Channel: CyberCrime & Doing Time

Fake IRS emails continue to spread Gov-related Zeus

We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical of this campaign, which we first started tracking on July 13th, detection of each morning's new malware version has been fairly horrible. We last updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us the spam for this campaign so far today; 118 of them are in the USA and 40 in India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

receiving_date | machine | path
----------------+------------------------------+-------------------------------
2011-07-13 | usbanking-security.com | /tax_report.pdf.exe
2011-07-15 | federalsecusrity.com | /pending-taxes.pdf.exe
2011-07-19 | irs-report-link.com | /tax-report.pdf.exe
2011-07-19 | irs-taxes-report.com | /tax-report.pdf.exe
2011-07-19 | taxreport-irs.com | /tax-report.pdf.exe
2011-07-20 | alerts-federalresrve.com | /rejected_wire.pdf.exe
2011-07-20 | nacha-alert.com | /rejected_transaction.pdf.exe
2011-07-20 | nacha-alert.org | /rejected_transfer.pdf.exe
2011-07-20 | reports-federalreserve.com | /rejected_wire.pdf.exe
2011-07-21 | national-security-agency.com | /blocked_list.exe
2011-07-21 | national-security-agency.com | /token_security_update.exe
2011-07-21 | nsa-security.net | /blocked-list.exe
2011-07-21 | nsa-security.net | /token_security_update.exe
2011-07-22 | irs-downloads.com | /00000700955160US.exe
2011-07-22 | irs-files.com | /00000700955170US.exe
2011-07-26 | irs-alert.com | /00000700955770US.exe
2011-07-27 | nacha-transactions.org | /304694305894903.pdf.exe
2011-07-27 | taxes-refund.com | /00000700975770US.exe
2011-07-27 | www.nacha-rejected.com | /304694305894903.pdf.exe
2011-07-28 | fdic-updates.com | /system_update_07_28.exe
2011-07-29 | federalreserve-alert.com | /transaction_report.pdf.exe
2011-07-29 | taxes-security.com | /00000700955060US.pdf.exe
2011-08-03 | irs-report.com | /00000770950077US.exe
2011-08-05 | tax-irs-report.com | /0000770950077US.pdf.exe
(24 rows)

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed it sets a registry key in "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" to relaunch itself from my current user account, where it had copied itself as "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe".

It makes connections to domains generated with a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

From there it did a GET for /news/?s=158404.

It tried many other domains, but none of the others were live. Some of them include:

jruioljslsitjpfv.biz
wlnzkqmohuhzqyra.info
tjjhmtjlziebo.net
jpkpbxkoxwijzijr.info

As we have seen before, the malware ALSO fetches a copy of "heap_v206_mails.exe" after it successfully installs itself.

The spam started at 4:45 AM (Central time), peaked at 5:15, and then began to trickle off. (We group in 15 minute windows.)

count | 15 minute spam block
-------+---------------------
3 | 2011-08-05 04:45:00
3 | 2011-08-05 05:00:00
406 | 2011-08-05 05:15:00
86 | 2011-08-05 05:30:00
(4 rows)
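Two of the analyses in this post, the pivot from today's sending machines to the URLs those same machines advertised on earlier days, and the count of messages per 15-minute window, are easy to reproduce on any mail-log extract. The Python below is an added example and not the UAB Spam Data Mine's own code: the records it works on are constructed (documentation-range IPs stand in for the sending machines), and only the lure hostnames and paths are taken from the post's table.

```python
from collections import Counter
from datetime import datetime

# Constructed records: (receiving time, sending machine, advertised host, path).
# The hosts/paths echo the post's table; the IPs are documentation-range stand-ins.
RECORDS = [
    ("2011-07-13 04:50:00", "198.51.100.7", "usbanking-security.com", "/tax_report.pdf.exe"),
    ("2011-07-29 05:10:00", "198.51.100.7", "taxes-security.com", "/00000700955060US.pdf.exe"),
    ("2011-08-05 04:47:12", "198.51.100.7", "tax-irs-report.com", "/0000770950077US.pdf.exe"),
    ("2011-08-05 05:16:30", "198.51.100.7", "tax-irs-report.com", "/0000770950077US.pdf.exe"),
    ("2011-08-05 05:20:01", "203.0.113.22", "tax-irs-report.com", "/0000770950077US.pdf.exe"),
    ("2011-08-05 05:31:45", "203.0.113.22", "tax-irs-report.com", "/0000770950077US.pdf.exe"),
    # A machine that never sent today's campaign; it must not show up in the pivot.
    ("2011-08-01 09:00:00", "192.0.2.99", "unrelated-lure.example", "/other.exe"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def bucket_15min(records, day):
    """Messages per 15-minute window on `day` (the post's '15 minute spam block')."""
    counts = Counter()
    for received, *_ in records:
        t = _ts(received)
        if t.strftime("%Y-%m-%d") != day:
            continue
        window = t.replace(minute=t.minute // 15 * 15, second=0)
        counts[window.strftime("%Y-%m-%d %H:%M:%S")] += 1
    return dict(sorted(counts.items()))


def senders_on(records, day):
    """Distinct sending machines seen on `day`."""
    return {ip for received, ip, *_ in records if received.startswith(day)}


def pivot_history(records, day):
    """Every distinct (date, host, path) that today's senders advertised on any day.
    This is the 'what else did these machines send us' query from the post."""
    todays = senders_on(records, day)
    return sorted({(received[:10], host, path)
                   for received, ip, host, path in records if ip in todays})


if __name__ == "__main__":
    for window, n in bucket_15min(RECORDS, "2011-08-05").items():
        print(f"{n:>5} | {window}")
    for row in pivot_history(RECORDS, "2011-08-05"):
        print(" | ".join(row))
```

The pivot deliberately keys on the sending machine rather than the lure domain: the domains change daily, but a machine that sent today's lure and also sent a July lure ties the two campaigns together.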

This morning's malware is largely undetected:

A VirusTotal Report shows 6 of 43 AV products know that this is a virus.

I have to praise Microsoft for being the only one of the six to correctly call this Zeus (Zbot).

Email subjects we've seen on this morning's campaign:

count | subject
-------+-------------------------------------------------------------------
38 | Change Confirmation
4 | Does your company is registered outstanding tax debt
5 | Does your company is registered tax debt
1 | Does your enterprise including unpaid tax debts
1 | Does your enterprise listed outstanding tax debts
1 | Does your enterprise listed unpaid tax debts
30 | Federal Tax payment rejected
1 | For your company including unpaid tax debts
1 | For your company is registered outstanding tax debts
1 | For your company is registered tax debts
1 | For your company is registered unpaid tax debt
1 | For your company listed tax debts
2 | For your enterprise listed tax debt
70 | Internal Revenue Service
24 | Internal Revenue Service (IRS)
19 | Internal Revenue Service United States Department of the Treasury
32 | IRS.gov
31 | IRS.gov US
19 | Notice of Underreported Income
35 | Payment IRS.gov
50 | Support IRS.gov
40 | Treasury Inspector General for Tax Administration
42 | U.S. Department of the Treasury
1 | Your company including outstanding tax debts
1 | Your company including tax debts
1 | Your company listed outstanding tax debt
2 | Your company listed tax debts
1 | Your enterprise including outstanding tax debts
2 | Your enterprise is registered unpaid tax debts
1 | Your enterprise listed outstanding tax debt
1 | Your enterprise listed unpaid tax debt
39 | Your IRS payment rejected
(32 rows)


A mix and match of sender name, sender-username, and sender-domain creates the from addresses:

count | sender_name
-------+---------------------------------------------------------------------
19 | "Internal Revenue Service"
18 | "Internal Revenue Service (IRS)"
27 | "Internal Revenue Service (IRS.gov)"
29 | "Internal Revenue Service United States Department of the Treasury"
23 | "Internal Revenue Service US Department of the Treasury"
29 | "IRS.gov"
18 | "IRS.gov United States Department of the Treasury"
30 | "IRS.gov US"
22 | "IRS.gov US Department of the Treasury"
21 | "IRS United States Department of the Treasury"
41 | "Payment IRS.gov"
37 | "Support IRS.gov"
23 | "The Consumer Financial Protection"
37 | "Treasury Inspector General for Tax Administration"
30 | "United States Department of the Treasury"
19 | "U.S. Department of the Treasury"
23 | "US_IRS"
17 | "USIRS"
35 | "US IRS.gov"


count | sender_username
-------+--------------------------
12 | admin
8 | adminnistration
9 | alerts
16 | cunsumer
29 | delivery
15 | e-file
10 | finance
33 | frboard-webannouncements
36 | govdelivery
26 | info
17 | information
14 | inspector
8 | internal_revenue_service
30 | Internal_Revenue_Service
18 | irs
6 | news
14 | news-alerts
8 | no-reply
28 | privacy_policy
22 | protection
5 | public
5 | report
9 | service
17 | stats
22 | subscriber
12 | subscriptions
13 | support
13 | usirc
14 | USIRS
13 | usttb
16 | webannouncements
(31 rows)

count | sender_domain
-------+-------------------
93 | antifraud.irs.gov
73 | info.irs.gov
78 | irs.gov
91 | irs.security.gov
73 | irs.taxes.gov
90 | service.irs.gov
(6 rows)

Inter-company Invoice spam leads to Malware

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

count | mbox
-------+---------------------
1 | 2011-08-10 05:45:00
6 | 2011-08-10 06:00:00
3 | 2011-08-10 06:15:00
85 | 2011-08-10 06:30:00
1 | 2011-08-10 06:45:00
3 | 2011-08-10 07:00:00
1 | 2011-08-10 07:15:00
301 | 2011-08-10 07:30:00
252 | 2011-08-10 07:45:00
260 | 2011-08-10 08:00:00
247 | 2011-08-10 08:15:00
229 | 2011-08-10 08:30:00
(12 rows)


The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:

Aleris International Corp.
AMR Corporation Corp.
Anic Corp.
Arch Coal Corp.
ATFT Corp
Beazer Homes USA Corp.
Boyd Gaming Corp.
Brookdale Senior Living Corp.
Hyland Software Corp.
KPMG Corp.
Kraft Foods Corp.
Miltek Corp.
Novellus Systems Corp.
OSN Corp.
PDC Corp.
Safeco Corporation Corp.
WLC Corp.

The subject can be one of:

Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company invoice from (company)
Re: Fw: Intercompany invoice from (company)
Re: Fw: Corp. invoice from (company)

A couple of example emails follow:



Hi
Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot for support setting up this process.

CHERYL Flowers
Kraft Foods Corp.



Hi

Attached the inter-company inv. for the period January 2010 til December 2010.
Thanks a lot

Asher GIFFORD
Anic Corp.



Good day


Attached the intercompany invoice for the period January 2010 til December 2010.

Thanks a lot for supporting this process
MAYOLA LEARY
Aleris International Corp.




The attachment may be named "Intinvoice" or "Invoice", followed by an underscore, a date, another underscore, an "invoice number", and ".zip", such as:

Intinvoice_08.6.2011_2222341965.zip
or
Intinvoice_08.4.2011_Q167829.zip
or
Invoice_08.6.2011_T40099.zip
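The naming conventions described here and in the earlier Zeus post (a document-looking name that really ends in .exe, and the Intinvoice/Invoice_date_number.zip scheme) are simple to turn into mail-gateway checks. This Python is an added example, not code from the post: the regular expressions, function names and the in-memory sample zip are mine, and the attachment names it is tested against are the ones quoted above.

```python
import io
import re
import zipfile

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

# A document extension immediately followed by an executable one, e.g. "report.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(exe|scr|pif|com|bat)$", re.I)

# "Intinvoice" or "Invoice", underscore, a M.D.YYYY date, underscore, an invoice
# number that may carry a single letter prefix, then ".zip" (the scheme in the post).
INVOICE_ZIP = re.compile(r"^(Intinvoice|Invoice)_\d{1,2}\.\d{1,2}\.\d{4}_[A-Za-z]?\d+\.zip$", re.I)


def classify_name(name):
    """Return the list of reasons an attachment name looks like this campaign."""
    reasons = []
    if DOUBLE_EXT.search(name):
        reasons.append("double extension hiding an executable")
    elif name.lower().endswith(EXEC_EXTS):
        reasons.append("bare executable attachment")
    if INVOICE_ZIP.match(name):
        reasons.append("inter-company invoice zip naming scheme")
    return reasons


def suspicious_zip_members(zip_bytes):
    """Names inside a zip attachment that are executables, however disguised."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if DOUBLE_EXT.search(n) or n.lower().endswith(EXEC_EXTS)]


def make_sample_zip():
    """Constructed stand-in for the spammed attachment: a zip holding a fake-PDF .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Intinvoice_08.6.2011_2222341965.pdf.exe", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless member")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ["Intinvoice_08.6.2011_2222341965.zip", "Invoice_08.6.2011_T40099.zip",
              "0000770950077US.pdf.exe", "quarterly_report.pdf"]:
        print(n, "->", classify_name(n) or "clean")
    print(suspicious_zip_members(make_sample_zip()))
```

Checking the zip's member names, not just the attachment name, matters because the outer ".zip" looks harmless on its own; the executable only appears once the archive is listed.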


We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.

So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.

So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!

When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.

We also talked to "ss-partners.ru" on 77.120.114.100
and to "ledinit.ru" on 78.111.51.121

The connection to armaturan.ru did:

GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}

which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?

From ss-partners.ru we fetched a file:

GET /dump/light.exe

which dropped an approximately 70k file onto our local machine.

Then we went back to armaturan.ru and sent another get:

GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485

Any bets on whether that ahash is the MD5 of the file I just downloaded?

Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.

At this point I checked my registry and found that I had a new Run command for the next time I restart. I'm supposed to run:

C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE

Odd, I don't recall having a file named that?

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 detections for this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.

Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.

You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.

78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.

fileuplarc.com
hunterdriveez.com
asdfasdgqghgsw.cx.cc

I'll email the owner and get those taken down right away! (smirk)

-----------

person: Vugar Kouliyev
address: 44, J.Jabbarli str., Baku, Azerbaijan
mnt-by: MNT-SOL
e-mail: vugar@kouliyev.com
phone: +994124971234
nic-hdl: VK1161-RIPE
source: RIPE # Filtered

route: 78.111.48.0/20
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

route: 78.111.51.0/24
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

----------------

Armaturan.ru on 94.199.48.152 also has a sordid history.

That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru

I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.

person: Zemancsik Zsolt
address: Victor Hugo u. 18-22.
address: 1132 Budapest
address: Hungary
phone: +36 203609059
e-mail: darwick@cyberground.hu
nic-hdl: DARW-RIPE
mnt-by: DARW-MNT
source: RIPE # Filtered

route: 94.199.48.0/21
descr: Originated from 23VNet Network
origin: AS30836
mnt-by: NET23-MNT
source: RIPE # Filtered

========
ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC

person: Volia DC Admin contact
address: Ukraine, Kiev, Kikvidze st. 1/2
phone: +38 044 2852716
abuse-mailbox: abuse@dc.volia.com
nic-hdl: VDCA-RIPE
mnt-by: VOLIA-DC-MNT
source: RIPE # Filtered

route: 77.120.96.0/19
descr: Volia more specific route
origin: AS25229
mnt-by: VOLIA-MNT
mnt-lower: VOLIA-MNT
source: RIPE # Filtered


New York City "Uniform Traffic Ticket" tops spammed malware

Email attachments that contain malicious code are still being used to infect computers and steal the data found on those computers. While it is easy to find people who discount this threat, believing no one would be foolish enough to open one of these email attachments, the criminals are working hard to make their approaches more convincing.

Today we've seen more than 11,000 copies of their newest attempt come into the UAB Spam Data Mine. The email received looks like this:



The email contains several falsified header indicators, including, at the most basic level, that it claims to come from "@nyc.gov". In addition to this, however, a "Received:" header has been added to make it appear to have originated from a legitimate New York City IP address:

Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530

The City of New York is the registrant for every IP address beginning with "167.153.*.*" - in fact 167.153.240.51 is the IP address of the website "nyc.gov" where Mayor Bloomberg's homepage can be found.

The other false information is the date. Both the date in the Received: tag and the date in the "Date:" tag have been falsified to make it seem this email has been in your inbox for several days by the time you see it.

Just from the falsified header, we would predict that this email is going to be in the same family of malware as the "IRS Notification" and "UPS Notification" emails seen earlier this week, which also contained falsified Received: tags.
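Both forgeries described above can be caught mechanically, because a receiving mail server writes its own Received: line at the top of the chain and everything below that line is text the sender supplied. The Python below is an added example, not code from the post: the inner Received: line and the Date: value are the forged ones quoted above, while the outer Received: line (what our own MTA would stamp), the 203.0.113.45 connecting address and the mx.example.net hostname are constructed.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample message. The inner Received: line and the Date: are the forged
# values quoted in the post; the outer Received: line and 203.0.113.45 are made up.
SAMPLE = """\
Received: from nyc.gov (unknown [203.0.113.45]) by mx.example.net with SMTP; Mon, 08 Aug 2011 10:02:11 -0500
Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530
From: "New York City" <tickets@nyc.gov>
Date: Wed, 03 Aug 2011 12:20:46 +0530
Subject: Uniform Traffic Ticket

Your ticket is attached.
"""

# Where genuine mail for a sender domain should connect from. The post says every
# 167.153.*.* address is registered to the City of New York.
KNOWN_ORIGINS = {"nyc.gov": [ipaddress.ip_network("167.153.0.0/16")]}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg):
    """(ip, timestamp) per Received: header, topmost first. Only the topmost hop
    was written by our own MTA; everything below it is sender-supplied text."""
    hops = []
    for line in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(line)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append((ip, when))
    return hops


def analyze(raw, max_skew_days=2):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    connecting_ip, arrival = hops[0]
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    expected = KNOWN_ORIGINS.get(sender_domain, [])

    def in_expected(ip):
        return ip is not None and any(ip in net for net in expected)

    # Date: is sender-controlled; compare it with when the mail really arrived.
    skew = arrival - parsedate_to_datetime(msg["Date"])
    return {
        "connecting_ip": str(connecting_ip),
        # Claims to be nyc.gov but did not connect from New York City address space.
        "origin_mismatch": bool(expected) and not in_expected(connecting_ip),
        # Inner hops asserting a legitimate origin address that we never saw connect.
        "forged_origin_hops": [str(ip) for ip, _ in hops[1:] if in_expected(ip)],
        "date_skew_days": skew.days,
        "stale_date": skew.days > max_skew_days,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The allow-list of origin networks per sender domain is the part a real deployment would maintain; the header logic itself does not change.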

The zip file contains an executable file disguised as a PDF file:



When the malware is launched, it connects to "sfkdhjnsfjg.ru" on 195.189.226.117.

From there it fetches "/ftp/g.php" and "pusk3.exe" -- exactly the same as the IRS Notification spam and the UPS Notification spam.

VirusTotal Report



Another group of spam messages this morning pretends to be a notice that you have received money via Western Union.

The attachment is of course a virus:

VirusTotal Report.

Money Transfer Information
MONEY TRANSFER INFORMATION
Money Transfer Information 00375
Money Transfer Notice
MONEY TRANSFER NOTICE
MONEY TRANSFER NOTICE 06457
Western Union: Money Transfer For You
WESTERN UNION: MONEY TRANSFER FOR YOU
Western Union: Remittance Advice
WESTERN UNION: REMITTANCE ADVICE
Western Union: Transfer Of Money
WESTERN UNION: TRANSFER OF MONEY
Western Union: You Have Money Transfer
WESTERN UNION: YOU HAVE MONEY TRANSFER
Western Union: You have received a money transfer
WESTERN UNION: YOU HAVE RECEIVED A MONEY TRANSFER




Another top spammed malware attachment today arrives in emails with these subjects:

Re: End of July Statement Required
Re: FW: End of July Stat.
Re: FW: End of July Statement
Re: FW: End of July Statement required
Re: FW: End of July Statement Required
Re: FW: End of July Statement REquired
Re: FW: End of July Statement REquired!
Re: FW: End of July Stat. required
Re: FW: End of July Stat. Required

The email body says simply:

Hallo,
As requested i give you open Invoices issued to you as per 5th Aug. 2011
Regards
DEENA BUCKLEY


Here's the VirusTotal report for this one.


ACH spam uses intermediary sites to deliver malware punch

If you have an email address in the United States, either you or your spam filter is certainly familiar with this spam by now:



The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.

The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.

The problem has been getting worse because of two "upgrades" by the spammers.

First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.

The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.

To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loath to block the site.

What happens when we visit that page?

The only contents of the page "am2wdh.html" are calls to two JavaScript files on other websites. In this case:

www.xmjhx.com /czc /js.js
and
vscreative.com /images /js.js
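A page like the one just described has a recognisable shape: nothing for a visitor to read, and one or two script or iframe includes that pull code from hosts other than the one serving the page. The Python below is an added example, not code from the post; the two HTML samples are constructed, with the first one reusing the two script hosts named above, and the function and class names are mine.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML in the shape the post describes: nothing visible, just two
# script includes pulling JavaScript from other websites (the two hosts named above).
SAMPLE_STUB = """<html><head>
<script type="text/javascript" src="http://www.xmjhx.com/czc/js.js"></script>
<script type="text/javascript" src="http://vscreative.com/images/js.js"></script>
</head><body></body></html>"""

# A normal page for comparison: real content, script served from its own host.
SAMPLE_NORMAL = """<html><head><script src="/static/site.js"></script></head>
<body><h1>Conference recordings</h1><p>Order your recordings here.</p></body></html>"""


class _LoaderCollector(HTMLParser):
    """Collects script/iframe sources and counts visible text outside scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.visible_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.visible_chars += len(data.strip())


def classify_page(html, page_host):
    """Flag a page that shows the visitor nothing and exists only to load code
    from hosts other than the one serving it."""
    collector = _LoaderCollector()
    collector.feed(html)
    external = sorted({urlsplit(s).hostname for s in collector.sources
                       if urlsplit(s).hostname and urlsplit(s).hostname != page_host})
    return {
        "external_loader_hosts": external,
        "visible_chars": collector.visible_chars,
        "is_loader_stub": collector.visible_chars == 0 and bool(external),
    }


if __name__ == "__main__":
    print(classify_page(SAMPLE_STUB, "iscsconferencerecording.com"))
    print(classify_page(SAMPLE_NORMAL, "iscsconferencerecording.com"))
```

Run against a site owner's own pages, this picks out the one file an intruder added without needing a signature for the script it loads; the loaded script changes, the empty-page-plus-foreign-include shape does not.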


The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"

A rerun of the same site pointed me instead to a blackhole exploit kit page at:

milloworks.com /main.php? page=890639ab2b6c1ab8

Which caused me to fetch:

milloworks.com /w.php ?f=70&e=4

This caused me to download the file:

www.vncoach.com /editors /nachareport20111910.pdf.exe





Another attempt sent me to:

tgqswpqqh.org.in from which we attempt to load the Blackhole Exploit page from

This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.

After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.

The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.

In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today:

HOSTNAME PATH
================================ ===================================
preseis.com /7x1tyg6.html
server.softhost.org /
silverfruit.com.ec /t2jr.html
newsletter.stable-jo.com /t43z.html
www.Shoubra-prep.com /4x8l.html
marcinjarzabek.cp5.win.pl /16ih2.html
professionalroofing.co.uk /ph4xn5.html
host272.hostmonster.com /~fdflockc/6xh9l1e.html
sethsauction.com /6gh1u7.html
www.corazondejesus.net /4cpjx.html
murciaopina.com /tq3e.html
www.digitalhomna.com /
latinholdings.com.mx /4ghy.html
108cms.com /3n7s.html
way2tutorial.com /g02lwbp.html
nimbuscertifications.com /4qt4.html
ultimateselena.org /0tpno.html
www.efficientorganizationnw.com /rk1pb.html
trinity-work-shop.test-rackspeed.de /
hosting31.serverhs.org /~ecommerc/zu9iah7.html
www.todotaringa.com /0pya.html
stremyfoot.com /q37hdi.html
www.ganarlaprimitiva.com /g5knqjr.html
manaiz.com /a2w7q.html
caspsurveys.org /zmu2.html
www.ironsidegroup.pk /kq6bz.html
temporary-toilets.com /mczkg.html
0342962.netsolhost.com /716txi.html
babilhotel.com /5bf0html
customcakesnw.com /not8.html
tomralph.net /vsz8c.html
www.panelpeople.com /1060.html
goldencrownhotel.com /zf9w3uh.html
www.launas.fr /jjssgx4.html
dev.crm-warehouse.be /uclt4.html
alassite.com /2hyl0.html
02be375.netsolhost.com /6mu1v.html
evo2inc.com /o3wyn.html
campossaab.net /g1hrhtml
inzanepix.com /19v4sx.html
specialrental.com /p5y6.html
iscsconferencerecording.com /am2wdh.html
www.murciaopina.com /rt5dmy.html
buynanoclean.com /3c6tp7.html
froda.com /5kbnak.html
globaliellc.com /1o36z.html
mslbx.com /~servatus/soexlyy.html
indexpoker.com /
diversco.com /6fxo.html
www.acclaimcabinetscom.au /7xoslgn.html
mvlmobile.in /d34c.html
weightlosspersonaltrainerconsulting.com /1decnf9.html
vandieautomatisering.nl /linhe.html
intestinoirritable.ws /e66uc.html
fmwwrestling.us /gsld0d.html
abeauty.com.au /
sokullupasahotel.com /fvn4upi.html
ants.net.au /yxe4ma.html
lkco.in /a8l876j.html
static-64-184-73-69nocdirect.com /~afroland/eh8jvre.html
damarchesi.it /6m2rdlx.html
trinity-work-shop.de /5t5ub.html
mycountylink.com /f6atze.html
artigianatopasella.com /9ghy.html
ohtobeyoungagain.com /t4cj.html
syedaliahmad.com /3mlnfh.html
www.geelongeisteddfod.com.au /13pspj.html
www.tommysparger.com /ci87qyp.html
nt-ves.ac.th /
diipbmis.nl /l374dcthtml
bakulpharma.com /
etno-plants.ro /
professionalroofingco.uk /vmba.html
altiaproducts.com /29f4.html
dezoetezaak.nl /anxl5.html
ozurfa.com.tr /ras5.html
lexxstore.de /7nsenqhtml
meirmodiin.org /~meirm/kk22.html
siflindia.com /27swn2.html
grapediscounts.com /fjlj9k.html
fastincomebiz.com /hsd6g7b.html
thebeadrotisserie.com /vel42.html
46.23.64.241 /~jamias/lc50sf.html
fastincomesystem.biz /u8g4tn.html
surebg.co.za /xltlgs.html
110.4.42.93 /bx94l.html
www.resourceelementlimited.com /
graph2profit.com /utxfc.html
shriganpatiproduction.net /r05qv4h.html
micrene.com /ivowl1rhtml
pdscientific.com /tl1s.html
www.wanithai.com /u7pv30b.html
ads-protection.com /fs3lax.html
sl3-vgt.vgthosting.com /~worknetw/fj2bvn.html
fb.servatusdev.com /~servdev/56iy2.html
hedy-lamarr.org /n2tgsb.html
niritech.com /pxkf.html
212.68.54.148 /~radyoruz/qsdsw9m.html
www.pushtiieshakti.com /783i.html
empiresallies-secrets.com /k0bayr.html
tarjetaspilos.com /9tvd.html
voongo.com /asfti1/index.html
searchtroop.net /04sh.html
altagallura.it /bd5jhtml
gran-mar.com.ar /4p6sbu7.html
fullart.com.pe /3c55egr.html
sanianishtar.info /7o2dd.html
umtelecom.com /h10krhtml
reformasyreparaciones.com /76kdp.html
206.217.196.47 /~dumpsche/kes773.html
acumenauditors.com.au /vfa9.html
www.rippt.com /t8859u.html
trunghieu.com /hsx1n3r.html
delallosa.com /mtgy99y.html
lainformacion.us /snkk1.html
refritermo.com /j9ps4y.html
www.grahajodoh.com /bqe6zk.html
etakip.com /yg4jl9.html
carifind.com /t718xhhtml
jpvarleyllc.com /kna4wx.html
www.shatteredhope.gr /lnsp.html
autoblog.fastincomesystem.biz /~cheers/gyjde.html
reformhaus-mehnert.de /2vn9yr5.html
indianbookshop.co.in /5b9fgs.html
host272.hostmonstercom /~fdflockc/6xh9l1e.html
enbramex.com /mpvsgi2.html
onlinesurat.com /mb2d.html
surrealtopia.com /hmsuu.html
el-salto-fishing.com /agg0noo.html
simplefact.mx /xln290.html
bofco.in /htrc.html
iznillahcng.com /y5le.html
static-64-184-73-69.nocdirect.com /~afroland/eh8jvre.html
vizonix.com /c1ptwqs/index.html
visionciudadconsultores.com /dwqopc/index.html
winsbyinc.com /0sm9j5/index.html
www.tradehalls.com /8eeh2.html
4income-solutions.com /93e3x.html
locanda-stazzo-bona.com /
jade.nseasy.com /~manishar/7xl9bd.html
GUHDNS.COM /md8g.html
livedata.it /ssao.html
www.manojengg.com /scv2.html
sexshop.com.tr /3igtv8.html
perfumeylenceria.com /joiwku.html
server10.namecheaphosting.com /
freunde-klinik-ottobeuren.de /oryh1.html
floristeriasdecoaromascostarica.com /kh31.html
portalinternational.us /5ecf2z.html
molinas.eu /nz4ot.html
clubfirst.org /2ba0jra.html
thepentad.com /eg3eje/index.html
www.dsmodular.com /qt21ta.html
hotelmarinepalace.com /0493.html
teresita.com.mx /hcrji4t.html
198.63.48.81 /z116c.html
punjnud.com /3sllgkihtml
inkostudio.com /y0ao0c.html
tuncakyavas.com /jfifrpb.html
hkf.huber-babenhausen.de /xyy4dg3.html
watson.timeweb.ru /~kostos/7euyd25.html
vscreative.com /x882.html
lemilano.fr /
labeltula.it /e51rsq.html
www.acclaimcabinets.com.au /
shelterpropertydealers.com /97qf.html
dotmile.com /cvpa4jj.html
www.clubbayard.com /w6kzi.html
myauto.co.nz /odmz0chtml
whydodogs.org /jdab40.html
bigrace2012.com /3ri1vt.html
www.launas-hebergement.com /fj9p1.html
www.neoplastic.gr /0qedzw.html
ittefaqpipe.com /2inp.html
efficientorganizationnw.com /ix84c.html
indosyslife.com /cdwwto.html
newmonicaarts.org /
avicarusa.com /uyxasjr.html
atlantidesardegna.it /61fyvx.html
baratrucks.com /n6j5m.html
heromw.com /602ka.html
web3.biz /4jdsydk.html
eqsync.com /bx5wfm.html
weblinksubmissions.com /1bgypq/index.html

Duqu: You're safe unless you use TrueType Fonts?

Two of the malware analysts in my lab have been complaining to me that the malware they see every day is getting boring - the primary attacks that we see in the largest volume are the same thing over and over and over again.

Let's be thankful for that! The big news in the malware world yesterday came when Microsoft announced a workaround for Duqu, named by researchers in the CrySyS Lab (the Laboratory for Cryptography and System Security at Budapest University of Technology and Economics) because it prefixes some created filenames with the letters "~DQ".

On October 14, 2011, CrySyS contacted Symantec to get some help analyzing the malware, and Symantec released an extremely informative 67 page PDF report called W32.Duqu: The Precursor to the next Stuxnet. (The link is to version 1.3 of the report, updated on November 1, 2011).

There have been two IP addresses confirmed to be associated with Duqu and serving as Command & Control. The first IP was in India - 206.183.111.97. The second was in Hungary - 77.241.93.160. Traffic flow to either of these IP addresses would be a strong positive indicator of a Duqu infection! Both sites are down now.

The first server was announced to be down on October 31st in stories such as this one -- India Shuts Server Linked to Duqu Computer Virus -- that shares some details of a server located at the 200-employee data center Web Werks.

The second server was at Combell in Belgium -- as described in stories such as this one -- Duqu Hackers Shift to Belgium After India Raid.

Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we've seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Here's a VirusTotal report of the better detected of those pieces of code, which had the MD5 value e1e00c2d5815e4129d8ac503f6fac095. This file is not "Duqu" but is rather "an .exe file related to Duqu" which is a much larger program (this one is only 9k in size).


Non "generic" definitions for this malware included:

Avast: Win32:Duqu-F
Emsisoft: Trojan.Win32.Stuxnet!IK
Ikarus: Trojan.Win32.Stuxnet
Microsoft: Trojan:Win32/Duqu.E
NOD32: probably a variant of Win32/Duqu.A
TrendMicro: TROJ_DUQU.AJ


MD5s mentioned by Symantec:

md5 | timestamp | purpose
----------------------------------+---------------------------+-----------------------
9749d38ae9b9ddd81b50aad679ee87ec | Wed Jun 01, 03:25:18 2011 | Stealing information
4c804ef67168e90da2c3da58b60c3d16 | Mon Oct 17 17:07:47 2011 | Reconnaissance module
856a13fcae0407d83499fc9c3dd791ba | Mon Oct 17 16:26:09 2011 | Lifespan extender
92aa68425401ffedcfba4235584ad487 | Tue Aug 09 21:37:39 2011 | Stealing information

In each of those above, the link on the MD5 will show you the VirusTotal report. I find it interesting that TrendMicro consistently names these files "TROJ_SHADOW.AG" which makes me wonder if they had independently discovered this malware family prior to the naming as Duqu by the CrySyS team.

Symantec calls attention to the fact that several of these files show compile dates AFTER the public disclosure of the existence of Duqu.

Delivery Mechanism


Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

We now know more about this exploit from Microsoft. On November 3, 2011, Microsoft released Microsoft Security Advisory (2639658), Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.


Microsoft has released a workaround. The exploit takes advantage of a problem in one of the DLLs called by TrueType in certain circumstances. If a system denies access to that DLL, T2EMBED.DLL, then the exploit fails to work.

The workaround can be executed like this, but Microsoft cautions that applications that rely on EMBEDDED TrueType fonts could then fail to display properly:

(For older Windows versions)
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

(For newer Windows versions: take ownership of the file first, then deny everyone access to it)
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

For more details on the workaround, please see Microsoft Security Advisory: Vulnerability in TrueType font parsing could allow elevation of privileges which offers a "Fix It For Me" button to apply the workaround for you.

Duqu Compared to Stuxnet



The Symantec report has 22 or so pages of original Symantec content, and then has as the majority of its body the report by the CrySyS Lab, which has a section that compares the Duqu and Stuxnet code. In particular, the Decryption function seems to be nearly identical.

Operation Ghost Click: DNSChanger Malware Ring Dismantled

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).


The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business: Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants.

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 205.128.73.105. For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud

If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link they are returned shows the destination "www.apple.com/itunes/", which is the real Apple website where someone can download the iTunes software.


(source: Tsastsin Indictment)

When the user of an infected computer clicks the link, their computer would ask the criminals' nameserver, which would send them to the wrong computer. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com", which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake website.

In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminal's nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement

The other way the criminals earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization run by the criminals instead.

In an example from the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminals' nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States, were infected with this malware. The earnings these young men generated from the false advertisements exceeded $14 million!

Blocking Antivirus

In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions of their existing anti-virus products. If the computer attempted to visit any major anti-virus vendor's website, it would simply get an error saying the server was unavailable.

The Charges

All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are You Infected?

The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
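
As an added example (not code from the original post or from the FBI document), here is a small Python check that expands the Protective Order ranges listed above into networks and tests the resolvers found in a pasted /etc/resolv.conf or `ipconfig /all` output against them. The two sample outputs are constructed; the 192.0.2.x addresses are documentation-range placeholders, and the ipconfig parser only collects IPv4 entries.

```python
import ipaddress
import re

# Rogue DNS server ranges from the Protective Order, as listed in the post (first, last).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Expand each first/last pair into CIDR networks once so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
]

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def is_rogue_resolver(ip):
    """True if the resolver address falls inside one of the rogue ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text):
    """Nameserver addresses from a Unix /etc/resolv.conf (comments ignored)."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_ipconfig(text):
    """DNS server addresses from Windows `ipconfig /all` output.

    The first server sits on the 'DNS Servers' line after the colon; any
    further servers follow on their own indented lines. Only IPv4 entries
    are collected here.
    """
    found = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            match = IPV4.search(line.split(":", 1)[1]) if ":" in line else None
            if match:
                found.append(match.group(1))
            continue
        if in_dns_block:
            match = IPV4.fullmatch(line.strip())
            if match:
                found.append(match.group(1))
                continue
            in_dns_block = False  # the next setting line ends the DNS block
    return found


def check_resolvers(ips):
    """Map each resolver address to True (rogue) or False (not in the ranges)."""
    return {ip: is_rogue_resolver(ip) for ip in ips}


# Constructed sample outputs; 192.0.2.x is a documentation (placeholder) range.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp
nameserver 85.255.112.10
nameserver 192.0.2.53
search example.invalid
"""

SAMPLE_IPCONFIG = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 93.188.160.5
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, ips in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                      ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        for ip, rogue in check_resolvers(ips).items():
            print(f"{name}: {ip} -> {'ROGUE' if rogue else 'ok'}")
```

A resolver on a rogue address is not proof of infection on its own (an upstream router could be the one that was changed), but it is the setting the FBI document tells you to look at, and the same list is usable as a lookup for resolver addresses seen in network logs.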

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge

The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to some other nameserver; your computer just stops being able to look up names. If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauley III on November 3rd in the Southern District of New York.

The Criminal Companies

The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemes.

Other Things You Must Read

TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.

TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really led the way on this case!

Brian Krebs' authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"

SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital

Newsweek calls Rove Digital one of the "Top Ten Spammers" -(December 2009).

ACH / WireTransfer Failed spam goes crazy!

Yesterday we saw two HUGE spam campaigns that continue into this morning advertising various alternatives of "your wire transfer failed" as subject lines.

We saw at least 86,197 copies of this spam on November 15th, that I am mentally dividing into "Named Institution / zfin" spam and "random intermediary" spam.

The "zfin" spam was far more prevalent, with 62,331 copies of the 86,197 copies pointing to a URL that contained "zfin.php" in the path.

The "zfin" spam has a mail message that reads something like this:

Dear Account Holder,

Money Transfer sent by you or on your behalf was hold by our bank.

Transaction ID: 17019302204565051
Current status of transaction: on hold

Please review transaction details as soon as possible.

N. B. Abel
Treasury Management


The "non-zfin" email has a message that reads something like this:

Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction: 238006864683285
Current transaction status: Pending

Please review transaction details as soon as possible.


In both versions a very large number of "intermediary" spam domains are used. These are "page forwarders" that have been placed on compromised web servers. The hackers have gathered a very large list of website userids and passwords where they can place new content at will, without the knowledge of the webmaster. They log in as the webmaster, upload their "forwarder" page, and then use that newly created page as the destination in spam messages.

More than 15% of the spam that we saw at the UAB Spam Data Mine yesterday belonged to this pair of campaigns, and the volume is still extremely high this morning.

Many of the emails used the faked "from" domains:

uba.org 5785
lba.org 5762
aba.com 5724
bankersonline.com 5681
cbanet.org 5674
vabankers.org 5672
mbaa.org 5645
nationalbankers.org 5634
icba.org 5620
allbankers.org 5604
fiba.net 5532
direct.nacha.org 5024


Forty-seven destinations were listed by the "zfin" spam, where a Financial Institution was included in the subject line. These destinations heavily favored Argentinian domain names:

adsr.com.ar /zfin.php
alarpargentina.com.ar /zfin.php
amhbra.com.ar /zfin.php
berlinonbike.de /zfin.php
blbtranslations.com.ar /zfin.php
cargadedatos.com.ar /zfin.php
cienciarama.com /zfin.php
diagonalpro.com.ar /zfin.php
diloplas.com.ar /zfin.php
f-guazzaroni.com.ar /zfin.php
grupoaie.com /zfin.php
healthsolution.com.ar /zfin.php
hebamme-hindenberg.de /zfin.php
horsejack.com.ar /zfin.php
horuz.com.ar /zfin.php
iguazuwonderful.com /zfin.php
imevial.cl /zfin.php
juliancortary.com /zfin.php
mecanicamm.zzl.org /zfin.php
mikromesh.de /zfin.php
mileycyrusdaily.com /zfin.php
monialberti.com.ar /zfin.php
ohoven.de /zfin.php
onpacker.de /zfin.html
picturereport.net /zfin.php
playamarinaestates.com /zfin.php
regionalvanesaduran.com.ar /zfin.php
saboresdecordoba.com /zfin.php
safarisfotograficos.com.ar /zfin.php
schoss-objekt.de /zfin.php
sindy.com.ar /zfin.php
sindy-arg.com.ar /zfin.php
tamandua-transporte.com.ar /zfin.php
vanessahudgens.bz /zfin.php
video-professionell.de /zfin.php
visiondelnoroeste.com.ar /zfin.php
viveroelparaiso.com.ar /zfin.php
whitehorsemedia.de /zfin.php
www.ava-kunden.de /zfin.php
www.bx000471.ferozo.com /zfin.php
www.enpuntasdepie.com.ar /zfin.php
www.profileinformatica.com.ar /zfin.php
www.samavi.com.ar /zfin.php
www.seebek.com.ar /zfin.php
www.tecnosistemas.com.ar /zfin.php
www.tecnotrucos.com.ar /zfin.php
www.tetraisotopos.com /zfin.php

By mixing a "prefix" with an "institution name" more than 10,000 unique subject lines were created. 702 Financial Institutions have been named so far . . .

The prefix for the subject is selected from this list:

ACH debit transfer was hold by
ACH debit transfer was not accepted by
ACH payroll payment was hold by
ACH payroll payment was not accepted by
ACH Transfer was hold by
ACH Transfer was not accepted by
Bill Payment was hold by
Bill Payment was not accepted by
Domestic Wire Transfer was hold by
Domestic Wire Transfer was not accepted by
Funds transfer was hold by
Funds transfer was not accepted by
Money Transfer was hold by
Money Transfer was not accepted by
Payment was hold by
Payment was not accepted by
Wire Transfer was hold by
Wire Transfer was not accepted by

and then suffixed with a financial institution name from the list found at the end of this email. . . .

The "non-zfin" form of the spam uses one of these subjects (a random number is notated by #RND#):

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected
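
As an added example (not code from the original post), here is a Python classifier built from the subject prefixes and templates listed above. It tags a subject as "zfin" (one of the prefixes followed by an institution name), "non-zfin" (one of the fixed templates, with #RND# matched as a run of digits) or neither, and it reduces a list of landing URLs to one per host, the same reduction the post applies to its URL list. Only part of the non-zfin template list is carried over; the sample messages and host names are constructed. One overlap between the two lists deserves attention: "ACH transfer was hold by our bank" is both a complete non-zfin template and a zfin prefix followed by the words "our bank", so the exact templates are tested first.

```python
import re
from urllib.parse import urlsplit

# Subject prefixes quoted in the post for the "zfin" campaign; the spammer
# appends a financial institution name to each.
ZFIN_PREFIXES = [
    "ACH debit transfer was hold by",
    "ACH debit transfer was not accepted by",
    "ACH payroll payment was hold by",
    "ACH payroll payment was not accepted by",
    "ACH Transfer was hold by",
    "ACH Transfer was not accepted by",
    "Bill Payment was hold by",
    "Bill Payment was not accepted by",
    "Domestic Wire Transfer was hold by",
    "Domestic Wire Transfer was not accepted by",
    "Funds transfer was hold by",
    "Funds transfer was not accepted by",
    "Money Transfer was hold by",
    "Money Transfer was not accepted by",
    "Payment was hold by",
    "Payment was not accepted by",
    "Wire Transfer was hold by",
    "Wire Transfer was not accepted by",
]

# A subset of the "non-zfin" subject templates quoted in the post; #RND#
# stands for a random number. Extend with the rest of the post's list.
NON_ZFIN_TEMPLATES = [
    "ACH payment canceled",
    "ACH transfer was hold by our bank",
    "Direct Deposit payment ID #RND# rejected",
    "Fwd: Wire Transfer (#RND#)",
    "Fwd: Wire Transfer Confirmation (FED #RND#)",
    "Payment ID #RND# rejected",
    "Re: your Direct Deposit payment ID #RND#",
    "Your Direct Deposit payment ID #RND# was declined",
    "Your Direct Deposit payments were rejected",
]


def _template_regex(template):
    # Escape the literal text, then let the #RND# placeholder match any digit run.
    pattern = re.escape(template).replace(re.escape("#RND#"), r"\d+")
    return re.compile(r"^" + pattern + r"$", re.IGNORECASE)


NON_ZFIN_PATTERNS = [_template_regex(t) for t in NON_ZFIN_TEMPLATES]
ZFIN_PATTERN = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in ZFIN_PREFIXES) + r")\s+(\S.*)$",
    re.IGNORECASE,
)


def classify_subject(subject):
    """Return ('zfin', institution), ('non-zfin', None) or (None, None)."""
    s = " ".join(subject.split())  # normalise whitespace
    # Exact templates first: "ACH transfer was hold by our bank" would
    # otherwise be read as a zfin prefix plus the institution "our bank".
    for pat in NON_ZFIN_PATTERNS:
        if pat.match(s):
            return ("non-zfin", None)
    m = ZFIN_PATTERN.match(s)
    if m:
        return ("zfin", m.group(1))
    return (None, None)


def one_url_per_host(urls):
    """Keep only the first URL seen for each host, in order of first appearance."""
    kept = {}
    for url in urls:
        host = urlsplit(url).netloc.lower()
        if host and host not in kept:
            kept[host] = url
    return list(kept.values())


def summarize(messages):
    """messages: iterable of (subject, landing_url) pairs.

    Returns per-campaign counts, the institutions named in zfin subjects,
    and the landing URLs reduced to one per host.
    """
    counts = {"zfin": 0, "non-zfin": 0, "other": 0}
    institutions = set()
    urls = []
    for subject, url in messages:
        kind, institution = classify_subject(subject)
        if kind is None:
            counts["other"] += 1
            continue
        counts[kind] += 1
        urls.append(url)
        if institution:
            institutions.add(institution)
    return counts, sorted(institutions), one_url_per_host(urls)


# Constructed sample messages; hosts are placeholders, not sites from the post.
SAMPLE_MESSAGES = [
    ("Wire Transfer was hold by Example Savings Bank", "http://host-a.example/zfin.php"),
    ("ACH Transfer was not accepted by Example Credit Union", "http://host-b.example/zfin.php"),
    ("Direct Deposit payment ID 4471930 rejected", "http://host-c.example/7o1otl/index.html"),
    ("Fwd: Wire Transfer Confirmation (FED 2290114)", "http://host-a.example/other/index.html"),
    ("ACH transfer was hold by our bank", "http://host-d.example/index.html"),
    ("Your invoice is attached", "http://host-e.example/invoice.html"),
]

if __name__ == "__main__":
    counts, institutions, urls = summarize(SAMPLE_MESSAGES)
    print(counts, institutions, urls, sep="\n")
```

Run against a mail log, the per-host list is what you would hand to a takedown or blocklist process, and the institution set is what lets you count how many banks are being impersonated, which is the "702 Financial Institutions" figure the post reports.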

These spam messages directed users to one of 1962 unique URLs that all SEEM to be compromised websites, with the exception of some "free hosting" sites, and a handful of URL shortening services. That list is presented below, with the list reduced to 671 instances by eliminating all but a single example URL per host computer:

015cc13.netsolhost.com /7o1otl/index.html
119.245.150.188 /
163.30.58.134 /
164.125.9.9 /~kimjw/gigl.php
173.193.15.56 /~assalamt/13xwph/index.html
193.59.73.242 /
194.51.85.73 /~tlariviere/zmtg.html
195.244.192.61 /
200.13.224.125 /
200.58.114.11 /
202.43.73.66 /
203.174.34.130 /
210.239.8.82 /~kenmin/akatx.php
212.110.96.163 /
213.191.128.17 /
216.172.186.5 /~peacock/9f46fnr/index.html
38.103.167.38 /
4a.4b.354a.static.theplanet.com /~playcas/5be1urt/index.html
60.251.4.82 /
62.193.216.26 /
62.233.121.21 /
62.233.121.25 /
66.133.129.5 /~nsmarc1166/gbsmofb.html
74.86.158.236 /
82.140.32.161 /
82.223.150.99 /
83.243.20.173 /
84.32.77.200 /
87.98.187.244 /
90plan.ovh.net /~aventureo/1k87cy0/index.html
a.md /9Q6
abandonedontario.ca /
abbastravel.com /
ad.f8.5546.static.theplanet.com /~outdoors/0nnpob/index.html
adagadoxig.freecities.com /acjxur.html
adamant.az /deuhgi.html
adanovan968.100megsfree5.com /oduarg705.html
adi-tobyfatud.fcpages.com /oprirtir.html
ady-ufodopyrub.envy.nu /bezuvee0.html
afucezox706.bigheadhosting.net /nofloudabuse.html
agrooyl.ro /inlcude.html
airteksystems.com /
airworkscompressors.com /
ajubecujal-tope.freewebsitehosting.com /lrosperousneslaa08.html
akapela.gr /7as4xe/index.html
akat-tech.com /
alahpe.notlong.com /
alasimipi-akad.maddsites.com /poadkh.html
ale-jygowesop.lookseekpages.com /leonijii785.html
aleksrdest.com /
alfra-tools.be /contents/index11.html
alfra-tools.nl /
alided-isig.freewebportal.com /noninfecluoufyy45.html
all-expo.eu /0uktna/index.html
alphametal.info /
alphashop.nl /
alugiceb34.lookseekpages.com /pptopwaner.html
alzmetall.be /shared_files/index11.html
alzmetall.nl /contents/index11.html
amanibap105.envy.nu /pdiasamd.html
amidopysud.greatnow.com /pytacinc.html
amolijuza795.freewaywebhost.com /novdurabbebii57.html
amylo.ca /
annelotte.com /
anu-efitodose.maddsites.com /pinuda.html
anwaltskanzlei-apw.de /dxocq8/index.html
apibopeco-isex.maddsites.com /pammtqqaw.html
apnea-creativa.net /
apollox.net /
aqas-rijaxatoc.virtue.nu /polivlex.html
aqo-awiwyzyhot.lookseekpages.com /phaxa12.html
aquastats.nl /
ariane-services.com /~ph_laura/1trr7oh/index.html
asewad722.freewebsitehosting.com /petrqeisec.html
askara.ca /
assilphone.com /46in4f/index.html
assistantarea.com /0dt038i/index.html
astola.com.au /03ajwnt/index.html
athmajothi.com /2kejqlu/index.html
atlas.nseasy.com /~athmajot/995rxv/index.html
atomicdigitalcapture.com /4srpft/index.html
atscaf.fr /0w019w/index.html
audier.nl /1vz1hs/index.html
aunesty.com /34n6z2t/index.html
aurorabraces.com /
autodc.fr /5s82w4/index.html
auvalon.sk /0wffuo/index.html
aviorr.com /0jlklp6/index.html
axux-oxylule.s-enterprize.com /nikeuu5.html
aze-seqyqan.dreamstation.com /rorihigotikano.html
aziatische-ingredienten.nl /52n8pw/index.html
azuma.co.th /
babytake.com /7r7hr4p/index.html
badcompanyeredar.ba.ohost.de /2m23xd6/index.html
balconesdelparque.com /3sdl39/index.html
baldimanuela.it /inlcude.html
bandzaagmachine.nl /
banyanchildrenlibrary.com /qbbxnth/index.html
barpetra.com /hsldl6/index.html
bb4f.net /0pwbvz/index.html
bedrijftekooptiel.nl /
bedrijftekoopzetten.nl /
benice.pytalhost.de /8ir8he9/index.html
berufskolleg-brilon.de /2jt3oy/index.html
beststockbook.com /21jrj7g/index.html
bidenurefu-upi.servetown.com /nixqczzn.html
bifapuniho-nyna.digitalzones.com /jypajpa.html
birchip.com /c2xollw/index.html
biru.web.id /nemi5k/index.html
bi-vent.de /51kk7o/index.html
bizalgerie.com /92usm9/index.html
bjay12.com /2pamuex/index.html
blog.forumfan.pl /
blog.tedinet.com /kissnza/index.html
boatbooks.ca /
boatlicences.com.au /msp9nc/index.html
boncukhaliyikama.com /echhgst/index.html
boroth.servers.rbl-mer.misp.co.uk /~attract/3vpite/index.html
bosokovemi1800.maddsites.com /wizim.html
bosugixe.sdhost.tk /ugisogu.html
brouze.fr /inlcude.html
brutalfun.net /0p4tl4/index.html
bumblebeeman.enixns.com /~bookmi/726d5mn/index.html
buwynobolo.freehostyou.com /wlrbo.html
buzeqok.222mb.tk /aruvivy.html
byqopoveni-apyl.fcpages.com /redberunnez290.html
c2.16.344a.static.theplanet.com /~peterfur/hqrgv4/index.html
caddcentre.org /1do876d/index.html
caddcentre.ws /4yeqtja/index.html
cadokeduzi207.100freemb.com /paxhokuh.html
cafeamerika.de /2n7a13/index.html
cahev.com /
caqiwy-mora.greatnow.com /pgonham.html
casinospoker-online.info /3z0ugvx/index.html
casu-urenywyje.lookseekpages.com /sasg0211.html
cazonof1845.greatnow.com /nisolicoo8933.html
celluloidtamil.com /inlcude.html
cgworkshops.net /inlcude.html
ChaitanyaHolidays.in /
champagne-ruelle-pertois.com /
chateau-haut-gachin.com /
chilp.it /496e27
ciata.be /
cihawuva.webclot.org /yruwevu.html
cim-byzowofy.freewaywebhost.com /polairs.html
citydibo1446.exactpages.com /protenluuu41.html
citynewsservice.de /g5nfpqn/index.html
cizomixo.freehosting.bg /uxicutov.html
classicknits.co.in /6j3o6e/index.html
click1.goshadowshopping.com /iyyvyncqkbpwvhkcwbmpkwtnthwhmyhthfmyfkmynymzmc_lkhdmzdwhjzw.html
clickandclaimcouk.site.securepod.com /5n4uxw/index.html
cm.digiportal.com /php/CR/cmregister.php%3Fdata=cR2NA4mi3ED%2B9KZ3KbHZoLUlSJRqo2hCZWTTw7FA86yfesTTa7T5mz8nIfQIsOEJqCYEjlrSL2Kb22pt1bCNT9YgXTqnV9Hq0szMhVjmIj7KYTbpAXf8d9rdvs9EUK7IwIuiNhR4mho%3D
cocynuvoxo.virtue.nu /pabter255.html
cojojibi.4sql.net /amematy.html
conred.com /65q7jj/index.html
contimac.eu /
copofude.freehost.artonat.com /ugisogux.html
cornwell.cz /f.html
cos-ovaxyrex.mindnmagick.com /pashtetdqivuz.html
cp05.digitalpacific.com.au /~austraqc/6g6dif/index.html
crm.ndr.it /
cukydyvu.exactpages.com /uu3920.html
cuzihyket1405.bigheadhosting.net /dosf882.html
cygnus.inc.cl /~planhost/jgf5m7/index.html
cyta-qorizatovy.greatnow.com /onarban303.html
czester.freehost.pl /
dab-gynyto.1accesshost.com /ofyt745.html
dachshund.ru /
dahlih.nl /
dashramspa.com /79q2h6/index.html
daxilymapo-ymeg.exactpages.com /atextn858.html
degogoyi.hosto2.info /ruvivyfu.html
deko-bett.de /04eozwl/index.html
dembs.com /
denohifi.builtfree.org /xqibitaa90.html
desmidspijk.nl /inlcude.html
dhseminars.com /5zn712w/index.html
dialog-translations.com /00kzr4/index.html
diamanza.50webs.com /
dirimukysu.1accesshost.com /polarbead7610.html
disasterrecovery.org /
djxcube.com /
dollysgroceries.com /
domuxurasu.envy.nu /pyia234.html
dos-ykyratih.fcpages.com /lromisemyngerii62.html
douglasgwynnsmith.com /
dubimajis1142.bigheadhosting.net /noncallapsabmeyy05.html
durl.me /mikas
dykutimopa.servetown.com /nanablelutionuu14.html
edenindustries.ca /
egifat-kysi.maddsites.com /wlsejenro.html
ehykigicos1194.freehostyou.com /plogmafter111.html
eishohwa.notlong.com /
eja-upigewary.fcpages.com /nokh529.html
ekuin.notlong.com /
ekuxylylak-zowo.100freemb.com /osazatu.html
em003.czechian.net /
enafej1554.digitalzones.com /jity890.html
enfantsdoprata.org /
enyqypuhys.lookseekpages.com /pvopyliticii404.html
eqywazogif-uno.lookseekpages.com /paniauu96.html
eterysam.1accesshost.com /deipmus.html
europa-haus-leipzig.de /7k75p9/index.html
evil-knievel.gmxhome.de /
evy-evaqahup.freewebsitehosting.com /odbug.html
ewamosy1959.freewaywebhost.com /mttygesyy87.html
ewivisabec-jig.envy.nu /opium206.html
ewoutjonker.nl /
exirevoka.builtfree.org /kfhyra.html
eyeicu.notlong.com /
ezexezeba703.100megsfree5.com /sawv636.html
ezomusic.ez.funpic.de /
ezuwaqi-zoqa.1accesshost.com /wereipacd.html
fej-anepyveruw.fcpages.com /paradyseii170.html
f-guazzaroni.com.ar /
finsko.hostuju.cz /
fiwawax.10gb.tk /uhezivog.html
france-azur.nl /
fullmex.iblogger.org /inlcude.html
fyparor1321.freecities.com /rushantassdanov.html
galaxy.host-care.com /~perthbe1/fmkvw3/index.html
gia-jp.net /
gibobe1829.freewebportal.com /mutmitchell.html
gihujakabu.greatnow.com /promutzeis.html
giloziz-ijub.envy.nu /rorf.html
gofipipy-syg.100freemb.com /olofjolindur.html
goksenmuhendislik.com /
gozaqoba.eg.vg /nezivogo.html
gtpikes.com /6cqmid/index.html
gud-exonad.lookseekpages.com /nizibc.html
gulohr.notlong.com /
guptaservices.com /
guwe-syginyn.100megsfree5.com /fapux250.html
gyk-yrubecata.digitalzones.com /gacezoo7.html
halliemgt.com /59ybsd/index.html
hamibukike-qan.builtfree.org /sonyxplosivoee56.html
hammerrassebande.de /8jz5glg/index.html
harmonie-travaux.com /1lvsq8k/index.html
hax1234.ha.funpic.de /
hepidyzozo.1accesshost.com /ppoisee90.html
hero.host-care.com /~pin/9es7srf/index.html
hetigy-kyju.builtfree.org /urangahoua.html
himalayanweavers.org /
hipuhaq.simik.net /nezivog.html
hiralix.mblogger.info /vozalah.html
hiranobag.co.jp /
hitcombo.com /inlcude.html
hitechcsi.com /
hiz-ysupyso.100megsfree5.com /pbiccehc.html
hockeydykeincanada.ca /images/main.html
hoepner-lacke.de /89fj0g/index.html
hoguzud.blogerpa.com /nezivog.html
hokifuxu.greatnow.com /outsmature.html
homesatthebeach.ca /
honestlawyer.ca /
honkafusion.ch /o55zj1/index.html
honkafusion.es /bpmxh6/index.html
honkafusion.fr /1h0wgog/index.html
honmononoyosa.sakura.ne.jp /
hotelkayisi.com /inlcude.html
hsh-sh.de /04y855/index.html
icppo.ic.funpic.de /
icyryxure.digitalzones.com /paracletasiz.html
iduposywa.freewebsitehosting.com /pumilaoo62.html
iheartmypet.ca /
ihoje.notlong.com /
ijicuzajy-esu.arcadepages.com /ppkboris.html
ijy-ymexegahix.freewebsitehosting.com /nintwove.html
ikiwulete.mindnmagick.com /jordert1711.html
ikylec1342.o-f.com /bobico.html
ilidavy-pow.mindnmagick.com /zilku.html
ilipinyqez1193.fcpages.com /rickaa3447.html
inkwellgraphics.ca /
inteligus.pl /0xp8fz/index.html
interasia.co.in /
iphoneipadexperts.com /
ipigipo-ese.lookseekpages.com /nocregs.html
iqiturixug1179.lookseekpages.com /baljk891.html
iqodew493.o-f.com /bonsaa93.html
iqopuc-himi.100freemb.com /nurlajidealmarky.html
iru-ynonywecid.mindnmagick.com /rutipog.html
is.gd /2vNBBj
i-sites.hu /inlcude.html
ivywej69.s-enterprize.com /purtygmress.html
iwefedoj.dreamstation.com /viomondas.html
iwynokybar-ovu.virtue.nu /phantomnrue.html
ixoboqyqe-eme.greatnow.com /pajvar.html
jabowabi.zbyte.org /edoruvyh.html
japodubyj254.envy.nu /alexee94.html
japuseny.fcpages.com /paasoz.html
jaylau.com /
jel-acofuhagi.envy.nu /gapereno7210.html
jemadab1072.exactpages.com /owylfrudu.html
jeqy-qogiqyw.100megsfree5.com /qeeml.html
jimpruden.com /html/main11.html
jixucewa.arcadepages.com /hrovidableoo414.html
joakimdo.com /main11.html
johannessendesign.com /
john-adams.ca /main11.html
johnspassmonsterkingfish.com /
jozacupub.mindnmagick.com /proliderousnyaa88.html
ju-kreis-olpe.de /13z229/index.html
jup-oqupiwyf.lookseekpages.com /rickeskenmop.html
jydinoxoto.dreamstation.com /phit47tiz37.html
kakexo-xyho.builtfree.org /packran866.html
kamiqudob.lookseekpages.com /memgaful8510.html
karlo-b.de /1wls5te/index.html
kierwinski.pl /
kinditech.org /
kisyholy971.arcadepages.com /vsynu.html
kizodyxy.1accesshost.com /pesrul7910.html
klu-inkleur.nl /
kociqaw.websitehostfree.com /nezivog.html
kon.wheel.sk /4ypcij5/index.html
kowalczyk.cz /
ks31295.kimsufi.com /~palmthre/3dg825m/index.html
ks355256.kimsufi.com /~pool/bdw27yh/index.html
kuczka.eu /j9xiw3/index.html
kukawow.heikalhost.tk /ugisogu.html
kumquatphoto.com /
kutrite.ca /
laboiteabonheur.fr /
langleykinsmen.ca /
latiwusa.freewebportal.com /mipailmironuxko.html
latunogu.blogstar.tk /ovyruwev.html
lavegliacarlone.it /inlcude.html
lexisutherland.com /4fbf35l/index.html
lezisah.notlong.com /
lieuwedevries.com /
lifeart-petra-eischeid.de /7pm4la2/index.html
liveinconcerto.nl /08e4wt2/index.html
LNK.by /ff843
locker-ba.com.br /site/inlcude.html
loru-lazetes.o-f.com /ovtorko.html
lozamita.freewebportal.com /pallelundttjoeg.html
lusepewe.sertdisk.net /ugisogu.html
lutesylo421.100megsfree5.com /mfyainyy7.html
luyized.metrohosting.info /erygegy.html
lywobaneb-omic.1accesshost.com /oo90rufat.html
lyxnia.gr /2khjpzg/index.html
macservice.vn /
maddogphotography.ca /images/main11.html
majs.ca /
mcars.pl /
mesinuangku.net /2krnil/index.html
migre.me /69SRA
miron.notlong.com /
mixland.ca /
mkmdevcenter.ca /
mohidumo.sooot.cn /ubijemat.html
molihove.goearni.info /gizazago.html
moq-ydygafyko.greatnow.com /povuuk.html
moruyime.pi6.info /nezivog.html
muguhesi.3host.tk /furuser.html
mysejofov1845.fcpages.com /selegaaa0808.html
myuu.de /
n2testing.co.uk /
naf-tufamur.dreamstation.com /vherzodjor8810.html
nailandhammer.net /
nakayimahotel.com /
nefelefi1879.fcpages.com /niskish.html
netdekorasyoninsaat.com /
ntlauf.nt.ohost.de /inlcude.html
nyjicited.freewebportal.com /nurdete.html
nylaneri-mac.servetown.com /ditonii1167.html
nytezuva-pyh.100megsfree5.com /eqq6911.html
nz-wolfenhausen.de /kpqnpk/index.html
obehumekid.lookseekpages.com /ovenhrehv.html
ochrona-almar.neostrada.pl /inlcude.html
ocig-ujaforisoc.exactpages.com /podvouskiialezj.html
oficinasvirtualesimc.cl /5j4k0ke/index.html
oguce.notlong.com /
ohquudi.notlong.com /
okeg-gyhydyq.dreamstation.com /oo67ao.html
okywijejaf.maddsites.com /ssorpuonu1.html
one-egizad.fcpages.com /vavilugxa.html
onipuwavy-oge.dreamstation.com /pwuptro.html
ontariobuildingtrades.com /5vfe149/index.html
ooblu.com /
ooquoobe.notlong.com /
opezopan.100freemb.com /pvodateconnection.html
opibak-baw.freewebportal.com /mobodultyy04.html
oqomijoh.virtue.nu /nyculmoaa0.html
oral-hekegudu.arcadepages.com /zrooo72000.html
ostwestfalen-lippe.de /8ffzcx1/index.html
otrasexshopmas.com /81p88fk/index.html
ourdogz.nl /04x6pt/index.html
oursdes4saisons.com /~oursdess/fjnopyy/index.html
outsourcemanpower.com /~outso4/4jz88e/index.html
outtheboxmusik.com /1vpj9l/index.html
ovarc.us /3df0ta/index.html
overnightclippingpath.com /a3g2pwc/index.html
ovijujase.exactpages.com /rmren.html
owehyrufiz.freewebportal.com /wubuyukiyndo.html
owips.square7.ch /pc6ypb1/index.html
oxodopi-cuce.maddsites.com /uurnorld15.html
oxu-yvurobuboh.freehostyou.com /topcaf881.html
oxymarketing.com.br /inlcude.html
oyuncumusun.com /2sfjyh2/index.html
ozcanymm.net /
ozinocug.o-f.com /njuf.html
p131879.webspaceconfig.de /d07a0hw/index.html
p7902.typo3server.info /9f9bp6n/index.html
paetzold-beratung.de /cvo8xq/index.html
PageDr.com /d1mqfg7/index.html
pagedrakemusic.com /1o1eis/index.html
paintball-bohinj.si /00vb7md/index.html
paiportacf.com /7t62aei/index.html
palathinkalktm.org /hogm7g/index.html
panmotorsports.com /53412dc/index.html
panteleon.de /6t73qt/index.html
panzercrom.com /1yd59f/index.html
paokvolos.gr /13abr4/index.html
paperequipment.com /1lt2bt/index.html
ParkGina.com /2xi5al/index.html
partnersarl.lu /a6c9j6d/index.html
pascal-bellefroid.be /627bqd6/index.html
paspartoy.gr /77j0m9/index.html
passgo.ca /
paszczak.pl /6vgjxor/index.html
paynterparmesan.com.au /0tnx3ta/index.html
pcapinvest.com /t373ygr/index.html
p-center.biz /169mdzp/index.html
pchelpch.pc.ohost.de /1fdlwp/index.html
pcmswitch.co.uk /1so14g/index.html
pc-tuning.be /5mgsw8z/index.html
pcwbc.ca /
pdc.bplaced.net /5c9tin/index.html
pdrg.zxq.net /5rte95/index.html
pdsignatures.com /o1l5a4/index.html
peachesandcreamspas.com /
peelcruise.com /3xw40nk/index.html
peluangusahaonlines.com /57tt9o/index.html
penisenlargementcourse.com /bb8yhu/index.html
perfilthermik.com /lkpeam/index.html
perso.ovh.net /~polyverr/74r128/index.html



====================
List of Financial Institutions used by the "zfin" spam . . .


==========================

Operation Open Market: Jonathan Vergnetti

On Friday, March 16, 2012, the United States Secret Service announced the results of "Operation Open Market" in a headquarters press release led by A.T. Smith, the Assistant Director for Investigations. (The Open Market press release can be found at OpenMarket.)

They announced charges against 50 individuals in three separate indictments: one indictment charging 39 defendants (16 of whom have yet to be arrested, eleven of those still listed as John Does), another charging seven individuals, and a third charging four individuals.

Those arrested in the operation are located in California, Florida, New York, Georgia, Michigan, Ohio, New Jersey, and West Virginia. During the search warrants executed on March 16, counterfeit credit card manufacturing equipment, electronic media, and even an ATM were seized. All three indictments were unsealed in Las Vegas.

Five of the arrests were in Las Vegas, including:

Michael Lofton, 34
David Ray Camez, 20
Thomas Lamb, 47
Jonathan Vergnetti, 40

All of the defendants were said to be "members, associates, or employees" of a criminal organization called "Carder.su" where "su" refers to the old Internet Top Level Domain for "Soviet Union."

Carder.su has been around since at least late 2007, originally registered to "Maria A Ageeva, 886824@mail.ru" and for some time using the gmail account "cardersu@gmail.com".

To join Carder.su, criminals had to be "vouched" into the forum by two existing members. The site is no longer active, with members being sent to the newer sites run by the same admin, crdrsu.su and carder.pro.



Carder.pro receives an average of 777 visitors per day, 372 from the United States, 218 from Russia, and 23 from Albania. (source: Alexa.com) (Carder.pro has been live for about 14 months, registered by Maria A Ageeva, cardersu@gmail.com.) To join Carder.pro, members must pay a fee of 33 "Liberty Reserve" or "WebMoney" dollars.

Jonathan Edward Vergnetti


While we wait for the names of other "Open Market" criminals to be released, I thought it might be interesting to look at one of those named so far who has plenty of familiarity with identity theft, carding, and the legal system: Jonathan Vergnetti. Often these law enforcement "Operations" combine recent arrests that are clearly related. In the case we'll examine today, the arrest actually occurred in June of 2010, but the new information is that the previously undisclosed "internet" source of Vergnetti's credit card information is now known to be the Carder.su website.

Making False Statement to Law Enforcement


Jonathan Edward Vergnetti first shows up in the federal courts system after being arrested along with Gabriella Jiminez, Robert Albert Zabala, and Barbra Jo Van Horn back in June of 2010 in the Northern District of Oklahoma.

Jonathan and his friends apparently vacated a Best Western hotel in Grove, Oklahoma in a hurry and left behind a shoe box full of credit cards and papers containing lists of other credit card numbers. The hotel manager contacted the Grove, Oklahoma Police Department, and detectives from the GPD did a good job of tracking down people who had worked with Vergnetti. They found six individuals who had been provided with fake credit cards that Vergnetti had created for them; these individuals were encouraged to use the cards to obtain cash, in exchange for which they would give Vergnetti a 60% share of whatever they got. The detectives determined which hotel rooms Vergnetti and his ring were currently operating out of and hit them with search warrants, recovering a laptop computer, equipment for embossing credit cards (printing the names and numbers on them) and writing the magnetic stripes, as well as "a significant number" of identification cards and driver's licenses.

Oklahoma filed state charges on six individuals, but was given false identities by the four featured in this charge. They claimed to be (and presented matching identification cards for) David Washington, Mehrdad Maknouni, Susan Lee Nuveman, and Barbara Jo Jeffries. Oklahoma submitted their fingerprints to CJIS and learned their real identities from the fingerprint matches. The four were questioned individually; three refused to talk, but "Barbara Jeffries" (later found to be Barbra Jo Van Horn) cooperated and claimed that Vergnetti was the head of a criminal organization of "40 to 50 people" in Oklahoma, California, and Nevada, for which he provided credit cards and identities using data he received from "an internet chat room". The group mostly used these identities to obtain cash advances from casinos, including casinos in Las Vegas, but also numerous Indian casinos, including those in Oklahoma.

(see Vergnetti False Statement Criminal Complaint)

Vergnetti's First Grand Jury


Although making false statements to an arresting officer was enough to get Vergnetti into the federal system, by the time the Grand Jury was assembled on July 8, 2010, there were better charges to bring. In addition to Vergnetti, Jiminez, Zabala, and Van Horn, Joseph Elijah Johnson and Cree Frances Clapper, both in their early twenties, were charged in this Original Indictment.

The charges were:
18 USC § 371 - Conspiracy
18 USC §§ 1029(a)(4) and 1029(c)(1)(A)(ii) - Possession of Device Making Equipment
18 USC § 2(a) - Aiding and Abetting
18 USC §§ 922(g)(1) and 924(a)(2) - Felon in Possession of Firearm (Jiminez)
18 USC §§ 113(a)(5), 1151 and 1152 - Simple Assault in Indian Country (Vergnetti)
18 USC §§ 1028(a)(7), 1028(c)(1), 1028(b)(1)(A)(i) - Identity Theft

The indictment says that the gang would obtain pre-paid debit cards and then replace the magnetic stripe information with information that Vergnetti burned on with his card-writing equipment. He could also emboss names and numbers on the cards and create matching identification documents in order to withdraw funds from casinos.

Some examples -

May 18, 2010, Vergnetti used a Nevada driver's license with his photo and the name "Berry Decker" at the River Spirit Casino in Tulsa to obtain a cash advance.

At the same casino on the same day, he also used a California driver's license in the name "Stephen Graham" and presented it to law enforcement to avoid revealing his identity.


Superseding Indictment


After the original indictment, which was enough to move proceedings forward, a Superseding Indictment was filed on August 3, 2010, bringing sixty additional charges, mostly the result of additional detective work that identified particular frauds committed by the gang of six.

So, for example, on June 4th, 6th, and 8th, Vergnetti did transactions on cards belonging to Mario Chacon and Kimberly McGee for $1263.99, $1263.99, $1075.00, $1048.99, $1048.99, and $1075.00.

Jiminez used an account belonging to Brandon Walser to do cash advances on June 5th, 6th, 7th, and 8th in the amounts of $1505, $2079.99, $2079.99, $2150, $2050, $2079.99, $2050, $2460, $1540, and $1030.

Van Horn used an account belonging to Hector Ramirez to advance $1540 on June 8th.

Clapper used an account belonging to Floyd Farmer to advance $1612.50, $1540, and $1540 on June 6th and 7th.

Johnson used accounts belonging to Ernest Richmond, Amber Beck, and Hermon Galloway to advance $1080, $1620, $2079, $1048.99, $1048.99, $1540, $1540, and $1080 on June 1st, 6th, 7th, and 8th.

Zabala used an account belonging to Phillip Carney to take $500 out on June 11th.

All of those charges are the result of looking at TEN DAYS' worth of transactions in Oklahoma by this gang.

The Plea Agreement


Faced with the evidence against him, Vergnetti decided to plead out. He agreed to provide $107,235.74 in restitution, and the prosecution agreed to drop all but two of the charges. The plea lists who he has to pay restitution to as part of the bargain:

Bank of America - $9235.89
Bank of Commerce - $1554.80
Bank of Hawaii - $5064.98
Bank of Oklahoma - $9010.54
Charles Schwab Bank - $4288.99
Community Bank of the Arbuckles - $1277.99
Cosden Federal Credit Union - $1075.00
Discover Card Services - $1801.42
First Hawaiian Bank - $1044.99
JP Morgan Chase Bank - $15,948.66
Merrill Lynch - $3183.99
Mountain American Federal Credit Union - $5872.76
RBS Citizens - $5746.47
Regions Bank - $33,475.15
TCM Bank - $1075.00
USAA Savings Bank - $5065.00
Village Bank - $1170.81
Zions First National Bank - $1342.00

Here's his actual "plea":

I, Jonathan Edward Vergnetti, admit that from Spring 2010, through June 8, 2010, I conspired and agreed with my named co-conspirators to possess device making equipment, to produce and use counterfeit access devices with the intent to defraud, and to possess and use the means of identification of other persons.

Generally, my named co-conspirators and I manufactured, possessed, and used counterfeit access devices. We obtained pre-paid debit cards from retail stores, and then fraudulently imprinted the electronic banking information of other persons onto the pre-paid debit cards without the knowledge of the true account holders. We obtained the banking information through a third party source over the internet. We embossed the characters of account numbers and names on the face of the fraudulent access devices. We then used the counterfeit access devices, along with false identification documents, to obtain cash advances at tribal gaming establishments and for other purchases. This conspiracy and the overt acts in the conspiracy occurred in the Northern District of Oklahoma and elsewhere.

Specifically, in order to carry out the objects of the conspiracy and to commit aggravated identity theft, I admit that on June 6, 2010, I knowingly possessed and used a counterfeit access device that was a means of identification of another individual to fraudulently obtain a cash advance in the amount of $1048.99 from the Grand Lake Casino located in the Northern District of Oklahoma, and the use of the counterfeit access device affected interstate commerce.


The Sentence


With a plea agreement lined up that basically said "pay back the money and we'll only charge you with Conspiracy and Aggravated Identity Theft", on January 31, 2011 Judge James H. Payne of the Northern District of Oklahoma sentenced Jonathan Edward Vergnetti to pay $114,931.74 in restitution (garnishing wages at 50% of income while in prison and 10% of income after prison) until paid. The sentence called for 84 months of imprisonment: 60 months for the Conspiracy and 24 months for the Aggravated Identity Theft, to run consecutively.

The Status


According to the Bureau of Prisons Inmate Locator Service, Jonathan Edward Vergnetti, Register # 10908-062, a 40 year old white male, is scheduled to be released on July 14, 2016 and is currently held at the Federal Correctional Institution in Lompoc, California (175 miles northwest of Los Angeles, adjacent to Vandenberg Air Force Base.)

Russian MVD announces arrest of CARBERP gang

Today the Russian MVD and FSB announced the arrest of eight cybercriminals who, according to the charges documented in this case, stole more than 60 million rubles ($2 million USD) from at least ninety victim bank accounts.

The Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del or Министерство внутренних дел) better known as the MVD has a computer crimes unit known as "Department K". In this case they worked together with the Russian Federal Security Service's Center for Information Security. (The Federal Security Service, or FSB for Federal'naya sluzhba bezopasnosti, Федеральная служба безопасности is the equivalent to the FBI in the United States.)

Similar to charges brought in the United States against cyber criminals, the MVD Press Release only documents charges that can be proven beyond any reasonable doubt. The total activities of these criminals are likely to greatly exceed what can be formally charged. The formal charges are significant though.

According to Russian computer forensics and investigations company, Group-IB, the Russian government received assistance in the investigation from Group-IB as well as Dutch company Fox-IT. Group-IB says that the group primarily used the malware families Win32/Carberp and Win32/RDPdor.

The Carberp trojan is a financial crimes trojan that has been said to have "High Damage Potential" by anti-virus companies like Trend Micro. Trend was able to show some interesting statistics about who was infected with at least one version of CARBERP by "sink-holing" the CARBERP Command and Control server. S21Sec also did some great research on how to decrypt Carberp communications.

Carberp has continued to evolve and add functionality beyond simple banking credential theft. More recently Carberp has been used for DDoS attacks and to grant remote control access to infected computers, giving the criminals access to everything on the computer, or the ability to use that computer to mask the origins of other attacks.

Department K has been tracking these particular criminals since October of 2011, and says the group was run by two brothers, born in 1983 and 1986. One of those brothers was already a known criminal having a record related to real estate fraud.

This particular gang of eight criminals would gain access to banking credentials and cause money to be electronically transferred to accounts controlled by the criminals. They actually rented office space under the guise of a legitimate computer company and spent their days taking remote control of compromised computers in order to set up the fraudulent banking transactions. Once the money had been transferred to accounts controlled by the gang, it was withdrawn from a variety of ATMs in the Moscow area.

The malware was distributed by hacking into popular Internet sites and leaving traps, including the websites of some prominent newspapers.

All of the criminals were arrested simultaneously in cooperation between the MVD and the FSB, from the botnet administrator all the way down to the criminals who made the ATM withdrawals.

If I'm reading the Russian translation correctly, the ringleader is in custody, his elder brother was released on 3 million rubles bond, and the other six are under house arrest.

The charges brought against them were based on three Russian laws:

- Article 272 - "Illegal access to computer information"
- Article 273 - "The creation, use and dissemination of harmful computer programs"
- Article 158 - "Theft"

The hackers could face up to 10 years imprisonment, if convicted.

It is not known at this time how this arrest will impact other use of the CARBERP trojan. The trojan continues to be active, with criminals continuing to take advantage of the lack of enforcement of domain name registration rules, and the gullibility of human computer users. One quick example of each:

One of the domains associated with CARBERP recently was: n9ewpon98euohfe.org

Here is the WHOIS information for that domain:

Registrant name: trgtrf trgtrf
Registrant organization: trgtrf
Registrant street: trgtrf
Registrant state: trgtrf
Registrant postal code: trgtrf
Registrant country: CN
Registrant phone: +86.6857463454
Registrant email: gewtghdcu@mail.cn

See if you can spot the inaccuracy in that WHOIS data. Did you pass? Of course! It's a Russian phone number (+86) claiming to be in China! Oh, the fact that trgtrf may not be a valid postal code, or name, or address, might also be a hint. Rather strange that this Russian in China chooses to use "Primaryns.kiev.ua" as his nameserver as well.
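The registration data above is the kind of thing a defender can check automatically when triaging a suspicious domain. The following is an added example, not code from the original post or from any of the companies named in it: it parses a WHOIS record in the "Key: value" layout quoted above (the sample record is constructed to mirror that one, with the nameserver added as a "Name server" line, which is an assumption about the field name) and flags three weak signals that a practitioner would look for: the same filler token reused across many registrant fields, a postal code with no digits, and a nameserver under a country-code TLD that differs from the registrant's stated country.

```python
"""Added example: flag obviously bogus WHOIS registrant data (not the post's own code)."""
import re

# Constructed sample record, modelled on the one quoted in the post above.
SAMPLE_WHOIS = """\
Registrant name: trgtrf trgtrf
Registrant organization: trgtrf
Registrant street: trgtrf
Registrant state: trgtrf
Registrant postal code: trgtrf
Registrant country: CN
Registrant phone: +86.6857463454
Registrant email: gewtghdcu@mail.cn
Name server: primaryns.kiev.ua
"""

# Matches a two-letter country-code TLD at the end of a hostname (".ua", ".cn", ...).
CCTLD_RE = re.compile(r"\.([a-z]{2})$")


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' lines into a dict keyed by the lower-cased field name."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip().lower()] = value.strip()
    return record


def whois_findings(record: dict) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    findings = []

    # 1. Filler detection: a real registrant's name, street, state and postal code
    #    do not share tokens. Count in how many free-text fields each token appears.
    free_text_keys = [
        k for k in record
        if k.startswith("registrant") and k.split()[-1] not in ("country", "phone", "email")
    ]
    fields_per_token = {}
    for key in free_text_keys:
        for token in set(record[key].lower().split()):
            fields_per_token.setdefault(token, set()).add(key)
    for token, keys in fields_per_token.items():
        if len(keys) >= 3:
            findings.append(f"filler token {token!r} reused in {len(keys)} fields")

    # 2. Postal codes in every country contain digits; an all-letter one is filler.
    postal = record.get("registrant postal code", "")
    if postal and not any(ch.isdigit() for ch in postal):
        findings.append(f"postal code {postal!r} contains no digits")

    # 3. Nameserver hosted under one country's ccTLD while the registrant claims another.
    #    Only a weak signal on its own, but worth surfacing alongside the others.
    country = record.get("registrant country", "").upper()
    nameserver = record.get("name server", "").lower()
    match = CCTLD_RE.search(nameserver)
    if match and country and match.group(1).upper() != country:
        findings.append(
            f"nameserver {nameserver} is under .{match.group(1)} "
            f"but registrant country is {country}"
        )
    return findings


if __name__ == "__main__":
    for finding in whois_findings(parse_whois(SAMPLE_WHOIS)):
        print("-", finding)
```

The checks are deliberately conservative: each one is a hint to be weighed with other evidence (the post's own method, eyeballing the record, remains the final word), not a verdict on the domain by itself.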

On the Social Engineering front, Trusteer CEO Amit Klein recently blogged about a Facebook related scam being pushed to users infected with Carberp. In that scam, users were told that their Facebook account was locked, and that they needed to provide a 20 Euro "Ukash Voucher #" to unlock the account:


Ukash started in the United Kingdom (UK-cash = Ukash?) but now has partnerships with certain mobile phone companies and with Mastercard.

Zeus still a Spam Threat

Tonight's Rock Center with Brian Williams episode talked about the September 2010 "Trident BreACH" case. One of the things that the students in the UAB Computer Forensics Research Laboratory learn is that Cybercrime investigation is a community event. Hundreds of researchers around the world have been tracking cybercriminals who use malware, including Zeus.

UAB now provides a daily report to law enforcement called "Emerging Threats by Email" which regularly documents continued Zeus-related malware threats delivered by spam email. This week there have been several new "social engineering" scams that attempt to convince the email recipient to click on a link.

The UAB Spam Data Mine currently gathers and analyzes more than a million new spam messages each day. Here are some of the Zeus threats we've seen in the spam in the past 72 hours.



The spam message here uses the subject:

J.P. Morgan ACCESS Action Required-Password Reset

The email says that the "Security Administrator" has reset your password to a temporary password, and now you need to log on at "www.jpmorganaccess.com".

Only the link doesn't actually go to JP Morgan. There are more than fifty websites that are actually linked here, each one hacked to include a new subdirectory that contains a file full of redirectors. Those redirectors end up at a "Black Hole Exploit Kit" which then infects the visitor with the Zeus trojan.

The Black Hole Exploit Kit is "crimeware" - criminals sell the software as a service that allows the "renter" of the crimeware to infect visitors with the malware of their choice. Brian Krebs has a nice write up about Black Hole Exploit kits and Crimevertising.



This spam message claims to be a notice from the "Commercial Electronic Office" and tells the recipient they need to access their "Deposit Adjustment Notice" by signing on to "the CEO Portal".

This one works exactly like the JP Morgan version. Forty-five different destinations, each a hacked website, contain redirectors which also send visitors to a Black Hole Exploit kit that drops Zeus.



One of the broader social engineering scams this week says that you are about to fly from the Washington DC airport and that it's time to Check-in online. After receiving such an email, the temptation would be to just "take a peek" and figure out whether you've been charged for a flight!

You might have figured out by now that if you click the link, it's going to take you to one of 140 compromised websites which all have redirectors on them that will automatically take your web browser to a Black Hole Exploit kit that will infect your computer with Zeus.



On March 19th we saw around 9,000 of these messages using the following subjects:

2239 | Careerbuilder.com open positions suggestion.
2188 | New position found for you at Careerbuilder.com.
2106 | Careerbuilder.com has found an open position for you
1930 | Careerbuilder.com has found a vacant position for you
1842 | Careerbuilder.com open position notification.

Some of the templates were a bit screwed up: one message offered the position of "Chief Legal Officer" at "Security Finance Corporation," but another offered the position of "Chief commercial officer Chief Communications Officer" at "%." (Apparently the variable name for the company didn't match up.)

There's also a "Chief Customer Officer" (whatever that is.)

When the email recipient clicks on the job title, perhaps while saying to themselves "How silly, why would anyone want me to be the Chief Legal Officer? I'm not even a lawyer!" they aren't taken to CareerBuilder, but to one of the 100+ websites that have each been hacked to place a set of redirectors that sends the visitor to a Black Hole Exploit kit, which will infect the visitor with Zeus.



In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, and then sends them to a Black Hole Exploit kit that infects the visitor with Zeus!


As an example, one of the links:

... DANGER: DO NOT CLICK OR FOLLOW ANY OF THESE ...

promocaolilicaetigor.com.br / VJBqqR5H / index.html

contains three redirectors:

gilson.kooka.be / ACwhfZ0X / js.js
m2m-direct.co.uk / tx96TETB / js.js
maksutoski.com / 5GUVH5Sz / js.js

Each of these points to the Black Hole Exploit kit at:

slickcurve.com / showthread.php ?t= 73a07bcb51f4be71


The Black Hole Exploit kit caused my test machine to download:
- a 111,129 byte executable (two times)
- a 17,476 byte Java JAR file
- a 283,160 byte executable (three times)

The 283,160 byte file is the Zeus malware. It was pulled from:

- 173.255.195.167 (slickcurve.com) a computer in New Jersey
- 64.90.51.63 (dosimedio.com) a computer in Brea, California
- 213.152.26.166 (dynolite.eu) a computer in France

But all of those computers are also compromised by the criminal to host the malware. Two of the domains are more than four years old!

The copy of Zeus that gets downloaded is 283,160 bytes in size and has an MD5 of 424c6b3afcde978b05cef918f04df759.

The current VirusTotal report shows that 15 of 43 current anti-virus products will detect this file as malware, although currently only Kaspersky, Microsoft, and Norman call it by ZeuS's most common name, Zbot.
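The chain above (a hacked site serving /eight-character-directory/index.html, redirectors at /eight-character-directory/js.js, and a kit landing page at showthread.php?t= followed by sixteen hex characters) is a pattern a defender can hunt for in web proxy logs. The code below is an added example written for this post, not the UAB lab's tooling: it classifies each requested URL by chain stage, groups hits per internal client, and singles out clients that touched all three stages. The log format (timestamp, client IP, method, URL), the example.net hostnames and the client addresses are constructed; the path patterns, and the file size and MD5 used for the sample match, are taken from the post.

```python
"""Added example: hunt for the BlackHole-to-Zeus redirector chain in proxy logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage patterns derived from the chain described in the post. Matched against
# path plus query string, so the kit pattern can see the "?t=" parameter.
STAGE_PATTERNS = [
    ("source",      re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("redirector",  re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("exploit_kit", re.compile(r"^/showthread\.php\?t=[0-9a-f]{16}$")),
]
FULL_CHAIN = {"source", "redirector", "exploit_kit"}

# Constructed proxy log: "timestamp client method url". Hostnames are invented;
# the directory names reuse the ones quoted in the post.
SAMPLE_LOG = """\
2012-03-21T09:58:10 10.1.2.3 GET http://news.example.net/2012/03/story.html
2012-03-21T09:58:41 10.1.2.3 GET http://hacked-one.example.net/VJBqqR5H/index.html
2012-03-21T09:58:42 10.1.2.3 GET http://hacked-two.example.net/ACwhfZ0X/js.js
2012-03-21T09:58:42 10.1.2.3 GET http://hacked-three.example.net/tx96TETB/js.js
2012-03-21T09:58:43 10.1.2.3 GET http://kit.example.net/showthread.php?t=73a07bcb51f4be71
2012-03-21T09:58:44 10.1.2.3 GET http://forum.example.net/showthread.php?t=1234
2012-03-21T10:02:00 10.1.2.9 GET http://www.example.net/index.html
"""

# Size and MD5 of the Zeus binary reported in the post.
ZEUS_SAMPLE = {"size": 283160, "md5": "424c6b3afcde978b05cef918f04df759"}


def classify_url(url: str):
    """Return the chain stage a URL looks like, or None for an ordinary request."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for stage, pattern in STAGE_PATTERNS:
        if pattern.match(target):
            return stage
    return None


def scan_log(text: str) -> dict:
    """Map each client IP to {stage: [hostnames]} for requests matching a stage."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines rather than crash
        _timestamp, client, _method, url = fields
        stage = classify_url(url)
        if stage:
            hits[client][stage].append(urlsplit(url).hostname)
    return {client: dict(stages) for client, stages in hits.items()}


def full_chain_clients(hits: dict) -> list:
    """Clients seen at every stage: the strongest sign the browser reached the kit."""
    return sorted(client for client, stages in hits.items() if FULL_CHAIN <= set(stages))


def matches_zeus_sample(size: int, md5: str) -> bool:
    """Match a downloaded file against the size/MD5 pair reported in the post."""
    return size == ZEUS_SAMPLE["size"] and md5.lower() == ZEUS_SAMPLE["md5"]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, stages in found.items():
        print(client, stages)
    print("full chain:", full_chain_clients(found))
```

A single js.js hit is weak evidence on its own (plenty of legitimate sites have a js.js), which is why the example reports the stages separately and reserves the strongest call for clients that were seen at all three; the size/MD5 match is the narrowest indicator and only catches this exact build of the binary.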




Prospective students might want to learn more about UAB's Master's Degree in Computer Forensics and Security Management (MSCFSM)

Businesses interested in supporting our research are invited to learn more about the Center for Information Assurance and Joint Forensics Research (CIA|JFR)

Operation Open Market: The Vendors

When we wrote last week about Operation Open Market the court documents had not yet been released in a major multi-agency Identity Theft case which targeted criminals who traded in the identities of others through the online site "Carder.su" and its affiliated other sites. We profiled the prior identity theft career of one of the charged, Jonathan Vergnetti, while we waited for the rest of the court documents to be made publicly available.

Now we are part way there. We have received copies of all three of the indictments related to this operation. Today we'll focus on the largest of the three cases, which still has a considerable amount of data redacted in the version that has been released by the courts. I refer to this case as "The Vendors" case because most of those charged were approved vendors of services in the Carder.su framework. The case, known as "No: 2:12-CR-004" in the PACER system, currently charges 39 defendants in the U.S. District Court of Nevada.

DISCLAIMER: The data below is a reflection of the CHARGES. Of course these dirty rotten identity thieves are presumed innocent until convicted in a court of law.

[REDACTED] indicates someone whose identity is being suppressed for the time being, but "John Doe" indicates someone who is known only by their online monikers such as those used at Carder.su. Authorities may be interested in learning the true identities of the John Does if you have them.

A quick index of Carder.su aliases that are still John Does:

Senna071, Morfiy, Gruber, Maxxtro, Elit3, Fozzy, Vitrum, Lermentov, TM, Zo0mer, Deputat, Centurion, and Consigliori. If you know who those folks are, I'm sure your local FBI office would be interested. Refer to "Operation Open Market Nevada Case 2:12-CR-004" when you call. 8-)



The Charges


Count 1: 18 USC § 1962(c) and 1963: Participate in a Racketeer Influenced Corrupt Organization
Count 2: 18 USC § 1962(d): Conspiracy to Engage in a Racketeer Influenced Corrupt Organization
Counts 3-17: 18 USC § 1028(a)(1): Unlawful Trafficking in and Production of Counterfeit Identification Documents or Authentication Features
Count 18: 18 USC § 1028(a)(1): Attempt to Unlawful Trafficking in and Production of Counterfeit Identification Documents or Authentication Features
Count 19: 18 USC § 1028(a)(2): Conspiracy to Unlawfully Transfer Identification Document, Authentication Feature, and False Identification Document
Count 20: 18 USC § 1028(a)(7) and (c)(3)(A): Unlawful Transfer, Possession, and Use of a Means of Identification
Count 21: 18 USC § 1029(a)(2): Trafficking in and Use of Counterfeit and Unauthorized Access Devices
Counts 22-55: 18 USC § 1029(a)(3): Possession of Fifteen or More Counterfeit and Unauthorized Access Devices
Counts 56-60: 18 USC § 1029(a)(4): Unlawful Possession, Production, and Trafficking in Device-making Equipment
Counts 61-62: 18 USC § 1029(a)(4): Conspiracy to Unlawful Possession, Production and Trafficking in Device-Making Equipment
18 USC § 2: Aiding and Abetting (applied to Counts 1, 3-17, 18, 20, 21, 22-56, 61-62).

The Charged



[REDACTED] AKA Admin, AKA Support (Counts 1,2,19)

[REDACTED] AKA Graf, (Counts 1,2,33,44,47)

Alexander Kostyukov, AKA Temp, AKA Klbs (Counts 1-2, 3-17) (Age 27, arrested in Miami, Florida, a Russian citizen)

Maceo Boozer III, AKA XXXSimone, AKA Gr, AKA El Padrino, AKA Mr. Right, AKA MRDC87 (Counts 1,2,3-17) (Age 23, arrested in Detroit, Michigan)

[REDACTED] AKA [REDACTED], AKA Ray (Counts 1,2, 3-17)

Edward Montecalvo, AKA Nightmare, AKA Tenure44 (Counts 1,2,3-17,22-55), arrested in Morgantown, West Virginia. (Carder.su Member#8711, Carding.su Member#8237 Current Status: RIPPER. His profile says he sells FEDEX labels and Track2 Dumps)

[REDACTED] AKA Ibatistuta (Counts 1-2)

[REDACTED] AKA cc--trader, AKA Kengza (Counts 1-2, 20, 22-55)

Jermaine Smith, AKA SirCharlie57, AKA FairBusinessMan (Counts 1-2, 61-62), age 31, arrested in Newark, New Jersey

Makyl Haggerty, AKA Wave (Counts 1-2) NOT YET ARRESTED, LAST KNOWN ADDRESS IN SAN FRANCISCO, CALIFORNIA

[REDACTED] AKA Bank Manager, AKA Document Manager, AKA Corey (Counts 1-2, 61-62)

[REDACTED] AKA AbagnaleFrank (Counts 1-2)

[REDACTED] AKA Devica, (Counts 1-2)

[REDACTED] AKA Track2, AKA Bulba, AKA NCUX (Counts 1-2, 22-55)

Qasir Mukhtar, AKA Caliber, (Counts 1-2, 56-60), Age 27, arrested in New York, NY

[REDACTED] AKA [REDACTED], AKA Patistota, (Counts 1-2, 22-55)

[REDACTED] AKA Source (Counts 1-2, 22-55)

[REDACTED] AKA C4rd3r (Counts 1-2, 22-55)

[REDACTED] AKA Bowl (Counts 1-2, 22-55)

[REDACTED] AKA Dorbik, AKA Matad0r (Count 2)

Michael Lofton, AKA Killit, AKA Lofeazy (Counts 1-2, 3-17), Age 34, arrested in Las Vegas, NV

Shiyang Gou, AKA CDER, (Counts 1-2, 3-17), Age 27, Arrested in New York, NY

David Ray Camez, AKA BadMan, AKA DoctorSex, (Counts 1-2, 3-17), Arrested in Las Vegas, NV

Cameron Harrison, AKA Kilobit, (Counts 1-2,3-17), Age 25, Augusta, Georgia

[REDACTED] AKA Qiller (Counts 1-2, 3-17)

Duvaughn Butler, AKA MackMann (Counts 1-2, 21, 61-62), age 37, arrested in Las Vegas, Nevada

Fredrick Thomas, AKA 1Stunna (Counts 1-2), age 31, arrested in Orlando, Florida

John Doe 1, AKA Senna071 (Counts 1-2, 3-17)
John Doe 2, AKA Morfiy (Counts 1-2, 3-17)
John Doe 3, AKA Gruber (Counts 1-2, 18)
John Doe 4, AKA MAXXTRO (Counts 1-2)
John Doe 5, AKA Elit3 (Counts 1-2)
John Doe 6, AKA Fozzy (Counts 1-2, 22-55)
John Doe 7, AKA Vitrum, AKA Lermentov (Counts 1-2, 22-55)
[REDACTED] AKA Panther, AKA Euphoric, AKA Darkmth (Counts 1-2, 22-55)
John Doe 8, AKA TM (Counts 1-2, 22-55)
John Doe 9, AKA ZO0MER, AKA Deputat (Counts 1-2, 22-55)
John Doe 10, AKA Centurion (Counts 1-2, 22-55)
John Doe 11, AKA Consigliori (Counts 1-2, 61-62)

The main indictment goes after the vendors who provided services at Carder.su, which includes Carder.info, Carder.su, Crdsu.su, Carder.biz, and Carder.pro.


LEADERSHIP



The name of the Administrator (AKA Admin AKA Support) is known but [REDACTED]. There are two moderators charged in the indictment, one [REDACTED] AKA Graf and the other unknown, called JOHN DOE 4, AKA MAXXTRO.

Vendors



Kostyukov, AKA Temp, AKA Klbs, is a vendor of Cashout Services at Carder.su, receiving a fee between 45% and 62% of the total funds laundered in exchange for providing members with cashout.

Boozer, AKA XXXSimone, AKA G4, AKA El Padrino, AKA Mr. Right, AKA mrdc87, is a vendor of Dumps at Carder.su. He sells dumps for between $15 and $150 each, depending on the quantity and the geographical location. United States dumps are least expensive, and European dumps are most expensive.

[REDACTED Defendant #5] AKA RAY is a vendor of Counterfeit Plastic. He sells blank cards for $20 to $25, with a minimum order of 50 cards. Embossed counterfeit credit cards were $65 to $75 with a minimum order of 10. He is also a vendor of Dumps – stolen credit card account numbers – ranging from $30 to $45 each.

Montecalvo, AKA N1ghtmare AKA Tenure44, is a vendor of Dumps at Carder.su as well. He was arrested at his home in Morgantown, West Virginia.

[REDACTED Defendant #7] AKA Ibatistuta is a vendor of Dumps, Counterfeit Credit Cards, Counterfeit Holograms and Signature Panels.

[REDACTED Defendant #8] AKA CC--Trader AKA Kengza is a vendor of Fullz, or credit cards along with the cardholder information: name, date of birth, Social Security Number, address, telephone number, mother's maiden name, ATM PIN, expiration date, and the CVV number or the security code on the back of the card, for $20 each with a minimum order of $200. He also sells Paypal accounts for $10 each. He also sells access to online banking accounts with Fullz identification information for between $140 and $200, depending on the balance in the victim's account.

Smith, AKA Sircharlie57 AKA Fairbusinesssman, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards at Carder.su.

Haggerty, AKA Wave, is a vendor of Counterfeit Identification Documents and Counterfeit Credit Cards at Carder.su. Haggerty offers drivers licenses for the states of Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada.
Drivers Licenses range from $100 to $200. Blank credit cards were $20 and embossed cards $30 each.

[REDACTED Defendant #11], AKA Bank Manager, AKA Document Manager, AKA Corey, is a vendor of Counterfeit Identification Documents, stolen corporate account information, dumps, and counterfeit credit cards in the Carder.su organization.

[REDACTED Defendant #12], AKA AbagnaleFrank, is a vendor of Dumps. He sells a mix of 100 Visa and Master Card accounts for $1500, and 100 American Express cards for $1,000.

[REDACTED Defendant #13], AKA Devica, is a vendor of counterfeit credit cards and holograms.

[REDACTED Defendant #14], AKA Track2, AKA Bulba, AKA nCux, is a vendor of dumps (ICQ#572019043/164419326/460085653). He has his own website that he advertises to sell his dumps that allows users to do searches for the types of cards they want and to pay using Liberty Reserve dollars (an online currency). Card prices are approximately $20 each.

Mukhtar, AKA Caliber, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards as well as Counterfeit Holograms and Signature panels. Blank plastic was sold for $15, embossed credit cards for $20. Cards with photos or chips were $25 unembossed or $30 embossed. Cards with both chip and photo were $30 unembossed or $35 embossed. His prices were negotiable based on volume.

[REDACTED Defendant #16] AKA Patistota is a vendor of CVVs as well, with a custom website that allowed buyers to shop for cards at specific banks by their BINs (Bank Identification Numbers, the prefix of a Visa or MasterCard number), and offered a service for testing whether the CVV on a card was valid.

[REDACTED Defendant #17] AKA Source is a vendor of dumps, which he sells from $12 to $150 each depending on quantity and geographical location. He also advertised his own specialty site on Carder.su which allows members to lookup cards for sale by BIN.

[REDACTED Defendant #18] AKA C4rd3R is a vendor of CVVs and Fullz on Carder.su, and offers member-to-member ICQ chats.

[REDACTED Defendant #19] AKA Bowl is a vendor of CVVs at Carder.su, and advertises his own website on Carder.su websites.

[REDACTED Defendant #20] AKA Dorbik AKA Matad0r is a vendor of Bullet Proof Hosting services. Bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content. Other criminals hosted carding forums and phishing sites on Dorbik’s services.

John Doe 3, AKA Gruber, is a vendor of counterfeit identification documents in the Carder.su organization. He makes cards for Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada. (By pricing and state selection, it is clear that Gruber and Haggerty are working together.)

John Doe 5, AKA Elit3, is a vendor of Fullz which he sells for $5 to $7 each with a minimum order of $15. He also sells Enroll data (all the personal information in a Fullz, plus login information for an online bank account) for $15 to $20 if the Enroll also included an ATM PIN.

John Doe 6, AKA Fozzy, is a vendor of dumps in the Carder.su organization with prices from $12 to $100 depending on quantity and geographic location.

John Doe 7, AKA Vitrum, AKA Lermentov, is a vendor of dumps in the Carder.su organization, priced between $15 and $100 depending on quantity and geographic location.

[REDACTED Defendant #35], AKA Panther, AKA Euphoric, AKA Darkmth, is a vendor of dumps in the Carder.su organization with prices beginning at $20 for United States dumps.

John Doe 8, AKA TM, is a vendor of dumps and CVVs in the Carder.su, which he sells through his own website advertised on Carder.su.

John Doe 9, AKA Zo0mer, AKA Deputat, is a vendor of stolen Paypal accounts, including names and passwords, as well as proxies (for hiding member’s true IP addresses while performing transactions) and Fullz. He also provided Credit Card testing services, and information services, including lookups of Social Security numbers, Dates of Birth, and Mother’s Maiden Names. He sold dumps for between $15 and $150 depending on quantity and geographic location.

John Doe 10, AKA Centurion, is a vendor of dumps in the Carder.su organization which he sold for between $15 and $80 depending on quantity and geographic location.

John Doe 11, AKA Consigliori, is a vendor of dumps in the Carder.su organization and sells blank plastic cards for $15 or embossed credit cards for $20 each.

Members charged with production and trafficking



Michael Lofton, AKA Killit, AKA Lofeazy.
Shiyang Gou, AKA Cder.
David Ray Camez, AKA BadMan, AKA DoctorSex.
Cameron Harrison, AKA Kilobit.
[REDACTED Defendant #25], AKA Qiller.
Duvaughn Butler, AKA Mackmann.
Fredrick Thomas, AKA 1Stunna.
John Doe 1, AKA Senna071.
John Doe 2, AKA Morfiy.

More on the Charges


In the Full Indictment individual charges are shown with many examples.

For example, one charge lists all of those charged with trafficking in false identities, and gives one example of a purchase date from each vendor, with dates ranging from January 23, 2009 to April 7, 2011, and showing what state the driver's license was for, including many in Nevada, some in New York, and others in Texas, Georgia, and Virginia.

To show the Conspiracy charges, each charge provides evidence of at least two of the defendants communicating and agreeing to be involved in criminal activity.

For the "Possession of Document-making Implements" charge, an example is that Montecalvo was found to have laminates used in the production of counterfeit Illinois driver's licenses; and Photoshop templates for creating counterfeit Maryland and Florida driver's licenses.

Several of the members, including REDACTED #8, 12, and 16, and Lofton, Harrison, Thomas, Maxxtro, and Elit3 are shown committing fraud by making charges using cards on certain dates belonging to certain named people. Dates range from MAXXTRO in November of 2006 to REDACTED #16 on September 16, 2010.

The "Possession of more than 15" cards charges are spelled out by showing how many provably counterfeit cards each charged user was shown to have on a particular date (presumably when a search was performed or an email was sent or received containing that information). Some were as low as 17 for Fozzy on February 15, 2007, and as high as "More than 490" for REDACTED #7. Dates of evidence range from February 13, 2007 to June 14, 2011. That's right, bad guys! Even if you "got out of the game" five years ago, you can still be charged for your activities at that time.

Again, for more details, interested readers are referred to the full 50 page PDF of the indictment.

MicrosoftDCU, FS-ISAC, and NACHA vs. Zeus

On March 24, 2012, Microsoft unveiled a joint lawsuit with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA). Based on a Temporary Restraining Order filed as part of the lawsuit, Microsoft and their agent, Stroz Friedberg, accompanied by U.S. Marshals, served their TRO at the BurstNET facility in Scranton, Pennsylvania, and at Continuum Data Centers in Chicago, Illinois. Servers named in the TRO were allowed to be monitored to capture four hours of network traffic before being taken into possession, where they will be held in escrow by Stroz Friedberg.

In addition, more than 1700 domain names were redirected to the Microsoft IP address 199.2.137.141. While at first, I thought it would be a useful service to our readership to list the 1700+ domain names, I believe (and will hopefully have confirmation from Microsoft shortly) that it would be sufficient for network administrators to look for traffic destined to this new "rerouted" address. If you have a computer on your network sending traffic to 199.2.137.141, my current understanding is that this computer is likely attempting to send traffic to one of the domains that are subject to this TRO, and that this is an indication that computer may be infected with Zeus, ICE-IX, or SpyEye. Appropriate security measures will vary based on the role and use of that computer within your organization, but password changes of any accounts accessed from that computer, and malware removal would be minimum steps.

The lawsuit names "John Does 1-39", who are described by their online monikers or "handles", many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS

All of the supporting legal documents can be found on the Microsoft-registered server:

zeuslegalnotice.com

The Temporary Restraining Order seizes 1,703 domain names! Each domain name is listed with the role that it played in the overall scheme to infect computers and steal data from their users. For example:

filmv.net - dropzone
finance-customer.com - source
firelinesecrets.com - embedded_js
fllmphpxpwqeyhj.net - dropzone, source, infector
flsunstate333.com - updater

A "source" would be a domain that was advertised in an email. An "embedded_js" would be a site to which the source redirected to load hostile JavaScript. A "dropzone" would receive credentials from an infected computer. An "updater" would push additional or new commands, configurations, or malicious code to the already compromised computers.
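Putting the two practical points of this section together (watch for traffic to the rerouted address 199.2.137.141, and use the role list to understand what a matching domain was for), here is an added example written for this post rather than anything from Microsoft or the lawsuit: it parses the "domain - role" list in the format shown above, counts flows to the sinkhole address per internal host, ties those hosts to the domains they resolved (via DNS answer logs) and reports the listed roles so an administrator can prioritise. The five-line role excerpt is the one quoted above; the flow and DNS log layouts, the internal 10.0.0.x hosts, and the unrelated 203.0.113.5 destination are constructed.

```python
"""Added example: triage hosts that contact the Zeus TRO sinkhole (not Microsoft's code)."""
from collections import defaultdict

SINKHOLE_IP = "199.2.137.141"   # the rerouted address named in the post

# Excerpt of the TRO domain list, in the "domain - role[, role]" format shown above.
TRO_DOMAIN_LIST = """\
filmv.net - dropzone
finance-customer.com - source
firelinesecrets.com - embedded_js
fllmphpxpwqeyhj.net - dropzone, source, infector
flsunstate333.com - updater
"""

# Constructed flow log: "timestamp src dst dport".
SAMPLE_FLOWS = """\
2012-03-26T08:00:01 10.0.0.17 199.2.137.141 80
2012-03-26T08:00:05 10.0.0.22 203.0.113.5 443
2012-03-26T08:01:10 10.0.0.17 199.2.137.141 80
2012-03-26T08:02:00 10.0.0.40 199.2.137.141 443
"""

# Constructed DNS answer log: "timestamp client qname answer".
SAMPLE_DNS = """\
2012-03-26T07:59:58 10.0.0.17 filmv.net 199.2.137.141
2012-03-26T08:00:04 10.0.0.22 www.example.com 203.0.113.5
2012-03-26T08:01:58 10.0.0.40 flsunstate333.com 199.2.137.141
"""


def parse_role_list(text: str) -> dict:
    """Map each listed domain to the tuple of roles it played."""
    roles = {}
    for line in text.splitlines():
        if " - " not in line:
            continue
        domain, role_field = line.split(" - ", 1)
        roles[domain.strip().lower()] = tuple(r.strip() for r in role_field.split(","))
    return roles


def hosts_talking_to_sinkhole(flow_text: str) -> dict:
    """Count flows from each internal host to the sinkhole address."""
    counts = defaultdict(int)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, src, dst, _dport = fields
        if dst == SINKHOLE_IP:
            counts[src] += 1
    return dict(counts)


def sinkhole_resolutions(dns_text: str) -> dict:
    """Map each client to the names it resolved that answered with the sinkhole address."""
    lookups = defaultdict(list)
    for line in dns_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, answer = fields
        if answer == SINKHOLE_IP:
            lookups[client].append(qname.lower())
    return dict(lookups)


def triage(flow_text: str, dns_text: str, roles: dict) -> dict:
    """Per affected host: flow count, resolved TRO domains, and the roles those domains held.

    A domain that resolves to the sinkhole but is missing from our excerpt of the
    1,703-entry list is reported with the role 'unlisted' rather than dropped.
    """
    flows = hosts_talking_to_sinkhole(flow_text)
    lookups = sinkhole_resolutions(dns_text)
    report = {}
    for host in sorted(set(flows) | set(lookups)):
        domains = lookups.get(host, [])
        seen_roles = sorted({r for d in domains for r in roles.get(d, ("unlisted",))})
        report[host] = {"flows": flows.get(host, 0), "domains": domains, "roles": seen_roles}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_FLOWS, SAMPLE_DNS, parse_role_list(TRO_DOMAIN_LIST)).items():
        print(host, info)
```

Whatever the role, the post's minimum response applies to every host in the report (malware removal and a password change for accounts used from it); the roles are there to help decide what else to look at, for instance a "dropzone" contact means credentials may already have left the network.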

Microsoft


In a 179 page Declaration, Mark Debenham, a Senior Manager of Investigations in the Microsoft Digital Crimes Unit, lays out the overall structure of the Zeus gang and the way in which Zeus infects users and steals money. He describes the three-fold purpose of Zeus as to infect end-user computers in order to:

(1) steal credentials for online accounts, such as account login information for Microsoft or other websites, or financial and banking credentials, from the owners or users of those computers.

(2) access the victims' online accounts with the stolen credentials, and

(3) transfer information or funds from the victims' accounts to accounts or computer controlled by the Defendants.

Debenham goes on to say that three inter-related malware families are the subject of this lawsuit -- Zeus, Ice-IX, and SpyEye, and that all were created and sold by the individuals using the handles:

Slavik, Monstr, Harderman, Gribodemon, and nvidiag

John Doe 1 is identified as the Zeus botnet code creator, who uses the handles Slavik, Monstr, IOO, and Nu11. bashorg@talking.cc

John Doe 2 is identified as the creator of Ice-IX, who uses the handles nvidiag, zebra7753, lexa_mef, gss, and iceIX. iceix@secure-jabber.biz. ICQ 610875708.

John Doe 3 is identified as the creator of SpyEye, who uses the handles Harderman and Gribodemon. shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, gribo-demon@jabber.ru.

John Doe 4 is identified as an operator within the "JabberZeus Crew" who recruits money mules and uses them to cash out stolen credentials. He uses the handles Aqua, aquaSecond, it, percent, cp01, hct, xman, and Pepsi. aqua@incomeet.com, ICQ 637760688.

etc.

NACHA



In a separate 163 page declaration, Pamela Moore, the Senior Vice President and Chief Financial Officer of NACHA, documents the particular harm caused to NACHA, showing that in some cases the volume of documented spam messages imitating NACHA rose as high as 167 million emails in a single 24 hour period.

Readers of this blog will be well-familiar with the NACHA scams that lead to Zeus, as we have been documenting them as far back as November 12, 2009 when we wrote the article Newest Zeus = NACHA: The Electronic Payments Association.

According to Moore's affidavit, in the month of November 2011 alone, NACHA was responsible for terminating 555 websites that were distributing malicious content linked from an email message imitating NACHA. As a small business with fewer than 100 employees, NACHA has been hit with $624,000 in costs responding to the emails that falsely claimed to be from her organization.

Moore's declaration contains her 15 page statement followed by page after page of documented evidence supporting that false and misleading emails were sent out related to these Zeus actors.

American Banking Association


William Johnson of the American Banking Association also entered a statement of support. Johnson serves as the Vice President and Senior Advisor for Risk Management Policy for the ABA. He also chairs the ABA's Information Security Working Group and their Bank Security Committee. In addition, Johnson is on the board of the FS-ISAC and on the Steering Committee for NACHA's Internet Council. The ABA is of huge importance to the banking world: 92% of the $13 Trillion in U.S. banking assets are held by ABA members.

Statistics shared by Johnson include:
- 2010 was the first time where electronic debit card fraud exceeded traditional check card fraud
- 96% of all banks incurred losses from debit card fraud in 2010. Community Banks experiencing such fraud grew from 61% in 2006 to 96% in 2010.
- In 2009, 36% of banking customers said "online banking" was their primary means of interacting with their bank. In 2010 it was 62%.
- In 2011 4.9% of the U.S. adult population was a victim of identity theft.
- In 2009, the average victim of identity theft spent 68 hours and $741 in costs repairing the damage caused by identity theft.


Kyrus Technologies



Jesse Kornblum (yes, THAT Jesse Kornblum!) of Kyrus Technologies also prepared an affidavit of support for the lawsuit. Jesse was a Computer Crime Investigator for the Air Force Office of Special Investigations, ultimately becoming the Chief of the Computer Crime Investigations Division of the Air Force Office of Special Investigations.

In his role at Kyrus Technologies he and his team reverse engineered many of the Zeus malware binaries, comparing known source code and various binaries, and showing conclusive evidence of shared code between SpyEye, ICE-IX, and Zeus (which they refer to as PCRE). For the malware reverse engineering geeks, be sure to read the Kornblum Declaration (55 page PDF).

Orrick, Herrington, Sutcliffe


Kornblum's declaration was for the malware geeks. For the lawyers in the readership, Jacob Heath of the law firm Orrick, Herrington & Sutcliffe LLP also makes a declaration in support of the call for the Temporary Restraining Order. Orrick is the counsel of record for Microsoft in this matter.

Orrick has arranged the website on which these proceedings are located, as well as the publication of proceedings throughout "Russia, Ukraine, and Romania, where Defendants are generally believed to reside."

Heath's declaration (part one) carefully walks through the finer points of ICANN's policies and procedures, showing the clauses that give them the rights to suspend, cancel, or seize the domain names in question, as well as the terms of service at BURSTNET (AKA Network Operations Center, Inc.) that require clients to register domains using truthful information: "Failure to comply fully with this provision may result in immediate suspension or termination of your right to use BurstNET(R) Services". He also shows the BurstNET policies stating that BurstNET services "may be used only for lawful purposes" and specifically banning malware, botnet, spam, or phishing uses of these services.

How thoughtful of Microsoft to help BurstNET enforce these policies!







For many more details, and a video about this weekend's raid at BurstNet in Scranton, Pennsylvania, please see the Official Microsoft Blog.

DNS Changer: Countdown clock reset, but still ticking


Operation Ghost Click


Last November, the main FBI.gov website headline was "DNS Malware: Is Your Computer Infected?". The story detailed the arrest of six Estonian criminals who had infected more than 4 million computers with malware that changed Domain Name Server settings on the impacted computers. The impact of this change was that when a user typed an address in their web browser, or even followed a link on the web page, instead of asking their Internet Service Provider's DNS server where they should go to reach the computer that had that name, they would ask a DNS server run by the criminals.

Most of the time, the traffic still went to the correct address. But at any time of the criminals' choosing, they could replace any website with content created or provided by the criminals. This allowed them to do things like place an advertisement for an illegal pharmaceutical website selling Viagra on a website that should have been showing an advertisement paid for by a legitimate advertiser.

The case, called "Operation Ghost Click", was the result of many security professionals and researchers working together with law enforcement to build a coordinated view of the threat. The University of Alabama at Birmingham was among those thanked on the FBI website.

DNS Servers and ISC


This case had one HUGE technical problem. If the criminals' computers were seized and turned off, all four million computers that were relying on them to "find things" on the Internet by resolving domain names to numeric IP addresses would fail. They wouldn't just "default back" to some pre-infection DNS setting; they would simply stop being able to use the Internet at all until someone with some tech savvy fixed the DNS settings on those computers.

Because of this, the court order did something unprecedented. Paul Vixie, from the Internet Systems Consortium (ISC), a tiny non-profit in California that helps to keep name services working right for the entire world, was contracted to REPLACE the criminals' DNS servers with ISC DNS servers that would give the right answer to any DNS queries they received. Vixie wrote about his experience with this operation in the CircleID blog on Internet Infrastructure on March 27th.

The problem, as Vixie and other security researchers such as Brian Krebs have related, is that the court order was supposed to be a temporary measure, just until the Department of Justice managed to get everyone's DNS settings set back the way they were supposed to be. Back in November, the court decided March 9th would be a good day to turn off the ISC DNS servers.

But are you STILL infected?


Unfortunately, the vast majority of the 4 million compromised computers have not been fixed. On March 8th the court agreed to give them an extension until July 9th. (Krebs has a copy of the court order here)

But how do you know if YOU are still infected?

[Image: the DNS-OK.US check page]



When I visit the website "DNS-OK.US" I get a green background on the image (shown above) which tells me that my computer is not using a DNS server address that formerly belonged to an Estonian cybercriminal. (The website is available in several other languages as well.)


The check behind this is simple: the website tests whether your DNS queries are being answered by a server whose IP address falls in one of the following ranges:

77.67.83.1 - 77.67.83.254
85.255.112.1 - 85.255.127.254
67.210.0.1 - 67.210.15.254
93.188.160.1 - 93.188.167.254
213.109.64.1 - 213.109.79.254
64.28.176.1 - 64.28.191.254


If you ARE, then you need to assign a NEW DNS SERVER ADDRESS.
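As an added example (not part of the original post, and not the DNS Changer Working Group's own tooling), here is a small Python check that applies the same range test to whatever resolver addresses appear in a resolv.conf or "ipconfig /all" dump; the function names and the sample configuration text are my own constructions.

```python
import ipaddress
import re

# The six address ranges the DNS-OK.US check looks for, exactly as listed above.
ROGUE_DNS_RANGES = [
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
    ("64.28.176.1", "64.28.191.254"),
]

# Pre-compute integer bounds so each lookup is a pair of comparisons.
_BOUNDS = [
    (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    for lo, hi in ROGUE_DNS_RANGES
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue_dns(ip):
    """True if `ip` is an IPv4 address inside one of the rogue resolver ranges."""
    try:
        value = int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return False  # malformed or non-IPv4 input cannot match
    return any(lo <= value <= hi for lo, hi in _BOUNDS)


def rogue_resolvers(config_text):
    """Pull every IPv4 address out of a resolver dump (resolv.conf, `ipconfig /all`,
    or similar) and return the ones in the rogue ranges, in order of first
    appearance and without duplicates."""
    hits = []
    for addr in _IPV4.findall(config_text):
        if is_rogue_dns(addr) and addr not in hits:
            hits.append(addr)
    return hits


# Constructed sample dumps (hypothetical hosts, not real captures).
SAMPLE_RESOLV_CONF = """\
# generated by a hypothetical DHCP client
nameserver 85.255.112.131
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 93.188.160.9
                                       213.109.64.7
"""

if __name__ == "__main__":
    for label, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        hits = rogue_resolvers(text)
        status = "rogue resolver(s): " + ", ".join(hits) if hits else "clean"
        print(f"{label}: {status}")
```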

The DNS Changer Working Group has a CHECKUP page and a DNS CLEANUP page to explain this process to technical people. Any "computer savvy" person should be able to follow their guidelines to get the job done.

Good luck!

Gary Warner
Center for Information Assurance and Joint Forensics Research at the University of Alabama at Birmingham.
Learn more about our Masters Degree in Computer Forensics and Security Management.

USPS Click-N-Ship abused in malware spam

This campaign begins with an email that looks like this:



The email indicates that you have been charged a random amount of money to have a shipping label created. In this case, we were charged $47.44. Because we haven't really ordered a shipping label, we might be upset to be charged, and click the "USPS Click-N-Ship" link that APPEARS to take you to "www.usps.com/clicknship".

In reality, more than eight hundred destination webpages on more than one hundred sixty (160) websites were advertised in the emails using this template that we saw in the UAB Spam Data Mine, and none of them go to the United States Postal Service.

A single destination site would have many subdirectories, all created by the hacker, each containing the landing page. For example, this Czech website:

 count | machine                  | path
-------+--------------------------+----------------------
     1 | lenkajonasova.chytrak.cz | /1xmg2qrr/index.html
    11 | lenkajonasova.chytrak.cz | /9hEetc63/index.html
     5 | lenkajonasova.chytrak.cz | /CgeknEwU/index.html
    14 | lenkajonasova.chytrak.cz | /FP817PwV/index.html
     9 | lenkajonasova.chytrak.cz | /hQLv8GxT/index.html
     1 | lenkajonasova.chytrak.cz | /LRt1KuAY/index.html
    13 | lenkajonasova.chytrak.cz | /qedwZQiv/index.html
     1 | lenkajonasova.chytrak.cz | /rSqvJdhP/index.html

The spam messages use a variety of subjects. The ones we saw yesterday were:

 count | subject                                    | sender_domain
-------+--------------------------------------------+---------------
   479 | USPS postage labels order confirmation.    | usps.com
   433 | Your USPS postage charge.                  | usps.com
   428 | USPS postage labels receipt.               | usps.com
   403 | Your USPS postage labels charge.           | usps.com
   384 | Your USPS shipment postage labels receipt. | usps.com
   346 | USPS postage labels invoice.               | usps.com
   322 | Your USPS delivery.                        | usps.com
   319 | USPS postage invoice.                      | usps.com
(8 rows)


This was a very light campaign, compared to many that we have seen recently. We received more than half of these emails in a single 15-minute span ending at 7:15 AM our time, which would be 8:15 AM on the US East Coast. Our theory is that a new spam campaign carrying a never-before-seen malware sample is sent at the beginning of the East Coast day as a way to get maximum infections in places like New York City and Washington DC.


The most common websites, all with their own "random-looking" subdirectories, were:

 count | machine
-------+----------------------------------
   598 | h7xb37qx.utawebhost.at
   208 | jadore-events.ro
   150 | kissmyname.fr
   143 | renkliproje.com
   139 | kegelmale.com
   138 | layarstudio.com
   127 | firemediastd.com
   126 | hillside.99k.org
   126 | ks306518.kimsufi.com
   118 | k-linkinternational.com
   113 | graphicdesignamerica.com
   112 | hascrafts.com
   112 | iaatiaus.org
   102 | immodefisc.net


A Sample Run


Each day in the UAB Computer Forensics Research Laboratory, students in the MS/CFSM program produce a report shared with the government called the "Emerging Threats By Email" report. They take a prevalent "new threat" in the email from that day and document its actions, in part by infecting themselves with the malware! Here's a sample run-through I did this morning using the techniques followed in our daily report.

We begin by visiting a website advertised in the spam. In this case, I chose:

allahverdi.eu (109.235.251.244) /BSg1hNCZ/index.html (400 bytes)

These "email-advertised links" each call javascript files from a variety of other sites. In this example run, visiting the site caused us to load Javascript from the URL below.

uglyd.com/xTnfi7mG (210.193.7.161) / xTnfi7mG/js.js (81 bytes)

This JavaScript file sets the "document location" for the current browser window to "http://178.32.160.255:8080" with a path of showthreat.php?t=73a07bcb51f4be71. This is a Black Hole Exploit Kit server, which carries the rest of the infection forward.

This is the location my run gave this morning... yesterday morning's run used a different Black Hole Exploit Kit location:



178.32.160.255:8080/showthread.php?t=blahblahblah (20,110 bytes)

178.32.160.255:8080/data/Pol.jar (14,740 bytes)

178.32.160.255:8080/q.php?f=4203d&e=0 (dropped calc.exe 151,593 bytes)
MD5 = 44226029540cd2ad401c4051f8dac610
VirusTotal (16/42)

The next two files are dropped because of the Java execution of "Pol.jar".

At the time of the UAB Emerging Threats by Email report on Friday morning March 29th, the VirusTotal detections for this malware were "2 of 42". More than 20 hours later the detection is still only "19 of 42".

santacasaitajuba.com.br (200.26.137.121) /WBoTANuY/hBhT7.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)

elespacio.telmexla.net.co (200.98.197.103) /sNxQTzEK/bHk6KE.exe (323,624 bytes)
MD5 = 276dbbb4ae33e9e202249b462eaeb01e
VirusTotal (19/42)



The "Zeus file" (the 323,624 byte one) copies itself into a newly created, randomly named directory within the current user's "Application Data" directory. In the current run, it disguised itself with a "Notepad" icon, claiming to be "Notepad / Microsoft Corporation" in its properties. The file was named peix.exe (but that's random also). The file then does an "in place update", so its MD5 changed without the filename changing. The new MD5 as of this morning was:

98202808dea55042a3a1aa2d28ab640a

which gives a current VirusTotal detection of 14/42:

AntiVir = TR/Crypt.XPACK.Gen
Avast = Win32:Spyware-gen [Spy]
AVG = Zbot.CO
BitDefender = Gen:Variant.Kazy.64187
DrWeb = Trojan.PWS.Panda.1947
F-Secure = Gen:Variant.Kazy.64187
GData = Gen:Variant.Kazy.64174
Kaspersky = Trojan-Dropper.Win32.Injector.dxrh
McAfee = PWS-FADB!98202808DEA5
Microsoft = PWS:WIn32/Zbot.gen!AF
NOD32 = Win32/Spy.Zbot.AAN
Norman = W32/Kryptik.BKR
Rising = Trojan.Win32.Generic.12BDDB90
VIPRE = Trojan.Win32.Generic.pak!cobra

Most of those definitions just mean "Hey! This is Bad! Don't Run It!"

Antivirus companies don't use the same names for most of this stuff as cybercrime investigators. So, for instance, in the Microsoft lawsuit last week, they described criminals involved with three malware families: Zeus, SpyEye, and IceIX. All of these would show a "Zbot" or "Kazy" detection in the group above. PWS means "Password Stealer." "pak", "XPACK", and "Kryptik" just mean that the malware is packed or compressed in a way that implies it is probably malicious.

The bottom line is that this very successful malware distribution campaign has tricked people into installing something from the broader Zeus family (whether Zeus, SpyEye, or IceIX doesn't really matter to the consumer). Once compromised, that computer is going to begin sharing personal financial information with criminals, and allowing remote control access to the computer from anywhere in the world to allow further malicious activity to occur.

This is the kind of malware that was featured on NBC's Rock Center with Brian Williams recently, and that was at the heart of the civil action taken by Microsoft, FS-ISAC, and NACHA that led to the seizure of many domain names and some servers controlled by Zeus criminals.



Click to learn more about UAB's Center for Information Assurance and Joint Forensics Research or to learn about UAB's Masters Degree in Computer Forensics & Security Management.





UK Zeus user G-Zero Sentenced

According to today's Daily Mail, court details have now emerged regarding Edward Pearson, a 23-year-old hacker from York, England, known online as "G-Zero", and his activities involving the Zeus and SpyEye trojans.

Pearson was ultimately arrested after his girlfriend, Cassandra Mennim, tried to pay for hotel rooms at the Cedar Court Grand Hotel and the Lady Anne Middleton Hotel, both in York, using stolen credit cards. (Pictures of the hotels were in the Daily Mail's original story on this case on February 20: Computer whizz faces jail for writing programme to steal personal details of 8 MILLION people, including 400 PayPal accounts.)

G-Zero Gets Doxed (June 2011)


Although these details were not shared in court, the hacker world has known who Pearson was for some time. On June 3, 2011, on the hacker forum "OpenSC.ws" - a site where Trojan authors and botnet herders meet and greet and buy and sell from one another - a user named "cr333k" posted these details. His post read:

"I dedicate this post to ED aka G-Zero because he is the reason I obtained this material" (referring to the leaked version of SpyEye v.1.2.8.0 and v.1.2.99.39).

"So in his honor, I will chase him off the internet."

Cr333k then proceeds to document G-Zero's use of Spyeye, claiming that G-Zero was in charge of the Spyeye servers at 89.149.202.104 [Leaseweb in Germany] and 91.211.11.192 [a serverbox.de account hosted in the UK], and claiming that his main IP address was 178.86.2.40 [a Ukrainian IP], but that he also used the IPs 94.12.53.50 [a SkyNet broadband account in the UK] and 77.103.230.142 [a VirginMedia/Telewest residential cable modem in the UK].

He provides userids and passwords to several of his sites, including the details of his "webnames.ru" account in the name of "GZero" and his hosting.ua account in the name of "rogue2" (with the same password.)

He claimed at that time that his name was Edward Pearson, and that he was in control of the email accounts gzero@9.cn, eddypearson@gmail.com, solipsis@w.cn, cellar@9.cn.

He gave his address as: Edward Pearson, 11 Regatta Court, Oyster Row, Cambridge, Cambridgeshire, cb58ns, UK, and shared his userid and password for his Liberty Reserve online money account.

Cr333k claims to have stolen $5500 from Pearson's account; no idea if that is true.

(Eddy also had his superstrong password hash dumped by the guys at Zero For Owned. When they dumped Eddy's details out of the RootCult website after SQL-injection of their database, Eddy's GroundZero password was shown to have an MD5 hash of c8837b23ff8aaa8a2dde915473ce0991. Bad news. That would mean his password was "123321". Not a good password choice for a bad ass hacker. Of course that dump was from 2006, so Eddy would have been ... 17??)

Loose Lips


Probably not a good idea to tie your bad-ass hacker name to your real name in such things as your SoundCloud account (Userid: GZero; Name: Edward Pearson, Cambridge, Britain (UK); soundcloud.com/eddypearson).

He did the same thing back in 2009 when he was trying to share his online video ripping system on the forum DigitalSpy. His ripper service was distributed from "ripple.net" which he registered with his true personal details, but advertised in the DigitalSpy forum with his hacker handle "GZero".

Domain name: RIZZLE.NET

Administrative Contact:
Pearson, Edward eddypearson@gmail.com
93 Brampton Road
Cambridge, Cambridgeshire CB1 3HJ
GB
+44.7912558447

GZero's post on July 13, 2010 to "HackForums.net" was also pretty interesting:

Alright guys,
Basically I've not been part of the "scene" for many years, long before botnets, around the "how do i hack hotmail?" era. I got very bored of the bunch of rude little pricks that seemed to engulf the place.

Who remembers Zebulun hey? :p

Anyway, I'm a freelance programmer (C,C++,PHP,Python+many more) and pentester, the legit kind!

I was playing with one of the public copies of the Zeus botnet, and I have simply fallen in love!

Basically, I have all the skills to really do some cool stuff here, coding is my day job, and have until now been working with a private group to make a bit of cash on the side, just not with bots.

Basically, I can do Programming, Custom Hacking, Bulletproof hosting, Setups of anything, FUDding things, Some very sneaky stuff to do with botnet takeovers, CC stuff, Been stealing the latest drive by sploits (NOT the packs), reversing em and then hopefully I'll make a real nice exploit pack if I have the time.

Basically I only just got onto botnets, and I LOVE WHAT I SEE. That said, I have been working with malware, hacking, financial stuff and the darker side of things for many years, just with a group I trust, not involved in the "scene"

Long story short, I want to talk to people, learn more about the way things are done, and ideally work with somebody, or do some work for them in exchange for a decent copy of Zeus.

Basically, I'm trying to get on this and I have everything else pretty much setup, but I'm just not happy with using a public Zeus. REALLY want to get everything JUUUST right before really get stuck in ;)

MSN me guys, even if you don't have what I want, an interesting discussion is always nice and I'm always nice and helpful. I do have some vaguely private softs to share, but really this is my problem, for this to be GOOD, I need a good bot, and I LOVE Zeus...

MSN:
gzero@9.cn
solipsis@w.cn




8 Million Identities?


According to the police, on one of Pearson's computers they recovered 8,110,474 names with birthdates and postcodes for adults living in the United Kingdom. He also had details of 2,701 credit or debit cards stolen between January 1, 2010 and August 30, 2011.

At one point Pearson used a program he had written in Python to test potential PayPal accounts, and successfully confirmed more than 200,000 PayPal account details.

David Hughes, the prosecutor in the case, says that Pearson also hacked into systems belonging to Nokia and AOL, which caused Nokia to disable certain of its systems for two weeks while it reviewed the intrusion.

(The Nokia intrusion is believed to be the August 2011 SQL Injection of the "developers.nokia.com" website)

Intellectual Challenge?


Although the Crown paints Pearson as a criminal mastermind, his defense attorney, Andrew Bodnar, claims that he was not interested in large-scale theft, but considered this merely an intellectual challenge. To support his point, he claims that the total documented theft, despite possession of thousands of cards, was only £2,351 or about $3700 US Dollars, mostly in the form of fast-food orders, pizza, and paying his cell phone bills.

This is quite a difference from the original charge, that Pearson "plotted a £350,000 fraud" ($560,000 USD).

Mennim's lawyer called her a "vulnerable young woman who found comfort in Pearson following a difficult previous relationship." He describes her as a straight A student who is ashamed of her actions and will pay back the money she owes the hotel.

Pearson was sentenced to two years and two months, and Mennim to 12 months of supervised release. Although Pearson did not SELL the details he had gathered, it was demonstrated that he shared them with other hackers online, and the judge took this into consideration in the sentencing, as she said "Your computers and software were a devastating tool kit. I accept you didn't sell this information, but you shared it with other computer programmers, and you had no way of knowing how THEY might use this information."

The ultimate charges, to which the pair pleaded guilty:

Pearson - "Making an article for use in fraud and two counts of possession of an article for use in fraud."

Mennim - "Two counts of obtaining services dishonestly."

According to the original charges, the couple were also dealing the drug MDVP, also called "super cocaine". Apparently those charges were dropped. They do seem consistent with his lifestyle - for instance, see this post on Cannabis.com from October 2007, where Eddy announces he has just moved to Cambridge and is looking for "connections" via his MSN chat account, eddypearson@gmail.com. This is consistent with some of his HackForums.net posts, where he describes himself as "High and Pissed Off".

SOCA & FBI seize 36 Criminal Credit Card Stores

Today the Serious & Organised Crime Agency (SOCA) in the UK announced the completion of a joint operation targeting 36 criminal websites dealing with stolen credit card and online bank account information. The April 26th Press Release indicates that the operation targeted a particular type of e-commerce platform known as an Automated Vending Cart, or AVC. Here's an advertisement from one of the sites, CVVPlaza.com:

The seized domains are now redirected to a website controlled by the FBI which reads:

The United States Government has seized this domain name pursuant to a seizure warrant issued by the United States District Court for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981(a)(1)(A) & (b)(2). A United States Magistrate Judge issued that seizure warrant after finding that a sworn affidavit established probable cause that this domain name was personal property involved in a transaction or attempted transaction in violation of section 18 U.S.C. § 1956(a)(2)(A) & (h)
If you registered this domain name, or otherwise claim an ownership interest in this domain name, you should consult an attorney about your rights.



SOCA has requested that we not provide a full list of the domain names at this time, but two which they have revealed in their own products are "cvvplaza.com" and "ccstore.biz". The others will be added once permission is received.

Some of the screenshots provided by SOCA include:

a site offering an inventory of more than 37,000 confirmed credit cards:

and a fairly nice "search screen":

SOCA has recovered more than 2.5 million card numbers or credentials that they say would have granted the criminals access to more than £500 million (about $809 million US Dollars!). These were NOT the value of the cards currently available for sale in these card shops, but rather the value of the cards that have been recovered from criminals who purchased the cards from these card shops. The total inventory is expected to be much higher.

SOCA is leading the way in international cooperation. In this case they worked with the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police, the Romanian National Police and of course the FBI in the United States. These recoveries took place over the course of the past two years. The operator of at least one of these AVC stores was arrested in Macedonia by the Macedonian Ministry of the Interior's Cyber Crime Unit.

Some online card shops have very simplistic interfaces, such as this:

while others have extremely beautiful websites. Check out the login page for this site:

Our friend Dancho Danchev has written extensively about the online carding markets, for example in his article: Exposing Market for Stolen Credit Cards. Brian Krebs has also written extensively on the topic with articles such as How much is your identity worth?

Paypal "You Just Sent a Payment" spam leads to malware

A new malicious spam campaign has just launched this morning targeting Paypal users. This malware campaign attempts to "social engineer" users into clicking a link that they know they shouldn't click on! Here's the email:

The criminals believe (and from what we've seen, correctly) that when presented with the news that you just sent $100 to someone from your Paypal account, you will have a panic reaction and click on the link in the email. This is what they are counting on!

As you can see we got quite a few of these this morning:

The destination is NOT going to be Paypal. Don't click on the link, and tell your friends not to click on the link either! If they do, a bad set of malicious actions is set in motion.

This particular version of the campaign just started about 2.5 hours ago. Here are the number of messages we have seen so far:

 count |        mbox
-------+---------------------
    22 | 2012-05-01 04:00:00
    22 | 2012-05-01 04:15:00
   312 | 2012-05-01 04:30:00
    41 | 2012-05-01 04:45:00
    15 | 2012-05-01 05:00:00
    78 | 2012-05-01 05:15:00
   241 | 2012-05-01 05:30:00
     1 | 2012-05-01 05:45:00
   210 | 2012-05-01 06:00:00
    91 | 2012-05-01 06:15:00
(10 rows)

There are many hundreds of links that may have been advertised in your copy of this email, but don't click on ANY of them!
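As an added example (not the blog's own code, nor the UAB Spam Data Mine's), here is the triage I would run over a batch of these messages: it flags links that claim a PayPal or USPS sender but land on an unrelated host at the eight-character "random-looking" directory seen in both the USPS Click-N-Ship campaign and this PayPal campaign, then tallies them by destination host and by 15-minute "mbox" bucket the way the tables above do. The record layout, function names and sample messages are constructed for this illustration (the hosts are ones quoted in the posts; the paths, timestamps and link combinations are invented).

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Landing-page path shape seen in both campaigns: an eight-character
# random directory followed by index.html.
LURE_PATH = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")


def is_lure_link(claimed_sender_domain, url):
    """True when a message claiming to come from `claimed_sender_domain`
    links to a host outside that domain at a path matching LURE_PATH."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    domain = claimed_sender_domain.lower()
    on_brand = host == domain or host.endswith("." + domain)
    return (not on_brand) and bool(LURE_PATH.match(parts.path))


def mbox_bucket(received, minutes=15):
    """Floor a 'YYYY-MM-DD HH:MM:SS' receipt time to its 15-minute bucket,
    formatted like the data mine's mbox column."""
    ts = datetime.strptime(received, "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def triage(messages):
    """Return (lure links per destination host, lure messages per 15-minute bucket)."""
    by_host = Counter()
    by_bucket = Counter()
    for msg in messages:
        lures = [u for u in msg["links"] if is_lure_link(msg["sender_domain"], u)]
        if not lures:
            continue  # nothing suspicious in this message
        by_bucket[mbox_bucket(msg["received"])] += 1
        for url in lures:
            by_host[urlparse(url).hostname.lower()] += 1
    return by_host, by_bucket


# Constructed sample records (hypothetical, not real captures).
SAMPLE_MESSAGES = [
    {"received": "2012-05-01 04:31:07", "sender_domain": "paypal.com",
     "links": ["http://globalsecurityservices.com/aBcD1234/index.html",
               "https://www.paypal.com/help"]},
    {"received": "2012-05-01 04:37:52", "sender_domain": "paypal.com",
     "links": ["http://globalsecurityservices.com/Zz9YyXx8/index.html"]},
    {"received": "2012-05-01 05:02:10", "sender_domain": "usps.com",
     "links": ["http://lenkajonasova.chytrak.cz/1xmg2qrr/index.html"]},
    {"received": "2012-05-01 05:10:00", "sender_domain": "paypal.com",
     "links": ["https://www.paypal.com/activity"]},   # on-brand link, ignored
    {"received": "2012-05-01 05:14:33", "sender_domain": "usps.com",
     "links": ["http://www.usps.com/clicknship"]},    # on-brand link, ignored
]

if __name__ == "__main__":
    hosts, buckets = triage(SAMPLE_MESSAGES)
    print(" count | machine")
    for host, n in hosts.most_common():
        print(f"{n:6d} | {host}")
    print(" count | mbox")
    for bucket, n in sorted(buckets.items()):
        print(f"{n:6d} | {bucket}")
```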

In the example case that we checked, we followed a link to "globalsecurityservices.com" (yes, we like irony).

When the web page was visited, it immediately executed two remote javascript files (I've added spaces to "break" them):

script type="text/javascript" src="http:// laxana .org /1VxMC4Dy /js .js"
script type="text/javascript" src="http:// womaametw3 .com /CWTKosSw /js .js"
which redirected to an Exploit server that displayed this "Please Wait" sign while something more malicious was happening in the background.

The exploit kit dropped a Java "JAR" file that was launched in Java, taking advantage of a security hole, which then caused another executable file to download and install on the computer.

What was that executable? We're not sure yet, but your anti-virus product probably doesn't know either. At the time we submitted the malware to VirusTotal, only 5 of 43 anti-virus products labelled it as malicious. McAfee called it "Zbot" (PWS-Zbot.gen.ya, the anti-virus name for the Zeus Bot), while Avast and one other vendor called it "Karagany" (Win32:Karagany-FS [Trj]).

The malware's MD5 was 4f58895af2b8f89bd90092f08fcbd54f and it was 33280 bytes in size.

Here's a link to the original VirusTotal report.

Previous Threats

This campaign is very closely related to a "LinkedIn" spam campaign from yesterday. That campaign functioned in exactly the same manner, differing only in the spam lure.

All of the domains advertised in this campaign's links have been compromised by an attacker. Most likely the criminals have stolen the webmaster's FTP userid and password, allowing them to change the site's content without the webmaster's knowledge. If you control or know the owner of one of these websites, let them know they have been hacked. They need to remove the content, scan any computers they use to access their website for malware, and change their password AFTER they get the malware cleaned up.

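An added example, not part of the original post: a small Python script that parses a listing in the "machine | path" form shown here, flags the 8-character directory names that recur across unrelated hosts (the fingerprint of this campaign), and scans a local web root for directories matching that pattern so a webmaster can check their own site. The sample rows and the demo web root are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample in the post's own "machine | path" layout: a few rows taken
# from the listing above plus one benign row (example.org) for contrast.
SAMPLE_LISTING = """\
machine | path
-------------------------------+----------------------
cpaindia.net | /rHFbxKTn/index.html
dealaddict.ch | /bp9ksV54/index.html
dpsdurgapur.com | /rHFbxKTn/index.html
enfoquescreativos.com | /rHFbxKTn/index.html
enfoquescreativos.com | /bp9ksV54/index.html
ftp.neez.com.br | /xXr3khjG/index.html
example.org | /about/index.html
"""

# What the planted pages in the listing look like: a directory named with
# exactly eight letters/digits, holding index.html (or index.htm).
CAMPAIGN_DIR = re.compile(r"[A-Za-z0-9]{8}")
CAMPAIGN_PATH = re.compile(r"^/(?P<dir>[A-Za-z0-9]{8})/index\.html?$")


def parse_listing(text):
    """Turn the 'machine | path' table into (machine, path) tuples."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:          # rule line or blank line
            continue
        machine, path = (part.strip() for part in line.split("|", 1))
        if machine == "machine":     # header row
            continue
        rows.append((machine, path))
    return rows


def shared_directories(rows, min_hosts=2):
    """Group campaign-style paths by directory name and keep the names seen on at
    least `min_hosts` distinct hosts. A random-looking name recurring on unrelated
    sites is the tell that one actor pushed the same page to all of them."""
    hosts_by_dir = defaultdict(set)
    for machine, path in rows:
        match = CAMPAIGN_PATH.match(path)
        if match:
            hosts_by_dir[match.group("dir")].add(machine)
    return {d: hosts for d, hosts in hosts_by_dir.items() if len(hosts) >= min_hosts}


def scan_webroot(root):
    """Walk a local document root and return the (relative) directories that match
    the pattern: eight alphanumeric characters, containing nothing but an index
    page. Meant for a webmaster checking their own site after a warning like this."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not CAMPAIGN_DIR.fullmatch(name):
                continue
            full = os.path.join(dirpath, name)
            entries = os.listdir(full)
            if entries and all(e.lower() in ("index.html", "index.htm") for e in entries):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo_scan():
    """Build a constructed web root in a temp directory (one planted directory, one
    ordinary one, one 8-character directory with real content) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "rHFbxKTn": ["index.html"],               # planted page, as in the listing
        "images": ["logo.png"],                   # ordinary site content
        "products": ["index.html", "list.html"],  # 8 chars but not a lone index
    }
    for dirname, files in layout.items():
        os.makedirs(os.path.join(root, dirname))
        for f in files:
            open(os.path.join(root, dirname, f), "w").close()
    return scan_webroot(root)


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for dirname, hosts in sorted(shared_directories(rows).items()):
        print(f"{dirname}: seen on {len(hosts)} hosts -> {sorted(hosts)}")
    print("suspicious directories in demo webroot:", demo_scan())
```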

Waya Nwaki pleads guilty in globe-spanning phishing ring

We often hear complaints from our Banking friends about criminals in Nigeria. Today's story is another example of the truth that in 2012, there is no place left to hide. Back in April 2011, FBI New Jersey presented their case to the Grand Jury in the form of a sealed indictment accusing several criminals of phishing:

Karlis Karklins
Charles Umeh Chidi
Waya Nwaki (AKA Prince Abuja, AKA USAPrince12k)
Osarhieme Uyi Obaygbona (AKA bside)
Marvin Dion Hill (AKA Nyhiar Da Boss, AKA Nihiar Springs)
Alphonsus Osuala
Olaniyi Jones

The case was officially unsealed on January 20, 2012, as the suspects were rounded up, chiefly Olaniyi Jones Makinde, who was arrested that week in Lagos, Nigeria:


(click for original in AfricanSpotlight.com)

Romance: Nigeria Style

Although this is what would normally be thought of as a "Nigerian Scam Ring", many of the players were already in the United States and had been for some time. Olaniyi, pictured above, is better known to Americans by his romantic alter ego, Brenda Stuart (brendastuart@rocketmail.com, age 35, London, b. Feb 21, 1977).

"Brenda" would "fall in love" with various men that "she" met online, and then have various financial hardships which required the men to send money to her overseas accounts. Several "Money Mules" (called "Maga" in the Nigerian lingo) would assist with getting the money back to Jones via Western Union or Moneygram.

According to BekkyBlog, Olaniyi Victor Makinde, also known as Andrea Bradley and Olaniyi Jones, was originally arrested on September 6, 2011 by FBI agents working with Nigerian authorities on charges brought by the San Francisco division of the FBI related to two marriage scams in which he harvested $620,225.04 from two American victims, Marilou Sibbaluca and John Massoni. While waiting in the Olokuta medium prison, he was charged again in the current New Jersey case. According to the blogger, Olaniyi was a recent graduate of the University of Ado Ekiti.

Criminal History in US

Waya Nwaki and Alphonsus Osuala should have been fairly easy to find. Rather than being in Nigeria, they were already in prison in Georgia. They had been arrested in Belvedere, South Carolina, all the way back on April 20, 2005. They recruited a "white guy", Douglas Hudson, to go into a Bank of America branch and cash a check for $2,950 while they waited outside in their silver Lincoln Navigator. Later that day they did the same scam, using a copy of the same check, in Aiken, South Carolina. Aiken, who was carrying a counterfeit resident alien card in the name of Steven Ratzlaff, was arrested in the bank by Lieutenant Farmer of the Aiken Department of Public Safety, while his colleague Officer Wilson pulled over the suspicious Lincoln Navigator and searched it, finding $17,000 in cash under the driver's seat and a fake soda can containing six more copies of the same check. Nwaki was paying Hudson $500 for each check they successfully cashed, and they had done five successful scams in the previous two days. After being released, they were apparently back on the street for a while before being rearrested in Georgia.

Phishing

The more recent scams were pure phishing. The six US-based codefendants worked with Jones to steal money from the payroll processors ADP and Intuit as well as several banks. Karklins and Chidi would email phishing and spear-phishing attacks to the banks' customers to lure them to phishing sites: fake bank websites used to gather login credentials. As has been a growing trend, some of the credentials were used to do telephone transactions with the banks instead of going through their online systems, which often have more fraud protection in place. Once the money was available, the criminals sent wire transfers to bank accounts in the United States, Mexico, the United Kingdom, Latvia, France, Bulgaria, Russia, and Nigeria. $3.5 million in wire transfers were attempted and $1.3 million were successfully withdrawn.

This activity spanned a couple of years, beginning at least as early as November 2009, when Karklins was setting up Chase Bank phishing sites. In January 2010 they added an ADP scam and successfully harvested at least 27 sets of userids and passwords. These payroll accounts allowed them to establish imaginary employees in various companies who received payments along with the real employees each payday until they were discovered.

Karklins and Chidi would email Nwaki the credentials for high-value phished accounts that they came across so that Nwaki could gather the money. It seems they ignored low-value balances and focused only on taking the money from the high-value accounts. Notices would go to Nwaki such as "28k chase, male, login yourself for check copy." or "CHASE 13.8k = male, age 32" or "BOA Business 25k + mail access". In February 2010, a Regions Bank account operated by defendant Hill was used to wire money to Bulgaria and Latvia. Nwaki also provided login credentials for a "50k drop" that was sent to the Regions account. Of the more than $1.3 million stolen, more than $300,000 was sent to a J.M. Sovereign Account operated by Jones in Nigeria.

IRS Identity Theft leads to 25 year Sentence for Alabama Fraudsters

The news in Alabama today is that IDENTITY THEFT DOES NOT PAY. Veronica Dale of Montgomery, Alabama, was sentenced to 334 months in prison and Alchico Grant of Lowndes County, Alabama, was sentenced to 310 months in prison after the two participated in a scheme to file more than 500 fraudulent tax returns and steal $3,741,908 from the IRS! The two will also have to pay $2.8 million in restitution.

The sentences were announced on the main Department of Justice website under the title "Leaders of Multi-million Dollar Fraud Ring That Used Stolen Information of Medicaid Recipients Each Sentenced to Over 25 Years in Prison".

The charges brought against Veronica Dale include:

CR. NO: 2:10-CR-242-MEF (see Indictment)

18 USC § 286: Conspiracy to Defraud the Government
18 USC § 287: False, Fictitious or Fraudulent Claims
18 USC § 641: Theft of Government Public Money, Property or Records
18 USC § 1028A: Aggravated Identity Theft

CR. NO: 2:11-CR-69-MEF (see Indictment)

18 USC § 1343: Wire Fraud
18 USC § 1028A: Aggravated Identity Theft

In the first case, the defendants were:

Veronica Denise Dale
Alchico Dewayne Grant
Laquanta Grant
Isaac C. Dailey
Leroy Howard

In a superseding indictment filed for crimes that occurred after the first case was already underway, the defendants were:

Melinda Renae Clayton
Alchico Dewayne Grant
Veronica Denise Dale
Stephanie Adams
Valerie Byrd

Veronica owned and operated Dale's Tax Service, a tax preparation business located in Montgomery, Alabama. Looking back, it is likely that opening the Tax Service was just part of the plan to commit these crimes.

Veronica obtained Social Security numbers and names and used them to prepare and file false income tax returns and directed tax refunds to be deposited into accounts controlled by her and her co-defendants.

The bank accounts received at least $2.3 million in tax refunds.

1/21/2009 $4,990
2/14/2009 $5,124
3/6/2009 $7,352
3/15/2009 $10,688
3/15/2009 $10,031
3/15/2009 $10,332
3/24/2009 $10,636
etc. etc. (the indictment lists 26 filings, but this happened well over 500 times!)

Money was deposited into accounts opened in 2008, 2009, and 2010 at Regions Bank in Montgomery, Alabama, and Woodforest Bank in Montgomery, Alabama, as well as the Alabama State Employees Credit Union and MAX Credit Union. In 2011 additional accounts were opened at Bank of America, where several more tax refunds were received.

Veronica turned herself in to the US Marshals Service on December 17, 2010. Here is the amazing part. AFTER TURNING HERSELF IN, and being released on bail pending trial, SHE KEPT STEALING MONEY FROM THE IRS!!!

The second case (2:11-CR-69-MEF) explains that between approximately January 2011 and April 2011, Dale conspired with Melinda Clayton and others to file an ADDITIONAL 155 fraudulent tax returns, to gather another $494,424 in tax refunds. THIS WAS AFTER DALE HAD ALREADY TURNED HERSELF IN because of the charges in the other case! She "caused to be stored at Clayton's residence thousands of names and social security numbers unlawfully obtained from EDS."

She pleaded guilty October 14, 2011.

The guilty plea (see the Plea Agreement) includes the fact that "on counts 1, 9, 10, 27 and 28, a 6-level enhancement is warranted because the Defendant's direct participation in the offense involved 250 or more victims."

The guilty plea explains that "Between June 2007 and February 2008, the Defendant worked as a temporary employee at EDS in Montgomery, Alabama." She "was able to and did wrongfully and illegally acquire Medicaid records which included the names, social security numbers, and dates of births of thousands of individuals who received Medicaid benefits."

Between January 2009 and December 2010, she used these records stolen from EDS to file over 500 false tax returns.

308 of those tax returns deposited money into accounts at the Alabama State Employees Credit Union controlled by Betty Washington. The accounts received approximately $1,440,632.40 in false tax refunds.

Nichole Michelle Merzi of Operation Phish Phry gets 5 years

Back in 2009, this blog ran the story FBI's Biggest Domestic Phishing Bust, documenting Operation Phish Phry and explaining what was then known of the structure of an international phishing operation with more than 100 members. Yesterday Nichole Michelle Merzi, one of the ringleaders, was finally sentenced to five years:
Defendant is committed on Counts 1, 34, 35, 38, 39, 48, and 51 of the Indictment to the Bureau of Prisons for 36 months. This term consists of 36 months on each of Counts 1, 34, 35, 38, 39, and 51; 36 months on Count 48, to be served concurrently; and 24 months on Count 46, to be served consecutively; for a total of 60 months. Defendant shall receive credit for any time served. Supervised release for three years.
The case began all the way back on September 30, 2009 with the filing of an indictment that charged:
  • Kenneth Joseph Lucas (1) count(s) 1-9,
  • Nichole Michelle Merzi (2) count(s) 1,
  • Jonathan Preston Clark (3) count(s) 1,
  • Jarrod Michael Akers (4) count(s) 1,
  • Kyle Wendell Akers (5) count(s) 1,
  • Wayne Edwards Arbaugh (6) count(s) 1-2,
  • Demorris Brooks (7) count(s) 1,
  • Antonio Late Colson (8) count(s) 1,
  • Kenneth Crews (9) count(s) 1,
  • Manu T Fifita (10) count(s) 1,
  • Jennifer Anabelle Lopez Gonzalez (11) count(s) 1, 7-9,
  • Tinika Sabrina Gunn (12) count(s) 1,
  • Jason Marcellus Jenkins (13) count(s) 1,
  • Sylvia Johnson (14) count(s) 1,
  • Remar Ahmir Lawton (15) count(s) 1,
  • Kyle Brandon Martin (16) count(s) 1,
  • Franklin Anthony Ragsdale (17) count(s) 1, 4-6,
  • Steven Aaron Saunders (18) count(s) 1,
  • Rynn Spencer (19) count(s) 1,
  • Raquel Raffi Varjabedian (20) count(s) 1,
  • Candace Marie Zie (21) count(s) 1,
  • Ashley A Ager (22) count(s) 1,
  • Latina Shaneka Black (23) count(s) 1,
  • Michael Dominick Gunn Dacosta, Jr (24) count(s) 1,
  • Virgil Phillip Daniels (25) count(s) 1,
  • Tramond S Davis (26) count(s) 1,
  • Shontovia D Debose (27) count(s) 1,
  • Joshua Vincent Fauncher (28) count(s) 1,
  • Krystal Fontenot (29) count(s) 1,
  • Anthony Donnel Fuller (30) count(s) 1, 5-6,
  • Michael Christopher Grier (31) count(s) 1,
  • Bryanna Harrington (32) count(s) 1,
  • Shawn K Jordan (33) count(s) 1-3,
  • Billy Littlejohn Kelly (34) count(s) 1,
  • Reggie B Logan, Jr (35) count(s) 1,
  • Ikinasio Lousiale, Jr (36) count(s) 1,
  • Raymond V Mancillas (37) count(s) 1,
  • David P Mullin (38) count(s) 1,
  • Vincent Nguyen (39) count(s) 1,
  • Ario Plogovii (40) count(s) 1,
  • Brandon R Ross (41) count(s) 1,
  • Alan Elvis St. Pierre (42) count(s) 1,
  • Courtney Monet Sears (43) count(s) 1,
  • Me Arlene Settle (44) count(s) 1,
  • Paula W Sims (45) count(s) 1,
  • Jamie Smith (46) count(s) 1,
  • Brandon Kyle Thomas (47) count(s) 1,
  • Christopher Uhamaka (48) count(s) 1,
  • James Michael Viorato (49) count(s) 1,
  • Jovon Darnell Weems (50) count(s) 1,
  • David D Westbrooks (51) count(s) 1,
  • Bridget Deque Wilkins (52) count(s) 1,
  • Marcus Deshaun Williams (53) count(s) 1.

In a conspiracy case, prosecutors have to show "Overt Acts" committed by each member of the conspiracy in support of it, which is how we end up with an 86-page Operation Phish Phry Indictment.

The indictment charges:

18 USC § 134: Wire and Bank Fraud Conspiracy
18 USC § 1344(1): Bank Fraud
18 USC § 1028A: Aggravated Identity Theft
18 USC § 371: Computer Fraud Conspiracy
18 USC § 1030(a)(4): Computer Fraud
18 USC § 1956(h): Money Laundering Conspiracy
§ 2: Aiding and Abetting and Causing an Act to Be Done

There are 335 Overt Acts charged in the Indictment, such as:

Overt Act No. 14: On July 31, 2008, defendant ZIE sent an SMS message to defendant LUCAS, in Los Angeles County, to transmit the account number and account holder name for the one checking account and one savings account that unindicted coconspirator K.M. opened that day at BOA, which transmission was for the purpose of causing defendant LUCAS, to make and to cause an unauthorized transfer of funds to those accounts and for the purpose of allowing unindicted coconspirator K.M. to withdraw the transferred funds.

Overt Act No. 16: On July 31, 2008, in Los Angeles County, defendant LUCAS caused a computer transfer of funds from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant LOGAN's checking and savings accounts.

(In Overt Acts 17 and 18 Logan then withdraws $900 of that money from checking and $400 from savings.)

Overt Act No. 70: On August 20, 2008, in Los Angeles County, defendant LUCAS caused computer transfers of $350 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's checking account and $1,200 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's savings account.

Overt Act No. 181: On December 11, 2008, in Los Angeles County, defendant JENKINS drove unindicted coconspirator A. J. to a Wells Fargo bank branch located in Los Angeles County to withdraw the $1,000 that defendant LUCAS caused to be deposited into unindicted coconspirator A.J.'s savings account.

Overt Act No. 186: On December 16, 2008, during a telephone conversation with defendant LUCAS, defendant MERZI advised defendant LUCAS that she had caused an unindicted coconspirator to conduct a transfer of funds from a victim bank account at Wells Fargo, which neither Wells Fargo nor the victim had authorized, and next would cause an unauthorized transfer of funds from a victim BOA account.

Overt Act No. 237: On June 14, 2007, in Los Angeles County, defendant K. AKERS transmitted $1,900 by Western Union to unindicted coconspirator E. A.


It goes on like that for some 60 pages. From January 2007 to September 2009, the ringleaders obtained victim credentials, the second tier transferred the funds into accounts opened and controlled by the third tier, who were then driven around and sent into banks to take out the money, which was passed up through management and wired via Western Union to Egypt, with everyone taking a piece of the pie.

For those who are interested in how such a case is argued in court, I've also posted the Operation Phish Phry Closing Arguments PowerPoint. Hundreds of pages of courtroom transcripts are also available from PACER.
