B&B Theatres Hit in 2-Year Credit Card Breach

July 7, 2017

B&B Theatres, a company that owns and operates the 7th-largest theater chain in America, says it is investigating a breach of its credit card systems. The acknowledgment comes just days after KrebsOnSecurity reached out to the company for comment on reports from financial industry sources who said they suspected the cinema chain has been leaking customer credit card data to cyber thieves for the past two years.

bandbHeadquartered in Gladstone, Missouri, B&B Theatres operates approximately 400 screens across 50 locations in seven states, including Arkansas, Arizona, Florida, Kansas, Missouri, Mississippi, Nebraska, Oklahoma and Texas.

In a written statement forwarded by B&B spokesman Paul Farnsworth, the company said B&B Theatres was made aware of a potential breach by a local banking partner in one of its communities.

“Upon being notified we immediately engaged Trustwave, a third party security firm recommended to B&B by partners at major credit card brands, to work with our internal I.T. resources to contain the breach and mitigate any further potential penetration,” the statement reads. “While some malware was identified on B&B systems that dated back to 2015, the investigation completed by Trustwave did not conclude that customer data was at risk on all B&B systems for the entirety of the breach.”

The statement continued:

“Trustwave’s investigation has since shown the breach to be contained to the satisfaction of our processing partners as well as the major credit card brands. B&B Theatres values the security of our customer’s data and will continue to implement the latest available technologies to keep our networks & systems secure into the future.”

In June, sources at two separate U.S.-based financial institutions reached out to KrebsOnSecurity about alerts they’d received privately from the credit card associations regarding lists of card numbers that were thought to have been compromised in a recent breach.

The credit card companies generally do not tell financial institutions in these alerts which merchants got breached, leaving banks and credit unions to work backwards from those lists of compromised cards to a so-called “common point-of-purchase” (CPP).

In addition to lists of potentially compromised card numbers, the card associations usually include a “window of exposure” — their best estimate of how long the breach lasted. Two financial industry sources said initial reports from the credit card companies said the window of exposure at B&B Theatres was between Sept. 1, 2015 and April 7, 2017.

However, a more recent update to this advisory shared by my sources shows that the window of exposure is currently estimated between April 2015 and April 2017, meaning cyber thieves have likely been siphoning credit and debit card data from B&B Theatres customers for nearly two years undisturbed. Continue reading

Who is the GovRAT Author and Mirai Botmaster ‘Bestbuy’?

July 5, 2017

In February 2017, authorities in the United Kingdom arrested a 29-year-old U.K. man on suspicion of knocking more than 900,000 Germans offline in an attack tied to Mirai, a malware strain that enslaves Internet of Things (IoT) devices like security cameras and Internet routers for use in large-scale cyberattacks. Investigators haven’t yet released the man’s name, but news reports suggest he may be better known by the hacker handle “Bestbuy.” This post will follow a trail of clues back to one likely real-life identity of Bestbuy.

At the end of November 2016, a modified version of Mirai began spreading across the networks of German ISP Deutsche Telekom. This version of the Mirai worm spread so quickly that the very act of scanning for new infectable hosts overwhelmed the devices doing the scanning, causing outages for more than 900,000 customers. The same botnet had previously been tied to attacks on U.K. broadband providers Post Office and Talk Talk.

dtoutage

Security firm Tripwire published a writeup on that failed Mirai attack, noting that the domain names tied to servers used to coordinate the activities of the botnet were registered variously to a “Peter Parker” and “Spider man,” and to a street address in Israel (27 Hofit St). We’ll come back to Spider Man in a moment.

According to multiple security firms, the Mirai botnet responsible for the Deutsche Telekom outage was controlled via servers at the Internet address 62.113.238.138Farsight Security, a company that maps which domain names are tied to which Internet addresses over time, reports that this address has hosted just nine domains.

The only one of those domains that is not related to Mirai is dyndn-web[dot]com, which according to a 2015 report from BlueCoat (now Symantec) was a domain tied to the use and sale of a keystroke logging remote access trojan (RAT) called “GovRAT.” The trojan is documented to have been used in numerous cyber espionage campaigns against governments, financial institutions, defense contractors and more than 100 corporations.

Another report on GovRAT — this one from security firm InfoArmor — shows that the GovRAT malware was sold on Dark Web cybercrime forums by a hacker or hackers who went by the nicknames BestBuy and “Popopret” (some experts believe these were just two different identities managed by the same cybercriminal).

The hacker "bestbuy" selling his Govrat trojan on the dark web forum "Hell." Image: InfoArmor.

The hacker “bestbuy” selling his GovRAT trojan on the dark web forum “Hell.” Image: InfoArmor.

GovRAT has been for sale on various other malware and exploit-related sites since at least 2014. On oday[dot]today, for example, GovRAT was sold by a user who picked the nickname Spdr, and who used the email address spdr01@gmail.com.

Recall that the domains used to control the Mirai botnet that hit Deutsche Telekom all had some form of Spider Man in the domain registration records. Also, recall that the controller used to manage the GovRAT trojan and that Mirai botnet were both at one time hosted on the same server with just a handful of other (Mirai-related) domains.

According to a separate report (PDF) from InfoArmor, GovRAT also was sold alongside a service that allows anyone to digitally sign their malware using code-signing certificates stolen from legitimate companies. InfoArmor said the digital signature it found related to the service was issued to an open source developer Singh Aditya, using the email address parkajackets@gmail.com.

Interestingly, both of these email addresses — parkajackets@gmail.com and spdr01@gmail.com — were connected to similarly-named user accounts at vDOS, for years the largest DDoS-for-hire service (that is, until KrebsOnSecurity last fall outed its proprietors as two 18-year-old Israeli men).

Last summer vDOS got massively hacked, and a copy of its user and payments databases was shared with this author and with U.S. federal law enforcement agencies. The leaked database shows that both of those email addresses are tied to accounts on vDOS named “bestbuy” (bestbuy and bestbuy2).

Spdr01's sales listing for the GovRAT trojan on a malware and exploits site shows he used the email address spdr01@gmail.com

Spdr01’s sales listing for the GovRAT trojan on a malware and exploits site shows he used the email address spdr01@gmail.com

The leaked vDOS database also contained detailed records of the Internet addresses that vDOS customers used to log in to the attack-for-hire service. Those logs show that the bestbuy and bestbuy2 accounts logged in repeatedly from several different IP addresses in the United Kingdom and in Hong Kong.

The technical support logs from vDOS indicate that the reason the vDOS database shows two different accounts named “bestbuy” is the vDOS administrators banned the original “bestbuy” account after it was seen logged into the account from both the UK and Hong Kong. Bestbuy’s pleas to the vDOS administrators that he was not sharing the account and that the odd activity could be explained by his recent trip to Hong Kong did not move them to refund his money or reactivate his original account.

A number of clues in the data above suggest that the person responsible for both this Mirai botnet and GovRAT had ties to Israel. For one thing, the email address spdr01@gmail.com was used to register at least three domain names, all of which are tied back to a large family in Israel. What’s more, in several dark web postings, Bestbuy can be seen asking if anyone has any “weed for sale in Israel,” noting that he doesn’t want to risk receiving drugs in the mail.

The domains tied to spdr01@gmail.com led down a very deep rabbit hole that ultimately went nowhere useful for this investigation. But it appears the nickname “spdr01” and email spdr01@gmail.com was used as early as 2008 by a core member of the Israeli hacking forum and IRC chat room Binaryvision.co.il. Continue reading

Advertisement

Is it Time to Can the CAN-SPAM Act?

July 2, 2017

Regulators at the U.S. Federal Trade Commission (FTC) are asking for public comment on the effectiveness of the CAN-SPAM Act, a 14-year-old federal law that seeks to crack down on unsolicited commercial email. Judging from an unscientific survey by this author, the FTC is bound to get an earful.

spamspamspam

Signed into law by President George W. Bush in 2003, the “Controlling the Assault of Non-Solicited Pornography and Marketing Act” was passed in response to a rapid increase in junk email marketing.

The law makes it a misdemeanor to spoof the information in the “from:” field of any marketing message, and prohibits the sending of sexually-oriented spam without labeling it “sexually explicit.” The law also requires spammers to offer recipients a way to opt-out of receiving further messages, and to process unsubscribe requests within 10 business days.

The “CAN” in CAN-SPAM was a play on the verb “to can,” as in “to put an end to,” or “to throw away,” but critics of the law often refer to it as the YOU-CAN-SPAM Act, charging that it essentially legalized spamming. That’s partly because the law does not require spammers to get permission before they send junk email. But also because the act prevents states from enacting stronger anti-spam protections, and it bars individuals from suing spammers except under laws not specific to email.

Those same critics often argue that the law is rarely enforced, although a search on the FTC’s site for CAN-SPAM press releases produces quite a few civil suits brought by the commission against marketers over the years. Nevertheless, any law affecting Internet commerce is bound to need a few tweaks over the years, and CAN-SPAM has been showing its age for some time now.

Ron Guilmette, an anti-spam activists whose work has been profiled extensively on this blog, didn’t sugar-coat it, calling CAN-SPAM “a travesty that was foisted upon the American people by a small handful of powerful companies, most notably AOL and Microsoft, and by their obedient lackeys in Congress.”

According to Guilmette, the Act was deliberately fashioned so as to nullify California’s more restrictive anti-spam law, and it made it impossible for individual victims of spam to sue spam senders. Rather, he said, that right was reserved only for the same big companies that lobbied heavily for the passage of the CAN-SPAM Act.

“The entire Act should be thrown out and replaced,” Guilmette said. “It hasn’t worked to control spam, and it has in fact only served to make the problem worse.”

In the fix-it-don’t-junk-it camp is Joe Jerome, policy counsel for the Electronic Frontier Foundation (EFF), a nonprofit digital rights advocacy group. Jerome allowed that CAN-SPAM is far from perfect, but he said it has helped to set some ground rules.

“In her announcement on this effort, Acting Chairman Ohlhausen hinted that regulations can be excessive, outdated, or unnecessary,” Jerome said. “Nothing can be further from the case with respect to spam. CAN-SPAM was largely ineffective in stopping absolutely bad, malicious spammers, but it’s been incredibly important in creating a baseline for commercial email senders. Advertising transparency and easy opt-outs should not be viewed as a burden on companies, and I’d worry that weakening CAN-SPAM would set us back. If anything, we need stronger standards around opt-outs and quicker turn-around time, not less.” Continue reading

So You Think You Can Spot a Skimmer?

June 30, 2017

This week marks the 50th anniversary of the automated teller machine — better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you’re good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.

The first cash machine opened for business on June 27, 1967 at a Barclays bank branch in Enfield, north London, but ATM transactions back then didn’t remotely resemble the way ATMs work today.

The first ATM was installed in Enfield, in North London, on June 27, 1967. Image: Barclays Bank.

The first ATM was installed in Enfield, in North London, on June 27, 1967. Image: Barclays Bank.

The cash machines of 1967 relied not on plastic cards but instead on paper checks that the bank would send to customers in the mail. Customers would take those checks — which had little punched-card holes printed across the surface — and feed them into the ATM, which would then validate the checks and dispense a small amount of cash.

This week, Barclay’s turned the ATM at the same location into a gold color to mark its golden anniversary, dressing the machine with velvet ropes and a red carpet leading up to the machine’s PIN pad.

The location of the world's first ATM, turned to gold to commemorate the cash machine's golden anniversary. Image: Barclays Bank.

The location of the world’s first ATM, turned to gold and commemorated with a plaque to mark the cash machine’s golden anniversary. Image: Barclays Bank.

Chances are, the users of that gold ATM have little to worry about from skimmer scammers. But the rest of us practically need a skimming-specific dictionary to keep up with today’s increasingly ingenious thieves.

These days there are an estimated three million ATMs around the globe, and a seemingly endless stream of innovative criminal skimming devices has introduced us over the years to a range of terms specific to cash machine scams like wiretapping, eavesdropping, card-trapping, cash-trapping, false fascias, shimming, black box attacks, bladder bombs (pump skimmers), gas attacks, and deep insert skimmers.

Think you’ve got what it takes to spot the telltale signs of a skimmer? Then have a look at the ATM Fraud Inspection Guide (PDF) from cash machine giant NCR Corp., which briefly touches on the most common forms of ATM skimming and their telltale signs.

For example, below are a few snippets from that guide showing different cash trapping devices made to siphon bills being dispensed from the ATM.

Cash-trapping devices. Source: NCR.

Cash-trapping devices. Source: NCR.

Continue reading

‘Petya’ Ransomware Outbreak Goes Global

June 27, 2017

A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.

The ransom note that gets displayed on screens of Microsoft Windows computers infected with Petya.

The ransom note that gets displayed on screens of Microsoft Windows computers infected with Petya.

According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. The country’s government, some domestic banks and largest power companies all warned today that they were dealing with fallout from Petya infections.

Danish transport and energy firm Maersk said in a statement on its Web site that “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” In addition, Russian energy giant Rosneft said on Twitter that it was facing a “powerful hacker attack.” However, neither company referenced ransomware or Petya.

Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.

Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.

Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now. However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks. Continue reading

Got Robocalled? Don’t Get Mad; Get Busy.

June 25, 2017

Several times a week my cell phone receives the telephonic equivalent of spam: A robocall. On each occasion the call seems to come from a local number, but when I answer there is that telltale pause followed by an automated voice pitching some product or service. So when I heard from a reader who chose to hang on the line and see where one of these robocalls led him, I decided to dig deeper. This is the story of that investigation. Hopefully, it will inspire readers to do their own digging and help bury this annoying and intrusive practice.

robocallThe reader — Cedric (he asked to keep his last name out of this story) had grown increasingly aggravated with the calls as well, until one day he opted to play along by telling a white lie to the automated voice response system that called him: Yes, he said, yes he definitely was interested in credit repair services.

“I lied about my name and played like I needed credit repair to buy a home,” Cedric said. “I eventually wound up speaking with a representative at creditfix.com.”

The number that called Cedric — 314-754-0123 — was not in service when Cedric tried it back, suggesting it had been spoofed to make it look like it was coming from his local area. However, pivoting off of creditfix.com opened up some useful avenues of investigation.

Creditfix is hosted on a server at the Internet address 208.95.62.8. According to records maintained by Farsight Security — a company that tracks which Internet addresses correspond to which domain names — that server hosts or recently hosted dozens of other Web sites (the full list is here).

Most of these domains appear tied to various credit repair services owned or run by a guy named Michael LaSala and registered to a mail drop in Las Vegas. Looking closer at who owns the 208.95.62.8 address, we find it is registered to System Admin, LLC, a Florida company that lists LaSala as a manager, according to a lookup at the Florida Secretary of State’s office.

An Internet search for the company’s address turns up a filing by System Admin LLC with the U.S. Federal Communications Commission (FCC). That filing shows that the CEO of System Admin is Martin Toha, an entrepreneur probably best known for founding voip.com, a voice-over-IP (VOIP) service that allows customers to make telephone calls over the Internet.

Emails to the contact address at Creditfix.com elicited a response from a Sean in Creditfix’s compliance department. Sean told KrebsOnSecurity that mine was the second complaint his company had received about robocalls. Sean said he was convinced that his employer was scammed by a lead generation company that is using robocalls to quickly and illegally gin up referrals, which generate commissions for the lead generation firm.

Creditfix said the robocall leads it received appear to have been referred by Little Brook Media, a marketing firm in New York City. Little Brook Media did not respond to multiple requests for comment.

Robocalls are permitted for political candidates, but beyond that if the recording is a sales message and you haven’t given your written permission to get calls from the company on the other end, the call is illegal. According to the Federal Trade Commission (FTC), companies are using auto-dialers to send out thousands of phone calls every minute for an incredibly low cost. Continue reading

FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016

June 23, 2017

Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBI’s Internet Crime Complaint Center (IC3).

The IC3 report released Thursday correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement.

Source: Internet Crime Complaint Center (IC3).

Source: Internet Crime Complaint Center (IC3).

For example, the IC3 said it received 17,146 extortion-related complaints, with an adjusted financial loss totaling just over $15 million. In that category, the report identified 2,673 complaints identified as ransomware — malicious software that scrambles a victim’s most important files and holds them hostage unless and until the victim pays a ransom (usually in a virtual currency like Bitcoin).

According to the IC3, the losses associated with those ransomware complaints totaled slightly more than $2.4 million. Writing for BleepingComputer.com — a tech support forum I’ve long recommended that helps countless ransomware victims — Catalin Cimpanu observes that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats.”

“The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities,” Cimpanu writes.

It’s difficult to know how what percentage of ransomware victims paid the ransom or were able to restore from backups, but one thing is for sure: Relatively few victims are reporting cyber fraud to federal investigators.

The report notes that only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion.

If that 15 percent estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million. Continue reading

Why So Many Top Hackers Hail from Russia

June 22, 2017

Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs. This post explores the first part of that assumption by examining a breadth of open-source data.

The supply side of that conventional wisdom seems to be supported by an analysis of educational data from both the U.S. and Russia, which indicates there are several stark and important differences between how American students are taught and tested on IT subjects versus their counterparts in Eastern Europe.

computered

Compared to the United States there are quite a few more high school students in Russia who choose to specialize in information technology subjects. One way to measure this is to look at the number of high school students in the two countries who opt to take the advanced placement exam for computer science.

According to an analysis (PDF) by The College Board, in the ten years between 2005 and 2016 a total of 270,000 high school students in the United States opted to take the national exam in computer science (the “Computer Science Advanced Placement” exam).

Compare that to the numbers from Russia: A 2014 study (PDF) on computer science (called “Informatics” in Russia) by the Perm State National Research University found that roughly 60,000 Russian students register each year to take their nation’s equivalent to the AP exam — known as the “Unified National Examination.” Extrapolating that annual 60,000 number over ten years suggests that more than twice as many people in Russia — 600,000 — have taken the computer science exam at the high school level over the past decade.

In “A National Talent Strategy,” an in-depth analysis from Microsoft Corp. on the outlook for information technology careers, the authors warn that despite its critical and growing importance computer science is taught in only a small minority of U.S. schools. The Microsoft study notes that although there currently are just over 42,000 high schools in the United States, only 2,100 of them were certified to teach the AP computer science course in 2011.

A HEAD START

If more people in Russia than in America decide to take the computer science exam in secondary school, it may be because Russian students are required to study the subject beginning at a much younger age. Russia’s Federal Educational Standards (FES) mandate that informatics be compulsory in middle school, with any school free to choose to include it in their high school curriculum at a basic or advanced level.

“In elementary school, elements of Informatics are taught within the core subjects ‘Mathematics’ and ‘Technology,” the Perm University research paper notes. “Furthermore, each elementary school has the right to make [the] subject “Informatics” part of its curriculum.” Continue reading

Credit Card Breach at Buckle Stores

June 17, 2017

The Buckle Inc., a clothier that operates more than 450 stores in 44 U.S. states, disclosed Friday that its retail locations were hit by malicious software designed to steal customer credit card data. The disclosure came hours after KrebsOnSecurity contacted the company regarding reports from sources in the financial sector about a possible breach at the retailer.

buckle

On Friday morning, KrebsOnSecurity contacted The Buckle after receiving multiple tips from sources in the financial industry about a pattern of fraud on customer credit and debit cards which suggested a breach of point-of-sale systems at Buckle stores across the country.

Later Friday evening, The Buckle Inc. released a statement saying that point-of-sale malware was indeed found installed on cash registers at Buckle retail stores, and that the company believes the malware was stealing customer credit card data between Oct. 28, 2016 and April 14, 2017. The Buckle said purchases made on its online store were not affected.

As with the recent POS-malware based breach at Kmart, The Buckle said all of its stores are equipped with EMV-capable card terminals, meaning the point-of-sale machines can accommodate newer, more secure chip-based credit and debit cards. The malware copies account data stored on the card’s magnetic stripe. Armed with that information, thieves can clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers. Continue reading

Inside a Porn-Pimping Spam Botnet

June 15, 2017

For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites. Having hit a wall in my research, I decided it might be good to publish what I’ve unearthed so far to see if this dovetails with any other research out there.

In late October 2016, an anonymous source shared with KrebsOnSecurity.com a list of nearly 100 URLs that — when loaded into a Firefox browser — each displayed what appeared to be a crude but otherwise effective text-based panel designed to report in real time how many “bots” were reporting in for duty.

Here’s a set of archived screenshots of those counters illustrating how these various botnet controllers keep a running tab of how many “activebots” — hacked servers set up to relay spam — are sitting idly by and waiting for instructions.

One of the more than 100 panels linked to the same porn spamming operation. In October 2016, these 100 panels reported a total of 1.2 million active bots operating simultaneously.

At the time, it was unclear to me how this apparent botnet was being used, and since then the total number of bots reporting in each day has shrunk considerably. During the week the above-linked screen shots were taken, this botnet had more than 1.2 million zombie machines or servers reporting each day (that screen shot archive includes roughly half of the panels found). These days, the total number of servers reporting in to this spam network fluctuates between 50,000 and 100,000.

Thanks to a tip from an anti-spam activist who asked not to be named, I was able to see that the botnet appears to be busy promoting a seemingly endless network of adult dating Web sites connected to just two companies: CyberErotica, and Deniro Marketing LLC (a.k.a. AmateurMatch).

As affiliate marketing programs go, CyberErotica stretches way back — perhaps to the beginning. According to TechCrunch, CyberErotica is said to have launched the first online affiliate marketing firm in 1994.

In 2001, CyberErotica’s parent firm Voice Media settled a lawsuit with the U.S. Federal Trade Commission, which alleged that the adult affiliate program was misrepresenting its service as free while it dinged subscribers for monthly charges and made it difficult for them to cancel.

In 2010, Deniro Marketing found itself the subject of a class-action lawsuit that alleged the company employed spammers to promote an online dating service that was overrun with automated, fake profiles of young women. Those allegations ended in an undisclosed settlement after the judge in the case tossed out the spamming claim because the statute of limitations on those charges had expired.

What’s unusual (and somewhat lame) about this botnet is that — through a variety of botnet reporting panels that are still displaying data — we can get live, real-time updates about the size and status of this crime machine. No authentication or credentials needed. So much for operational security!

The “mind map” pictured below contains enough information for nearly anyone to duplicate this research, and includes the full Web address of the botnet reporting panels that are currently online and responding with live updates. I was unable to load these panels in a Google Chrome browser (perhaps the XML data on the page is missing some key components), but they loaded fine in Mozilla Firefox.

But a note of caution: I’d strongly encourage anyone interested in following my research to take care before visiting these panels, preferably doing so from a disposable “virtual” machine that runs something other than Microsoft Windows.

That’s because spammers are usually involved in the distribution of malicious software, and spammers who maintain vast networks of apparently compromised systems are almost always involved in creating or at least commissioning the creation of said malware. Worse, porn spammers are some of the lowest of the low, so it’s only prudent to behave as if any and all of their online assets are actively hostile or malicious.

A “mind map” tracing some of the research mentioned in this post.

Continue reading