Saturday, July 16, 2016

Hacking, Carding, SWATting and OCD: The Case of Mir Islam

There can be no argument that Mir Islam is a hideous Internet Troll.  Part of a group of hackers who participated in elaborate scams that combined social engineering, hacking, and gaining credit reports under false pretenses to expose the personally identifiable information of "at least 50 celebrities" on the website ""

On July 11, 2016, Islam was given a 2-year sentence for "SWATting and Doxing" Arizona victims.  On the website press release of the sentence (see: ) it mentions that his false 9-1-1 calls to summon SWAT teams unnecessarily involved cases against at least 20 celebrities and state and federal officials, including an Assistant United States Attorney and a Congressman from Michigan.

The world's top cybersecurity journalist, Brian Krebs, was among the victims of Islam's group after revealing on his blog the methods used by the group to dox celebrities including Arnold Schwartzenegger, Ashton Kutcher, and Jay Z, and government officials including FBI Directory Robert Mueller, CIA Director John Brennan, and First Lady Michelle Obama.  Krebs revealed the methods at KrebsOnSecurity in 2013 -- Credit Reports Sold for Cheap in the Underweb.

JoshTheGod's prior Experience as a Credit Card Thief

Like so many other young cyber criminals,  Mir Islam had been active in the carding scene, stealing and selling credit card information, and after his arrest tried to work a deal to be an informant. And like Albert Gonzalez, Max Vision, and so many other cybercriminals, was a disaster as an informant.  Under the Alias of JoshTheGod, "Josh" had been previously arrested, tried, convicted, and sentenced for Attempted Access Device Fraud, Conspiracy to Commit Access Device Fraud, Aggravated Identity Theft, and Conspiracy to Commit Computer Intrusion.   He was a member of a group called "UGNazi" and admitted to being a co-founder of the credit card trading website ""

He was arrested as part of  a massive action announced on June 26, 2012, that also included 404myth (Christian Cangeopol of Georgia), Cubby (Mark Caparelli of San Diego, CA), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, NY), xVisceral (Michael Hogue of Tucson, AZ), IwearaMAGNUM (Peter Ketchum of Pittsfield, MA), theboner1 (Steven Hansen of Wisconsin) (and two minors). The case also involved 13 other arrests overseas.

FBI Press Release (Click to open)

 What were those charges based on?   Here's some from the charging document, filed May 28, 2013:

"From at least in or about 2009, through at least in or about June 2012, [the defendant and others] did willfully and knowingly did combine, conspire, confederate, and agree together and with each other to commit offenses under Title 18, United States Code Section 1029(a) to . . . "
  • (in 2010) Purchase at least 20 computer servers over the Internet using stolen credit card information belonging to other individuals
  • (in 2011) establish an Internet forum for other co-conspirators to buy, sell, and exchange stolen credit card information
  • (in Feb 2012) possess stolen credit card information belonging to OVER 50,000 OTHER INDIVIDUALS
  • use stolen bank account numbers to fraudulently make purchases
  • launch coordinated attacks on computer systems for the purpose of disabling those systems including (Jan 2012 - DDOS attacks against the Ultimate Fighting Championship; DDOS attacks against Coach, Inc; June 2012 - DDOS attacks against the Wounded Warrior Project

The FBI Press Release also projected what charges Mr. Islam may be facing:

10 years for Access Device Fraud and 15 years for Affecting Transactions with unauthorized devices.

Aggravated Identity Theft

Under the law, identity theft is considered a FELONY if the perpetrator is found to have been involved in "the production or transfer of MORE THAN FIVE identification documents."

Quick math check.  50,000 credit cards > 5.  Ok, we're good.

Despite the fact that the criminal code, 18 U.S. Code § 1028A -- Aggravated Identity Theft, was SPECIFICALLY CREATED via the "Identity Theft Penalty Enhancement Act of 2004" to give a MANDATORY SENTENCE of 2 years imprisonment in addition to any other sentence received, Mir Islam was convicted of Aggravated Identity Theft and sentenced to ONE DAY imprisonment and three years supervised release.  Wait!?!?!  How did we get from "probably 10-15 years" to ONE DAY?

Did I mention that the two year sentence is MANDATORY?  Let's make that even more clear:
(b) CONSECUTIVE SENTENCE -- Notwithstanding any other provision of law -- 
(1) a court SHALL NOT PLACE ON PROBATION any person convicted of a violation of this section.
(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony during with the means of identification was transferred, possessed, or used; 
(3) in determining any term of imprisonment to be imposed for the felony during which the means of identification was transferred, possessed, or used, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section;
Gee!  It almost sounds like a person who commits Aggravated Identity Theft is not supposed to get Probation or a Reduced Sentence!   In fact, in 2015, the Congressional Research Service was specifically asked to examine this statute.  Their conclusion was that "More than half of the judges responding to the United States Sentencing Commission sruvey felt that the two-year mandatory minimum penalty was generally appropriate."  While they fell short of wildly praising the statute, they summarized their report as being "mildly complimentary of the provision." (see "Mandatory Minimum Sentencing: Federal Aggravated Identity Theft")

Unfortunately, in order for the Mandatory term to be considered in effect, the corresponding Felony has to receive a sentence of "greater than one year" (which is why we see so many sentences of "a year and a day".)  As part of a plea agreement, he agreed to the dramatically reduced sentence of ONE DAY for the carding charges, in exchange for cooperating in good faith with the Southern District of New York's office to cooperate to try to identify further co-conspirators in his case.  Because it was the desire of law enforcement to use Mr. Islam as a source, he was given a sentence of ONE DAY for the carding charges, meaning that the intention of the legislators was entirely thwarted.  Rather than cooperating, the Prosecution's sentencing memo indicates that Islam was "toying with his FBI handlers, and continued his criminal activity in the Exposed conspiracy and his cyber-stalking." 

One of the conditions of his supervised release was set as "No Use of Computer or Internet Access without the Permission of the Parole Officer," which condition Mir Islam agreed to and swore to obey before a judge on June 26, 2012.   

JoshTheGod Re-Offends

On June 10, 2013, US District Judge approved that the defendant's bail be modified to include mandatory mental health treatment, and that the defendant BE ALLOWED TO PROCESS CREDIT CARD TRANSACTIONS AT HIS PLACE OF EMPLOYMENT and be allowed to possess a computer and access the Internet under the supervision of a case agent. (See PACER -- Case 1:12-cr-00810-KMW Document 26)

Great idea. Let's give a convicted credit card criminal permission to process credit cards at work.  After all, it's been more than a year since he was arrested for STEALING FIFTY THOUSAND CREDIT CARDS and running a forum for selling them on the Internet.

He didn't quite make it 90 days.  He was re-arrested on September 4, 2013. 

His new case, (1:15-cr-00067-RDM) opens up with charges of Violations of 18 USC Section 371 (Conspiracy) 18 USC Section 844(e) (Threatening and Conveying False Information Concerning Use of Explosive), and 18 USC Section 2261A(2) (Stalking).

The Conspiracy charges include that he was still doing identity theft  and wire fraud (18 USC Sections 1343, 1030(a)(2), 1028(a)(7), 1028(b)(2)(B), and that once again it was "Aggravated Identity Theft" level -- "15 or more devices which are unauthorized access devices, to wit, social security numbers" -- 1029(a)(3) and 1029(c)(1)(A)(i). And that he used those SSNs to obtain a thing of value - 42USC Section 408(a)(7)(B), and that he accessed a computer without authorization (18 USC 1030(a)(2)(A) and 1030(c)(2)(A), and that he "devised a scheme to defraud and obtain property by means of materially false and fraudulent pretenses" (18 USC Section 1343) and that he used a "deadly or dangerous weapon to assault, impede, intimidate or interfere with an officer of empoyee of hte US Government" -- 18 USC Section 111(a), 111(b), and thta he transmitted a threat to injure the person of another via interstate commerce -- 18 USC Section 875c.

Some of the particulars from this second round of charges include:
  • March 2013 - purchasing stolen credit reports for US and State government officials and public celebrities from
  • March 22, 2013 - began stalking "A.R.T" (the Arizona cheerleader) via email, Facebook, Instagram, Text message, and telephone calls, and making false Twitter accounts in A.R.T's name.
  • March 23, 2013 - called in bomb threats to University of Arizona
  • March 31, 2013 - "Swatting" a US Government employee in Massachusetts
  • April 2013 - buying more credit reports for US and State government officials and public celebrities from ""
  • April 19, 2013 - "Swatting" T.L. a state government official in California
  • April 27, 2013 - "Swatting" M.R. (that would be Mike Rogers, Congressman of Michigan)
  • July 22, 2013, bought more credit reports from "" 
  • August 12, 2013 - uploaded many sets of "Dox" to "" on a server in Washington DC

Mental Illness and Reducing Sentence

This week the sentence finally came down on Mir Islam.  He was sentenced to 24 months in prison to be followed by 36 months of supervised release, during which he will be required to participate in Education/Vocational training approved by Probations, participate in a Mental Health Treatment program, and consent to disclosing a list of all computer systems and internet capable devices and allowing them to be forensically searched or to have computer/internet monitoring program installed.

Why?   Partly because of an amazing 82 page "Defendant's Memorandum in Aid of Sentencing" that begins with:

Mr. Islam has matured immensely during his 34 months of incarceration and has taken great strides to atone for his behavior and overcome the mental health issues that contributed to it.  Accordingly, it is respectfully submitted that a sentence of time served and 36 months of supervised release would represent a sentence that is sufficient, but not greater than necessary to meet the purposes of sentencing reflected in 18 USC Section § 3353(a).  Such as sentence would be longer than many if not most sentences in similar cases, and would adequately punish conduct by an immature and mentally-ill teenager who, by the government's own admission, has earned a departure from the applicable guidelines range.
The memo then goes on to talk about his "Good Time Served" (meaning he was a model prisoner, which is not unexpected, given lack of access to a computer or telephone).  He then argues that the "doxing" was not really so bad, since "The Secret Files" were only accessible during three short periods, for 8 days, 20 days, and 20 days.

(Click to visit KrebsOnSecurity, source of this image)
He also claims that "Doxing" is not illegal (citing this The Daily Beast article, where all good legal theories should come from) and that we should consider the "veneer of legality, especially as perceived by the immature minds of the teenage co-conspirators."  He goes on to say that we should consider the "misguided but public-minded spirit and desire for attention not uncommon among teenagers."  Would that be the "public-minded spirit" that caused so many SWAT teams to waste their time and place innocent people in danger?   Just in the University of Arizona case, testimony was given that FIFTY-FOUR OFFICERS were involved in searching for the non-existent bomb while classes were canceled and students, staff and faculty faced the fear (and inconvenience) of potential death during the ensuing lockdown.

While the defense admits that swatting was "extremely traumatic and dangerous" he claims that "in the online gaming communities in which Islam practically lived and breathed, swatting was an unfortunately common tactic used by competitive gamers to harass their opponents."  Because of this we are to understand that this would have been considered "normal" behavior by "teenagers immersed in this new online world."

In the case of the swatting of an Assistant US Attorney, the government provides a transcript of the 9-1-1 call:
"Hello my wife is dead.  I shot her and now she's dead.  I don't know what to do.
I'm having thoughts of hurting people and I don't know what to do.  If anyone comes in my house I might shoot them.  I am just letting you know now if I see any police outside my house I will start shooting.  I will not be taken alive.  Mark my words. I am not going to prison for the rest of my life.  I will not.  Don't worry about where I am at in the house. If any cops are outside in my yard or on the street I will start shooting.  By the way I have a police scanner right next to me and I can hear everything and you guys  think I'm joking.  I will shoot anyone who comes near my property.  I see cars outside my house I swear I will shoot.  I am not playing.  I am not fucking around. I will shot them.  You know I work with the police a lot but I am not afraid to shoot them."
Youthful prank, right?

The defense then moves on to address the cyberstalking of A.R.T., which he admits "subjected her to emotional distress, anxiety, and fear for her safety" and was "extremely serious."  HOWEVER, he goes on, "Islam was suffering from untreated obsessive-compulsive disorder (OCD) which fueled his obsession for A.R.T. and drove him to try to contact her through any and all means."  Islam "believed at the time that he had communicated and developed a relationship with A.R.T. through weeks of online conversations, causing him extreme confusion and anxiety with her refusal to interact with him in the non-virtual world."

The document then goes on to explain Islam's life, immigrating at age six from Bangladesh to Bronx, New York. They say he had untreated bipolar disorder, chronic depression, OCD, and ADHD, which led to him dropping out of high school to spend 15-18 hours per day online without interruption or parental intervention.  They then go on to explain his "carding" as a "seductive playground that allowed them to purchase food and electronics with stolen credit card numbers" and that Islam viewed these activities as "adolescent pranks."

Next we turn to his prison hardships, including the fact that he was denied a lower bunk even though he was a restless sleeper (which the defense says led to a herniated disc, nerve damage, and chronic pain after falling from a top bunk.)  He also claims he was given "vitamins contaminated by mold" that damaged his cartilage in his wrists and knees, discolored his skin, and exacerbated his chronic pain.  That is some mighty powerful Vitamin Mold!  Islam also filed charges against the prison for denying him Kosher food.  (These examples are to use the sentencing reduction of "Harsh conditions of confinement."  Not sure if "denied lower bunk" and "given moldy vitamins" are what that the term "Harsh conditions" normally means.)

CyberCrime: The World Where Sentencing Guidelines Don't Matter At All

The strongest and most unforgivable argument the defense makes is that Section 3553(a) directs courts to consider the need to avoid unwarranted sentencing disparities.  In the government's sentencing memo they had made the assertion that they were "unaware of any individuals sentenced for conduct similar to Islam's."  The defense jumps on that and waves it in their faces!  The defense  argues that because Hector "Sabu" Monsegur of Lulzsec got RIDICULOUS [my term] sentencing departures (a 97% reduction in the minimum sentencing) and that Sabu and JoshTheGod were both people who violated their release conditions and were remanded back into custody for very similar crimes, the Federal Government themselves had basically established precedence that hacker sentencing guidelines are worthless and not to be taken at face value.

The defense also argues "The need to avoid unwarranted sectencing disparities" with regard to other swatting cases.  They cite Tollis (1 year and 1 day for numerous swattings of schools and universities) and James Eli Shiffer (15 months for multiple doxing, swatting, and cyberstalking incidents.)  That argument is strengthened even more by the government's failure to observer proper sentencing for many of those arrested at the same time as Islam.  The defense gives examples  including Christian Cangeopol (3 years probation), Harper (time served), Joshua Hicks (2 years probation), Michael Hogue (5 years probation) and Peter Ketchum (2 years probation).  The LulzSec slap-on-the-wrist cases were also used in the Defense's argument - Cody Krestsinger (1 year imprisonment, 1 year home detention), Raynoldo Rivera (1 year and 1 day, 13 months home detention), Matthew Flannery (15 months home detention) and Hector Xavier Monsegur, already mentioned, (7 months.)

 Part of the Defendant's package was a letter to the judge praising Mir Islam for being a successful graduate of The Focus Forward class, where he studied the book A Long Way Gone and learned public speaking, conflict resolution, and resume writing skills.  He brought "light-hearted humor and laughter to class discussions" and "displayed humility, opening up to the group about the frustration and disappointment he felt about finding himself in this situation."  

Would that be the same "light-hearted humor" that he used when telling University of Arizona police that he was holding a rifle to the head of a woman that he was planning to kill if he did not receive $50,000 in ransom, and that he had placed explosives in eight campus buildings and was going to blow them up and start shooting?

Mir himself wrote a letter to the judge about how he wants to make a project "similar to PayPal" to help the members of my society stop getting ripped off.  Excuse me.  You can read his letter while I go get a tissue:

Chance of Re-offending?

Really?   This letter comes from the kid who arranged a ONE DAY sentence for all of his credit card crimes in exchange for giving his "Full Cooperation" to the SDNY FBI Office. Despite the prosecution's Sentencing Memo pointing out that "Based on Islam's duplicity in his SNY case, any expression of remorse or contrition by Islam should be viewed with a great deal of skepticism" the judge chose to ignore this and issue Yet Another Slap On The Wrist.

 Anyone taking bets on how many months it takes for Mir Islam to re-offend when he is released?  Put me down for "thirty-days or less."

Thursday, July 14, 2016

Pokémon Go: An invitation to spammers

Today we have another Guest Blog from Arsh Arora, PhD student at UAB. Arsh is a malware analyst in my lab and I asked him to look into the theory that Pokémon Go was being used to trick people into installing malware. In this particular case, the scammers aren't delivering malware, but they are still getting TONS of personal information through this scam that shares a great deal of features with the "Gift Card Scams" that we have written about before. A similar scam that followed a top news trend was our 2014 Target Data Breach Spam story where people got caught in a similar privacy trap. Now, take it away, Arsh! . . .

Pokémon Go: An invitation to spammers

Since its release, Pokémon Go has become a sensation. With over 7.5 million downloads in the United States, it became an attracting force for spammers. The launch of any game brings a launch of its cheat codes. The man hunt began for cheat codes of Pokémon Go, and the spammers took advantage of it. While researching for cheat codes, I ran into a website hackmobilecheats[.]com, which stated that you can get “Pokémon Go Hack Tool” for free. This is tempting, how can a gamer avoid it when at a standstill in the game and needs extra PokeBalls/PokeCoins?

I was not able to control my temptation and thought it would be noble of me to click the “Get Access Now” button. Let’s see what happened when we clicked it:Here’s the Fiddler capture of the redirect stream:

So, the magic button of “Get Access Now” redirects you to “trianglefoxfile[.]com as you intended (not really). After reaching the destination, the following page is displayed:

Wow! You can produce as many PokeCoins or PokeBalls as you want. By following these steps: enter username, choose your count to produce, and then Click to Start.Once the processing is complete, the following dialog box pops up:

The pop-up stated that the website has detected signs of you being a SPAM ROBOT! You have to verify that you are a HUMAN by clicking on one of the offers. The offers were so amazing, and it became extremely difficult to pick one. Also, I needed the cheat codes, so I had no option.
  • Get a Glade Sample Pack
  • Get Starbucks Samples (Coffee Lovers )
  • Get a New Samsung S7!
  • Get a Brand New Xbox One!
  • Do You Fly Delta? (Sidenote: Gary is not a loyal member)
  • Who Would You Conquer in a Battle?
I am a fan of video games so decided to go with an Xbox One. After clicking the following option, I was redirected to onlinepromotionusa[.]com.

Below is the Fiddler capture of the redirect:

So far we have changed 3 websites and no sign of cheat codes. It is just the beginning. Now we are required to fill a survey about Xbox.

Privacy Policy -- (note: You have none!)

An important thing to note while performing these surveys is to read the privacy policy and more specifically, how our information is going to be used by the website operators. The following is a snippet of the survey’s privacy policy.

Here are some of the types of Information we collect from users:
• Name • Postal address • E-mail address
• Telephone number • Cell/landline phone number • Gender and date of birth
• IP Address • Survey responses • Device ID & location
• Browser User Agent • Referring URL
We may use third party sources to augment and/or verify the Information we collect from users and may also associate demographic and other data we collect such as the user’s browser and device with their Information.

Children and Non- US Residents: We don’t knowingly collect or retain information from the Websites from children under the age of 13. The Websites are intended for use by U.S. residents who are not minors. If you are a minor, not a U.S. resident or don’t agree with this Policy’s terms, please don’t access or use our Websites.


We may use Information and share it with third parties (who may compensate us) in many ways and for many purposes including the following:

  • To fulfill an incentive;
  • To maintain suppression or opt-out lists that we may share with third parties so that a user is not contacted when the user has asked not to be;
  • For site operation;
  • To provide users with information and/or offers for products or services from us or third parties;
  • To notify the IRS that a user has received an incentive if the value exceeds the reporting threshold;
  • To track online behavior for behavioral advertising and other marketing purposes. If a user registers on one of our Websites, the user may receive relevant third party daily emails from that Website, its exclusive emailing partner and other websites we or our affiliates own and operate;
  • To develop and/or enhance our Affiliates’ and/or third parties’ products and/or services;
  • If we are acquired by or merged with another company, we may transfer our users’ information to the acquirer;
  • To respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims or when we determine it is necessary to comply with applicable laws or regulations; and
  • To assist with site operation and other communication services, we may share Information with third parties, including vendors and contractors who provide services to us.
We will use commercially reasonable efforts to limit use of the Information by these third parties as necessary for the purposes set forth above.

Behavioral Advertising: Behavioral advertising enables us and our third party marketing partners to deliver to users what is hoped to be more relevant information and/or offers for products or services. We and our third party marketing partners may use cookies, web beacons and other technological means to track user’s online behavior and to collect Information that enables the tailoring of targeted offers and advertisements. We may share this and other Information with our third party marketing partners, who may compensate us. We are not responsible for the Information they collect, for their use of this Information or for the privacy practices of other websites that are linked to our Websites.

Personal Health Information: Our surveys may ask health-related questions which we may share with our third party marketing partners who advertise health-related products and services on our Websites or who otherwise promote health-related products or services. We will use this health information only with your consent and for the purpose of displaying offers for health-related for products and services or to provide Information to these providers so they can contact you. You may always request modification or removal of your information by contacting us at

We use commercially reasonable efforts to prevent unauthorized access or disclosure, or accidental loss or destruction of your Information. We currently do not encrypt Information that we store. Given the nature of the Internet, your Information passes through entities that we are unable to control. Therefore, we cannot guarantee that our security measures or those of third parties who access or transmit your Information will prevent your Information from being illegally accessed, stolen or altered.

They are interested in your online Facebook activities too. What’s next?

Hooray! We qualified for the reward, just one step away. Now we will not only get the cheat codes, but an Xbox with it.

Not Really! What does having a car have to do with getting an Xbox One or cheat codes? I am not going to drive and playHere’s the Fiddler traffic of what actually happened:

After confirming our email address, we were redirected to amarktflow[.]com. The Fiddler trace shows that we were transferred from one marketing program to another and another. In short, everyone should benefit from our information and get compensated well in the end for scamming us.Additional questions to be answered to obtain the reward and cheat code.

There were about 15 questions that required our answers. Let’s check the NEW privacy policy before proceeding.

Awesome! You must complete 1 Silver, 1 Gold, and 6 Platinum offers, within 30 days from when you complete your first offer. Also, completion of the offer usually requires a purchase or entering into a paid subscription program for goods or services.
So after everything is in place, it is time to confirm.

Jack and Jill went up the hill! So, by now you have given quite a bit of information to the website operators. Don’t forget your date of birth and address. Let’s hope this is the last step to glory.

Unfortunately not! They wanted to re-confirm our information. After the confirmation, a pop up window is displayed and they want to install a plugin into our web browser.
After the installation of the plugin, the browser redirects us to joinpiggy[.]com, as noted in the Fiddler Trace below.

So “Joinpiggy” is another coupon website. Such Browser Helpers invade your normal web surfing by popping up advertisements and "Coupons" for things that may or may not be related to what you are surfing.  While not "malware" these are considered by most Anti-Virus products in the category "Potentially Unwanted Programs" or PUPs.

It was high time that one should realize that this is a vicious circle, and getting out of it seems to be impossible.

After wasting enough time, I thought of pressing the skip button and move forward. I was treated with a different survey while moving forward.

Now they were interested in my family and information about how much money I make. Why should I tell you? OH WAIT! I have already given them a lot of information. Frustrated, I decided to skip and move forward.

Below is the Fiddler Trace to where I am redirected, “promoandsweeps[.]com”

Now I can either buy Dr.Seuss books, join Disney Movie Club, try the number 1 kids learning app, and many others. And here I was trying to get the cheat codes for Pokémon Go—Phewww!!

Lastly, although was a free app, I still have to pay $5 for 2 months.
This is how you get trapped when being greedy and trying to cheat your way up in Pokémon Go. What’s the best way to avoid this? Try using your time to do something good like a responsible person, and use the DELETE app function in your smart phone. This will not only prevent you from scammers but save your valuable time.

Guest blogger Arsh Arora came to UAB to earn his Masters Degree in Computer Forensics & Security Management (MS/CFSM). As part of his degree, he and other students participate in real-world cybercrime investigations. Arsh has decided to stay for a PhD to continue his malware research.

For those interested in the Computer Programming side of Computer Science, but aren't interested in seeking a graduate degree afterwards, please consider our new Bachelor of Arts in Computer Science! The BA focuses on applying data analytics and programming skills to complement the student's interest in another field. Think of it as "Computer Science APPLIED TO Biology/Chemistry/Criminal Justice/name-your-major-here."

Wednesday, July 13, 2016

Reality Checking Mister Robot's Ransomware Attack

In tonight's Episode of Mr. Robot, the fsociety hackers deliver a Ransomware attack to the Bank of E.
At PhishMe, our malware analysts have reviewed more than six million malicious Ransomware  emails this year!

Check out my blog over there to see how the hacking in tonight's Mr. Robot compares to reality:

PhishMe: Reality Checking Mr. Robot

Mr. Robot Easter Egg Hunt

For more fun ... try to solve the first of the S2 Easter Eggs. First clue ... Here is Elliot's Notepad page --

I used the Online Graph Paper website to turn that into a more proper 29 x 29 QR Code:

 The rest is up to you!   Post a comment when you successfully log in!  

Saturday, July 09, 2016

Kelihos botnet delivering Dutch WildFire Ransomware

Guest Blogger Arsh Arora, a malware analyst and PhD candidate at UAB, has been keeping watch over the Kelihos spamming botnet. Yesterday he found some interesting things that I've asked his permission to share here.

Kelihos Delivering WildFire Locker Encryption Ransomware

So while doing the daily chores of Kelihos malware, we found an interesting behavior change that has never been seen before for Kelihos. The Kelihos botnet, which is famous for doing pharma spam predominantly for Canadian Health & Care Mall; pump & dump is delivering the WildFire Locker Encryption ransomware along with its regular pharma spam.
Kelihos spamming in Dutch

The messages observed during this analysis made use of a Dutch-language subject line and message body.

Subject: Mislukte afleverpoging BT-32084

Transportbedrijf Buitink B.V.
Westkanaaldijk 160
3542 DA Utrecht

Geachte heer / mevrouw, 

Op donderdag 7 juli heeft een van onze chauffeurs omstreeks 11.30 geprobeert 
om een pakket af te leveren. Aangezien dit niet is gelukt willen wij u graag 
verzoeken om zo spoedig mogelijk een nieuwe afspraak te maken.  U kunt een 
nieuwe afpsraak maken door het volgende formulier te downloaden, in te vullen
en retour te mailen naar

When translated to English, the message states:

Subject: Unsuccessful delivery attempt BT-32084
Transport Buitink B.V.
Westkanaaldijk 160
3542 DA Utrecht
Dear Sir / Madam,
On Thursday, July 7th at about 11:30 our drivers tried to deliver a package.
Since this was not successful, we would like to request to make a new appointment as soon as possible.
You can create a new appointment by downloading the following form to complete and return by email to
(This form also contains delivery HINTS)
Anna Dorst
The information contained in this email message is automatically generated and intended solely for the addressee. Use of this information by anyone other than the addressee is prohibited.

The message informs recipients of an undelivered package and entices the user to click on the embedded link.
Once the victim clicks the embedded link and downloads the file, a Microsoft Word document is downloaded which contains malicious code to place a file representing the WildFire Locker Encryption Ransomware on the victim’s computer.
This hostile document performs the following two steps:
First, it asks the user, in both English and Dutch, to "Enable Editing":

And then it asks the user, to "Enable Content" or "Inhoud inschakelen":

When viewing the Visual Basic macro code within Microsoft Word, we found the following source code:

Some very interesting choices of variable names!  TonyMontanaZRanaJakmietana, Nazgul, MinasTirit, Gondor, KerryMcNot, LouiseBackdone, and VERYKINDVAR and seem rather unique.  If you've seen them before, please leave a comment!

Once the macro is enabled, WildFire takes control of your machine and encrypts all the files with AES-256 CBC encryption.

The ransom note is displayed ot the victim and he or she is instructed to visit one of the TOR-hosted payment locations in order to purchase a decryption password.  This password would be used to retrieve the files encrypted from the ransomware.

Some interesting observations from this data include several locations:

1. The Onion domain name, gsxrmcgsygcxfkbb[.]onion
2. A geoplugin URL, http://  www . geoplugin . net /
3. exithub1[.]su
4. exithub2[.]su
5. exithub-xuq[.]su
6. exithub-pql[.]su

We hope you will agree that this change in behavior of the payload of the Kelihos botnet was worth noting.

Thanks for the Guest Blog, Arsh!
For more details on this observation: Arsh Arora, MSCFSM, PhD student, ararora at
(Arsh also runs the Facebook Group "Security Tips for Parents & Kids"

For more information about the Masters in Computer Forensics and Security Management at UAB, Gary Warner - gar at