|From the indictment against Yevgeniy Nikulin|
On October 20, 2016, Radio Free Europe/Radio Liberty announced that they had identified the Russian hacker who was arrested in Prague. They were the first to announce the identity of Yevgeniy Nikulin, providing a link to his arrest video:
VPN Hacking?
Two points in the Indictment's "Background" section. One says "LinkedIn employees were assigned individual credentials by which they could remotely access the LinkedIn Corporate network. An individual with the initials N.B. worked for LinkedIn at its Mountain View, California headquarters."
... and a couple of paragraphs later ...
"Formspring employees were assigned individual credentials by which they could remotely access the Formspring corporate network. An individual with the initials J.S. worked for Formspring in its San Francisco, California, headquarters."
The hack of LinkedIn, according to the Indictment, occurred on March 3-4, 2012, during which Yevgeniy "did knowingly possess and use, without lawful authority, a means of identification of another person, that is, the user name and password assigned to LinkedIn employee N.B., during and in relation to violations of Title 18, USC, Section 1030."
Dropbox was hacked between May 14, 2012 and July 25, 2012, although no mention is made of the technique. (Motherboard indicates that more than 68 million passwords were stolen in this breach.)
The hack of Formspring was between June 13, 2012 and June 29, 2012, during which the defendant "did knowingly possess and use, without lawful authority, a means of identification of another person, that is, the user name and password assigned to Formspring employee J.S., during and in relation to violations of Title 18, USC, Section 1030."
BitCoin Theft by ChinaBig01
After the indictment was released, as several other users have done (such as @TalBeerySec of Microsoft Research), we found the allegations that Yevgeniy was involved in other types of crimes, including breaking into the MySQL database of a BitCoin "Hedge Fund".
The operator of that site sent this claim to the users:
"I wanted to share a very bad news with you. Yesterday, in the middle of the night, someone hacked in to Bitmarket database and managed to modify his account. Then, he withdrew ~610 BTC from the site. He left about 100 BTC in the wallets.
Right now I'm investigating what happened. It seems that he managed to somehow find my administration console for the database, which wasn't under any guessable name. This console was password protected (a very long, random password) but he still managed to overcome this somehow. I'm still investigating how this could happen. Right now I've removed this console entirely to prevent any further damage, but I'm devastated. I wrote a message to the email he registered with (email@example.com) literally begging him to return the stolen BTC. If he has any conscience, maybe he'll give it back. But at the moment we are 600 BTC short, and if this sees the light of day (ie. people want to withdraw more than 92 BTC that's currently in the wallets), we're totally screwed.
I know it's much to ask, but do you have any Bitcoins available right now to fill this gap temporarily? There is a small chance that the thief will give this back, but until then I really don't know what to do now. I didn't have the luxury to screw up again, and when things started to go on the right track, this happens. All this makes me wanting to kill myself. My hands are shaking right now. I won't do this, because I have people to repay. I hope this turns out good. Sorry, I don't have any other idea right now, I just wanted to be 100% honest with you and inform you on this as soon as I saw what happened."
The author claims that 620 BTC were stolen. He later offers this link to the alleged purse, controlled by "ChinaBig01@gmail.com" according to him. You can see the 620 BTC as 1, then 9, then 55.456, then 554.54 being deposited and then removed from this bitcoin address:
Monday, October 24, 2016
Monday, October 10, 2016
While the blog has seen ups and downs in the regularity of the posts, even being named "Most Popular Security Blog" by SC Magazine back in 2010, overall we've averaged one post per week and have been visited by nearly 3 million readers.
As I tried to decide how to mark the 10th Anniversary of the blog, I thought one way to do it would be to share what have been our most popular stories each year.
One of the strengths of the blog has always been to document "big campaigns" that are attacking people and try to help them understand the nature of the scam so that they could avoid being a victim themselves. The three most popular stories on the blog have all been of that nature:
1. "More ACH Spam from NACHA" (March 11, 2011) and "ACH Transaction Rejected payments lead to Zeus" (Feb 25, 2011) were both of that type. Even years later, spikes in visitors to these stories were an indication that someone was imitating NACHA again. In these spam campaigns, the spammers would claim to be sending email from the "National Automated Clearing House Association", the organization that handles all electronic payments between American banks. We later came to call these types of campaigns "Soft-Targeting" as most Americans have never heard of NACHA, but those who are involved in regularly moving money most certainly would have -- making them also the most likely to fall victim to such a spam message. The first entry in this series, "Newest Zeus = NACHA: The Electronic Payments Association" (November 12, 2009), was also very popular.
2. Coming much later, November 7, 2014, was "Warrant for your Arrest phone scams." It was great to see the heavy traffic to that blog post and receive the emails letting me know that someone had just "proven" to them that they were about to be scammed by sending them a link to the article!
3. During 2014 one of the largest spamming botnets was the ASProx botnet. This malware blasted out high volume spam campaigns that used a variety of social engineering ploys to make their campaigns convincing, leading to huge victimization rates. The most popular, based on hits to the blog, was the E-Z Pass Spam. "E-Z Pass Spam Leads to Location Aware Malware" (July 8, 2014) had tens of thousands of visitors. A close second, also ASProx, was "Urgent Court Notice from GreenWinick Lawyers delivers malware." ASProx had been dominant from the holiday season in 2013, when "package delivery failure" messages really hit a profound number of victims. (See for example "Holiday Delivery Failures Deliver Kuluoz Malware" (December 26, 2013).)
Rather than go through the top campaigns in order, I thought it might be more interesting to see the most popular posts for each of our ten years as a blog.
|Top Cybercrime & Doing Time Blog Posts of 2016|
|Vovnenko / Fly / MUXACC1 pleads guilty||24JAN2016|
|Kelihos botnet delivering Dutch WildFire Ransomware||09JUL2016|
|Is the Bank of Bangladesh ready for the Global Economy?||23APR2016|
|Unlimited ATM Mastermind Ercan Findikoglu pleads guilty||06MAR2016|
In 2016, two of our four top stories were about arrests of top cybercriminals, which is a trend that I love to say is growing and rising as we see a higher level of cooperation internationally, and a growing ability among our Law Enforcement partners. One of the highest volume spam botnets, Kelihos, is regularly in our blogs and is quite popular with the readers, indicating how often they also see the spam. The Bank of Bangladesh SWIFT theft was also a high interest story!
|Top Cybercrime & Doing Time Blog Posts of 2015|
|Tech Support "pop-ups"||30MAR2015|
|Hillary's Email Server and the New York City malware||03OCT2015|
|Passwords, Password Cracking, and Pass Phrases||29OCT2015|
|Darkode guilty pleas: Phastman, Loki, & Strife||24AUG2015|
In 2015, the Darkode forum was a top story for us. Readers responded well to the Tech Support "pop-up" scams, indicating that they were also seeing it quite a bit! Hillary's email server gave us a chance to show the value of a long-term spam repository. And the story on password cracking seems to be regularly accessed from people teaching others about strong passwords.
|Top Cybercrime & Doing Time Blog Posts of 2014|
|Warrant for Your Arrest phone scams||07NOV2014|
|E-ZPass Spam leads to Location Aware Malware||08JUL2014|
|Urgent Court Notice from GreenWinick Lawyers delivers malware||13JUL2014|
|GameOver Zeus now uses Encryption to bypass Perimeter Security||02FEB2014|
The phone scams claiming that a warrant has been issued for your arrest have been popular on a daily basis for most of the two years since this story was first released. EZ Pass and Urgent Court Notice spoke to the popularity of the ASProx botnet. Gameover Zeus was also quite interesting as it changed the way spam-delivered malware defeated perimeter security.
|Top Cybercrime & Doing Time Blog Posts of 2013|
|Holiday Delivery Failures lead to Kuluoz malware||26DEC2013|
|Vietnamese Carders arrested in MattFeuter.ru case||05JUN2013|
|When Parked Domains Still Infect - Internet.bs and ZeroPark||10AUG2013|
|New Spam Attack accounts for 62% of our spam!||10APR2013|
Kuluoz, later called ASProx, had its first big Christmas in 2013. One of the first arrests of Vietnamese hackers spoke to international cooperation.
|Top Cybercrime & Doing Time Blog Posts of 2012|
|Operation Open Market: The Vendors||25MAR2012|
|Paypal "You Just Sent a Payment" spam leads to malware||01MAY2012|
|DNS Changer: Countdown clock reset, but still ticking||28MAR2012|
|Operation Open Market: Jonathan Vergnetti||17MAR2012|
In 2012, the DNS Changer malware was on everyone's minds (we later blogged about the successful prosecution of the leaders of that campaign, all now in prison in New York.) Operation Open Market was the big Forum take-down that year.
|Top Cybercrime & Doing Time Blog Posts of 2011|
|More ACH Spam from NACHA||11MAR2011|
|ACH Transaction Rejected payments lead to Zeus||25FEB2011|
|Federal Reserve Spam||14MAR2011|
|The Epsilon Phishing Model||08APR2011|
I've already mentioned the ACH/NACHA spam campaigns that delivered Zeus. The Epsilon Phishing model focused on hacking email delivery services and using validated accounts to deliver phishing and malware. (This is the group that Neil Schwartzman of CAUCE labeled "The Adobers" for the many times their malware claimed to be Adobe software.)
|Top Cybercrime & Doing Time Blog Posts of 2010|
|New York FBI: 17 Wanted Zeus Criminals||30SEP2010|
|PakBugs Hackers arrested||12JUL2010|
|Lin Mun Poo: Hacker of the Federal Reserve and ...?||20NOV2010|
|Iranian Cyber Army returns - target: Baidu.com||12JAN2010|
The Iranian Cyber Army and a variety of international cyber criminals captured the headlines in 2010.
|Top Cybercrime & Doing Time Blog Posts of 2009|
|Newest Zeus = NACHA: The Electronic Payments Association||12NOV2009|
|The FBI's Biggest Domestic Phishing Bust Ever||08OCT2009|
|Who is the "Iranian Cyber Army"? Twitter DNS Redirect||18DEC2009|
|Traveler Scams: Email Phishers Newest Scam||09FEB2009|
Our 2009 "Traveler Scams" post was for years the most successful post on the blog, as many people shared the post with their friends to warn about the scam. NACHA was just becoming the leading scam-victim related to Zeus, and the FBI celebrated a huge phishing victory!
|Top Cybercrime & Doing Time Blog Posts of 2008|
|The UAB Spam Data Mine: Looking at Malware Sites||09AUG2008|
|Anti-Virus Products Still Fail on Fresh Viruses||12AUG2008|
|ICE: Operation Predator - Solving Intertwined Child Porn cases||05NOV2008|
|Bank of America Demo Account - DO NOT CLICK||26NOV2008|
In 2008, we were just getting seriously up to ability with the UAB Spam Data Mine, and found many interesting malware campaigns using these techniques, which eventually led to the creation of Malcovery Security, later acquired by PhishMe.
|Top Cybercrime & Doing Time Blog Posts of 2007|
|Is Your Fifth Grader Smarter Than a Laughing Cat?||15OCT2007|
|Google Referrer Only malware sites||13DEC2007|
|AffPower Indictments Scare Affiliates!||06AUG2007|
|TJX: From Florida to the Ukraine?||04SEP2007|
In 2007, the Storm Worm was one of the top spreaders of malware. The Laughing Cat story pointed out that if you share your computer with younger family members, they may very well click on lures that any educated adult would reject. The AffPower case remains one of my favorite law enforcement actions against online pharmaceutical affiliate programs. The TJX story tracked some of the carders involved in the TJX data breach.
|Top Cybercrime & Doing Time Blog Posts of 2006|
|Pump & Dump: SEC gives us a peek!||21DEC2006|
|Counterfeit Checks? Who cares!||12OCT2006|
|Birmingham InfraGard - October 2006||10OCT2006|
|FAL$E HOPE$ @ CHRI$TMA$||22DEC2006|
In 2006, our inaugural year, we didn't have a lot of stories, honestly. Pump & Dump spam was interesting that year, and we blogged about some of the holiday scams we were seeing.
Unfortunately, several of the graphics in the older stories are unavailable due to changes in hosting. Hopefully we'll get those recovered eventually. Sorry for any loss of enjoyment that may cause while strolling down Cybercrime Memory Lane with me!
Looking forward to another Ten Years informing the public about Cybercrime & Doing Time!
Thanks to all of my friends and students who encouraged this blog along the way, and helped through their dedication to fighting Cybercrime and sharing in the analysis we did together. While there have been tons of great contributors in the lab, with regards to things that ended up in the blog I'd like to especially thank: Heather McCalley, Matthew Grant, Chun Wei, Brad Wardman, Brian Tanner, Tommy Stallings, Sarah Turner, Josh Larkins, Jui Sonwalker, JohnHenri Ewerth, Brendan Griffin, and Kyle Jones.
Sunday, October 09, 2016
Charges Against Backpage
The Dallas AG's press conference regarding the arrest is here:
Backpage and Law Enforcement
Backpage and Freedom of Speech
Federal Responses to BackPage CEO Arrest
One of the champions against Human Trafficking on Capitol Hill is Congresswoman Ann Wagner from the 2nd District of Missouri. She is the sponsor of the Stop Advertising Victims of Exploitation Act (SAVE Act). In many ways you could say the SAVE Act was written in response to Backpage.com.
Senator Portman is also leading the charge from the Senate side. In November 2015 he held hearings about Backpage and subpoenaed CEO Carl Ferrer to appear before the committee. When Ferrer refused, contempt charges were filed against him (with a 96-0 vote in the Senate to sustain the charges). In his Senate Report about BackPage.com, he points out that in 2013, 80% of all revenue from advertising escort services in the United States was believed to have been generated by Backpage.com, and that according to the National Center for Missing and Exploited Children (NCMEC), 71% of the alerts they receive from members of the public about possible sex trafficking of underage persons have a Backpage.com nexus. The report also points out that American Express, Visa, and MasterCard refuse to allow their cards to do business with Backpage.com, due to their illegal or "brand damaging" activities. Although Backpage claims that 120 of its 180 employees do nothing but edit and filter ads on the site, NCMEC has documented 400 cases in 47 states of children being trafficked via Backpage.com.
|(196 report from Portman/McCaskill)|
Statements issued after the Arrest of Backpage.com's CEO:
- Wagner Responds to Arrest of Backpage.com CEO for Sex Trafficking
- Portman, McCaskill Statement on Arrest of Backpage.com CEO Carl Ferrer
- Statement by Senator John McCain on Arrest of Backpage.com CEO Carl Ferrer
One Example Sex Trafficking Case
In this case, announced 05OCT2016, a group smuggled sex workers in from Thailand to the United States and kept each woman confined in a house of prostitution until they were able to pay off their "bondage debt" of between $40,000 and $60,000. Hundreds of women were held in this way. Each "house manager" would choose the best way to advertise the women, but many chose the websites backpage.com and eros.com.