Computer Fraud and Abuse Act, Violation of the California Business Code Section 229489 AKA the California Anti-Phishing Act, and Violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act.  That case describes:  "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s.  Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excell of $235 million."  Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)
  2. This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009. 
  • 22AUG2011 - bail hearing
  • 28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)
  • 30SEP2011 - Order to Waive Appearance proposed )amd gramted_
  • 03OCT2011 - Status hearing held
  • 04OCT2011 - case reassigned to Judge Edward J. Davila
  • 31OCT2011 - Pretrial services form 8 submitted.
  • 28NOV2011 - Status hearing held
  • 09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to AUSA Attorney being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweight the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.
  • 02APR2012 - extended to 07MAY2012 by mutual consent.
  • and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012
  • Status hearings held 14JAN2013, 11MAR2013
  • 11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.
  •  More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.
  • 02NOV2013 - Sanford's attorney (K.C. Maxwell) files a sealed document asking to be relieved from the case 09DEC2013.
  • Extension granted to 03FEB2014
  • 17MAR2014 set as the date to hear the Motion to Withdraw as Counsel.
  • Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.
  • 25JUN2014 new counsel asks for more time to prepare
  • 18JUL2014 William Burns petitions the court to withdraw as counsel
  • 21JUL2014 Burns Relieved
  • 21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace
  • 01AUG2014 - "The individual named above as defendant, having testified under oaht or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)
  • 19AUG2014 - time extended to allow Whelan to prepare
  • 22SEP2014 Status conference held, Jury Trial date set for 05MAY2015 through 22MAY2015.
  • 29SEP2014 Whelan petitions the court that drug testing no longer be required since Sanford has never tested positive. (Granted 15OCT2014)
  • 02MAR2015, status hearing extends case until an 08JUN2015 status hearing
  • 12JUN2015 - new financial affidavit entered under seal
  • 30JUN2015 - a change of plea hearing is requested for 27JUL2015
  • 24AUG2015 - Sanford Wallace pleas guilty to a single count - Count 3.  Sentencing scheduled for 07DEC2015 at 1:30 PM

Guilty of Count Three

So, if we go back to the indictment, what does this mean that Sanford has plead guilty to?

COUNT THREE: (18 U.S.C.  §§1037(a)(1) and (b)(2)(A) - Fraud and Related Activity in Connection with Electronic Mail.

22. The factual allegations contained in Paragraphs One through Eleven above are realleged and incorporated herein as if set forth in full.

23.  On or about December 28, 2008, in the Northern of California and elsewhere, the defendant, SANFORD WALLACE, knowingly accessed a protected computer without authorization, and intentionally initiated the transmission of multiple commercial electronic mail messages from or through such computer, in and affecting interstate and foreign commerce, to wit: the defendant accessed Facebook's computer network in order to initate the transmission of program that resulted in nearly 300,000 spam messages being sent to Facebook users.

What were 1 through 11?  The only really important paragraph is number 5:

5. From approximately November 2008 through March 2009, WALLACE developed and executed a scheme to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook's servers.)

Monday, August 24, 2015

Darkode guilty pleas: Phastman, Loki, & Strife

So far there have been three guilty pleas related to the Darkode hacking forum.  Although the case, which used the name "Operation Shrouded Horizon" resulted in 70 arrests worldwide, only twelve individuals have been indicted so far by the Department of Justice, and several of those individuals are overseas.  When the site was taken over, it displayed this graphic, showing the many foreign law enforcement agencies that cooperated with the takedown and the arrests.

Johan Gudmunds / Mafi

Image from ArrestTracker

The main administrator of Darkode is Johan Anders Gudmunds.  Gudmunds used three hacker aliases: Mafi, Crim, and Synthet!c.  According to DOJ, he resides in Sweden.   According to the indictment "From around September 2008 until about January 23, 2015" Gudmuns "knowingly and willfully did aid and abet and conspire, combine, confederate and agree together with other persons" ... "to commit offenses against the United States" including:

  • intentionally accessing a computer without authorization and exceeding authorized access to a protected computer, committing the offense for purposes of commercial advantage and private financial gain in furtherance of a criminal and tortious act in violation of the Constituion and the laws of the United States to obtain a thing of value exceeding $5,000 -- 18 USC Sections 1030(a)(2)(C) and (c)(2)(B)(i)-(iii).
  • knowingly and with intent to defraud accessed a protected computer and by means of such conduct intended to commit fraud or obtain something of value -- 18 USC Section 1030(a)(4) and (c)(3)(A)
  • knowingly caused the transmission of a program, information, code, and commands that as a result of such conduct intentionally caused damage affecting 10 or more protected computers during a 1-year period -- 18 USC Sections 1030(a)(5)(A) and (c)(4)(B).
  • knowingly and with intent to defraud trafficked in passwords and similar information through which a computer may be accessed without authorization affecting interstate and foreign commerce -- 18 USC Sections 1030(a)(6)(A) and (c)(2)(A).
Gudmunds wrote a botnet called "Blazebot" that compromised computers that he later sold access to. His price for access was $80 per 1,000 compromised machines, or 8 cents per computer.  Yes, that is how much your PC is worth!  Gudmunds also sold root access on computers at universities in Europe for $50 per server, and to at least 200 other servers for between $10 and $50.  The Zeus malware that he controlled logged more than 200,000,000 credential thefts from 60,000 compromised computers that made up his botnet.  (This would include many repeated credentials, obviously.)  Gudmunds also wrote an Exploit Kit called "CrimePack" that he sold on his forum, as well as an MSN Messenger spreader.  He was still authoring and selling code much more recently, including his package called "Pandemiya 2014"

Some of Gudmunds online ids included the jabber account "mafioso@xmpp.jb" and the email account "".  He began using the Synthet!c alias in January 2012.

Daniel Placek / Loki

According to the Gudmunds indictment, the original forum was created by "Iserdo" and "nocen / Loki".  We know from the charges against Daniel Placek of Glendale, Wisconsin, that he was the one who used the aliases Nocen, Loki, Juggernaut, and M1rro0r.

Loki's charges say that "in or about June 2008, Daniel Placek and Martjaz Skorjanc (AKA Iserdo)  created the Internet forum with the domain with the intention of bringing together computer hackers and other criminals to facilitate the production and sharing of malicious software, and later led to forum discussion about the creation and dissemination of botnets and the sending of spam."   Placek was an administrator on the forum, and in January 5, 2010, agreed to sell malware that he designed for harvesting network traffic for email addresses and passwords to a user named Dethan.78 for $500.  Dehtan.78 was an FBI agent.  Oops!

When Placek's computer was raided, all the way back in 2010, it was found to contain 74,190 credit card numbers and 297 bank account numbers.  In his guilty plea on July 31, 2015, Placek agreed to plea to one charge in exchange for prosecutors agreeing to seek a sentence of "six to twelve months".  This agreement carefully considered the fact that Placek has provided full cooperation regarding law enforcement queries and access to Darkode FOR MORE THAN FIVE YEARS!

From all reports, Placek has left his black hat ways behind him and has not participated in crime since his 2010 activities.   He has been working as a network engineer for a company named Swick Technologies, and neither law enforcement nor his employer has had any reason to doubt that he is reformed.  (More from this article:  Placek to plead guilty for role in creating Darkode hacker marketplace  )

Eric Croker AKA Phastman

Eric L. Crocker, a 39-year old resident of New York, (some sources say 29) was the first to plea guilty from the charges that came out of the Darkode forum seizure.  His primary plea is that he violated the CAN-SPAM ACT.  Phastman's primary activity that he is charged with is the creation of a hacking tool called the Facebook Spreader.  Although he is only directly charged for breaking into "at least 77,000 computers" and his indictment indicates he sold access to computers his botnets controlled for $200 to $300 per 10,000 (2 to 3 cents per machine) some news sources are reporting that his hacking earned Crocker "upwards of $21 Million." 

Phillip Fleitz, AKA Strife

Phillip Fleitz photo from ArrestTracker
 Phillip Fleitz was the most recent person to plead guilty on the Darkode case.  Fleitz is named along with two others in an indictment from the Western District of Pennsylvania.  The three were:

  • Naveed Ahmed (AKA "Nav" AKA "Semaph0re")
  • Phillip R. Fleitz (AKA "Strife")
  • Dewayne Watts (AKA "m3t4lh34d" AKA "metal"
The conspiracy that these three are charged with involves leasing at least two "bullet-proof hosting" servers in China that were used to scan Internet-connected routers to identify places that would allow them to use those routers as Proxies to reroute commercial email messages to hide their true source.  The spam that was sent was primarily using "email-to-SMS gateways" so that the emails sent would show up as text messages on cell phones of the recipients.  The spam was primarily "gift card scams" with the indictment giving the particular example of Best Buy Gift Card spam.  A couple examples include:
  • "Congratulations, your 4th place code is H7G0 -"
  • "Congratulations! You've finished Fifth!  Your code is: WM154 -"
  • "Your entry placed 8 out of 10!  Claim the prize with this Code: U0V2 -"

Still to Come

The people who are still named by the Department of Justice, but have not yet plead guilty are:

  •     Johan Anders Gudmunds - see above
  •     Morgan C Culbertson - the "FireEye Intern" / Carnegie Mellon student
  •     Naveed Ahmed -
  •     Dewayne Watts - M3t4lh34d / metal
  •     Murtaza Saifuddin
  •     Matjaz Skorjanc - rzor from Pakistan
  •     Florencio Carro Ruiz - NetK, Netkairo from Spain
  •     Mentor Leniqi - Iceman from Slovenia
  •     Rory Stephen Guidry - selling botnets,
 Of those, the only individual who has received much US-based press was Morgan, who is the author of a Remote Administration Trojan known as Dendroid.            

If any more guilty pleas come through, we'll try to update this page!

By the way, much praise to a site I was not previously familiar with called "Arrest Tracker" from the people that run  His page "Mass Arrest #24"  here has a great summary of what's going on with Darkode, but I know many of my readers will be interested in regularly following the regular updates from his page!