Monday, May 28, 2018

Affiliate Movie Streaming Scam Service

Dear readers,

I'm sharing some information here in the hope that someone can identify the criminal affiliate program at the root of this scam service.

The scam begins with what seems to be an automated bot response posted on Facebook.  One of the outstanding questions -- can anyone identify the bot that is making these spammy posts?  These are a few examples from the many thousands observed over the past week.

Step One: Unknown malware uses stolen Facebook credentials to post a spammy comment link.

We'll do just one walk-through here, but each of these posts works the same way.  The spam post, which is usually added as a comment on a publicly shared post that mentions a movie, links to a Facebook page.  Let's walk through the Ogbani Wanyu post first.

Step Two: The Spam link points to a Facebook page created to share a shortened URL.

For each recently popular movie, a Facebook page has been created that claims to offer the full movie and shares a shortened URL, usually links, but we've also seen links.

Step Three: A shortened URL redirects to a Blogspot page (sometimes other types of pages)

The shortened URL on the fake IMDB page has received 4,298 clicks as of this writing.  It is important to note that we've seen A COUPLE HUNDRED of these pages so far, and each shortened URL points to a different redirection page.  About 80% of those we've traced so far go to Blogspot pages.

Step Four: A Blogspot page hosts a movie streaming service affiliate page

These Blogspot pages promise free streaming of many movies that are still in theaters.  Currently these include Solo (the new Star Wars movie), Avengers: Infinity War, Deadpool 2, Rampage, and many other movies that were only recently released in theaters.

Some of the top affiliates in this program actually point their shortened URL at a free ".tk" domain, which then randomly sends the traffic to one of their dozens of Blogspot blogs.  That is the situation with Gmail user who has at least 50 blogs associated with that one Gmail account!  Each link takes the visitor to yet another movie streaming redirector site:

Step Five: Try to stream a Movie ... redirects to the streaming service and credits the affiliate

So, let's try to stream "Ant-Man and the Wasp" which, as of this writing, hasn't even been released to theaters yet.

We are now redirected to the streaming service ... in this case, the site is "" but that is one of dozens as well.  Note the "sub=doelsumbang" ... that part of the URL is the affiliate name that should receive credit for the income generated from this click.  That sub value is the most useful pivot for grouping these pages: every landing URL carrying the same value is earning for the same affiliate, no matter who registered the blog or shortened URL in front of it.

Many of the affiliate blogspot pages point to streaming services that have names similar to the old PutLocker criminal streaming service.
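Tracing these chains by hand gets tedious once there are a couple hundred of them, and the ".tk" randomizer means a single trace only shows one of the affiliate's blogs.  The script below is an added example written for this post, not code from the original article or from the affiliate program.  It models the chain described in Steps Two through Five (shortened URL, .tk randomizer, one of several Blogspot pages, streaming site with a "sub=" parameter), follows it one hop at a time without ever auto-following redirects, stops on loops, and repeats the trace so the randomizer reveals all of its targets.  Every hostname, path and movie slug in it is constructed for the demonstration; only the parameter name "sub" and the value "doelsumbang" come from the post.

```python
"""Trace a movie-scam redirect chain and tally the affiliate IDs it credits.

Added example for this post, not code from the original article.  It models
the chain the post describes: shortened URL -> free .tk randomizer -> one of
several Blogspot pages -> streaming site whose URL carries a "sub=" affiliate
parameter.  All hostnames and paths below are constructed for the demo; only
the parameter name "sub" and the value "doelsumbang" come from the post.
"""
import random
from collections import Counter
from urllib.parse import parse_qs, urljoin, urlsplit

MAX_HOPS = 10

# Constructed stand-in for live HTTP responses: url -> Location header.
# A list value means the hop picks one target at random (the .tk randomizer).
FAKE_WEB = {
    "https://short.example/abc": "http://rand.example.tk/",
    "http://rand.example.tk/": [
        "https://blog-a.blogspot.example/2018/05/solo.html",
        "https://blog-b.blogspot.example/2018/05/deadpool2.html",
    ],
    "https://blog-a.blogspot.example/2018/05/solo.html":
        "https://stream.example/signup?sub=doelsumbang&movie=solo",
    "https://blog-b.blogspot.example/2018/05/deadpool2.html":
        "https://stream.example/signup?sub=doelsumbang&movie=deadpool2",
}


def make_fake_fetch(seed=1):
    """Return a fetch(url) callback over FAKE_WEB with a seeded RNG."""
    rng = random.Random(seed)

    def fetch(url):
        target = FAKE_WEB.get(url)
        if isinstance(target, list):
            return rng.choice(target)
        return target  # None means a final page (no redirect)
    return fetch


def live_fetch(url, timeout=10):
    """One real request with redirects disabled, so every hop is observed.
    Returns the absolute Location for a 3xx response, None otherwise.
    Not exercised by the offline demo.  Caveat: a Blogspot page that forwards
    with JavaScript or a meta refresh is a final page to this function; the
    next hop then has to be pulled out of the HTML separately."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # let the 3xx surface as an HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(url, timeout=timeout).close()
        return None
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        if err.code in (301, 302, 303, 307, 308) and loc:
            return urljoin(url, loc)
        return None


def trace(start, fetch, max_hops=MAX_HOPS):
    """Follow the chain one hop at a time.  Returns (urls, status) where
    status is "landed", "loop" or "max_hops"; never spins on a redirect loop."""
    chain, seen = [start], {start}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "landed"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "max_hops"


def affiliate_id(url, param="sub"):
    """The affiliate credited by a landing URL, or None if the parameter is absent."""
    return parse_qs(urlsplit(url).query).get(param, [None])[0]


def survey(start, fetch, runs=40):
    """Trace the same start URL repeatedly so a randomizing hop reveals all of
    its targets.  Returns (hosts seen per run, affiliate IDs credited)."""
    hosts, affiliates = Counter(), Counter()
    for _ in range(runs):
        chain, status = trace(start, fetch)
        hosts.update({urlsplit(u).netloc for u in chain})  # once per run
        if status == "landed":
            affiliates[affiliate_id(chain[-1])] += 1
    return hosts, affiliates


if __name__ == "__main__":
    hosts, affiliates = survey("https://short.example/abc", make_fake_fetch())
    for host, n in hosts.most_common():
        print(f"{n:3d}  {host}")
    print("affiliates credited:", dict(affiliates))
```

To run it against a real chain, pass `live_fetch` in place of `make_fake_fetch()` and keep the hop limit: a shortener that redirects back into itself would otherwise loop forever.  The per-run host tally is what surfaces the affiliate's full set of Blogspot blogs behind a single .tk randomizer, and the affiliate counter is what you would then pivot on across all of the shortened URLs you collect.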

Step Six: Register your "Free Account" 

Oops!  We can't watch the movie yet!  We haven't registered our "Free Account!" 

Stream your favorite movies FOR FREE!  Sign up FOR FREE!   FREE Unlimited Access!

Step Seven: Provide your Credit Card for the Free Service!

Step Eight: Get Billed $39.95 per month

So, how much do you suppose this Free service will cost you?

That's right....$39.95 per month ... FOREVER.

But wait!  I thought it was FREE!?!?!? 

Did you read the Terms & Conditions?   Free trials last 24 hours, after which they automatically convert to premium accounts, billable at $39.95 per month.

Upon completion of the free trial period, your signup to the Site will renew automatically on a monthly basis billed as stipulated in your signup process, until cancelled regardless of the length of your free trial period. Please note, prices for the service may vary depending on country, device, service offered and promotions. The first day following the expiration of your free trial period will be your anniversary date for billing purposes during your Monthly Package Term. Your Payment Method will be charged the recurring monthly package fees and any applicable sales tax on the day following the expiration of your free trial period unless you have chosen to cancel your package prior to the conclusion of the free trial period. YOU MUST CANCEL YOUR MONTHLY PACKAGE PRIOR TO THE END OF THE FREE TRIAL OFFER TO AVOID CHARGES TO YOUR PAYMENT METHOD. You will not receive any notification from Silveris s.r.o. online at the expiration of your free trial. Please note the expiration date of your free trial for your records.

The Ask: Do you know more about this scam?

If you have additional information about any parts of this scam, we'd love to hear from you.  Examples of things we'd like to know:

1. Where does this program sign up affiliates?

2. What malware is making the Facebook spam comment posts?

3. Who runs the affiliate program?

Other gaming, movie, and book websites offering the same scammy terms of service: 

A Small Sampling of Blogs related to this scam:

Sunday, May 13, 2018

How to Steal a Million: The Memoirs of a Russian Hacker

As a University researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time."  Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey.  I was surprised last January to be contacted and to learn that he had completed a ten-year prison sentence and had written a book.   I have to say, I wasn't expecting much.  This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional.  I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"

[Photo: My copy of the book!]

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them.  Sergey shows how a criminal can rise quickly in the Russian cybercrime world through the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets.  But he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison.  Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside.  The bone-crushing beatings, the deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him are a constant reminder that eventually everyone gets caught, and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book.  Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job.  It is a moral dilemma.  Do I lend assistance to a man who stole millions of dollars from thousands of Americans?  Read the book.  To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and forced to face the reality of ten years in a Russian prison.  I think the book has value as a warning -- "a few months or even a couple of years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX Data Breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script, if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.