Monday, October 10, 2016

Ten Years of Cybercrime & Doing Time

On October 10, 2006 while I was sitting in my office at Energen I decided to start a blog.  I had been an InfraGard member for five years at that time, and was realizing based on the feedback I was getting from other InfraGard members around the country that while many people knew about Cyber Security, very few knew about CyberCrime.  I was working on a daily basis with the FBI Cybercrime Squad in Birmingham, so I had a fairly good view on the topic, so I decided to try to share what I knew by starting this blog.  One year later I had taken things to a whole new level by quitting my job at the Oil & Gas company and moving to the University of Alabama at Birmingham to dedicate the next decade to training new cybercrime fighters!

While the blog has seen ups and downs in the regularity of the posts, even being named "Most Popular Security Blog" by SC Magazine back in 2010, overall we've averaged one post per week and have been visited by nearly 3 million readers.

As I tried to decide how to mark the 10th Anniversary of the blog, I thought one way to do it would be to share what has been our most popular stories each year.

One of the strengths of the blog has always been to document "big campaigns" that are attacking people and try to help them understand the nature of the scam so that they could avoid being a victim themselves.  The three most popular stories on the blog have all been of that nature:

1. "More ACH Spam from NACHA" (March 11, 2011) and "ACH Transaction Rejected payments lead to Zeus" (Feb 25, 2011) were both of that type.  Even years later, spikes in visitors to these stories were an indication that someone was imitating NACHA again.   In these spam campaigns, the spammers would claim to be sending email from the  "National Automated Clearing House Association" the organization that handles all electronic payments between American banks.  We later came to call these type of campaigns "Soft-Targeting" as most Americans have never heard of NACHA, but those who are involved in regularly moving money most certainly would have -- making them also the most likely to fall victim to such a spam message.  The first entry in this series, "Newest Zeus = NACHA: The Electronic Payments Association" (November 12, 2009) was also very popular.

2. Coming much later, November 7, 2014, was "Warrant for your Arrest phone scams." It was great to see the heavy traffic to that blog post and receive the emails letting me know that someone had just "proven" to them that they were about to be scammed by sending them a link to the article!

3. During 2014 one of the largest spamming botnets was the ASProx botnet.   This malware blasted out high volume spam campaigns that used a variety of social engineering ploys to make their campaigns convincing, leading to huge victimization rates.   The most popular, based on hits to the blog, was the E-Z Pass Spam.  "E-Z Pass Spam Leads to Location Aware Malware" (July 8, 2014) had tens of thousands of visitors.  A close second, also ASProx, was "Urgent Court Notice from GreenWinick Lawyers delivers malware."   ASProx had been dominate from the holiday season in 2013, when "package delivery failure" messages really hit a profound number of victims.  (See for example "Holiday Delivery Failures Deliver Kuluoz Malware" (December 26, 2013)

Rather than go through the top campaigns in order, I thought it might be more interesting to see the most popular posts for each of our ten years as a blog.

Top Cybercrime & Doing Time Blog Posts of 2016
Vovnenko / Fly / MUXACC1 pleads guilty24JAN2016
Kelihos botnet delivering Dutch WildFire Ransomware09JUL2016
Is the Bank of Bangladesh ready for the Global Economy?23APR2016
Unlimited ATM Mastermind Ercan Findikoglu pleads guilty06MAR2016

In 2016, two of our four top stories were about arrests of top cybercriminals, which is a trend that I love to say is growing and rising as we see a higher level of cooperation internationally, and a growing ability among our Law Enforcement partners. One of the highest volume spam botnets, Kelihos, is regularly in our blogs and is quite popular with the readers, indicating how often they also see the spam. The Bank of Bangladesh SWIFT theft was also a high interest story!

Top Cybercrime & Doing Time Blog Posts of 2015
Tech Support "pop-ups"30MAR2015
Hillary"s Email Server and the New York City malware03OCT2015
Passwords, Password Cracking, and Pass Phrases29OCT2015
Darkode guilty pleas: Phastman, Loki, & Strife24AUG2015

In 2015, the Darkode forum was a top story for us. Readers responded well to the Tech Support "pop-up" scams, indicating that they were also seeing it quite a bit! Hillary's email server gave us a chance to show the value of a long-term spam repository. And the story on password cracking seems to be regularly accessed from people teaching others about strong passwords.

Top Cybercrime & Doing Time Blog Posts of 2014
Warrant for Your Arrest phone scams07NOV2014
E-ZPass Spam leads to Location Aware Malware08JUL2014
Urgent Court Notice from GreenWinick Lawyers delivers malware13JUL2014
GameOver Zeus now uses Encryption to bypass Perimeter Security02FEB2014

The phone scams claiming that a warrant has been issued for your arrest have been popular on a daily basis for most of the two years since this story was first released. EZ Pass and Urgent Court Notice spoke to the popularity of the ASProx botnet. Gameover Zeus was also quite interesting as it changed the way spam-delivered malware defeated perimeter security.

Top Cybercrime & Doing Time Blog Posts of 2013
Holiday Delivery Failures lead to Kuluoz malware26DEC2013
Vietnamese Carders arrested in case05JUN2013
When Parked Domains Still Infect - and ZeroPark10AUG2013
New Spam Attack accounts for 62% of our spam!10APR2013

Kuluoz, later called ASProx, had its first big Christmas in 2013. One of the first arrests of Vietnamese hackers spoke to internationally cooperation.

Top Cybercrime & Doing Time Blog Posts of 2012
Operation Open Market: The Vendors25MAR2012
Paypal "You Just Sent a Payment" spam leads to malware01MAY2012
DNS Changer: Countdown clock reset, but still ticking28MAR2012
Operation Open Market: Jonathan Vergnetti17MAR2012

In 2012, the DNS Changer malware was on everyone's minds (we later blogged about the successful prosecution of the leaders of that campaign, all now in prison in New York.) Operation Open Market was the big Forum take-down that year.

Top Cybercrime & Doing Time Blog Posts of 2011
More ACH Spam from NACHA11MAR2011
ACH Transaction Rejected payments lead to Zeus25FEB2011
Federal Reserve Spam14MAR2011
The Epsilon Phishing Model08APR2011

I've already mentioned the ACH/NACHA spam campaigns that delivered Zeus. The Epsilon Phishing model focused on hacking email delivery services and using validated accounts to deliver phishing and malware. (This is the group that Neil Schwartzman of CAUCE labeled "The Adobers" for the many times their malware claimed to be Adobe software.)

Top Cybercrime & Doing Time Blog Posts of 2010
New York FBI: 17 Wanted Zeus Criminals30SEP2010
PakBugs Hackers arrested12JUL2010
Lin Mun Poo: Hacker of the Federal Reserve and ...?20NOV2010
Iranian Cyber Army returns - target: Baidu.com12JAN2010

The Iranian Cyber Army, and a variety of international cyber criminals captured the headlines in 2010.

Top Cybercrime & Doing Time Blog Posts of 2009
Newest Zeus = NACHA: The Electronic Payments Association12NOV2009
The FBI's Biggest Domestic Phishing Bust Ever08OCT2009
Who is the "Iranian Cyber Army"? Twitter DNS Redirect18DEC2009
Traveler Scams: Email Phishers Newest Scam09FEB2009

Our 2009 "Traveler Scams" post was for years the most successful post on the blog, as many people shared the post with their friends to warn about the scam. NACHA was just becoming the leading scam-victim related to Zeus, and the FBI celebrated a huge phishing victory!

Top Cybercrime & Doing Time Blog Posts of 2008
The UAB Spam Data Mine: Looking at Malware Sites09AUG2008
Anti-Virus Products Still Fail on Fresh Viruses12AUG2008
ICE: Operation Predator - Solving Intertwined Child Porn cases05NOV2008
Bank of America Demo Account - DO NOT CLICK26NOV2008

In 2008, we were just getting seriously up to ability with the UAB Spam Data Mine, and found many interesting malware campaigns using these techniques, which eventually led to the creation of Malcovery Security, later acquired by PhishMe

Top Cybercrime & Doing Time Blog Posts of 2007
Is Your Fifth Grader Smarter Than a Laughing Cat?15OCT2007
Google Referrer Only malware sites13DEC2007
AffPower Indictments Scare Affiliates!06AUG2007
TJX: From Florida to the Ukraine?04SEP2007

In 2007, the Storm Worm was one of the top spreaders of malware. The Laughing Cat story pointed out that if you share your computer with younger family members, they may very well click on lures that any educated adult would reject. The AffPower case remains one of my favorite law enforcement actions against online pharmaceutical affiliate programs. The TJX story tracked some of the carders involved in the TJX data breach.

Top Cybercrime & Doing Time Blog Posts of 2006
Pump & Dump: SEC gives us a peek!21DEC2006
Counterfeit Checks? Who cares!12OCT2006
Birmingham InfraGard - October 200610OCT2006

In 2006, our inaugural year, we didn't have a lot of stories, honestly. Pump & Dump spam was interesting that year, and we blogged about some of the holiday scams we were seeing.

Unfortunately, several of the graphics in the older stories are unavailable due to changes in hosting. Hopefully we'll get those recovered eventually. Sorry for any loss of enjoyment that may cause while strolling down Cybercrime Memory Lane with me!

Looking forward to another Ten Years informing the public about Cybercrime & Doing Time!

Thanks to all of my friends and students who encouraged this blog along the way, and helped through their dedication to fighting Cybercrime and sharing in the analysis we did together. While there have been tons of great contributors in the lab, with regards to things that ended up in the blog I'd like to especially thank: Heather McCalley, Matthew Grant, Chun Wei, Brad Wardman, Brian Tanner, Tommy Stallings, Sarah Turner, Josh Larkins, Jui Sonwalker, JohnHenri Ewerth, Brendan Griffin, and Kyle Jones.

Thanks also to my inspirations in blogging, Brian Krebs, and Graham Cluley. This amateur blogger is truly grateful for what you guys do and share!


  1. Last year I also faced some problem with my credit card and I got notification from my provider that i DID TOO MANY PURCHASE that I never ever did! I checked my bank details and I realize I was mobbed hacked by some son**o**btch** :-((

    Now I am too much conscious & concern about this cyber crime. You are doing a excellent job. Thanks a lot for your all posts. Gracious :-)) Ed, Clipping Path Service


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.