Don’t Trust Online Ads! The Newly Discovered Use of Zeus

May 18th, 2011

That ad displayed in the header of the webpage you are viewing; you weren’t supposed to see that… The website owner had a very special ad in mind for you, based in part on the articles you read on the site. But that doesn’t matter, you see: your computer was infected by Zeus and is part of a botnet, a network of computers that serve as robots to a botmaster.

One of the unique aspects of Zeus that few, if any, recognized in the past is that Zeus will block ads from being displayed on certain sites and will instead serve you an ad the botmaster wants you to see. Those ads can include malware to increase the botnet size, phishing schemes or simply ads the botmaster gets paid to deliver.

The cool, scary, freaky (you pick the adjective) part is that the website has no clue what ad the user is seeing, but when a user gets infected, they blame the infection on the site. (I.e., “I was on MSNBC.com and my computer got infected with a virus,” resulting in the loss of an MSNBC user.)

Over the last year the biggest name in botnets has been Zeus. The software package, created by an unknown hacker, was built to take over computer systems, steal their users’ data, and grow a network of zombie “bot” computers waiting to be instructed on what task to do next.

Security firm after security firm has been trying to reverse engineer Zeus to see exactly how it does what it does, in the hope of building a tool to block or remove it from systems.

It has been a struggle, but recently things changed…

Just last week the full source code for Zeus was made available for free download on the cyber underground. And now those security firms can truly dissect how Zeus works.

A lot of time and energy will be spent looking into how Zeus compromises a computer, how it circumvents anti-virus and/or security software and how to stop it.

Fixes will be released in the coming weeks if not days, and though these fixes will address some pieces of the code, they will likely fall short of full protection because every criminal who has been using the software has been modifying it to their tastes. But I digress.

Honestly, I’m not smart enough to truly understand how the computers are taken over. In that regard I am very similar to those criminals using the software… We don’t really care how it does it; rather, we care how we can make money by using it.

To that end, the fact that Zeus controls the ads infected users see has a very big “wow” factor.

When it comes to cybercrime and botnet discussions, most of the focus is on the theft of a user’s username and password for bank records, credit cards and financial institutions. These are big money makers that are easy to understand, meaning we all understand that someone steals your “credentials” and then impersonates you online to make purchases, wire money or even apply for loans.

What is rarely focused on are the other schemes that involve your friends, your online habits and other uses of the data.

When the creator of Zeus included the ability to substitute the advertisement users saw on certain websites, he/she likely considered it a propagation tool. Given the size of the program, over 6 MB, it is likely the initial infection came from a malware-laden ad that was placed on a site through the use of a stolen credit card, or through a person being tricked into a minor download. Once that infection occurred, the ads would be taken over and a new payload would be delivered by controlling the sites/ads the user viewed. The process is piecemeal until the full software package is in place and the computer has been zombie-ized. (Please understand I am just theorizing here.)

But its criminal uses are so much more. (It should be noted that when I was an FBI agent, I worked undercover online devising criminal schemes with hackers to steal data. One hacker actually called me a “criminal mastermind” prior to my scheme being run and the FBI busting him/us.)

Every day hundreds of millions of people view online ads. In fact, online advertising is a $26 billion industry. Companies spend billions to devise better algorithms to serve the right ad to the right user to try to ensure a sale. Laws are being bandied about and debated on how to limit what companies can collect about the user and what they can do with the data they do collect.

So if I have a tool that allows me to push my ads to everyone no matter which site they are on, and to make sure those users sign up for those offers, well, now I’m a billionaire.

To understand this you have to understand the basics of the online ad industry.

Websites charge advertisers a fee for displaying their ads on the site. These fees are either per click, aka CPC (someone clicks on your ad, you pay the site $1.00), or per 1000 views, aka CPM (your ad is displayed 1000 times on the site, you pay the site $1.00).

But website owners cannot have contact with every advertiser out there. As such they outsource the management and display of ads on their sites to third-party ad servers who “serve up the ads on the site.”

On the flip side, advertisers/companies do not have a large enough sales force to go to all the websites, negotiate CPC and CPM prices and then monitor all the traffic.

Instead they work with ad networks and pay those networks a bounty for every person who comes to the company’s site and signs up. This model is called CPA, or cost per acquisition.

But again, the ad network is not large enough to handle all the sites to arrange display ads, so the ad network sub-contracts the display of advertisements, known as media buys, to independent marketers known as affiliates. In doing this, the affiliate is paid between 80-85% of the bounty/commission the ad network receives from the company/merchant/advertiser, but the affiliate also has to pay the website owners or ad servers on a CPC or CPM pricing model.

The more traffic and sign-ups the affiliate sends through, the more money they make. CPA offers can range from $.25 per sign-up to $350 per sale.

This is where the abuse, fraud, schemes and scams come into play. The affiliates have to pay to get their ads on certain sites, and once there, there is no guarantee people will click on them or sign up for the offer.

How do you get people to click on ads or sign up for offers while spending the least amount of money?

It seems almost every day that “affiliates” come up with new and “interesting” ways to drive traffic and profit, from Flogs (fake blogs) to Content Unlock to Cookie stuffing.

(Online Intelligence, the firm I work for, monitors traffic and its sources to try to ensure those signing up for offers are real people and that they were not tricked or misled by the advertisement.)

Now we know Zeus was included in the mix.

A Zeus-backed botnet can not only determine which advertisement the computer user sees, it can also be used to “sign up” for the offers without the user knowing.

CNN, MSNBC, WSJ, FOX, etc. may not have been infected by Zeus. Rather, the users’ computers were infected, and when they went to those sites, the requests for “ads” were hijacked and the botmaster’s “special” ads were shown instead. Amongst those ads are ads touting investment vehicles that have been revealed to actually be con jobs intent on stealing your money and your banking information, malware downloads and adware. In other cases the ads are only those of a partner affiliate marketer. And without the user knowing, the credentials that have been stolen from the computer are being used to sign up for an Acai berry product or a work-from-home packet. The cost to the consumer is $79.99 per month. The commission payment to the affiliate is $39.50 per sign-up; with 100 fake sign-ups a day the affiliate is making $3950/day or $122,000 per month. The cost to the affiliate to drive the traffic…. $0.

As a defense of the affiliate marketers, they too may be victims, as they may be buying traffic from a third party. These third parties will guarantee a certain number of website page views per month for a relatively low fee, and affiliates will gladly pay, not knowing that the traffic is not real but rather botnet driven.

Some of the third-party traffic sellers are botmasters, while others are affiliates who have been banned from networks and are now working with/for “cleaner” affiliates. (Botmasters often rent the use of their botnets to others to use as they choose, such as spam, phishing, credential stealing, and now, it appears, display ads.)

Zeus software also looks to include a “layer technology” piece. For those websites where the software does not hijack/redirect the ad-serving calls, it simply fits an overlay on top of the ad space and displays the ad it wants the user to see.

This technique should give website owners and their advertisers pause because, for all intents and purposes, the website is delivering an ad to the user and thus charging that advertiser for the ad view, but the user never sees the ad, as it is hidden behind the Zeus overlay.

As such, an advertiser could be charged $10,000 a month for ad views but the computer users are only seeing half of those ads because their systems are infected by Zeus.

Additional revelations are that Zeus also steals your social media credentials, thus allowing the botmaster to become you, contact all of your friends and direct them to a website where once again he controls the ads or can force a malware download.

It appears all of these “modules” can act independently, so a user could be protected against the theft of financial data but not from the ad redirect or the social media credential harvesting.

So next time you are surfing the web and checking out your favorite sites, be leery of that banner ad you see on the top, side or bottom of the page. You don’t know who or what is truly behind that ad.

Beginning of Rogue Agent

April 20th, 2011

Rogue Agent

The Story of the Greatest Hack in History and the Agent Assigned to Investigate It

“Three o’clock, where had the day gone?” There I was standing in line at the Target in suit and jacket, trying to hide my gun as I paid for my lunch, a Pizza Hut pepperoni pizza and fountain Coke. I had popped into Target to grab some diapers and household supplies as I was returning from an interview. It was only after I had paid for the purchases that I realized I had forgotten lunch. Not that missing lunch was unheard of, but it was New Year’s Eve 2004 and I was on call until the wee hours of the morning.

I needed to eat.

I grabbed my lunch, placing it in the child seat section of the shopping cart, and headed out the door to the parking lot and my 1999 gold Chrysler Cirrus with hideous multi-colored interior and a large dent on the right rear corner panel where a safe had hit the car. Yes, a safe.

As I got to the car, I fumbled with the remote and keys. The remote to unlock the doors and pop the trunk, and the keys to unlock the master lock attached to two sections of heavy gauge chain used to secure the trunk lid to the car frame from the inside. The trunk chain and lock were an extra precaution to protect the radio, shotgun and MP5 machine gun I stored in the trunk along with my ballistic vest, spare rounds and other tools of the trade.

I finally got the trunk opened and began loading the diapers and other Target purchases into the trunk when my cell phone began to vibrate on my left hip. Understand, the midsection of my body looked something like a Batman utility belt: going from right to left I had my Glock 22, a spare magazine, handcuffs, a retractable asp (which I was only carrying because I had just been on an interview), two more magazines, a can of pepper spray (again, only because of the interview), my cell phone and of course my badge. In my pocket I also carried one more trade tool, a thumb drive with some cool software I used in special circumstances.

But back to the phone…

As I glanced at the caller ID I noted it was coming from an international exchange. Very few people had this number and even fewer lived or worked outside the US.

When I recognized the prefix as being from Eastern Europe, the caller’s identity was limited to either a select group of associates within the Ministries of the Interior (MVD) of Russia, Belorussia or the Ukraine, or it was one of my sources who provided information about criminal activities.

“Hello, this is EJ.”

“E.J., E.J., we got a big problem. You’ve been hacked. They have my name, they have everyone’s name and it’s up for sale. They could come after me. If you don’t stop this, I’m dead.”

For the next twenty minutes, I tried to calm my source and get the details I needed to address the issue.

Based on the documents being shared and the names contained within the documents, the email systems of DOJ.gov, USSS.gov and FBI.gov may have been compromised by hackers. Worse, the breach appeared to grant complete access to all communications about cases, suspects, sources and techniques.

Sometimes, that which is stolen is way too hot for anyone to buy it. Anyone, except for me, or so I thought.

For my part, this hack would turn my world upside down. It would make me question everything and everyone I worked with, and eventually it would murder a dream.

For the world, this hack will seemingly never have occurred. Only one three-paragraph article was ever written about the hack.

Publicly the hack never occurred, but its impact was felt around the world.

Why? Because if the information made available by the access obtained had been made public, it would have rattled the foundation of federal law enforcement for the whole of the United States.

My name is E.J. Hilbert and I was a Special Agent with the Federal Bureau of Investigation.

I joined the FBI in August 1999, 5 days before my 30th birthday. As long as I can remember I wanted to be an FBI agent. I graduated from college in 1992 with a degree in History and a California teaching credential. I did not enter college thinking I was going to be a teacher; I wanted to join the FBI and, like many, I thought I would need law enforcement or military experience. I fully intended to join the Marines like my father, a career Marine and veteran of both the Korean and Vietnam wars, but I promised I would not join the military until I graduated college. As such, throughout college I changed majors several times, from business, to biology, to communication, to pre-law and then pre-med. How I ended up in History I don’t know, and then in education is yet another mystery.

When I graduated, the FBI had a hiring freeze; no new agent classes were being accepted. The military was still an option, but as I had a teaching credential I thought I would give it a try. I was hired to teach high school history to 9th-12th graders three weeks before my 23rd birthday.

After 6 years of teaching, I had decided I needed a change. Originally, I thought the change would simply be a new school, but one day while I was teaching a publications class (I’m pretty good with computers, but I’ll explain more later) I was showing my class the difference between computer-aided layouts versus manual page layouts. I had brought in my high school yearbooks as examples. Well, as in any yearbook, my friends had made comments, and a couple of my students zeroed in on the numerous references to me wanting to be in the FBI. “Good luck making it into the FBI.” or “Hope your goal of being in the FBI comes true.” And my students called me out.

“What’s this about wanting to be in the FBI?” they asked.

I replied, “Oh, it’s just what I wanted to do when I was your age.”

“Well then you are a hypocrite,” they said. “You force us to follow our dreams and try for the things we want, yet you never did.”

And they were right. So a month later, scared to death, I went to the FBI office in San Diego, CA and picked up an application to become an FBI agent. One year after my initial testing I was sitting in a classroom in Quantico, VA at the FBI Academy suffering through week one of a 22-week training program.

In the year between application and new agent appointment, my life had changed for the better: not only was I in great shape, I had met the love of my life and gotten engaged.

One of the hardest parts about the FBI Academy is not the course work or physical training or practical testing but rather the lack of knowing where you are going to be stationed. The FBI has field offices in 56 different cities and each of those has satellite offices known as Resident Agencies. An example is the FBI Field Office in Honolulu, Hawaii with a Resident Agency on the island of Guam, 3820 miles away. The FBI also has agents in over 40 different countries around the world serving as legal attaches as well as other roles.

Now, a new agent would never be sent overseas, but he or she was at the mercy of the FBI to determine where they would be sent. Some speculate that the way new agents are assigned to offices relies solely on the shoulders of a monkey throwing darts with agents’ names on them at a map of the United States.

During your first couple of weeks in Quantico, new agents are asked to rank the 56 field offices in order of preference. Then on the 7th week, provided you have survived, you will be notified which of your picks you received. Some would receive their first pick and others their 56th.

For me, being newly engaged and my future bride having been accepted to law school in southern California really turned my plans topsy-turvy. I had planned on packing up and moving to the east coast, but now I had a reason to come back home.

As such, I ranked San Diego #1, Los Angeles #2, then Atlanta, New York, Boston and then randomly selected the others. Since LA and New York were large field offices, I was sure to get one of the two, and I did. I was assigned to the Los Angeles Field Office (LAFO). But what type of crime I was going to be working was still unknown.

Understand that, as much as a new agent could request an assignment and the type of crime they would be working, again you were placed based on the needs of the Bureau. This could mean you were working drugs in the headquarters city or assigned to one of the field office’s satellite offices known as Resident Agencies.

One of the greatest things about working out of an RA was that, because it was not a field office, manpower was often limited. So, though an agent was assigned to work one crime, he or she would often be called upon to help out on all the other crimes, to include search warrants, arrests, surveillances, buy busts, the works.

My weekly calls from Quantico to LAFO to try to determine my investigative fate became something of a nuisance to the Assistant Special Agent in Charge’s (ASAC) secretary. As a result, she finally told me that if I stopped calling I would be sent to wherever I wanted. I requested the Santa Ana RA in Orange County, CA and stopped calling. My fiancée was attending law school in Orange County and we planned to live in the area after we were married.

Upon graduation from Quantico, and true to the ASAC secretary’s word, I was assigned to Santa Ana Resident Agency Squad 3 (SARA-3) to work white collar crime. WCC included public corruption, bank fraud, wire fraud, environmental cases and several others. Also included in this category was cyber crime, namely using a computer to commit a crime such as hacking, but also identity theft, stalking and fraud schemes. I was extremely happy with my assignment. Not that I knew a lot about fraud schemes, but in my youth I was something of a hacker. I have no formal computer training, meaning I never took programming classes, but my brain just comprehends computers, and though my parents did not have much money, I got my first computer at 12 yrs old, a Commodore 64. When I was 16, I used every dime I had saved to buy an Apple IIe. And in 1992, when America Online started their service, I jumped online.

To this day, I have not had formal classroom computer instruction but I still understand the systems, obtained my Certified Information Systems Security Professional credential after 5 days of review and understand the schemes behind computer fraud and intrusions better than most.

Let me interject something of significance at this point. In 1999, when I entered the FBI, cyber crime was the dream of Hollywood script writers. Sure, some big-time hackers had done their thing, and when they damaged systems or stole data they crossed into the realm of criminals, but cyber crime and identity theft were not prevalent. In fact, the FBI really was not prepared, from an investigative methodology and procedure perspective, to handle what was about to occur. As more people, companies and commerce moved online, so did the criminals.

Being Fair

April 20th, 2011

I saw an amazing thing this evening and after it occurred I was also saddened. 

Here is the scene.

Little League baseball, two equally matched teams of 7 and 8 year olds, score is very close, bottom of the 6th inning. Batter hits the ball to shortstop and the shortstop throws the ball to first base, the first baseman catches the ball and the umpire in the field, a ten year old, calls the runner out.

But then the ump calls time, runs over to the first baseman and asks him, “did you pull your foot?” Those of us watching the play know that in fact the first baseman did pull his foot, but we waited for the ump in the field to finish the call.

The first baseman responded to the ump, “yes,” and the ump, again a 10 yr old, reversed his call and called the runner safe.

I could not have been prouder of the player for being honest, but as play resumed, the kids focused in and the parents began to talk. Comments like, “this isn’t golf with friends, you don’t have to be honest,” or “If that was my kid he would have said the runner was out,” or even “the ump called him out, he can’t reverse his call” were mumbled amongst the parents.

And that is where I was saddened.

Here are a group of kids enjoying the game and playing fair and the adults who are supposed to lead by example are condemning the action. 

At 7 and 8 years old we are teaching our kids to lie in order to win in a game where score is not kept and no team wins. 

When did that become ok or normal?

When did we dump fair play?

What is scary is if we adults left the kids to their own devices on game play, they would come up with the rules and would enforce them and all would play fair. But instead we interject the win-at-all-costs attitude.

My disappointment in the parents and teams was later muted by a ray of hope. It was pointed out by another who was equally disappointed that maybe a shift is in play.

Professional sports refs and umps are now admitting blown calls and apologizing. I have also noticed that some NBA players have taken to the old sportsmanship standby of raising their hand when they fouled another player.

Maybe sportsmanship is not dead; maybe this season we’ll see MLB players like Jeter or Pujols admit when they missed a tag or took a flop at the plate, and maybe MLB will praise them for being honest and a good sport.

They say everything swings on a pendulum between the two extremes and maybe we are swinging back toward the honest side. Maybe!!

So parents and coaches of young men and women, don’t screw this up. Praise your players for being honest. Don’t use sneaky tricks or rule manipulations to “win at all costs.” Kids know how to be fair if you let them, just as you know how to be fair if you are objective. You had your chance to play ball, now let them have their glory years.

Credit Card Fraud and Affiliates

November 8th, 2010

Recently, I have noted an increase in the number of companies offering to send traffic through an affiliate’s links to an offer for a cut of the profit. Though some of these are legit companies, the first question that always comes to mind for me is: if they have a good traffic source, why are they not an affiliate themselves? Why the offer to split the profits?

The answer is simple: for a cut of the profit, these individuals/companies are using stolen credit cards and a botnet to make purchases on a particular affiliate’s links. To ensure they get the proper cut, the leads/sales are routed through third-party tracking systems, then the affiliate’s tracking system, then the affiliate network’s traffic system.

In many cases, the affiliates have no clue of the nature of the leads or the fact that stolen cards are being used. And since the affiliates are paid within 14 days, and often these credit card fraud complaints are not received for 30-60 days after the purchase, the networks are out the money.

These fraudsters are playing on the fact that not all parties in the order path have access to the card information, and on the turnaround time on fraud reports from consumers.

The days of selling stolen credit cards for $1-$5 each are long gone, and the monetization process of buying products online and shipping them around the world has also dried up.

The result is a cyber criminal has to launder the stolen cards by making purchases that do not require resale: credit card purchases of gift cards, use of encoded plastic cards at convenience stores that allow cash back, or buying a product through an unsuspecting third party and splitting the commission.

For the third party, and for those watching the third party’s traffic to online advertisers, the fraud is often not seen because the credit cards are collected and processed by the end merchant/advertiser.

For those not familiar with the online ad space, an advertiser/merchant wants traffic sent to their page. Rather than buy online billboard space in a thousand different locations, they outsource that “media” buying to affiliate networks. The networks in turn outsource that to independent marketers known as affiliates.

The merchant pays the network for the traffic based on ad views, clicks on ads, or clicks and then sign-ups from an ad. All of this is tracked via traffic routing systems. If the merchant pays the network $10 for everyone who signs up, the network will pay the affiliate $8.50 for each person he/she brought to the site. This means the more people you get to the site, the higher your commission if you are an affiliate. Thus if you can game the system and make yourself appear as 100 different people from different locations, then you make $850 vs. $8.50.

If someone offers to double your traffic for 40% of the profit, you as an affiliate may not think twice about the opportunity to make more money and thus will not likely research where the “new” traffic is coming from.
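The payout arithmetic in this post ($10 to the network, $8.50 to the affiliate, $850 for 100 faked sign-ups) and the CPC/CPM/CPA chain laid out in the Zeus post above can be made concrete in code. The following Python is an added example, not code from this blog or from Online Intelligence: it models the CPA payout on a constructed click/sign-up log, shows who absorbs the loss when the sign-ups are later charged back, and applies the kind of screening a network could run on the traffic signals it does see (the card data never reaches it, as the post notes). The thresholds, affiliate names, IPs and browser strings are assumptions.

```python
"""Affiliate CPA payout model with botnet sign-up screening.

Added example (not code from the blog or from Online Intelligence).
Assumed figures follow the post: the merchant pays the network $10 per
sign-up and the network passes $8.50 (85%) to the affiliate.  The network
never sees the card data, so the screening below uses only the signals it
does see in its own tracking system: click/sign-up events with a source
IP, a User-Agent and a timestamp.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import statistics

BOUNTY = 10.00          # merchant -> network, per sign-up (from the post)
AFFILIATE_SHARE = 0.85  # network -> affiliate share, i.e. $8.50 per sign-up

# Event tuple: (timestamp, affiliate_id, kind, source_ip, user_agent)


def sample_events():
    """Constructed sample log (not real traffic).

    'aff-legit' gets ordinary display traffic: varied browsers and IPs,
    irregular timing, a few percent of clicks convert.
    'aff-botnet' gets bot traffic: distinct IPs (a botnet has plenty), but
    one identical User-Agent, metronomic timing and almost every click
    "converts" with a stolen credential.
    """
    t0 = datetime(2010, 11, 8, 9, 0, 0)
    uas = ["Mozilla/5.0 (Windows NT 6.1)", "Mozilla/5.0 (Macintosh)",
           "Mozilla/4.0 (compatible; MSIE 8.0)"]
    gaps = [37, 112, 5, 240, 61, 18, 95, 300, 12, 74]   # seconds, irregular
    events, t = [], t0
    for i in range(40):
        t += timedelta(seconds=gaps[i % len(gaps)])
        events.append((t, "aff-legit", "click", f"203.0.113.{i}", uas[i % 3]))
        if i % 20 == 0:   # 2 of 40 clicks sign up
            events.append((t + timedelta(seconds=90), "aff-legit", "signup",
                           f"203.0.113.{i}", uas[i % 3]))
    bot_ua, t = "Mozilla/4.0 (compatible; MSIE 6.0)", t0
    for i in range(40):
        t += timedelta(seconds=30)   # one click every 30 s, like clockwork
        ip = f"198.51.100.{i}"
        events.append((t, "aff-botnet", "click", ip, bot_ua))
        if i < 38:   # 38 of 40 clicks "sign up"
            events.append((t + timedelta(seconds=2), "aff-botnet", "signup", ip, bot_ua))
    return events


def payouts(events):
    """Commission owed to each affiliate under the CPA model."""
    signups = Counter(aff for _, aff, kind, _, _ in events if kind == "signup")
    return {aff: round(n * BOUNTY * AFFILIATE_SHARE, 2) for aff, n in signups.items()}


def network_position(signups, disputed):
    """Network's net cash after the merchant reverses `disputed` sign-ups.

    The affiliate is paid within 14 days; chargebacks land 30-60 days later,
    so the reversed bounty comes out of the network, not the affiliate.
    """
    received = (signups - disputed) * BOUNTY
    paid_out = signups * BOUNTY * AFFILIATE_SHARE
    return round(received - paid_out, 2)


def screen(events, max_conv=0.25, max_ua_share=0.8, min_gap_cv=0.3):
    """Flag affiliates whose traffic looks machine-generated.

    Heuristics (thresholds are assumptions, tune them to the offer):
      - conversion rate far above what display traffic achieves
      - most sign-ups carry one identical User-Agent string
      - sign-ups arrive at near-constant intervals (low coefficient of variation)
    """
    by_aff = defaultdict(list)
    for ev in events:
        by_aff[ev[1]].append(ev)
    report = {}
    for aff, evs in by_aff.items():
        clicks = [e for e in evs if e[2] == "click"]
        signups = sorted((e for e in evs if e[2] == "signup"), key=lambda e: e[0])
        flags = []
        conv = len(signups) / len(clicks) if clicks else 0.0
        if conv > max_conv:
            flags.append(f"conversion rate {conv:.0%} is implausible for display traffic")
        if len(signups) >= 5:
            ua, n = Counter(e[4] for e in signups).most_common(1)[0]
            if n / len(signups) > max_ua_share:
                flags.append(f"{n}/{len(signups)} sign-ups share one User-Agent: {ua}")
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(signups, signups[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv < min_gap_cv:
                flags.append(f"sign-up spacing is metronomic (cv={cv:.2f})")
        report[aff] = {"clicks": len(clicks), "signups": len(signups),
                       "conversion_rate": round(conv, 3), "flags": flags}
    return report


if __name__ == "__main__":
    evs = sample_events()
    for aff, owed in payouts(evs).items():
        print(f"{aff}: ${owed:.2f} owed")
    for aff, r in screen(evs).items():
        print(aff, r["clicks"], "clicks", r["signups"], "sign-ups", r["flags"] or "clean")
    # If every botnet sign-up is charged back, the network is out the $323 it already paid.
    print("network position after chargebacks:", network_position(38, 38))
```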

I share all this as food for thought.  The next time you see a weird charge on your card, think of all the hands that had a part in that and make sure you cancel that card.

Removing a Child’s Image From Twitter

October 14th, 2010

Recently I contacted Twitter on behalf of a celebrity client to request that the image of my client’s child be removed from the profile of a fan. Understand the child is under 13, the parent has asked me to request the image be removed, and the profile owner has no connection to the child or the parent. The image was used to get the celebrity’s attention to cause them to “follow” the fan.

Twitter did not remove the image because the use of the image did not violate their policy. When I pushed the issue further, I was told I needed to file a DMCA request and show I owned the rights or represented the person who owned the rights to the child’s image. Again, we are talking about the image of a non-celebrity child, used without the parents’ permission.

As a parent of three kids under the age of 8, I was amazed at the difficulty in trying to protect a child online.

When I was with MySpace, requests like this were dealt with swiftly and with no run-around. Maybe Twitter needs to revisit this policy or at least give members of their staff override authority when an issue involving a child is brought to their attention.

I know members of the Twitter Trust and Safety staff and I trust their judgement beyond a shadow of a doubt, but judging by the “canned” response to my request, the staff is being hamstrung and not allowed to use their own common sense.

Below are the two responses from Twitter:

Thu, Oct 14 01:17 pm (PDT):
Hello,
Thanks for providing this information. Twitter reviews avatar and background images for violations such as nudity or pornographic content.
Users are allowed to use their Twitter accounts for a variety of purposes, including for parody, commentary, or other informational uses. Because Twitter is an open communications platform, some user content may be inflammatory or disagreeable. We don’t mediate user content, including images, unless it violates our Terms of Service. Based on this policy, we will not remove the reported image.
You can find information about Twitter Rules violations that we investigate here:
http://support.twitter.com/articles/15789
If you are making an allegation of copyright infringement (please note that in most instances, the subject of a photograph is not the copyright owner), our copyright page has more information about the proper process for requesting removal:
http://support.twitter.com/articles/15795
Thanks,
Twitter Trust & Safety

This was my response:

“To be clear, Twitter will not remove images of another person’s children from an account even if the parents of the children request the image be taken down? Especially when no permission has been granted by the children’s parents to use the image in the first place, or when the pictures were never posted online prior to this instance?”

Twitter’s Response

Thu, Oct 14 01:37 pm (PDT):
Hello,
Per our Copyright Policy, found in our Terms of Service (http://twitter.com/tos), Twitter responds to compliant Digital Millennium Copyright Act (“DMCA”) notices. Please see this help page on how to file a notice:
http://twitter.zendesk.com/entries/15795-filing-a-copyright-complaint-or-dmca-take-down-notice
More information about the DMCA can be found here:
http://www.chillingeffects.org/dmca512/faq.cgi#QID601
Thank you,
Twitter Trust and Safety

Stuxnet showcases other threats

October 1st, 2010

Earlier this week I was a guest on MSNBC’s Dylan Ratigan show, http://www.msnbc.msn.com/id/31510813/#39387665, to talk about Stuxnet. Stuxnet is a highly complex virus written to attack the command and control systems of industrial machinery. To make it easier to understand, if it were installed in your car, it would be able to disable your ignition control, your acceleration, your braking, stop your water pump or disable the distributor. The key is that when you look at the system trying to figure out what is happening, it will appear as if nothing is wrong despite the fact the virus is overriding other commands.

It is believed that Stuxnet was created by a state-sponsored group to attack systems like nuclear power plants. It is specifically built to manipulate the Siemens PLC control systems used in various industries.

For the moment let’s forget about the complexity of the virus and the potential impact and let’s focus on two other very real threats showcased by this virus.

First, the virus works on a very specific operating system. This means that the writer(s) had access to such a system, knew the ins and outs of the system and were able to test against such a system. These facts are disturbing primarily because few groups have such access. Or do they? Are the Siemens PLC system schematics and “user manuals” readily available on the web? If so, it is just a matter of time before others, using Stuxnet as the primer, find new and more destructive ways to use the information. They will also start looking for other “brands” of operating systems to see if they are as “easily” manipulated.

The other big concern is the attack vector, or more simply, how the systems got infected.

All reports claim an infected thumb drive is to blame, but who carried that thumb drive around and did the infecting? Despite all the computer security in the world, the human factor is the biggest threat and is nearly impossible to defend against. In the world of computer hacking, gaining trusted physical access to a system is the most effective way to infect/harm/own the system. Such access can come through social engineering the switchboard operator to get access to the building, or through manipulating a person who already has access.

If the story of a contractor carrying the bad thumb drive is to be believed, I am certain that a number of groups are currently “looking” for that contractor.  My bet is it was not one person. 

If I was trying to infect a system I would do the following:

Place the virus on the web with code that says “install on removable drives if attached to a system.” Though this is a surefire way to cause infections, the code is big, and thus the victim would have to be clueless about the download. (Not likely to occur with computer contractors working on sensitive projects.)

Give the worm to a spy and have him/her sneak it into the facility. (Given security protocols, again not likely.)

Give out free swag at a computer conference and hope for the best. This is most likely what occurred, because for some reason free thumb drives are snatched up like mad at conferences and immediately plugged into computers with little concern for what is on the drive. Maybe it is the assumption that the AV software on your computer will catch the infection.

As a hypothetical, meaning I never did this during my time with the government: if I wanted to infect a multitude of “off the grid” systems, the free thumb drive or CD/DVD would be an easy route. I would start by looking for a vendor at a show who is giving out free drives on day one, and by day two show up with similar drives that I leave lying around the conference (sometimes called road apples). I might even drop them on the vendor’s booth for others to scoop up as they walk by. I could also steal a case of the drives from the booth, install the infection and then return the case for the vendor to unwittingly hand out.

My point is that it is easy to get things into “off the grid” systems if you know who to target and play to human weakness.

So I wonder: was there a computer conference held around the time of the first infection, and if so, who was giving away free drives and who was picking them up?

I understand that IT folks are scrambling to find a way to protect against Stuxnet, but part of that scramble needs to address the physical attack vector. Not all viruses/worms come via the net. Many come from a handshake over drinks and an exchange of gifts.

Stuxnet is bad, but the access to the system and the method of attack are what make me concerned.

Nigerian Scams and Blog Comment Spammers

September 16th, 2010

Below are three of the most recent “Nigerian scam” letters I have received. I thought I would share them with the public and also tell you that these do work, meaning people do fall for these scams. When I was with the FBI I handled, amongst other things, internet fraud complaints. Every couple of weeks I would receive a complaint from someone who actually fell for one of these letters. They would send between $3,000 and, in one case, $400,000 to the scammers. But what shocked me most was the profession of the people who fell for these scams. Amongst the more notable victims were a criminal defense attorney, a medical doctor, the COO of a major company and a police detective.

Below the scam letters is a list of some of the email accounts that have signed up to be able to leave comments or become a “user” on this blog. They are all spammers/scammers, and again I thought I would share them with the public.

ATTEN:

 From: MARIA SANCHEZ [morgan.ptrs@yahoo.com]

EURO MILLIONS LOTTERY INTERNATIONAL. INTERNATIONAL PROMOTION PROGRAM. FROM: THE PROMOTION DIRECTOR

INTERNATIONAL PROMOTIONS DEPT.

REF: NBDJH087/HJSDS098/7633/10

BATCH: 4566FG/GYFGH54/SAS5465

 

Attention:

WINNING NOTIFICATION

We are pleased to inform you of the release, of the long awaited results of the EURO MILLIONS LOTTO INTERNATIONAL PROMOTION PROGRAM held on the 11th SEPTEMBER 2010. You were entered as dependent clients with:

ReferenceNumber:7652NGP/IJKFMF/DNDD

Batch number: DTTT482/56TR/765GHG.

Your email address attached to the ticket number

1 12 14 19 29 65 that drew the lucky winning number, which consequently won the sweep take in the category (B), in four parts. You have been approved for a payment of one Million euros (€1,000,000.00) in cash is credited to file reference number: .This is from a total cash/prize of €50,000,000 Euro(fifty Million Euros) shared among the ten international winners in the two category (B)

Congratulations!

All participants were selected through a computer ballot system drawn from (90,000) ninety thousand names of email users around the world, as part of an international promotion program meant solely for enhancing and encouraging human development across the globe.

But note that due to a mixed up of some names and addresses, we would appreciate that you keep your winning to your self, untill your claims has been processed and your funds has bein remitted to you.

This is part of our security measures to avoid double claiming or unwarranted taking advantage of the situation by other participants or impersonators.

To begin your claim, do file for the release of your winning by contacting your/our accredited agent the security .

Mr Michael Anderson.

Euro union securities. S.L.

TEL:+34-615-747-597.

E-MAIL:micanderson13@yahoo.es.

Please note that these informations are needed to prosess your winning price,when you are contacting your claims agent.

1. Full Names:

2. Date of birth:

3. Sex:

4. Martial status:

5. Nationality:

6. Contact Address:

7. Telephone Number:

8. Next of kin:

This agent is responsible for the processing and transfer of your winning fund. Your security file number is 345DF/E5A*X903 (keep personal) Remember, your winning must be claimed not later than (18-07-05) after which it will be declared unclaimed and will be add to next stake of 70,000.000 euro international lottery program. And should there be any change in your address, do inform your claims agent as soon as possible.

Note-non-resident winners will require a notarization / ligalization of his or her winning in the Area Court of Justice (ACJ) this is going to expedite the processment/remittance of your prize funds.

Congratulations once more from our members of staff and thank you for being part of our promotional program.

Anybody under the age of eighteen(18) is automatically disqualified.

Yours Sincerely,

Mary Sanchez.

 awaiting for your response

From: Mr.peter lee [drpeterlee5@aol.com]

Compliment of the Day

It is understandable that you might be a little bit apprehensive because you do not know me but I have a lucrative business proposal of mutual interest to share with you. I got your reference in my search for someone who suits my proposed business relationship. I am Mr. Peter. Lee a South Korean, happily married with children, and i am a Director of Hang Seng Bank Ltd, in charge of the International Remittance department. I have a confidential business suggestion for you. I will need you to assist me in executing a business project from Hong Kong to your country. It involves the transfer of a large sum of money. Everything concerning this transaction shall be legally done without hitch. Please endeavour to observe utmost discretion in all matters concerning this issue. Once the funds have been successfully transferred into your account, we shall share in the ratio to be agreed by both of us.

I will prefer you reach me on my private email address below (drpeterlee55@yahoo.com) and finally after that I shall furnish you with more information’s about this operation

Should you be interested, please forward the following to me urgently:

1. Full names

2. Occupation

3. Private phone number

4. Current contact address

Please if you are not interested delete this email and do not hunt me because I am putting my career and the life of my family at stake with this venture. Although nothing ventured is nothing gained. Your earliest response to this letter will be appreciated.

Kind Regards,

Mr.Pt. Lee

Hang Seng Bank Limited

Hong Kong. {Asia}

Email:drpeterlee55@yahoo.com

Loteria Nacional Special Global 2010

From: Loteria Nacional [mail@chinabidding.com.cn]

Attention Email ID User, We happily announce to you the draw of the Loteria Nacional Special Global 2010 Promotional Draw held in Madrid Spain. Your e-mail address attached to REF No;ESP/62934LN/2010, with Batch No: CH 200 drew the Winning No: 02 10 16 18 27 41, Bonus No: 28 for LN-49 Lotto under the choice of the lottery in the 2nd category. All participants were selected randomly from World Wide Web site through computer draws system and extracted from over 10,000,000 companies and personal e-mails. So your email is your online automatic ticket that qualified you for this draw. You have therefore been approved to claim a total sum of 895,910 Euros (Eight Hundred and Ninety Five Thousand Nine Hundred and Ten Euros)

Therefore, you are required to forward your details to our claims Agent to help facilitate the processing of your fund as stated below:

1. FULL NAMES: ________

2. ADDRESS: __________

3. AGE AND SEX: ________

4. MARITAL STATUS: _____

5. OCCUPATION: ________

6. E-MAIL ADDRESS: ______

7. TELEPHONE NUMBER: ________

8. AMOUNT WON:_____________

Contact Person: Dr. Marc Santos

TEL: +34 634 015 899

EMAIL: bilbaodiret@ozu.es

marcsantos@consultant.com

Congratulation!!

Sincerely,

Sandra Luque (Mrs.)

Lottery Controller

LN-49 Lottery.

List of spammer email accounts


Scareware/Malware peddlers on buying spree

July 29th, 2010

Below is a list of some recent URLs that are spreading scareware/malware. The people behind the sites are using illegal profits, stolen credit cards and/or bad checks to buy display ads on various sites via various display networks.

 

The one that recently crossed my desk was Innovyxinc.com, not to be confused with Innovyx.com.

Other sites connected with INNOVYXINC.com are as follows and should be avoided at all costs. 


Bad Traffic Source

June 2nd, 2010

One of the things I do on the side is try to get my test computers infected with malware. Another thing I do is try to identify the individuals behind pirated movies and software for some of my friends in the industry. These two side gigs often go hand in hand, because a large portion of pirated movies and software are also laden with malware for all the various reasons.

Of course, when a pirate gets infected with malware and his/her identity is stolen, they are unlikely to tell law enforcement, “I was downloading the new torrent of Iron Man 2 when my computer got infected…” Nothing like becoming a victim while committing a crime.

Anyways, while I was conducting some tests for friends of the latest pirated movies available via BitTorrent, I came across a very interesting online advertising traffic source. One of the “movies” (actually a malware file) was password protected. Along with the download was a “read me” HTML file. When I opened that file, it told me that if I wanted to get the password for my “movie” I needed to fill out one of the linked surveys or sign up for one of the trial offers. Now, these offers were “legit” offers from advertisers via networks like Tatto Media and Copeac, but they were “incentivized” by forcing a person to sign up for the offer in order to gain access to the illegal bounty.

Let’s leave the legality out of this and focus on the fact that the people downloading pirated movies are also the people likely to give false info for online ads, or even to use stolen information on the leads. Basically, these affiliate marketers are abusing the “downloader”, the ad network and the advertisers. This is just a BAD traffic source.

To me these facts seemed like common sense, but then you have to think of which affiliates would do this and realize they may not be the smartest. Why, you ask? Because by tracking the offers that I was forced to sign up for to get my password, I also know which affiliate network they work for and the affiliate’s code. A quick call to my friends at Tatto and Copeac and they can identify the affiliate right down to the SSN that is being paid and the location the checks are being sent to.

So if the guys at Warner Brothers, Fox, Sony, et al. want to know who is uploading pirated copies of their recent films, all they have to do is ask. More likely, I’ll just give them a call.

Credit Card Money Laundering Evolved

May 28th, 2010

In the world of cyber crime, no online activity is more profitable than “spam”. But before we go any further, let’s define “spam.” For the sake of this post, “spam” is defined as unsolicited commercial email, texts, blog comments, friend requests, etc. Unsolicited means you did not ask for the information, and commercial means they are selling you something. This definition is different from those used by the media and others, because they often define spam as unwanted email.

I make the definition distinction because spam, as I have defined it, equals profits to the senders. It is a form of advertising, and advertisers are paying people to bring users to their sites. The catch here is that 95% of advertisers don’t know where the consumer first saw the ad and thus are unsure about how the consumer ended up on the advertiser’s site. Now, to be fair, many advertisers don’t really care as long as sales are made, but as that is the wrong approach, it is also a topic for another day.

Getting back to online advertising… In a nutshell, here is how it works:

An advertiser wants people to come to their online store, but rather than try to buy ads themselves, they hire ad agencies/networks to place the ads. The agencies/networks in turn hire independent marketers to place the ads on millions of locations across the web. Users go to those websites, see the ads, click on them and then go to the advertiser’s online store.

That is the simple explanation, but the process is far more complicated. To start with, online ads are performance based; in other words, the ad agency and the independent marketer, often called an affiliate, are only paid when an action by the consumer occurs. Basically it’s a commission on each sale, to the tune of about $10-$20 per consumer action, so it is in the affiliate’s best interest to make a lot of sales. This process lent itself to a lot of unregulated fraud, but as agencies and advertisers become more savvy to the fraud techniques through the help of companies like Online Intelligence (onlineintel.com), the bad guys need to develop new ways to defraud the system.

Let me stop here: not all affiliates/independent marketers are fraudsters. In fact, many realize that they can make twice the money by running clean traffic to advertisers, and they see online ads as a long-term career. But there are bad apples, and since they are using stolen funds to back their ad buys, they are the ones you see more, because their stuff pops to the top.

One of the more common fraud methods was to use stolen credit cards to make purchases via your personal affiliate code and thus reap the commission for the sale.

As ad networks build tools and reports to flag that activity, those affiliates have been banned from many major online advertising networks. So what do they do now?

Well, simply put, they use their knowledge and game the system one level deeper.

A large number of traffic sale groups/sites have re-emerged in the market. They sell traffic to the affiliates, purporting to drive consumers to the affiliates’ pages, where the consumers will see the ads, hopefully click on them and then make a purchase, thus causing the affiliate to get paid.

The problem is that much of this “bought” traffic is fake, and as the affiliates have no way of tracking/reviewing the traffic, they assume it is real and they pay the traffic provider. (Fake means that there is no real consumer behind the traffic; rather, it was generated by a bot network or some virus on a person’s computer.)

This is where the money laundering comes into play: the fraudster will charge more for traffic that converts to a sale, and thus involves a credit card, than for traffic that is simply a click on or view of an ad. (Sale payouts to the affiliates average $25, whereas clicks are $.50.)

The affiliate will gladly pay $10 per sale if he/she is making $30. The fraudster will gladly accept the $10 because the sales they are generating are on stolen credit cards. They will run 1000 sales on this affiliate’s account and 1000 sales on another affiliate’s account; the affiliate will pay them weekly, the affiliate will get paid by the network bi-weekly, and the network will get paid monthly. This means the fraudster, using the stolen cards, will be paid 21 days before the bad sale is recognized.

So who is left holding the bag? Well, it once was the advertiser, but as fraud is detected and people complain, that loss is pushed to the ad networks. For a long time the ad networks took the hit because they feared losing their affiliates if they charged them back, but that is not the case anymore. Ad networks will take the cost of the bad sales out of the affiliate’s future earnings.

In the end, the cost of the fake traffic bought with the stolen credit cards lands on the shoulders of the affiliates.
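To see where the timing gap and the loss end up, here is an added Python model of the settlement chain just described (an added example, not the author’s own material). The $10 and $30 per-sale figures are the post’s; the settlement days (7, 14, 28) and the party names are my assumptions, chosen to match the weekly, bi-weekly and monthly cadence the post gives.

```python
# Added example: a small model of the settlement chain described above.
# The $10 (affiliate -> traffic seller) and $30 (network -> affiliate) figures
# come from the post; the settlement days are constructed assumptions that
# follow the post's weekly / bi-weekly / monthly cadence.
AFFILIATE_PAYS_SOURCE_DAY = 7      # affiliate settles with the traffic seller weekly
NETWORK_PAYS_AFFILIATE_DAY = 14    # network settles with the affiliate bi-weekly
ADVERTISER_RECONCILES_DAY = 28     # advertiser settles monthly; disputed card sales surface here

PRICE_PER_SALE_FROM_SOURCE = 10.0    # what the affiliate pays per delivered "sale"
PAYOUT_PER_SALE_TO_AFFILIATE = 30.0  # what the network pays the affiliate per sale

PARTIES = ("fraudster", "affiliate", "network", "advertiser")


def head_start_days():
    """Days between the fraudster being paid and the bad sales being recognised."""
    return ADVERTISER_RECONCILES_DAY - AFFILIATE_PAYS_SOURCE_DAY


def simulate(n_bad_sales, clawback=True):
    """Return (balances, events): each party's net cash position after settlement.

    clawback=True models the current practice the post describes: the network
    recovers bad-sale payouts from the affiliate's future earnings.
    clawback=False models the earlier situation where the network ate the loss.
    """
    balance = dict.fromkeys(PARTIES, 0.0)
    events = []

    def transfer(day, src, dst, amount, note):
        balance[src] -= amount
        balance[dst] += amount
        events.append((day, src, dst, amount, note))

    source_fee = n_bad_sales * PRICE_PER_SALE_FROM_SOURCE
    affiliate_payout = n_bad_sales * PAYOUT_PER_SALE_TO_AFFILIATE

    # Weekly cycle: the affiliate pays the traffic seller for "converting" traffic.
    transfer(AFFILIATE_PAYS_SOURCE_DAY, "affiliate", "fraudster", source_fee,
             "affiliate pays for traffic that converted to sales")
    # Bi-weekly cycle: the network pays the affiliate commission on those sales.
    transfer(NETWORK_PAYS_AFFILIATE_DAY, "network", "affiliate", affiliate_payout,
             "network pays sale commissions")
    # Monthly cycle: the advertiser reconciles; the stolen-card sales have been
    # charged back, so the advertiser pays the network nothing for them and the
    # network (if it claws back) deducts the payout from the affiliate.
    if clawback:
        transfer(ADVERTISER_RECONCILES_DAY, "affiliate", "network", affiliate_payout,
                 "network deducts bad sales from the affiliate's future earnings")
    return balance, events


def paid_out_before_recognition(n_bad_sales):
    """Cash that has already moved by the time reconciliation flags the sales."""
    _, events = simulate(n_bad_sales)
    return sum(amt for day, _, _, amt, _ in events if day < ADVERTISER_RECONCILES_DAY)


if __name__ == "__main__":
    print("fraudster head start:", head_start_days(), "days")
    for mode in (True, False):
        balances, _ = simulate(1000, clawback=mode)
        print("clawback" if mode else "no clawback", balances)
```

With 1000 bad sales the fraudster walks away with $10,000 either way; with clawback the affiliate ends $10,000 down and the network breaks even, which is the shift the post describes.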

The fraudsters who were once affiliates themselves are now targeting affiliates for their fraud schemes.

In summary: affiliates beware. And if you are one of those stuck with the costs and you have the contact info for whoever you bought the fake traffic from, feel free to send it my way and I’ll share it with the world and my former colleagues in the FBI.