Posts Tagged: Media Breakaway


2
Sep 19

Feds Allege Adconion Employees Hijacked IP Addresses for Spamming

Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company’s commercial email practices.

Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark ManoogianPetr Pacas, and Mohammed Abdul Qayyum —  in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Quayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations. Continue reading →


4
Apr 18

Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018

A story published here last week warned readers about a vast network of potentially malicious Web sites ending in “.cm” that mimic some of the world’s most popular Internet destinations (e.g. espn[dot]cm, aol[dot]cm and itunes[dot].cm) in a bid to bombard visitors with fake security alerts that can lock up one’s computer. If that piece lacked one key detail it was insight into just how many people were mistyping .com and ending up at one of these so-called “typosquatting” domains.

On March 30, an eagle-eyed reader noted that four years of access logs for the entire network of more than 1,000 dot-cm typosquatting domains were available for download directly from the typosquatting network’s own hosting provider. The logs — which include detailed records of how many people visited the sites over the past three years and from where — were deleted shortly after that comment was posted here, but not before KrebsOnSecurity managed to grab a copy of the entire archive for analysis.

The geographic distribution of 25,000 randomly selected Internet addresses (IP addresses) in the logs seen accessing the dot-cm typosquatting domains in February 2018. Batchgeo, the service used to produce this graphic, limits free lookups to 25,000, but the above image is likely still representative of the overall geographic distribution. Perhaps unsurprisingly, the largest share of traffic is coming from the United States.

Matthew Chambers, a security expert with whom this author worked on the original dot-cm typosquatting story published last week, analyzed the access logs from just the past three months and found the sites were visited approximately 12 million times during the first quarter of 2018.

Chambers said he combed through the logs and weeded out hits from Internet addresses that appeared to be bots or search engine scrapers. Here’s Chambers’ analysis of the 2018 access log data:

January 2018; 3,732,488 visitors
February 2018: 3,799,109 visitors
Mar 2018: 4,275,998 visitors

Total Jan-Mar 2018 is 11.8 million

Those figures suggest that the total number of visits to these typosquatting sites in the first quarter of 2018 was approximately 12 million, or almost 50 million hits per year. Certainly, not everyone visiting these sites will have the experience that Chambers’ users reported (being bombarded with misleading malware alerts and redirected to scammy and spammy Web sites), but it seems clear this network could make its operators a pretty penny regardless of the content that ends up getting served through it. Continue reading →