Web Fraud 2.0


31
Mar 14

Who’s Behind the ‘BLS Weblearn’ Credit Card Scam?

A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.

At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574).

I began hearing from readers about this early this month, in part because of my previous sleuthing on an eerily similar scheme that also leveraged payment systems in Malta to put through unauthorized junk charges ($9.84) for “online learning” software systems. Unfortunately, while the names of the companies and payment systems have changed, this latest scam appears to be remarkably similar in every way.

Reading up on this latest scam, it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network used by the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta.

And, just like with the $9.84 scam, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue.com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine).

The very first time I encountered Plimus was in Sept. 2011, when I profiled an individual responsible for selling access to tens of thousands of desktop computers that were hacked and seeded with the TDSS botnet. That miscreant — a fellow who used the nickname “Fizot” — had been using Plimus to accept credit card payments for awmproxy.net, an anonymization service that was sold primarily to individuals engaged in computer fraud.

Apparently, the Internet has been unkind to Plimus’s online reputation, because not long ago the company changed its name to BlueSnap. This blog has a few ideas about what motivated the name change, noting that it might have been prompted in part by a class action lawsuit (PDF) against Plimus which alleges that the company’s marketing campaigns include the “mass production of fabricated consumer reviews, testimonials and fake blogs that are all intended to deceive consumers seeking a legitimate product and induce them to pay. Yet, after consumers pay for access to any of these digital goods websites, they quickly realize that the promotional materials and representations were blatantly false.”

Continue reading →


19
Feb 14

Fire Sale on Cards Stolen in Target Breach

Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices.

asdf

Cards stolen in the Target breach have become much cheaper as more of them come back declined or cancelled by issuing banks.

Earlier today, the underground card shop Rescator[dot]so moved at least 2.8 million cards stolen from U.S.-based shoppers during the Target breach. This chunk of cards, dubbed “Beaver Cage” by Rescator, was the latest of dozens of batches of cards stolen from Target that have gone on sale at the shop since early December.

The Beaver Cage batch of cards have fallen in price by as much as 70 percent compared to those in “Tortuga,” a huge chunk of several million cards stolen from Target that sold for between $26.60 and $44.80 apiece in the days leading up to Dec. 19 — the day that Target acknowledged a breach. Today, those same cards are now retailing for prices ranging from $8 to $28. The oldest batches of cards stolen in the Target breach –i.e., the first batches of stolen cards sold –are at the top of legend in the graphic above; the “newer,” albeit less fresh, batches are at the bottom.

The core reason for the price drop appears to be the falling “valid rate” associated with each batch. Cards in the Tortuga base were advertised as “100 percent valid,” meaning that customers who bought ten cards from the store could expect all 10 to work when they went to use them at retailers to purchase high-priced electronics, gift cards and other items that can be quickly resold for cash.

This latest batch of Beaver Cage cards, however, carries only a 60 percent valid rate, meaning that on average customers can expect at least 4 out of every 10 cards they buy to come back declined or canceled by the issuing bank.

The most previous batch of Beaver Cage cards — pushed out by Rescator on Feb. 6 — included nearly 4 million cards stolen from Target and carried a 65 percent valid rate. Prior to Beaver Cage, the Target cards were code-named “Eagle Claw.” On Jan. 29, Rescator debuted 4 million cards bearing the Eagle Claw name and a 70 percent valid rate. The first two batches of Eagle Claw-branded cards — a chunk of 2 million cards — were released on Jan. 21 with a reported 83 percent valid rate.

Continue reading →


3
Feb 14

File Your Taxes Before the Fraudsters Do

Jan. 31 marked the start of the 2014 tax filing season, and if you haven’t yet started working on your returns, here’s another reason to get motivated: Tax fraudsters and identity thieves may very well beat you to it.

According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

There are countless shops in the cybercrime underground selling data that is especially useful for scammers engaged in tax return fraud. Typically, these shops will identify their wares as “fullz,” which include a consumer’s first name, last name, middle name, email address (and in some cases email password) physical address, phone number, date of birth, and Social Security number.

This fraud shop caters to thieves involved in tax return fraud.

This underground shop sells consumer identity data, catering to tax return fraud.

The shop pictured above, for example, caters to tax fraudsters, as evidenced by its advice to customers of the service, which can be used to find information that might help scammers establish lines of credit (PayPal accounts, credit cards) in someone else’s name:

“You can use on paypal credit, prepaid cards etc. After buying try to search by address and u can see children, wife and all people at this address,” the fraud shop explains, advising customers on ways to find the names and additional information on the taxpayer’s children (because more dependents mean greater tax deductions and higher refunds): “It’s great for tax return method, because u can get $$$ for ‘your’ children.”

Continue reading →


15
Jan 14

A First Look at the Target Intrusion, Malware

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

The seller of the point-of-sale "memory dump" malware used in the Target attack.

The seller of the point-of-sale “memory dump” malware allegedly used in the Target attack.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.

This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

‘BLACK POS’

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache (Update, Jan. 16, 9:29 a.m.: Sometime after this story ran, Google removed the cached ThreatExpert report; I’ve uploaded a PDF version of it here).

According to sources, "ttcopscli3acs" is the name of the Windows share point used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r"

According to sources, “ttcopscli3acs” is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the malware used to upload stolen data data was “Best1_user”; the password was “BackupU$r”

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis –“POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.

pos-fbiThat source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

Continue reading →


16
Dec 13

Botnet Enlists Firefox Users to Hack Web Sites

An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

The "Advanced Power" botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

The “Advanced Power” botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.

The fraudulent Firefox add-on.

The fraudulent Firefox add-on.

The malicious code comes from sources referenced in this Malwr writeup and this Virustotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.

Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”

Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.

Continue reading →


13
Dec 13

Hacked Via RDP: Really Dumb Passwords

Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.

Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.

Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC's upload and download speeds.


Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC’s upload and download speeds.

Makost currently is selling access to more than 6,000 compromised RDP installations worldwide. As we can see from the screen shot above, hacked systems are priced according to a combination of qualities of the server:

  • city, state, country of host;
  • administrative or regular user rights;
  • operating system version;
  • number and speed of computer processors;
  • amount of system memory;
  • network download and upload speeds;
  • NAT or direct

KrebsOnSecurity was given a glimpse inside the account of a very active user of this service, an individual who has paid more than $2,000 over the past six months to purchase some 425 hacked RDPs. I took the Internet addresses in this customer’s purchase history and ran WHOIS database lookups on them all in a bid to learn more about the victim organizations. As expected, roughly three-quarters of those addresses told me nothing about the victims; the addresses were assigned to residential or commercial Internet service providers.

But the WHOIS records turned up the names of businesses for approximately 25 percent of the addresses I looked up. The largest group of organizations on this list were in the manufacturing (21 victims) and retail services (20) industries. As I sought to categorize the long tail of other victim organizations, I was reminded of the Twelve Days of Christmas carol.

twelve healthcare providers;
ten education providers;
eight government agencies;
seven technology firms;
six insurance companies;
five law firms;
four financial institutions;
three architects;
two real estate firms;
and a forestry company (in a pear tree?)

Continue reading →


6
Dec 13

Meet Paunch: The Accused Author of the BlackHole Exploit Kit

In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as “Paunch,” the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today.

Paunch, the accused creator of the Blackhole Exploit Kit, stands in front of his Porche Cayenne.

Paunch, the accused creator of the Blackhole Exploit Kit, stands in front of his Porsche Cayenne.

A statement released by the Russian Interior Ministry (MVD) — the entity which runs the police departments in each Russian city — doesn’t include Paunch’s real name, but it says the Blackhole exploit kit creator was arrested in October along with a dozen other individuals who allegedly worked to sell, develop and profit from the crimeware package.

Russian security and forensics firm Group-IB, which assisted in the investigation, released additional details, including several pictures of the 27-year-old accused malware author. According to Group-IB, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity. The image at right shows Paunch standing in front of his personal car, a Porsche Cayenne.

First spotted in 2010, BlackHole is commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities for the purposes of installing malware of the customer’s choosing. The price of renting the kit ran from $500 to $700 each month. For an extra $50 a month, Paunch also rented customers “crypting” services; cryptors are designed to obfuscate malicious software so that it remains undetectable by antivirus software.

If the pictured man truly is Paunch, he certainly lived up to his nickname.

If the 27-year-old pictured here truly is Paunch, he certainly lived up to his nickname.

Paunch worked with several other cybercriminals to purchase new exploits and security vulnerabilities that could be rolled into Blackhole and help increase the success of the software. Paunch bought the exploits to fund a pricier ($10,000/month) and more exclusive exploit pack called “Cool Exploit Kit.”

As documented on this blog in January 2013 (see Crimeware Author Funds Exploit Buying Spree), Paunch contracted with a third-party exploit broker who announced that he had a $100,000 budget for buying new, previously undocumented “zero-day” vulnerabilities.

Not long after that story, the individual with whom Paunch worked to purchase those exclusive exploits — a miscreant who uses the nickname “J.P. Morgan” — posted a message to the Darkode[dot]com crime forum, stating that he was doubling his exploit-buying budget to $200,000.

In October, shortly after news of Paunch’s arrest leaked to the media, J.P. Morgan posted to Darkode again, this time more than doubling his previous budget — to $450,000.

“Dear ladies and gentlemen! In light of recent events, we look to build a new exploit kit framework. We have budgeted $450,000 to buy vulnerabilities of a browser and its plugins, which will be used only by us afterwards! ”

Continue reading →


5
Dec 13

ZeroAccess Botnet Down, But Not Out

Europol, Microsoft Kneecap Click-Fraud Botnet

Authorities in Europe joined Microsoft Corp. this week in disrupting “ZeroAccess,” a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.

The action comes partly from Europol’s European Cybercrime Center (EC3), as well as law enforcement cybercrime units from Germany, Latvia, Switzerland and the Netherlands, countries that hosted many of the Internet servers used to control the ZeroAccess botnet.

In tandem with the law enforcement moves in Europe, Microsoft filed a civil lawsuit to unmask eight separate cybercriminals thought to be operating the giant botnet, and to block incoming and outgoing communications between infected PCs in the United States and those 18 control servers, according to a statement released by EC3.

The malware the powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”).

In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.

Maps of ZeroAccess infected PCs in Texas. Source: botnetlegalnotice.com

Maps of ZeroAccess infected PCs in Texas. Source: botnetlegalnotice.com

It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term. Early versions of ZeroAccess relied on a series of control servers to receive updates, but recent versions of the botnet malware were designed to make the network as a whole more resilient and resistant to targeted takedowns such as the one executed this week.

Specifically, ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. P2P-based botnets are designed to eliminate a single point of failure, so that if one node used to control the botnet is knocked offline, the remainder of the botnet can still function.

The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers — including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.

Continue reading →


26
Nov 13

An Anti-Fraud Service for Fraudsters

Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.

One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some business employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.

The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

This fraudster-friendly antifraud service does the following analysis:

  • Queries the geo-IP location from four distinct sources;
  • Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
  • Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy).
  • Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest)

The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).

As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.

Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.

Continue reading →


19
Nov 13

Don’t Like Spam? Complain About It.

Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession.  The cynics question if it’s really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email? Well, according to at least one underground service designed for spammers seeking to avoid anti-spam activists, the answer is a resounding “yes!”

atball

Until recently, this reporter was injected into one of the most active and private underground spam forums (the forum no longer exists; for better or worse, the administrator shuttered it in response to this story). Members of this spam forum sold and traded many types of services catering to the junk email industry, including comment spam tools, spam bots, malware, and “installs” — the practice of paying for the privilege of uploading your malware to machines that someone else has already infected.

But among the most consistently popular services on spammer forums are those that help junk emailers manage gigantic email address lists. More specifically, these services specialize keeping huge distribution lists “scrubbed” of inactive addresses as well as those belonging to known security firms and anti-spam activists.

Just as credit card companies have an ironic and derisive nickname for customers who pay off their balances in full each month — these undesirables are called “deadbeats” — spammers often label anti-spam activists as “abusers,” even though the spammers themselves are the true abusers. The screen shot below shows one such email list management service, which includes several large lists of email addresses for people who have explicitly opted out of receiving junk messages (people who once purchased from spam but later asked to be removed or reported the messages as spam). Note the copyright symbol next to the “Dark Side 2012″ notation, which  is a nice touch:

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

The bottom line shows that this service also includes a list of more than 580,000 email addresses thought to be associated with anti-spam activists, security firms and other “abusers.” This list included a number of “spamtrap” addresses created specifically for collecting and reporting spam. The note in the above entry — “abusers_from_severa” — indicates that this particular list was provided by an infamous Russian spammer known as Peter Severa. This blog has featured several stories about Severa, including one that examines his possible identity and role in the development and dissemination of the Waledac and Storm worms.

Continue reading →