The Eastern District of New York has ruled in the case "United States v. Nicholas Palumbo, et al" effectively putting TollFreeDeals.com and SIPRetail.com out of business.  These are the "Voice Over IP" companies that have allowed millions of overseas calls per day to be routed to Americans, often for the purposes of facilitating fraud, often by imitating either the Social Security Administration or the IRS.  The case, originally filed 28JAN2020 ( 1:2020cv00473) announced their final "permanent injunction" ruling on 26AUG2020, as conveyed by the Office of the Inspector General of the Social Security Administration.  

In the 62-page criminal complaint against the two companies, the government explains that the major fraud types facilitated by the Palumbos were: 

a. Social Security Administration ("SSA") Imposters

b. Internal Revenue Service ("IRS") Imposters 

c. United States Citizenship and Immigration Services ("USCIS") Imposters 

d. Tech Support Imposters -- often claiming to be Apple or Microsoft 

e. Loan Approval Scams

Through the use of the Palumbos' companies, the callers were able to spoof their caller ID to seem to originate from a U.S. Federal government agency, local police department, or technical support organization. 

From October 1, 2018 to September 30, 2019, the SSA received more than 465,000 complaint related to these types of calls and documented losses of more than $14 million.  The Federal Trade Commission's Consumer Sentinel Database documented 166,000 such calls with losses of $37 million just in calendar 2019.  When all types of government impersonation calls were included, the FTC Consumer Sentinel reported 255,223 complaints causing $128 Million in fraud losses in 2018 and 389,563 complaints resulting in $152 Million in fraud losses in 2019!

The Social Security Calls

The Technology 

In just 23 days in May and June of 2019, TollFreeDeals transmitted more than SEVEN HUNDRED TWENTY MILLION calls!  (720,000,000 calls!!!!)  425 million of these calls lasted less than one second.  More than 24 million of these calls were placed to residents of the Eastern District of New York.

182 Million of these TollFreeDeals calls were originated from a single India-based VoIP carrier co-conspirator in the United States.  One thousand different source numbers accounted for 90% of these calls.  79% of these 1,000 numbers were listed as fraudulent robocall numbers by a robocall blocking company (YouMail).  Of these 143 million calls, 20% were Social Security imposter calls, 35% were loan approval scams, and 14% were Microsoft refund calls. Other calls imitated the IRS, the U.S. Treasury, and additional tech support scams.

In May 2017, Nicholas Palumbo was notified by AT&T and others that his company was routing fraud government imposter calls.  Palumbo promised to block two particular telephone numbers, but continued to allow the others.  

In February 2019, AT&T notified Palumbo that calls spoofing the USCIS and attempting to extort money had been traced to his company.  Again, Palumbo blamed his India-based VoIP carrier customer, even though this was the same company for which he had already received many warnings.  

A telecommunications industry trade association, USTelecom, provided an additional 144 notifications of fraudulent call origination to the Palumbos' companies from May 2019 to January 2020, including 83 SSA Imposter fraud call cases, 24 Tech Support imposter fraud cases, 10 IRS imposter fraud cases, and 1 USCIS impersonation fraud calls.  USTelecom's notices estimated that TollFreeDeals was placing "more than 1 million fraudulent calls per day."  Palumbo logged in to the USTelecom portal and repeatedly indicated the calls had been placed by the same India-based customers of TollFreeDeals.

USTelecom also formally notified SIP Retail of similar traffic, including 35 traceback investigations from August 2019 to January 2020, including 19 SSA Impersonation cases, 3 Tech Support impersonation cases, and 1 USCIS Impersonation case.

Elder Fraud Task Force Reports

To put a human face on the crimes, a Postal Inspector working for the Elder Fraud Task Force in the Consumer Protection Branch of the Department of Justice investigated many example calls facilitated via the Palumbos' companies.

Palumbo received at least nineteen large cash deposits into Wells Fargo Bank accounts that he controlled from May 28, 2019 to September 11, 2019, totalling $130,250.  The deposits were made in Minnesota, South Carolina, Florida, Alabama, and New Jersey.  After each cash deposit, Palumbo would move the funds to his Ecommerce National LLC accounts at JP Morgan Chase. These activities are characterized by the Postal Inspector as "Interstate Funnel Account" transactions, a form of laundering money.

Some of the victims interviewed by the Postal Inspector included: 

J.K - an 84 year old veteran of the US Marine Corps from Belle Harbor, NY.  He received a call claiming to be from the U.S. Marshals Service with a wrarant for his arrest.  He then was told by a "SSA Employee" that someone had used his SSN to rent a car in Texas and that the car was used in drug trafficking and money laundering.  The "SSA Employee" then forced J.K to wire all of the money in his bank accounts to him - $9,800. 

C.E. - a 36 year old man who was a brand-new U.S. citizen.  He was told be "George" from SSA that he was being investigated for money laundering.  He was told to drive to a Best Buy in Queens, NY and buy $700 worth of Hotels.com gift cards. 

L.U. - a man in his 40s from Roosevelt, NY lost $2,200 in an SSA Imposter scam 

More on Call Routing

Another Affidavit related to this case was the Declaration of a Special Agent of the Social Security Administration's Office of the Inspector General, who provided the diagram above to explain the complication of Least-Call Routing Tracebacks. 

From 2016 to 2020, TollFreeDeals.com was offering VoIP termination services specializing in servicing foreign call center call originators.  Their website specifically stated: 

"TollFreeDeals.com is your premier connection for call center and dialer termination.  We are always looking for the best call center routes in the telecom industry.  We specialize in short call duration traffic or call center traffic.  We understand there is a need for it and we want to help you find all the channels you need!" 

They were proud of the number of call minutes they had "terminated" (which means, facilitated the call from VoIP to a Common Carrier call completion.)  As of January 23, 2020, they boasted that they had helped to completed 10,491,500,323 minutes of calls!  That's TEN BILLION MINUTES of mostly fraud calls! 

One of the calls documented by the SSA OIG Special Agent stated: 

"We have been forced to suspend your social security number with immediate effect.  Due to this, all your social benefits will be cancelled until further clearance. In case you feel this is due to an error you may connect with legal [unintelligible] Social Security Administration. In order to connect with a Social Security Administration office, press One now.  In case we do not hear from you, your social will be blocked permanently. To connect with an officer now, press One and you will automatically be connected with the concern departments. We did not receive any input. Dear citizen, in order to speak with Social Security personnel regarding your social security, press One and this automated system will connect you with the officials." 

This affiant establishes that those 1,000 top phone numbers identified by YouMail and confirmed as fraud based on complaints in the FTC Consumer Sentinel database came from 29 unique TollFreeDeals customers.

Many Additional Details 

 Trickbot is having a truly bad time this month!  While as of today, Trickbot binaries are being delivered by Emotet, there is every sign that they are struggling.   Emotet's daily activities are best documented by a team of researchers using the collective identity "Cryptolaemus" and sharing news of IOCs and URLs on their website: https://paste.cryptolaemus.com/.  With no activity from October 6th to 12th, there was every indication a "change" was coming, and beginning on 14OCT2020, researchers such as our friends at @CofenseLabs and @Malware_Traffic are both reporting that Trickbot is now being delivered by the Emotet spam-sending botnet.  

This post examines Microsoft's case against Trickbot. However, there are also reports of U.S. Cyber Command taking a role in disrupting Trickbot, as reported by the Washington Post and security journalist Brian Krebs. In the "take-down" attempt, as described by Krebs, the bot began propagating to other bots that its new controller IP address should be "127.0.0.1:1" - which would result in the bot-infected computer stopping communication with the criminals.  There was also an attempt to flood the criminals with millions of fake "stolen credentials" hoping to confuse their ability to sort out "true victims."  As Krebs also reported, the fabulous Trickbot C&C tracker at FEODOTracker is reporting many live C&C addresses for Trickbot.  (Also see Trickbot On the Ropes Part 2: the QQAAZZ Money Laundering Ring.) 

The Microsoft Trickbot Case

On October 12, 2020, Microsoft announced "New action to combat ransomware ahead of U.S. election" describing Trickbot as malware that "has infected over a million computing devices around the world since late 2016." By filing a lawsuit in the U.S. District Court for the Eastern District of Virginia, Microsoft received permission for a Temporary Restraining Order (TRO).  The Digital Crimes Unit (much love, guys!) worked with the FS-ISAC, ESET, Symantec, the Microsoft Defender team, NTT, and Lumen's Black Lotus Lab and others to lay out their case. 

The legal documents surrounding the case are on the Microsoft website: NoticeOfPleadings.com/trickbot/

Microsoft and the FS-ISAC bring the case with a 60 page complaint, demonstrating harm to their respective customers in the Eastern District of Virginia, and demanding that "John Doe 1" and "John Doe 2" appear in court for a Jury Trial.

They charge them with violations of: 

• The Copyright Act - 17 USC § § 101 
• The Computer Fraud and Abuse Act 18 USC § 1030
• The Electronic Communications Privacy Act 18 USC § 2701
• Trademark Infringement under the Lanham Act 15 USC § 1114
• False Designation of Origin under the Lanham Act 15 USC § 1125(a)
• Trademark Dilution under the Lanham Act 15 USC § 1125(c) 
• Common Law Trespasses to Chattels 
• Unjust Enrichment 
• and Conversion 

Each team made significant contributions to the effort, and most have published their own Trickbot blogs, which I link below, with regards to the case, their most important function was to provide professional analysis in the form of a Declaration in Support of Motion for TRO: 

• Lyons is Jason Lyons, a Senior Manager of Investigations at the DCU Malware & Cloud Crimes Team.  Lyons, who served in the Cyber CounterIntelligence unit of the U.S. Army, provides 25 pages of testimony and ten "Exhibits." Part of his testimony included the proof of 25 million Gmail, 19 million Yahoo, 11 million Hotmail, 7 million AOL, 3.5 million MSN, and 2 million Yahoo.co.uk addresses known to have been targeted by Trickbot (based on reporting from Deep Instinct)
• Finones is Rodelio Finones, a Senior Security Software Engineer and Malware Researcher at the Microsoft DCU. He provides a 21 page testimony of his own investigation into Trickbot, 
• Thakur is Vikram Thakur, the Technical Director of Symantec Enterprise, where he has been a major rockstar for more than a dozen years!  He provides a 20 page testimony.
• Garlow is Kevin Garlow, Lead Information Security Engineer at LUMEN (formerly CenturyLink). His testimony includes the fact that he has identified 502 distinct IP addresses that had acted as Trickbot controllers, but that 40 of them have remained online despite more than 30 abuse notifications and that 9 of them have been sent more than 100 such notifications.  He states that "We confirmed 55 new Trickbot controller IPs in September 2020 and 99 new Trickbot controller IPs in August."  It is these long-lived "bullet-proof" controllers that Microsoft is targeting.  It is also likely that revealing whoever is paying the bills for those long-lived services may be a path to identifying John Doe 1 and John Doe 2.  Garlow's testimony that he has sent so many notices for take-down which have been ignored is a powerful part of this package!
• Silberstein is Steven Silberstein, the CEO of the FS-ISAC.  He provides testimony to more than 500 fraud attempts against FS-ISAC member institutions over an 18 month period, with $7 Million in attempted fraud.  One FS-ISAC member had dozens of attempts in a two week period with an average fraud attempt of $268,000!  
  
  
• Ghaffari is Kayvan M. Ghaffari, an attorney with Crowell & Moring LLP for Microsoft and the FS-ISAC.  His testimony calls out the particular web hosting companies that were hosting the machines targeted by the TRO, including Colocrossing, IOFlood, HostKey, VDI-Network, ENET-2, and King Servers, pointing out that all of these organizations have Terms of Service which are clearly violated by the Trickbot controllers.  He then attaches as exhibits more than 650 pages of similar cases and the related court documents from them.
• Boutin is Jean-Ian Boutin, the Head of Threat Research, calls Trickbot "one of the most prolific and frequently encountered types of malware on the Internet."

Related TrickBot Blogs

ESET analyzed 125,000 malware samples and downloaded and decrypted 40,000 configuration files used by Trickbot modules, helping to map out the C&C servers by the botnet. While Trickbot can drop many "modules" these are not one-size-fits-all.  Trickbot modules were sometimes dropped in phases after an initial assessment of the network on which the bot found itself, and other times varies by the "gtag" -- the unique label used to sign the infection, thought to be related to affiliates who paid the Trickbot operators.

gtag timeline by ESET

Symantec's blog post "Trickbot: U.S. Court Order Hits Botnet's Infrastructure" has a great infographic about "How Trickbot Works": 

Microsoft on Trickbot's use of Covid-19 Lures

Microsoft is in a unique position to take action against malware, having visibility to so much malware-related traffic from browser telemetry, Microsoft Defender reports, and Office365 scans.  In the past year, they have evaluated 6 Trillion messages and blocked 13 Billion malicious emails that used 1.6 Billion URLs to try to infect the email recipients!

Microsoft's Digital Defense Report 2020 points out that Trickbot began using COVID-19 spam lures on March 3, 2020, and went on to become the most prominent spam botnet using COVID-19 themes.

From MS Digital Defense Report 2020

We've long argued that if the lure is timely and controversial, people will click on it.  That seems to be the case even today as ProofPoint's @ThreatInsight has pointed out, documenting that a recent malware campaign, first seen October 6, 2020, is using President Trump's diagnosis as a lure to infect people with additional malware, using the subject line "Recent material about the president's situation" and the promise of additional details in a password-protected email attachment.

While shutting down the technical aspects of malware is critical (see Trickbot on the Ropes Part 1), the real disincentive to the criminals is when you hit them hard in the money.  That was the objective of Europol's Operation 2BaGoldMule case against QQAAZZ.   Working with partners in 16 countries, including Latvia, Bulgaria, the United Kingdom, Spain, and Italy, Europol helped to coordinate search warrants being executed at 40 different residences in support of criminal proceedings in the United States, Portugal, and the UK, and Spain.

Europol put out a two-part InfoGraphic as part of their story on the arrests, "20 Arrests in QQAAZZ Multi-Million Money Laundering Case":

Date	Victim Bank	Wire Attempt	Beneficiary
07MAR2017	Schwab	$75000	Aktrofi Services
20SEP2017	BOA	$84900	Aktrofi Services
26OCT2017	JPMorgan Chase	$98780	Privelegioasis
29NOV2017	American Express	$121360	Selbevulte
30NOV2017	BB&T	$72000	Privelegioasis
08MAR2018	USAA	$29500	Flamingocloud
08MAR2018	USAA	$29500	Colossal Devotion
21MAR2018	BOA	$49000	Colossal Devotion
10APR2018	JPMorgan Chase	$59426	Cardinal Gradual
10APR2018	JPMorgan Chase	$59426	Cardinal Gradual
10APR2018	JPMorgan Chase	$59426	Cardinal Gradual
30AUG2018	PNC	$99693	Selbevulte
14NOV2018	BOA	$56202	Aktrofi Services
14NOV2018	BOA	$112921	Deinis Gorenko
14NOV2018	BOA	$45830	Deinis Gorenko
06DEC2018	JPMorgan Chase	$114652	Flamingocloud

https://www.bbc.com/news/world-us-canada-52671381

1. a technology company in Windsor, CT 
2. an Orthodox Jewish Synagogue in Brooklyn, NY 
3. a medical device manufacturer in York, Pennsylvania
4. an individual in Montclair, NJ 
5. an architecture firm in Miami, FL 
6. an individual in Acworth, GA
7. an automative parts manufacturer in Livonia, MI 
8. a homebuilder in Skokie, IL 
9. an individual in Carollton, TX 
10. an individual in Villa Park, CA.  

Dozens of additional US victims are identified, but it is unknown the total number of victims whose funds were stolen, or attempted to be stolen through these schemes. 

Those named in the two indictments received funds to shell company bank accounts including at least 147 accounts opened at banks in Portugal, as well as Germany, Spain, and the United Kingdom. 

The indictment provides a partial list of the funds transfers which occurred between US-based victims and accounts controlled by these criminals. 

In order to accomplish this, members of the QQAAZZ cash-out system advertised their services on "exclusive, underground, Russian-speaking, online cybercriminal forums."   Some of these advertisements on a single forum cost as much as $10,000 per year!  

Some of the online monikers used by QQAAZZ members in these forums included: 

qqaazz            globalqqaazz            markdevido 

richrich          donaldtrump55         manuel           krakadil                     

kalilinux         ritchie                      totala              totala22 

These forum exchanges helped to establish relationships between the malware gangs and the money launderers.  For example, QQAAZZ members using the name "richrich" chatted with members of the GozNym malware crime group about being a "drop handler" in the UK and Europe and having many accounts that could be used for money laundering, including an account in the name "Yaromu Gida" at a bank in Turkey.  That account received $176,500 in funds stolen from the medical device manufactuer in the Western District of Pennsylvania. 

"DonaldTrump55" provided bank account information for a drop belonging to Ruslans Nikitentko at a bank in Portugal opened using a counterfeit Polish identity card in the name Krzysztof Wojciech Lewko.  The account later received $121,360 from a US victim. 

 On November 6, 2020, the US Attorney in the Eastern District of Virginia announced the sentence for a husband and wife, Chirag Choksi and Shachi Majmudar, both 36 years old.  This pair had involved themselves in the money laundering side of an international scam ring that preys on the elderly via call centers located in India.  Chirag will serve 78 months in prison while his wife Shachi will serve 14 months in prison.  

I've had the pleasure of presenting my research on Indian Call Centers at a meeting the Federal Trade Commission hosted in Washington DC last year.  The scope of these networks and the absolute impunity with which they operate should be a cause of national shame in India.  In 2019, according to the Consumer Sentinel Network Data Book 2019, assembled by the Federal Trade Commission, reported 647,472 "Imposter Scams" with total losses of $667 Million, primarily to the elders who are most deserving of our protection.  (These scams are increasing rapidly.  In 2017 there were 461,476 Imposter Scam complaints, in 2018 there 549,732 complaints.)

The Scam: Law Enforcement Impersonation

The Money Mules: Choksi and Shachi

Strangley, that 1600 square foot duplex claims to have seven current residents, according to WhitePages.com, including Shachi!

According to their Facebook pages, Shachi moved to Minneapolis, Minnesota in 2013.  (The "moved" actually says 2016, but she says in her comments "I actually moved here in 2013, Facebook is just acting weird.")  Sadly for the family, the parents who are now headed to prison, posted photos of their newborn baby in January 2019. 

The Mule Recruiter: Shehzadkan Pathan

The co-conspirator, Shehzadkhan Khandakhan Pathan, goes by the name Shehzad Khan on Facebook and, like his Facebook friend Chirag, is from Ahmedabad, India. He was arrested by the FBI in Houston, Texas on January 16, 2020 and taken into custody by the US Marshall's Service.

Shehzadkhan Khan Pathan

This structure was VERY familiar to me, as it works in exactly the same way as the case we documented in 2016 in our blog post Major Call Center Scam Network Revealed - 56 Indicted.

In fact the similarities are extreme.  In that case, the primary call centers involved included a major group in Ahmedabad India, but had money mule "runners" all over the United States, who not only handled financial transactions, but also sought out victim candidates!  

Not only are the cases STRUCTURALLY  similar, but Pathan SEEMS to be linked to one of the key players in that network on Facebook.  Pathan's Facebook friend "Hardik Dave" who is likely Hardik Patel, also from Ahmedabad, from the previous case.  Although Hardik's friends marked as private, but has several interactions on his Facebook page from "Hitesh Patel" who was at the core of the 2016 case.  In that case, Ahmedabad call center companies including Call Mantra, Sharma BPO, Worldwide Solutions, and Zoriion Communications were involved in the scams.

A superseding indictment relating to Pathan was announced June 17, 2020, and names several additional co-conspirators. 

In addition to Chirag and Shachi, the new indictment includes: 

• Pradipsinh Dharmendrasinh Parmar
• Sumer Kantilal Patel 
• Jayeshkumar Prabhudas Deliwala

In the new indictment we learn that the  "conspirators regularly communicated using WhatsApp Messenger." We also learn additional details about the scam calls:

"The messages told the recipients that they had some sort of serious legal problem. Often the purported problem related to potential criminal charges for the victim, tax problems, or THE RISK OF LOSING A FEDERAL BENEFITS PROGRAM SUCH AS SOCIAL SECURITY PAYMENTS." (emphasis added)

We also learn that a number of the victims had recently applied for a loan, making them aware that the victim now had cash available!  

Pathan, the recruiter, provided the counterfeit identity documents, including fake drivers licenses, and alerted his mule network where the package was being delivered and which identity they should use to retrieve the package.  After they had the cash, Pathan would let them know how much they could keep and give them details of what bank account they should deposit the additional funds into. In some cases the funds were sent via wire transfer, and Pathan would alert his money mules via WhatsApp where the money had been wired and which identity documents they would need to present in order to pick up the money from the bank account where they had been deposited.

More Mules: Parmar, Patel

Both Pradipsinh Dharmendrasinh Parmar and Sumer Kantilal Patel were money mules like Chirag.  They are charged with retrieving and signing for packages of cash, photographing or videoing themselves opening the packages and counting the cash, receiving and using counterfeit identification bearing their likeness but the name of another person, and picking up money transfers via Western Union, MoneyGram, and Walmart to Walmart, and resending portions of that amount to other locations. 

Pradispsinh Parmar is also Facebook friends with Pathan, and also from Ahmedabad, India.  His Facebook page says he lives in Spotswood, New Jersey.  HIS Facebook friend Sumer Patel is not friends with any of the other co-conspirators and may be a name coincidence as he seems to be in Brisbane, Australia.

Pradispsinh Parmar

Parmar, for example, picked up a package containing $20,000 cash sent to the name of "Neon Fredo" at 55 Stratford Village, Lancaster, Pennsylvania.  

Parmar also picked up a MoneyGram of $820 sent from a victim to the name of Larry A Lauzon, in North Carolina.  (Because he had the reference number, it was not necessarily picked up in that location.)

Patel similarly received Walmart-to-Walmart funds, including funds sent from Texas to "Caleb N Cranstone" in Virginia. 

Deliwala received and distributed a set of 20 counterfeit identification documents.

Charges in the case include: 

18 U.S. Code § 1341 - Mail fraud

18 U.S. Code § 1343 - Wire fraud

18 U.S. Code § 1349 - Attempt and conspiracy

18 U.S. Code § 982 - Criminal forfeiture

 ENISA, the European Union Agency for CyberSecurity, met on October 6, 2020 to review their current recommendations and get any last minute changes.  On October 20, 2020, they released a huge batch of reports that many folks seem to have not seen.  We wanted to take a moment to give you the guided tour and strongly recommend the consumption of these report.  Each publication is available "flip book" style on the ENISA website, and also as a downloadable PDF.

Let's get started!

https://www.enisa.europa.eu/publications/year-in-review

This is the 8th Year In Review for ENISA and their reporting just keeps getting better!  This year the main components of the report break down into topics like this: 

• The Year In Review
• Cyber Threat Intelligence Overview 
• Sectoral and Thematic Threat Analysis 
• Main Incidents in the EU and WorldWide
• Research Topics
• Emerging Trends
• List of Top 15 Threats 

The Year In Review 

1. Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation 
2. There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
3. The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
4. Finely targeted and persistent attacks on high-value data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors
5. Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft
6. The motivation behind the majority of cyberattacks is still financial 
7. Ransomware remains widespread with costly consequences to many organisations
8. Still many cybersecurity incidents go unnoticed or take a long time to be detected
9. With more security automation, organizations will invest more in preparedness using Cyber Threat Intelligence as its main capability
10. The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.

Another key section in this area was the "What To Expect" which broke the topic into three areas -- Nation States, Cyber Offenders, and Cyber Criminals.  The reader is invited to view the full report, but I did want to mention that with regards to Nation States, ENISA describes the coming year as an "Uncontrolled cyber-arms race" with a free-for-all of nation states trying to buy up and acquire the best attack tools for the "cyberspace warfare domain" possibly through sponsored agents who may not present as the purchasing nation.

In the area of What to Expect From Cyber Criminals ... BEC - Business Email Compromise, and BPC - Business PROCESS Compromise are expected to continue, along with malware targeting Managed Service Providers.  They predict that "Deep Fakes Used for Fraud" may be a rising trend.  I'm not sold on this concept as being a 2021 reality, but it is certainly something to watch for.

I also wanted to call attention to the prediction that Cyberbullying is likely to greatly increase as a growing number of adolescents are spending a much greater time online, possibly with limited parental oversight of their activities, as Mom and Dad are busy working from home as well!

Cyber Threat Intelligence Overview 

https://www.enisa.europa.eu/publications/cyberthreat-intelligence-overview<= Flipbook

https://www.enisa.europa.eu/publications/cyberthreat-intelligence-overview/at_download/fullReport<= PDF 

In this area, training resource links are offered, however the report begins by calling attention to the great gap between higher performing CTI practices and the training and tools available to the average user.  While praising existing frameworks, such as MITRE: ATT&CK, they also point out the short-comings in addressing specialized sector-specific systems, emerging systems, and cloud-computing and managed service threats.

The call is made to spend more emphasis on PREVENTION, DETECTION, and MITIGATION rather than the current near-total obsession with IOCs and APT-naming. Some sectors are especially trailing in the CTI area due to the specialty nature of their equipment and practices.  ALL SECTORS need to be greatly improving their capabilities in PDR (to use the more common Prevent, Detect, Respond term that I still prefer.)  The report calls attention to the fact that trailing sectors are often dealing with limited trust between organizations.  The more isolated your organization is from its peers, the more likely that your sector is struggling in this way.  Improved information sharing is a key.  To quote the report: "one should note that the deficiencies described are not due to a lack of CTI knowledge per se but rather to the lengthy cross- and intra-sector communication and coordination cycles for exchanging CTI knowledge."  A related quote => "Existing offerings concentrate on operational and tactical CTI, while strategic CTI is mostly offered independently."

Results are shared of a "Comprehensive CTI Survey" conducted by ENISA.  Some key findings include: 

• CTI is still primarily a MANUAL PROCESS in most organizations.
• Much CTI data is still primarily being passed through spreadsheets and email.
• CTI Requirements are becoming more defined and beginning to take significant guidance from business needs and executive input.
• CTI from Public Sources combined with observations from internal network and system monitoring is a popular model
• Open-source information, enriched by threat feeds from CTI vendors is a "clear upwards trend" indicating more focus on internal CTI production.
  
• Threat Detection is described as the main use for CTI, with IOCs being a base, but more interest in TTPs in the area of threat behavior and adversary tactics.
• Only 4% of respondents felt they could measure the effectiveness of their CTI programs!  OUCH!  Machine learning was ranked especially low, with most saying the skill of the analysts was the best predictor of success!

Several areas of interest in the "Next Steps" section to me included:

-  an emphasis on coordinating CTI requirements.  While the report called for this at the EU-member state level, I would say that SECTORS should be working together to determine appropriate CTI requirements and encouraging a sector-wide improvement through collaboration.  

- development of a CTI Maturity model and Threat Hierarchies model.

- ensuring that CTI is taking into account the geopolitical world state and not just the state of bits and bytes.

Please refer to the full report for more details!  

Sectoral and Thematic Threat Analysis 

https://www.enisa.europa.eu/publications/sectoral-thematic-threat-analysis<= Flipbook

https://www.enisa.europa.eu/publications/sectoral-thematic-threat-analysis/at_download/fullReport<= PDF

This report begins by describing the difficulty of measuring and categorizing differences by sector. I must confess to being disappointed by the lack of insights in this particular report.  As sectors shifted to the cloud during the COVID-19 Pandemic, much of the "targeting" became less sector-targeting and more "target of opportunity" focused. 

While most attack trends were "stable" there were some "cross-sector" attack types described as "Increasing" ... specifically Web Application Attacks, Phishing, and Malware.

The only sector actually that was called out as being at significantly greater risk than others based on incident trends was "Health/Medical" where increases in Malware, Insider Threat, and Web Application Attacks were all marked as Increasing.

After a lack-luster "trends" report, all of two pages long, the remainder of the report focuses on Threats to Emerging Technologies, where there are some interesting observations regarding 5G Mobile communications, Internet-of-Things (IoT), and Smart Cars.

The reader is invited to visit the report for more details.

Main Incidents in the EU and WorldWide

Unfortunately, with the official timeline of this report being January 2019 through April 2020, many of the "main incidents" here are quite dated.  Good to cover them for historical documentation, but not really worth re-hashing them at this time. Significant data breaches included the 770 million email addresses stolen from MEGA (the cloud data storage service in New Zealand run by "Kim Dot Com".) They also mention breaches such as ElasticSearch, Canva, Dream Market, Verifications.io, and a couple big MongoDB breaches.

The most targeted services, according to this report, are Digital Services, Government Administration, Tech Industry, Financial Institutions, and Healthcare entitites.  In the area of Digital Services, we know that the primary use is to take the email address/password pairs and use them to attempt password replay attacks attempting to use the same pair against many additional online properties.  ENISA refers to those as "credential stuffing" attacks and indicates that "companies experience an average of 12 credential-stuffing attacks each month!" 

The report indicates that 84% of cyber attacks "rely on social engineering" and that 71% of the organizations with malware activity have seen the malware spread from one employee to another. 

Groups that are depicted in the report as "Most active actors" don't really align with what we've seen from other sources, but are listed as: 

• TURLA - attacking Microsoft Exchange serveres
• APT27 - mentions attacks against government SharePoint servers in the Middle East 
• Vicious Panda - targeting Mongolian government entities
• Gamaredon - spear-phished the Ministry of Defence in Ukraine in December 2019

The report indicates that ENISA believes most cyber attacks originate from Organized Crime groups.

The Top Five motivations for attackers are: Financial, Espionage, Disruption, Political, and Retaliation.

The Top Five "Most Desired Assets" by Cyber Criminals are listed as: 

1. Industrial property and Trade secrets
2. State/Military classified information
3. Server infrastructure
4. Authentication Data
5. Financial Data 

I won't detail is here, but the report also has advice on "What changed in the landscape with the COVID-19 Pandemic?" and refers to several previous publications from ENISA for that topic.

Research Topics

https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-research-topics<= Flipbook

https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-research-topics/at_download/fullReport<== PDF 

ENISA says that "apart from basic cybersecurity hygiene and training, investing in research and innovation is the most viable option for defenders." Some of the key areas that they are encouraging research to be performed are: 

• Better understanding of the human dimension of security - (I know so many great researchers in this space, from UAB's own Nitesh Saxena, to UAB's Ragib Hasan and his current survey on "User Preferences in Authentication" to Carnegie Mellon's Lorrie Cranor and the IIIT Delhi PreCog lab run by Ponnurangam "PK" Kumaraguru.) 
• Cybersecurity research and innovation - with a special focus on building "test labs and cyber ranges" that better reflect real world deployments. 
• 5G Security 
• EU Research and Innovation Projects on Cybersecurity 
• Rapid dissemination of CTI methods and content 

Emerging Trends

https://www.enisa.europa.eu/publications/emerging-trends<== Flipbook

https://www.enisa.europa.eu/publications/emerging-trends/at_download/fullReport<== PDF 

This report begins by pointing out that COVID-19 has initiated "new and profound changes in the physical world and in cyberspace" and pointing out that "cybersecurity risks will become harder to assess and interpret due to the growing complexity of the threat landscape, adversarial ecosystem and expansion of the attack surface."

The Emerging Trends are given as three trend lists -- Ten Cybersecurity Challenges; Five Trends with cyber threats; and Ten emerging trends in attack vectors.  As I've said a few times, go check out the report for the full details, but a few really caught my eye, which I'll comment on below:

Cybersecurity Challenge 1 - Dealing with systemic and complex risks.  The interconnectedness of our systems and networks means that a risk introduced in one part of the environment can quickly spread throughout our organizations.  The demands of reducing complexity and increasing ease of management has unfortunately caused many organizations to create flat network structures where a single Active Directory domain may touch every resource in the environment and where network segmentation has become almost non-existent.

Unfortunately many of the other "emerging trends" in the cybersecurity challenges are seem more like wishful thinking than an emerging trend.  Reducing unintentional errors, automation of CTI ingestion, Reducing alarm fatigue and false positives, and cloud migration protections are all things we would love to see, but calling them an "emerging trend" strikes me as premature.  A few that I definitely agree with however include the role of CTI and the lack of a skilled workforce.

Cyber Threat Intelligence (CTI) is needed to help with the WHY, the HOW, and the WHAT questions.  The report points out "the value proposition of any CTI capability or program is to improve the preparedness of the organization to protect its critical assets from unknown threats." Anticipating the unknown requires a deeper understanding of both threat and adversary - not just in the form of specific Indicators of Compromise (IOCs) but in the form of TTPs - based on the Tactics, Techniques and Procedures - as evidenced by observations made both from open source intelligence (OSINT) but also through same sector and cross-sector intelligence sharing is going to be a key to hardening and preparing the organization to address forth-coming attacks instead of constantly reacting to known attacks.

Just as we see in the US, a shortage in cybersecurity skills is hitting the EU hard. 70% of firms say that lack of skills is hampering investment in new technologies, and 46% of firms report difficulty filling vacancies in cybersecurity due to a lack of skilled applicants.  In the US, I constantly refer students to the Cybersecurity Supply/Demand Heatmap maintained by Cyberseek.org.  Currently they are showing 521,617 cybersecurity vacancies just in the United States!

The final "Emerging Trends" area - Ten Emerging Trends in Attack Vectors -  has a few that I wanted to call attention to as well.  I'll share the list and comment on a few:

1. Attacks will be massively distributed with a short duration and a wider impact
2. Finely targeted and persistent attacks will be meticulously planned with well-defined and long-term objectives
3. Malicious actors will use digital platforms in targeted attacks
4. The exploitation of business processes will increase
5. The attack surface will continue expanding 
6. Teleworking will be exploited through home devices
7. Attackers will come better prepared 
8. Obfuscation techniques will sophisticate 
9. The automated exploitation of unpatched systems and discontinued applications will increase
10. Cyber threats are moving to the edge 

A key thread that flows through many of these trends is that attacks will move to new less defended "soft spots."   The report mentions banking trojans being downloaded from the Google Play store, attacks against routers, switches and firewalls rather than servers, and attacks being presented through apps that are skating on the edge between personal and business apps, such as SMS, WhatsApp, SnapChat and various messaging platforms, as well as gaming and streaming apps that may be present on devices being used to "work from home."

List of Top 15 Threats 

The next post will address the ENISA "Top 15 Threats" 

 An Interpol headline on November 25, 2020 announces "Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group" however the article does not name the suspects.  The Interpol article says the three are "believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams."  Interpol's Craig Jones says the year-long investigation was known as "Operation Falcon."

	The Nigerian Police actually did a press release about the trio on November 19th.  From that we find photos of the three criminals and more information about their crimes and names. The leader of the trio, Onuegwu Ifeanyi, is known online as SSGToolz.  According to the Nigerian Police, he "specializes in creating, designing, and selling phishing links and hosting malware on websites used by the gang for phishing and hacking purposes.  He collects charges running into several millions of naira from other fraudsters he mentors and improves their phishing capabilities."
	Onwuka Emmanuel Chidiebere, also known as Ceeceeboss TMT, graduated from Imo State University and specializes in Business Email Compromise (BEC) and hacking. His laptop had over 50,000 email accounts with passwords harvested from various individuals and businesses worldwide.
	CeeCeeBoss TMT recruited the third of the trio, Ikechukwu Ohanedozie, who was known as Dozzy. A medical school student also from Imo State, Dozzy's job was sorting out the email accounts and doing research "to determine financial strengths of prospective victims and pass the information to Ceeceeboss.

Gotta admit, I'm thinking of finding that green track suit and shoes combo for myself.  What do you think?  Also, can anyone tell me which South African airport that top left shot was taken in?

 This week law enforcement agencies around the world made press releases about the arrest of SIM Swapping criminals.  The UK's National Crime Agency says "eight men have been arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks, in which criminals illegally gained access to the phones of high-profile victims in the US.  They say these attacks targeted "numerous victims throughout 2020, including well-known influencers, sports stars, musicians, and their families."  NCA credits the US Secret Service, Homeland Security Investigations, the FBI, and the Santa Clara California District Attorney's Office for helping to uncover the network.

Paul Creffield, head of operations in the NCA's National Cyber Crime Unit and Assistant Director Michael D'Ambrosio were quoted in the NCA's press release, "Brits arrested for sim swapping attacks on US celebs" on February 9th.  The @NCA_UK Twitter thread shared the additional details that the men were between the ages of 18 and 26.

https://twitter.com/NCA_UK/status/1359232883118981133

A SIM, or Subscriber Identity Module, is the little chip that goes inside a phone and ties that phone to a particular account at a particular mobile provider.  If the phone provider believes you have a new phone, they can tell their system, this is the new SIM number that should be linked to your account.  They don't actually need to know what model of phone it is, or where in the world it is.  If your account says your phone number is assigned to a new SIM, your phone stops ringing and the new phone starts.

The group used SIM swapping to intercept SMS messages intended for the true owner of the phone and route those messages to a phone controlled by the criminals.  This allowed them to access many apps and ask for password resets, which often confirm the request is intended for the correct user by sending a "Two Factor Authentication" request in the form of an SMS message.  Some crypto currency exchanges use an even stronger method, of requiring confirmation both by an SMS to the phone and by email. Unfortunately, if the criminals have SIM-swapped the phone, they also may have used it to gain control of the email used by the victim as well!  

Europol correctly describes the primary method of SIM-swapping when they say in the press release above, "This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques."

How do Phone Company Insiders enable these scams? In a case that was curiously released to the public simultaneously with those above, we get a US-based example.

The simultaneous announcement by the FBI of charges against a Verizon Customer Service employee, Stephen DeFiore of Brandon, Florida is curiously timed, given that his charges thus far were based on crimes from 2018.  According to Stephen's LinkedIn, he worked from 2014 to 2017 as a Verizon Customer Service Rep in  Rochester, New York, and afterwards in Bradon, Florida:

On February 8, 2021, the US Attorney in the Eastern District of Louisiana announced charges against Stephen Daniel Defiore"for his role in a SIM Swap scam that targeted at least nineteen people, including a New Orleans-area physician."  It goes on to say "From August 2017 until November 2018, DEFIORE worked as a sales representative for Phone Company A. In that capacity, DEFIORE had access to the accounts of Phone Company A's customers, including the ability to switch the subscriber identification module (SIM) card linked to a customer's phone number to a different phone number.  Between October 20, 2018 and November 9, 2018, DEFIORE accepted multiple bribes, typically in the amount of approximately $500 per day, to perform SIM swaps of Phone Company A customers identified by a co-conspirator."

DEFIORE would receive a message telling him a customer's phone number, their four-digit PIN, and a SIM card number to which the phone number was to be swapped.  Defiore received his payments via CashApp to his account: $Beefy123.  H

The New Orleans doctor lost his Binance, Bittrex, Coinbase, Gemini, Poloniex, ItBit, and Neo Wallet accounts.  In this case, Defiore swapped his SIM card address to one that was actually in an Apple iPhone 8 with the IMEI (Interrnationa Mobile Equipment Identity number) 356703087816582, which was in the possession of Richard Li. 

His co-conspirator in the US, Richard Li, was actually charged by the Department of Justice on 09JUN2020.  Li is why the UK case mentions California, rather than Louisiana or Florida.  Richard Yuan Li was a 20 year old college student in San Diego, California, living in a dorm room in Argo Hall on the campus of UCSD (The University of California San Diego). He registered the cell phone to which the SIM swap occurred using his own "me.com" email address, which began with "ryli" (Richard Yuan Li).

According to the charges against Li, he participated in at least 28 SIM swaps between 11OCT2018 and 06DEC2018. In the case of the Louisiana doctor, even after the doctor regained his cell phone, he was contacted by Li who said he had accessed nude photos on the doctor's gmail account that was also linked to the phone and that he demanded 100 Bitcoins or he would release the photos.

My favorite photo of the US SIM swapper.  (Sorry, couldn't resist!)  Master criminal? Or dumb kid who happened to work at a phone store and couldn't resist the temptation of $500 per day.  You decide.

This case would not be the first linking UK criminals with US Phone company employees.  In 2019, a hacking group calling itself "The Community" paid bribes to three phone company employees, Jarratt White and Robert Jack, both 22 year-olds working at phone stores in Tucson, Arizona, and Fendley Joseph, a 28 year-old in Murrietta, California, to carry out SIM swaps for their group.  Ireland-based hacker Conor Freeman, aged 20, was charged in that case for seven SIM-swaps that led to the theft of $2,416,352 worth of cryptocurrency.  It is unknown at this time if the current cases are further work of "The Community" or its former members.  The Community wasn't a place online, just the name of their group.  Most of their members were participants on the OG Users forum. For example Jarratt White, who worked at an AT&T store, used the handle ".O." on Telegram and received payments via LocalBitcoins and PayPal, where his email "jarrattw@gmail.com" was linked.  AT&T confirmed that WHITE had performed 29 unauthorized SIM swaps.  Robert JACK, also an AT&T contractor who worked in their store in Tucson, also performed 12 SIM swap.  Fendley JOSEPH worked at a Verizon store in Murrietta and also communicated with The Community members via Telegram. He was also identified by his PayPal account where he received $3,500 in bribes (fendleyvzw@gmail.com) 

Ireland's Conor Freeman was ultimately not extradited to the US, although he was arrested by the Garda at his home in Glenageary Court, Dun Laoghaire in May 2019, based on the US charges.  The failure to extradite was another example of the US Attorney's boasts of maximum sentence backfiring.  They often will make public threats at the time of arrest such as "if the maximum sentence is given, they will face 108 years in prison!"  Then when the actual sentence is handed out, they get six years.  Or two.  The threat, however, is enough that European courts say "what a cruel and unusual sentence!" and argue that sentencing a SIM swapper to a greater sentence than a rapist or murdered is ludicrous.  

 Yesterday we were reviewing a Work From Home "Mystery Shopper" scam, and ended by pointing out some of the scam shipping companies hosted on the same IP address.  But still on our same IP address, we hit a gold mine!  The complete Romance Scam with an Imaginary Soldier support site!  The webpage is: usmdept.com ... you know? the US Military Department?

https://usmdept.com/care-package/

The real goal of having an Imaginary Soldier Boyfriend or Girlfriend is marriage though, right?  Good News!  That is TOTALLY OK with the US Military Department of Scammers!

Although, "There are also rules on who can receive a military ID card and military benefits. To receive a military ID card and benefits, including health care, a military spouse must be legally married to the service member. The military does not recognize common law marriage or engagements.  Registering a spouse for benefits has its fee."  Just click "Contact Us" and the scammers will gladly walk you through the process of getting a MILITARY Marriage License, based entirely on how much money they think you might have, of course.

Although it should not be necessary, if you really need your Imaginary Soldier to resign from the military, that is possible as well.  Doing so, however, "attracts a one time fee, which will be needed to process the request."  As with declination of deployment, "only a loved one ... is eligible to apply."

While this is the first time that *I* saw a site like this, as usual, FireFly and the experts at ScamSurvivors.com had already seen the pattern.  A great post there which talks about a previous or similar version of this site from August 2020 is here on her forum ==> Article: US Military Welfare - usamilitarywelfare.com

 Have you ever seen those spam messages claiming they have a great job for you as a Mystery Shopper?  After seizing a check from a client (and then shredding it) a local bank let us check out the scam!  In this scam, a company claiming to be "Private Mart Auditors" says they have been contracted by WalMart to try to identify stores that are violating their policies by refusing to sell Gift Cards!  The project claims to actually be a partnership with the gift card companies themselves and the major retailers who sell them.

The Website - and possibly related scams!

APWG 4th Quarter 2020 Report

ZoneCruncher data

One of my favorite things about ZoneCruncher's data is that it shows the "Start of Authority" record.  In this case it is telling us that the reseller to which this IP address space is assigned is "csf@smartweb.com.ng" 

One of the most common West African scams, besides the shipping of counterfeit checks, is various "delivery" scams.  These started with the earliest Nigerian Prince scams, but more frequently today involve a package of value (a box of diamonds, for example) that a soldier finds overseas and wants to ship to you to sell and split the profits.  Other times it is a "pet delivery" scam, where you anticipate having a pet shipped to you and the pet gets caught up in shipping.  As anticipated, we had plenty of these on this IP address.

But then we hit a gold mine!  The complete Soldier Romance Scam Support site!  (but that's the next blog post ...)

On March 2, 2021, Microsoft accused a Chinese APT group which they name Hafnium of compromising 30,000 Exchange servers.  They announced four security vulnerabilities, known as 0-days, which refers to the fact that attackers had a reliable means of exploiting the vulnerability for which there was no patch.  In case your organization didn't go into full panic mode, GO PULL THE FIRE ALARM!  THIS IS SERIOUS!

Tom Burt, Microsoft's VP of Customer Security & Trust, released a blog post about Hafnium: New Nation-State Cyberattacks. Microsoft describes Hafnium as "primarily targeting entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs." According to my favorite APT Cross-reference chart, maintained by Florian Roth (Twitter: @Cyb3rOps) Hafnium is also referred to by Symantec as Ant. (They chose the name because one of the common webshells used for post exploitation was regularly hit by a web browser using the user agent "antSword/v2.1".  Both AntSword (中国蚁剑 ) and ChinaChopper (中国菜刀) are popular webshells used by Chinese attackers for many years.  

FireEye says there is no reason to believe the activity is limited to one threat actor and refers to the clusters of attacks as UNC2639, UNC2640, UNC2643.

FireEye associates UNC2639 with activity from IP addresses 165.232.154.116 and 182.18.152.105, both active at the time of the Microsoft announcement (March 2 and March 3).

FireEye associates UNC2640 with activity involving "web shell" files named "help.aspx" (MD5 4b3039cf227c611c45d2242d1228a121) and "iisstart.aspx" (MD5 0fd9bffa49c76ee12e51e3b8ae0609ac)

FireEye associates UNC2643 with the deployment of a Cobalt Strike Beacon (MD5 79eb217578bed4c250803bd573b10151) and the IP addresses 89.34.111.11 and 86.105.18.116.

FireEye says they began seeing this activity in January, which matches the reports from Microsoft that they were notified of this activity by security firm Volexity in January, however DEVCORE Research Team gets credit for trying to exploit marketing of the bug by calling the attack "ProxyLogon" and making a sexy webpage and logo for the attack, a la HeartBleed.  Fortunately, that really hasn't caught on, however their timeline is still very interesting. They found the first bug 10DEC2020 and the second 30DEC2020 and reported both to Microsoft on 05JAN2021 (as Tweeted by their Taiwanese researcher, Orange Tsai.)

Symantec makes clear that the actor which they call Ant (and Microsoft calls Hafnium) is definitely no longer the only attacker using these vulnerabilities. Symantec's diagram of the attack is useful:

Symantec's attack flow diagram

Both Forbes and WIRED now say that hundreds of thousands of servers have been compromised and the compromise count at one point was growing by "thousands per hour."

What To Do?  PATCH! (But it is quite possibly too late...)

Obviously, the most important thing to do is apply Microsoft's patches.  However it is VERY IMPORTANT TO UNDERSTAND that you may already be compromised.  Patching DOES NOT make you "un-hacked!"  Patch, but also follow the guidance from CISA on determining if you are already hacked.

The vulnerabilities are listed here, each linking to the Microsoft security alert associated with the CVE.

• CVE-2021-26855 -
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

WHAT TO DO?  SEE IF YOU ARE HACKED!

The CyberSecurity & Infrastructure Security Agency, CISA, part of the Department of Homeland Security, has provided comprehensive information on how to detect the attack, including a nice guide on how to use FTK Imager to capture memory from your Exchange Server and where to look for evidence of being compromised.

Please thoroughly review their recommendations found as Alert AA21-062A.

Many of their indicators come from Volexity, who also shares a video explaining the attack in their blog post from 02MAR2021, "Operation Exchange Marauder."  It should be noted that neither of the IP addresses from FireEye are included on this list.

In addition to the CISA guidance, Microsoft has released a script which can be run on your Exchange Server to look for signs of being compromised.  Their script is described in their Hafnium Targeting Exchange Servers blog post, but a direct link to the script is: 

https://github.com/microsoft/CSS-Exchange/tree/main/Security

This script scans the HttpProxy logs, the Exchange logs, and the Windows Application event logs for signs of exploitation.  Hopefully the bad guys haven't WIPED the logs!

 If you are one of the thousands of people who fraudulently filed for a Paycheck Protection Program or PPP Loan under the CARES Act, pay attention!  This blog post  is going to explain why you should return the money and turn yourself in.  The CARES Act provided $349 Billion in forgivable loans that a business could use to cover payroll, mortgage interest, rent, lease, or utilities during the trying times of the pandemic.  But many people are assuming they can just steal that money and never pay a penalty.

Let's use as our example the case of Zsa Zsa Bouvier Couch, whose case was just unsealed in the Middle District of Alabama.

Zsa Zsa is an entrepreneur in the Montgomery area.  She operated seven businesses, according to the Alabama Secretary of State:

• Trinity Christian Ministry, LLC, incorporated on 26MAR2008.
• Kidz Academy Christian Child Care Center, Inc, incorporated as a non-profit on 12JUN2007.
• Bouvier Hair Boutique LLC, incorporated 22JAN2008.
• Slim Fit Weight Loss Medical Clinic & Spa I Inc, incorporated 07APR2020.
• Zsa Zsa's Boutique, LLC, incorporated 02MAY2020.
• ABC Christian Ministries, LLC, incorporated 22JAN2008.
• Walters Academy Corporation, incorporated 26MAY1999.

PPP Loan Time!

Time to Go Shopping!

Time to Go To Prison!

Let's Review . . . 

Would you like to see someone's head explode? 

Observe what happens when I'm researching a topic and I see a headline like this AVG story which claims "Ransomware is set to cause $6 trillion in damages by 2021."  Wow.  Makes you want to run right out and buy cybersecurity products, doesn't it?  Fear, Uncertainty, and Doubt, the marketing department's dream formula!

AVG's Marketing Department can't help themselves

You really can't fault the marketing folks at AVG though ... every cybersecurity marketing department is jumping on the bandwagon.  And when places like CISO Magazine share the number blindly with no examination of the facts, how can they be blamed?

How much is $6 Trillion?  That would be the GDP of Brazil, Italy, and France lost to cybercrime each year.  That would be the entire GDP of Japan lost to cybercrime each year. 

The source, every time you see this preposterous number the source will be traced to a Cybersecurity Ventures report that was designed to scare people into spending more money on cybersecurity defenses.  I did an analysis of that report back in October 2017 and wanted to walk you through it here, gentle reader, so that you would have a place to point people who quote the Six Trillion Dollar Charlatan.  Here is where things started for me, when I saw this report:

The entire report seems to hinge on a single blog post from Microsoft, entitled, "The Emerging Era of Cyber Defense and Cybercrime" published 27JAN2016.  The Cybersecurity Ventures article has a footnote listing this as their source for their $3 trillion base.  Their Editor-in-Chief, Steve Morgan, by the way, continues to misunderstand this number and use it in his fresh forecast.  In his 13NOV2020 prognostication, he now claims "Cybercrime to Cost the World $10.5 Trillion Annually by 2025" and STILL references the Microsoft blog in the highlighted link "$3 Trillion USD in 2015." 

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

What the Microsoft blog post by Pete Boden, General Manager of Cloud and Enterprise Security,  actually says is that "The World Economic Forum estimates the economic cost of cybercrime to be $3 trillion worldwide." 

But even that is a mis-statement.  The World Economic Forum certainly doesn't believe that the cost of cybercrime is two orders of magnitude higher than any reasonable estimate.  What did they actually say?

The report is "Risk and responsibility in a Hyperconnected World" published by the World Economic Forum, in collaboration with McKinsey & Company.  

"Current trends could result in a backlash against digitization, with huge economic impact.  Major technology trends like massive analytics, cloud computing, and big data could create between US $9.6 trillion and US $21.6 trillion in value for the global economy.  If attacker sophistication outpaces defender capabilities -- resulting in more destructive attacks -- a wave of new regulations and corporate policies could slow innovation, with an aggregate economic impact of around US $3 trillion." - p.3 

Three things to note: 

1) the loss they are forecasting is A REDUCTION IN FUTURE ECONOMIC VALUE of certain technologies (analytics, cloud computing, big data) DUE TO A SLOW DOWN IN INNOVATION.

2) that loss would only come about IF THERE ARE NEW REGULATIONS IMPOSED that would stifle creativity in these areas.

3) The CUMULATIVE EFFECT between the time of the report (2014) and SIX YEARS LATER (2020) was said to have a potential of reaching $3 Trillion. 

So how on earth did Cybersecurity Ventures reach their number?

First, they clearly never read the World Economic Forum / McKinsey report, or they would certainly have been unable to say that the impact of Cybercrime had been $3 trillion in 2015.  Again, the $3 trillion was OVER THE COURSE OF SIX YEARS (or $500 Billion per year on the average) and ONLY IF REGULATORY CONDITIONS CHANGED DRAMATICALLY causing "unrealized potential economic value" to the tech industry.

But how did they get from $6 Trillion to $3 Trillion, even if they wrongly believed that the $3 Trillion was an annual number?  Simple.  The number of people on the Internet was predicted to double from 2015 to 2021.  If there are twice as many people, then there must be twice as much impact of cybercrime.  Right?  Wrong.

According to their report, the $6 Trillion in damages would consist of: 

• Damage and destruction of data
• Stolen money
• Lost productivity
• Theft of intellectual property
• Theft of personal and financial data
• Embezzlement
• Fraud
• Post-attack disruption
• Forensic investigation
• Restoration and deletion of hacked data
• Reputation harm

Ransomware Math 

Now if RANSOMWARE is the number one source of cybercrime damages, and ransomware is 0.33% of the total cost of cybercrime, what are the other 99.7% of the costs made of?  That's right.  Thin Air.

Please do me a favor? If you see someone quote the $6 Trillion Cost of Cybercrime, please send them a link to this story.  

It seems nearly every week that the Garda National Economic Crime Bureau (the GNECB) announces a new arrest in Operation SKEIN.  In a newly released featured interview, Ireland's "The Journal" had Detective Chief Superintendent Pat Lordan, and Superintendent Michael Cryan of the Garda National Economic Bureau discuss what they described as "a pandemic boom in scams." 

Chief Supt Lordan says "fraud has changed from a cottage industry to a global organized crime epidemic." 

Det Supt Michael Cryan and Det Chief Supt Pat Lordan lead the GNECB (photo from The Journal, click image for full story)

Cryan says: "It is at the highest level of scams. At the bottom of the ladder you have the money mule, a boy or girl letting money be laundered through their account.  Then there's the mule herder, who we have found in Ireland -- they are the next level up, acting as a handler for the mules.  There is a next level up then, managing operations across the region.  From examining phones we've seized we found messages from West Africa set to people in various countries. They send out a message to the herder looking for an account, for example, that can manage two or three thousand euro." 

Lordan says they have managed to recover more than 25 million Euros by freezing accounts before the full amount could be withdrawn, including $500,000 stolen from an American company based in Ireland.

The Egmont Group, a partnership of 166 financial intelligence agencies around the world, including the GNECB, has been a great help in recovering funds.  The FIU.net group within Europol has also been helpful in making contact with other police financial intelligence units.

Cryan says "the money is coming victims across the globe" citing an example of a €3.8 million transfer from Lebanon or Syria into an Irish account.  He claims at least €15 million from businesses in Chile, Russia, China, and Palestine are flowing into the country, but the directions for how to receive and handle the money? Those are coming from messages on the phones sent from West Africa.

Targeting The Young (Mules)

Operation Skein

The current focus of the Irish Garda is called Operation Skein.  The operation focuses on a form of international Business Email Compromise (BEC) that begins with Invoice re-direction fraud and ends with money being laundered through bank accounts first in Ireland and then around the world.  Operation SKEIN was launched in June of 2020.  The name is possibly based on the word used in Knitting.  A Skein of yarn (like these from an Irish knitting shop) is arranged so that when you pull the string, it just keeps feeding the knitter. High praise to the gardaí for continuing to pull the string and achieving arrest after arrest!

Three Skeins of Irish Yarn (thisisknit.ie)

Earlier and parallel operations include Operation Joggle and Operation Boxplot.  Both also involve Invoice Redirection Fraud, the preferred Garda term for what we would call BEC in the USA.   By reviewing Irish press and Garda Press Releases, we can learn just how extensive these on-going investigations have been.

A Long Skein of Arrests 

31JUL2020 - Operation Joggle - a man in his 30s arrested in relation to international invoice redirection frauds totaling  €110,000 in West-African directed fraud

21AUG2020 - Operation Joggle - a fourth arrest in Operation Joggle involving two international invoice redirection frauds totaling  €36,000. So far Operation Joggle has led to searches of fifteen premises in Dublin, Louth, Meath, Kildare, and Laois going back to September 2018.

#3/#4 - 14OCT2020 - two men, one in his teens and the other in his 40s were arrested after searches in Dundalk, Tralee, and Dublin.  At this time, over  €4,000,000 has been laundered through bank accounts in Ireland.  

29OCT2020 - a man in his 20s arrested as part of Operation Skein investigating invoice redirect fraud has now been charged. He was held at Tallaght Garda station. 

29NOV2020 - Operation Joggle - a man and woman arrested for trade-based money laundering as part of an ongoing investigation into a West African organised crime gang involved in trade-based money laundering worth €14.6 million over two years!)

#5/#6/#7 - 08DEC2020 - three men arrested after searches in Dublin 2 and Dublin 8.  All three are in their 20s.  

#9/#10 - 03FEB2021 -  a 37 year-old man and a 37 year-old woman were arrested (and the female released without charges) and "a large amount of stolen property was recovered" after searches in Dublin 9 and Dublin 12.  The property was purchased via the proceeds of Business Email Compromise / Invoice Re-Direct Frauds which occurred in Asia during December 2020.  Purchases were made in Dublin over the Christmas period in 2020.  (At this time, Operation Skein had identified €6,000,000 stolen worldwide of which €5,000,000 was laundered through accounts in Ireland.  90 suspects have been identified throughout the country!) Reporting in The Independent revealed that the man arrested in Crumlin was a Nigerian, and that the woman, arrested in the Santry area of Dublin, was from Ghana.  They were arrested after victim funds from Dubai and Hong Kong were duped in separate invoice redirect frauds.  Ireland's The Sun says the man, from Nigeria, is suspected of being a leader of the organised crime gang. Just in December, he moved €55,000 through one of his accounts. 

The two spend €33,000 in Grafton Street, Dublin, between St Stephen's Day and December 31. (photo from Independent.ie, click for their story)

More seizure photos from RTE.ie (click for story)

#11 - 25FEB2021 - a woman in her early 40s arrested after a search in Monaghen.

#15 -  15MAR2021 - The 15th individual arrested in Operation SKEIN was described as "extremely significant" by gardai speaking to Ken Foy of the Irish Independent.  Detectives found a number of fake ID documents at his home in Naas and said "this Nigerian national has played a key role in the international crime gang involved in the massive fraud operation.  He can be described as money management in that he is suspected of recruiting money mules and then managing their accounts. He decides what goes in and what goes out of the bank accounts and is deeply involved in the coordination of where the money goes."  He had been arrested two years earlier opening a bank account with his real name but a fake passport, and is believed to have been continuously involved in fraudulent finances since that time. He is closely tied to arrest #9 above, the 37 year old living in south Dublin "considered one of the main players in the mob." The investigation also revealed that the gang is using Irish-based women from Ghana and Zimbabwe in their schemes.

#16 - 19MAR2021 - a male juvenile arrested after searches in Tallaght, County Dublin. 

#17 - 07APR2021 - a 29 year-old woman arrested in Dublin. (The Garda Press Office actually called her #16, but we already had #16 and the next pair "bring to 19 the number arrested" so ...)

#18-19 - 15APR2021 - a man and woman in their late teens, arrested in Longford as part of both Operation BOXPLOT and Operation SKEIN were released without charges. 

15APR2021 - four men, ages 23 to 35, were arrested after searches in Cork, Tipperary, and Roscommon.  Three were arrested as part of Operation BOXPLOT, which targets a Criminal Organization based in the North Cork area, believed to be laundering the proceeds of international invoice re-direct (BEC) fraud through bank accounts in Ireland.  The fourth was arrested under Operation SKEIN, which targets a Criminal Organization based in Ireland involved in similar international criminal activity.  Later in the day, a fifth person was also arrested as part of BOXPLOT in County Westmeath.  

Reporting in the Sunday World (See "Five Men arrested in operation targeting multi million euro fraud") revealed that four of the men were Romanian and one was Nigerian.  Atttention was drawn to the group when a female associate was arrested in County Tipperary late last year when she attempted to withdraw €31,000.  The money was suspected of being the proceeds of an Invoice Redirect Fraud (BEC) where a Hungarian company was targeted by criminals in Ireland. "Senior sources" called the arrest of the Nigerian "highly significant" as he has close links to the main garda target of the operation which targets multi-million euro fraud.  Sunday World's source went on "What is unusual about this case is that it has shown that Romanian and Nigerian crime gangs are working together in Ireland in relation to a huge money laundering conspiracy.

According to The Journal, €65,000 was frozen in 14 bank accounts controlled by the Romanians, along with €31,000 in cash and €3,000 worth of alcohol.  The group was charged with laundering €1.5 million with funds from a variety of sources, including cyber fraud, organized prostitution, and theft. 

#WhoKnows - 16APR2021 - two additional people, another man and woman in their late teens, were also arrested in Longford as part of both Operation BOXPLOT and Operation SKEIN.  I give up on counting because this release says 5 people were arrested on 15APR and two more on 16APR "which brings to 19 the number of persons arrested."

18APR2021 - a man arrested in his 20s after a search in Clondalkin.

23APR2021 - a man in his 20s arrested after searches in Ennis, County Clare. 

02JUN2021 - Balbriggan, County Dublin - a 32 year-old man arrested who is said be the 3rd leader arrested in Operation SKEIN.  The criminal organization to which he belongs is said to have "stolen over €14 million worldwide in invoice redirect frauds/BEC frauds with at least €8 - €9 million laundered through the bank accounts of gang members and money mules all over Ireland." This man is described as a leader because of his role in recruiting money mules and directing the laundering of the proceeds of crime through multiple bank accounts.  A large amount of potential evidence was seized, including phones, laptops, bank cards, and other documents.  According to the Independent, the arrested man "is suspected of having links to the feared Nigerian crime organization called Black Axe." They continue, "The detained man is an expert computer programmer who works for a company who is contracted to a major multinational corporation based in Dublin." He is tied to >€10,000 in Smishing profits,  €60,000 in an Invoice Redirection fraud against an Irish company, and  €250,000 in fraud against an Irish bank. €120,000 in funds in another of his accounts may be linked to the proceeds of a major fraud in Germany in which there were five victims.  He is one of 30 arrested so far in 2021 as part of Operation SKEIN. 

18JUN2021 - a man in his 30s arrested after searches in Milltown area of Dublin 14. 

24JUN2021 - Limerick - a suspect in his late teens was detained for laundering  €139,211 through his bank account, sending invoice redirection fraud funds to Russia, Slovakia, Taiwan, India, and South Korea. The funds were then forwarded on, primarily to Turkey and Germany.

More Details From Court

American audiences may not understand that in Ireland and much of Europe, the name of an arrested person cannot be shared until the person is charged before a prosecutor, so in many cases, we do not yet know the names in the cases above.  But there are exceptions.

Steven Sylvester, aged 27, claimed asylum from Nigeria six years ago and has since married a woman from Dublin and had a child with her.  He continues to draw welfare from the state, living at The Alley Apartments, Fairgreen Street, in Naas, County Kildare. He faces five counts of money laundering, four charges of handling stolen ID cards, and one count of using a false passport to open bank accounts.  He was charged with receiving €190,000 in funds from invoice redirection fraud targeting businesses in Hong Kong, Finland, and the United States. The GNECB showed that he had used four stolen foreign ID cards to open bank accounts. He was released on €5,000 bail despite the protests of the GNECB.

 On Monday (19JUL2021) President Biden announced that the US and its allies were joining together to condemn and expose that China was behind a set of unprecedented attacks exploiting vulnerabilities in Microsoft Exchange servers conducted earlier this year.  The White House press release was titled: "The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People's Republic of China." 

After praising recent actions by world governments to condemn Russian ransomware attacks, today's memo goes on the offensive against China, reminding the world that the PRC intelligence enterprise hires contract hackers who operate both for the state and for their own profits.  Biden reminds us of charges brought against PRC Ministry of State Security (MSS) hackers in October 2018, July 2020, and September 2020 and says they have "engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft." Today additional charges were brought against additional MSS hackers.

While many court cases, agreements and foreign government statement were mentioned in the article, we thought it would be helpful to have all the links in one place.  In this article, we share links to the mentioned charges against MSS-sponsored hackers, indicators and characteristics of the APT40 attacks, including advisories from CISA and NSA, links to foreign government statements joining in condemning China's cyber attacks, and lastly, policy statements from G7, NATO, and EU supporting new Ransomware policy initiatives.

Justice.gov Previous Charges Against Chinese MSS-supported Hackers

The previous incidents referred to by the White House can be found on the Justice.gov website at the links below: 

30OCT2018 - "Chinese Intelligence Officers and their Recruited Hackers and Insiders conspired to steal sensitive commercial aviation and technological data for years" 

Zha Rong and Chai Meng were intelligence officers in the Jiangsu Province office of the Ministry of State Security (MSS).  Their hacking team included Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi and insiders of a French aviation company, Gu Gen and Tian Xi.  Their cyber attacks went back to at least 08JAN2010.  The indictment of these Chinese hackers which provides several aliases including leanov, Cobain, sxpdlcl, Fangshou, mer4en7y, jpxxav, zhuan86, and Sam Gu is available.

21JUL2020 - "Two Chinese Hackers working with the Ministry of State Security charged with Global Computer Intrusion Campaign targeting Intellectual Property and Confidential Business Information, including COVID-19 Research" 

LI Xiaoyu (李啸宇)and DONG Jiazhi (董家志).  The 27-page indictment of these Chinese hackers, which reveals Li's hacker handle of "Oro0lxy" and the fact they worked for Guangdong State Security Department, is also available from DOJ.

16SEP2020 - "Seven International Cyber Defendants, including 'APT41' actors, charged in connection with Computer Intrusion Campaigns against more than 100 victims globally."

Jiang Lizhi (蒋立志), Qian Chuan (钱川), and Fu Qiang (付强) operated Chengdu 404 Network Technology.   Zhang Haoran (张浩然) and Tan Dailin (谭戴林) of China were part of a conspiracy targeting the video gaming industry, along with Wong Ong Hua and Ling Yang Ching of Malaysia  who operated through Sea Gamer Mall.  A transcript of the press conference about these three indictments of Chinese hackers is available.

Justice.gov Newly revealed Charges

19JUL2021 - "Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research"

The current case charges that the Hainan state Security Department set up a shell company, Hainan Xiandun Technology Development Company (海南仙盾).  Three HSSD Intelligence officers, Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), interacted with a lead hacker at Hainan Xiandun, Wu Shurong (吴淑荣).  Working with his team, Wu and his hackers attacked universities and research facilities across the United States and the world, planting malware and stealing intellectual property.  The indictment against Ding, Cheng, Zhu, and Wu, which also uses the aliases Ding Hao, Manager Chen, Manager Cheng, Zhu Rong, and gives Wu Shurong's hacker aliases as goodperson and ha0r3n is available from justice.gov. 

Many research groups have referred to them and their malware by a variety of names, including APT40, Bronze, Mohawk, Feverdream, Goo65, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope, and Temp.Jumper.   A few reports on these would include: 

• FireEye - "APT40 Examining a China Nexus Espionage Actor" 
• Malpedia (at Fraunhofer.de) - "Leviathan" 
• Crowdstrike - "Two Birds One Stone Panda" - which also includes discussions of how MSS Technology/13th Bureau uses source code review to reveal Microsoft vulnerabilities to their hackers, such as APT40, prior to their public disclosure by Microsoft! 
• MITRE - Leviathan Group Report 

CISA.gov has released an APT40 TTP Advisory, available as "Alert (AA21-200A) Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department"

The Malware families and malicious tools named in the CISA advisory (with links to MITRE tool description pages) are:

• BADFLICK/Greencrash
• China Chopper [S0020]
• Cobalt Strike [S0154]
• Derusbi/PHOTO [S0021]
• Gh0stRAT [S0032]
• GreenRAT
• jjdoor/Transporter
• jumpkick
• Murkytop (mt.exe) [S0233]
• NanHaiShu [S0228]
• Orz/AirBreak [S0229]
• PowerShell Empire [S0363]
• PowerSploit [S0194]
• Server software component: Web Shell [TA1505.003]

NSA Advisory on Chinese State-Sponsored Cyber Operations

The National Security Agency, working with CISA.gov and the FBI, also released an advisory today, detailing in 31 pages more details about observed Tactics, Techniques, and Procedures (TTPs) used by Chinese hacking groups.  Their description, provides Tactics, Threat Actor Techniques, Threat Actor Procedures, and Defensive Tactics and Techniques using the MITRE ATT&CK and D3FEND models. Detailed Detection and Mitigation Recommendations are also shared for each tactic.

Just to share one example ... here is the way "TA0004" is described in the report.

International Coalition Joining In

European Union Press Release

ENISA, the European Union Agency for Cybersecurity, actually put out technical guidance on addressing Microsoft Exchange Vulnerabilities back in March, mentioning the LemonDuck cryptocurrency mining botnet, and DearCry Ransomware being delivered via these methods. At that time they referred to the first broad attackers using this technique as "Hafnium" (based on Microsoft's reporting of Hafnium Targeting Exchange Servers.)

NATO Press Release: Statement by the North Atlantic Council in solidarity with those affected by recent malicious cyber activities including the Microsoft Exchange Server compromise

Previous Ransomware Actions

The White House memo makes reference to three recent advances in international communications about cyber security, from the G7, NATO, and the EU.

In June, the G7 Summit Communique specifically called out Russia's inattention to Ransomware issues:

51. We reiterate our interest in stable and predictable relations with Russia, and will continue to engage where there are areas of mutual interest. We reaffirm our call on Russia to stop its destabilising behaviour and malign activities, including its interference in other countries’ democratic systems, and to fulfil its international human rights obligations and commitments. In particular, we call on Russia to urgently investigate and credibly explain the use of a chemical weapon on its soil, to end its systematic crackdown on independent civil society and media, and to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.

Also in June, the NATO Brussels Summit Communique reaffirmed the NATO Cyber Defence Pledge and again called out Russia's behavior:

12. In addition to its military activities, Russia has also intensified its hybrid actions against NATO Allies and partners, including through proxies.  This includes attempted interference in Allied elections and democratic processes; political and economic pressure and intimidation; widespread disinformation campaigns; malicious cyber activities; and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries.  It also includes illegal and destructive activities by Russian Intelligence Services on Allied territory, some of which have claimed lives of citizens and caused widespread material damage.  We stand in full solidarity with the Czech Republic and other Allies that have been affected in this way.

32.         Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent.  This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.  To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience.  Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law.  We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.  Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack. ( ... ) If necessary, we will impose costs on those who harm us.  Our response need not be restricted to the cyber domain.  We will enhance our situational awareness to support NATO’s decision-making.  Resilience and the ability to detect, prevent, mitigate, and respond to vulnerabilities and intrusions is critical, as demonstrated by malicious cyber actors’ exploitation of the COVID-19 pandemic.  NATO as an organisation will therefore continue to adapt and improve its cyber defences.  ...

The European Union held their US-EU Justice and Home Affairs summit on 21-22JUN2021.  European Commissioner Ylva Johansson, and US Secretary of Homeland Security Alejandro Mayorkas met along with the European External Actions Service, Europol, Eurojust, and others agreed to create a new U.S.-EU working group dedicated to fighting against ransomware.  DHS reporting of the event can be found as "Readout of Secretary Mayorkas’s Trip to Portugal."  The EU's reporting of the same event can be found as "Joint EU-US statement following the EU-US Justice and Home Affairs Ministerial Meeting."

6. The United States and the European Union acknowledged the need to cooperate and shape a digital future based on our shared democratic values. The United States and the European Union acknowledged the potential benefits and risks of using Artificial Intelligence technologies for law enforcement and the judiciary. They also reaffirmed their dedication to develop and use such technologies in a trustworthy manner in conformity with human rights obligations. They further exchanged views on current and upcoming European Union efforts on tackling illegal content online, including the need to improve the cooperation between the authorities and online platforms to detect ongoing criminal activity. The United States and the European Union commit to continue to work together on how law enforcement and judicial authorities can most effectively exercise their lawful powers to combat serious crime both online and offline. They agreed on the importance of together combating ransomware including through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals responsible, and to encourage those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory.

The US government and the White House like to talk tough on Ransomware.  If you listen to Joe Biden, fighting Ransomware is a top priority of the US Government.  He's spent time convincing the G7, NATO, and the EU to take pledges about how earnestly they want to fight Ransomware, a judge in Connecticut has decided that spammers who distribute Ransomware should walk free.

15OCT2007 - "Is Your Fifth Grader Smarter Than a Laughing Cat?"

17NOV2007 - "Private Detective Spam"

26DEC2007 - "A Stormy Christmas and a Botnet New Year" 

16JAN2008 - "Storm Loves You!"

06JUN2008 - "A Romantic June Storm"

01JUL2008 - "July Storm Worm gives us some Love" 

03JUL2008 - "Storm Worm Salutes Our Nation on the 4th!"

22JUL2008 - "Amero to Replace Dollar? Could Storm Worm Be Right?"

29JUL2008 - "FBI & Facebook: Storm Worm gets it all wrong!"

03JAN2009 - "Happy New Year! Here's a Virus! (New Year's Postcard Malware)"

25FEB2009 - "Money Tight? Watch out for Coupon Offers from CyberCriminals" 

16MAR2009 - "Waledac: Fake Dirty Bomb in Your City"

18MAR2009 - "Carders do battle through spam - carder.su" 

09APR2009 - "Is There a Conficker E? Waledac makes a move..."

15APR2009 - "Waledac shifts to SMS Spy Program" 

29APR2009 - "Waledac Moving on to . . . Canadian Pharmacy?"

03MAR2010 - "Spamming Botnets - Strategies welcome" 

03JUL2009 - "Are You Ready for Independence Day Fireworks? Waledac Is!"

31DEC2009 - "New Year's Waledac Card" 

In 2008, Levashov was secretly indicted for his spamming and Federal agents were deployed to Moscow to ask for Levashov.  I actually created a Google Map showing that every city in Russia had thousands of infected IP addresses that were being used to send the spam. Despite a mountain of evidence, he was protected.  He kept on spamming, but honestly, I gave up on there being any hope he would be captured.

After others tried to take down the Kelihos botnet, it re-emerged in the form of a Spam Campaign taking advantage of the Boston Marathon Bombing.  I attempted to get law enforcement interest in him again at that time. Surely a criminal who would use the Boston Marathon attack to relaunch the new version of his botnet would be worth interest.  Nothing.  I was reminded of 2009 and told "The Russians are protecting him."

10APR2013 - "New Spam Attack accounts for 62% of our spam!"

17APR2013 - "Boston Marathon explosion spam leads to Malware" 

18APR2013 - "Boston Explosion Spammer shifts to Texas Fertilizer Plant Explosion" 

TrendMicro confirmed this was Kelihos as well in their post: 

16APR2013 - "Kelihos Worm Emerges, Takes Advantage of Boston Marathon Blast" 

In 2016, we decided to try again, with the "Kelihos Must Die" task force.  We provided regular updates of the bad things Kelihos was doing.  Students in my lab, led by my friend (now) Dr. Arsh Arora, produced daily documentation of the behavior of the botnet, and we were starting to get excited that something might actually happen this time.  We believed that Kelihos was sending FOUR BILLION SPAM MESSAGES PER DAY, and took the time to prove it was delivering ransomware attacks, banking trojan attacks, and phishing attacks.  Levashov would send spam to deliver any payload you paid him to deliver.  

09JUL2016 - "Kelihos botnet delivering Dutch WildFire Ransomware"

04AUG2016 - "American Airlines spam from Kelihos delivers Ransomware"

12AUG2016 - "Kelihos botnet sending Panda Zeus to German and UK Banking Customers"

16AUG2016 - "Kelihos botnet sending geo-targeted Desjardins Phish to Canadians"

30AUG2016 - "Amazon Gift Card from Kelihos!"

14SEP2016 - "Long-Lived Pill Spam from Kelihos"

09NOV2016 - "Kronos Banking Trojan and Geo-Targeting from Kelihos"

30NOV2016 - "NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos"

01FEB2017 - "Kelihos infection spreading by Thumb Drive and continues geo-targeting" 

And then on April 20, 2017, it was over!  

Spanish authorities arrested Levashov in Barcelona and he was sent to the United States to stand trial. 

After initially pleading not guilty, he changed his plea to guilty on 12SEP2018.  He admitted controlling and operating Storm, Waledac, and Kelihos, and to disseminating spam that distributed other malware, including banking trojans and ransomware.  He admitted that he actively advertised the Kelihos botnet and his ability to deliver spam and malware and that he did so in order to enrich himself.  He admitted to stealing identities and credit cards and buying and selling them.

The US Prosecutor in the case filed this Sentencing Memo as he told the Judge what the Department of Justice thought should be done in this case: 

Overt Acts 1 to 17

Hushpuppi boasted on Instagram: "Quarter a million dollar watch as New Years gift to they self #RichardMille #RM1103 #EpainThem

The Penalties of Crime

"Defendant admits that all of the money laundering described above was sophisticated, extensive, and involved multiple persons." 

In the United States there are Sentencing Guidelines that are supposed to be used by the judge to ensure that sentences are standardized and consistent across different courts.  These sentencing guidelines are explained in the U.S. laws and each judge and prosecutor in Federal Courts is well aware of these guidelines.

The defendant agrees that these are fair interpretations of how to determine a sentence:

• Underlying Offense Level:  7 Points 
• Fraud Scheme outside the U.S. using Sophisticated Means:  +2 Points 
• Conviction under 18 USC § 1956 (which is the law on Money Laundering):  + 2 Points 
• Sophisticated Money Laundering: +2 Points 
• Financial Losses between $9.5 Million and $25 Million:  +20 points 

===============

Total Sentencing Guideline Points: 33 Points

According to the Sentencing Guidelines Table available on the United States Sentencing Commission website, a 33 Point offense with no previous criminal history SHOULD indicate a sentence of between 135 and 168 months, or 11 1/4 to 14 years.

Hushpuppi and his lawyer both understand this and have signed the plea agreement anyway.  While there may be extenuating circumstances lying behind some of the redacted pages, here is Hushpuppi's signature to these terms:

However, who is to say what else may be stated in the plea agreement behind all of the Redaction markings? Seven pages of the 29 page document look like this!  

Alaumary's Guilty Plea Sentencing Guidelines calculation

 The Taliban announced the leadership of their new Afghan government this week.  As expected, there were many familiar names to those who follow terrorism sanctions.  What does this mean for financial organizations who do business with Afghanistan?  Probably too early to tell.  This will likely be "a living document" as we update it with new information as we have time to integrate it.

Our first pass it to provide UN Sanctions designations where possible.  All "TAi" indications come from the current UN Security Commissions Consolidated Sanctions List as retrieved on 08SEP2021.

Mullah Muhammad Hassan Akhund - Prime Minister

TAi.002  Name: 1: MOHAMMAD 2: HASSAN 3: AKHUND 4: na
Name (original script): محمد حسن آخوند
Title: a) Mullah b) Haji Designation: a) First Deputy, Council of Ministers under the Taliban regime b) Foreign Minister under the Taliban regime c) Governor of Kandahar under the Taliban regime d) Political Advisor of Mullah Mohammed Omar DOB: a) Approximately 1955-1958 b) Approximately 1945-1950 POB: Pashmul village, Panjwai District, Kandahar Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghan Passport no.: na National identification no.: na Address: na Listed on: 25 Jan. 2001 (amended on 3 Sep. 2003, 20 Dec. 2005, 9 Jul. 2007, 21 Sep. 2007, 29 Nov. 2011 ) Other information: A close associate of Mullah Mohammed Omar (TAi.004). Member of Taliban Supreme Council as at Dec. 2009. Belongs to Kakar tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 21 Jul. 2010.

Mullah Abdul Ghani Baradar - 1st Deputy to Prime Minister

TAi.024  Name: 1: ABDUL GHANI 2: BARADAR 3: ABDUL AHMAD TURK 4: na
Name (original script): عبدالغنی برادر عبد الاحمد ترک
Title: Mullah Designation: Deputy Minister of Defence under the Taliban regime DOB: Approximately 1968 POB: Yatimak village, Dehrawood District, Uruzgan Province, Afghanistan Good quality a.k.a.: a) Mullah Baradar Akhund b) Abdul Ghani Baradar (previously listed as) Low quality a.k.a.: na Nationality: Afghan Passport no.: na National identification no.: na Address: na Listed on: 23 Feb. 2001 (amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 13 Feb. 2012 ) Other information: Arrested in Feb. 2010 and in custody in Pakistan. Extradition request to Afghanistan pending in Lahore High Court, Pakistan as of June 2011. Belongs to Popalzai tribe. Senior Taliban military commander and member of Taliban Quetta Council as of May 2007. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010.

Maulvi Abdul Salam Hanafi (Uzbek) - 2nd Deputy to Prime Minister

TAi.027  Name: 1: ABDUL SALAM 2: HANAFI 3: ALI MARDAN 4: QUL
Name (original script): عبدالسلام حنفی علی مردان قل
Title: a) Mullah b) Maulavi Designation: Deputy Minister of Education under the Taliban regime DOB: Approximately 1968 POB: a) Darzab District, Faryab Province, Afghanistan b) Qush Tepa District, Jawzjan Province, Afghanistan Good quality a.k.a.: a) Abdussalam Hanifi b) Hanafi Saheb Low quality a.k.a.: na Nationality: Afghan Passport no.: na National identification no.: na Address: na Listed on: 23 Feb. 2001 (amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 27 Sep. 2007, 1 Feb. 2008, 29 Nov. 2011 ) Other information: Taliban member responsible for Jawzjan Province in Northern Afghanistan until 2008. Involved in drug trafficking. Believed to be in Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010.

Maulvi Mohammad Yaqub Mujahid - Minister of Defense

Alhaj Mullah Siraj Ud Din Haqqani - Interior Minister (H)

The new Interior Minister is also on the FBI Most Wanted list!

https://www.fbi.gov/wanted/terrorinfo/sirajuddin-haqqani/

Maulvi Ameer Khan Muttaqi - Foreign Minister

TAi.026 Name: 1: AMIR KHAN 2: MOTAQI 3: na 4: na
Name (original script): امیر خان متقی
Title: Mullah Designation: a) Minister of Education under the Taliban regime b) Taliban representative in UN-led talks under the Taliban regime DOB: Approximately 1968 POB: a) Zurmat District, Paktia Province, Afghanistan b) Shin Kalai village, Nad-e-Ali District, Helmand Province, Afghanistan Good quality a.k.a.: Amir Khan Muttaqi Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Member of the Taliban Supreme Council as at June 2007. Believed to be in Afghanistan/Pakistan border area. Belongs to Sulaimankhel tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 21 Jul. 2010. 

Mullah Hidayatullah Badri (Gul Agha) - Finance Minister

TAi.147 Name: 1: GUL 2: AGHA 3: ISHAKZAI 4: na
Name (original script): كُل آغا اسحاقزی
Title: na Designation: na DOB: Approximately 1972 POB: Band-e Temur, Maiwand District, Kandahar Province, Afghanistan Good quality a.k.a.: a) Mullah Gul Agha b) Mullah Gul Agha Akhund Low quality a.k.a.: a) Hidayatullah b) Haji Hidayatullah c) Hayadatullah Nationality: na Passport no: na National identification no: na Address: Pakistan Listed on: 20 Jul. 2010 ( amended on 29 Nov. 2011, 31 Dec. 2013 ) Other information: Member of a Taliban Council that coordinates the collection of zakat (Islamic tax) from Baluchistan Province, Pakistan. Head of Taliban Financial Commission as at mid-2013. Associated with Mullah Mohammed Omar (TAi.004). Served as Omar's principal finance officer and one of his closest advisors. Belongs to Ishaqzai tribe. 

Sheikh Maulvi Noorullah Munir - Education Minister

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Khairullah Khairkhwa - Minister Information and Culture

TAi.093 Name: 1: KHAIRULLAH 2: KHAIRKHWAH 3: na 4: na
Name (original script): خيرالله خيرخواه
Title: a) Maulavi b) Mullah Designation: a) Governor of Herat Province under the Taliban regime b) Spokesperson of the Taliban regime c) Governor of Kabul province under the Taliban regime d) Minister of Internal Affairs under the Taliban regime DOB: Approximately 1963 POB: Poti village, Arghistan district, Kandahar province, Afghanistan Good quality a.k.a.: a) Mullah Khairullah Khairkhwah b) Khirullah Said Wali Khairkhwa, born in Kandahar on 01 Jan.1967 Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 3 Oct. 2008, 12 Apr. 2010, 29 Nov. 2011, 31 Dec. 2013, 7 Sep. 2016 ) Other information: Belongs to Popalzai tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010. 

Qari Din Hanif - Minister of Economy 

TAi.043 Name: 1: DIN MOHAMMAD 2: HANIF 3: na 4: na
Name (original script): دین محمد حنیف
Title: Qari Designation: a) Minister of Planning under the Taliban regime b) Minister of Higher Education under the Taliban regime DOB: Approximately 1955 POB: Shakarlab village, Yaftali Pain District, Badakhshan Province, Afghanistan Good quality a.k.a.: a) Qari Din Mohammad b) Iadena Mohammad born 1 Jan. 1969 in Badakhshan Low quality a.k.a.: na Nationality: Afghanistan Passport no: OA 454044, issued in Afghanistan National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 9 Jul. 2007, 21 Sep. 2007, 29 Nov. 2011, 25 Oct. 2012, 7 Sep. 2016 ) Other information: Member of Taliban Supreme Council responsible for Takhar and Badakhshan provinces. Believed to be in Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. 

Sheikh Maulvi Noor Muhammad Saqib - Minister Hajj and Religious Affairs

TAi.110 Name: 1: NOOR MOHAMMAD 2: SAQIB 3: na 4: na

Name (original script): نور محمد ثاقب
Title: na Designation: Chief Justice of Supreme Court under the Taliban regime DOB: Approximately 1958 POB: a) Bagrami District, Kabul Province, Afghanistan b) Tarakhel area, Deh Sabz District, Kabul Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Member of Taliban Supreme Council and Head of Taliban Religious Committee. Belongs to Ahmadzai tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010.

Maulvi Abdul Hakim Sharia - Minister of Justice

(no apparent UN sanctions under TAi - please provide more information in comments below!)
possibly QDi.120

Mullah Noorullah Noori - Minister for Borders and Tribal Affairs

TAi.089 Name: 1: NURULLAH 2: NURI 3: na 4: na
Name (original script): نور الله نوری
Title: Maulavi Designation: a) Governor of Balkh Province under the Taliban Regime b) Head of Northern Zone under the Taliban regime DOB: a) Approximately 1958 b) 1 Jan. 1967 POB: Shahjoe District, Zabul Province, Afghanistan Good quality a.k.a.: Norullah Noori Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011, 31 Dec. 2013, 7 Sep. 2016 ) Other information: Belongs to Tokhi tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 29 Jul. 2010. 

Mullah Muhammad Younas Akhundzada - Minister for Rural Rehabilitation and Development

(no apparent UN sanctions - please provide more information in comments below!)

Sheikh Muhammad Khalid - Minister for Dawat & Irshaad (Preaching and Guidance) and Amr Bil Maroof Wa Anil Munkar 

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Abdul Mannan Omari - Minister for Public Works

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Muhamad Essa Akhund - Minister for Mines and Petroleum

TAi.060 Name: 1: MOHAMMAD ESSA 2: AKHUND 3: na 4: na
Name (original script): محمد عیسی آخوند
Title: a) Alhaj b) Mullah Designation: Minister of Water, Sanitation and Electricity under the Taliban regime DOB: Approximately 1958 POB: Mial area, Spin Boldak District, Kandahar Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Belongs to Nurzai tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. 

Mullah Abdul Latif Mansoor - Minister for Water and Power

TAi.007 Name: 1: ABDUL LATIF 2: MANSUR 3: na 4: na
Name (original script): عبد اللطيف منصور
Title: Maulavi Designation: Minister of Agriculture under the Taliban regime DOB: Approximately 1968 POB: a) Zurmat District, Paktia Province, Afghanistan b) Garda Saray District, Paktia Province, Afghanistan Good quality a.k.a.: a) Abdul Latif Mansoor b) Wali Mohammad Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 31 Jan. 2001 ( amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 13 Feb. 2012, 18 May 2012, 22 Apr. 2013 ) Other information: Taliban Shadow Governor for Logar Province as of late 2012. Believed to be in Afghanistan/Pakistan border area. Belongs to Sahak tribe (Ghilzai). Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. I

Hameedullah Akhundzada - Minister for Civil Aviation & Transport

(no apparent UN sanctions - please provide more information in comments below!)

Abdul Baqi Haqqani - Minister for Higher Education

Not a positive match ==> possibly TAi.038  Please comment if you can clarify!

TAi.038 Name: 1: ABDUL BAQI 2: BASIR 3: AWAL SHAH 4: na
Name (original script): عبد الباقي بصير أول شاه
Title: a) Maulavi b) Mullah Designation: a) Governor of Khost and Paktika provinces under the Taliban regime b) Vice-Minister of Information and Culture under the Taliban regime c) Consular Department, Ministry of Foreign Affairs under the Taliban regime DOB: Between 1960 and 1962 (Approximately ) POB: a) Jalalabad City, Nangarhar Province, Afghanistan b) Shinwar District, Nangarhar Province, Afghanistan Good quality a.k.a.: Abdul Baqi (previously listed as) Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 7 Sep. 2007, 21 Sep. 2007, 29 Nov. 2011, 13 Aug. 2012 ) Other information: Believed to be in Afghanistan/Pakistan border area. Taliban member responsible for Nangarhar Province as at 2008. Until 7 Sep. 2007 he was also listed under number TAi.048. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010.

Najibullah Haqqani - Minister for Communications

Ai.071 Name: 1: NAJIBULLAH 2: HAQQANI 3: HIDAYATULLAH 4: na
Name (original script): نجیب الله حقانی هدايت الله
Title: Maulavi Designation: Deputy Minister of Finance under the Taliban regime DOB: 1971 POB: Moni village, Shigal District, Kunar Province Good quality a.k.a.: Najibullah Haqani Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: Afghan national identification card (tazkira) number 545167 (issued in 1974) Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 27 Sep. 2007, 29 Nov. 2011, 16 May 2014 ) Other information: Cousin of Moulavi Noor Jalal. Grandfather’s name is Salam. Taliban member responsible for Laghman Province as of late 2010. Believed to be in Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010. 

Khalil ur Rehman Haqqani - Minister for Refugees

TAi.150 Name: 1: KHALIL 2: AHMED 3: HAQQANI 4: na
Name (original script): خلیل احمد حقانی
Title: Haji Designation: na DOB: a) 1 Jan. 1966 b) Between 1958 and 1964 POB: Sarana Village, Garda Saray area, Waza Zadran District, Paktia Province, Afghanistan Good quality a.k.a.: a) Khalil Al-Rahman Haqqani b) Khalil ur Rahman Haqqani c) Khaleel Haqqani Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: a) Peshawar, Pakistan b) Near Dergey Manday Madrasa in Dergey Manday Village, near Miram Shah, North Waziristan Agency (NWA), Federally Administered Tribal Areas (FATA), Pakistan c) Kayla Village, near Miram Shah, North Waziristan Agency (NWA), Federally Administered Tribal Areas (FATA), Pakistan d) Sarana Zadran Village, Paktia Province, Afghanistan Listed on: 9 Feb. 2011 ( amended on 1 Jun. 2012 ) Other information: Senior member of the Haqqani Network (TAe.012), which operates out of North Waziristan in the Federally Administered Tribal Areas of Pakistan. Has previously traveled to, and raised funds in, Dubai, United Arab Emirates. Brother of Jalaluddin Haqqani (TAi.040) and uncle of Sirajuddin Jallaloudine Haqqani (TAi.144).

Mullah Abdul Haq Wasiq - Director General of Intelligence

TAi.082 Name: 1: ABDUL-HAQ 2: WASSIQ 3: na 4: na
Name (original script): عبد الحق وثيق
Title: Maulavi Designation: Deputy Minister of Security (Intelligence) under the Taliban regime DOB: a) 1971 b) Approximately 1975 POB: Gharib village, Khogyani District, Ghazni Province, Afghanistan Good quality a.k.a.: a) Abdul-Haq Wasseq b) Abdul Haq Wasiq Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 31 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 3 Oct. 2008, 29 Nov. 2011, 31 Dec. 2013, 11 Feb. 2014, 7 Sep. 2016 ) Other information: Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. 

Haji Muhammad Idris - Director General of Afghanistan Bank

(no apparent UN sanctions - please provide more information in comments below!)

Maulvi Ahmed Jan Ahmadi - Director General of Administrative Affairs

Possibly TAi.159 - but unclear.  If you can help clarify, please comment below

TAi.159 Name: 1: AHMED JAN 2: WAZIR 3: AKHTAR MOHAMMAD 4: na
Name (original script): احمد جان وزیر اختر محمد
Title: na Designation: Official of the Ministry of Finance during the Taliban regime DOB: 1963 POB: Barlach Village, Qareh Bagh District, Ghazni Province, Afghanistan Good quality a.k.a.: a) Ahmed Jan Kuchi b) Ahmed Jan Zadran Low quality a.k.a.: na Nationality: na Passport no: na National identification no: na Address: na Listed on: 6 Jan. 2012 ( amended on 31 Dec. 2013, 11 Feb. 2014 ) Other information: Key commander of the Haqqani Network (TAe.012), which is based in Afghanistan/Pakistan border area. Acts as deputy, spokesperson and advisor for Haqqani Network senior leader Sirajuddin Jallaloudine Haqqani (TAi.144). Liaises with the Taliban Supreme Council. Has travelled abroad. Liaises with and provides Taliban commanders in Ghazni Province, Afghanistan, with money, weapons, communications equipment and supplies. Reportedly deceased as of 2013. 

Mullah Muhammad Fazil Mazloom Akhund - Deputy to Defense Minister

TAi.023 Name: 1: FAZL MOHAMMAD 2: MAZLOOM 3: na 4: na
Name (original script): فضل محمد مظلوم
Title: Mullah Designation: Deputy Chief of Army Staff of the Taliban regime DOB: Between 1963 and 1968 POB: Uruzgan, Afghanistan Good quality a.k.a.: a) Molah Fazl b) Fazel Mohammad Mazloom Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 3 Oct. 2008, 31 Dec. 2013, 7 Sep. 2016 ) Other information: Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010.

Qari Fasihuddin (Tajik) - Chief of Army

(said to be killed by airstrike according to the Afghanistan Ministry of Defense) 

https://twitter.com/MoDAfghanistan/status/1169927836813209600

Sher Muhammad Abbas Stanakzai - Deputy Foreign Minister

https://en.wikipedia.org/wiki/Sher_Mohammad_Abbas_Stanikzai

Maulvi Noor Jalal - Deputy Interior Minister 

(no apparent UN sanctions - please provide more information in comments below!)

Zabihullah Mujahid - Deputy Minister of Information and Broadcasting

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Taj Mir Jawad - 1st Deputy to Intelligence Chief (H)

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Rahmatullah Najib - Administrative Depty to Intelligence Chief

possibly TAi.137 - if you can clarify, please comment below!

TAi.137 Name: 1: RAHMATULLAH 2: KAKAZADA 3: na 4: na
Name (original script): رحمت الله کاکا زاده
Title: a) Maulavi b) Mullah Designation: Consul General, Taliban Consulate General, Karachi, Pakistan DOB: 1968 POB: Zurmat District, Paktia Province, Afghanistan Good quality a.k.a.: a) Rehmatullah b) Kakazada Low quality a.k.a.: Mullah Nasir Nationality: Afghanistan Passport no: D 000952, issued on 7 Jan. 1999, issued in Afghanistan National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 25 Jul. 2006, 18 Jul. 2007, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Taliban member responsible for Ghazni Province, Afghanistan, as of May 2007. Head of an intelligence network. Believed to be in Afghanistan/Pakistan border area. Belongs to Suleimankheil tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 21 Jul. 2010. 

Mullah Abdul Haq Akhund  - Deputy Minister of Interior for Counter Narcotics Affairs 

possibly TAi.051 - if you can clarify,please comment below!

TAi.051 Name: 1: ABDULHAI 2: MOTMAEN 3: na 4: na
Name (original script): عبدالحی مطمئن
Title: Maulavi Designation: a) Director of the Information and Culture Department in Kandahar Province under the Taliban regime b) Spokesperson of the Taliban regime DOB: Approximately 1973 POB: a) Shinkalai village, Nad-e-Ali District, Helmand Province, Afghanistan b) Zabul Province, Afghanistan Good quality a.k.a.: Abdul Haq son of M. Anwar Khan (عبد الحق ولد محمد انور خان) (Afghan passport number OA462456, issued on 31 Jan. 2012 (11-11-1390) by the Afghan Consulate General in Peshawar, Pakistan) Low quality a.k.a.: na Nationality: Afghanistan Passport no: Afghanistan number OA462456, issued on 31 Jan. 2012 (issued under the name of Abdul Haq) National identification no: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011, 31 Dec. 2013, 16 May 2014 ) Other information: Family is originally from Zabul, but settled later in Helmand. Member of the Taliban Supreme Council and spokesperson for Mullah Mohammed Omar (TAi.004) as of 2007. Believed to be in Afghanistan/Pakistan border area. Belongs to Kharoti tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010. 

 If you live in the United States and have an AT&T phone, you are almost certainly receiving SMS messages that look something like this:

AT&T Free Msg: August bill is paid. Thanks, MARY! Here's a little gift for you: n9cxr[.]info/dhmxmcmBTQ (from +1 (718) 710-0863) 

or 

AT&T Free Msg: August bill processed. Thanks, Mary! Here's a little something for you: l4bsn[.]info/C2Lx3oggFi (from +1 (332) 220-7291) 

or 

AT&T Free Msg: Latest bill is paid. Thanks, Fedencia!  Here's a little freebie for you: k5amw[.]info/VloTBdytEl  (from +1 (870) 663-5472) 

AT&T has sort of trained us that it's cool to get messages from them with links in them.  Every time your bill is available, or paid, or has a new charge, you get a text message from them that starts with "AT&T Free Msg:" and ends with a link such as "att.com/myattapp" or "att.com/myViewBill."

This is where some independent amateur researchers make a mistake.  If you visit the URL in the first message from your Windows computer, you are automagically forwarded to Google.

Once I change my Chrome Virtual Machine to pretend to be "Safari on iPhone" we revisit the URL that was sent to my phone: 

Notice on line 5 that where it previously said I was "Windows NT 10" it nows says I am "(iPhone; CPU iPhone OS 9_2 like Mac OS X)." (Which is super out-of-date, but apparently good enough for this criminal's scheme, because now I get this!

We've written several times in the past about these never-ending surveys.  Their objective is to gather as much personal data from you as they can and to show you as many advertisements as they can.  They then experience revenue by both showing you ads during the survey, but also by selling the personal information that they gather you to organizations that need "qualified sales leads."  They will tell those organizations that you are looking for things like savings on college tuition, health insurance, car insurance, electronics, a new vehicle, etc, and you will start getting more spam messages from those organizations who will have believed that you asked for their spam! 

We asked our friends at Zetalytics, via their Zone Cruncher tool, "So where in the world is the IP address n9cxr[.]info?"  They told us that it is located in Hong Kong on a server that is hosted by Alibaba Inc.  

That's very interesting!  Thanks, Zetalytics!  Could you also tell us OTHER DOMAIN NAMES that have recently been seen on that same IP address?  After all, we've received three such domains in the three messages that I received on my personal phone!

All of those domains are of course registered at the scummy domain registrar NameCheap.  They claim that if we inform them of bad domains, they will de-register them.  Once I post this, I'll send them a copy and report back what happens.

By the way, the content is not exactly the same with each visit.  My next visit to the n9cxr URL gave me this pop-up instead:

So how are we getting to the fake AT&T page?  That's where a tool that CAUCE Director Neil Schwartman showed me comes in.  While I don't recommend the company necessarily, this little Chrome plug-in is gold for mapping out redirect paths!  (Search for the Chrome Extension "Ayima Redirect Path" and please remember you should only be reviewing potentially hostile URLs in a Virtual Machine!)

What does all that mean? It tells us that the first URL's webserver claimed that the page we were looking for "dhmxmcmBTQ" had been temporarily redirected to "themechallenge[.]club" and that we should ask that server for a particular "key."

That key caused the server to send us a Javascript that redirected us to another URL on their website, which in turn did a "META Redirect" to the webserver "go.metreysi[.]info" where we should tell them we were sent by a certain "cnv_id."  That server then pretended that we had clicked on it, and sent us via another "302 temporary redirect" to a webserver called "redirect.usersupport[.]net." UserSupport then did yet another redirect which took us to the webside "att.usersupport[.]net."

More domains to look up in ZoneCruncher!

https://themechallenge[.]club/click.php?key=abrrkduwznt79g18cx66

go.metreysi[.]info => hosted on LeaseWeb at 23.108.57[.]187
redirect.usersupport[.]net => hosted on 2606:4700:3032::6815:2b25

att.usersupport[.]net => hosted on 2606:4700:3031::ac43:da02

I'm guessing that all of these other "go" sites that are sharing the same IP address will also be involved in illegal "redirection" scams that start off with SMS Blasting.

By the way, do you remember the "key" we had to pass?  In a similar way to our User-Agent, if you visit one of these sites and fail to pass it a "key" it will just redirect you to 127.0.0.1, which means, "visit your own machine." 

Not just AT&T!

One of Zetalytics other tricks is being able to show me other hostnames on the same domain.  (The term for this is called "PassiveDNS")

It looks like "UserSupport[.]net" is also being used to imitate TikTok, CostCo, Walmart, and Google, shipping company UPS, FedEx, and US Postal Service, and Cell phone providers, AT&T, Comcast, Spectrum, T-Mobile, and Verizon!

Because I haven't received those particular SMS messages, I can't navigate to them.  (I have the wrong "key" to get the chain started.) But I'd love to see some more of these if you would be willing to share a screenshot! 

List of SMS-spam-abusing .info (and .xyz) domains believed to be associated with these campaigns.  It sort of makes sense that there are exactly 100 of them.

1find[.]info

1fwnx[.]info

1nvc[.]info

2edcc[.]info

2gtex[.]info

2ofgm[.]info

3mgie[.]info

3ohmd[.]info

4gogm[.]info

4onnr[.]info

4onnr[.]info

6ghme[.]info

6nbfu[.]info

6omrf[.]info

6wqbv[.]info

7botm[.]info

7gboe[.]info

7gboe[.]info

7uwhn[.]info

7wxcd[.]info

8bmxw[.]info

9bmdx[.]info

a2sct[.]info

a7tev[.]info

appsc[.]info

appsf[.]info

bjdz2[.]xyz

bmeq9[.]info

bookc[.]info

bookx[.]info

cartm[.]info

cartm[.]info

cartz[.]info

faceg[.]info

faceg[.]info

faceh[.]info

facem[.]info

faceu[.]info

facey[.]info

fuwd2[.]info

gg0l[.]info

gi3t[.]info

gi3t[.]info

gitn4[.]info

goen4[.]info

gotr6[.]info

gr8f[.]info

havec[.]info

havec[.]info

havec[.]info

havec[.]info

havec[.]info

havec[.]info

havej[.]info

havew[.]info

hidej[.]info

hidej[.]info

hidem[.]info

hidep[.]info

hidep[.]info

j1bcs[.]info

j1bcs[.]info

j2bmf[.]info

k2ave[.]info

k4acr[.]info

k4acr[.]info

k8bvz[.]info

kpl5[.]info

kpp8[.]info

kpp8[.]info

kse0[.]info

ktf4[.]info

l1bmz[.]info

l5brv[.]info

lgte3[.]info

m2cxn[.]info

m6cda[.]info

mbdz2[.]xyz

mqbvn[.]info

n4csv[.]info

n9cxr[.]info

nameb[.]info

pexw0[.]xyz

qkkk2[.]xyz

raini[.]info

rainl[.]info

rainz[.]info

s1vrk[.]info

s2avr[.]info

s2avr[.]info

s4asc[.]info

s6axe[.]info

s7axm[.]info

s8avx[.]info

toer9[.]info

toer9[.]info

vbjh9[.]xyz

wodm7[.]info

wordc[.]info

wosn9[.]info