Breadcrumbs


13
Dec 14

SpamHaus, CloudFlare Attacker Pleads Guilty

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

narko-stophausIn late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”

In April 2013, an unnamed then-16-year-old male from London identified only by his hacker alias “Narko,” was arrested and charged with computer misuse and money laundering in connection with the attack.

Sources close to the investigation now tell KrebsOnSecurity that Narko has pleaded guilty to those charges, and that Narko’s real name is Sean Nolan McDonough. A spokesman for the U.K. National Crime Agency confirmed that a 17-year-old male from London had pleaded guilty to those charges on Dec. 10, but noted that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

During the assault on SpamHaus, Narko was listed as one of several moderators of the forum Stophaus[dot]com, a motley crew of hacktivists, spammers and bulletproof hosting providers who took credit for organizing the attack on SpamHaus and CloudFlare.

WHO RUNS STOPHAUS?

It is likely that McDonough/Narko was hired by someone else to conduct the attack. So, this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.

cocg-fbNot long after McDonough’s arrest, a new Facebook page went online called “Freenarko,” which listed itself as “a solidarity support group to help in the legal defense and media stability for ‘Narko,’ a 16-yr old brother in London who faces charges concerning the Spamhaus DDoS attack in March.”

Multiple posts on that page link to Stophaus propaganda, to the Facebook page for the Church of the Common Good, and to a now-defunct Web site called “WeAreHomogeneous.org” (an eye-opening and archived copy of the site as it existed in early 2013 is available at archive.org; for better or worse, the group’s Facebook page lives on).

The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).

Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”

More recent entries in Andrew’s LinkedIn profile show that he now sees his current job as a “social engineer.” From his page:

“I am a what you may call a “Social Engineer” and have done work for several information security teams. My most recent operation was with a research team doing propaganda analysis for a media firm. I have a unique ability to access data that is typically inaccessible through social engineering and use this ability to gather data for research purposes. I have a knack for data mining and analysis, but was not formally trained so am able to think outside the box and accomplish goals traditional infosec students could not. I am proficient at strategic planning and vulnerability analysis and am often busy dissecting malware and tracking the criminals behind such software. There’s no real title for what I do, but I do it well I am told.”

Turns out, Andrew J. Stephens used to have his own Web site — andrewstephens.org. Here, the indispensable archive.org helps out again with a cache of his site from back when it launched in 2011 (oddly enough, the same year that Stophaus claims to have been born). On his page, Mr. Stephens lists himself as an “internet entrepreneur” and his business as “IBT.” Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”

Stephens did not return requests for comment sent to his various contact addresses, although a combative individual who uses the Twitter handle @Stophaus and has been promoting the group’s campaign refused to answer direct questions about whether he was in fact Andrew J. Stephens.

Continue reading →


5
Nov 14

Still Spamming After All These Years

A long trail of spam, dodgy domains and hijacked Internet addresses leads back to a 37-year-old junk email purveyor in San Diego who was the first alleged spammer to have been criminally prosecuted 13 years ago for blasting unsolicited commercial email.

atballLast month, security experts at Cisco blogged about spam samples caught by the company’s SpamCop service, which maintains a blacklist of known spam sources. When companies or Internet service providers learn that their address ranges are listed on spam blacklists, they generally get in touch with the blacklister to determine and remediate the cause for the listing (because usually at that point legitimate customers of the blacklisted company or ISP are having trouble sending email).

In this case, a hosting firm in Ireland reached out to Cisco to dispute being listed by SpamCop, insisting that it had no spammers on its networks. Upon investigating further, the hosting company discovered that the spam had indeed come from its Internet addresses, but that the addresses in question weren’t actually being hosted on its network. Rather, the addresses had been hijacked by a spam gang.

Spammers sometimes hijack Internet address ranges that go unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker (for another example of IP address hijacking, also known as “network identity theft,” check out this story I wrote for The Washington Post back in 2008).

So who’s benefitting from the Internet addresses wrested from the Irish hosting company? According to Cisco, the addresses were hijacked by Mega-Spred and Visnet, hosting providers in Bulgaria and Romania, respectively. But what of the spammers using this infrastructure?

One of the domains promoted in the spam that caused this ruckus — unmetegulzoo[dot]com — leads to some interesting clues. It was registered recently by a Mike Prescott in San Diego, to the email address mikeprescott7777@gmail.com. That email was used to register more than 1,100 similarly spammy domains that were recently seen in junk email campaigns (for the complete list, see this CSV file compiled by DomainTools.com).

Enter Ron Guilmette, an avid anti-spam researcher who tracks spammer activity not by following clues in the junk email itself but by looking for patterns in the way spammers use the domains they’re advertising in their spam campaigns. Guilmette stumbled on the domains registered to the Mike Prescott address while digging through the registration records on more than 14,000 spam-advertised domains that were all using the same method (Guilmette asked to keep that telltale pattern out of this story so as not to tip off the spammers, but I have seen his research and it is solid).

persaud-fbOf the 5,000 or so domains in that bunch that have accessible WHOIS registration records, hundreds of them were registered to variations on the Mike Prescott email address and to locations in San Diego. Interestingly, one email address found in the registration records for hundreds of domains advertised in this spam campaign was registered to a “michaelp77x@gmail.com” in San Diego, which also happens to be the email address tied to the Facebook account for one Michael Persaud in San Diego.

Persaud is an unabashed bulk emailer who’s been sued by AOL, the San Diego District Attorney’s office and by anti-spam activists multiple times over the last 15 years. Reached via email, Persaud doesn’t deny registering the domains in question, and admits to sending unsolicited bulk email for a variety of “clients.” But Persaud claims that all of his spam campaigns adhere to the CAN-SPAM Act, the main anti-spam law in the United States — which prohibits the sending of spam that spoofs that sender’s address and which does not give recipients an easy way to opt out of receiving future such emails from that sender.

As for why his spam was observed coming from multiple hijacked Internet address ranges, Persaud said he had no idea. Continue reading →


24
Jun 14

The ‘Fly’ Has Been Swatted

A Ukrainian man who claimed responsibility for organizing a campaign to send heroin to my home last summer has been arrested in Italy on suspicion of trafficking in stolen credit card accounts, among other things, KrebsOnSecurity.com has learned.

Sergei "Fly" Vovnenko was arrested in Naples, Italy.

Passport photo for Sergei “Fly” Vovnenko. He was arrested in Naples, Italy earlier this month.

Last summer, appropos of nothing, an infamous cybercrook known as “Fly,” “Flycracker” and “Muxacc” began sending me profane and taunting tweets. On top of this, he posted my credit report on his blog and changed his Twitter profile picture to an image of an action figure holding up my severed head.

The only thing I knew about Fly then was that he was the founder and administrator of a closely-guarded Russian-language crime forum called thecc.bz (the “cc” part referring to credit cards). Fly also was a trusted moderator on Mazafaka, one of the most exclusive and venerable Russian carding forums online today.

Shortly after Fly began sending those nasty tweets, I secretly gained access to his forum, where I learned that he had hatched a plot to buy heroin on the Silk Road, have it shipped to my home, and then spoof a call from one of my neighbors to the local police when the drugs arrived (see Mail from the Velvet Cybercrime Underground).

Thankfully, I was able to warn the cops in advance, even track the package along with the rest of the forum members thanks to a USPS tracking link that Fly had posted into a discussion thread on his forum.

Angry that I’d foiled his plan to have me arrested for drug possession, Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

Irina Gumenyuk-Vovnenko lists her hometown as Naples in her Odnoklassniki.ru profile.

Irina Gumenyuk-Vovnenko’s lists her hometown as Naples in her Odnoklassniki.ru profile.

After this incident, I became intensely curious about the identity of this Fly individual, so I began looking through databases of hacked carding and cybercrime forums. My first real break came when Russian computer forensics firm Group-IB provided a key piece of the puzzle (they also were quite helpful on the heroin sleuthing as well). Group-IB found that on the now-defunct vulnes[dot]com, Fly maintained an account under the nickname Flycracker, and signed up with the email address mazafaka@libero.it (.it is the country code for Italy).

According to a trusted source in the security community, that email account was somehow compromised last year. The source said the account was full of emailed reports from a keylogging device that was tied to another email address — 777flyck777@gmail.com (according to Google, mazafaka@libero.it is the recovery email address for 777flyck777@gmail.com).

Those keylog reports contained some valuable information, and indicated that Fly had planted a keylogger on his wife Irina’s computer. On several occasions, those emails show Fly’s wife typed in her Gmail address, which included her real first and last name — Irina Gumenyuk.

Later, Gumenyuk would change the surname on her various social networking profiles online to Vovnenko. She even mentioned her husband by name several times in emails to friends, identifying him as 28-year-old “Sergei Vovnenko”. Payment information contained in those emails — including shipping and other account information — put the happy couple and their young son in Naples, Italy. Continue reading →


15
Jan 14

A First Look at the Target Intrusion, Malware

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

The seller of the point-of-sale "memory dump" malware used in the Target attack.

The seller of the point-of-sale “memory dump” malware allegedly used in the Target attack.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.

This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

‘BLACK POS’

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache (Update, Jan. 16, 9:29 a.m.: Sometime after this story ran, Google removed the cached ThreatExpert report; I’ve uploaded a PDF version of it here).

According to sources, "ttcopscli3acs" is the name of the Windows share point used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r"

According to sources, “ttcopscli3acs” is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the malware used to upload stolen data data was “Best1_user”; the password was “BackupU$r”

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis –“POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.

pos-fbiThat source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

Continue reading →


6
Jan 14

Deconstructing the $9.84 Credit Card Hustle

Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.

homecsOne reader said the $9.84 charge on her card  came with a notation stating the site responsible was eetsac.com. I soon discovered that there are dozens of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.

I did a bit of digging into that eetsac.com domain, ordering a historic WHOIS report from domaintools.com. The report shows that the domain eetsac.com was originally registered using the email address walter.kosevo@ymail.com. Domaintools also reports that this email address was used to register more than 230 other sites; a full list is available here (CSV).

A closer look at some of those domains reveals a few interesting facts. Callscs.in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs.in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075.

iwepThe next site like that one on the list — cewcs.com — references the domain insiderwebeducationpro.com, another domain on the list of sites registered to that ymail.com email address. The homepage of insiderwebeducationpro.com lists the following contact information:

Copyright © 2014. All Rights Reserved – Lasorea Ltd

Lasorea Ltd.
Site and billing supported by:cewcs.com cs@cewcs.com
Premier Business Centre 47-49 Park Royal Road
London UK NW107LQ
8555311090

A search at companieshouse.gov.uk, a government site which maintains records about companies based in the United Kingdom, turned up incorporation records (PDF) showing that Lasorea Ltd. was founded in January 2013 by Emil Darbinian, a 28-year-old self-described accountant from Nicosia, Cyprus. Other records searches on Mr. Darbinian indicate he owns at least two other companies at the same address, including Testohealth Labs. Ltd — which appears to be a software company — and a firm called Levantos Venture Ltd. Mr. Darbinian did not return messages seeking comment.

Another domain on the list — etosac.com — is listed as the support and billing site for webtutorialpro.com, a site which bills itself as an “affiliate learning system.” In fact, of the 235 domains registered to walter.kosevo@ymail.com, all seem to be either affiliate programs of one kind (diet pills, work-at-home) or support/call center sites.

Dozens of sites like this one are the source of the $9.84 charges.

Dozens of sites like this one are the apparent source of the $9.84 charges.

Webtutorialpro.com lists on its homepage a company named Lukria, Ltd., and an address at the same London business park as Mr. Darbinian’s companies. If we step through the signup process to become an affiliate at Webtutorialpro.com, we can see that everything — from the “online store in a box” to “pay per click extreme” and the tutorial on “how to get FREE web traffic — all retail for….wait for it….$9.84!

Lukria, according to incorporation documents (PDF) purchased from companieshouse.co.uk, was created on the same day as Lasorea Ltd., and lists as its director a Sergey Babayan, also from Cyprus. According to the Facebook pages of both Mr. Darbinian and Mr. Babayan, the two men are friends. Mr. Babayan has not responded to requests for comment.

Mr. Babayan’s Facebook profile says he works at a company called Prospectacy Limited, which LinkedIn says is an accounting firm in Nicosia, Cyprus. According to Prospectacy’s Web site, this company specializes in “corporate services,” including “company formation,” “banking,” and “virtual office” services. The company seems to be in the business of establishing offshore firms; according to a reverse WHOIS record lookup from domaintools.com, the email address used to register Prospectacy’s domain also was used to register at least ten other domains, including registerincyprus.com, registerinuk.com, setupincyprus.com and setupineu.com.

A number of these affiliate sites include on their home page links to credorax.com, a Southborough, Mass. based acquiring bank Malta-based acquiring bank that is in the business of processing credit and debit card payments for merchants. It’s not clear whether either cewcs.com or insiderwebeducationpro.com use Credorax Inc. for payment processing, but it seems to suggest that by association. I reached out to Credorax to learn whether this site (and perhaps others that are the subject of this story) are customers, and will update this story if I hear back from them.

Update, 12:43 p.m. ET: I heard from Michael Burtscher, vice president of acquiring risk and fraud management at Credorax. Burtscher clarified that his company has offices in the U.S. but is based in Malta. Burtscher confirmed that Credorax had until recently helped to process cards for the network of sites named in this story, but that the company has severed that relationship. He declined to say when exactly the relationship ended, or indeed whether my information about the client’s identities was accurate. Burtscher would only say that Credorax terminated its relationship with the client in response to consumer complaints about the fraudulent charges. “This was one of those cases where when we onboarded them it looked like a legitimate account, but when we saw there were issues we decided to take action.”

Continue reading →


24
Dec 13

Who’s Selling Credit Cards from Target?

The previous two posts on this blog have featured stories about banks buying back credit and debit card accounts stolen in the Target hack and that ended up for sale on rescator[dot]la, a popular underground store. Today’s post looks a bit closer at open-source information on a possible real-life identity for the proprietor of that online fraud shop.

Rescator[dot]la is run by a miscreant who uses the nickname Rescator, and who is a top member of the Russian and English language crime forum Lampeduza[dot]la. He operates multiple online stores that sell stolen card data, including rescator[dot]la, kaddafi[dot]hk, octavian[dot]su and cheapdumps[dot]org. Rescator also maintains a presence on several other carding forums, most notably cpro[dot]su and vor[dot]cc.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator's email flood service at the bottom.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom; this will become important as you read on.

In an Aug. 2011 thread that has since been deleted, Rescator introduced himself to the existing members of vor[dot]cc, a fairly exclusive Russian carding forum. When new members join a carding community, it is customary for them to explain their expertise and list previous nicknames and forums on which they have established reputations.

Rescator, a.k.a. "Hel" a.k.a. "Helkern" the onetime administrator of the Darklife forum, introduces himself to vor[dot]cc crime forum members.

Rescator, a.k.a. “Hel” a.k.a. “Helkern” the onetime administrator of the Darklife forum, introduces himself to vor[dot]cc crime forum members.

In the thread pictured above, we can see Rescator listing his bona fides and telling others he was “Hel,” one of three founders of darklife[dot]ws, a now-defunct hacker forum. In the screen shot below, Rescator clarifies that “Hel, in fact, is me.”

Rescator says his former nickname was "Hel," short for Helkern, the administrator of Darklife.

Rescator says his former nickname was “Hel,” short for Helkern, the administrator of Darklife.

The only darklife member who matched that nickname was “Helkern,” one of darklife’s three founders. Darklife administrators were all young men who fancied themselves skilled hackers, and at one point the group hacked into the venerable and closely-guarded Russian hacking forum cih[dot]ms after guessing the password of an administrator there.

Darklife admin "Helkern" brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.

Darklife admin “Helkern” brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.

In a counterattack documented in the entertaining thread that is still posted as a trophy of sorts at cih[dot]ms/old/epicfail, hackers from cih[dot]ms hacked into the Darklife forum, and posted personal photos of Helkern and fellow Darklife leaders, including these two of Helkern:

helkern1

And a self-portrait of Helkern:

helkern-self

So if Helkern is Rescator, who is Helkern? If we check at some of the other Russian forums that Helkern was active in at the time that Darklife was online in 2008, we can see he was a fairly frequent contributor to the now-defunct Grabberz[dot]com; in this cached post, Helkern can be seen pasting an exploit he developed for a remote SQL injection vulnerability. In it, he claims ownership of the ICQ instant messenger address 261333.

Continue reading →


9
Dec 13

Who Is Paunch?

Last week, the world got the first glimpses of a man Russian authorities have accused of being “Paunch,” a computer crime kingpin whose “Blackhole” crimeware package has fueled an explosion of cybercrime over the past several years. So far, few details about the 27-year-old defendant have been released, save for some pictures of a portly lad and a list of his alleged transgressions. Today’s post follows a few clues from recent media coverage that all point to one very likely identity for this young man.

Dmitry Fedotov from Togliatti, Russia.

Dmitry Fedotov from Togliatti, Russia.

The first story in the Western media about Paunch’s arrest came on Oct. 8, 2013 from Reuters, which quoted an anonymous former Russian police detective.  But the initial news of Paunch’s arrest appears to have broken on Russian news blogs several days earlier. On Oct. 5, Russian news outlet neslushi.info posted that a hacker by the name of Dmitry Fedotov had been arrested the night before in Togliatti, a city in Samara Oblast, Russia. The story noted that Fedotov was wanted for creating a program that was used by various organized crime groups to siphon roughly 26 billion rubles (USD $866 million) from unnamed banks. Another story from local news site Samara.ru on Oct. 8 references a Dmitry F. from Togliatti.

This is an interesting lead; last week’s story on Paunch cited information released by Russian forensics firm Group-IB, which did not include Paunch’s real name but said that he resided in Togliatti.

Fast-forward to this past week, and we see out of the Russian publication Vedomosti.ru a story stating that Paunch owned his own Web-development company. That story also cited Group-IB saying that Paunch had experience as an advertising manager. This Yandex profile includes a resume for a Dmitry Fedotov from Togliatti who specializes in Web programming and advertising, and lists “hack money” under his “professional goals” section. It also states that Fedotov attended the Volga State University of Service from 2003-2005.

That Yandex profile for Fedotov says his company is a site called “neting.ru,” a Web development firm. The current Web site registration records for that domain do not include an owner’s name, but a historic WHOIS record ordered from domaintools.com shows that neting.ru was originally registered in 2004 by a Dmitry E. Fedotov, using the email addresses box@neting.ru and tolst86@mail.ru.

A cached contact page for neting.ru at archive.org shows the same box@neting.ru email address and includes an ICQ instant messenger address, 360022. According to ICQ.com, that address belongs to a user who picked the nickname “tolst,” which roughly translates to “fatty.”

A user who picked the nickname "tolst" or "fatty" posted this image of his new Porsche Cayenne in March 2013

A user who picked the nickname “tolst” or “fatty” posted this image of his new Porsche Cayenne in March 2013

This brings up something I want to address from last week’s story: Some readers said they thought it was insensitive of me to point out that Paunch himself called attention to his most obvious physical trait. But this seems to be a very important detail: Paunch had a habit of picking self-effacing nicknames.

The pictures of Paunch released by Group-IB show a heavyset young man, and Paunch seems to have picked nicknames that called attention to his size. One email address known to have been used by the Blackhole author was “paunchik@googlemail.com” (“paunchik” means “doughnut” in Russian). Blackhole exploit kit users who wished to place their advertisements in the crimeware kit itself so that other customers would see the ads were instructed to pay for the advertisements by sending funds to a Webmoney purse Z356971281174, which is tied to the Webmoney ID 561656619879; that Webmoney ID uses the alias “puzan,” a variant of the Russian word пузо, or “potbelly.”

Turns out, “tolst” was a common nickname picked by Paunch. We can see a user who picked that same “tolst” nickname posting in a Russian car forum in March 2013 about his new ride: a white Porsche Cayenne. According to this photo released by Group-IB, Paunch also owned a white Porsche Cayenne. Tolst posted pictures of the interior of his Porsche here.

Continue reading →


25
Nov 13

Spam-Friendly Registrar ‘Dynamic Dolphin’ Shuttered

The organization that oversees the Internet domain name registration industry last week revoked the charter of Dynamic Dolphin, a registrar that has long been closely associated with spam and cybercrime.

Scott Richter. Image: 4law.co.il

Scott Richter. Image: 4law.co.il

The move came almost five years after this reporter asked the Internet Corporation for Assigned Names and Numbers (ICANN) to investigate whether the man at the helm of this registrar was none other than Scottie Richter, an avowed spammer who has settled multi-million-dollar spam lawsuits with Facebook, Microsoft and MySpace over the past decade.

According to the contracts that ICANN requires all registrars to sign, registrars may not have anyone as an officer of the company who has been convicted of a criminal offense involving financial activities. While Richter’s spam offenses all involve civil matters, this reporter discovered several years ago that Richter had actually pleaded guilty in 2003 to a felony grand larceny charge.

Richter’s felony rap was detailed in a January 2004 story in the now-defunct Rocky Mountain News; a cached copy of that story is here. It explains that Denver police were investigating a suspected fencing operation involving the purchase and sale of stolen goods by Richter and his associates. Richter, then 32, was busted for conspiring to deal in stolen goods, including a Bobcat, a generator, laptop computers, cigarettes and tools. He later pleaded guilty to one count of grand larceny, and was ordered to pay nearly $38,000 in restitution to cover costs linked to the case.

After reading this story, I registered with the Colorado state courts Website and purchased a copy of the court record detailing Richter’s conviction — available at this link (PDF) — and shared it with ICANN. I also filed an official request with ICANN (PDF) to determine whether Richter was in fact listed as a principal in Dynamic Dolphin. ICANN responded in 2008 that it wasn’t clear whether he was in fact listed as an officer of the company.

But in a ruling issued last week, ICANN said that analysis changed after it had an opportunity to review information regarding Dynamic Dolphin’s voting shares.

“Prior to this review, ICANN had no knowledge that Scott Richter was the 100% beneficial owner of Dynamic Dolphin,” ICANN wrote. “In light of this review, ICANN initiates a review of the application for accreditation from 2011. Based on Section II. B. of the Statement of Registrar Accreditation Policy, Dynamic Dolphin did not disclose in its application for accreditation that Scott Richter was the 100% beneficial owner of Dynamic Dolphin or that Scott Richter was convicted in 2003 for a felony relating to financial activities.”

ICANN has ordered that Dynamic Dolphin be stripped of its accreditation as a registrar, and that all domains registered with Dynamic Dolphin be transferred to another registrar within 28 days. Neither Richter nor a representative for Dynamic Dolphin could be immediately reached for comment.

ICANN’s action is long overdue. Writing for The Washington Post in May 2008, this author called attention to statistics gathered by anti-spam outfit Knujon (“NOJUNK” spelled backwards), which found that more than three quarters of all Web sites advertised through spam at the time were clustered at just 10 domain name registrars. Near the top of that list was Dynamic Dolphin, a registrar owned by an entity called CPA Empire, which in turn is owned by Media Breakaway LLC – Richter’s company. Another story published around that same time by The Washington Post showed that Media Breakaway was behind the wholesale hijacking of some 65,586 Internet addresses from a San Francisco, Calif. organization that was among the early pioneers of the Internet.

Continue reading →


2
Oct 13

Feds Take Down Online Fraud Bazaar ‘Silk Road’, Arrest Alleged Mastermind

Defendant Charged With Drug Trafficking, Hacking, Money Laundering

Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering.

A screen shot of the Silk Road Web site, taken Oct. 23, 2013.

A screen shot of the Silk Road Web site, taken Oct. 2, 2013.

The Silk Road is an online black market that as late as last month was hosting nearly 13,000 sales listings for controlled substances, including marijuana, LSD, heroin, cocaine, methamphetamine and ecstasy. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services.

The Silk Road is not available via the regular Internet. Rather, it is only reachable via the Tor network, an anonymity network that bounces its users communications across a distributed network of relays run by volunteers all around the world.

That is, it was until this week, when FBI agents arrested its alleged proprietor and seized the Web servers running the site. The feds also replaced the Silk Road’s home page with a message saying that the site had been seized by the FBI, Homeland Security Department and the Drug Enforcement Administration.

According to a complaint unsealed this week, Ulbricht alone controlled the massive profits generated from the operation of the business. The government alleges that Ulbricht also controlled and oversaw all aspects of the Silk Road, including: the maintenance of the computer infrastructure and programming code underlying the Silk Road Web site; the determination of vendor and customer policies; decisions about what could be sold on the site; and managing a small staff of online administrators who assisted with the day-to-day operations.

The Silk Road didn’t just sell drugs. For example, the complaint identifies 801 for-sale listings under “digital goods,” which included banking Trojans, pirated content, and hacked accounts at Netflix and Amazon. The “forgeries” section of the Silk Road featured 169 ads from vendors of fake driver’s licenses, passports, Social Security cards, utility bills, credit card statements, car insurance records, and other forms of identity documents.

An ad for heroin on the Silk Road. Notice this seller has 97 feedback points.

An ad for heroin on the Silk Road. Notice this seller has 97 feedback points.

Another popular section of the Silk Road included 159 listings for generic “Services,” mostly those listed by computer hackers offering such services as hijacking Twitter and Facebook accounts of the customer’s choosing. Other classified ads promised the sale of anonymous bank accounts, counterfeit bills, firearms and ammunition, and even hitmen for hire.

FBI investigators said that on or about March 29, 2013, Ulbricht contacted a Silk Road seller “Redandwhite” to see about hiring him to to take out another Silk Road user — someone going by the nickname “FriendlyChemist” — who was threatening to release the identities of thousands of users of the site.

From the government’s complaint: “Asked what sort of problem FriendlyChemist was causing him, DPR responded in a message dated March 30, 2013, ‘[H]e is threatening to expose the identities of thousands of my clients that he was able to acquire….[T]his kind of behavior is unforgivable to me. Especially here on Silk Road, anonymity is sacrosanct.'” As to the murder-for-hire job he was soliciting, DPR commented that “[i]t doesn’t have to be clean.”

Later that same day, redandwhite sent DPR a message quoting him a price of $150,000 to $300,000, “depending on how you want it done, ‘clean’ or ‘non-clean’.

On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.”

DPR, allegedly using the nickname "altoid" seeks to hire a tech expert for the Silk Road via bitcointalk.org

DPR, allegedly using the nickname “altoid” seeks to hire a tech expert for the Silk Road via bitcointalk.org

According to investigators, the two ultimately settle on a price of $150,000, and that Ulbricht paid for the transaction using Bitcoins — an anonymous virtual currency — sending the would-be hit man 1,670 bitcoins for the arranged hit. Bitcoin currency rates fluctuate quite a bit from day to day, but historic sites that track Bitcoin rates show that one bitcoin around that date in late March 2013 was worth about USD $90, meaning investigators believe Ulbricht paid approximately $150,300 for the hit.

The government’s complaint states that the hit wasn’t carried out, but it also doesn’t seem that FriendlyChemist was the source of investigators’ break in this case. That would come on July 23, 2013, when investigators gained access to a Silk Road server and made a complete copy of the data on the machine.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at University of California San Diego, said the information contained on the server seized by investigators indicates that Ulbricht/Dread Pirate Roberts routinely failed to heed his own advice to fellow Silk Road users: Prominent on the Silk Road site were links to tutorials DPR penned which laid out the technologies and techniques that users should adopt if they want to keep off the radar of federal investigators.

“This shows me that the head of the Silk Road wasn’t using [encryption] for all his communications, because [the government] wouldn’t have all of this information otherwise, unless of course he stored his encryption key on the server that was seized,” Weaver said. “Either [the government] got his encryption key off of this server or another server that they were able to access, or he wasn’t using encryption at all.”

The complaint also suggests that in June 2013, Ulbricht accessed a server used to control the Silk Road site from an Internet cafe that was 500 feet from the hotel he was staying at in San Francisco.

Continue reading →


9
Sep 13

Spy Service Exposes Nigerian ‘Yahoo Boys’

A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored.

The login page for the BestRecovery online keylog service.

The login page for the BestRecovery online keylog service.

At issue is a service named “BestRecovery” (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right).

But that was before I shared a link to the site with a grey hat hacker friend, who replied in short order with the entire username and password database of more than 3,000 paying customers.

Initially, I assumed my source had unearthed the data via an SQL injection attack or some other  database weakness. As it happens, the entire list of users is recoverable from the site using little more than a Web browser.

The first thing I noticed upon viewing the user list was that a majority of this service’s customers had signed up with yahoo.com emails, and appeared to have African-sounding usernames or email addresses. Also, running a simple online search for some of the user emails (dittoswiss@yahoo.com, for example) turned up complaints related to a variety of lottery, dating, reshipping and confidence scams.

The site was so poorly locked down that it also exposed the keylog records that customers kept on the service. Logs were indexed and archived each month, and most customers used the service to keep tabs on multiple computers in several countries. A closer look at the logs revealed that a huge number of the users appear to be Nigerian 419 scammers using computers with Internet addresses in Nigeria.

The seriously ghetto options page for BestRecovery web-based keylogger service.

The seriously ghetto options page for BestRecovery web-based keylogger service.

Also known as “advance fee” and “Nigerian letter” scams, 419 schemes have been around for many years and are surprisingly effective at duping people. The schemes themselves violate Section 419 of the Nigerian criminal code, hence the name. Nigerian romance scammers often will troll online dating sites using stolen photos and posing as attractive U.S. or U.K. residents working in Nigeria or Ghana, asking for money to further their studies, care for sick relatives, or some such sob story.

More traditionally, these miscreants pretend to be an employee at a Nigerian bank or government institution and claim to need your help in spiriting away millions of dollars. Those who fall for the ruses are strung along and milked for increasingly large money transfers, supposedly to help cover taxes, bribes and legal fees. As the FBI notes, once the victim stops sending money, the perpetrators have been known to use the personal information and checks that they received to impersonate the victim, draining bank accounts and credit card balances. “While such an invitation impresses most law-abiding citizens as a laughable hoax, millions of dollars in losses are caused by these schemes annually,” the FBI warns. “Some victims have been lured to Nigeria, where they have been imprisoned against their will along with losing large sums of money. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.”

Oddly enough, a large percentage of the keylog data stored at BestRecovery indicates that many of those keylog victims are in fact Nigerian 419 scammers themselves. One explanation is that this is the result of scammer-on-scammer attacks. According to a study of 419ers published in the Dec. 2011 edition of Cyberpsychology, Behavior, and Social Networking (available from the Library of Congress here or via this site for a fee), much of the 419 activity takes place in cybercafes, where “bulk tickets are sold for sending spam emails and some systems are dedicated to fraudsters for hacking and spamming.”

The keylog records available for the entries marked "Yahoo Boys" show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

The keylog records available for the entries marked “Yahoo Boys” show that Nigerian 419 scammers were just as likely to use this service as to be targets of it.

Perhaps some enterprising Nigerian spammers simply infected a bunch of these cybercafe machines to save themselves some work. It is also possible that vigilante groups which target 419 scammers — such as Artists Against 419 and 419eater.com — were involved, although it’s difficult to believe those guys would bother with such a rudimentary service.

BestRecovery gives customers instructions on how to use a provided tool to create a custom Windows-based keylogger and then disguise it as a legitimate screensaver application. New victims are indexed by date, time, Internet address, country, and PC name. Each keylogger instance lets the user specify a short identifier in the “note” field (failing to manually enter an identifier in the note field appears to result in that field being populated by the version number of the keylogger used). Interestingly, many of the victim PCs have a curious notation: “Yahoo Boys”.

Keylog data apparently collected from a Yahoo Boy.

Keylog data [partially redacted] that was apparently collected from a Yahoo Boy.

BLACK HAT OR BLACK MAGIC?

As noted in the above-mentioned academic paper (“Understanding Cybercrime Perpetrators and the Strategies They Employ in Nigeria”), the term “Yahoo Boys” is the nickname given to categories of young men in Nigeria who specialize in various types of cybercrime.  According to that paper, in which researchers spent time with and interviewed at least 40 active Yahoo Boys, most of the cybercrime perpetrators in Nigeria are between the age of 22 and 29, and are undergraduates who have distinct lifestyles from other youths.

“Their strategies include collaboration with security agents and bank officials, local and international networking, and the use of voodoo [emphasis added]. It was clear that most were involved in online dating and buying and selling with fake identities. The Yahoo boys usually brag, sag, do things loudly, drive flashy cars, and change cars frequently. They turn their music loud and wear expensive and latest clothes and jewelry. They also have a special way of dressing and relate, they spend lavishly, love material things, and go to clubs. They are prominent at night parties picking prostitutes at night. They also move in groups of two, three, and four when going to eateries. They speak different coded languages and use coded words such as “Mugun,” “Maga,” and “Maga don pay,” which all means “the fool (i.e., their victim) has paid.”

Continue reading →