It's clear that you've been kicking some serious ass since you've taken over as Yahoo's new CEO, and you have a lot of eyes on you as you shake up the entire Yahoo product roster, and change a lot of how Yahoo works, and what Yahoo means. It's a big job, and you definitely have a lot on your plate.
I write to you today to discuss what your future plans are regarding Yahoo's current standing as arguably the most criminally-infested online property in the world.
Pretty much since email has existed there has been spam, and since there has been spam, there have been online scams.
Since the beginning of online scams, Yahoo Mail has been the preferred free email product used by Nigerian scammers, also known as "419 scammers" or "advance-fee fraud scammers".
This is now an accepted fact among members of the anti-spam and anti-fraud community. Yahoo is a prime resource for online criminals, much more than any other free email provider. That's saying something, since Yahoo isn't even as old as (say) AOL.com, which predates the commonly-defined internet by a few decades. AOL had real problems with spammers in the mid-90s and was among the very first to employ processes like spam filtering to their email product.
My problem isn't one regarding comparisons about how infested with criminal activity one service is versus another. My problem is that for the past several years, Yahoo has been systematically removing every single method of reporting criminal activity to Yahoo's abuse teams.
This is not a good thing. People don't like receiving spam in the first place. They certainly don't like it when the same stupid scammers keep sending the same stupid, old scam messages every single day for years on end. They like reporting the accounts these scammers use and seeing success in getting them shut down. I know this because I built a standardized reporting tool that creates an abuse report outlining which account is being used by a criminal, what the specific scam is, details to support why this scam is a bad thing, and requests that it be shut down. This tool is called the Nigerian Scamerator™ and it's been downloaded and used by several dozen people.
I've been using a system like this in one form or another since around 2002. I formalized it in 2008. It greatly reduces the time it takes to report every single Nigerian scammer I hear from every single day, and it works.
My reporting tool would probably be used by far, far more people if it weren't for the fact that Yahoo specifically has made it literally impossible to report Nigerian Scammers to their abuse teams! This is a significant problem now.
Prior to 2013 my biggest complaint about Yahoo was simply that they were not fast enough at shutting these abused accounts down. Yahoo Abuse would routinely take more than 24 hours to shut down one single account, which is way too long, and allows the scammers to set up all kinds of backup accounts and just use those whenever the old ones get shut down. Every other free email provider now takes a mere matter of a few hours to shut these offending accounts down, and it definitely pisses the criminals off. Kudos are especially in order for MSN's Outlook email, which often shuts down Nigerian scammer accounts within 3 hours or less. It's impressive, and it's definitely impacted these moron criminals in a big way. (They all let me know, and they attack several of my abuse-reporting accounts.)
Rather than fix the time it takes to shut a Yahoo Mail account down, Yahoo Abuse has instead decided to remove ANY form that might inform them of the abuse ever taking place, instead putting users through an endless loop of FAQs about what spam is, and how to "flag a message as spam".
This is not helpful for the beleaguered users of email, and it is detrimental to any efforts that attempt to make life difficult for Nigerian scammers specifically.
As a final resort before writing this entry, I was put in contact with a senior Yahoo Abuse representative by my colleague Mr. Brian Krebs. This contact informed me that there was one form he recommended I use to report offending scammer accounts. I began using that form. That was three weeks ago.
Today: that form is also gone.
Yahoo has systematically removed every single reporting form they ever had, in any country, to report criminal activity within their services. There is now no way to do so. Yahoo is effectively supporting these criminals by making it impossible to report them. Why?
Did you know that most Nigerian scammers have now co-opted the Yahoo brand as part of their own names?
Very recently, police in the Benin Republic have executed several widely-publicized raids against large gangs of these scammers, who now regularly refer to themselves as "Yahoo-Yahoo Boys". They're proud of it. That term is now synonymous with someone who has become wealthy from the proceeds of widespread, systematic fraud. Your company's name is now being used to refer to a criminal operation. Congratulations.
In a 2006 article, CNN referred to Nigerian scammers as Yahoo Millionaires. In a very recent article in New Scientist Magazine, Nigerian scammers are referred to as "Yahoo Boys". This can't be good for Yahoo's image, their branding, or their reputation. As CEO of Yahoo generally, I would hope this would be something that concerns you.
I have some specific questions for you, which I hope you will seriously consider:
- Is Yahoo intending to create any new forms that allow for the detailed reporting of these scamming criminals?
- If not: why not?
- Assuming Yahoo ever does intend to allow the detailed reporting of this activity, is the response time ever going to improve?
- Does Yahoo have any intention of ever taking this criminal issue seriously?
Here's the thing, Ms. Mayer: you used to work at Google. In fact you were an early hire of theirs. Google is arguably at the forefront of spam filtering and abuse processing. Their white paper on reputation-based spam filtering is one of the smartest things I've seen in recent years with regards to the international fight against spam and online criminal activity. You come from that background. You're also younger than any other CEO in recent memory, and you're already making significant strides with Yahoo's existing products - notably Flickr and the new acquisition of Tumblr. Well done.
I think one of the major things you could also shake up is Yahoo's abuse processes, which in my opinion are in dire need of improvement. I know I am not alone when I say this, and I would like to think that this issue is somewhere near front-of-mind for you as you take on the challenge of upgrading Yahoo's reputation as a pioneering Internet company, and not merely some long-in-the-tooth, out-of-touch mega-corporation that outgrew itself.
Yahoo is effectively providing a 100% free infrastructure to international criminal operations and has zero abuse reporting. That is not a good thing at all. I would think that in your new role as CEO, among the things that would make people respect your brand more would be taking a serious stand against this rampant criminal activity. Please prove me right in this regard.
Very sincerely yours
SiL / IKS / concerned citizen
Well here we are. The end of the year has arrived and again there is a lot to recap in terms of the ongoing fight against online crime in all its forms.
2011 was a busy year in terms of law enforcement action against predominantly overseas spamming criminals, and also for further leaks of valuable data, chat logs, email accounts and other information that exposed the inner workings of several mostly Russian spam operations. This is a continuation of the same leaks and law enforcement action which we saw in 2010. It also was a year that saw unprecedented cooperation between several international law enforcement agencies to shut down everything from botnets to financial fraud gangs to fake pharmaceutical manufacturers and promoters. There were also some incredibly detailed and in-depth investigative reports into the financial operations of large-scale pharmacy spam operations. So well done to all law enforcement agencies and investigators for an incredibly successful year.
Spam is still with us, but it's swiftly becoming a less popular and riskier method of making a quick buck. This is all good to see.
So here we go. Get some popcorn, enjoy, and have a happy new year.
January:
- On Jan. 20th, an insightful article is posted on RussiaProfile.org by Svetlana Kononova. The article outlines several new trends in online crime originating from Russia, and makes specific mention of the demise of the criminal online pharmacy affiliate program Spamit.
- On Jan. 26th it is announced via several media outlets that Russian hosting company VolgaHost was de-peered from the internet by their upstream provider RUNNet.ru. This is due to several investigations identifying VolgaHost as a source of a great deal of online criminal activity, including the command and control setups for several botnets, among them several Zeus botnets. January is already off to a great start.
- The same day, an article in the New Zealand Herald announces that an unnamed 32-year-old Chinese man has been arrested in Auckland, New Zealand charged with international distribution of counterfeit drugs. This followed a three year investigation by the Auckland Metro Crime and Operations Support (AMCOS).
- A headline in the Toronto Star announces Canada no longer synonymous with spam. It's an odd "consumer affairs" piece but it does outline the difficulties of trying to run a genuine online pharmacy from Canada against the unending barrage of fake, Russia-based, criminally operated sites.
- On Jan. 28th, social networking website Facebook is awarded $360,500,000.00 USD in statutory damages as the result of charges of spamming activity against the site by one Philip Porembski. This is the third major award to be granted by a court in Facebook's favor since it started going after spammers on its site in 2006. As for actually collecting the money? That's another story. But it continues to set a very strong precedent for any future spammers who think that Facebook is still worth flooding with spam.
- In the "gift that keeps on giving" department, on Feb. 7th it is announced that Gregg Burger of Yonkers, New York has been arrested for acting as convicted stock spammer Alan Ralsky's stock broker. The SEC has also filed fraud and other charges against Burger and 10 other accomplices. Burger faces up to 25 years in prison and significant fines if convicted. (No followup story has been posted regarding this case.) See also the SEC Filing.
- On Feb. 17th, another court action is announced, this time against repeat spamming offender Brendan Battles. The Australia Dept. of Internal Affairs seeks penalties of $200,000 AUD against Battles, and $500,000 AUD against his company, Image Marketing Group Limited. The court alleges that Battles sent nearly 45,000 SMS text messages to Vodafone mobile customers in March of 2009, and later also engaged in email spamming. This makes the fifth year in a row where Mr. Battles has either been publicly exposed as a repeat spammer or has been charged directly.
- In what would be the first of a series of great, great articles from Brian Krebs throughout 2011, on Feb. 21st "Krebs On Security" publishes an interview with renowned Chronopay operator Pavel Vrublevsky. The story is insightful, and inevitably outlines a raid on a party held by Russian online pharmacy "RX-Promotion". It's a worthwhile read, and marks the beginning of a lot of unwanted exposure for Vrublevsky throughout 2011.
- On Feb. 24th the US Federal Trade Commission (FTC) asks a court to shut down a high volume text message spamming operation run by a man named Phillip A. Flora. [Court document PDF]. According to the court document, "During one 40-day period, beginning in August 2009, Flora's operation sent more than 5.5 million spam texts, a "mind boggling" rate of about 85 a minute".
- Also on Feb. 24th, Krebs On Security posts a pair of engaging articles about the twin illicit online pharmacy affiliate programs Spamit and Glavmed. (Spamit as most of you will remember shuttered its operation in October 2010.) This begins a series he titles "Pharma Wars". The first article outlines how Spamit came to be investigated by law enforcement and others, and also makes a connection between the leak of Spamit data and Pavel Vrublevsky. The other documents a large-scale leak of the entire Spamit database in mid-2010 by someone named "Despduck". The database makes clear that both programs were operated and maintained by the same people, and generated millions of dollars of illegal profits from the sale of fake pharmaceutical products. This is a good peek behind the scenes of how a large-scale pharmacy spam operation works and how much money is generated from their illegal spamming activity.
- In what appears to be a dubious article from Feb. 26th, TechWorld reports that China has been effectively clamping down on spam activity within its borders. Eight months later, we all still continue to see all kinds of spam volume originating from China, but the report is correct in stating that its activity has "dropped" compared to previous years.
- Mar. 3rd, Wired Magazine's "Epicenter" blog reports on the release of career spammer Robert Soloway from federal prison, following his three year sentence. Soloway makes it clear that he is never going to spam again.
- Also on Mar. 3rd, Krebs on Security posts another in a series of investigative articles regarding Chronopay and its involvement in the rogue antivirus / scareware industry, something Chronopay appears to support a great deal. In retaliation, a childish "press release" is sent to numerous security blogs, notably F-Secure, making the ridiculous claim that Brian Krebs and "his boyfriend", F-Secure's Mikko Hyppönen, had both been "arrested" in relation to an online credit card theft ring. Absolutely nobody takes the article seriously, and sites which published the fake story immediately retract it. This is a good indication that the accurate reporting of Mr. Krebs is definitely ruffling all the right feathers.
- On Apr. 3rd, Krebs on Security posts a story about another in a continuing series of large-scale data leaks, this time affecting customers of supermarket giant "Kroger Co." In this case the compromise was the result of criminal activity, but throughout 2011 various groups of online hacktivists, notably "LulzSec", would repeatedly, publicly release numerous large caches of data to illustrate the lack of security in place at common companies used by millions of people every day.
- On Apr. 8th, German news website Welt Online publishes a story about the dismantling [Google Translation] of a fake pharmacy site operated in Potsdam, Germany. The fake pharmacy generated "at least 18 million euros" in earnings.
- On Apr. 13th the US Dept. of Justice posts a press release announcing that the DOJ and the FBI acted together to shut down the "Coreflood" botnet, which infected more than 2 million computers at the time of the action. This takedown was unique in that not only were the command and control (C&C) servers taken over by law enforcement, but commands were also sent from the seized C&C server to individual infected bot computers instructing them to stop sending any further data and to shut down. They also provided large lists of infected IP addresses to the respective Internet Service Providers so that the customers behind them could be notified of the infection of their computers, and what steps to take to remove the infection. This was an unprecedented legal action and would raise the bar for several future botnet shutdowns in 2011. This story was widely covered by numerous news outlets, blogs and websites, notably Reuters, Krebs on Security, ComputerWorld and Slashdot.
- On Apr. 19th, the FTC and other US federal regulators filed a lawsuit against a series of "online marketers" for fraudulently creating fake "news websites" used in spam campaigns to promote bogus Acai Berry weight loss products. They also charge that the claims made on these fake sites are completely false and represent a definite danger to consumers. Despite this action, we all continue to see this exact same "fake news website" technique used to promote numerous completely bogus "make money for free at home" websites via spam.
- On May 23rd, an in-depth report authored by a team of researchers at the University of California at San Diego (UCSD) is published which essentially "follows the money" through a typical criminal online pharmacy affiliate operation, and identifies just three banks which process all of the orders. The paper, entitled "Click Trajectories: End-to-End Analysis of the Spam Value Chain", was presented at the IEEE Symposium on Security and Privacy in Oakland, Calif. This is by far some of the most effective reporting on the profit structure of an illegal online pharmacy. It also prompts a great deal of public scrutiny of the three banks which processed payments for this operation, notably Azerigazbank Joint-Stock Investment Bank in Baku, Azerbaijan.
- McAfee publishes an insightful article in late May outlining how a "blackhat SEO" campaign (a.k.a.: forum spamming) can generate income from an illegal online pharmacy affiliate program.
- Leonid "Leo" Kuvayev, renowned operator of numerous child porn sites and the "Mailien" criminal online pharmacy, "admits child abuse" on Jun. 1st in a court appearance after having been arrested back in December 2009. Police discovered a sex dungeon in a property of Kuvayev's while investigating him for illegal spam charges. He now faces up to 20 years in prison. More details, in Russian, available here.
- On Jun. 2nd the UK's Telegraph reports that Google is publicly naming and shaming the Chinese government for "Spear phishing" as part of a series of attacks launched by China against Google's Gmail service in 2010. The Chinese government responds, calling Google's claims "unacceptable".
- In some fairly major news, on Jun. 23rd, Russian authorities arrested Chronopay co-founder Pavel Vrublevsky "for allegedly hiring a hacker to attack his company’s rivals."
- On Jul. 19th, Joseph Mercier, an IT Security supervisor from Laval, Québec, Canada, is arrested by Canada's RCMP (the Canadian equivalent of the FBI) for "allegedly coordinating an international computer hacking scheme." Mercier essentially crafted his own botnet, including the virus malware, and managed to infect computers in several countries. The report doesn't make clear what the purpose of the botnet actually was, but one can most likely imagine.
- Long-renowned career spammer Sanford Wallace is again charged with spamming activity, this time coupled with a phishing attack. Spamford has been indicted numerous times since the late 1990's for his ongoing, unrelenting, malicious spamming activities. More coverage here.
- Brian Krebs continues his highly informative "Pharma Wars" investigative series with a posting on Aug. 19th which exposes a leaked chat session between Spamit owner and operator Igor Gusev and a senior member of his technical team, Dmitri Stupin.
- On Aug. 20th, ICANN begins an investigation into domain registrar eNom and their parent company "Demand Media" for predominantly providing domain registration services to online criminal organizations. This was in reaction to a detailed report by Hostexploit.com identifying eNom as a preferred domain registrar for all manner of criminal activity for many years, referring to them as the #1 most abusive domain registrar.
- In an interesting turn of events, Google forfeits $500 million USD on Aug. 24th, "generated from Canadian pharmacies targeting US customers through its AdWords program".
- After years in legal limbo, the ill-fated lawsuit on behalf of E360 Insight against Spamhaus is vacated on Sep. 3rd, with the result being that Spamhaus must pay a total of $3.00 USD to E360, but also making E360 liable for all legal costs. A judgement document skewers E360 owner and plaintiff David Lindhart, calling his testimony throughout the lengthy trial process "inherently unreliable" and outlining several "systemic problems" with much of the financial information he produced during the trial.
- With the year 2011 not yet over, Brendan Battles again shows up on the spamming radar, this time charged with selling 50,000 email addresses without the owners' permission. His company, the notorious "Image Marketing Group Limited", now faces a $700,000 AUD fine for selling the addresses to an unnamed "businessman" via (you guessed it) spam. "The businessman alleges that when he bought the database, IMG assured him it complied with the necessary legislation and the email holders had given their permission to be contacted, said senior investigator Toni Demetriou."
- On Oct. 4th, Krebs on Security (among others) reports on the conviction of the 13th defendant from a group which operated a Zeus botnet for the purposes of financial fraud against numerous victims. All 13 members of this gang were indicted, arrested, and convicted of operating a Zeus botnet which resulted in the theft of £3 million ($4,657,050.00 USD) from banks in the UK between Sept. 2009 and Mar. 2010.
- Also on Oct. 4th (quite the day!), INTERPOL announces the results of an unprecedented international law enforcement action code-named "Operation Pangea IV", which took place between Sept. 20th and 27th. "In the largest operation of its kind, 81 countries have taken part in an international week of action targeting the sale on the Internet of counterfeit and illegal medicines, resulting in dozens of arrests and the seizure of 2.4 million potentially harmful medicines worldwide worth USD 6.3 million." This is definitely one of the largest international law enforcement actions in years, and certainly the largest action related directly to spamming and illegal online pharmacies.
- In a related story, a domain registrar, in direct response to the INTERPOL actions, "shut down DNS resolution for hundreds of domains to cut off access to over 13,500 websites peddling fake pharmaceuticals."
- In a great recap article, Ars Technica reports on Microsoft's combined efforts to target, trap and reduce spam traffic, specifically phishing, malware and other dangerous elements.
- In another installment in his "Pharma Wars" series, on Nov. 11th Brian Krebs posts another leaked chat session between Igor Gusev and Dmitri Stupin. Not long after the story is posted, KrebsOnSecurity.com is the target of a sustained DDoS attack, which he subsequently reports on in some detail thanks to the investigative assistance of Joe Stewart from Dell SecureWorks. The operators and affiliates of Spamit and Glavmed have to be suffering financially for them to take this kind of action against a security blog with such a wide readership.
- On Dec. 16th, Krebs on Security reports that (among a few others) former Ukrainian General Verliu Gaichuk is arrested in Romania "suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms." This was another large-scale international law enforcement investigation which comprised Romanian authorities, the FBI and Italian special forces. Since 2010 we have seen more and more of this type of coordinated law enforcement cooperation, and it's very good to see.
- On Dec. 8th, four Romanian nationals are indicted in the District of New Hampshire on charges of compromising the credit card data of more than 80,000 customers of the Subway restaurant chain - among others - covering nearly three and a half years. Three of the criminals were arrested and a fourth remains at large.
Happy Holidays everyone. Stay safe, and thanks again for reading.
SiL / IKS / concerned citizen
The product range many of these affiliate programs offer nearly always sound "too good to be true" but they do make them money. Career spammers essentially join, ignore any zero-tolerance policies the affiliate program has for email spamming (or any other spamming for that matter), get an affiliate id, and start up their email deployment system.
The products include a product that will turn your PC into an HDTV receiver using (they claim) only software, a book that tells you how to build your own solar cells, a book that tells you how to make thousands of dollars from home "instantly", and - my most recent favorite - a book called the "Lotto Black Book".
I decided to examine each of the claims this spam campaign makes, and especially the completely fake claims they make on their websites. Nearly every single statement on these websites is 100% false, and that's a big no-no pretty much anywhere in the world, but it's an especially egregious offense in the US.
Here is a spam message I received a few days ago from another career affiliate-program-abusing spammer:
From: The LottoBlackbook firstname.lastname@example.org
Subject: Win a lottery everyday- Secret exposed
"They Kept Asking Me:
"How The Heck Did You Do It? What's Your Secret For Winning The Lottery?
Tell Us Or We'll Kill You" I Managed To Escape But I Got Shot In The Left Foot"
They Would Have Killed Me If I Didn't Tell Them My Lottery Secret…
But Today, It is yours:
Can Anyone Win The Lottery? ...Or How Did I Manage To "Kill" The Lottery 5 Out Of 10 Times?
I was searching for a lotto PATTERN...
Winning The Lottery Is Not ROCKET Science.
Anyone can do it. That's why I decided to publish all my secrets in a book.
Wow. That is quite the story, isn't it? The protagonist of this ridiculous spam campaign, "Larry B." (on the website it links to he says he is "Larry B****" but the footer says the site is made by "Larry Blair") is so good at winning lotteries that he's receiving threats.
It links to an affiliate website:
That might not exist for long, but if you've ever researched this type of spam you can spot it a mile away. One single, lengthy, rambling page making a series of ridiculous or outright false claims. It's the HTML page version of a 3:30am infomercial on TV. They just repeat the same claim in numerous ways while telling an (arguably) outlandish story, then back it up with a series of "testimonials", which are also very easily proven to be false.
Here's the first thing you see when you visit this site:
Again I have to say: wow.
80 point masthead type shouting out "Oklahoma professor gets shot in the leg after winning the big lotto prize".
Before I dive into this particular site, let's just get a feeling for how many of these websites are out there. I did a quick Google search for that first line and Google (as of this writing) returned "About 320,000 results" for that phrase with no quotation marks around it. If I add quotation marks, which looks for that exact phrase, it returns "about 10,200 results". So this site is not unique at all. Keeping in mind that it's also pulling up sites which ridicule this product - possibly this very website as well - the majority of the results are actually trying to sell you the Lotto Blackbook product.
A little further down, it claims that this is one of the people who shot him in the leg in order to gain his "secret" about winning lotteries.
"They Kept Asking Me:
"How The Heck Did You Do It? What's Your Secret For Winning The Lottery? Tell Us Or We'll Kill You…"
…I Managed To Escape But I Got Shot In The Left Foot"
Here is the robot portrait of one of the aggressors. It's the same picture that was presented to the police. They were never apprehended..."
It shows a police sketch:
That dates back to April of 2008.
You'll notice that there is absolutely no mention of shooting anyone in the leg in order to expose "lottery secrets".
It doesn't appear that he was caught, but it seems unlikely that the story would fail to mention that he shot someone in the leg. We can file this detail under "unlikely".
The writing about this (probably) completely fake scenario is written with way too much melodramatic flair. ("All you think about is your wife and children..." - so true, man... so... true.)
After an awful lot of copy about how he felt "blessed" for having his lotto-winning "secret" and claiming to donate it to charity, the story continues that he had to use a lot of paper and books for his research, and that his wife was concerned, and took a photo of what he claims was his desk:
That can be found on this page:
The original contest is of course long gone. If you search for that image (thanks again Google) you get "About 9,370 results". So again: not at all a rare image. Is it our lotto-secret-wielding hero? Again: filing that under "unlikely".
Further still, an image that he claims is of him "winning" his first lottery, after trying his alleged theory for 8 years:
That photo is actually a picture of December 2006 Powerball winner Michael Anderson:
Wait - Michael Anderson? That doesn't even rhyme with the name "Larry B." So that's basically just an outright lie.
But did Michael Anderson use some hidden secret method to win his prize? The story doesn't say.
So let's look a little further down:
Google searching for that image, unfortunately, only turns up results of competing "lotto blackbook" websites. But if you look closely it doesn't appear to be the same person.
I would basically call bullshit on pretty much every facet of "Larry B."'s story. The police sketch doesn't add up; the first image of him is not him, it's Michael Anderson; the photo of the messy desk is unlikely to be his, and the second image of him "winning" again is unlikely to be him.
So let's talk about his so-called testimonials:
The first image shows someone he refers to as "Alain M."
Larry B's testimonial copy:
Larry, Thanks to your system, I managed to give up my day job. Now all day long I’m preparing for the weekend lotto drawings. This is the big prize I won. Sometimes I get a couple of thousand, sometimes hundreds … but one thing is for sure: I won almost every time.
Again a very simple search turns up this story:
The name of this winner is actually Alain San Giorgio, not Alain M. (Another outright lie.)
How did Alain actually win? Let's search for that too:
When asked by Virginia Lottery officials how it happened, he replied simply, "I'm just lucky, that's all."
At random.
The winning numbers for that drawing were 4-8-20-22-34. He selected the numbers on his ticket at random.
Now: Alain might be trying to hide the so-called secret method Larry over here is talking about, but you would think we would have heard of him winning numerous times, since this is the claim made on the Lotto Black Book site. There is no mention.
Let me add that when a person wins the lottery, if they want to accept the money they have to give the lottery the right to use their name, their likeness and other identifying elements to promote the lottery. If Mr. San Giorgio actually had won the lottery that many times, there would be several press releases from the lotteries all saying so.
But there aren't. There's only one. Dating from Feb. 2009.
You would also see a series of personal interest stories in several newspapers commenting on how unlikely it was that such a person could win so many lotteries all the time. But in this case: zero.
So: another outright lie.
A companion site mentioned in the footer of this website - thelottoblackbook.com - features most of the same claims and testimonials, but also references just such a news story. They only show a screen grab of the story, but don't link to it:
And I quote:
Three of her wins, all in two-year intervals, were by scratch-off tickets bought at the same mini mart in the town of Bishop.
This entire time this website has been claiming that it will teach you how to beat lotteries like the Powerball, a lottery where a series of winning numbers are pulled completely at random, and tickets are purchased which have user-selected numbers on them.
Mr Rich details the myriad ways in which Ms Ginther could have gamed the system - including the fact that she may have figured out the algorithm that determines where a winner is placed in each run of scratch-off tickets.
Scratch tickets don't work that way. They are pre-printed and have serial numbers, and there are numerous stories of people who have foiled these systems. The two systems are completely different.
The site again claims that this person shared the same Lotto Blackbook method for winning lotteries, but the real article about Ms. Ginther states otherwise.
In short: it's really easy to assume a product is a scam in the first place, but when the websites promoting them (and the spam messages promoting the websites) are so chock-full of such easily disproven lies, it's time to question why the FTC and other consumer protection organizations haven't gone after companies like this one.
Of course he only receives payment via PayPal, so attempting to get your money back from this scam operation is probably a laborious and potentially fruitless exercise.
As usual it's up to the consumers themselves to be cautious about any claims a website makes - especially one promoted via unsolicited non-CAN-SPAM-compliant spamming - and I would hope this single posting provides enough proof that consumers should probably assume that any claim made by a spamvertised website is likely to be an outright fabrication.
My advice: If a company is lying to you once, you shouldn't waste your money on them. But if they lie to you numerous times like this one is? Not only should you never send them your money, the company behind these fraudulent spamvertisements should be completely shut down. That should be obvious to anybody.
Here are some links to discussions which debunk this obviously fraudulent operation:
Over the past two days, only my spam-fighting email addresses have begun to receive a ridiculous amount of stock spam promoting a company called Caduceus Software Systems Corp. Stock symbol CSOC.OB.
Unless this individual has a serious desire to join Al Ralsky in prison, I fail to see the attraction of trying a new stock spam campaign. Ever since Al Ralsky's arrest and conviction, and especially after the SEC's shaming after the Bernie Madoff affair, the attention to this type of fraud has gone up significantly. This is a particularly stupid and very public move on behalf of this moron spammer.
But it also indicates a few things, just as stock spamming has for years.
Stock spamming has routinely been a "quick fix" replacement for any other type of spam campaign which gets shut down or severely hindered. In 2006, prior to the shutdown of AffKing and the indictments and fines against Shane and Lance Atkinson, numerous spammers promoting AffKing would switch immediately to stock spamming whenever the money dried up for any AffKing spamming, or especially when AffKing had to lay low to fix one or another problem. You could practically set your watch to it, it was that consistent.
My recently developed Nigerian ScamerAtor™ is a tool that I had been using for a long while to report up to 200 or so Nigerian scamming email addresses. I ramped up my own reporting over the past four months, and decided to make that tool public. Is it a coincidence that I now see stock spam so soon after putting that utility into the public domain? (Probably.)
The good news is: stock spam means that the spammer probably lost money, or is in the midst of losing money. It may also indicate a wish to get caught. (As mentioned: this is a particularly stupid thing to do as a spammer.)
Never buy a stock promoted by someone you've never heard of, especially if they're sending you 70 - 100 spam messages over only a few hours.
Note also that they have done some Google-jacking to make sure any mention of this company only shows articles which support the spam campaign. This indicates that this is an experienced stock spammer. I wouldn't be surprised to hear that this somehow relates back to the same crew that Ralsky was using for years.
To whoever you are: good luck in jail.
SiL / IKS / concerned citizen
Over the past ten years or so I have been sporadically reporting "Nigerian Scam" spam messages to the email vendors these criminals abuse.
I'm going to assume that you know what a Nigerian Scam is. They've been in existence since the mid-90's, and they re-use a lot of the same ruses to entice their victims to part with some - and in some cases nearly all - of their money. Many of you may remember my experiment over the past two years to tabulate how much I would have "won" from these alleged inheritances, lotteries, funds and other ridiculous scams. I also kept tabs on how much I would have "inherited" or "won" from November 2009 to the end of 2010. The final total was $100,319,915,673.22 USD (100.3 Billion dollars.)
In November 2008 I wrote a detailed posting describing how anyone could report these scam messages, and about the reliability and timeliness of the responses and cancellations of these offending accounts. At that time, Hotmail and Yahoo were two of the worst at getting accounts removed which were actively being used in this patently criminal activity. Fast forward to today - and especially the past six months - and that situation has greatly changed for the better.
Hotmail is now cancelling these offending accounts in as little as ten minutes of receiving my report. This is a huge, huge difference and I applaud this drastic change in their responses to these reports. I would report a new scammer's Hotmail / MSN Live Mail account within a few seconds of receiving one of them, and 10 - 15 minutes later it would be shut down.
It's important to note that they won't shut down just any account. You have to explain to them why the account is being used fraudulently, and explain where in the message the offending account appears. If your reporting to them is consistent, they shut the account down, simple as that.
I was receiving 60 - 80 of these scam messages every single day. Once I started cc'ing the criminal's account on my reports, that account saw a precipitous drop in the volume of Nigerian Scam spam messages received every day. Now it's one or two a day. For that account, Nigerian scam messages are the only spam it receives. All the pharmacy spammers gave up on that account two years ago.
I also received a small handful of replies from the criminals on the other side of these accounts. Some of them demanded that I stop reporting them. I replied that they shouldn't have me in their lists in the first place. Some boasted that this would do nothing, that they would just create thousands of other new accounts. But then after a few weeks I received another message pleading for me to stop. All of this indicates that these reports work, even if it's just one person doing them.
So I decided to create a tool that automates the creation of these detailed reports so that a lot more people could join me in trying to put a major dent in this malicious activity, and I called it the Nigerian ScamerAtor™.
You can download it here:
[Link last updated Jun. 24th, 2012 - v.1.6]
- Download the file
- Unzip the file
- Open the html file in a browser of your choice (as always, I recommend Firefox.)
- Choose the email vendor this criminal is abusing from the drop-down list.
- Enter the offending email address
- (Optional) Choose which fake scenario this criminal is claiming to present. (Lottery, fund, FBI, UN, etc.)
- Choose where this email address appears (headers, body, both.)
- Enter the message headers
- Enter the message body
- Click on the "Go!" button
- A message will be generated for you including the "to", "subject" and a detailed message for the abuse team you wish to send it to.
- Copy that into an actual email and send.
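The report-building steps above, as an added example that is not the ScamerAtor's own code: it takes the same inputs the tool asks for (vendor, offending address, scenario, headers and body), works out for itself where the address appears, and refuses to produce a report that cannot point at the address in the message, since that is exactly the detail the abuse desks insist on. The abuse-contact table, the scenario wording and the sample message are constructed placeholders, not real contacts or a real scam e-mail.

```python
"""Added example, not the Nigerian ScamerAtor's own code: assemble an abuse
report from a raw scam message. Abuse contacts and the sample message below
are constructed placeholders; real providers publish their own addresses or
web forms for reports."""
import email
from email import policy

# Assumed vendor -> reporting address map (placeholders, not real contacts).
ABUSE_CONTACTS = {
    "hotmail": "abuse@hotmail.example",
    "yahoo": "abuse@yahoo.example",
    "gmail": "abuse@gmail.example",
}

# The fake scenarios from the tool's drop-down, in report wording.
SCENARIOS = {
    "lottery": "an advance-fee ('419') scam posing as a lottery win",
    "fund": "an advance-fee ('419') scam posing as an inheritance or fund transfer",
    "fbi": "an advance-fee ('419') scam impersonating the FBI",
    "un": "an advance-fee ('419') scam impersonating the United Nations",
}

# Constructed sample message (not a real scam e-mail).
SAMPLE_MESSAGE = """\
Received: from mail.mailer.example (mail.mailer.example [192.0.2.10])
From: "Dr. Ibrahim Musa" <sender@mailer.example>
Reply-To: claims.desk@hotmail.example
To: victim@example.org
Subject: CONGRATULATIONS YOU HAVE WON
Date: Mon, 25 Jun 2012 09:12:00 +0000

You have been selected as the winner of USD 2,500,000.00 in our e-mail draw.
Contact our claims agent at claims.desk@hotmail.example with your details.
"""


def locate_address(raw_message, address):
    """Report where `address` occurs: which header fields, and whether it is in the body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    needle = address.lower()
    header_fields = [name for name, value in msg.items() if needle in str(value).lower()]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    in_body = needle in body.lower()
    if header_fields and in_body:
        location = "both"
    elif header_fields:
        location = "headers"
    elif in_body:
        location = "body"
    else:
        location = "none"
    return {
        "location": location,
        "header_fields": header_fields,
        "headers": "\n".join(f"{name}: {value}" for name, value in msg.items()),
        "body": body,
    }


def build_report(vendor, address, raw_message, scenario=None):
    """Return the 'to', 'subject' and 'body' of an abuse report, or raise ValueError."""
    try:
        to_addr = ABUSE_CONTACTS[vendor.lower()]
    except KeyError:
        raise ValueError(f"no abuse contact known for vendor {vendor!r}")
    found = locate_address(raw_message, address)
    if found["location"] == "none":
        # A report that cannot show the abuse desk where the address sits is useless.
        raise ValueError(f"{address} does not appear in the message")
    where = found["location"]
    if found["header_fields"]:
        where += " (" + ", ".join(found["header_fields"]) + ")"
    scam = SCENARIOS.get(scenario, "an advance-fee ('419') scam")
    body = "\n".join([
        f"The {vendor} account {address} is being used to run {scam}.",
        f"The address appears in: {where}.",
        "Please terminate the account. Full headers and body follow so you can verify.",
        "",
        "--- headers ---",
        found["headers"],
        "",
        "--- body ---",
        found["body"],
    ])
    return {"to": to_addr, "subject": f"Abuse report: {address} used for {scam}", "body": body}


if __name__ == "__main__":
    report = build_report("hotmail", "claims.desk@hotmail.example", SAMPLE_MESSAGE, "lottery")
    print(f"To: {report['to']}\nSubject: {report['subject']}\n\n{report['body']}")
```

Because the address is searched for in the parsed headers and body rather than taken on trust, a typo in the reported address fails loudly instead of producing a report the abuse desk will ignore.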
Both Gmail and Yahoo now only process these abuse reports via online forms. No emails, period. They also do not respond to any reports but I did some randomized testing and it appears that within 24 hours the reported accounts are indeed terminated. I wish that they would be more communicative of this but at least they do shut the accounts down.
I welcome responses as to further features you think this tool could use, and especially any reports of major successes.
As always, thanks for reading.
SiL / IKS / concerned citizen
As you all have no doubt been aware, updates here have been very few and far between for a while now. I wanted to post a quick update to let you know that yes, I'm still alive, and yes, many things are still underway in the fight against online criminals and the spamming they engage in, among other things.
When I started this blog, email spam was definitely a major scourge, and a vast amount of criminality stemmed from spam itself, which eventually led me further and further up the food chain. That meant that over time, email spam itself (or spam of any sort really) became less of a focus of investigation for me than more meaty subjects like the hosting infrastructure of one or another criminally-operated pharmacy affiliate program, or investigations into one or another botnet's infrastructure and command and control.
Over the past several years, my role in these investigations has been one of a disseminator of collected research and intelligence, handing over as much of the in-depth analysis and research as I could supply to a larger and larger number of researchers and investigators.
As the last two years have shown, that's led to a much greater set of eyes becoming focused on all manner of online crime, and the results have been pretty fascinating to see. I am not saying that my research specifically has directly led to legal action - I have no way of knowing - but it's part of a collected mass of research which may have assisted several organizations in deciding which action (or actions) to take against the operators of these large-scale spam operations.
I'll just itemize a few of these investigations here to get the idea across. Much of this has been covered in greater detail and with more background research by many other more established journalists, security researchers and bloggers than I would have been able to do here.
Microsoft managed to shut down the infamous Rustock botnet - responsible for the majority of spam sent on behalf of Spamit - via some extremely strategic legal and subsequently technical means. That led to a massive drop in spam of any sort, but especially fake pharma. It has also more recently led to a very public notice, especially in Russia, where Microsoft has offered a new $250,000 reward for the "identification, arrest and criminal conviction of whoever is responsible" for the Rustock botnet. (If you know who it is, you can file your own report at avreward[at]microsoft[dot]com.)
This is a big deal to anyone who has been researching spamming via botnets, since Rustock was the botnet responsible for the vast majority of this spam.
Since Rustock was shut down, the statistics for spam overall have seen a dramatic drop. I mean a seriously dramatic drop. It's still there (there are other botnets of course) but it's nowhere near the high volume enterprise that it once was. This is a monumental shift from how things were even a year or so ago, but especially when compared with spam volumes from 2006 through 2010.
As previously mentioned, Spamit themselves pulled the plug on their fake pharmacy affiliate program in October of 2010. Very shortly after this, the alleged owner and operator of Spamit (and, one might logically assume, Glavmed) - Igor Gusev - fled Russia where he began a blog outlining the criminal activities of Russian payment processor Chronopay. Renowned security blogger Brian Krebs has written about all of this at great length, and continues to cover more recent legal activity against Chronopay and its (now former) CEO, Pavel Vrublevsky.
I haven't written about any of that here, again because it's been covered in extremely deep detail by both Russian and North American bloggers and journalists. The litany of public leaks of internal Chronopay emails, documents and other items between 2010 and 2011 has been breathtaking and it most recently led to a large scale raid of the Chronopay offices, and the arrest of Mr. Vrublevsky. That is pretty huge news and I encourage any of my readers to dig into the stories covering that raid and the previous links because it's a pretty big eye-opener into one of the largest online criminal operations I've seen in my time covering this subject. The leaked documents have revealed that Chronopay was the operator of one of the first targeted Mac-only fake antivirus scams, MacDefender, and further show that Chronopay's direct statement insisting that they had no relationship with MacDefender whatsoever was an outright lie. The leaked documents further outline Chronopay as a company creating several new companies specifically to sell other types of fake antivirus "products" over many months. Vrublevsky is the co-founder of one of the larger fake pharmacy operations known as RX-Promotion. Rx-Promotion was formerly in third place after Spamit and what is now known as Eva Pharmacy (formerly Bulker.biz and Bulkerbiz.com.) Since the raids, rx-promotion.com no longer resolves, and other criminal online programs which used Chronopay as their payment processor (notably, other fake-antivirus affiliate groups) have had to recently announce that they were no longer able to pay affiliates in a timely manner.
In the midst of all of this, Pavel Vrublevsky was arrested for having ordered or engaged in a DDOS attack against his competitors.
An additional interesting occurrence was the publishing of a couple of very well-researched reports and the subsequent widespread publicity of the same. Researchers at the University of California at San Diego published two reports - "Click Trajectories: End-to-End Analysis of the Spam Value Chain" and "Show Me the Money: Characterizing Spam-advertised Revenue" - which I cannot recommend more strongly as a must-read for anyone interested in discovering how an online criminal spam operation works and who profits from it. These two scholarly reports, each of which has been linked to, Slashdotted, quoted, and reported on by the New York Times and many other large-scale media organizations, investigate in very great detail and organize the research into every facet of how a typical criminally-run spam operation works.
So what does this mean for the spam landscape? Generally it appears that spamming, as a scummy way of making money, is way down the list of things a burgeoning online criminal or otherwise unscrupulous "marketing" affiliate would choose to engage in. In fact, forum spamming - euphemistically referred to as "SEO marketing" - has very quickly come in to take its place. There are numerous existing researchers and monitoring operations which report on this activity, and many companies such as Google (especially Google!) have already begun to put processes in place to make this type of search engine gaming less and less effective.
Based on feedback from many individuals out there, the majority of email spam that now routinely appears in anyone's mailbox (if indeed it appears there at all, given how good some spam filters have become, again most notably Gmail's) is for Nigerian scams. This has to mean that whoever is still sending any volume of spam today has definitely run short on options of what to send their stolen or harvested lists of recipients. That's mostly a good sign, since there are a lot of very public stories about how to avoid Nigerian scams, and most of the content of the messages promoting these scams hasn't changed significantly since 2003.
Today, for the first time in several years, I received a stock spam message. I can only see this as a further indication of outright desperation on the part of whoever's lists I'm on. Stock spam, when it was sent regularly at all (2006 through 2008) only rose in volume once some facet of a fake pharmacy operation experienced major issues either in terms of their ability to keep sites up or to process transactions. Receiving a single stock spam message in the current climate, when most people are seeing very small numbers of pharma or replica watch spam, is something I personally see as a cry for help.
So: taken together we see several fairly big breakthroughs in only the past 10 months or so:
- Spamit closes their doors
- Spamit operator (Igor Gusev) flees
- Gusev starts an anti-Chronopay blog
- Numerous sources leak internal emails and lots of internal documentation from Chronopay
- Many researchers and bloggers, Russian and otherwise, examine and report on findings from the leaked Chronopay documents and emails
- Chronopay is linked to RX-Promotion directly
- Chronopay is linked directly to one or more fake antivirus scams
- Chronopay is identified as the payment processor of choice for numerous other fake antivirus scams
- The Rustock botnet is shut down via legal and technical efforts from Microsoft
- The creator of the Rustock botnet is currently a wanted man, and has a new bounty on his head
- Chronopay offices are raided and its CEO, Pavel Vrublevsky, is arrested for DDOS attacks against his competitors
- Several fake-antivirus affiliate programs indicate that they can no longer process payments for their affiliates
- RX-Promotion's website and affiliate portal shut down with no public explanation (but we can all take a wild guess.)
That's a lot of activity in such a short amount of time. In all the years I've been researching the multitude of online criminal activities, this is the first year where it looks like the options for online criminals are finally dwindling. It hasn't disappeared completely, and I don't think I should ever expect that to happen. But the fight against the people who thrive on this illicit activity is turning a corner.
I'd like to add a separate item which is mostly speculation on my part. Since the recent devastating earthquake in New Zealand, spamming for a variety of fake pharmacy, "herbal" penis enlargement, diet and fake replica products have seen a massive decrease as well. These were all products which were virtually identical to ones previously promoted via the former "AffKing" affiliate program, operated by Shane and Lance Atkinson, who both still have restraining orders and very heavy fines against them for promoting those products via spam (well: and for the products being, you know, fake.) The spam hasn't stopped 100% but it's clear that the earthquake affected the ability for this particular type of spam to be sent.
My involvement in the exposition of these operations has been reduced mostly due to my desire to get the proper research into the hands of people who can accelerate the fight against this activity. That's proven to be the best use of my time over the past couple of years. I still research it. I still document what I find. I still participate in the many online communities which engage in this research, sharing ideas, discovering how things work in the online criminal world. But my use of this research is better served by being shared with broader groups of researchers, and it's encouraging to see so many more researchers (or even better: large groups of researchers) who are making a difference with the data they uncover.
I think it will be interesting to see if certain parts of the spam landscape resuscitate themselves or not, or if they morph into some newer or unexpected form of scammy operation. I also think it is heartening to know that a large number of career spammers are now left with far less of their regular illicit income, and most importantly that law enforcement agencies, internationally, are working together to get this activity shut down on a very large scale.
If I do have more to report I definitely will do so, even if that means I ultimately link to someone else's report. The battle continues, and from where I sit I hope that you would agree that the developments in that battle have been very interesting indeed.
SiL / IKS / concerned citizen
This domain, among several others (camsecret.com, camsecretcrush.com, camsecretcrush2.com, yourprivateshow.com, many, many more), is being spammed via MSN Messenger and Yahoo Instant Messenger in much the same way that the renowned "SlickCams" webcam dating sites were spammed since 2007. (SlickCams is part of a very large number of companies and properties owned and operated by Flying Croc, who have a history that dates back several years of malicious adult-content spamming of one sort or another, but predominantly via MSN Messenger.)
It turns out that FlyingCroc.net has never stopped this practice, and appears to now control a large variety of similar adult webcam dating sites and affiliate programs, with no intention of stopping the ongoing practice of spamming total strangers (and probably minors) with automated MSN chat sessions promoting webcam porn dating sites. The most prominent of their spammed properties since 2008 has been StreaMate.com. I'll outline that setup here, but there are others.
At first it was assumed that this particular spammer was engaging in this malicious activity on behalf of only one webcam affiliate program. It turns out: he / they are doing this on behalf of at least two distinct affiliate programs, but probably more.
Here's how the StreaMate scam works:
- An unsuspecting user of either Yahoo Messenger or MSN Messenger receives notice that an unknown user has added them to their list of Messenger friends / "Buddies"
- They accept the invite
- They initiate a messenger session with the anonymous "person"
- The anonymous person goes through a predictable script
- The messenger chat always mentions a specific link that the victim should click on to see this "person" on their webcam
- The link is always to one of the above-mentioned domains
Here's a sample:
<[redacted] 4:19:15pm> hello
<princesstera200 4:19:38pm> hey :-)
<[redacted] 4:22:11pm> someone told me to IM you
<princesstera200 4:22:18pm> im good how are you?
<[redacted] 4:22:30pm> oh it's a bot
<princesstera200 4:22:40pm> looks like you got my message? whats up with you?
<[redacted] 4:22:50pm> you're a bot yo
<princesstera200 4:26:12pm> do you think i should wear a thong?
<[redacted] 4:26:17pm> no
<princesstera200 4:26:30pm> lol great choice well i want to give you a free courtesy pass to view me on my cam?
<[redacted] 4:26:40pm> chii would never wear a thong
<princesstera200 4:26:54pm> i want to give it to you k babe?
<[redacted] 4:27:06pm> k fine
<princesstera200 4:27:18pm> Ok go to http://www.camsecretcrush.com/kiss***** and create a free profile
<[redacted] 4:27:32pm> k thx
<[redacted] 4:27:44pm> bot
Very obviously an automated chat session.
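The scripted session above has two tells that can be checked mechanically: the "girl" never responds to what the victim actually typed, and the script steers to a link whatever is said. The following scorer is an added example written for this post, not a tool the spammer or either messenger vendor provides; it parses the transcript format shown above (victim name redacted as in the post, link path kept as the post shows it) and counts how many of the suspect's replies share no content word with the human message they follow. The stop-word list and the verdict thresholds are my own choices.

```python
"""Added example, not part of the original post: heuristic scoring of an IM
session to spot a scripted spam bot. A bot replies on a fixed schedule regardless
of what the victim typed, so its replies share no content words with the human
message before them, and it pushes a link. Transcript is the one quoted above."""
import re

LINE_RE = re.compile(r"^<(?P<who>[^\s>]+) (?P<time>[\d:]+[ap]m)> (?P<text>.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)
# Function words and chat filler ignored when testing whether a reply relates
# to what was just said (my own list; tune for the language of the chat).
STOPWORDS = {
    "the", "and", "you", "your", "are", "what", "with", "that", "this", "for",
    "its", "have", "how", "but", "not", "too", "yes", "well", "just", "about",
    "lol", "hey", "hello", "okay",
}

SAMPLE_LOG = """\
<[redacted] 4:19:15pm> hello
<princesstera200 4:19:38pm> hey :-)
<[redacted] 4:22:11pm> someone told me to IM you
<princesstera200 4:22:18pm> im good how are you?
<[redacted] 4:22:30pm> oh it's a bot
<princesstera200 4:22:40pm> looks like you got my message? whats up with you?
<[redacted] 4:22:50pm> you're a bot yo
<princesstera200 4:26:12pm> do you think i should wear a thong?
<[redacted] 4:26:17pm> no
<princesstera200 4:26:30pm> lol great choice well i want to give you a free courtesy pass to view me on my cam?
<[redacted] 4:26:40pm> chii would never wear a thong
<princesstera200 4:26:54pm> i want to give it to you k babe?
<[redacted] 4:27:06pm> k fine
<princesstera200 4:27:18pm> Ok go to http://www.camsecretcrush.com/kiss***** and create a free profile
<[redacted] 4:27:32pm> k thx
<[redacted] 4:27:44pm> bot
"""


def parse_log(text):
    """Turn '<name h:mm:sspm> text' lines into (who, text) pairs; other lines are skipped."""
    turns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            turns.append((m.group("who"), m.group("text")))
    return turns


def content_words(text):
    """Lower-cased words of three or more letters that are not stop words."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if len(w) > 2 and w not in STOPWORDS}


def score_session(turns, suspect):
    """Count the suspect's replies that ignore the preceding human message, plus links pushed."""
    replies = unrelated = urls = 0
    last_human = None
    for who, text in turns:
        if who != suspect:
            last_human = text
            continue
        if URL_RE.search(text):
            urls += 1
        if last_human is None:
            continue
        human_words = content_words(last_human)
        last_human = None  # each human message is compared against one reply only
        if not human_words:  # "no", "hello": nothing to relate to, so do not count
            continue
        replies += 1
        if not (content_words(text) & human_words):
            unrelated += 1
    ratio = unrelated / replies if replies else 0.0
    if replies >= 3 and ratio >= 0.75:
        verdict = "likely automated"
    elif urls and ratio >= 0.5:
        verdict = "suspicious"
    else:
        verdict = "undetermined"
    return {"replies": replies, "unrelated": unrelated, "unrelated_ratio": ratio,
            "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    print(score_session(parse_log(SAMPLE_LOG), "princesstera200"))
```

On the transcript above every one of the five countable replies is unrelated to what preceded it and one link is pushed, which is what a fixed script produces; a human operator would at least react to being called a bot twice.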
So here's where we end up if we follow that link:
Visiting the site we see a page that presents a few things which appear to be real, but actually are not.
The first is a countdown, indicating that this invitation from our MSN bot has a time limit, and therefore some urgency is implied with your immediate registration.
The second is that there is what appears to be a live chat window, which it turns out is a pre-recorded 1 minute video of a girl pretending to engage in conversation with the victim.
If you attempt to type into the fake chat field, the page refreshes with a totally different video of a totally different girl.
Note the inclusion of the blinking words "Live Now" on the top right corner of the video window. Also utterly fake.
It turns out that video is provided in an iframe by the camsecretcrush.com website itself:
But that iframe is in fact pulling all of its content from a site called camsecret.com
Each of these passes the affiliate id of "1-0-1". This is probably irrelevant since the only time I or anyone else have seen these is via spammers, so one could assume that every single affiliate of this program is probably a spammer via MSN, and that this company fully condones MSN or Yahoo Messenger spamming. (Some have also complained that this is also occurring on Skype.)
If you load that camsecret.com iframe url on its own you see a completely random choice of fake videos depicting several women. It lies to you and says it's "Live Now", but in reality these are all pre-made videos which stream to it in real-time from the domain naiadsystems.com:
naiadsystems.com uses flyingcroc name servers:
Domain Name: NAIADSYSTEMS.COM
Registrar: TLDS, LLC DBA SRSPLUS
Whois Server: whois.srsplus.com
Referral URL: http://www.srsplus.com
Name Server: NS1.FLYINGCROC.NET
Name Server: NS2.FLYINGCROC.NET
Updated Date: 02-apr-2007
Creation Date: 27-apr-2005
Expiration Date: 27-apr-2012
Surprise surprise. Welcome back, former SlickCam.com spammers.
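The check made by hand above (same name servers, therefore same operator) is one that scales to dozens of spammed domains once the whois output is parsed. The script below is an added example written for this post, not from the original or from any registrar tooling: it extracts the Domain Name, Registrar, Name Server and Creation Date fields from registry-style whois text and groups domains by the zone their name servers live in. The naiadsystems.com record is the one quoted above; the other two records are constructed, as are their domain names, and the "last two labels" rule for the name-server zone is a simplification that needs a public-suffix list for ccSLDs like co.uk.

```python
"""Added example, not from the original post: pivot on the Name Server field of
whois records to group spamvertised domains by shared DNS infrastructure. The
naiadsystems.com record is quoted from the post; the other two are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# "Key: value" lines as printed by registry whois (e.g. Verisign for .com).
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>\S.*?)\s*$", re.M)

RECORDS = [
    # Quoted from the post.
    """\
Domain Name: NAIADSYSTEMS.COM
Registrar: TLDS, LLC DBA SRSPLUS
Whois Server: whois.srsplus.com
Referral URL: http://www.srsplus.com
Name Server: NS1.FLYINGCROC.NET
Name Server: NS2.FLYINGCROC.NET
Updated Date: 02-apr-2007
Creation Date: 27-apr-2005
Expiration Date: 27-apr-2012
""",
    # Constructed: a second spammed domain parked on the same name servers.
    """\
Domain Name: SPAMMED-CAMS-EXAMPLE.TEST
Registrar: EXAMPLE REGISTRAR, INC.
Name Server: NS1.FLYINGCROC.NET
Name Server: NS2.FLYINGCROC.NET
Creation Date: 03-mar-2009
""",
    # Constructed: an unrelated domain on different DNS.
    """\
Domain Name: UNRELATED-SITE.TEST
Registrar: EXAMPLE REGISTRAR, INC.
Name Server: NS1.OTHERDNS.TEST
Creation Date: 15-jan-2010
""",
]


def parse_whois(text):
    """Extract the fields this pivot needs from one whois record."""
    fields = defaultdict(list)
    for m in FIELD_RE.finditer(text):
        fields[m.group("key").strip().lower()].append(m.group("value"))
    if "domain name" not in fields:
        raise ValueError("no Domain Name field in record")
    created = None
    if fields.get("creation date"):
        created = datetime.strptime(fields["creation date"][0], "%d-%b-%Y").date()
    return {
        "domain": fields["domain name"][0].lower(),
        "registrar": fields.get("registrar", [None])[0],
        "name_servers": sorted(ns.lower().rstrip(".") for ns in fields.get("name server", [])),
        "created": created,
    }


def ns_zone(name_server):
    """Zone a name server belongs to: ns1.flyingcroc.net -> flyingcroc.net.
    Simplification: last two labels; use a public-suffix list for ccSLDs (co.uk)."""
    parts = name_server.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name_server


def cluster_by_dns(records):
    """Map each name-server zone to the sorted list of domains delegated to it."""
    groups = defaultdict(set)
    for text in records:
        rec = parse_whois(text)
        for ns in rec["name_servers"]:
            groups[ns_zone(ns)].add(rec["domain"])
    return {zone: sorted(domains) for zone, domains in groups.items()}


if __name__ == "__main__":
    for zone, domains in sorted(cluster_by_dns(RECORDS).items()):
        print(f"{zone}: {', '.join(domains)}")
```

Shared name servers are evidence of shared operation, not proof; a large DNS host serves unrelated customers too, which is why this pivot is strongest when, as here, the name-server zone is itself the suspect's own domain.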
Its contact information in the WHOIS points to StreaMates, allegedly in Cyprus:
Streamates Limited Streamates Limited (email@example.com)
196 Arch Makarios Avenue, Ariel Corner 1st Floor, Office 102, PO Box 57528
3316 Limassol, 3316
StreaMate has had affiliates spamming via MSN on their behalf for something like two full years as of this writing.
var spoof_cam = '';
var start_minutes = 5;
var start_seconds = 30;
var current_minutes = start_minutes;
var current_seconds = start_seconds;
var splashpage_name = 'Sam';
var random_message_start = 3;
var random_message_end = 6;
var random_message_interval = (random_message_start + Math.floor(Math.random() * (random_message_end - random_message_start))) * 1000;
var random_message_text = 'hurry im waiting for u..';
var ad_categories = '';
"spoof_cam". "random_message_text". This is so clearly a scam. Not a single real event is taking place here. The spammers know this.
When the 1 minute video is completed, a link appears in the flash video window only, an attempt to further obscure where this spammer wants you to click.
In the example I'm presenting here, the link goes to:
[Notice: no secure "https://", just plain "http://"]
CamSecret is also operated by FlyingCroc:
FCI, Inc. FCI, Inc. (firstname.lastname@example.org)
2019 3rd Ave Ste 200
Seattle, WA 98121
Note that at the top of that page, it claims that you can "Sign-up safely at Camsecret"
This is of course also a lie. None of these domains offer any SSL or other security. CamSecret.com makes this statement boldly on a page which is very obviously not secure.
Just to be 100% sure: attempting to load:
Results in a "not found" error.
Liars. So far, numerous lies from beginning to end and we haven't even joined yet. Exactly how "real" do you think these so-called "webcam girls" are going to be?
As with all of these spamvertised domains, whois information for one of the numerous spammed domains, webcamcrush.com, was originally protected by Privacy Protection provided by GoDaddy.com. However one intrepid researcher decided to raise this case with the Arizona State Attorney General's office, who apparently managed to convince GoDaddy to identify who had registered this domain. It turns out to be one Yaniv Mindell, from the domain "DefiniteDollars.com":
Amory Building, Victoria Road
Saint Kitts and Nevis
Mindell, Yaniv email@example.com
Amory Building, Victoria Road
Saint Kitts and Nevis
Another shell company. First Cyprus, now Saint Kitts and Nevis.
webcamcrush.com is also suspended as a domain.
mywebcamcrush.com's whois information is still protected via GoDaddy. (Aside: When are registrars going to stop providing this for repeat offenders? This is year #4 of this activity. GoDaddy should know better by now.)
DefiniteDollars.com has all the markings of an underground affiliate program. No FAQ, a terms of service that states that they don't allow spamming, but of course no contact gets any response from this company.
I would like to cast an open invitation to anyone who has been affected by this group's ongoing MSN or Yahoo Messenger spamming, and I'd also like to put out an open invitation to both the Yahoo Messenger and Microsoft Live Messenger Team specifically, since I have been attempting to raise any attention whatsoever with that team since 2007, with absolutely no effect.
I'd also like to openly ask GoDaddy why it is that four years on they still allow this group to register dozens-to-hundreds of domains with their company, and continue to hide their contact information despite numerous abuses of their terms of service.
As with all previous spam activity on behalf of Flying Croc, the risk is very high that minors are being exposed to this content. Whoever harvested these MSN and Yahoo accounts had absolutely no concern for how old the unwitting recipient of these invitations might be. They just send out the invitation to however many thousands of these accounts they can unearth, and begin the automated chat to get them into what is clearly an adults-only website. I would assume that the Arizona State Attorney General's office would be aware of this detail, but if not they certainly should be.
Somebody has to start a class-action suit against the owners and operators of Flying Croc. They've been getting away with this crap for years and people are sick of hearing from them.
SiL / IKS / concerned citizen
I've begun receiving tons (as usual) of spam promoting a new "Viagrow" site setup. This same spammer also sends me Ultimate Replica spam and spam messages promoting "Online Pharmacy" (I don't know the affiliate program for that one.)
Viagrow is of course yet another in a long line of utterly fake penis enlargement products. (I have to wonder why these spammers, all predominantly Russian, have such a fixation on penises, but that's probably a topic for another day.)
I decided to check out the new "Viagrow" site setup in terms of examining their order processing methods and was stunned to discover that they actually use the Verified by Visa process. This is a first, and is especially surprising given how frequently spam affiliate programs have been abusing the Verified by Visa brand over the past six years.
Presents two forms to the user to capture personal details including full credit card details. It does so (of course) using no security whatsoever.
Posting the second form leads to this spam operation's custom payment processing domain:
Which in turn passes the form's values to the actual Verified by Visa domain, using Visa's proprietary encryption.
Since I began researching criminal spam operations and the forms their sites use to snare personal details from victims (ahem) "customers", Visa - or more likely the third-party "high-risk" merchants who perform the processing - has never canceled any processing for these sites. This is going all the way back to 2002 or earlier. MasterCard and American Express have repeatedly denied service to pro-spam websites, but never Visa.
Now the Verified by Visa program, one which is directly operated by Visa itself, is allowing payments to be processed directly, essentially sending the message that Visa as a company is a-ok with criminals using their services.
cyber-pay.biz is registered with Directi and hosted on 184.108.40.206, provided by SoftLayer. Softlayer is now owned by ThePlanet. Softlayer has provided hosting, dns and domain registration to online criminals for many years now, so it's probably not going down anytime soon. Directi, in my experience, has been very helpful with spam complaints so we'll see what happens in that department.
change-your-life1.com is registered with bizcn, hosted on 220.127.116.11 by Voxility in Bucharest, Romania.
If anyone knows of any Verified by Visa contacts I'd be extremely interested to see if anyone over there would care to respond regarding their support of a criminal spamming operation.
SiL / IKS / concerned citizen
However, this year we also saw several very highly publicized "takedowns" of some well known botnets, notably Lethic, Waledac, Bredolab, and Mega-D. Not all of these shutdowns were 100% successful, but the volume of activity related to getting specific control servers for one or another botnet is a welcome development, and hopefully will lead to more firm activity on behalf of law enforcement and security researchers around the world. In one particularly interesting case, a series of renowned criminal botnets known as Zeus were shut down and several of their operators were also arrested, pending sentencing as of this writing. This didn't always immediately result in a slowing of criminal activity related to these botnets, and in many cases it didn't appear to have any noticeable effect on the volume of spam received by ordinary email users, but it was still a very notable development in the fight against online criminal activity.
2010 was also the first year where we saw a major international incident caused by a malware infection, which in this case affected Iran's nuclear program. This was a major story and continues to be a genuine concern with regards to international diplomacy and overall relations in the Middle East. Later still, the now-infamous Wikileaks "Cablegate" releases to the media further compromised international diplomacy, as bit by bit thousands and thousands of classified US embassy cables from embassies around the world make their way into the mainstream media. This is an unprecedented event and should continue to be the source of further interesting developments in the years to come.
In more specifically spam-related areas we saw major media also casually refer to operations such as Spamit or Glavmed, identifying them (correctly) as among the most egregious high-volume criminal spam operations in the world. Even better: a lot of media and law enforcement attention was paid specifically to Spamit and Glavmed, resulting in Spamit closing up shop due to receiving too much heat. That was a development I wasn't expecting to happen so quickly, and it's an indication that the days of criminally operated pharmacy affiliate programs may finally be about to come to an end.
So here we go. Start the popcorn maker...
- SiL begins 2010 having "won" or "inherited" $15 Billion USD from a 14-month flood of Nigerian scam messages. Within the month of January, SiL "wins" or "inherits" an additional $5 Billion USD, due to a sudden increase in this type of spam.
- Jan. 4th, in a followup to a previous article he wrote in December 2009, Knujon's Garth Bruen writes about the large number of illicit hosting providers related to the online fake / illicit pharmacy trade. The article comes under fire from many US-based ISPs, but definitely makes some salient points, focusing on the violation of intellectual property rights by pill spammers.
- On Jan. 11th, renowned security investigative firm M86 coordinate with several ISPs and registrars to take down the "Lethic" botnet, responsible for some 8 - 10% of all spam worldwide. From their research it seems very clear this spambot was dedicated to mailing on behalf of Spamit and Glavmed criminal online pharmacies ("Canadian Pharmacy", "Canadian Healthcare", etc.)
- On Jan. 11th, the Dallas office of the FBI publishes a press release detailing a new indictment against 19 individuals for participating in a massive cybercrime conspiracy. [Original press release available here.] Four of the defendants - including the two primary individuals originally investigated back in April 2009 (Michael and Chastity Faulkner) - are alleged to have fled the United States to avoid prosecution. If convicted of conspiracy, the defendants face a maximum sentence of 30 years in prison and a $1 million fine. [Also see this coverage.]
- On Jan. 12th, in what is considered to be a bold statement internationally, the Google Blog divulges that Google as a company has decided to no longer filter their search results from within China after coming under numerous strategic attacks, allegedly from Chinese locations.
...we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.
This announcement makes the front page of the New York Times among numerous other international newspapers, not merely tech news outlets.
- On Jan. 15th, Cornel Ionut Tonita of Galati, Romania pleaded guilty to criminal phishing of bank credentials and faces up to five years in prison for his involvement in the criminal act. Also charged were two other Romanians: Petru Belbita and Ovidiu-Ionut Nicola-Roman, who was the first Romanian suspect convicted in the US for this activity. The phishing operation purported to represent Citibank, Wells Fargo and eBay. Sentencing for Tonita takes place on April 5th.
- In a series of very public defacements, a group of rogue hackers referring to themselves as the "Iranian Cyber Army" modify the DNS settings of Twitter.com and Baidu.com to point to their own server, presenting a page stating that the site was taken over by them. [See coverage here and here.]
- On Jan. 28th, Jody M. Smith is sentenced to a year plus one day in federal prison for his part in assisting the notorious AffKing / SanCash / Genbucks affiliate program, known for spamming all manner of fake "male enhancement" pills from 2004 until their court-ordered shutdown in 2008.
- Brian Krebs, on his fantastic Krebs On Security blog, continues to hear from more and more victims of theft involving the use of the Zeus infection. This continues a very long-running series of stories (going back at least a full year) documenting the losses suffered by a litany of companies, schools, and other organizations.
- Microsoft and Adobe, starting in January and continuing throughout 2010, issue a larger-than-average number of emergency patches for their products to specifically address a rash of newly-discovered exploits. In three months they issue as many emergency fixes as they did in all of 2008.
- On Feb. 8th, numerous news outlets report that the Chinese police have shut down a major hacker training site known as "Black Hawk Safety Net".
The tally is: three people arrested; nine Web servers, five computers and one car confiscated; $249,000 in assets frozen.
According to China Daily, the website was run from the Hubei province in Central China, and offered attacking programs and malicious software to its subscribers.
In theory this could represent some heavy damage to the Chinese hacker community.
See also this coverage from the Wall Street Journal.
- On Feb. 17th, CNN airs a multi-hour program which attempts to simulate the US government's reaction to a cyber attack. This results in a series of stories outlining the US's lack of preparedness for such an eventuality. [See one such story here.]
- Also on Feb. 17th, security organization M86 report that despite a very highly-publicized shutdown last year, the Mega-D botnet is still sending very large amounts of spam.
- On Feb. 22nd, in a Reuters story, representatives state that the US Government have pinpointed the Chinese developer of the malware used in the attack against Google.
U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.
The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was "working on," the paper said, quoting an unidentified researcher working for the U.S. government.
- On Feb. 25th, Microsoft posts a story on their security blog detailing their shutdown of the command and control servers for the Waledac botnet. [See also this coverage and this story from the Wall Street Journal.] The project to get the botnet shut down is known internally as "Operation b49". On March 16th, it is independently confirmed that the Waledac botnet had ceased operation.
- In late February, much of the massive flood of Zeus bot-related spam messages purporting to be from any number of financial or other institutions drops completely out of circulation. This had been slowing by Feb. 22nd, but by the 27th it drops to zero for the first time since June 2009.
- Further ratcheting up international criticism, on March 2nd the US government considers lodging a complaint with no less than the World Trade Organization (WTO) claiming that China's censorship requirements are an unfair barrier to trade. This is specifically in relation to the requirement that Google.cn must censor any potentially sensitive search terms in order to operate within China.
- On Mar. 2nd, capping a multi-year investigation and year-long trial preparation, convicted and completely unrepentant stock spammer and all around fraud artist Alan Ralsky reports to the Morgantown Federal Correctional Institute to begin his four year sentence. You can see his prison listing here. His release date is scheduled for November 11th, 2013.
- On Mar. 10th, with very little explanation to go on, it is reported that dozens of Zeus botnets are knocked offline.
In an online chat conversation with Krebs on Security, [Zeus researcher Roman] Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.
- By March 10th, SiL's "winnings" pass the $32 Billion USD mark. That's past double what he started the year with. On average he receives from 40 to 60 of these messages every day, resulting in accumulated "winnings" of $1 Billion USD every two days or so. Who needs a stimulus package? Let's just rely on these Nigerians to pay for everything.
- On March 10th, it is confirmed that two rogue ISP's were shuttered:
Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.
The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks.
Troyak and Group 3 join McColo and 3fn / Pricewert in the dustbin of rogue ISPs. Yet another blow to criminal botnet operators.
(Note that there are multiple Zeus botnets, not just one. Any vetted criminal can buy the code to start their own. This was still a very heavy blow to a large number of criminal operators.) [More great coverage by Brian Krebs]
- March 11th: another shoe drops and another of the co-conspirators in the infamous TJX hacking case is sentenced to 4 years.
Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.
Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.
So far, March 2010 looks like one of the worst months in history for cyber criminal operatives. Good to see.
- On March 11th, a securities attorney, ironically named David B. Stocker, pleaded guilty and was sentenced to two and three-quarter years for his participation in yet another stock spamming and market manipulation scheme. (His mailer was one Justin Medlin, previously unknown to me.) This makes the third straight year we've seen charges, arrests, trials, convictions and actual prison time for this type of crime. You would have to be an outright imbecile to engage in stock spamming.
- On March 23rd, the FBI's Steven R. Chabinsky gave a Major Executive Speech entitled The Cyber Threat: Who's Doing What to Whom? In it he outlined the very real threat that online crime poses to ordinary citizens but also to governments and businesses.
- In the first major leak they have released to date, Wikileaks post a classified US military video to their website and numerous other locations [YouTube Link] which depicts a US Apache helicopter firing on over a dozen people, most of them non-military personnel. This includes journalists, women and children. This is a very serious leak and sets the stage for far bigger leaks which begin to appear in late 2010. [Further coverage: Collateral Murder Website]
- On April 17th, National Defense magazine publishes a report on the current status of the threat of online criminal activity. The author quotes liberally from well-known online crime researcher Gar Warner, but it has some interesting insights about the risks and dangers if this activity is allowed to continue.
- In what may have been a first, M86 actually names "Spamit" (as opposed to "Glavmed") as the subject of one of several spam messages they witness being sent by a new botnet which resembles the Storm botnet. [source]
- On May 3rd Knujon's Garth Bruen writes a great article entitled When Registrars Look the Other Way, Drug-Dealers Get Paid. The article outlined the key process that supports non-compliant spamming: lazy and non-compliant registrars, and a slow, ineffective ICANN. As a bonus he specifies Bulker.biz / Eva Pharmacy as an especially bothersome spammer affiliate program. This is the first of what would become several blog postings and online magazine articles drawing attention to this rampant problem with so-called "bullet-proof" domain registrars.
- In what would become a high-water mark for the exposition of the Russian online crime economy, on May 18th Brian Krebs publishes a landmark article regarding several Russian individuals and their involvement with spamming and illicit payment processor Chronopay, sourced from several Russian media articles.
In an open letter to investigators at the Ministry of Internal Affairs (MVD) of the Russian Federation, Ilya V. Ponomarev, a deputy of the Russian State Duma's Hi-Tech Development Subcommittee, in March called for a criminal inquiry into the activities of one Pavel Vrublevsky, an individual I interviewed last year in an investigative report on rogue security software (a translated PDF version of Ponomarev's letter is here).
This leads to a lot of open discussion spanning several months on both Russian and English forums related to online security and cybercrime research.
- On May 19th, notorious rogue ISP 3FN (a.k.a.: Triple Fiber Network or "Pricewert") is shut down by the FTC for providing hosting and other infrastructure to several varieties of online criminal activity.
The Federal Trade Commission today got a judge to effectively kill off the Internet Service Provider 3FN who the agency said specialized in spam, porn, botnets, phishing and all manner of malicious Web content.
The ISP's computer servers and other assets have been seized and will be sold by a court and the operation has been ordered to give back $1.08 million to the FTC.
This caused some sizable financial damage to several criminal elements who profited from these servers' continued availability and marked a small success for law enforcement against some really scummy spammers.
- On June 10th, Wired Magazine's Threat Level blog publishes an article [source] in which two of their journalists communicate with a hacker named Adrian Lamo who had communicated via a variety of chats with Private Bradley Manning. Manning allegedly downloaded thousands of classified cables and handed them over to WikiLeaks over a lengthy period of time.
- On June 20th, Igor Gusev, the alleged owner and operator of the notorious Spamit.com affiliate program files a defamation lawsuit against representatives and editors of the Russian "Newsweek" magazine over an article they published in Dec. 2009 entitled "The Evil (Cyber) Empire: Inside the world of Russian hackers." The article, which has since been amended, referred directly to Igor Gusev by name, calling him "one of the world's leading spammers".
- On June 21st, Knujon posts a report [full report pdf] which directly names Demand Media and their domain registration unit eNom "as a major facilitator of Internet drug crime."
- On June 28th, the FTC busted a massive online fraud ring which used spam messages, money mules and stolen credit card data to swindle cardholders out of an alleged $10 million USD over many years using "micro transactions" which were then funneled through several shell companies without the cardholders ever noticing. [FTC press release here, Wired Threat Level article here.]
- On July 8th, an anonymous person using the name "Obivan" posts a comment on a story by Brian Krebs regarding a hack on the Pirate Bay website. The comment announces that the Russia-based payment processing company "Chronopay" has been under a sustained online attack, and that a great deal of data has been lost. At about the same time, numerous anonymous bloggers begin posting several large-scale leaks of insider information regarding the payment processing company "Chronopay", totaling several gigabytes in size.
- Aug. 3rd: LegitScript, a website which reports on criminal or rogue online pharmacies, publishes a story exposing a hack performed on a US government website which was used to promote yet another Spamit website via "blackhat SEO" (a.k.a.: search engine spamming). [source] These kinds of exploits against the public's servers are not new, but a hack against a US government website by these same Russian criminals highlights how rampant this activity has become.
- On August 9th, one of the previously-mentioned Chronopay leak sources, operating under the name "Chronoplay", publishes a comment on porn forum "gfy.com" which reveals that long-time spammer Leo Kuvayev (operator of the original BadCow and later Mailien spam affiliate programs) has been arrested in Russia on 50 counts of juvenile rape. The arrest apparently took place earlier in 2010. Unfortunately the comment and any of Chronoplay's blogs are all offline as of this writing, but the arrest has been confirmed from several sources including Russian law enforcement. [Brian Krebs coverage here.]
- Russian credit card thief Vladislav Anatolievich Horohorin (a.k.a.: "BadB") was arrested by French authorities on August 12th and charged with the illegal sale of thousands of stolen credit card numbers, known as "dumps".
Horohorin, in an April 2009 advertisement of his services, said he had been selling "dumps" — compromised credit and debit card numbers — through websites such as the now-closed Cardplanet.com for about eight years.
Horohorin is charged with access device fraud and aggravated identity theft. He faces a maximum penalty of 10 years in prison and a US$250,000 fine on the count of access device fraud and two years in prison and a fine of up to $250,000 for aggravated identity theft.
[Dept. of Justice press release here.]
- On August 25th, ICANN begins an investigation into the operations of domain registrar eNom. [source] This follows a report by HostExploit entitled Demand Media / eNom Report - CyberCrime USA which concludes that 51.5% of all domains that eNom approved were detected in spam traps, and that eNom was considered the #1 rogue domain registrar on the Internet. eNom had been the subject of numerous complaints for many months by security researchers and many members of the team at InBoxRevenge, and was also mentioned in the aforementioned scathing report in June by Knujon.
- On August 26th, Andrew J. Klein, the White House Senior Adviser for Intellectual Property Enforcement, invited representatives of several domain registrars to attend a three-hour meeting in September to talk about cracking down on criminally-operated rogue online pharmacies. [Brian Krebs coverage here.] This appears to be related to Knujon's previous coverage of domain registrar eNom and their lack of action against several million domain names registered for the purpose of spamming numerous criminal pharmacy websites.
- On Sep. 21st, following many months of reporting of illicit domain registrations by registrar eNom (see above), LegitScript joins forces with eNom to assist them in identifying the individuals behind the plethora of rogue, fake or otherwise non-compliant domain registrations by predominantly Russian online pharmacy affiliate programs.
- On Sept. 23rd, numerous media outlets report that Iran's delayed Bushehr nuclear power plant was infected by the Stuxnet virus as far back as June 2010. This story brings to the forefront a scenario which was previously the stuff of movies: that a piece of malware could be used for nefarious purposes to affect real-world infrastructure. Stuxnet is said at the time to be a very complex piece of malware and was likely programmed by several very senior developers and other operatives. This is considered a very serious international incident and finger-pointing ensues, largely blaming the Israeli government for the infection. [More coverage: Switched.com, Wired Threat Level]
- In a completely unsurprising turn of events, the majority of domains for spammed criminal online pharmacies are now registered via Russian domain registrars.
- October comes one day early in the arrests and convictions department: on Sep. 30th, 19 individuals of Eastern-European origin are arrested in London on fraud charges related to their long-term Zeus botnet activities.
He and his team targeted hundreds of victims who had weak security on their computers and accessed their user names and passwords despite tight security systems put in place by the banks on their internet sites.
Police were alerted by high street banks who were alarmed by a sudden surge in fraud.
Investigators from Scotland Yard's e-Crime Unit discovered that the gang were hitting vulnerable computers using software which is described in the industry as a 'Trojan horse' because it infiltrates the computer without the user realising.
The London arrests were only the first of many, across several countries, related to this action. Most notably in the US, more than 60 people were arrested for engaging in identical behavior and operating Zeus botnets.
This story received very wide coverage, and not only via tech or security news sites or blogs:
Last year I mentioned that November is usually a very high-volume month for announcements of indictments, arrests, convictions and other legal actions against spammers and those who help them. I want to amend that this year to say that it's actually more like October through November. However 2010 was especially fruitful during the month of October. This was another landmark year for legal action against numerous criminal entities related not only to spamming (of any sort, not merely email spamming) but any kind of online criminality, from botnet operation, to the operation of any large-scale criminal pharmacy affiliate program, to money mules, to you name it. As you can see from the story mentioned above, we got a head start this year as well.
- On Oct. 8th the US Food and Drug Administration (FDA) posts a warning letter specifically naming RX-Promo as an affiliate program which violates numerous FDA regulations and several US laws by selling illicit, fake versions of numerous pharmaceutical products. RX-Promo are a very active spamming affiliate program known to sell fake or dangerous pills online, promoted solely via spamming of one sort or another.
- On Oct. 21st, James Bragg, a former assistant in Al Ralsky's pump-and-dump spamming operation, who had already served six months in prison for his part in that organized fraud, pleaded guilty to charges of securities fraud and fraud related to new pump-and-dump activity since that arrest. He faces five years in prison and a $500,000 fine. Once a fraudster, always a fraudster...
- On Oct. 25th, it is reported in the Dutch news media that the High Tech Crime unit had shut down 143 servers which were part of the Bredolab botnet. One day later, F-Secure reported that any affected servers were now redirecting users to a help page describing how to remove the infection. Later on the 26th, it was announced that a 27-year-old Armenian citizen had been arrested in connection with the operation of Bredolab, among other crimes.
- On Oct. 27th, the New York Times run a story which delves into the workings of Russian email pharmacy spam, specifically naming Spamit and its alleged operator Igor Gusev.
- Oct. 29th, Igor Gusev makes a statement to the press that he is not a spammer, and has never spammed. This is in response to charges made by the Russian Association of Electronic Commerce [RAEC] and other Russian law enforcement agencies that Gusev has been the operator of the most widely-renowned pharmacy spam affiliate program, Spamit, since at least 2006. Gusev claims this is a smear campaign on behalf of Chronopay's director, Pavel Vrublevsky. Chronopay is Russia's largest online payment processing company. The same day it is reported that Russian police raided Gusev's properties in relation to these charges.
- On Oct. 30th, Igor Gusev begins writing a blog entitled RedEye Blog (in Russian and English) in which he exposes the inner workings of Chronopay, his business relationship with Pavel Vrublevsky and other interesting items.
- On Nov. 1st, SiL posts his final update to the running tally of his Nigerian scam "winnings", having hit the $100 Billion USD mark several months ahead of schedule. At the time of that final update, SiL was averaging nearly $1 Billion USD of winnings or inheritances every day of the year. The sheer volume of Nigerian scam spam messages is at its highest point since SiL began tracking, often resulting in several hundreds of messages every day to just one of the accounts he monitors.
- On Nov. 11th, as the Igor Gusev story continues to unfold, the RAEC hold a press conference in which they claimed they would expose Igor Gusev as "the largest spammer in the world". [Blog posting here, English translation here.] As previously mentioned, Gusev is alleged to be the operator of renowned criminal spamming affiliate program Spamit, and sister site Glavmed.
Gusev, in this case is called a man who stands for the well-known pharmaceutical affiliate program "GlavMed". A year ago, RAEC, declaring war on pharmaceutical spammers, used as an example of this particular resource, associating it with a brand Canadian Pharmacy, which Spamhaus list, ranked by volume of the world's spam.
- On Nov. 26th, The UK's Metropolitan Police Central eCrime Unit (PCeU) arrest two 18 year olds (Nicholas Webber and Ryan Thomas) for engaging in widespread credit card theft totalling some £12 million (~$18.6 million USD). [Gar Warner coverage here.] Sentencing, which is expected to be very severe, has been adjourned until Feb. 28th, 2011.
- In what would become one of the most notorious international incidents, WikiLeaks begin leaking what they claim is a portion of over 200,000 classified US embassy cables in an event which would come to be known as CableGate. Over the following weeks and months, several news outlets report on the vast amount of information contained in the leaked documents, including the Guardian, the New York Times, Der Spiegel and Wired. As of this writing, the cables are still being released in what seems to be batches of just over 1,000 at a time. Weeks later, an international arrest warrant is released for Wikileaks director Julian Assange by Swedish police. [WikiPedia Link] The cables were apparently illegally downloaded by Private Bradley Manning, who allegedly downloaded them from the US's "SIPRNET" system, a network system which allows US embassies to communicate securely. [Cryptome timeline re: Adrian Lamo]
- On Dec. 5th, an FBI indictment against one Oleg Nikolaenko is leaked to the Smoking Gun. Nikolaenko is alleged to be the main operator of the once-rampant spamming botnet known as Mega-D, a fundamental botnet for the former AffKing affiliate group. The FBI arrested Nikolaenko on Dec. 3rd. [PDF available here.]
- Dec. 13th, the Chinese government announces a new crackdown on piracy of any copyrighted property, from DVDs to MP3s to (presumably) fake Rolex watches. This is allegedly to smooth trade relations with the US, who have been attempting to get China on board with this strategy for many years.
- On Dec. 18th, it is announced that the US government is setting up an initiative that would attempt to shut down fake pharmacy websites. They will certainly have their work cut out for them. This is an addendum to an existing strategy to go after any site which violates patents or copyrights, which was started mid-2010.
- On Dec. 14th, Bloomberg publishes a story confirming that, among many other major online companies, Google and Microsoft are creating a non-profit organization targeting illegal internet pharmacies, in support of the US government initiative.
Google Inc. and Microsoft Corp. are helping to establish a nonprofit organization targeting illegal Internet pharmacies in support of Obama administration efforts, according to the White House Office of Management and Budget.
The group is comprised of companies that serve as Internet choke points and was in response to a call from the administration for private efforts to police illegal pharmacies, said Victoria Espinel, the White House intellectual property enforcement coordinator.
- On Dec. 16th, several news outlets report that the Stuxnet infection which hit Iran's Bushehr reactor in June was apparently better than a bomb in terms of affecting Iran's nuclear program, possibly setting it back by as much as two years:
According to a top German computer consultant, the Stuxnet virus, which has attacked Iran's nuclear facilities and which Israel is suspected of creating, has set back the Islamic Republic's nuclear programme by two years.
The consultant, who was one of the first experts to analyse the program's code and was only identified as "Langer", told The Jerusalem Post that it will take two years for Iran to get back on track.
"This was nearly as effective as a military strike, but even better since there are no fatalities and no full-blown war. From a military perspective, this was a huge success."
There have been claims that the virus is still infecting Iran's computer systems at its main uranium enrichment facility at Natanz and its reactor at Bushehr.
- On Dec. 23rd an independent research blogger named Nart Villeneuve posts a detailed breakdown of how a site is created and configured for the widely-spammed RX-Promotion pharma affiliate program.
- On Dec. 27th, the website for Chronopay displays a notice that their entire database had been compromised, and that all credit card and other payment information has been downloaded by criminal entities. The notice turns out to have been placed by hackers who have actually redirected the DNS for chronopay.com to the domain "anotherbeast.com". Links are placed to what they claim is a database of all the stolen credit card data, but which is in fact only the credit card information for 800 users, captured between Dec. 25th and 26th.
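Both the Twitter / Baidu defacements earlier in the year and the chronopay.com incident above were DNS redirections rather than break-ins on the web servers themselves, so integrity checks on the web host alone would not have caught them. As an added example (not from the original post), here is a Python baseline check a domain owner can run from outside: it compares the delegation seen at the parent (registry) name servers and the records seen by an independent resolver against the expected values, and rates delegation changes highest. All record values (RFC 5737 addresses, `.test` names, "anotherhost.test") are constructed for the example; in practice `observed` would be filled from real queries (for instance with dnspython), not from these literals.

```python
"""Added example (not from the original post): flag the kind of DNS
redirection described above by diffing observed records against a baseline.
All record data here is constructed; real observations would come from
queries to the parent name servers and an independent recursive resolver."""

# Baseline: what the domain's records are supposed to be (constructed).
BASELINE = {
    "parent_ns": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "ns": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "a": {"192.0.2.10", "192.0.2.11"},
    "mx": {"mail.example.test"},
}


def diff_dns(baseline, observed):
    """Return (severity, message) alerts for every record set that differs
    from the baseline.  Delegation (NS at the parent) changes are rated
    critical because they move the whole zone to someone else's servers,
    which is what a registrar-level hijack looks like from outside."""
    severity = {"parent_ns": "critical", "ns": "critical", "a": "high", "mx": "high"}
    alerts = []
    for rtype, expected in baseline.items():
        seen = set(observed.get(rtype, set()))
        added, removed = seen - expected, expected - seen
        if added or removed:
            alerts.append((severity[rtype],
                           f"{rtype.upper()} changed: added={sorted(added)} removed={sorted(removed)}"))
    # The parent's delegation and the zone's own NS set should agree;
    # disagreement means one side was changed without the other.
    parent, child = set(observed.get("parent_ns", ())), set(observed.get("ns", ()))
    if parent != child:
        alerts.append(("critical",
                       f"delegation mismatch: parent={sorted(parent)} zone={sorted(child)}"))
    return alerts


def is_hijack_suspected(alerts):
    """Any critical alert (delegation moved or inconsistent) is treated as a
    suspected hijack; address-only changes are reviewed but not escalated."""
    return any(sev == "critical" for sev, _ in alerts)


# Constructed observation after a registrar-level redirect: delegation now
# points at name servers the owner does not control, and A records follow.
HIJACKED = {
    "parent_ns": {"ns1.anotherhost.test", "ns2.anotherhost.test"},
    "ns": {"ns1.anotherhost.test", "ns2.anotherhost.test"},
    "a": {"203.0.113.7"},
    "mx": {"mail.example.test"},
}

# Constructed benign observation: a planned web-server move, delegation intact.
MOVED = dict(BASELINE, a={"192.0.2.12"})

if __name__ == "__main__":
    for name, obs in (("hijacked", HIJACKED), ("moved", MOVED)):
        alerts = diff_dns(BASELINE, obs)
        print(name, "suspect" if is_hijack_suspected(alerts) else "ok")
        for sev, msg in alerts:
            print("  ", sev, msg)
```

Querying the parent zone's name servers directly (rather than only a recursive resolver) is the part that catches a registrar-side change quickly, since cached answers elsewhere can lag the redirect by hours.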
Phew! That is quite a year.
Here's hoping that online criminal activity remains a high-focus item for world governments and the mainstream media. This is a first for both of those entities paying any kind of attention to these issues and it's been extremely refreshing to see.
Happy New Year, everybody. Stay safe!
SiL / IKS / concerned citizen
Dear partners and colleagues,
Because of the long series of negative events over the past year and the heightened attention to the activities of our affiliate program, we have decided to wind down our operations and stop accepting traffic as of October 1, 2010.
We believe that in the present situation this decision is the most correct one, since it makes it possible to completely avoid the risk of a sudden, unplanned stop, which would inevitably lead to the collapse of all of the program's operations and, most likely, to non-payment of the funds you have earned. In our case, all earned funds will be paid out as usual. Nobody will be cheated.
Please use the remaining time to move your traffic to other affiliate programs in good time.
Thank you for working with us; we greatly value your trust!
Dear partners and colleagues!
Because of the numerous negative events happened last year and the risen attention to our affiliate program we’ve decided to stop accepting the traffic from 1.10.2010. We find the decision the most appropriate in this situation. It provides avoiding the sudden work stop which leads to the program collapse and not paying your profit.
In our case the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs till 1.10.2010.
Thank you for your cooperation! We appreciate your trust very much!
Here's a screenshot of Spamit.com from around an hour ago:
This was the output on Spamit.biz and Spamit.com. Now I and many others notice that spamit.com no longer resolves as a domain. Spamit.ru is also down but I don't know if that had been the case prior to today.
Note that no such notice appears anywhere on Glavmed.com (long alleged to be their sister company.)
The #1 criminally-operated spam operation in the world is suddenly shutting down? (Albeit, possibly temporarily. I'll check back on Oct. 1st of course.)
The "numerous negative events" possibly refers to the loss of Mastercard processing which happened several months ago, and "the risen attention to our affiliate program" possibly means coverage from this blog but also several other media outlets, most notably a large amount of coverage in the Russian press.
If Spamit as an affiliate operation were in any way operating legally or legitimately, this media coverage would not be a cause to shut down. This only goes to show you what a scumbag, criminal operation Spamit and Glavmed have always been.
The fact that spamit domains specifically are shutting down the same day a few sources told me to check this page out indicates some Very Bad Things could be underway for the operators of Spamit.
This could be a very interesting few weeks.
Are you high?
You keep saying I need a life. Look at yourselves.
Here was his comment (dollars to donuts it's a man):
Whomever made this post, isn't that bright!!! Is it illegal to pretend to earn credentials that you didn't, to gain advancement? YES! Absolutely! So, is it illegal to take a fake diploma and use to get a job? Yes. Is it illegal to buy a fake diploma and just hang on your wall? No. Is illegal to joke with your friends about graduating? No. This person is trying to take something that isn't black & white and making it black & white. Fake diplomas are legal. They are legal to buy. A lot of fake diploma companies take major credit cards. If it was illegal, Visa would not accept them! You can't use a Visa to buy meth! haha Fake diplomas are 100% legal. There are illegal acts you can do with it, but people need to be warned about that side of it, without being scared out of simply owning one.
You know, if you want to be taken seriously, "Anonymous", you should really not post anonymously. That and you should get your facts straight. Clearly you didn't read the article.
> Whomever made this post, isn't that bright!!!
Heck of a way to legitimize your post. I will, for now, ignore your stellar lack of skill in grammar and the use of punctuation.
"Whomever made this post?" It's pretty clear who I am. I've been at this for a while.
> Is it illegal to pretend to earn credentials that you
> didn't, to gain advancement? YES! Absolutely! So, is it
> illegal to take a fake diploma and use to get a job? Yes. Is
> it illegal to buy a fake diploma and just hang on your wall?
> No. Is illegal to joke with your friends about graduating?
Correction (and here it is clear you do not know the law): "Novelty" diplomas are legal only in a very small number of US states. The law has a pretty specific definition of that, hence the use of the word "Novelty".
I recommend that you read this website: counterfeitdegrees.com. They are a veritable cornucopia of information regarding the specific legalities of this industry.
On the main page you see the following:
Parallel to the types of fake degree consumer, are two types of fake degree businesses:
- Fake degree suppliers make no pretense of being colleges or leading consumers to believe their resumes can translate to real degrees. They unabashedly sell, advertise, and fiercely market "fake," "phony," "bogus," and "novelty" degrees.
- In comparison, diploma mills go to great lengths to create an illusion of reality and authority. Savvy marketing ploys and misleading information draws customers that may believe an evaluation essay or exam, combined with their resume, earns them an academic degree.
So you can't even just say that "selling fake degrees is legal", because that statement is trying to make things "black & white". It depends on how you word how you want to sell them, and for what purposes.
Further, there are indeed very specific federal and state laws covering this type of industry. You should most definitely read this link also, as it outlines each.
Let me show you, really specifically, a couple of very recent examples of this spam.
Subject: Get a diploma for a better job.
BECAUSE YOU DESERVE IT! Is your lack of a degree holding you back from career advancement?
Are you having difficulty finding employment in your field of interest because you don't have the
paper to back it up - even though you are qualified?
If you are looking for a fast and effective solution, we can help!
Call us right now for your customized diploma: Inside U.SA.: 1-718-989-5740 Outside U.S.A.: +1-718-989-5740.
Just leave your NAME & TEL. PHONE # (with country-code) on the voicemail and one of our staff members will get back to you promptly!
Subject: Need a diploma? Call us.
BECAUSE YOU DESERVE IT! Is your lack of a degree holding you back from career advancement?
Are you having difficulty finding employment in your field of interest because you don't have the
paper to back it up - even though you are qualified?
If you are looking for a fast and effective solution, we can help!
Call us right now for your customized diploma: Inside U.SA.: 1-718-989-5740 Outside U.S.A.: +1-718-989-5740.
Just leave your NAME & TEL. PHONE # (with country-code) on the voicemail and one of our staff members will get back to you promptly!
Note how the subject line of one of them directly states that this is to be used "for a better job"? Did you notice that? What about the use of the sentence "Is your lack of a degree holding you back from career advancement?". Nothing "jokey" about that, "Anonymous." These spammers - about whom I am specifically writing, because you might have noticed that this is a blog about spamming, and these fake diploma operations are promoted via criminal spamming - are not selling a diploma in the hopes that you just want to "joke with your friends about graduating". They are specifically saying: you "need" this diploma, because you can't advance in your career, or you are unable to get a better job without one.
Many other subject lines in recent messages make the claim that younger candidates are getting the job faster than you, therefore you would (again) "need" this fake diploma to stand out. This is not Novelty. This is a criminal act. It is extremely clear.
What's worse is, we're in a down economy, as you may have noticed. The enticement to purchase these as "proof" of someone's abilities is even higher, since there are fewer and fewer jobs available. The spammers behind this know that that's the case, and recent spam volume in this sector is way higher than in previous years. You don't think this is dangerous? You think these spammers are really targeting unemployed professionals because they just want to "joke about" having a degree? Shame on you!
So I have to ask you, "Anonymous", where are the spam messages you apparently seem to be arguing with me about which only sell diplomas so you can "joke with your friends about graduating?" The only spam I've ever seen promoting diplomas are ones which very much get across that these are to be used to "get a better job."
Also: How much, reasonably, does a novelty degree cost? If I want to go to a joke shop and get a "PhD in Beerology", that's probably $20. Money not well spent, but that is probably the extent of that. The diplomas that these criminal diploma spam operations are selling often sell for upwards of $400 apiece. It depends on the "degree" you want to get.
> This person is trying to take something that isn't black &
> white and making it black & white. Fake diplomas are legal.
On the contrary: you, "Anonymous", are trying to lump diploma spammers in with any other kind of seller of novelty diplomas. My posting was extremely clear, and I think any normal human being with eyes could tell the difference between a joke diploma that costs $20 which claims I have a "Masters in Fishing" and a $400 diploma claiming to be from the University of Arizona which claims I have a PhD in Nuclear Physics and has a pretty convincing looking embossed seal on very carefully watermarked paper.
> There are illegal acts you can do with it, but people need
> to be warned about that side of it, without being scared out
> of simply owning one.
They should sure as hell be scared of other people owning them if they're claiming to be a surgeon, a lawyer, an accountant, etc. Would you want surgery from someone based on their fake diploma?
I didn't say novelty diplomas were illegal, I said fake diplomas are illegal, and my posting went into a great deal of detail explaining why. The law is extremely clear, and the litany of ongoing court cases which have been taking place recently (and on a weekly or monthly basis since my original posting was published) is pretty conclusive evidence that selling fake diplomas is, indeed, illegal. Further: many states are actually now strengthening the law to include the manufacture of fake diplomas as an illegal act.
Quit posting anonymously, and don't be so facile about this topic.
- Earth Times News: Resumes That Can Kill: Fraudulent Credentials a Growing Threat, Says Scherzer International
- NBC 15, Madison, Wisconsin: Doyle Signs Bill Cracking Down On Diploma Mills
- Stuff.co.nz: Victoria University busts most cheats
P.S. You'll notice I didn't even bother to go into the legality of fake transcripts. Want to try me on that one?
These registration attacks are executed using automated software such as XRumer, in the hope that we aren't monitoring registrations and are automatically approving all new accounts. If that were the case, the process would look like this, all originating from the forum-spamming software itself (usually via a botnet):
- Visit a topic on the forum. (Usually they choose a fairly low number for the thread id. It's nearly always 1 or 2)
- Visit the registration page
- Agree to the terms
- Create a new registration
- Wait a predetermined amount of time.
- Based on known algorithms used by most forum software, visit the "confirmation URL" which is usually sent to the registration email address.
Because of our particular forum registration requirements, that last portion fails. The software notices this and often tries a minimum of four times, and (so far) a maximum of, on average, 14 - 30 times, always using the same username, email address and frequency of registration. Very often the source IP address used in these registrations is dynamic, which very strongly indicates that this software is using a botnet to perform these registrations. This is not always the case, but it is very frequently so.
Yesterday I encountered six such attacks from a domain called LowCostLinks.com, all using bogus email addresses which indicate that whoever it was that was doing this was no fan of either our forum or another well-known cybercrime researcher:
Date Entered / Email
04/20/2010 04:26:24PM / firstname.lastname@example.org
04/20/2010 06:59:33PM / email@example.com
04/21/2010 06:05:51AM / firstname.lastname@example.org
04/21/2010 06:06:01AM / email@example.com
04/21/2010 06:06:09AM / firstname.lastname@example.org
04/21/2010 06:06:20AM / email@example.com
Username in all cases was: soepxozk
IP address for all registration attempts was 18.104.22.168, a home DSL account hosted by Telus, located somewhere in British Columbia.
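The signals described above (the same username and email retried at least four times, short gaps between tries, the confirmation step never completed, and tries arriving from more than one IP) can be checked mechanically. Here is an added example of such a defender-side check; it is not code from the original post or from any forum software, and every log line, name and address in it is constructed (documentation IP ranges, example domains), not the real entries from the forum.

```python
"""Flag automated forum-registration attempts from a registration log.

Added example (not code from the original post or from any forum
software): it applies the signals described above to constructed log
lines in the post's "Date Entered / Email" style, extended with the
username, source IP and confirmation status.
"""
from collections import defaultdict
from datetime import datetime

DATE_FORMAT = "%m/%d/%Y %I:%M:%S%p"  # matches "04/20/2010 04:26:24PM"

# Constructed sample log: date / username / email / source IP / status.
# Addresses use RFC 5737 documentation ranges and example domains; none of
# these values are the real entries from the inboxrevenge.com forum.
SAMPLE_LOG = [
    "04/20/2010 04:26:24PM / soepxozk / spam1@example.org / 192.0.2.10 / pending",
    "04/20/2010 06:59:33PM / soepxozk / spam1@example.org / 192.0.2.10 / pending",
    "04/21/2010 06:05:51AM / soepxozk / spam1@example.org / 192.0.2.10 / pending",
    "04/21/2010 06:06:01AM / soepxozk / spam1@example.org / 192.0.2.10 / pending",
    "04/21/2010 06:06:09AM / soepxozk / spam1@example.org / 192.0.2.10 / pending",
    "04/21/2010 06:06:20AM / soepxozk / spam1@example.org / 192.0.2.10 / pending",
    # second bot-style burst, each try from a different (dynamic-looking) IP
    "04/21/2010 09:00:00AM / qwxzplk / bot@example.net / 198.51.100.7 / pending",
    "04/21/2010 09:00:30AM / qwxzplk / bot@example.net / 198.51.100.21 / pending",
    "04/21/2010 09:01:00AM / qwxzplk / bot@example.net / 198.51.100.33 / pending",
    "04/21/2010 09:01:30AM / qwxzplk / bot@example.net / 198.51.100.54 / pending",
    # ordinary humans: one confirmed signup, one who retried once and gave up
    "04/21/2010 10:15:02AM / alice / alice@example.com / 203.0.113.5 / confirmed",
    "04/21/2010 11:40:10AM / bob / bob@example.com / 203.0.113.9 / pending",
    "04/21/2010 11:47:55AM / bob / bob@example.com / 203.0.113.9 / pending",
]


def parse_attempt(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    fields = [f.strip() for f in line.split(" / ")]
    if len(fields) != 5:
        raise ValueError("expected 5 ' / '-separated fields: %r" % line)
    when, user, email, ip, status = fields
    return {
        "when": datetime.strptime(when, DATE_FORMAT),
        "user": user,
        "email": email.lower(),
        "ip": ip,
        "confirmed": status == "confirmed",
    }


def find_automated_registrations(lines, min_repeats=4, burst_seconds=60):
    """Return {(username, email): report} for identities that look automated.

    An identity is flagged when it was retried at least ``min_repeats`` times
    (the post's observed minimum) and never completed the e-mail
    confirmation step. The report records the shortest gap between tries,
    whether that gap is inside ``burst_seconds``, and whether the tries came
    from more than one IP, which the post treats as a botnet indicator.
    """
    groups = defaultdict(list)
    for line in lines:
        attempt = parse_attempt(line)
        groups[(attempt["user"], attempt["email"])].append(attempt)

    flagged = {}
    for identity, tries in groups.items():
        if len(tries) < min_repeats or any(t["confirmed"] for t in tries):
            continue
        tries.sort(key=lambda t: t["when"])
        gaps = [(b["when"] - a["when"]).total_seconds()
                for a, b in zip(tries, tries[1:])]
        ips = sorted({t["ip"] for t in tries})
        flagged[identity] = {
            "attempts": len(tries),
            "shortest_gap_seconds": min(gaps),
            "bursty": min(gaps) <= burst_seconds,
            "ips": ips,
            "likely_botnet": len(ips) > 1,
        }
    return flagged


def email_domains_to_block(flagged):
    """Email domains worth denying at registration time for flagged identities."""
    return sorted({email.split("@", 1)[1] for _, email in flagged})


if __name__ == "__main__":
    report = find_automated_registrations(SAMPLE_LOG)
    for (user, email), info in report.items():
        print(user, email, info)
    print("block:", email_domains_to_block(report))
```

On the constructed log this flags the two retried identities and leaves the confirmed signup and the two-try human alone; the second identity is also marked as a likely botnet because each try came from a different IP.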
Clearly they have a bone to pick with Brian Krebs as well. That, I can tell you, means they're probably involved in - or at least "fans" of - far worse things than rinky little forum spamming operations.
LowCostLinks.com is easily one of the most bogus operations I've seen in a while, and their administrator didn't do anything to dissuade me from that opinion, as you'll see below.
LowCostLinks is well aware that they engage in forum spamming. Based on an email discussion I had with their anonymous admin, he didn't care whether it bothered me or anyone else. In fact their convenient "How To Stop Forum Spam" page makes it clear that their "opt out" policy (found here) is to instead tell forum operators that it's up to them to block LowCostLinks. He also rested on the misguided opinion that forum spamming isn't spamming, since it isn't performed via email.
Unfortunately for "companies" (and I use the term loosely) like LowCostLinks, they're woefully uninformed about what their actual platform means from a legal perspective. The same way that an individual can be seen to be "attacking" a website by repeatedly attempting to guess the username and password of a specific third-party account - without authorization - this repeated attempt to register can be perceived, especially in a court of law, as an attack.
Automated registrations can and have been considered a direct form of "attack" against any third party website, since by their very nature they ignore the terms and conditions of most forum software on the internet today. In our particular case, we've made a very clear amendment to our terms and conditions for new registrants which specifically describes that we consider any automated registrations to be an actual attack against us. We define it pretty specifically as well:
- Automated attacks are expressly forbidden
- Automated registrations mean that usually no actual human being is even reading the terms and conditions, or performing the registration.
- If an automated registration occurs more than once, we can assume that they still agreed to our terms and conditions (since you have to click the "agree" button to continue), which means that they agree we should pursue all means to get their email and other accounts shut down, since they are not only in violation of our terms of service, but also those of their email and hosting provider
But even if we hadn't put these very specific clauses in place, a court of law would still perceive this activity to be unauthorized, malicious, and, in some cases, illegal.
The average idiot forum spammer is typically trying to place links within forums for the purposes of boosting the search engine ranking of the site they want our forum, and thousands of others, to link to. This is usually known as "Search Engine Optimization" or "SEO".
Usually, page rank is based on actual useful, valid content. So for example if I write a posting about pharmaceuticals, and it has links to research papers about pharmaceuticals, that means the page rank of those research papers gets a tiny boost, because it's assumed that the content is both related and relevant.
In this case though, we're talking about utter noise: totally unrelated postings on thousands of forums, linking to sites which on their own would not have a very high page ranking at all. Further, we're talking about subverting actual, relevant, content-related search results by flooding forums with totally unrelated links to sites which have no bearing whatsoever on those forums' main focus.
Now: that part is, just like regular email spam is perceived to be, annoying and a nuisance, but not by definition illegal.
However, the means used to make these links appear can most certainly be charged in a court of law as malicious, unauthorized, and, as previously mentioned, an actual attack against whichever server or servers this scummy operation chooses to execute their auto-registrations against.
The administrator of LowCostLinks claimed that my complaint to him would be re-posted on the lowcostlinks.com website because he claimed it would be "great for sales!" Instead I thought I'd post it here to make clear just what type of characters we're dealing with, and that LowCostLinks is a nuisance of which any forum operator out there should very much be aware.
Date: Wed, 21 Apr 2010 11:05:27 -0400
Subject: Stop auto-registering to my forum!
Automated registration attempts made at inboxrevenge.com, by date, descending order:
[above-mentioned list of attack entries redacted - SiL]
Date: Wed, 21 Apr 2010 11:34:29 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <firstname.lastname@example.org>
I think you of all people must know what's up if you managed to find our gmail address. We create posts on forums for a fee. Simply deny access to the @lowcostlinks.com email domain and you will never hear from us again. We are not trying to post on "live" forums, sorry for the inconvenience.
Nice abuse policy, yes? Completely unacceptable.
Also note that he lies about registering to "live" forums. IBR is most definitely live. So are hundreds or thousands of others out there, all featuring fake profiles created by this idiotic organization.
Date: Wed, 21 Apr 2010 11:55:31 -0400
Subject: Re: Stop auto-registering to my forum!
To: "LowCostLinks.com" <email@example.com>
How about instead you stop violating CAN-SPAM law by continuing to allow your scumbag "affiliates" from attempting automated registrations against thousands of forums?
It's pretty clear you're obviously pro-spam, so I'll make sure that my law enforcement contacts know that.
> We are not trying to post on "live" forums, sorry for the inconvenience.
Then what the hell are the automated registrations for?
You should also be aware that under most countries' privacy laws, this constitutes an attack.
Date: Wed, 21 Apr 2010 11:58:57 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <firstname.lastname@example.org>
Go ahead, call your cop buddies, it's hilarious how little you know about
forum "spamming" ;) Have a nice day SiL.
Date: Wed, 21 Apr 2010 12:00:15 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <email@example.com>
P.S. you might want to take a read here: http://lowcostlinks.com/how_to_stop_forum_spam.php
So clearly he isn't taking any of this seriously. So be it.
Date: Wed, 21 Apr 2010 12:06:28 -0400
Subject: Re: Stop auto-registering to my forum!
To: "LowCostLinks.com" <firstname.lastname@example.org>
On Wed, Apr 21, 2010 at 11:58 AM, LowCostLinks.com
> Go ahead, call your cop buddies, it's hilarious how little you know about
> forum "spamming" ;) Have a nice day
"buddies" you say.
On Wed, Apr 21, 2010 at 12:00 PM, LowCostLinks.com
> P.S. you might want to take a read here:
That is a bullshit response, and you know it. You're actively encouraging your "affiliates" (why not just call them spammers?) to continue automated registration against forums, then leaving it up to forum operators to do the extra work of blocking your domain.
You will regret this.
Date: Wed, 21 Apr 2010 12:14:37 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <email@example.com>
SiL, please stop acting so SiLly. Making idle threats doesn't do anybody any good.
Don't create a forum signup form if you do not want people signing up to it. I am sorry, am I missing something?
1. We do not encourage anybody to make our posts for us.
2. We have an opt out program just like any can spam compliant email posting company does. (But we don't post unsolicited emails, so we don't fall under that law anyways.)
3. We do not attempt to hide our identity.
4. We comply with all "do not post" requests.
Good luck finding another one of the thousands of competitors I have that is as genuinely truthful as us.
Don't worry, we have added all of your domains to our black list, you should not receive any more registrations, please provide any more forums you might have.
Again, no hard feelings, have a nice day!
P.S. this entire thread will be posted on our website, they're great for sales!
In that message he incorrectly linked to the url "http://www.google.com/search?q=forum+backlinks+for+sale" when trying to illustrate how much better his site was than his "competitors", which wasn't anything I mentioned in my original message.
But look at the logic. Honestly. Yeah that's the only reason anyone would put together a forum: so that bogus "companies" like LowCostLinks.com can forum-spam it out of existence. Completely obvious isn't it?
Date: Wed, 21 Apr 2010 12:23:20 -0400
Subject: Re: Stop auto-registering to my forum!
To: "LowCostLinks.com" <firstname.lastname@example.org>
> Don't create a forum signup form if you do not want people signing up to
> it. I am sorry, am I missing something?
Clearly, you are, see below. That is one of the stupidest answers I have ever received from anyone, ever.
> 1. We do not encourage anybody to make our posts for us.
Sure you don't.
> 2. We have an opt out program just like any can spam compliant email
> posting company does.
You are defining "opting out" as telling the owner of a forum to block your domain. That's not "opting out."
> (But we don't post unsolicited emails, so we don't fall under that law
Yes you do fall under that law. It doesn't just apply to email. Nice to know that you don't read.
> 3. We do not attempt to hide our identity.
Yes you do:
registrant-lastname: Private Registration
registrant-organization: 1&1 Internet, Inc. -
registrant-street1: 701 Lee Road, Suite 300
registrant-street2: ATTN: lowcostlinks.com
> 4. We comply with all "do not post" requests.
Sure: by telling me to block any registration attempts. How about I and all my colleagues continually, 24 hours a day, keep trying to log in to your affiliate form. Maybe we should do so as many times per second as we can, from numerous randomized IP's I mean it's just up there waiting for thousands of automated attempts to log in right? If you don't like it, why did you create an affiliate login form?
> P.S. this entire thread will be posted on our website, they're great for
Hey it's also great for law enforcement investigations, charges, arrests, indictments, and convictions. My team has led several of those since 2005 against operations just like yours. You are violating computer trespassing laws. You don't seem to care, so I will make you care.
This last email seems to drastically change his tune:
Date: Wed, 21 Apr 2010 12:39:21 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <email@example.com>
Content-Type: text/plain; charset=ISO-8859-1
We made a few signups to your forum, our apologies for that. Forum signup forms are meant to be signed up on, are they not? I get plenty of false affiliate signups daily, I just figured it was the way of the net.
Forums are created to post messages on, we post our messages on forums, if the owner deletes the message, or asks us to stop, we do not post anymore. That is basically what we do. Good luck with your future fights, and congratulations on stopping so many spammers out there!
We do not require forum owners to block our email domain to stop posting, it is only an additional option. As well as deleting the very first message, that is another way to stop our posts as well.
Those are not the only opt out methods however, a simple email telling us to "stop posting" will do the trick. I have proof of numerous, kindly worded messages to and fro from such situations, should law enforcement ever find the need to get involved.
Basically we have 3 opt out policies, you took care of two of them, you have already been added to our opt out list, and should not receive anymore registrations.
So suddenly now that I've clarified that we go after operations like his, he's apologizing. He's also suddenly saying that my request was now all I had to do.
He's a liar! (Surprise.)
Also: welcome to the brain of a forum spammer. If they didn't have the internet, they'd just as soon use your bedroom wall or perhaps your car's front seat to plaster thousands of posters announcing where people could get porn for $12, or promoting fake Viagra pills. After all: why else did you buy your house or your car? Your house has a prominent front door which faces the street. It's OBVIOUSLY there for me to put posters on.
Subject: Re: Stop auto-registering to my forum!
To: "LowCostLinks.com" <firstname.lastname@example.org>
On Wed, Apr 21, 2010 at 12:39 PM, LowCostLinks.com
> We made a few signups to your forum, our apologies for that. Forum signup
> forms are meant to be signed up on, are they not? I get plenty of false
> affiliate signups daily, I just figured it was the way of the net.
Registration to a forum, by a human being who reads our terms and conditions - which expressly forbid automated attempts - is certainly allowed, with the idea that the human being has a brain, and will recognize that repeated automated attempts will have a habit of looking like an automated attack.
That registration is also assumed to be made by a human being who will actually contribute to said forum. This is true of any forum. Forums don't exist purely for you and your affiliates to auto-register at so you can promote whatever bogus links you want.
Especially since my forum is very clearly against this type of automated promotional activity, especially since it has a habit of being run by organized criminals, it's especially telling that your affiliates chose specifically to auto register to it, since it's extremely clear we disallow that exact type of illicit activity.
> Forums are created to post messages on,
By human beings, for the purposes of contributing to specific topics of discussion.
> we post our messages on forums,
Automatically, using software such as Xrumer or several others.
> if the owner deletes the message, or asks us to stop, we do not post
That is unacceptable. You're in violation of your hosting company's terms of service, which specifically disallows automated attacks against other servers, or unauthorized access to other servers. You are performing both of these acts, which I remind you are also against computer trespassing laws in the US, Canada, the UK, Japan, Hong Kong, China, and several other countries.
> That is basically what we do. Good luck with your future fights, and
> congratulations on stopping so many spammers out there!
You really, really need to investigate other alternatives to what you do.
> We do not require forum owners to block our email domain to stop posting,
> it is only an additional option. As well as deleting the very first message,
> that is another way to stop our posts as well.
That is not what you said in your first reply to me. I'll quote it back to you since you conveniently forgot all about that:
"Simply deny access to
the @lowcostlinks.com email domain and you will never hear from us again. We
are not trying to post on "live" forums, sorry for the inconvenience."
Funny how you never mentioned:
1) Yes, right away, sorry to bother you.
2) We take this email seriously, and will acknowledge your request for us to stop doing this.
Your reply was basically: too bad, it's up to you to block us.
> Those are not the only opt out methods however, a simple email telling us
> to "stop posting" will do the trick.
See above! You did not do that, and you are lying to me now about this being your policy.
> I have proof of numerous, kindly worded messages to and fro from such
> situations, should law enforcement ever find the need to get involved.
Oh so it needs to be "kindly worded". I notice that isn't anywhere on your "how to stop forum spam" message either.
> Basically we have 3 opt out policies, you took care of two of them, you
> have already been added to our opt out list, and should not receive anymore
And it took repeated back-and-forth emails to get this simple answer out of you.
This does not excuse your behavior, and reports have already been sent to numerous authorities outlining not only this offense, but many others by your organization which are not hard to find at all.
Too bad you didn't just take my first email seriously. Oh well.
So there we have it. Further proof that spammers lie, as usual, all the time. And further proof that spammers essentially see any online entity, no matter who actually owns or operates it, as their own personal promotion vehicle.
I'd like to add that searching for lowcostlinks.com routinely turns up all kinds of bot-monitoring sites which list many, many automated registrations.
How any of this is "great for sales!" is baffling.
I have yet to receive a response from their hosting company, the infamous "1and1.com", who routinely are found to be providing hosting to all manner of spamvertised properties, phishing operations and numerous other unsafe and unsavory properties. Doesn't mean it won't happen.
Forum spamming is just as bad as any other form of spamming, but affiliates who join these programs should be aware: they are an accessory to computer trespassing and unauthorized attacks against forums.
SiL / IKS / concerned citizen
Just a quick update that I made a brief addendum to my January posting regarding the by-now-well-known "Lady Marmelady" Russian dating spam setup.
In a nutshell:
Marmeladies.com appears to be a fairly recent additional property spammed in precisely the same way.
The URL "littledatenow.com" is a very heavily spammed URL. As with previous "Lady Marmelady" spam, it never divulges where you will end up, but the confirmation email inevitably leads there should you foolishly complete a registration. (And why would you do that? It was received via spam. Use your brain!)
When the spammers promoting this are not spamming that particular URL, the link in the spam message is nearly always (yet again) an MSN Live Spaces URL, or that of some other free-redirection url. That started in March, but especially in the recent two weeks has instead changed back to the "littledatenow.com" URL. A few hours after I posted that domain, I started receiving notice from numerous recipients that the new domain being spammed is "dateyourgirl.com".
The MSN Live Spaces URLs typically redirect or link to an unpronounceable domain name, passing one of a series of affiliate IDs. The domain at the current time is redactjuri.info, and they pass affiliate IDs 132, 134, 135 and 136 (that I have seen or been informed of).
Here's a list of all the domains that these MSN Live Spaces locations redirect to:
(Where "###" is any of the aforementioned "affid" values of 132, 134, 135 and 136.)
redactjuri.info is again registered via GoDaddy using totally fake - and, I might add, incomplete - contact information. Hosted on IP address 22.214.171.124, provided by "North Star Information Hi.tech Ltd. Co." in (of course) Beijing, China.
littledatenow.com was registered via Regtime LTD. on April 5th 2010, just in time to be spammed to millions of recipients. It features questionable contact information claiming to be in Russia. The site is hosted on IP address 126.96.36.199 courtesy of course of "CNCITYNET" in Beijing, China. dateyourgirl.com was registered today (April 19th, 2010) using different but more than likely still fake Russian contact information, registered at Regtime.net. It's hosted on the exact same IP address in China.
[I wonder why the sudden change? Possibly reading this blog? Keep it up. I hear from hundreds of angry recipients of your spam, Marmeladies.]
Nobody from Marmeladies has responded to numerous requests into why they continue to use criminal spam operations to promote their service, but their "service" appears to be a 100% scam anyway based on the multiple messages I've received from the victims of their ongoing financial swindling.
Stay far, far away. Marmeladies.com is a complete and utter scam, more than likely run by criminals.
SiL / IKS / concerned citizen
[Edited 04/19/2010 9:23:09 AM to include MSN Live Spaces redirection information.]
[Further edited 04/19/2010 2:34:16 PM to include newer spammed domain, dateyourgirl.com]
[Further edited 04/20/2010 10:32:23 AM to include further MSN Spaces redirection URLs.]
As I write this, I just updated that total to be:
Of course I haven't actually won or inherited anything. That should be obvious. This is based on messages sent by criminals who hope I will believe I won or inherited money, so that they can then tell me to wire them "fees" to ensure the money gets sent to me.
When I first started tabulating this, it was meant to be a one year experiment to see how much I would have "won" if I took seriously the claims of every one of the Nigerian scam emails I receive on a daily basis.
Within the first full year of tabulating, I had "won / inherited" $15,010,243,226.36. (Fifteen Billion USD.) On average I was "winning" 20 - 40 million dollars every single day. I arrived at my first Billion USD of tabulated winnings on Jan. 14th, 2009. The next on Jan. 27th. On average, I was winning a Billion dollars every two to three weeks.
Fast forward to 2010 and what a difference a year makes.
I "won" the equivalent of all I won in 2009 within the first two months of 2010, hitting $30,452,821,816.30 on March 3rd. I now routinely receive from 50 - 90 of these messages every single day. There has never been a single day where I have not received any Nigerian scam messages claiming I have won the "Microsoft Lottery", the "Toyota Lottery", the "Yahoo / Microsoft Lottery", the "Euro Powerball Lottery" or any of the other so-called lotteries these morons keep promoting.
I'm not sure why, suddenly, after New Year's Eve the volume on this particular type of spam experienced such a drastic spike, but it's officially reached what any normal email recipient would have to think was a ridiculous level.
To the idiots sending this spam: if you send the same "YOU HAVE WON!!!1!!" message more than once a year? People will think you are stupid. More than once a month? Come on.
But several times a day?
Every single day?
How often do people seriously think they can win a lottery?!
Unfortunately, the answer seems to be that at least one person does, because I don't see this trend ending anytime soon.
Some more stats in case anyone out there needs further proof of how utterly stupid the criminals are that send these messages:
- Per day, I now win or inherit around $224 million dollars. Every day.
- The lowest amount I have won in a single day this year: $8,833,127.56.
- The highest amount: $1,726,677,256.77 (That was last week.)
- On average I am winning a Billion dollars every 2 - 5 days. In mid-February it was literally every single day that I was winning one Billion dollars.
Who needs a stimulus package?
I think the general, non-tech-savvy public badly needs further education, because as the saying goes, if it didn't work, we wouldn't be seeing this spam.
I'm frankly tired of seeing "soft" news stories about otherwise smart people who get duped into these scams. Literally every one of them ends with the same epilogue: "If it sounds too good to be true, it probably is."
I've got a better line they should start using: "Are you high?!"
Seriously: does anyone really believe that they are actually the "winner" of a lottery every other day?
At this rate, I can't even guess how high this will go. My existing projection tells me that based on today's date, and the average I am winning / inheriting every single day, I will reach the following total on Dec. 31st of this year:
Or: nearly one hundred and eight Brillion dollars.
If you found this blog posting while looking to see if "your email has won you $10,000,000.00!!!!!!11!!", please read this:
Use your brain.
No lottery in the world will notify you by email, and they will not require you to ever PAY them any money. Use your brain.
The only way you win a lottery is on the off chance (alleged to be one in several billion) that your number, which you paid for at a lottery booth, has won. Your email address cannot "win" anything. Use your brain.
Similarly, you are very unlikely to be notified at random via email when some long-lost alleged relative has died and left you an inheritance.
But most importantly:
You won't win a lottery or inherit hundreds of millions of dollars every single day. You just won't.
SiL / IKS / concerned citizen
Over the course of many months, several of my colleagues and I assisted Yahoo's abuse teams to rectify the problem, and now they have a very accurate filtering system in place, as well as other means of stopping mass registrations of new Yahoo Groups entries.
Well here we are, only 8 months later, and we're seeing the same abuse happening on MSN Live Spaces, Microsoft's social media portal.
To be clear, the abuse of MSN Live Spaces has been going on at least as long as Yahoo Groups abuse, but it's only recently that we've seen a noticeable increase in the use of MSN Live Spaces links in spam messages. For the accounts that I monitor, I'm talking about at least a 500% increase. For friends of mine, the increase is even higher than that. On average I now see over 180 messages every day which feature these links.
Some of my colleagues have had mild success in contacting members of MSN support regarding this. To date there has been only a tiny response to this problem, and the barrage is only increasing.
MSN's abuse process for reporting one single, individual offending MSN Live Spaces account is to fill out a form located here, manually entering as much information as the user can find out about the link, and including information which I guarantee the user will not know at all, such as which MSN account was the creator of the Spaces account in the first place.
Filling out that form for one offending URL is fine, if you're only receiving, say, one or two per day. Nobody I know is receiving fewer than 40 of these every single day. This is far from an intuitive method of reporting abuse.
All attempts to contact MSN Spaces abuse teams directly, including via this abuse form, have been met with no response, and no feedback on what happened to my report. In most cases, URLs I have reported remain alive several days or weeks later.
MSN Spaces: Wake up!
previously mentioned) "Marmeladies.com" fake Russian Dating scam, but many more recent examples seem to focus on "Elite World Casino", another bogus online casino, possibly featuring malware in its installer software. Other newer spam messages I'm monitoring are now also promoting a Korean-hosted "Auto Warranty Source" website, currently hosted at americanwarrantyexpress.com, but of course that URL changes weekly. It's the same affiliate ID every time, however. This turns out to be a scammy US-only auto-insurance operation promoted by the Russia-based "AffZoo.com" affiliate program.
Prior to this month, the #2 type of spam abusing this service was for "Downloadable Software", a site which sells counterfeit versions of Microsoft Windows, Microsoft Office, and a variety of other popular software titles. The software these sites provide is known to contain malware and will cause your Windows computer to join one or another known botnet, operated by criminals, and actively engaging in illegal activity. MSN Live Spaces was likely chosen as the free-hosting solution for this spam because it's a Microsoft portal, so it would make these patently illegal software websites appear to have an air of legitimacy. I reported some 300 of these in the past two months. Only a very small portion of those URLs were ever shut down. (I just checked again and several dating back to January are still active.)
The point is: MSN is not doing anything about this. It's been going on for at least a full year now, and it's only getting worse. The abuse form provided to users is only going to be used by those who really want to spend a lot of time reporting one single URL. People receiving anything like the same deluge I'm seeing aren't going to bother, and of course MSN offers no bulk-reporting service whatsoever.
An obvious suggestion would be to have a quick, easy-to-click link that reports the MSN Live Spaces URL that you are currently viewing, and there you go. Done. Click on it, provide some details about why you think it's scammy, and submit. Blogger does this. Google Pages does this. Numerous types of forum software do this. MSN Live Spaces does not. Why?
Given that so far only 1% or less of my abuse reports have seen any kind of action taken, I believe it is safe to say that MSN effectively has no abuse process for this issue. As far as I'm concerned, I could block all inbound email messages featuring a "spaces.live.com" URL, and my spam would drop by at least two thirds. I know I'm not the only one thinking this, and already at least one spam blocklist has indeed flagged spaces.live.com as featuring a large amount of spammy URLs.
What will it take for MSN to address this problem? Why isn't anyone from MSN Live Spaces responding to any abuse complaints? Why have there been absolutely no modifications to their abuse form in well over a year, given that this problem has only increased?
I'd like to encourage readers of this posting to provide feedback directly to the MSN Live Spaces team, using their feedback form, especially if you, like me, are continuing to see the majority of your inbound spam messages featuring MSN Live Spaces links. This has to stop.
SiL / IKS / concerned citizen
I wanted to post a few quick thoughts on the whole Google vs. China situation.
As most of you have no doubt read, Google very publicly announced that it was the subject of a number of coordinated attacks from Chinese-hosted sources. Google and the international news media have very much raised the focus of the ongoing attacks on behalf of Chinese IP addresses, and this has raised numerous questions about China and its government's involvement in these attacks. I reserve judgement on the particular topic of whether members of the actual government of China had direct involvement or not. [For those of you who have missed all of this, there are dozens of articles out there, but this one should be a good starting point.]
source], and further led to the discovery of the author of a significant portion of the malware used in the attacks against Google, who did in fact turn out to be Chinese. [source]
All of this got me thinking: why hasn't the same bright light also been shone upon Russia, Ukraine and Eastern Europe, since - together with China - they constitute the majority of all attacks against all servers worldwide on a daily basis? This is not merely my opinion. Do any amount of research into botnets and criminal online operations, and Russia especially shows up most frequently, with Ukraine and China not very far behind. Off the top of my head there are at least a dozen very well-renowned cybercriminal bloggers and security researchers who echo this assessment, and all of them appear to just mention it in a manner which implies this is nothing special.
Some coverage of this.]
Many respected contributors participated in this multi-hour examination of what a cyber attack could result in, in terms of damage to a country, but nobody at any point mentioned that as we speak there are thousands of attacks taking place against ordinary websites every single day, with the hopes of taking them over so that criminals located in Russia, Ukraine and China can continue to profit via black market fake pharmaceutical products.
A piece of rampant malware named Zeus bot, also known as Zbot, which solely exists to capture banking information, has been the tool used to illegally withdraw money from the bank accounts of several small businesses in the US, followed by money transfers to individuals located in Russia and Ukraine, on a daily or weekly basis. This continues to have a devastating effect on numerous banks and small companies as well as school boards and other municipal government entities in the US. Brian Krebs has nearly single-handedly been reporting this since at least June of last year. [source, source, source, source and source.] Nobody goes after these people. Why not?
A few points I'd like to add to each of these, lest we continue to refer to spam as being "merely annoying":
- The Zeus bot malware was very often executed by individuals who received it as an attachment to a piece of spam.
- The money mules hired by the Russian criminals to participate in the receipt of the money stolen from these businesses were recruited via spam messages claiming to represent fake financial "processing companies".
- The majority of hijacked servers and home PC's are used in one way or another to support the sending of spam, the hosting of sites promoted via spam, or the deeper infrastructure to obscure the location of sites promoted via spam messages.
I submit to you that email spam is far more than a "mere annoyance": it's a very broad and obvious signal leading to much deeper and more insidious criminal activity should the recipient care to do any digging.
The #1 spamming operation in the world today, by any measure, is Russia-based Spamit and Glavmed, and the ties between this affiliate program and numerous types of malware, identity theft, fast-flux hosting on hijacked Windows PCs, hacking and takeover of public websites on a variety of platforms, and probably more that we aren't aware of, are exercised every single day. This is a criminal organization and there have been many reports which draw the conclusion that a high-ranking Russian government official has ties to it. Nobody does anything about this. Why not?
"Discount Pharmacy" is another criminal online pharmacy operation, this time alleged to be tied to one Vincent Chan [source]. It's been in operation since 2004 (six years now!) and it remains profitable, because again this operation relies on hosting provided by hacked and compromised Windows server operating systems, predominantly located in the US. The profits from this operation siphon their way to both China and Russia. Nobody has bothered to investigate this operation despite the fact that (so far) they have taken over several thousand Windows server systems. Why not?
bulker.biz, later known as bulkerbiz.com and currently still operating under an unknown moniker, continues to spam bogus pharmacies like "My Canadian Pharmacy" and "Canadian Health&Care Mall". Their sites, DNS and image hosting are all provided by hacked and compromised Unix, Linux and FreeBSD servers, using a custom compromise which I first described in great detail in 2006 [link]. Not one law enforcement agency has investigated this operation, despite the fact that several of their operators are US-based, and a significant number of these hijacked Unix servers have also been US-based. As usual, both Russia and Ukraine feature highly in this operation. Nobody has gone after them. Why not?
You can see the pattern here.
I began my research primarily into spamming operations because spamming was an annoying problem which it was obvious that law enforcement and other agencies simply don't take seriously because it is so pervasive. My tactics have greatly modified over the years to focus more on the purely criminal elements of these spamming operations, and my research has led where most other cybercriminal researchers have ended up: spam is merely the annoyance. Peer deeper and we see a litany of persistent criminal activity on an international scale, and it's not merely my research which bears this out. Look at the research of most malware investigators, from M86 to SecureWorks, to F-Secure, to PandaLabs, to McAfee, to Sophos, to Brian Krebs and the Wall Street Journal. All of them started from the other side of the equation: malware, botnets, command and control and money laundering, inevitably resulting in the discovery of "Canadian Pharmacy" spam of one sort or another being sent. This is usually seen as a side-effect. The true criminality from the perspective of malware and botnet investigators is that someone is running the botnet and that it is predominantly criminal. The side effect is always: oh by the way they also send spam on behalf of Spamit and Glavmed, or Bulker.biz.
It took Google to raise the issue of Chinese attacks against servers and other infrastructure, but only because they hinted that the Chinese Government might have a hand in this. I want to re-re-re-raise the following issue, because I believe it to be related, and at least as important as the statements and investigations that Google has been making regarding China:
China, in tandem with Russia and Ukraine, is the source of consistent, large-scale attacks against perhaps thousands of servers of every sort, every day, hundreds to thousands of times per day, for the purposes of taking these servers over, so that they may be used as all manner of infrastructure to support the serving of fake pharmacy websites, which profit criminal spam operations located in those countries.
They have all collectively been doing this consistently for at least 5 years now.
No law enforcement agency in any country has taken a single notice of this, nor have they begun any large scale investigations into these operations despite my notification of this activity, and despite the research of dozens of other respected malware, botnet and security investigators.
I have to ask, since we're into the second year of those financial attacks, and beginning year six of the other myriad criminal compromises of public web infrastructure: what will it take for law enforcement, and more importantly our governments, to bring Russia, Ukraine and China to task for their continued lack of attention to this criminality?
I have to ask, because so far the likes of CNN are willfully ignoring this fact. The average cyber criminal relies on profit to continue performing these persistent attacks. The only reason one of these criminals would actively go after a power station is if they were out to swindle one of their accounting personnel into sending them money. They're doing this right now to less obvious targets. Wake up.
SiL / IKS / concerned citizen
UPDATE (April 18th, 2010): A few things to add to this, since this remains a pretty popular and routinely discovered posting on this blog.
First: the spam promoting "Lady-Marmeladies.com" has mutated into spam that either is still promoting that bogus Russian dating setup or the more recent "marmeladies.com". That switch occurred not long after I first posted this in January, and it appears that Marmeladies.com is the predominant spammed property.
Second: As of this April 19th update, the spam promoting these properties has not stopped, and in fact is now third or fourth in quantity compared to the well-known "Canadian Pharmacy" fake Russian pharmacy setup.
Predominantly Gmail recipients (but definitely many, many others) are continuing to receive massive, massive amounts of this spam, with most of it promoting the URL "littledatenow.com". This has been going on for several weeks promoting that specific URL. The predominant means this group is using to promote either "Lady Marmelady" or "Marmeladies.com" is via unwanted spam sent via botnet to most likely millions of email addresses, none of whom ever opted in.
Starting on Dec. 12th, I started receiving notices from numerous readers of this blog that yet another strain of ridiculous "Russian dating" spam had begun. (I also received a pretty large batch of it but I had to weed through spam logs to find them.)
I've decided to write this entry to outline what it is, because enough people were curious about it that I thought it was worth doing.
Here are a few examples of the ridiculously worded messages being sent in the hopes of enticing potential "mates" for these alleged "single Russian women". These are just from the past 24 hours.
Subject: Want to know what the real Russian girls love and warmth?
I want you now, tell me reciprocate and get me! A smart click
[Links to: http://cid-e96fb019c8ac25b9.spaces.live.com]
Subject: I can do for you is - what can not no girl!
Want to know what the real Russian girls love and warmth? Visit here
[Links to: http://cid-340515fcc8a5b596.spaces.live.com]
Subject: You have little joy in life? Lacks warmth and affection? Come to me.
I can do for you is - what can not no girl! Speed to come
[Links to: http://pprp.net/index.php?idAff=136&action=3]
Subject: Want to know what the real Russian girls love and warmth?
I sexual Russian blonde, want to see, come closer Knock here
[Links to: http://cid-5af57dfa325d5e11.spaces.live.com]
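Since the recurring pattern in these samples is the "cid-<16 hex digits>.spaces.live.com" redirector (or a direct link carrying an affiliate ID), here is a small filter a mail administrator might run over the link lines above. It is an added example and not the author's reporting tool; the URL regex, the "deliver / review / block" verdicts and the benign control URL at the end of the sample list are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample: the four "[Links to: ...]" lines quoted in the post,
# plus one benign control link (constructed) so the filter has a negative case.
SAMPLE_LINK_LINES = [
    "[Links to: http://cid-e96fb019c8ac25b9.spaces.live.com]",
    "[Links to: http://cid-340515fcc8a5b596.spaces.live.com]",
    "[Links to: http://pprp.net/index.php?idAff=136&action=3]",
    "[Links to: http://cid-5af57dfa325d5e11.spaces.live.com]",
    "[Links to: http://www.example.com/newsletter]",  # constructed benign control
]

URL_RE = re.compile(r"https?://[^\s\]>\"']+")
# Per-user Live Spaces hosts look like cid-<16 hex digits>.spaces.live.com.
LIVE_SPACES_RE = re.compile(r"^cid-[0-9a-f]{16}\.spaces\.live\.com$", re.IGNORECASE)
# Affiliate-ID query keys seen on the page ("idAff" in the spam, "affid" on the
# redirect targets) and the affid values the post lists for the redirects.
AFFILIATE_KEYS = ("idaff", "affid")
KNOWN_AFFIDS = {"132", "134", "135", "136"}


def extract_urls(text):
    """Return every http(s) URL found in a message line."""
    return URL_RE.findall(text)


def classify(url):
    """Classify one URL: returns (kind, host, affiliate_id_or_None)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if LIVE_SPACES_RE.match(host):
        return ("live-spaces-redirector", host, None)
    query = {k.lower(): v for k, v in parse_qs(parsed.query).items()}
    for key in AFFILIATE_KEYS:
        if key in query:
            return ("affiliate-link", host, query[key][0])
    return ("other", host, None)


def message_verdict(text):
    """Apply the post's suggestion: drop anything carrying a spaces.live.com
    redirector outright, hold affiliate-tagged links for review, else deliver."""
    kinds = {classify(u)[0] for u in extract_urls(text)}
    if "live-spaces-redirector" in kinds:
        return "block"
    if "affiliate-link" in kinds:
        return "review"
    return "deliver"


def summarize(lines):
    """Tally how much of a batch of link lines the filter would act on."""
    results = [classify(u) for line in lines for u in extract_urls(line)]
    by_kind = Counter(kind for kind, _, _ in results)
    affids = Counter(aff for _, _, aff in results if aff is not None)
    return {
        "total": len(results),
        "flagged": sum(1 for kind, _, _ in results if kind != "other"),
        "by_kind": dict(by_kind),
        "affids": dict(affids),
        "known_affid_hits": sum(n for a, n in affids.items() if a in KNOWN_AFFIDS),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINK_LINES:
        print(message_verdict(line), line)
    print(summarize(SAMPLE_LINK_LINES))
```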
The MSN Live Spaces links (all reported, but they take a while to come down of course) link to the URL "mdok.net".
Each of those MSN Live Spaces URLs features the following image:
[Hosted on the same mdok.net domain, and named "Ebulk-Img.JPG".]
It only identifies the alleged "dating site" by the name of "Dating".
That image has extremely compressed copy. Clearly they don't seem to care that anyone might actually wish to read what it says before linking forward to the target URL. Here's the copy so it can be fed into search engines (I'm including it verbatim, I'm not altering anything the image contains.):
Welcome to the
Best russian brides online dating site.
Our clients who have already married Russian wives** illustrate better than anything the work we do.
We have been introducing single Russian women since 1997, and we are one of the oldest international marriage companies on the Internet.
What is there in Russian women than no one can fnid in women from other countries? Probably, if you decided to visit the site, you already know what women in your country lack. Russian women are undoubtedly beautiful and sexy, loyal and trustworthy, family-oriented and very feminine.
A great many websites on the Internet are dedicated to russian women marriage. However the number of these sites only makes it more difficult to find a real Russian wife. If this is not your first experience of dating russian women online or dating online at all, then you probably know that there are plenty of scams. You may read about them and - avoid them. I know a couple of sad stories about guys who have been disillusioned in any kind of online dating. Don't become one of them. Believe me, a lot of beautiful lonely women are really trying to find their second half on the Internet. You do have a wonderful opportunity to find your beloved and have a happy life where there will be no place for loneliness.
We represent only real women who are genuinely looking to marry a foreigner. I may assure you that we filter out the scammers and check all profiles. We are always aware if a woman is actively searching for her Mr. Right. We delete all inactive profiles, and you can be certain to find only real women on this site.
Wow. Just tugs at the heartstrings, doesn't it? Something which has always baffled me is when spam arrives with text that could only have been written with spam filter evasion in mind, and then links to a site which speaks to the visitor in the first person. If I received this message, I've clearly never heard of whoever it is that's promoting this rather obvious scam of a site, yet the idiots behind this assume I'm going to have the slightest interest in their fake-personal endorsement of this scam of a website. "I know a couple of sad stories", "Believe me", "I may assure you", etc.. Who is this "I" person? Why on earth would anyone take this seriously at all?
But I digress...
For the nerdier among you: That domain is registered using an address in - you guessed it - Estonia, hosted on IP address 188.8.131.52, which is - you're right again - hosted in China. DNS servers are ns2.datinghosting.net and ns1.datinghosting.com, both also hosted on that same IP. That domain was registered on Jan. 11th. (Yesterday.)
So: nothing terribly surprising so far. An anonymous website, called only "Dating" yet claiming to be "one of the oldest international marriage companies on the Internet" (Really? You registered this site yesterday.)
If you actually visit mdok.net, the goal of the site - no matter which of the "ladies" you click on - is to ultimately get you to register. I would be willing to wager that not one single piece of information presented to the user is genuine.
The title on all pages gives the user no idea whatsoever of what site they are actually registering for. The title on every page is "The best selection on Russian brides". The goal here appears to be to keep the actual brand of this site a secret from the user. The landing page shows a list of what appear to be professionally photographed models with the phrase "100% Checked" underneath the images. (Well that's certainly encouraging.) Clicking on an individual "lady" results in a pretty generic "description" of the model with the only link encouraging the user to "Contact me!"
Upon successfully posting the form, you are presented only with the following text:
Thanks for registration!
We'll let you know by email how to contact the ladies
Note that at no point does it ever pass forward any specific "lady"'s ID, even though all of the call-outs are to "Contact me!". At no point does it ever mention where you just registered. No real tangible information whatsoever. On the surface this seems to be an identity theft operation. (Note: as usual no SSL or other secure processing is in place at any point.)
Several individuals did a bit of legwork and created bait registrations to see where the trail led.
About two weeks after sending in their registration, they received the following "welcome message":
Subject: Your account details on www.lady-marmelady.com
Thank you for the registration on our site www.lady-marmelady.com.
Here your account details:
Your login is [#######]
Your password is [########]
E-mail of information service
Save or remember this information!
And look at the messages that start showing up immediately after that:
If you have problems with your site www.lady-marmelady.com and can't reach it or login there, you can always go to the site www.dmlogin.com and login to your account there with your login and password.
These ladies did not get any mails for the past 7 days.
We are sending you the list of active profiles (ladies that have been on the site this week) that have NOT received any mails in the last 7 days and that seem to meet your requirements for a partner.
If you like somebody, just click on the profile and write to them.
Also: within one day of the new registration being approved, "private messages" start arriving:
Subject: New Private Messages has arrived!
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For replying use the links below or go to the site, login and answer your mail there.
If you have problems with your site www.lady-marmelady.com and can't reach it or login there, you can always go to the site www.dmlogin.com and login to your account there with your login and password.
You have received a new private messages on www.lady-marmelady.com.
From raptornat 26y.o., 1 message(s), last message at 25-12-2009 08:15:08 GMT Read the letter(s)
To your account [##########]
If you've forgotten your password - write to us at email@example.com
If you don't want to receive such a message - correct your Account Settings at the site.
Huh? So I can login to either lady-marmelady.com or dmlogin.com?!
lady-marmelady.com was registered in Turkey using contact information from Moscow, Russia on Nov. 30th, 2009.
dmlogin.com was registered using contact information from St. Petersburg, Russia on Jan. 20th, 2009.
Neither of these is anywhere near being "the oldest international marriage companies on the Internet". Not even close.
In literally every case, the people who sent me this information claimed that all they had done was register, using bogus information and a newly created email address. They had not entered *any* information on the site itself. No photos. No personal details. No information about the user's height, weight, eye color or hair color: Nothing. And yet, starting the day after their registration was activated, each of the people who contacted me about this scummy operation claimed they were receiving anywhere from 3 - 5 new private messages a day, every single day.
Hey guess what? You can't read private messages without paying money to lady-marmelady.com.
Given that the initial contact regarding this whole setup claimed "you can be certain to find only real women on this site", this sounds extremely suspect. Genuine dating sites don't act like this one does. No normal human being on the other end of a dating site will contact someone without seeing the slightest hint of personal information. For anyone who had any doubts about whether this is a legitimate site or not, that right there should tell you: this is 100% fake.
Subsequent messages consistently claim that no fewer than a thousand new "ladies" have been "activated" on the site:
On our site www.lady-marmelady.com 1641 new ladies have been activated this week!
There are 1014 among them who match your criteria.
On our site www.lady-marmelady.com 1608 new ladies have been activated this week!
There are 993 among them who match your criteria.
On our site www.lady-marmelady.com 1086 new ladies have been activated this week!
There are 635 among them who match your criteria.
That's between 58% and 63% who "match your criteria", despite these users never having logged into the site to set any such "criteria". Again: FAKE! Stay far away.
So who's responsible for this scam?
Messages sent to the user on behalf of lady-marmelady.com come from firstname.lastname@example.org. dmlogin.com appears to be a separate operation. Its affiliate program is: owndating.com (Registered in March, 2007)
The affiliate program for lady-marmelady.com is profitdating.com (registered in June, 2009)
Neither of these organizations has responded to numerous requests regarding why they use criminal spammers to promote their services. I wonder why?
Nutshell: yet another bunch of scammers from Russia. What else is new?
I would very strongly recommend against joining this scam of a site. (I guess that actually means: either of these sites. They can't even keep that part straight.)
I'm starting a counter to keep track of how many times someone from Russia is lying to the public at large. This sole example represents no fewer than 30 distinct lies, not including the repeated emails the individuals who brought this to my attention continue to receive. Many of the Russian individuals I hear from regularly via crap like this seem to have a pretty consistent track record of being outright liars.
SiL / IKS / concerned citizen
P.S. I edited the last paragraph because some readers felt it was overly broad. Apologies to any non-criminal Russian citizens I may have offended.
Here's to still more pressure against cybercriminals who think they can constantly get away with selling fake and dangerous pills to us, swindling the public, and avoiding law enforcement. Certainly some of them still have, but it's clear from the past three years that their days are numbered.
For a change, I want to send out best wishes to some of the extremely diligent researchers and reporters out there who have kept a consistently sharp eye on the illegal activities of numerous groups and individuals, and recommend their blogs to you:
» All the researchers at FireEye Malware Intelligence Lab.
» Brian Krebs, Security Fix at the Washington Post.
» Gar Warner, Cybercrime and Doing Time.
» All the contributors to the Threat Level Blog at Wired.
» Dancho Danchev, Mind Streams of Information Security Knowledge.
And of course:
» All of the contributors to the Forums at InBoxRevenge.
All of you have helped make life extremely difficult for cyber criminals this year and in previous years, and I think it's safe to say that your continued shining of bright lights on their activities may one day lead to a serious shutdown of cyber crime activities. (Well, or more so than even this year. You'll see what I mean below.)
I should apologize in advance because the length of this post is far more than any average posting on this blog. In this particular case, long is good. This was an unprecedented year.
Here we go...
- Jan. 8th: Maksym Yastremskiy (aka: "Maksik") is sentenced to 30 years in prison by a Turkish court for his part in the infamous TJ Maxx hack, which stole some 45 million credit cards from point-of-sale network data at a variety of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores across the US. There are 10 others still pending trial.
- On Jan. 14th, SiL's "winnings" total from Nigerian scammers [visible in the right-side section of this blog] hits $1 Billion USD. He had begun tabulating every fake "lottery" or "inheritance" message starting on Nov. 17th, 2008. It only took 59 days to reach his first billion USD.
- Jan. 30th: Ukrainian web hosting provider UkrTeleGroup Ltd., another in a series of "bad actor" hosting companies (remember Atrivo and McColo?), is taken offline. This is a result of the continued exposure of their illicit activities by members of the tech media.
- On Jan. 27th, SiL's "winnings" total from Nigerian scammers hits $2 Billion USD. That only took 13 days.
- Feb. 12th: FireEye Security begins a series uncovering further companies who clearly support illegal activity online, starting with a comprehensive report on Starline Web Services, hosted in Estonia.
- Also on Feb. 12th, a news story is posted claiming that Microsoft, Symantec and other corporations are offering a $250,000 reward for information leading to the arrest of whoever is behind the malicious "Conficker" worm, which is extremely virulent and widespread. This leads to some doubtful discussions within the anti-spam community, since whoever it is is most likely living in Russia or Ukraine, and likely very well-protected and hard to find. [See also this story.]
- On Feb. 14th, a news story appeared that (finally!) one of the numerous Nigerian scammers had been arrested for fraud in Mumbai, India:
The incident started when Mmereole had e-mailed a message to the Mumbai businessman in November 2008 saying that he could obtain unclaimed money amounting US$ 8.6 Million from one Oceanic Bank located in Nigeria by paying US$ 8,780 as processing fees, police said.
The message said that the bank's director would personally collect the fees from the businessman. However, the businessman sought police help by lodging a complaint at the CCIC.
He subsequently contacted Mmereole and falsely expressed his willingness to pay the processing fees. After that, they chalked out a plan to meet at the hotel where police caught the Nigerian fraudster while taking the money, officials said.
- On Feb. 18th at approximately 4:00pm EST, the forum at InBoxRevenge is the target of an SQL injection attack. The attack was vaguely warned about via a spam message worded identically to those for well known illegal pharmacy site Canadian Pharmacy. The attack was effective for approximately 12 minutes, after which the forum continued operation unfazed. Following this attack, numerous automated attempts to register were logged. All of them originated from Russia, Ukraine, Israel and Croatia. The operators of Glavmed / Spamit (the affiliate program and sponsor group behind Canadian Pharmacy spamming activity) are believed to be the perpetrators.
- On Feb. 25th, SiL's "winnings" total from Nigerian scammers hits $3 Billion USD.
- On March 3rd, renowned and unrepentant spammer Sanford Wallace is sued by Facebook for (guess what?) spamming Facebook members.
...the suit covers allegations that Wallace and his business associates spammed Facebook members with wall posts that posed as messages from their friends. The gang allegedly hacked into accounts using phishing techniques before sending the offending messages.
This comes nearly a full year after Wallace was ordered to pay $230 million dollars to MySpace for precisely the same activity. (See also this coverage.)
- March 4th, renowned cybercrime investigator and blogger Dancho Danchev notes that pro-gay Russian websites have been under sustained DDOS attack for a week. This is somewhat ironic, given the sheer volume of spam messages originating from Russia featuring message bodies with multiple occurrences of the word "penis".
- On March 10th, Sergei Markov, a member of Vladimir Putin's Unified Russia Party, jokes that his assistant was responsible for the 2007 cyber attack against Estonia.
During a discussion on information warfare in the 21st century, moderated by US-based Russian journalist Nargiz Asadova, Markov unexpectedly went into a Boris Yeltsin-style rant, Radio Free Europe reports.
"About the cyberattack on Estonia... don't worry, that attack was carried out by my assistant. I won't tell you his name, because then he might not be able to get visas," he said.
- On March 5th, SiL's "winnings" total from Nigerian scammers hits $4 Billion USD.
- On March 7th, the most widely-spread new virus, known as Conficker and Downadup, upgrades all infected PCs in the first "push" style update ever witnessed on a large-scale botnet.
In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the prolific worm. For one, the update targets antivirus software and security analysis tools to prevent them from removing the malware. Not only does it try to disable anti-malware titles, it also goes after programs such as Wireshark and regmon.
And for another, it also greatly expands the number of domain names infected machines contact on a daily basis.
A few days later, a group known as "Bit Defender" releases their own Conficker removal tool.
- On March 13th, Konstantin Goloskokov, a "commissar" in the Kremlin-backed youth movement known as Nashe (or Nashi, depending on the report you read) claimed responsibility for the 2007 cyber attack against governmental and other sites in Estonia.
Mr. Goloskokov said: "We did not do anything illegal. We just visited the various internet sites, over and over, and they stopped working.
"We didn't block them: they were blocked by themselves because of their own technical limitations in handling the traffic they encountered."
- On March 13th, the BBC program "Click" receives lots of tech media attention when they demonstrate the functionality of a botnet which they had temporarily gained control of. British investigators consider whether what they did was illegal even though they didn't use the botnet for any actual malicious intent.
- March 16th, internetnews.com reports that cybercriminal and spamming activity is rising as it never has before.
Expect more spam later this year. IronPort's Bandhari said that botnet owners are building vast bot armies with the capability of sending even more spam but are not yet using them to their full capacity. "We see two or three botnets that are set up but not fully monetized yet," he said. "There have been some spam and malware attacks hosted from there, but they are trying to stay under the radar."
Botnets and cybercrime appear to be receiving much more press attention since November, 2008. This is mostly a good sign.
- On March 19th, renowned, long-time stock spamming relatives Darrel and Jack Uselton settled charges the SEC filed against them way back in July 2007 regarding their rampant stock spamming and market manipulation.
Without admitting or denying the SEC's allegations, the Useltons agreed to be permanently banned from selling penny stock in the future. Out of $4.2m seized by authorities, Darrell Uselton will pay more than $2.8m in disgorgement and prejudgement interest. The SEC will also collect a $1m penalty.
Darrel Uselton still faces charges for engaging in organized criminal activity.
- On March 20th, rogue fake antivirus affiliate portal trafficconverter2.biz is shuttered after Visa and MasterCard report massive chargebacks for their card processing accounts. The story is reported both by F-Secure and Brian Krebs' Security Fix blog at the Washington Post. The Krebs story in particular references several connections to the Conficker worm, which may have been purposely flooding that site in the hopes of stifling competition with another unknown fake antivirus site.
- Also on March 20th, Trend Micro's security blog itemizes all of the spam brands being spammed via the Waledac virus. The spam is clearly from several affiliate programs, notably Spamit, Bulkerbiz.com and AffConnect. This only clarifies that any individual can use whichever botnet they choose, to spam on behalf of any rogue affiliate program.
- On March 24th, SiL's "winnings" total from Nigerian scammers hits $5 Billion USD.
- March 26th, 25-year-old Charlie Blount Jr. of West Haven, CT is sentenced to four years for his participation in a phishing and identity theft scheme against users of AOL.
- Also from West Haven, CT (what is it about that city?), 24-year-old Thomas Taylor managed to avoid doing any jail time for his participation in the same malware scheme.
- On April 7th, SiL's "winnings" total from Nigerian scammers hits $6 Billion USD.
- At the RSA conference on April 21st, cybercriminal researcher Joe Stewart makes an open call to take a new approach in fighting the numerous criminal organizations which perpetrate most of the cybercriminal activities around the world. The following day, he is interviewed by security reporter Brian Krebs (story):
What we really need is to form teams that focus on tracking specific adversaries, trying multiple tactics to affect these guys' criminal enterprises. The idea is to escalate the technical measures they have to go through to keep their businesses up and running.
- April 23rd, Darkreading.com reports that a very large-scale Ukraine-based botnet has infected 70 US Government domains.
The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains -- 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine.
Details of the botnet and what it does can be found on the Finjan website, who were the ones who discovered it.
- On April 30th a US District court in Missouri indicted four men in a "Giant College Spam Operation":
A federal grand jury in Missouri has indicted two brothers and two other people on charges related to an alleged e-mail spamming case that targeted more than 2,000 U.S. colleges and sold more than US$4.1 million worth of products to students, the U.S. Department of Justice announced.
- On April 24th, SiL's "winnings" total from Nigerian scammers hits $7 Billion USD.
- It also comes to light on April 30th that a list of backers of Hillary Clinton and her presidential campaign were sold to some 21 buyers for an alleged $4.5 million.
In the first three months of 2009, Mrs. Clinton's presidential campaign brought in $4.5 million by selling or renting out the list, which has contact information for more than a million people. Among the 21 customers for the list were political entities closely connected with Mrs. Clinton, according to first quarter filings with the Federal Election Commission. They included her political action committee, her Senate campaign committee and her husband Bill Clinton's charitable foundation, which together paid more than $3.5 million to use the list, the FEC filing showed.
- On April 25th, the Canadian Government tables their first-ever legislation regarding spam and online crime. Titled "The Canadian Electronic Commerce Protection Act" (CECPA?!), the bill purports to protect Canadians against numerous forms of online criminal activity, including spamming.
The Honourable Tony Clement, Minister of Industry, today announced that the Government of Canada is delivering on its commitment to protect consumers and businesses from the most dangerous and damaging forms of spam. The government has introduced legislation in Parliament that aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.
The proposed Electronic Commerce Protection Act (ECPA) will deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and will help drive spammers out of Canada.
- On May 8th, in a bizarre story, "someone" operating a very large botnet known as the "Zeus botnet" (one of many such Zeus botnets, by the way) sends a command to "kill operating system", or "kos", causing some 100,000 infected Windows PCs to shut down completely. Zeus is known to harvest financial and identity data, and the theory is that whoever commanded this botnet to shut down did so in the hopes that they could use the vast amounts of credit card and other data they had harvested.
- May 18th, Sergiu Daniel Popa, 23, originally from Romania, is sentenced to eight and a half years for running numerous phishing websites claiming to be Sun Trust Bank, Citibank and PayPal. Popa also (of course!) sold several phishing kits to other criminals. See also further coverage by the Register.
He pleaded guilty last year, so the long prison term Popa received took some security watchers by surprise.
In sentencing, Judge John Tunheim said the long jail sentence he was imposing against Popa reflected the scope and longevity of his offences, as well as the many victims affected by his crimes.
- On June 2nd, SiL's "winnings" total from Nigerian scammers hits $8 Billion USD. This latest "Billion" took longer than average [40 days], possibly due to SiL reporting some 750 free-mail accounts to their providers.
- Throughout June, and continuing to this day, spam is seen in the wild claiming to be from Microsoft, Adobe, and a variety of governmental, financial and other agencies, in the hopes of infecting (or perhaps "re-infecting") as many people as possible with the Zeus bot (remember the shutdown that took place earlier?). Numerous researchers write several reports and track down the hundreds of thousands of domains this crew registers, and this further raises the question of when ICANN will actually start enforcing their registrar accreditation regulations, given that so many rogue affiliates continue to allow domains to be registered "en masse", with either no contact information or completely fake contact information.
This same group of spammers or individual spammer (unknown) also attempts to sell one or another of a growing number of fake antivirus products which are essentially ransomware.
Numerous stories tied to this one, and the research continues to this day, but this one covers all the bases.
- On June 22nd, the FBI put out a press release announcing that Alan Ralsky, long-time fraudster and unrepentant spammer, has pleaded guilty along with four of his accomplices to numerous charges, including those directly pertaining to criminal spamming activity. The charges include conspiracy to commit wire fraud, making false statements to federal officers, and (obviously) violating the CAN-SPAM Act. Each faces 2 to 3 years in federal prison. Score another win for law enforcement.
- A few news organizations publish a story alleging that well-known spammer Ron Scelson has been arrested on rape and molestation charges.
Slidell Police seized over a dozen computers on Tuesday from the business and home of a man who allegedly molested a teenager.
The bust comes after a several month investigation looking into claims that 36-year-old Ronald Scelson handcuffed a 14-year-old girl to a chair and molested her.
There is no further coverage of this story for the rest of the year, so it's unknown whether these charges were sustained or not.
- On June 30th, SiL's "winnings" total from Nigerian scammers hits $9 Billion USD.
- On July 28th, a report entitled HTTP, Web Browsers and Web 2.0 - A Criminal's Dream is presented at a Cisco / Ironport event in Thailand. It directly names Glavmed, Spamit, and Canadian Pharmacy as having direct links to each other and a variety of website infections as well the ubiquitous Storm worm.
- On July 21st, cybercrime research group FireEye publish their discovery that yet another rogue ISP allowing criminal activity to thrive, known as "3fn", has also lost its connectivity. (3fn stands for "Triple Fiber Networks", and was apparently related to a company named "Pricewert LLC".) This is the fourth shutdown that we know of, and exposes a huge amount of criminal activity related to payment processing (notably on behalf of several child pornography sites), hosting of child porn, command and control of botnets, distribution of malware, and of course the hosting and processing for numerous illegal online pharmacies. There's lots more that probably wasn't published.
The shutdown was executed by the US Federal Trade Commission [press release] and marks another win for law enforcement against these criminal entities.
- On July 8th, David S. Patton pleads guilty to creating botnet software which was previously used by renowned spammer Alan Ralsky. This is merely the latest in a series of guilty pleas and sentences which followed the arrests of Ralsky and several of his cohorts in 2008.
- August 4th, The Canadian Press publishes what must be the first mainstream media story (i.e.: not specifically a technology blog or media entity) regarding the criminal nature of "Canadian Pharmacy", making specific mention of GlavMed.
GlavMed.com - whose logo is a googly-eyed snake wrapped around a martini glass containing colourful pills - is registered under the name Pharmos Limited, with an address listed in Great Britain.
The phone number provided offers no identification when called, and accepts voice mail; but no call was returned when a message was left. While the majority of the GlavMed site is in English, the frequently asked questions are in Russian.
- On August 8th, Twitter, Facebook and many other social networking sites suffer a fairly large-scale DDOS attack from persons unknown.
"On this otherwise happy Thursday morning, Twitter is the target of a denial of service attack," wrote Stone. "Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways, and in this case, Twitter for intended customers or users. We are defending against this attack now and will continue to update our status blog as we continue to defend and later investigate."
Also see this coverage from the Washington Post's Brian Krebs.
- On August 10th, SiL's "winnings" total from Nigerian scammers hits $10 Billion USD.
- August 17th: Jody Smith, the third individual previously charged in the shutdown of AffKing (responsible for huge, huge amounts of spam until their shuttering in October 2008) pleads guilty to the charges laid against him.
Jody M. Smith, 30, of McKinney, Texas, has pleaded guilty in federal court here of conspiracy charges that said he helped manage an international business that sold counterfeit goods and illegal pharmaceuticals online in 2004-08.
Officials said Friday that the business used spam e-mails to sell in eastern Missouri and elsewhere.
Unfortunately he only faces fines of $250,000, but he does also face up to five years in federal prison. Sentencing is scheduled for October 23rd.
- On August 19th, Harpo, Inc., Oprah Winfrey's production company, filed a trademark infringement suit against more than 50 online marketers of bogus dietary supplements such as "acai berry".
Harpo, Inc. has filed this lawsuit to let consumers know that these internet marketers are willfully using the names of well-known figures to deceive the public. Neither Ms. Winfrey nor Dr. Oz has ever sponsored or endorsed any acai, resveratrol or dietary supplement product and cannot vouch for their safety or effectiveness. It is our intention to put an end to these companies’ false claims and increasingly deceptive practices.
The marketing company behind this operation, known as FWM Laboratories, states that their affiliates are the problem, completely ignoring the fact that those affiliates are representing their products, which makes FWM legally liable.
- August 27th, Real Host, based in Riga, Latvia, loses its upstream network connectivity due to rampant, relentless criminal activity taking place throughout its domains.
Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious "rogue" antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site. "This is maybe one of the top European centers of crap," he said in an e-mail interview.
"It was a cesspool of criminal activity," said Paul Ferguson a researcher with Trend Micro.
Also see this excellent documentation. This follows in the line of other disconnections of online "bad actors" which started in October 2008.
- In late August a mini-documentary entitled Stop H*Commerce is produced by computer security company McAfee. This documentary is a must-see for anyone intrigued by how a typical Nigerian scam operates, and how cyber criminal activity is perpetrated generally.
- On September 1st, SiL's "winnings" total from Nigerian scammers hits $11 Billion USD.
- The ongoing "Zeus bot" phishing / malware attacks continue, this time under the guise of an IRS message claiming that the recipient has "underreported income" [source]. Brian Krebs continues to monitor and report on these attacks, and ties them to a very large scale money mule operation [source], as well as the theft of hundreds of thousands of dollars from the accounts of several small businesses and US School Districts. The spam barrage continues, and this has the effect of exposing numerous holes in the US business banking industry as well as the money wire industries (Western Union, etc.) [source]
- Sept. 29th, a very comprehensive report is presented at the Virus Bulletin Conference in Geneva, Switzerland, entitled The Partnerka - What Is It, And Why Should You Care? It discusses spamming as a popular cultural entity within Russia, its ties to Russian organized crime, and again names Glavmed as being directly responsible for the plethora of Canadian Pharmacy spam flooding the Internet.
- September 29th: Petru Belbita, 25, and Cornel Tonita, 28, both of Romania, are extradited to the U.S. for their execution of a number of phishing attacks claiming to represent Citibank, Wells Fargo, eBay and a slew of others. Both face more than 30 years in prison.
- On October 19th, SiL's "winnings" total from Nigerian scammers hits $12 Billion USD.
- Starting on October 28th and continuing throughout November, the InBoxRevenge forum becomes the target of a series of large-scale DDOS attacks by persons unknown. This has very little effect on the stable communication of its members, or on the communication of its members with media and tech contacts or law enforcement.
- Also on October 28th - and very possibly linked to the above-mentioned attack against InBoxRevenge - several domains crucial to payment processing for Spamit and Glavmed are shut down, including spamdot.biz and spamdot.info. This is briefly mentioned in a sweeping report (dated Nov. 7th) on behalf of the Russian Association of Electronic Communication (RAEC) which draws a lot of the same conclusions numerous spam researchers have been arriving at for years:
Experts estimate that the lion's share of spam market players have provided service for such pharmaceutical resources as Glavmed.com which sells counterfeit goods, including counterfeit Viagra. As of November 15, 2009, this affiliate programme tops the Spamhaus list (http://www.spamhaus.org/statistics/spammers.lasso) under the name of Canadian Pharmacy (Glavmed.com), #1 spammer in the world.
This does not stop or even appear to slow the onslaught of spam promoting the bogus "Canadian Pharmacy", but it certainly must have made some of their affiliate ranks lose considerable profits. Nobody at InBoxRevenge had anything whatsoever to do with the shutdown of any of these processing domains. (Though we wish we did.)
- The zeus / zbot spam continues, claiming over numerous weeks to be on behalf of Gmail, Towernet / CapitalOne, "your email provider", the FDIC, Facebook and MySpace. Many media outlets report on this (not merely tech media) and most of the dozens of domains the criminals behind these attacks have registered end up being shut down quickly, often before the phishing spam is even received.
- On October 30th, a California Judge awarded Facebook $700 Million in damages against Sanford Wallace (see original lawsuit entry in March.)
In addition to the damages, Judge Jeremy Fogel of U.S. District Court in Northern California's San Jose division banned Wallace, and anyone affiliated with him, from accessing Facebook.
Facebook acknowledged that it doesn't expect to get much money out of the bankrupt Wallace, but it said that he could end up behind bars.
- On Nov. 2nd, Shane Atkinson and Roland Smits, of the infamous AffKing / SanCash / GenBucks spamming affiliate program, are ordered by a New Zealand court to pay fines of $100,000 NZD and $50,000 NZD, respectively.
- Nov. 6th, renowned network security organization FireEye investigate and subsequently take action to shut down the persistent Mega-D botnet, also known as Ozdok. Mega-D is widely known for sending some 30% or more of all spam worldwide. Their planning and execution of this shutdown is reported in numerous media outlets.
- On November 9th, SiL's "winnings" total from Nigerian scammers hits $13 Billion USD. This is just shy of a year from the date he first started tabulating the amount.
- Nov. 10th, four men are indicted by the U.S. Attorney's office for the Northern District of Georgia, in Atlanta for their part in the theft in Nov. 2008 of 9 million dollars (USD) via hacked ATM pay cards. They hail from Ukraine, Estonia and Romania. A fourth individual's identity and location remain unknown. Definitely also read coverage by Gar Warner and the Washington Post's Brian Krebs on this story. [Also see: USDOJ press release.]
Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as "Hacker 3" were indicted by a federal grand jury in what's being described as "perhaps the most sophisticated and organized computer fraud attack ever conducted."
The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack.
- In further follow-up to the previous Mega-D botnet takeover, FireEye hands over control and monitoring of the "sinkhole" domains to renowned security research organization Shadowserver [source] who will continue to monitor and report on any further discoveries regarding this now-defunct spamming botnet. [See also this story.]
- InBoxRevenge undergoes its third major SYN Flood attack during an additional 2 days in late November. Again this does absolutely nothing to stop that group from continuing to analyze and report on criminal spamming and other cybercriminal activity. Clearly somebody is upset, and only a few days later do we discover that it may have been due to the above-mentioned shutdowns of Spamit / GlavMed payment processing servers.
- On Nov. 18th, after receiving and analyzing spam attempting to spread the Zeus or Zbot infection for many months [see above], Gar Warner coordinates with law enforcement and other agencies to strategically shut down what is known as the "Avalanche" phishing community. This is yet another major blow to online criminals who had been sending this type of criminal spam for at least six months in 2009, claiming to be on behalf of the IRS, Capital One, Facebook, MySpace and a variety of other organizations. Good riddance. Of course: a new infection campaign - known as Sasfis, which is far more widely detected - begins in its place...
- On the same day (coincidence?) two individuals from Manchester, England are arrested for their part in the dissemination of the Zeus / Zbot infections. This is the first arrest of its kind, and begins to finally chip away at this widespread, internationally executed crime.
- On Nov. 19th, numerous news sources quote a press release from the US Food and Drug Administration (FDA) which specifically calls out a large number of domain owners and operators representing what are deemed to be illegal pharmacy affiliate websites.
The agency issued 22 warning letters to the operators of these Web sites and notified Internet service providers and domain name registrars that the Web sites were selling products in violation of U.S. law. In many cases, because of these violations, Internet service providers and domain name registrars may have grounds to terminate the Web sites and suspend the use of domain names.
"The FDA works in close collaboration with our regulatory and law enforcement counterparts in the United States and throughout the world to protect the public," said FDA Commissioner Margaret A. Hamburg, M.D. "Many U.S. consumers are being misled in the hopes of saving money by purchasing prescription drugs over the Internet from illegal pharmacies. Unfortunately, these drugs are often counterfeit, contaminated, or unapproved products, or contain an inconsistent amount of the active ingredient. Taking these drugs can pose a danger to consumers."
Shockingly, one specific affiliate program is singled out, known as Rx-commission.com, ignoring several of the other far more widely-promoted programs such as (duh) Spamit / Glavmed, promoters of the completely illegal "Canadian Pharmacy" set of websites. Still good news.
- Also on Nov. 19th, in what appear to be a series of very welcome announcements, Interpol issues a press release outlining the widespread, large scale shutdown of numerous bogus pharmacy operations, including multiple arrests in several countries.
An international week of action targeting the online sale of counterfeit and illicit medicines has resulted in a series of arrests and the seizure of thousands of potentially harmful medical products.
In response to an ever-increasing number of websites supplying dangerous and illegal medicines, Operation Pangea II involving 24 countries was co-ordinated by INTERPOL and the World Health Organization's (WHO) International Medical Products Anti-Counterfeiting Taskforce (IMPACT) to highlight the dangers of buying medicines online.
This affects more than mere spamming operations. This affects a large sector of the black market which sells these drugs, only part of which has to do with criminal spam operations. This is a huge win not just for cybercriminal investigators, but for unwitting consumers of these clearly very dangerous fake pharmaceutical products.
- On Nov. 23rd, Alan Ralsky is sentenced to more than four years in prison for leading a large-scale criminal spamming operation and engaging in stock manipulation. This case has, of course, been discussed here many times.
Ralsky, 64, from West Bloomfield, near Detroit, Michigan, was sentenced to 51 months while his son-in-law, Scott Bradley, 48, was imprisoned for 40 months over the same pump and dump stock fraud conspiracy involving thinly-traded stocks.
Each pleaded guilty to wire fraud, money laundering and violations of the CAN-SPAM Act. Two other co-conspirators, who also confessed their involvement in the scam, were sentenced on Monday. Five others face a sentencing hearing later on Tuesday.
From the US Dept. of Justice press release:
"Today's sentencing sends a powerful message to spammers whose goal is to manipulate financial transactions and the stock market through illegal e-mail advertisements," said Assistant Attorney General Lanny A. Breuer. "People who use fraudulent e-mails to drive up stock prices and reap illicit profits will be prosecuted, and they will face significant prison time."
Cases against three other co-conspirators were still pending...
- ...Uuuuuntil November 24th. :)
The remaining six co-conspirators were sentenced to anywhere from one day in prison (David Patton) to four and a half years in prison (Frank Tribble) for their part in assisting Ralsky with his ongoing fraudulent activities. They all face several years of supervised release following their sentences, and they each had to either forfeit hundreds of thousands of dollars, or were fined similar amounts.
In total, all of the guilty parties forfeited $1,866,100.00 to the US government from their ill-gotten gains, and were fined a total of $10,500.00. On average, they will serve ~3 years in federal prison (longest sentence: 3.3 years for Ralsky and his son-in-law Scott Bradley; shortest sentence: 1 day for David Patton).
It's also notable that four of the accomplices were given additional jail time and supervised release time due to what was termed "committing a substantive violation of the CAN-SPAM Act". This is the first time the actual CAN-SPAM law has been brought to bear, and the first court precedent in sentencing for this particular violation. Certainly a step in the right direction.
- On Nov. 26th, a press release states that police in Germany and Austria shut down a fairly major credit card theft operation:
In raids throughout Germany and Austria, police closed down a web gang which stole private credit-card data and used viruses to create a network of 100,000 robot computers, Germany's Federal Crime Office said Wednesday.
In Germany, three persons were detained during the Tuesday raids on 46 homes. One was held in Austria. Many computers were seized.
This is not necessarily related to spam (and in SiL's opinion, spam is really just one of many outlets of the type of crime he and others investigate and report on) but it's still a very significant series of arrests.
- On November 27th, in what appears to be a later-than-usual discovery, numerous news outlets - notably several Russian outlets - declare Glavmed (aka: Spamit) to be the #1 criminal spamming operation in the world. The Russian Association of Electronic Communication (RAEC) states the following:
Experts estimate that the lion's share of spam market players have provided service for such pharmaceutical resources as Glavmed.com, which sells counterfeit goods, including counterfeit Viagra. As of November 15, 2009, this affiliate programme tops the Spamhaus list under the name of Canadian Pharmacy (Glavmed.com), #1 spammer in the world.
With regard to the trans-frontier nature of cyber-crime, RAEC urges the international community to synchronize activities aimed at spam prevention. The clampdown on spam in the Russian Internet (RuNet) will most likely result in spammers moving their servers to other countries. This assumption is confirmed by the fact that SPAMDOT.BIZ (Glavmed.com) has physically moved its server to Germany (spamdot.INFO, spamdot.ORG) after it was closed down in Russia.
As it happens, the shutdown of Spamdot.biz, a recruiting site for Spamit, occurred on October 28th, the same day as the first of a series of large-scale attacks against the InBoxRevenge forum. (Coincidence?) A Google Translation is available here. Of course, Glavmed's only response is to deny, deny, deny, despite the fact that they openly promote the widely-spammed "Canadian Pharmacy" brand of illegal online pharmacy, and have never hired pharmacists to fulfill the prescription drugs they illegally export to the US and other non-Russian countries.
- On Nov. 30th, things get worse for the AffKing / SanCash / Genbucks spammers when Lance and Shane Atkinson are ordered to pay $15.5 million USD by the US Federal Trade Commission (FTC). This is nearly a year to the day after their extremely high-volume spam operation was shut down as a result of several restraining orders.
A U.S. district court last fall ordered an asset freeze and a halt to the spam gang's operation, which was responsible for sending potentially billions of illegal spam messages, and has accounted for more than three million complaints.
The court has since issued a default judgment against Atkinson, his company, and three companies affiliated with Smith. In addition to the $15.15 million that Atkinson and his company have been ordered to pay, the three companies affiliated with Smith are liable for $3.77 million. All five defendants are prohibited from making unlawful claims about male enhancement products, hoodia products, and any dietary supplement, food, drug, or service purported to provide health-related benefits; from misrepresenting that they can lawfully sell prescription drugs or pharmacy services over the Internet; from misrepresenting the data security measures they provide on their Web sites; and from violating the CAN-SPAM Act.
- On Dec. 4th, SiL's "winnings" total from Nigerian scammers hits $14 Billion USD.
- Dec. 9th, following several weeks of inbound spam asking the question "Is Working Online At Home The New Gold Rush?" and linking to a variety of sites implying that Google was somehow promoting some type of pyramid scheme (Original story, documenting hundreds of abused links and third-party properties), Gar Warner reports that Google had finally had enough and was filing suit against "Pacific Webworks", the company behind the scam. [He cites the Sophos blog, but a few other sources also reported it.] Much more information on the company and their scam available here.
- Also on Dec. 9th, Project HoneyPot, an initiative that tracks the IP addresses of harvesters scraping email addresses from public websites and the spam subsequently sent to those addresses, received its billionth spam message.
The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India (184.108.40.206). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (220.127.116.11) that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.
The report lists a variety of statistics regarding how much time it takes from harvesting to receipt of spam, and generally describes which botnets are involved, and which properties they spam.
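The bookkeeping behind that report is simple to reproduce: every spamtrap address is handed to exactly one visitor, so the harvest record already names the IP that scraped it, and any later message to that address is attributed to that harvester, with the gap between scrape and receipt as the harvest-to-spam latency. The script below is an added example written for this page, not Project Honey Pot's code; the addresses, IPs (RFC 5737 documentation ranges) and timestamps are constructed.

```python
"""Attribute spamtrap hits to the harvester that scraped the address.

Constructed example: each trap address was generated for a single page
visitor, so the harvest log ties it to one harvester IP. Spam arriving at
that trap is attributed to the harvester, and the delay between scrape and
receipt is recorded. Messages to addresses that were never handed out are
reported separately, since they reached the trap domain some other way.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed harvest log: (spamtrap address, harvester IP, time the page was scraped)
HARVESTS = [
    ("trap-a1@honeypot.example", "192.0.2.10",   "2007-11-04T09:12:00"),
    ("trap-b7@honeypot.example", "192.0.2.10",   "2007-11-06T18:40:00"),
    ("trap-c3@honeypot.example", "198.51.100.5", "2009-10-30T02:05:00"),
    ("trap-d9@honeypot.example", "198.51.100.5", "2009-11-01T11:00:00"),
]

# Constructed inbound spam log: (recipient trap, sending IP, time received, subject)
SPAM = [
    ("trap-a1@honeypot.example", "203.0.113.77", "2009-12-09T14:02:00", "IRS tax refund notice"),
    ("trap-a1@honeypot.example", "203.0.113.78", "2009-12-09T15:30:00", "Canadian Pharmacy"),
    ("trap-b7@honeypot.example", "203.0.113.9",  "2009-12-10T01:15:00", "Canadian Pharmacy"),
    ("trap-c3@honeypot.example", "203.0.113.42", "2009-11-02T08:00:00", "Your account has been limited"),
    ("nobody@honeypot.example",  "203.0.113.1",  "2009-12-01T00:00:00", "hello"),  # never handed out
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def build_harvest_index(harvests):
    """Map spamtrap address -> (harvester IP, harvest time). One trap, one visitor."""
    return {addr: (ip, parse_ts(ts)) for addr, ip, ts in harvests}


def attribute_spam(harvests, spam):
    """Link each spam message hitting a known trap to the harvester that scraped
    the address, with the harvest-to-spam delay in days."""
    index = build_harvest_index(harvests)
    records = []
    for addr, sender_ip, received, subject in spam:
        if addr not in index:
            continue
        harvester_ip, harvested_at = index[addr]
        delay_days = (parse_ts(received) - harvested_at).total_seconds() / 86400
        records.append({
            "trap": addr,
            "harvester_ip": harvester_ip,
            "sender_ip": sender_ip,
            "delay_days": delay_days,
            "subject": subject,
        })
    return records


def unattributed(harvests, spam):
    """Messages to addresses no harvester was ever given (guessed or leaked)."""
    known = set(build_harvest_index(harvests))
    return [m for m in spam if m[0] not in known]


def harvester_summary(records):
    """Per harvester IP: attributed message count, median latency, distinct sending bots."""
    delays, senders = defaultdict(list), defaultdict(set)
    for r in records:
        delays[r["harvester_ip"]].append(r["delay_days"])
        senders[r["harvester_ip"]].add(r["sender_ip"])
    return {
        ip: {
            "messages": len(delays[ip]),
            "median_delay_days": median(delays[ip]),
            "senders": sorted(senders[ip]),
        }
        for ip in delays
    }


if __name__ == "__main__":
    recs = attribute_spam(HARVESTS, SPAM)
    for ip, stats in harvester_summary(recs).items():
        print(f"harvester {ip}: {stats['messages']} msgs, "
              f"median delay {stats['median_delay_days']:.1f} days, bots {stats['senders']}")
    for m in unattributed(HARVESTS, SPAM):
        print("unattributed:", m)
```

The sending IPs are kept separately from the harvester IP on purpose: the harvester is the crawler that built the list, while the senders are the bots the list was sold to, and the two populations rarely overlap.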
- On December 10th, news outlets report that one Pavel Valkovitch has pleaded guilty to solicitation to commit murder for trying to have an informant killed. Valkovitch was arrested in 2008 on bank fraud charges, essentially for stealing people's money via a variety of PayPal accounts. He will be sentenced in Feb. 2010. [See also the Wired Threat Level story.]
- On or around December 11th, a notice is sent from the China Internet Network Information Center (CNNIC), China's regulator of domain name registrations, informing registrars that they must not allow domains to be registered using fake contact information, and must take steps to purge their systems of any offending domain names. This should seem obvious to any legitimate person registering any domain name, but this sets a very strong precedent for Chinese registrars who for many years have been abused by spammers and their cohorts who register thousands of domains using arguably fake contact info. Gar Warner's blog also has some very in-depth analysis, calling out two very common offenders: Xin Net and Namerich.cn. This should prove to be a very big hit to the profits of spammers from any major criminal affiliate group, notably Bulker.biz and Spamit.
- In a surprising but very much welcome development, on Dec. 11th, domain registrar GoDaddy changes their terms of service to specifically disallow domain registration for any site which sells pharmaceutical products without a prescription. This leads to many angry postings from individuals who operate such websites within the US, apparently unaware that this has actually always been of questionable legality in the first place. In 2008, GoDaddy also changed their terms of service to disallow similar registrations related to the sale of anabolic steroids, causing similar angry responses.
- On Dec. 17th, in an intriguing report, Symantec reports that 2010 could be the year we see our first autonomous, intelligent botnet [pdf], claiming that the earlier shutdowns of badware hosting companies McColo and Real Host did little to stave off this progression.
As we move into 2010, it is expected that botnets will become more autonomous or artificially intelligent, perhaps even exhibiting the characteristics of swarm intelligence, where each compromised computer will have built-in self-sufficient coding in order to coordinate and extend its own survival. This will mean the botnet controllers will have more time to focus on driving the bots' use in spamming and other criminal activities, rather than dedicate resources to extending the lifecycle of the botnet.
In general this makes for interesting reading, and makes clear that despite a year full of successes, there are still some major threats to take care of in 2010.
- On Dec. 22nd, Lance Atkinson is fined $210,000.00 AUS ($184,239.93 USD) and ordered to refrain from any spam-related activity for seven years:
...Justice Andrew Greenwood agreed with the proposed penalty, adding a seven year injunction from sending spam and ordering Atkinson not to knowingly associate with any person involved in sending spam.
In his judgment, Justice Greenwood labelled the spam as "annoying and irritating".
He forgot to add "potentially lethal", since many dangerous particles were found in sample orders shipped from the manufacturers of these pills in India. By any measure this fine is far from a deterrent. Atkinson and his cohorts probably made that much inside of half a day. Also see this TimesOnline article.
- On Dec. 29th, in what appears to be a rather sudden move, Brian Krebs leaves the Washington Post to begin his own security blog, krebsonsecurity.com. For the past three years Krebs has been instrumental in exposing bad actors involved in cybercriminal activity, and assisting ISPs and law enforcement in tracking down and prosecuting them.
2009 would appear to have been an incredibly bad year to be in the scamming business, even if in previous years these criminals "got away" with their crimes originally. As you may have noticed over the past year, this blog has become less concerned specifically with spamming and more concerned with what spamming is a part of: organized criminal activity which puts the public at risk, no matter which country the perpetrators live in.
Legal action may be slow, but when it all comes together, we end up with a year much like 2009. This is extremely good news. Here's hoping 2010 shows even more progress, especially against the largely Chinese, Eastern European and Russian operatives behind the flood of illegal spam, promoting criminal organizations and the "products" they continue to try to foist upon us.
Happy Holidays everyone. Stay safe!
SiL / IKS / concerned citizen
I'll use an example I just received.
From: "John Mensah" <email@example.com>
Subject: Genuine Investment Proposal
My name is John Mensah from Ghana. I represent a group of a Government Certified Local Gold Dust Miner in Ghana. We have just concluded gold dust deals with foreign gold trading companies in Ghana and realised some funds out of the deals. The funds are now kept in security companies in Ghana and Cote D'Ivoire respectively. We would want to invest the funds outside Africa and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.
Now let's switch the identity:
From: "Santa Claus" <firstname.lastname@example.org>
Subject: Genuine Investment Proposal
My name is Santa Claus from The North Pole. I represent a group of a Gift-Making Elves in The North Pole. We have just concluded manufacturing of toys in The North Pole and are ready to begin distribution. The toys are now kept in safe places in The North Pole and my sleigh respectively. We would want to distribute the toys outside The North Pole and if you are interested to assist us in this venture, please respond immediately so that we will discuss details on how to handle the transaction.
Even if you don't celebrate Christmas, you know that Santa Claus doesn't "need assistance" in providing toys that he freely distributes to children around the world. He just does it. So why would you need to send him anything? (Well: aside from a Christmas list I mean...)
More importantly, assuming you responded to this criminal, he'd immediately come up with some story that you somehow needed to send him a "fee" to begin with your "assistance."
The same is true of our "John Mensah", and unfortunately just like Santa Claus, he doesn't exist.
This holiday season, remind your loved ones not to participate in Nigerian scams. Many, many people still fall for these. An analogy like this one might make it much clearer how to spot these scams.
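The identity swap above works because the pitch is a template: change every name and place and the sentences still line up. That same observation can be turned into a crude check, which is what the added script below does with the two messages quoted above. It is illustrative code written for this page, not a product or anything from the original post: it masks capitalised words that are not sentence-initial (the names, places and "organisations"), then compares what is left and pulls out the longest run of words the two messages share. The "<NAME>" placeholder and the scoring choices are this example's own.

```python
"""Spot a reused advance-fee template by masking the identities.

Constructed example using the two messages quoted above. Proper nouns are
replaced with a placeholder so that "John Mensah from Ghana" and "Santa Claus
from The North Pole" fall on the same skeleton; the longest shared run of
words is then the boilerplate the scammer never changes.
"""
import re
from difflib import SequenceMatcher

# Both texts are the messages quoted on the page, reproduced verbatim.
MENSAH = (
    "My name is John Mensah from Ghana. I represent a group of a Government Certified "
    "Local Gold Dust Miner in Ghana. We have just concluded gold dust deals with foreign "
    "gold trading companies in Ghana and realised some funds out of the deals. The funds "
    "are now kept in security companies in Ghana and Cote D'Ivoire respectively. We would "
    "want to invest the funds outside Africa and if you are interested to assist us in "
    "this venture, please respond immediately so that we will discuss details on how to "
    "handle the transaction."
)
SANTA = (
    "My name is Santa Claus from The North Pole. I represent a group of a Gift-Making "
    "Elves in The North Pole. We have just concluded manufacturing of toys in The North "
    "Pole and are ready to begin distribution. The toys are now kept in safe places in "
    "The North Pole and my sleigh respectively. We would want to distribute the toys "
    "outside The North Pole and if you are interested to assist us in this venture, "
    "please respond immediately so that we will discuss details on how to handle the "
    "transaction."
)

SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")
WORD = re.compile(r"[A-Za-z][A-Za-z'-]*")
NAME = "<NAME>"  # placeholder chosen for this example


def tokens(text, mask_names=False):
    """Lowercase word tokens. With mask_names, a capitalised word that is not the
    first word of its sentence (and is not the pronoun 'I') becomes the NAME
    placeholder, so identities stop distinguishing two copies of one template."""
    out = []
    for sentence in SENTENCE_SPLIT.split(text.strip()):
        for i, word in enumerate(WORD.findall(sentence)):
            if mask_names and i > 0 and word[0].isupper() and word != "I":
                out.append(NAME)
            else:
                out.append(word.lower())
    return out


def jaccard(a, b):
    """Set overlap of two token lists, 0..1."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb)


def longest_shared_phrase(a, b):
    """Longest run of consecutive tokens present in both lists, as one string."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return " ".join(a[m.a:m.a + m.size])


def compare(text_a, text_b):
    """Similarity before and after masking, plus the shared boilerplate run."""
    raw_a, raw_b = tokens(text_a), tokens(text_b)
    masked_a, masked_b = tokens(text_a, True), tokens(text_b, True)
    return {
        "raw_similarity": jaccard(raw_a, raw_b),
        "masked_similarity": jaccard(masked_a, masked_b),
        "shared_phrase": longest_shared_phrase(masked_a, masked_b),
    }


if __name__ == "__main__":
    result = compare(MENSAH, SANTA)
    print(f"raw similarity    {result['raw_similarity']:.2f}")
    print(f"masked similarity {result['masked_similarity']:.2f}")
    print("shared boilerplate:", result["shared_phrase"])
```

Masking always raises the similarity when the two messages differ mainly in their proper nouns, and the shared run here is the whole closing appeal, from "and if you are interested" through "handle the transaction". That closing appeal, not the name of the sender or the country, is the part worth teaching people to recognise.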
SiL / IKS / concerned citizen
[Edited Dec. 17th for stupid spelling error. Apologies to Mr. Claus and wife...]