Sunday, December 23, 2018

Alert Traffic Patrolman Unveils Romanian Skimming Ring

Clinton, Mississippi doesn't sound like the kind of place where an international skimming operation would be operating.  With a population of barely 25,000, the town in southwest Mississippi does have one thing that helped - an alert police dispatcher.

Cheatham County, Tennessee, on the west side of Nashville, also doesn't seem like a cyber crime metropolis.  But it also had something critical to this type of police work: an alert traffic cop, Cheatham County Deputy Paul Ivy.

Clinton is more than a six hour drive from where a Cheatham County Sheriff's deputy pulled over a suspicious vehicle on December 12th as it was about to pull on to Interstate 40 headed west.  The deputy had seen the 2005 Chevy Trailblazer parked at a Shell gas station and noticed a temporary license tag displayed in an unreadable manner behind a tinted windshield.   The driver, Forrest Beard, showed the officer a Mississippi driver's license, which came back as suspended.  Beard's story about the two other occupants of the car, "Mike," whom he had met at a party four months ago, and another man he had known for only a couple of weeks, seemed odd.  He consented to a vehicle search, which revealed "a large amount of money", a credit card terminal, two laptops, credit card skimmers, and a stack of 159 Walmart gift cards.  Most of the materials were hidden in Nike shoe boxes.

Vehicle search items discovered
Labels added to the photo by Security Researcher Silas Cutler

The other two men in the car had unusual forms of identification for Kingston Springs, Tennessee.  George Zica was from Romania, according to his passport.

George Zica (Cheatham County Sheriff's Office)
Madalin Palanga (Cheatham County Sheriff's Office)
Madalin "Mike" Palanga was also from Romania, but the ID he was carrying was a counterfeit Czech Republic identity card in the name of Vaclav Kubisov.

The officer contacted the Secret Service, and they ended up keeping the vehicle, the money, the computers, and all three men's cell phones.  On Wednesday, December 19th, a judge posted a bail order for the men, and Madalin bonded out for $74,999, although he is wearing a GPS-tracking ankle bracelet, before a hold order was received from Mississippi, preventing the other two men from doing the same.

Further investigation revealed that the men had been tied to skimming cases across middle Tennessee as well as in North Carolina and South Carolina, but Mississippi added one critical piece of evidence, courtesy of ATM footage from Regions Bank.  On Tuesday, Regions Bank employees contacted the Clinton, Mississippi police to let them know they had "trapped" some cards in the local Regions ATM.  When Regions receives fraud reports indicating one of their accounts has been compromised, their policy is to capture any ATM card put into one of their ATMs that uses that account information.

In this case, the captured cards were both Walmart gift cards.  The skimmers were "Verifone" terminal overlays, of the kind commonly found at the counter in many gas stations and convenience stores.  After criminals modify the keypad by installing a skimmer, a device placed in front of the card slot makes a copy of the magnetic stripe, while the fake keypad overlay captures the PIN when the customer enters their four digit code.  The information can be retrieved wirelessly from a vehicle in the parking lot.

(Video from Andy Cordan, WKRN TV News)

In Clinton, Mississippi, over $13,000 in fraudulent ATM charges had been reported recently, with most of the stolen card data being tracked to customers in the Memphis, Tennessee area.

Regions Bank provided ATM surveillance camera footage to the Clinton police.  An alert police dispatcher who was reviewing the material started comparing the image to other recent credit card crimes in the Southeast and determined that the man in the ATM footage was George Zica, who was arrested later that week in Tennessee as described above.  (The timestamp on the video is confusing.)

Saturday, December 22, 2018

126 Arrests: The Emergence of India's Cyber Crime Detectives Fighting Call Center Scams

The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

 The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

Times of India photo 

Noida police have been cooperating very well with international authorities, as well as Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63.  (In a case just last month, another call center was said to have stolen from 300 victims after using online job sites to recruit young job seekers and putting them to work conducting the scams.)

In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

Noida police are advancing in their Cyber Crime skills!

As more and more cyber crime enterprises spring up in India, the assistance of their new Centers for Cyber Crime Investigation is becoming more critical to stopping fraud against Americans:

We applaud the Center for Cyber Crime Investigation in Noida

The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

US Embassy to India thanks the Noida and Gurgaon Police for their help!
Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region] had more details of this trend, including this graphic:

That's at least 50 call centers shut down just in these two regions, with this week's 126 arrests being the culmination of an on-going investigation that received data from both the FBI and Microsoft.

Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

During that same two day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It"
Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 Billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

Madan Ballal, Thane Crime Branch, outside Mumbai
Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!

Saturday, December 15, 2018

Bogus Bomb Threats Demand Bitcoin Disrupt Businesses

Bogus bomb threats created a scare across the country. A quick note here that I'll dive into more deeply next week. The big question at this time -- with MANY of the IP addresses found in email headers originating from Moscow, Russia, is this "Russian influence" designed to disrupt American commerce? or is this just a spammer looking for a new way to make money?


The more emails we have to analyze, the better our understanding of this threat will be.  While reporting to the FBI's is a great idea, and highly encouraged, that hides the details from security researchers such as myself.  One great place to report any type of fraudulent bitcoin activity is "".  If you decide to report there, please extract the sending IP address and the email Subject from your spam and include them as part of the report.  We can cluster on both of those things. (Including the bitcoin address used is a given.)

Extracts taken from follow below. You can read the original reports yourselves here:

(If you have a sample of one of these emails, please consider filling out a - but please make sure to include the SENDING IP ADDRESS from the email headers!)

Email Bodies contain Spam-template randomization

Here are extracts from many of the spam messages. Note for example the [man | mercenary | recruited person] and [tronitrotoluene | Hexogen | Tetryl] substitutions. Or the [suspicious | unnatural | strange] [activity | behavior] or the [power the device | device will be blown up | power the bomb]. This is very characteristic spam behavior.

Subjects reported by the NCFTA include:

Subject: Better listen to me
Subject: Bomb is in your building
Subject: Do not panic
Subject: Do not waste your time
Subject: Dont get on my nerves
Subject: I advise you not to call the police
Subject: I've collected some very interesting content about you
Subject: keep calm
Subject: My device is inside your building
Subject: Think about how they can help you
Subject: Think twice
Subject: We can make a deal
Subject: You are my victim
Subject: You are responsible for people
Subject: Your building is under my control
Subject: Your life is in your hands
Subject: Your life can be ruined, concentrate
Subject: You're my victim

(If you have examples of other Subjects, please share them in the comments section)

Hello. There is the bomb (tronitrotoluene) in the building where your company is located. It is constructed under my direction. It has small dimensions and it is hidden very carefully, it is not able to damage the supporting building structure, but you will get many wounded people if it detonates. My recruited person is controlling the situation around the building. If he notices any strange activity or policemen the device will be blown up. I want to propose you a deal. $20'000 is the value for your safety. Pay it to me in BTC and I assure that I have to withdraw my recruited person and the bomb will not explode. But do not try to deceive me- my assurance will become actual only after 3 confirms in blockchain. It is my btc address : 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM

Good day. My mercenary hid an explosive device (Hexogen) in the building where your business is conducted. It was assembled according to my instructions. It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this bomb, but in case of its explosion you will get many victims.My mercenary is watching the situation around the building. If he notices any suspicious behavior, panic or cops he will blow up the bomb.I want to propose you a bargain. You transfer me 20'000 usd in BTC and the bomb will not explode, but don't try to deceive me -I guarantee you that I have to withdraw my man only after 3 confirmations in blockchain network. It is my Bitcoin address : 1LrZorkdqzPsg8JaGLwjLwg35viiH1Sv9v You must send bitcoins by the end of the working day.

My mercenary has carried an explosive device (Tetryl) into the building where your company is located. It was assembled under my direction. It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this explosive device, but if it detonates there will be many victims. My recruited person is watching the situation around the building. If he sees any unusual behavior or policemen he will power the device. I would like to propose you a deal. 20.000 dollars is the cost for your life. Tansfer it to me in BTC and I ensure that I will call off my man and the bomb will not explode. But do not try to fool me- my warranty will become valid only after 3 confirms in blockchain network. Here is my BTC address - 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM You have to pay me by the end of the working day, if you are late with the payment the device will explode.

Good day. I write you to inform you that my mercenary hid an explosive device (lead azide) in the building where your company is located. My recruited person constructed a bomb under my direction. It can be hidden anywhere because of its small size, it can not damage the supporting building structure, but you will get many victims in case of its explosion. My mercenary keeps the territory under the control. If he notices any unnatural behavior or emergency he will power the bomb. I can call off my man if you make a transfer. 20'000 usd is the price for your safety. Pay it to me in Bitcoin and I guarantee that I will call off my mercenary and the device will not detonate. But do not try to cheat- my assurance will become valid only after 3 confirmations in blockchain.

Good day. There is a bomb (tronitrotoluene) in the building where your company is conducted. My recruited person constructed the explosive device according to my instructions. It can be hidden anywhere because of its small size, it is impossible to destroy the structure of the building by my explosive device, but in case of its explosion you will get many victims. My man keeps the territory under the control. If any unnatural behavior, panic or emergency is noticed the device will be blown up. I can call off my recruited person if you make a transfer. 20'000 usd is the price for your safety. Tansfer it to me in Bitcoin and I ensure that I will withdraw my mercenary and the bomb won't explode. But do not try to deceive me- my warranty will become valid only after 3 confirms in blockchain network. My payment details (Bitcoin address): 1CDs3JXUU6wNmndAF7EFcrJ6GGSYRKXd7w

My man hid a bomb (lead azide) in the building where your business is conducted. It was constructed according to my guide. It is small and it is hidden very well, it is impossible to destroy the supporting building structure by this explosive device, but you will get many victims in the case of its detonation. My mercenary keeps the territory under the control. If any unnatural activityor emergency is noticed the bomb will be blown up. I would like to propose you a deal. You transfer me $20'000 in Bitcoin and explosive will not explode, but do not try to cheat -I warrant you that I will call off my man solely after 3 confirmations in blockchain network.

Hello. There is the bomb (lead azide) in the building where your business is conducted. My man built the explosive device according to my instructions. It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this explosive device, but if it detonates you will get many victims. I would like to propose you a bargain. 20.000 dollars is the cost for your life. Pay it to me in BTC and I guarantee that I have to call off my man and the device will not explode. But do not try to cheat- my guarantee will become valid only after 3 confirmations in blockchain network.

My man has carried the explosive device (tronitrotoluene) into the building where your business is conducted. My recruited person constructed the bomb according to my guide. It can be hidden anywhere because of its small size, it can not destroy the supporting building structure, but in the case of its detonation there will be many wounded people. My man is controlling the situation around the building. If any unnatural activity, panic or policeman is noticed the device will be blown up.
I write you to inform you that my recruited person carried the explosive device (Tetryl) into the building where your business is located. It is assembled according to my instructions. It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this bomb, but in case of its explosion there will be many victims. My man is controlling the situation around the building. If he sees any suspicious activity, panic or emergency the device will be exploded. I can withdraw my mercenary if you make a transfer. You transfer me 20.000 dollars in Bitcoin and the device will not detonate, but don't try to fool me -I ensure you that I will withdraw my recruited person only after 3 confirmations in blockchain. Here is my BTC address - 161JE4rHfvygXUVLya8N2WFptjwon2172t

These were EVERYWHERE - NOT targeted

Dozens of law enforcement agencies tweeted about these threats being received in their local area.  If you are aware of such "official" tweets, please leave a link to the Twitter Status report in the comments section below. 

Even AFTER it was well known that these were hoaxes, many law enforcement agencies continued to respond with full bomb squad roll-outs.  Given the history in Oklahoma City, this was especially understandable there, but wasted a tremendous amount of resources as they responded to AT LEAST thirteen threats just in that city!

Here are a few examples, and then a longer list in Table form:
Each entry in the table below is an "official" Tweet indicating local law enforcement responded to a bomb threat in that area.  If your locality is not listed, please search for "official" notices for your area and share them in our comments section.  Thanks!

Calgary, Alberta, CA
Calgary, Alberta, CA
Winnipeg, Manitoba, CA
London, Ontario, CA
Toronto, Ontario, CA
Anniston, Alabama
Pelham, Alabama
Anchorage, Alaska
Phoenix, Arizona
Bakersfield, California
Chico, California
Chino, California
Garden Grove, California
Los Angeles, California
San Francisco, California
San Francisco, California
Santa Rosa, California
Ottawa, Canada
Aurora, Colorado
Fort Collins, Colorado
Danbury, Connecticut
Wallingford, Connecticut
Ocala, Florida
Sanford, Florida
Tampa, Florida
Atlanta, Georgia
Dekalb County, Georgia
Valdosta, Georgia
Honolulu, Hawaii
Chicago, Illinois
Chicago, Illinois
Indianapolis, Indiana
Cedar Rapids, Iowa
Wichita, Kansas
Wichita, Kansas
Lexington, Kentucky
Portland, Maine
Frederick, Maryland
Salisbury, Maryland
Boston, Massachusetts
Salisbury, Massachusetts
Massachusetts State Police
Detroit, Michigan
Grand Blanc, Michigan
Grand Rapids, Michigan
Long Beach, Mississippi
Raleigh, NC
Lincoln, Nebraska
Lincoln, Nebraska
Omaha, Nebraska
Linden, New Jersey
Buffalo, New York
Buffalo, New York
Buffalo, New York
New York, New York
Niagara Falls, New York
Rochester, New York
Boone, North Carolina
Boone, North Carolina
UNC Raleigh, North Carolina
Cleveland, Ohio
Columbus, Ohio
Bexley, Ohio (Capital University)
Oklahoma City, Oklahoma
Oklahoma City, Oklahoma
Tulsa, Oklahoma
Erie, Pennsylvania
Lancaster, Pennsylvania
Memphis, Tennessee
Beaumont, Texas
El Paso, Texas
Frisco, Texas
Houston, Texas
Lubbock, Texas
Rosenberg, Texas
St. George, Utah
St. George, Utah
Chesterfield County, Virginia
Hampton Roads, Virginia
Bellevue, Washington
Massachusetts State Police
Michigan State Police
Michigan State Police
Notre Dame University
Washington DC

Thursday, November 29, 2018

Two Iranian Hackers charged with $6 Million in SamSam Ransomware Attacks

Today the Department of Justice announced an indictment against two Iranian men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for their roles in stealing more than $6 Million in ransom payments from a 34-month-long ransomware campaign known as SamSam.

They were charged with:

18 U.S.C. § 371 - Conspiracy to Defraud the United States

18 U.S.C. § 1030(a)(5)(A) - knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

18 U.S.C. § 1030(a)(7)(C) - demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

18 U.S.C. § 1349 - Conspiracy

Victims were found in nearly every state:

Victim Locations from:

Piecing together the case involved gaining cooperation from two European VPN services, and apparently at least one search engine.   The indictment refers, for example, to the defendants using Bitcoin to pay for access to a European VPS, and then searching on May 15, 2016, for "".  The same day, they accessed the public website of Kansas Heart Hospital, and on May 18th, encrypted many key computers on the network and sent their ransom note.

Another key part of the investigation was gaining the cooperation of a Bitcoin Exchanger, which was able to demonstrate that on July 21, 2016, the defendants cashed out at least some of their ransomed Bitcoin into Iranian Rials and deposited it into bank accounts controlled by MANSOURI and SAVANDI.

Chat logs were also available to the investigators, as the indictment mentions contents of chat consistently throughout their timeline.  Using the combination of events, some of the key dates were:

  • December 14, 2015 - Defendants chatting about the development and functionality of SamSam.
  • Jan 11, 2016 - Attack on Mercer County Business in New Jersey 
  • Feb 5, 2016 - Attack on Hollywood Presbyterian Medical Center 
  • March 27, 2016 - Attack on MedStar Health 
  • May 15, 2016 - Attack on Kansas Heart Hospital 
  • May 27, 2016 - Attack on University of Calgary 
  • July 27, 2016 - Attack on Nebraska Orthopedic Hospital 
  • April 25, 2017 - Attack on City of Newark, New Jersey 
  • January 18, 2018 - Attack on Allscripts Healthcare Solutions, Inc. 
  • February 19, 2018 - Attack on Colorado Department of Transportation 
  • March 22, 2018 - Attack on City of Atlanta, Georgia 
  • July 14, 2018 - Attack on LabCorp 
  • September 25, 2018 - Attack on the Port of San Diego 
FBI Wanted Poster from:

Tuesday, October 23, 2018

Business Email Compromise: Putting a Wisconsin Case Under the Microscope

Clement Onuama and Orefo Okeke were arrested on November 1, 2017 in the Western District of Texas after a complaint and warrant were received from the District of Wisconsin alleging that the pair were involved in Romance Scams and Business Email Compromise Scams.

This week Okeke was sentenced to 45 months in prison.  Onuama was sentenced on October 30th to 40 months in prison.
Orefo Okeke (image from Dallas News)
Clement Onuama, 53

According to the Criminal Complaint and Indictments from the case, from 2010 until at least December 2016, in the Western District of Wisconsin and elsewhere Clement Onuama and Orefo Okeke knowingly conspired with each other and persons known and unknown to the grand jury, to commit and cause to be committed offenses against the United States, namely: wire fraud, in violation of Title 18, United States Code, Section 1343.

They used Romance fraud scams, developing relationships via email, chat apps, and telephone conversations.  Eventually the person posing as the victim's online partner asked each victim for financial assistance. They told the victims that they needed funds in order to release a much larger sum of money that was frozen by a foreign country.

They also used Business email compromise scams, primarily by sending email messages that altered wire instructions causing funds to be deposited into accounts controlled by the criminals.  Often these emails were "spoofed" to appear to come from an employee or officer of their company.  During several such scams, the real officer was traveling.

 The deposited funds went into bank accounts of "nominees and shell entities" and were quickly converted to cash and cashier's checks, with a portion of the funds wired overseas.  The criminals also failed to pay taxes on their proceeds.

 $3,259,892 in transfers were attempted and the actual fraud losses were $2,678,328.  The proceeds laundered by Onuama totalled $428,346.  The proceeds laundered by Okeke totalled $538,100.

 Details of the Wisconsin BEC Fraud Scam 

  On or about February 19, 2014 at 10:02 am, an email purporting to be from Sarah Smith from the email  was sent in reply to real estate agent Terrell Outlay of Madison, Wisconsin asking him to update wire instructions that were sent a few days before.  The email had an attachment from Portage County Title, on Portage County Title letterhead, updating the details and indicating funds should be sent to a Wells Fargo Bank account in Bettendorf, Iowa in the name of TJ Hausch.

 $123,747.54 was wired later that day.

 On the same day, a wire transfer from Tammy Hausch's Wells Fargo bank account ending in 9492 sent $80,000 to a Wells Fargo bank account ending in 6411 held by Clement C. Onuama of Grand Prairie, Texas.  Clement withdrew $10,000 in cash that day, $20,000 in cash the following day, and purchased a cashier's check for $28,885 from the account.  On March 11, 2014, a check for $10,000 was sent from Okeke to Onuama, who cashed it.

 An Affidavit from a Treasury Agent shares more details.  Terrell Outlay was a new real estate agent who had recently relocated from Chicago.  Outlay is believed to have had malware planted on his computer in relation to a home sale that he negotiated in January 2014.

 After receiving the email from , instructing the agent to have his client, Dynasty Holdings, wire $123,747.54 to the TJ Hausch Wells Fargo account, he was contacted by the REAL Sarah Smith on February 25, 2014 to inform him the funds were never received into the BMO Harris Account which had been agreed to at closing.  Outlay reported the situation to his boss, who contacted the Madison Police Department.

 Although the email of February 19, 2014 seemed to be from, the headers revealed it was sent from and the actual email was

 A second email, confirming to Mr. Outlay that the new account should be used:  "Yes!! TJ Hausch Wells Fargo" -- used the email server located at with IP address and the same outlook account, ""

 Four additional pieces of email correspondence used the same "" IP and return address.  Legitimate emails from Sarah Smith were sent from a Charter Communications IP address, confirmed by subpoena to belong to Portage County Title in Stevens Point, Wisconsin.

 The IP belongs to Sharktech in Chicago, Illinois, and that particular IP address was leased from August 13, 2013 to March 24, 2014 by a Singapore-based company called Surat IT Pte. Ltd. It was used to host hundreds of websites.  The other IP address,, was confirmed to be a Unified Layer IP address operated by Bluehost.  The customer of record at that time was Hind Jouini of Dubai, UAE.

 The additional funds from the Tammy Hausch account were sent to a Bank of America account ending in 9593 held by P.M. Voss of Costa Mesa, California.

 Tammy Hausch was interviewed by the US Secret Service in Madison, Wisconsin.  She was unaware of the source of the $123,000.  She had actually performed four similar transactions in the past, all at the behest of her online boyfriend, Brian Ward, with whom she had communicated exclusively online.  Brian needed her help because he and his friends had funds that were locked up in Spain and he needed additional funds to pay to have those funds released.

 Hausch had previously received a $12,112 check from the IRS addressed to Brian and Patricia Downing.  "Brian Ward" said that Patricia Downing was the maiden name of his deceased wife.

 Brian Downing was interviewed and reported that when he attempted to file his 2013 taxes, he learned they had already been filed and that an unauthorized tax refund of $12,112 had already been paid to a Wells Fargo account ending in 9492.  He confirmed his wife Patricia was not deceased and introduced her to the agent.

  More BEC Fraud Linked to the Case 

  On August 23, 2016, Anessa Hazelle, the financial controller of Ocean Grove Development of Basseterre, Saint Kitts, West Indies told the Treasury investigator that on November 30, 2015, an email claiming to be from her supervisor, Nuri Katz, urged her to wire $84,100 to D&D Serv, Inc of Grand Prairie, Texas, to pay an invoice for the purchase of "VxWorks Proll" for $84,100.  Hazelle did as she was ordered, and sent the funds.  Katz was on a flight to Russia at that time.  After she landed, they had a telephone conversation and learned that this email had been fraudulent.

 Katz's true email was "" but the email with the wire transfer instructions was from "" - similar enough that Hazelle did not notice the difference.  The funds were sent to a Capital One Bank account ending in 8232.
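Two of the controls that would have caught the messages in this case are visible in the affidavit details: the Wisconsin email looked like it came from Portage County Title but its headers showed a different sending server and a different actual return address, and the Saint Kitts email used a sender domain that was "similar enough" to the real one that the controller did not notice. The following is an added example, not code from the case file or from any vendor: it parses a raw message with Python's standard `email` module, compares the display From domain against Reply-To, Return-Path and the originating IP in the Received chain, and scores the From domain against a list of trusted domains by edit distance to flag lookalikes. The three sample messages, the `.example` domains, the IP addresses (documentation ranges) and the trusted-domain and known-sender lists are all constructed; the page elides the real addresses and IPs.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allow-lists: what the subpoena-confirmed legitimate sender would look like.
TRUSTED_DOMAINS = {"portagecountytitle.example", "oceangrove.example"}
KNOWN_SENDER_IPS = {"192.0.2.10"}          # the title company's real outbound IP (constructed)

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Mailbox domain of an address header ('"Name" <user@dom>' -> 'dom'), lowercased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def levenshtein(a, b):
    """Plain edit distance; small enough for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_trusted(domain):
    """(trusted domain, distance) for the nearest entry in TRUSTED_DOMAINS."""
    return min(((t, levenshtein(domain, t)) for t in TRUSTED_DOMAINS), key=lambda x: x[1])


def analyze(raw):
    """Return the From domain, the originating IP and a list of findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else None
    return_dom = domain_of(msg["Return-Path"]) if msg["Return-Path"] else None
    # Received headers are prepended by each hop, so the last one is the earliest (origin) hop.
    ips = [ip for r in msg.get_all("Received", []) for ip in RECEIVED_IP_RE.findall(str(r))]
    origin_ip = ips[-1] if ips else None

    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if from_dom in TRUSTED_DOMAINS:
        if origin_ip not in KNOWN_SENDER_IPS:
            findings.append(f"trusted From domain but origin IP {origin_ip} is not a known sender")
    else:
        near, dist = closest_trusted(from_dom)
        if 0 < dist <= 2:
            findings.append(f"From domain {from_dom} is a lookalike of trusted {near} (distance {dist})")
    return {"from_domain": from_dom, "origin_ip": origin_ip, "findings": findings}


# Constructed sample 1: display From spoofs the title company, real path goes elsewhere.
SPOOFED_MSG = """\
Received: from mx.example (mx.example [192.0.2.1])
 by inbox.example with SMTP; Wed, 19 Feb 2014 10:02:00 -0600
Received: from outbound.webhost.example ([203.0.113.44])
 by mx.example with ESMTP; Wed, 19 Feb 2014 10:01:58 -0600
From: "Sarah Smith" <sarah.smith@portagecountytitle.example>
Reply-To: sarah.smith.title@webmail.example
Return-Path: <sarah.smith.title@webmail.example>
To: agent@realty.example
Subject: Updated wire instructions

Please use the attached updated wire instructions.
"""

# Constructed sample 2: genuine message from the known sender IP, consistent headers.
LEGIT_MSG = """\
Received: from mail.portagecountytitle.example ([192.0.2.10])
 by mx.example with ESMTP; Tue, 25 Feb 2014 09:15:00 -0600
From: "Sarah Smith" <sarah.smith@portagecountytitle.example>
Return-Path: <sarah.smith@portagecountytitle.example>
To: agent@realty.example
Subject: Funds not received

We have not received the closing funds.
"""

# Constructed sample 3: lookalike sender domain (digit zero for the letter o).
LOOKALIKE_MSG = """\
Received: from relay.hosting.example ([198.51.100.9])
 by mx.example with ESMTP; Mon, 30 Nov 2015 08:40:00 -0400
From: "Nuri Katz" <nuri.katz@0ceangrove.example>
To: controller@oceangrove.example
Subject: Urgent invoice payment

Please wire the invoice amount today.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG), ("lookalike", LOOKALIKE_MSG)]:
        print(name, analyze(raw))
```

A finance or escrow team does not need the headers by hand: the same three checks (Reply-To or Return-Path not matching From, an unexpected origin IP for a trusted domain, a near-miss domain) are what a mail gateway rule or a pre-payment review script should raise before any wire instruction change is acted on.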

 That Capital One account was opened by Clement C. Onuama d/b/a D&D Serv, Inc, of 2621 Skyway Drive, Grand Prairie, Texas.  Onuama was the sole signatory of the account.

 On July 26, 2016, Daniel Yet, the owner of D&T Foods of Santa Clara, California, relayed a similar experience.  His personal investment account at TD Ameritrade was managed by Bao Vu.  On June 29, 2015, while Yet was traveling overseas on vacation, Vu attempted to contact him to verify a wire transfer request sending $22,000 to a Regions Bank account ending in 6870 for Sysco Serve.  Since Vu could not reach Yet, and the matter had been described as urgent, Vu went ahead with the wire.  A SECOND request came through asking for an additional $30,000 to be sent.

 The Regions Bank account ending in 6870 was opened by Orefo S. Okeke d/b/a Sysco Serve, with the same address as the Capital One account controlled by Onuama above, 2621 Skyway Drive, Grand Prairie, Texas!

 The 6870 Regions account made a payment of $15,000 on July 1, 2015 (two days after the deposit from Mr. Yet's TD Ameritrade account) to another Regions Bank account ending in 6452.

 The 6452 Regions account was opened by Clement C. Onuama d/b/a D&D Serv, of 2621 Skyway Drive, Grand Prairie, Texas.

  Letters from Okeke

  The defense entered seven letters to be considered during the sentencing hearing.  In the first, Orefo explains that when he first came to America, he made a business of buying used American cars and reselling them in Nigeria.  He ended up in financial hardship, which he blames partly on medical bills for his sick father and partly on caring for his wife and two step children.  He was approached by others in Nigeria who needed his assistance in converting US dollars to Nigerian Naira.

 The other letters explained how Orefo was kind enough to hire a convicted felon to work for him, and a disabled veteran.  One letter, from his Aunty, says he is kind and loves animals. His wife begs the mercy of the courts and explains how much her children miss him.  Okeke's brother in South Africa explains to the judge that his brother is an honest God-fearing man and that his pleading guilty demonstrates his honesty, and that this trial caused the death of their father and now their mother's health is also on the line. His uncle writes how sad it is that the judge has incarcerated his nephew for a non-violent first time offense causing him to miss his sister's wedding and his father's funeral.  A friend explains Okeke's very good moral character and how he always operates with integrity.

On the other hand, the FBI says that Business Email Compromise has stolen $12 billion, and that just from June 2016 to May 2018 they have identified 30,787 victims, 19,335 of them in the United States.  Records from October 2013 to May 2013 actually show at least 119,675 victims!  Hopefully the examples shared above will help us understand more about how these people come to be victims -- often losing their entire life savings, or funds whose loss means they can no longer buy a house or continue operating a business!

Monday, October 22, 2018

Project Lakhta: Putin's Chef spends $35M on social media influence

Project Lakhta is the name of a Russian project that was further documented by the Department of Justice last Friday in the form of sharing a Criminal Complaint against Elena Alekseevna Khusyaynova, said to be the accountant in charge of running a massive organization designed to inject distrust and division into the American elections and American society in general.
In a fairly unusual step, the 39 page Criminal Complaint against Khusyaynova, filed just last month in Alexandria, Virginia, has already been unsealed, prior to any indictment or specific criminal charges being brought against her before a grand jury.  US Attorney G. Zachary Terwilliger says "The strategic goal of this alleged conspiracy, which continues to this day, is to sow discord in the U.S. political system and to undermine faith in our democratic institutions."

The data shared below, intended to summarize the 39 page criminal complaint, contains many direct quotes from the document, which has been shared by the DOJ. (Click for full Criminal Complaint against Elena Khusyaynova)

The complaint shows that since May 2014 the following organizations were used as cover to spread distrust towards candidates for political office and the political system in general.

Internet Research Agency LLC ("IRA")
Internet Research LLC
MediaSintez LLC
GlavSet LLC
MixInfo LLC
Azimut LLC
NovInfo LLC
Nevskiy News LLC ("NevNov")
Economy Today LLC
National News LLC
Federal News Agency LLC ("FAN")
International News Agency LLC ("MAN")

These entities employed hundreds of individuals in support of Project Lakhta's operations with an annual global budget of millions of US dollars.  Only some of their activity was directed at the United States.

Prigozhin and Concord 

Concord Management and Consulting LLC and Concord Catering (collectively referred to as "Concord") are related Russian entities with various Russian government contracts.  Concord was the primary source of funding for Project Lakhta, controlling funding, recommending personnel, and overseeing activities through reporting and interaction with the management of various Project Lakhta entities.

Yevgeniy Viktorovich Prigozhin is a Russian oligarch closely identified with Russian President Vladimir Putin.  He began his career in the food and restaurant business and is sometimes referred to as "Putin's Chef."  Concord has Russian government contracts to feed school children and the military.

Prigozhin was previously indicted, along with twelve others and three Russian companies, with committing federal crimes while seeking to interfere with the US elections and political process, including the 2016 presidential election.

Project Lakhta internally referred to their work as "information warfare against the United States of America" which was conducted through fictitious US personas on social media platforms and other Internet-based media.

Lakhta has a management group which organized the project into departments, including a design and graphics department, an analysts department, a search-engine optimization ("SEO") department, an IT department and a finance department.

Khusyaynova has been the chief accountant of Project Lakhta's finance department since April of 2014, which included the budgets of most or all of the previously named organizations.  She submitted hundreds of financial vouchers, budgets, and payments requests for the Project Lakhta entities.  The money was managed through at least 14 bank accounts belonging to more Project Lakhta affiliates, including:

Glavnaya Liniya LLC
Merkuriy LLC
Obshchepit LLC
Potentsial LLC
Kompleksservis LLC
SPb Kulinariya LLC
Almira LLC
Pishchevik LLC
Galant LLC
Rayteks LLC
Standart LLC

Project Lakhta Spending 

Monthly reports were provided by Khusyaynova to Concord about the spendings for at least the period from January 2016 through July 2018.

A document sent in January 2017 included the projected budget for February 2017 (60 million rubles, or roughly $1 million USD), and an accounting of spending for all of calendar 2016 (720 million rubles, or $12 million USD).  Expenses included:

Registration of domain names
Purchasing proxy servers
Social media marketing expenses, including:
 - purchasing posts for social networks
 - advertisements on Facebook
 - advertisements on VKontakte
 - advertisements on Instagram
 - promoting posts on social networks

Other expenses were for Activists, Bloggers, and people who "developed accounts" on Twitter to promote online videos.

In January 2018, the "annual report" for 2017 showed 733 million Russian rubles of expenditure ($12.2M USD).

More recent expenses, between January 2018 and June 2018, included more than $60,000 in Facebook ads, and $6,000 in Instagram ads, as well as $18,000 for Bloggers and Twitter account developers.

Project Lakhta Messaging

From December 2016 through May 2018, Lakhta analysts and activists spread messages "to inflame passions on a wide variety of topics" including:
  • immigration
  • gun control and the Second Amendment 
  • the Confederate flag
  • race relations
  • LGBT issues 
  • the Women's March 
  • and the NFL national anthem debate.

Events in the United States were seized upon "to anchor their themes" including the Charleston church shootings, the Las Vegas concert shootings, the Charlottesville "Unite the Right" rally, police shootings of African-American men, and the personnel and policy decisions of the Trump administration.

Many of the graphics that were shared will be immediately recognizable to most social media users.

"Rachell Edison" Facebook profile
The graphic above was shared by a confirmed member of the conspiracy on December 5, 2016. "Rachell Edison" was a Facebook profile controlled by someone on payroll from Project Lakhta.  Their comment read  "Whatever happens, blacks are innocent. Whatever happens, it's all guns and cops. Whatever happens, it's all racists and homophobes. Mainstream Media..."

The Rachell Edison account was created in September 2016 and controlled the Facebook page "Defend the 2nd".  Between December 2016 and May 2017, "while concealing its true identity, location, and purpose" this account was used to share over 700 inflammatory posts related to gun control and the Second Amendment.

Other accounts specialized in other themes.  Another account, using the name "Bertha Malone", was created in June 2015, using fake information to claim that the account holder lived in New York City and attended a university in NYC.   In January 2016, the account created a Facebook page called "Stop All Invaders" (StopAI) which shared over 400 hateful anti-immigration and anti-Islam memes, implying that all immigrants were either terrorists or criminals.  Posts shared by this account reached 1.3 million individuals and at least 130,851 people directly engaged with the content (for example, by liking, sharing, or commenting on materials that originated from this account).

Some examples of the hateful posts shared by "Bertha Malone" that were included in the DOJ criminal complaint:

The latter image was accompanied by the comment:

"Instead this stupid witch hunt on Trump, media should investigate this traitor and his plane to Islamize our country. If you are true enemy of America, take a good look at Barack Hussein Obama and Muslim government officials appointed by him."

Directions to Project Lakhta Team Members

The directions shared to the propaganda spreaders gave very specific examples of how to influence American thought with guidance on what sources and techniques should be used to influence particular portions of our society.  For example, to further drive wedges in the Republican party, Republicans who spoke out against Trump were attacked in social media:
(all of these are marked in the Criminal Complaint as "preliminary translations of Russian text"):

"Brand McCain as an old geezer who has lost it and who long ago belonged in a home for the elderly. Emphasize that John McCain's pathological hatred towards Donald Trump and towards all his initiatives crosses all reasonable borders and limits.  State that dishonorable scoundrels, such as McCain, immediately aim to destroy all the conservative voters' hopes as soon as Trump tries to fulfill his election promises and tries to protect the American interests."

"Brand Paul Ryan a complete and absolute nobody incapable of any decisiveness.  Emphasize that while serving as Speaker, this two-faced loudmouth has not accomplished anything good for America or for American citizens.  State that the only way to get rid of Ryan from Congress, provided he wins in the 2018 primaries, is to vote in favor of Randy Brice, an American veteran and an iron worker and a Democrat."

Frequently the guidance was in relation to a particular news headline, where directions on how to use the headline to spread their message of division were shared. A couple of examples of these:

After a news story "Trump: No Welfare To Migrants for Grants for First 5 Years" was shared, the conspiracy was directed to twist the messaging like this:

"Fully support Donald Trump and express the hope that this time around Congress will be forced to act as the president says it should. Emphasize that if Congress continues to act like the Colonial British government did before the War of Independence, this will call for another revolution.  Summarize that Trump once again proved that he stands for protecting the interests of the United States of America."

In response to an article about scandals in the Robert Mueller investigation, the direction was to use this messaging:

"Special prosecutor Mueller is a puppet of the establishment. List scandals that took place when Mueller headed the FBI.  Direct attention to the listed examples. State the following: It is a fact that the Special Prosecutor who leads the investigation against Trump represents the establishment: a politician with proven connections to the U.S. Democratic Party who says things that should either remove him from his position or disband the entire investigation commission. Summarize with a statement that Mueller is a very dependent and highly politicized figure; therefore, there will be no honest and open results from his investigation. Emphasize that the work of this commission is damaging to the country and is aimed to declare impeachment of Trump. Emphasize that it cannot be allowed, no matter what."

Many more examples are given, some targeted at particular concepts, such as this direction regarding "Sanctuary Cities":

"Characterize the position of the Californian sanctuary cities along with the position of the entire California administration as absolutely and completely treacherous and disgusting. Stress that protecting an illegal rapist who raped an American child is the peak of wickedness and hypocrisy. Summarize in a statement that "sanctuary city" politicians should surrender their American citizenship, for they behave as true enemies of the United States of America"

Some more basic guidance shared by Project Lakhta was about how to target conservatives vs. liberals, such as "if you write posts in a liberal group, you must not use Breitbart titles.  On the contrary, if you write posts in a conservative group, do not use Washington Post or BuzzFeed's titles."

We see the "headline theft" implied by this in some of their memes.  For example, this Breitbart headline:

Became this Project Lakhta meme (shared by Stop All Immigrants):

Similarly this meme originally shared as a quote from the Heritage Foundation, was adopted and rebranded by Lakhta-funded "Stop All Immigrants": 

Twitter Messaging and Specific Political Races

Many Twitter accounts shown to be controlled by paid members of the conspiracy were making very specific posts in support of or in opposition to particular candidates for Congress or Senate.  Some examples listed in the Criminal Complaint include:

@CovfefeNationUS posting:

Tell us who you want to defeat!  Donate $1.00 to defeat @daveloebsack Donate $2.00 to defeat @SenatorBaldwin Donate $3.00 to defeat @clairecmc Donate $4.00 to defeat @NancyPelosi Donate $5.00 to defeat @RepMaxineWaters Donate $6.00 to defeat @SenWarren

Several of the Project Lakhta Twitter accounts got involved in the Alabama Senate race, and, illustrating that the objective of Lakhta is to CREATE DISSENT AND DISTRUST, they actually tweeted on opposite sides of the campaign:

One Project Lakhta Twitter account, @KaniJJackson, posted on December 12, 2017: 

"Dear Alabama, You have a choice today. Doug Jones put the KKK in prison for murdering 4 young black girls.  Roy Moore wants to sleep with your teenage daughters. This isn't hard. #AlabamaSenate"

while on the same day @JohnCopper16, also a confirmed Project Lakhta Twitter account, tweeted:

"People living in Alabama have different values than people living in NYC. They will vote for someone who represents them, for someone who they can trust. Not you.  Dear Alabama, vote for Roy Moore."

@KaniJJackson was a very active voice for Lakhta.  Here are some additional tweets for that account:

"If Trump fires Robert Mueller, we have to take to the streets in protest.  Our democracy is at stake." (December 16, 2017)

"Who ended DACA? Who put off funding CHIP for 4 months? Who rejected a deal to restore DACA? It's not #SchumerShutdown. It's #GOPShutdown." (January 19, 2018)

@JohnCopper16 also tweeted on that topic: 
"Anyone who believes that President Trump is responsible for #shutdown2018 is either an outright liar or horribly ignorant. #SchumerShutdown for illegals. #DemocratShutdown #DemocratLosers #DemocratsDefundMilitary #AlternativeFacts"   (January 20, 2018)

@KaniJJackson on Parkland, Florida and the 2018 Midterm election: 
"Reminder: the same GOP that is offering thoughts and prayers today are the same ones that voted to allow loosening gun laws for the mentally ill last February.  If you're outraged today, VOTE THEM OUT IN 2018. #guncontrol #Parkland"

They even tweet about themselves, as shown in this pair of tweets!

@JemiSHaaaZzz (February 16, 2018):
"Dear @realDonaldTrump: The DOJ indicted 13 Russian nationals at the Internet Research Agency for violating federal criminal law to help your campaign and hurt other campaigns. Still think this Russia thing is a hoax and a witch hunt? Because a lot of witches just got indicted."

@JohnCopper16 (February 16, 2018): 
"Russians indicted today: 13  Illegal immigrants crossing Mexican border indicted today: 0  Anyway, I hope all those Internet Research Agency f*ckers will be sent to gitmo." 

The Russians are also involved in "getting out the vote" - especially of those who hold strongly divisive views:

@JohnCopper16 (February 27, 2018):
"Dem2018 platform - We want women raped by the jihadists - We want children killed - We want higher gas prices - We want more illegal aliens - We want more Mexican drugs And they are wondering why @realDonaldTrump became the President"

@KaniJJackson (February 19, 2018): 
"Midterms are 261 days, use this time to: - Promote your candidate on social media - Volunteer for a campaign - Donate to a campaign - Register to vote - Help others register to vote - Spread the word We have only 261 days to guarantee survival of democracy. Get to work!"

More recent tweets have been on a wide variety of topics, with other accounts expressing strong views around racial tensions, and then speaking to the Midterm elections: 

@wokeluisa (another confirmed Project Lakhta account): 
"Just a reminder that: - Majority black Flint, Michigan still has drinking water that will give you brain damage if consumed - Republicans are still trying to keep black people from voting - A terrorist has been targeting black families for assassination in Austin, Texas" 

and then, also @wokeluisa: (March 19, 2018): 
"Make sure to pre-register to vote if you are 16 y.o. or older. Don't just sit back, do something about everything that's going on because November 6, 2018 is the date that 33 senate seats, 436 seats in the House of Representatives and 36 governorships will be up for re-election." 

And from @johncopper16 (March 22, 2018):
"Just a friendly reminder to get involved in the 2018 Midterms. They are motivated They hate you They hate your morals They hate your 1A and 2A rights They hate the Police They hate the Military They hate YOUR President" 

Some of the many additional Twitter accounts controlled by the conspiracy mentioned in the Criminal Complaint: 

@UsaUsafortrump, @USAForDTrump, @TrumpWithUSA, @TrumpMov, @POTUSADJT, @imdeplorable201, @swampdrainer659, @maga2017trump, @TXCowboysRawk, @covfefeNationUS, @wokeluisa (2,000 tweets and at least 55,000 followers), @JohnCopper16, @Amconvoice, @TheTrainGuy13, @KaniJJackson, @JemiSHaaaZzz 

Sunday, September 30, 2018

FBI's Crime Data Explorer: What the Numbers Say about Cybercrime

What do the numbers say about Cybercrime?  Not much.  No one is using them.  

There is a popular quote often mis-attributed to the hero of Total Quality Management, Edward Deming:  "If you can't measure it, you can't manage it."  It's one of the first things I think about every year when the FBI releases its annual Crime Statistics Report, as it just did for 2017.   (The "mis-attributed" is because, for all the times he has been quoted, Deming actually said almost the exact opposite.  What he actually said, in "The New Economics," was:  "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.")

Despite being a misquote, I've used it often myself.  There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it.  Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics.  This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases.  Want to test it yourself?  Call your local Police Department and tell them your computer has a virus.  See what happens.

It isn't for lack of law!  Every state in the Union has its own computer crime law, and most of them have a category that would broadly be considered "hacking."  A quick reference to all 50 states' computer crime laws is here:  State Computer Crime Laws - and yet, with a mandate to report hacking to the Department of Justice, almost nobody is doing it.

You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation.  UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):

murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.

The data for calendar year 2017 was just released this week and is now available in a new portal, called the Crime Data Explorer.  Short-cut URL:

To capture other crime types, the Department of Justice has been encouraging the adoption of NIBRS - the National Incident-Based Reporting System.  This system primarily focuses on 52 crime categories, and gathers statistics on several more.  Most importantly for us, it includes several categories of "Fraud Crimes":

  • 2 / 26A / False Pretenses/Swindle/Confidence Game
  • 41 / 26B / Credit Card/ATM Fraud
  • 46 / 26C / Impersonation
  • 12 / 26D / Welfare Fraud
  • 17 / 26E / Wire Fraud
  • 63 / 26F / Identity Theft
  • 64 / 26G / Hacking/Computer Invasion

Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate.  The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data.  Only 7,073 (42%) submitted NIBRS-style data.

Unfortunately, the situation when it comes to cybercrime is even worse.  For SRS-style reporting, all cybercrimes are lumped under "Fraud".  In 2016, SRS reported 10.6 Million arrests.  Only 128,531 of these were for "Fraud" of which cybercrime would be only a tiny portion.

Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis (currently most state data sets, released September 26, 2018, limit the data in each table to only 500 rows).  Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!

Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes.  In 2016, 6,191 law enforcement agencies submitted NIBRS-style data.  Of those 5,074 included at least some "fraud type" crimes.  Here's how they broke down by fraud offense.  Note, these are not the number of CRIMES committed, these are the number of AGENCIES who submitted at least one of these crimes in 2017:

code - # of agencies - fraud type description
 2 - 4315 agencies - False Pretenses/Swindle/Confidence Game
41 - 3956 agencies - Credit Card/ATM Fraud
46 - 3625 agencies - Impersonation
12 -  328 agencies - Welfare Fraud
17 - 1446 agencies - Wire Fraud
63 -  810 agencies - Identity Theft
64 -  189 agencies - Hacking/Computer Invasion

Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016!  When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion".  To explore on your own, visit the NIBRS 2016 Map.  Then under "Crimes Against Property" choose the Fraud type you would like to explore.  This map shows "Hacking/Computer Intrusion."  Where a number shows up instead of a pin, zoom the map to see details for each agency.
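The distinction the post draws matters when you build your own statistics from incident-level NIBRS exports: "agencies that submitted at least one offense of a type" is a distinct-agency count, not an incident count, and the two can diverge widely. The following is an added Python example, not code from the original post or from the FBI's Crime Data Explorer, that computes both counts from constructed, clearly fictitious incident records (the agency identifiers are made up; the offense codes are the NIBRS 26A-26G fraud codes listed above) and the participation rate used in the post.

```python
"""Count NIBRS fraud-type offenses two ways: incidents vs. reporting agencies.

Added example; the incident records below are constructed for illustration
and are not real NIBRS submissions.
"""
from collections import defaultdict

# NIBRS Group A fraud offense codes 26A-26G, as listed in the post.
FRAUD_OFFENSES = {
    "26A": "False Pretenses/Swindle/Confidence Game",
    "26B": "Credit Card/ATM Fraud",
    "26C": "Impersonation",
    "26D": "Welfare Fraud",
    "26E": "Wire Fraud",
    "26F": "Identity Theft",
    "26G": "Hacking/Computer Invasion",
}

# Constructed sample records: (hypothetical agency id, offense code).
SAMPLE_INCIDENTS = [
    ("AGENCY-TN-001", "26E"), ("AGENCY-TN-001", "26E"), ("AGENCY-TN-001", "26F"),
    ("AGENCY-TN-001", "26G"),
    ("AGENCY-AL-001", "26B"), ("AGENCY-AL-001", "26A"), ("AGENCY-AL-001", "26G"),
    ("AGENCY-AL-001", "26G"),
    ("AGENCY-TX-001", "26A"), ("AGENCY-TX-001", "26B"),
    ("AGENCY-CA-001", "26C"),
    ("AGENCY-CA-001", "13A"),  # a non-fraud offense code, ignored below
]


def incidents_per_offense(incidents):
    """Number of reported incidents for each fraud offense code."""
    counts = {code: 0 for code in FRAUD_OFFENSES}
    for _agency, code in incidents:
        if code in counts:
            counts[code] += 1
    return counts


def agencies_per_offense(incidents):
    """Number of distinct agencies that reported at least one incident per code.

    This is the measure shown in the post's table: an agency that reports
    100 hacking cases and one that reports a single case each count once.
    """
    seen = defaultdict(set)
    for agency, code in incidents:
        if code in FRAUD_OFFENSES:
            seen[code].add(agency)
    return {code: len(seen[code]) for code in FRAUD_OFFENSES}


def reporting_agencies(incidents, code):
    """Sorted list of agencies that reported the given offense code."""
    return sorted({agency for agency, c in incidents if c == code})


def participation_rate(reporting, total):
    """Percentage of agencies reporting, rounded to one decimal place."""
    return round(100.0 * reporting / total, 1)


if __name__ == "__main__":
    by_incident = incidents_per_offense(SAMPLE_INCIDENTS)
    by_agency = agencies_per_offense(SAMPLE_INCIDENTS)
    for code, name in FRAUD_OFFENSES.items():
        print(f"{code} {name:42s} incidents={by_incident[code]:3d} "
              f"agencies={by_agency[code]:3d}")
    # The post's national figure: 189 of 18,855 agencies reported code 26G.
    print("26G participation:", participation_rate(189, 18855), "%")
```

The two tallies answer different questions: the incident count says how much of a crime type was recorded, while the agency count says how many departments recognize the category at all, which is the gap the post is pointing at for hacking and malware cases.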

Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports

As an example, zooming in on the number in Tennessee, I can now see a red pin for Nashville.  When I hover over that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:

Clicking on "Nashville" as an example

I have requested access to the full data set for 2017.  I'll be sure to report here when we have more to share.