Brian Krebs

More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the  criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows.

Source: FBI

The malware, known as the “DNSChanger Trojan,” quietly alters the host computer’s Internet settings to hijack search results and to block victims from visiting security sites that might help scrub the infections. DNSChanger frequently was bundled with other types of malware, meaning that systems infected with the Trojan often also host other, more nefarious digital parasites.

In early November, authorities in Estonia arrested six men suspected of using the Trojan to control more than four million computers in over 100 countries — including an estimated 500,000 in the United States. Investigators timed the arrests with a coordinated attack on the malware’s infrastructure. The two-pronged attack was intended to prevent miscreants from continuing to control the network of hacked PCs, and to give Internet service providers an opportunity to alert customers with infected machines.

But that cleanup process has been slow-going, according to at least one security firm. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities.

“Yes, there are challenges with removing this malware, but you would think people would want to get this cleaned up,” said Rod Rasmussen, president and chief technology officer at Internet Identity. “This malware was sometimes bundled with other stuff, but it also turns off antivirus software on the infected machines and blocks them from getting security updates from Microsoft.”

Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

Rasmussen said there are still millions of PCs infected with DNSChanger. “At this rate, a lot of users are going to see their Internet break on March 8.”

Tom Grasso Jr., an FBI supervisory agent at the National Cyber Forensics & Training Alliance in Pittsburgh, Pa., said the DNSChanger Working Group — the industry and law enforcement coalition that’s handling the remediation — has been discussing what to do about the upcoming deadline, but he declined to offer specifics.

“We’re certainly exploring all different options to minimize whatever impact there’s going to be on a lot of people,” Grasso said.

Even if the DNS Changer working group manages to get the deadline extended, the cleanup process will likely take many years.  At least, that’s been the experience of the the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker.

Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem.

“I’m guessing a lot more people would care at that point,” Rasmussen said. “It certainly would be an interesting social experiment if these systems just got cut off.”

Individuals in charge of a large network can learn if any systems are infected with DNSChanger by sending a request to one of the members of the DNS Changer Working Group. Home users can avail themselves of step-by-step instructions at this link to learn of possible DNSChanger infections.

Where do you come down on the decision to extend the Mar. 8 deadline? Register your vote in the poll below. Feel free to sound off in the comments.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released -  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!”

Around the same time that SpamIt’s database was leaked, hackers plundered the networks of ChronoPay, one of Russia’s biggest online payment processors. The company’s top executive, Pavel Vrubelvsky, was reputed to have been a co-founder of SpamIt’s biggest competitor — a rogue pharmacy operation called Rx-Promotion. The data that hackers leaked from ChronoPay included emails showing ChronoPay executives passing credentials to Rx-Promotion’s administrative back end database.

KrebsOnSecurity.com obtained a comprehensive data set showing all of the sites advertised by Rx-Promotion affiliates in 2010, as well as the earnings of each affiliate. That information was shared with several University of California, San Diego researchers who would later incorporate it into their landmark Click Trajectories study (PDF) on the economics of the spam business. The researchers spent four months in 2010 observing the top spam botnets, keeping track of which pharmacy affiliate programs were being promoted by different top botnets.

The GeRa-Stupin chats show that by the time the researchers started recording the data, GeRa had defected from SpamIt to work for Rx-Promotion. Indeed, the UCSD researchers found that Rx-Promotion and Grum were synonymous. Each RX-Promotion pharmacy includes a “site_id” in its HTML source, which uniquely identifies the store for later assigning advertising commissions.  The researchers discovered that whenever Grum advertised an Rx-Promotion site, this identifier was always the same: 1811. According to the leaked Rx-Promotion database, that affiliate ID belongs to a user named ‘gera.’

A tiny snippet of GeRa's sales from Rx-Promotion sites, which all bore his affiliate ID 1811 in the source.

“It doesn’t prove that GeRa owned Grum,” said Stefan Savage, a professor in the systems and networking group at UCSD and co-author of the study. “But it does show that when Grum advertised for Rx-Promotion, it was for sites where commissions were paid to someone whose nickname was ‘GeRa’.”

WHO IS GERA?

GeRa uses the alternative nickname “Ger@” on Internet forums, including the now-defunct Spamdot.biz, where top spammers from SpamIt and competing programs used to gather. Google’s search engine largely ignores the “@” character, which makes searching for that nickname difficult. But infiltrate enough invite-only cybercrime communities and eventually you will find a user named Ger@ who announces that he is buying traffic.

GeRa routinely purchases traffic from other botmasters and malware writers who control large numbers of hacked PCs. As he explained in the following post to an exclusive forum, victim browsers sent his way are typically funneled through sites hosting a gauntlet of exploits designed to install a copy of his spam bot (see below).

Ger@ writes: "We continue to buy all your traffic which goes to Eleonor (Exploit Pack) to load the spam bot..."

GeRa did not respond to multiple requests for comment sent via email and ICQ. He appears to have been much more careful with his identity than other top SpamIt botmasters, but he did leave several tantalizing clues. GeRa appears to have used a number of separate affiliate accounts for himself on SpamIt (possibly to make his earnings appear lower than they really were. Among his personal accounts were “GeRa,” “Kostog,” “Scorrp,” “Scorrp2,” “Scorrp3,” “UUU,” and “DDD.”

GeRa received commission payments for all of those accounts to a WebMoney purse with the ID# 112024718270. According to a source who has the ability to look up identity information attached to WebMoney accounts, that purse was set up in 2006 by someone who walked into a WebMoney office in Moscow and presented a Russian passport #4505016266. The name on the passport was a 26-year-old named Nikolai Alekseevich Kostogryz.

One of GeRa’s most successful referrals was a SpamIt affiliate who used the nickname “Anton,” and the WebMoney ID 186103845227. The information on the Russian passport used to open that account was Vasily Ivanovich Petrov. According to SpamIt records, Anton was the 18th most valuable affiliate overall, bringing in sales of nearly $1 million and earning commissions above $422,000.

A "mind map" that helped piece together data about GeRa and his associates.

Looking at the earnings of spammers from both SpamIt and Rx-Promotion, it’s difficult to ignore the remarkable asymmetry between their incomes and the global cost of dealing with junk email. In the United States alone, spam has been estimated to cost businesses more than $40 billion annually in lost productivity, anti-spam investments, and related costs. By comparison, the entire SpamIt program produced revenues just above $150 million over a four year period, while Rx-Promotion spammers generated a fraction of that revenue.

SpamIt, Glavmed earnings over the life of the programs.

This is the latest in my Pharma Wars series. In case you missed them, check out my profiles of other top botmasters, including:

Mr. Waledac: The Peter North of Spamming
‘Google,’ the Cutwail Botmaster
Mr. Srizbi vs. Mr. Cutwail
Chats with Accused ‘Mega-D’ Botnet Owner?
Rustock Botnet Suspect Sought Job at Google

A prominent affiliate program that pays people to promote knockoff luxury goods is closing its doors at the end of January. The program — GlavTorg.com — is run by the same individuals who launched the infamous Glavmed and SpamIt rogue pharmacy operations.

Launched on July 4, 2010 and first announced on the Glavmed pharmacy affiliate forum, GlavTorg marketed sites that sold cheap imitations of high priced goods, such as designer handbags, watches, sunglasses and shoes.

“July 4 – U.S. Independence Day! Now, Russian craftsmen have a reason to celebrate this holiday. And on this occasion, the launch of GlavTorg.com. The all-new niche for all Russian search engine optimization (SEO) masters. Adult has died, online pharmacies are under pressure, and [fake anti-]spyware is dying. It’s time to move into a new direction. FASHION – that’s the trend this year! High demand, myriad of opportunities… Competition is almost non-existent.  High commissions.”

The program apparently was not profitable, or there was a mismatch between supply and demand, because on Dec. 21, 2011, GlavTorg affiliates were told it was being shut down and that they would not be paid after Jan. 31, 2012:

“Dear partners, We would like to inform you that we have decided to close the trade direction replica handbags and clothing. The reasons for this decision and are associated with economic deterioration in the quality of products provided by our suppliers. We believe that any business should be to balance the interests of buyers and sellers, which has recently become disturbed.”

GlavTorg’s failure may have had more to do with pressure from brand owners. In September 2011, handbag maker Chanel filed suit to shutter dozens of sites selling knockoff versions of its products. Among the domains seized and handed over to the company was topbrandclub.com, a primary GlavTorg merchandising site whose home page now bears a warning from Chanel about buying counterfeit goods.

It’s difficult to say whether other knockoff affiliate programs are feeling the same pressures as GlavTorg, but it is fascinating to see how spammers and fraudsters are constantly adapting. Igor Gusev, a Russian businessman closely tied to Glavmed and GlavTorg, has been trying to work out which “grey” Internet business he will pursue next. Gusev is in self-imposed exile from his native Moscow, due to pending criminal charges against him of running a spam operation in Glavmed and SpamIt.

In a phone interview with KrebsOnSecurity.com last July, Gusev said he was considering going into the consulting business, advising online affiliate programs on how to navigate the choppy waters of shady credit card processors and dodgy banks that support those industries.

“Honestly, I am looking into this business,” Gusev said. “From one point of view, it’s pretty risky because I want to stay as far as possible away from doing stuff which could lead to another criminal case. But from another point of view, I can earn some money just to make some consultations with merchants such as this if the merchants agreed to paid some percentage for my expertise,” because the banks are the vital thing to all of this stuff.”

Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.

On Thursday, Trend Micro said it had encountered malware that leverages a vulnerability in the way Windows handles certain media files. This is a browse-and-get-owned flaw for Windows XP, Windows Vista, Windows Server 2003 and 2008 users, meaning these folks can infect their machines merely by browsing to a hacked or malicious site hosting a specially crafted media file. If you run Windows and have delayed installing this month’s updates, consider taking care of that now by visiting Windows Update.

Trend Micro competitor Symantec also issued a warning this week — about threats to its own software. Responding to a now widely-publicized break-in that resulted in the theft of its proprietary source code in 2006, Symantec issued a 10-page white paper with recommendations for customers still using this software. The company says fewer than 50,000 people are still using pcAnywhere, but those who are should consider applying newly-released updates, or removing the program altogether.

From that whitepaper (PDF):

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

On Thursday, Symantec released updates to address at least three security vulnerabilities in pcAnywhere 12.5 for Windows. The company said it plans to issue additional updates for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5, although it didn’t say precisely when those updates would be available.

It’s generally a bad idea to leave remote administration tools like pcAnywhere always on and always accessible via the Internet. If you must use them, I’d strongly recommend limiting allowable connections to specific computer names or Internet addresses, limiting the number of consecutive logon attempts, and — if feasible– incorporating some type of token based solution.

Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.

Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.

On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.

“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.

Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.

WHO IS SEVERA?

A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.

It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.

In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.

Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.

Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.

SPAMDOT SECRETS

So where are the clues suggesting that Severa ran Waledac? Krebs On Security also managed to secure a copy of the Spamdot.biz forum, including the private messages for all of its users. On August 27, 2009, Severa sent a private message to a Spamdot.biz user named “ip-server.” Those communications show that the latter had sold Severa access to so-called “bulletproof hosting” services that would stand up to repeated abuse claims from other ISPs. The messages indicate that Severa transacted with ip-server to purchase dedicated servers used to control the operations of the Waledac botnet.

In the private message pictured in the screen shot to the left, Severa writes (translated from Russian):

“Hello, writing to your ICQ, you are not responding.  One of the servers has been down for 5 hours. The one ending on .171.  What’s the problem, is it coming up or not, and when?”

ssh 193.27.246.171
ssh: connect to host 193.27.246.171 port 22: No route to host”

Ip-server must have resolved the outage, because the server that Severa was complaining about — 193.27.246.171 — would be flagged a day later by malware analysts, and tagged as a control server for the Waledac botnet.

There are clues that suggest a relationship between Severa and Kelihos that go beyond similarities in the code that powers the two botnets. Last summer, prior to Microsoft’s takedown of Kelihos, I wrote about another venture that Severa widely advertised on hacker forums: “Sevantivir,” an affiliate program that rewarded hackers for tricking people into installing and ultimately paying for fake antivirus software.

In that story, I cited research by French malware investigator and blogger Steven “Xylitol” K, who found that the installer program that Severa was giving to affiliates seeded infected PCs with both fake antivirus and a copy of Kelihos. From that story:

“Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.”

It’s not clear what botnet infrastructure he is using now, but Severa is still the spam service administrator on several underground forums, pimping his spam services, remarkably under most of the same prices he offered them for in 2008.

Contacted via instant message and presented with the evidence, Severa denied everything, saying he only did small opt-in mailings, had never used a botnet, and had been out of the business for years. When pressed about his fake antivirus affiliate program, Severa said he didn’t realize his antivirus program was fake, and that he didn’t know anyone named Sabelnikov, or even Ralsky. When presented with the screen shot below — which shows Severa complaining on Spamdot about how his broker ran away and that he was faced to find a new sponsor for spamming penny stocks just days after Ralsky’s arrest in Jan. 2008 — Severa said someone else must have been using his Spamdot account.

“The truth is that some people sharing servers, spamdot account and some other forum accounts [in] those years,” he explained. He gave the same reply when asked about the screen shot showing his renting the server used to control Waledac.

Kelihos may not be completely gone. Stone-Gross said he recently uncovered a malware sample that appears to be another installer for Kelihos.

“The guys running these botnets are making lots of money,” Stone-Gross said. “They’re not just going to sit back and say, ‘Oh no, they took down our botnet, let’s give up on our business.’ They’ll use pay-per-install affiliate programs to reinfect more machines and bring the botnet right back up.”

Severa writes: "Because of issues with Ralsky my broker ran away along with two other people who could supply stocks. I am forced to look for new contacts. So -- I AM LOOKING FOR STOCK SPONSOR"

In a surprise filing made late Monday, Microsoft said a former technical expert at a Russian antivirus firm was the person responsible for operating the Kelihos botnet, a global spam machine that Microsoft dismantled in a coordinated takedown last year.

Andrey Sabelnikov

In a post to the Official Microsoft Blog, the company identified 31-year-old Andrey N. Sabelnikov of St. Petersburg, Russia as responsible for the operations of the botnet. Microsoft’s amended complaint (PDF) filed with the U.S. District Court for the Eastern District of Virginia states that Sabelnikov worked as a software engineer and project manager at a company that provided firewall, antivirus and security software.

Microsoft doesn’t specify where Sabelnikov worked, but according to Sabelnikov’s LinkedIn page, from 2005 to 2007 he was a senior system developer and project manager for Agnitum, a Russian antivirus firm based in St. Petersburg. One of the company’s most popular products is Outpost, a free firewall program. Sabelnikov’s profile says he most recently worked for a firm called Teknavo, which makes software for companies in the financial services sector.

A source close to the investigation told Krebs On Security that Sabelnikov’s alleged role was discovered after a security researcher obtained a copy of the source code to Kelihos. The researcher noticed that the source contained debug code that downloaded a Kelihos malware installer from the domain sabelnikov.net, a photography site registered to Sabelnikov’s name. That site currently links to Sabelnikov’s profile page at Russian social networking site Vkontakte.ru, which includes the same pictures found in the LinkedIn profile mentioned above.

Microsoft doesn’t mention the source code discovery in its amended complaint, but it does reference the availability of new evidence in naming Sabelnikov. The company said it also had cooperation from the original defendants in the case — Dominique Alexander Piatti and the dotFREE Group, which owned the domains allegedly used to control the botnet.

Update, Jan. 27 9:38 a.m. ET: Sabelnikov on Thursday posted a response on his blog denying Microsoft’s allegations, saying he had never participated in the management of botnets and any other similar programs. Sabelnikov also stated that he has just returned from a business trip to the United States earlier this month. Interestingly, he says he arrived in the U.S. on Jan. 21, and stayed for two days — meaning he left either the same day or a day after Microsoft filed its brief with the court.

Also on Thursday, I published a follow-up investigation which suggests that Kelihos and its predecessor Waledac were almost certainly the work of a well-known spammer named Peter Severa.

Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.

A screenshot of the Citadel botnet panel.

The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients.

“Its no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers,” Citadel’s developers claim in an online posting. “One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

In the following excerpt, taken from a full description of Citadel’s innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.

“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:

- Report bugs and other errors in software. All tickets are looked at by technical support you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.

-Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.

-Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with certain enhancement or new module depending on the voting results.

-Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.

- You can see all stages of module development, if it is approved other members. We update the status and time to completion.

- You may pay a deposit, if module is approved (50%). After the deposit is paid by the members, the project starts moving forward, so that the money is paid directly to coders and there will be no laziness or inaction. Everything is clear: every stage of development is thoroughly shown.

-Easy jabber [instant message] notification of new member or developer comments, or the availability of new custom applications.

The Citadel store lets users file and track bug reports, and request and vote on new features.

Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity.

The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly “rent,” but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator’s location(s). According to the authors, if the malware detects that the victim’s machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims.

The Citadel bot builder.

It will be interesting to see if these malware developers hold true to their word. The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation. For now, the miscreants behind Citadel appear upbeat about their chances of ushering in such a reality.

“It’s very interesting for us to work with our clients,” they wrote in an online forum posting. “A lot of authors write in forums that they ‘support the product,’ but at the end the updates only come out once every three months or the author disappears forever. Problem is in author’s motivation. You support us, we support you. It is easy.”

A new service aims to be the Google search of underground Web sites, connecting buyers to a vast sea of shops that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools.

MegaSearch results for BIN #423953

A glut of data breaches and stolen card numbers has spawned dozens of stores that sell the information. The trouble is that each shop requires users to create accounts and sign in before they can search for cards.

Enter MegaSearch.cc, which lets potential buyers discover which fraud shops hold the cards they’re looking for without having to first create accounts at each store. This free search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.

According to its creator, the search engine does not store the compromised card numbers or any information about the card holders. Instead, it works with card shop owners to index the first six digits of all compromised account numbers that are for sale.  These six digits, also known the “Bank Identification Number” — or BIN — identify which bank issued the cards. Searching by BIN, MegaSearch users are given links to different fraud shops that are currently selling cards issued by the corresponding bank.

I first read about this offering in a blog post by RSA Fraud Action Research Labs. It didn’t take much time poking around a few hacker boards to find the brains behind MegaSearch pitching his idea to the owners of different fraud shops. He agreed to discuss his offering with me via instant message, using the search service as his screen name.

“I’m standing on a big startup that is going to be [referred to as] the ‘underground Google,’” MegaSearch told KrebsOnSecurity. “Many users spend a lot of time looking [through] shops, and I thought why not make that convenient?”

The service currently indexes compromised BINs from five different card shops, although he said several more shops are close to completing their integration with MegaSearch. He acknowledged garnering a small advertising fee for each relationship, although he repeatedly declined to discuss the particulars of those arrangements. But he said both sides benefit: stolen card data grows less reliable with age, and fraud shops that are indexed by MegaSearch stand a better chance of clearing their inventory faster, the hacker argues.

MegaSearch said that when his site first launched at the end of 2011 and began indexing the five card shops he’s now tracking, those shops had some 360,000 compromised accounts for sale, collectively. Since then, those shops have moved more than 200,000 cards. The search engine currently has indexed 352,000 stolen account numbers that are for sale right now in the underground.

According to BIN search stats published on the site, Citibank cards are the most sought-after, followed by cards issued by FIA Card Services, Capital One and Chase.

In the coming weeks, he said, the site will include new features that index other types of criminal wares, including Social Security numbers and proxies — addresses of hacked PCs that paying clients can use as a relay to anonymize their online communications.

“I’m about to add more services to that site that would help newbie underground, including proxies, stolen identity information, etc.,” MegaSearch told me. “I’m also going to add a survey [to rate] the best shop.”

2011 has been called the Year of the Data Breach. If services like MegaSearch are indicative of a trend, 2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.

A new open source toolkit makes it ridiculously simple to set up phishing Web sites and lures. The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one could be abused by miscreants to launch malicious attacks.

Simple Phishing Toolkit admin page

The Simple Phishing Toolkit includes a site scraper that can clone any Web page — such as a corporate Intranet or Webmail login page — with a single click, and ships with an easy-to-use phishing lure creator.

An education package is bundled with the toolkit that allows administrators to record various metrics about how recipients respond, such as whether a link was clicked, the date and time the link was followed, and the user’s Internet address, browser and operating system. Lists of targets to receive the phishing lure can be loaded into the toolkit via a spreadsheet file.

The makers of the software, two longtime system administrators who asked to be identified only by their first names so as not to jeopardize their day jobs, say they created it to help companies educate employees about the dangers of phishing scams.

“The whole concept with this project started out with the discussion of, “Hey, wouldn’t it be great if we could phish ourselves in a safe manner,’” said Will, one of the toolkit’s co-developers. “It seems like in every organization there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame.”

First released in October 2011, the Simple Phishing Toolkit is already in its fourth revision. The latest version includes an education module with the options to ‘educate on link click’ (to warn users about the dangers of drive-by malware downloads), upon form submission (credential harvesting), or not at all.

Partly to deflect criticism about the tool’s potential for abuse by miscreants, the toolkit doesn’t include the capability to capture data that recipients enter into forms in the phishing pages, although its creators say this feature will be offered in a future version as an optional add-on.

While more comprehensive open source phishing toolkits (the Social Engineer Toolkit for Backtrack/Metasploit, e.g.) have been in existence for some time, Will and project co-developer Derek said they wanted a more lightweight approach.

“We wanted a stand alone project that doesn’t cost money and doesn’t take a lot of devotion to learning,” Derek said.

The toolkit lives up to its name: It’s extremely simple to install and to use. Using a copy of WampServer — a free software bundle that includes Apache, PHP and MySQL — I was able to install the toolkit and create a Gmail phishing campaign in less than five minutes.

It seems that not long ago, the idea of organizations phishing their own employees was controversial. These days, there are a number of organizations that offer this awareness training as a service. If you’d rather design and execute the training in-house, SPT looks like a great option.

Given the heightened security surrounding air travel these days, it may be hard to believe that fraudsters would try to board a plane using stolen tickets. But incredibly, there are a number of criminal travel agencies doing business in the underground, and judging from the positive feedback left by patrons, business appears to be booming.

Ad above says: Maldives Turkey Goa Bora-Bora, Carribes, Any country, any hotels and resorts of the world.

The tickets often are purchased at the last minute and placed under the criminal buyer’s real name. The reservations are made using either stolen credit cards or hijacked accounts belonging to independent contractors in the travel industry.  Customers are charged a fraction of the cost of the tickets and/or reservations, typically between 25 and 35 percent of the actual cost.

Criminal travel services are contributing to a recent spike in airline ticket fraud. In December, the Airlines Reporting Corporation, an industry clearinghouse, said it was seeing a marked increase in unauthorized tickets issued. Between August and November of last year, 113 incidents of fraudulently booked tickets were reported to ARC, up from just 18 such incidents reported in all of 2010. The aggregate face value of the unauthorized tickets in 2011 was more than $1 million. The ARC believes the increase in fraud is mainly due to an surge in phishing emails targeting travel agency employees and contractors.

Some of the travel agencies in the criminal underground are full-service, pitching package deals that  include airfare, car rentals and even hotel stays. A hacker using the nickname “Yoshimo” on one prominent fraudster forum offers “80-95 percent working flight tickets in most countries (some restrictions apply),” for 25 percent of the original price, and 40 percent of the price for carded hotel stays and car rentals. He has been offering this service for more than two years, and has at least 275 positive reviews from current and former customers.

At first glance, it may seem unlikely that your typical paranoid fraudster would dare take advantage of such a service. But according to the proprietors, few customers are ever stopped, and those that are can simply claim that they were victims of fraud. At least that’s how it’s explained by “Jeferi,” a criminal travel agent who has set up shop on the fraudster forum Kurupt.su.

To assuage fears of potential customers, Jeferi allows buyers to verify the status of their e-tickets the day of travel before paying for them. And of course, none of these bogus travel services accept credit cards: They only take payment via virtual currencies, such as WebMoney and Liberty Reserve.

“The story is simple,” Jeferi explained in a discussion thread that spans five pages and includes questions from dozens of skeptical and interested members. “The thing is, you are thinking as a criminal. Think about yourself as a victim of an online scam. You saw an advertisement of a “Travel Agency” in the Internet, and it seemed interesting. So you contacted them through a forum and finally arranged a deal. The travel agency told you that the tickets were last-hour tickets and that they were affiliate with the airlines, so they could offer these kinds of prices, and you thought they were legit. OMG! I never thought it was going to be a scam! Bastards!”

Chalk it up to professional pride or just greed, but it seems that many people who steal for a living have difficulty legitimately purchasing anything online. There is probably also a strong emotional jolt that these guys receive from getting a stranger to pick up the tab for a tropical vacation. As Jeferi says in his ad: “What’s better? Money for one day to buy some chips? Or Big Money each day to do whatever your want?”

Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their  products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.

Microsoft released seven security bulletins addressing at least eight vulnerabilities in Windows. The lone “critical” Microsoft patch addresses a pair of bugs in Windows Media Player. Microsoft warns that attackers could exploit these flaws to break into Windows systems without any help from users; the vulnerability could be triggered just by browsing to a site that hosts specially crafted video content.

The other Windows patches earned a less severe “important” rating from Microsoft, although not everyone agrees with that assessment. Symantec’s Joshua Talbot said another bug fixed today — a glitch in the way Windows handles Microsoft Office files — is potentially more dangerous because it appears to be easier to exploit than the Media Player flaw.

“The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file,” Talbot said. “Email attachments will probably be the most common attack method in which this vulnerability is exploited. As usual, we strongly recommend users only open email attachments from people they know.”

More information on the other patches Microsoft released today is available here.

I want to call attention to a security issue that Microsoft addressed over the holiday break that I neglected to write about earlier, but which deserves equal attention and patching. On Dec. 29, Microsoft issued an out-of-band update to address a flaw in ASP.Net that could allow an attacker to force a user to visit a malicious web site. The vulnerability affects all versions of the .NET Framework on Windows XP and later versions of Windows. If you use Windows and see a .NET Framework patch awaiting your approval in Windows Update this month, don’t neglect it.

In a separate release, Adobe pushed out security updates for Adobe Reader and Acrobat. At the forefront of the Adobe patch batch is a fix for a zero-day flaw in Acrobat and Reader that Adobe first warned about in early December. Shortly after that warning, Adobe issued a fix for the flaw in Reader 9.x and Acrobat 9.x, but said it would wait until today (its scheduled, quarterly update) to address it in the new Reader X and Acrobat X versions of the software. Adobe recommends that users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Updates are available for Windows and Mac versions of these titles; see the Adobe advisory for the patch download links.

As ever, if you experience any problems as a result of installing these updates, please drop a note in the comments below.

Jobs in the hi-tech sector can be hard to find, but employers in one corner of the industry are creating hundreds of full-time positions, offering workers on-the-job training and the freedom to work from home. The catch? Employees will likely toil for cybercrooks, and their weekly paychecks may barely cover the cost of a McDonald’s Happy Meal.

Kolotibablo.com home page

The abundance of these low-skilled, low-paying jobs is coming from firms that specialize in the shadowy market of mass-solving CAPTCHAs, those blurry and squiggly words that some websites force you to retype. One big player in this industry is KolotiBablo.com, a service that appeals to spammers and exploits low cost labor in China, India, Pakistan, and Vietnam.

KolotiBablo, which means “earn money” in transliterated Russian, helps clients automate the solving of puzzles designed to prevent automated activity by bots, such as leaving spammy comments or mass-registering accounts at Webmail providers and social networking sites. The service offers an application programming interface (API) that allows clients to feed kolotibablo.com CAPTCHAs served in real time by various sites, which are then solved by KolotiBablo workers and fed back to the client’s system.

Paying clients interface with the service at antigate.com, a site hosted on the same server as kolotibablo.com. Antigate charges clients 70 cents to $1 for each batch of 1,000 CAPTCHAs solved, with the price influenced heavily by volume. KolotiBablo says employees can expect to earn between $0.35 to $1 for every thousand CAPTCHAs they solve.

The twin operations say they do not condone the use of their services to promote spam, or “all those related things that generate butthurt for the ‘big guys,’” mostly likely a reference to big free Webmail providers like Google and Microsoft. Still, both services can be found heavily advertised and recommended in several underground forums that cater to spammers and scam artists.

Registered antigate.com users can read more about why customers typically purchase the service, and how KolotiBablo is run. From the description:

“All CAPTCHAs in our service are completely solved by real humans, there are usually 500-1000 (and growing) workers online from all the world. That’s why we can process any CAPTCHAs at any volume for a fixed price $1 per 1000 CAPTCHAs.

You may probably think that using human resource inappropriate or inhumane. However, keep in mind that we pay the most of collected money to our workers who sit in the poorest corners of our planet and this work gives them a stable ability to buy food, clothes for themselves and their families. Most of our staff is from China, India, Pakistan and Vietnam.”

To get started as a CAPTCHA-solving worker at Kolotibabo.com (pictured at left), you’ll need to provide a working account at WebMoney, a virtual currency. After that, the system will start feeding you live CAPTCHAs to solve, prefacing each with an notice about the rate that the client has agreed to pay per batch.

Depending on the demands that clients place on the service, there may be a brief delay between CAPTCHAs, but generally only a few seconds pass between the time a solved puzzle is submitted and when a new one is offered. Each new puzzle is preceded by an audible “beep,” and workers are expected to solve and type each of the CAPTCHAs in less than 10 seconds. During downtime, the system displays workers’ average puzzle solving times, as well as actual and projected weekly earnings.

If sort of drudgery sounds like easy money, take a moment to work out the math. Assuming that you can solve six CAPTCHAs per minute and work eight hours straight, you’d be able to solve about 2,880 puzzles each day. Even at the highest CAPTCHA solving rate, you’d only make $2.88 daily; at the lowest rate, you’d make just over a dollar a day.

No, the real earnings only come when you assemble an army of workers to solve CAPTCHAs for your WebMoney account, as described by this FAQ at KolotiBablo.com.

As long as there is low-cost human labor willing to do this kind of work for pennies per day, CAPTCHAs will continue to be an ineffective way to prevent automated account creation and spammy Web site comments. But at least experts are working on making CAPTCHAs less annoying: Some firms are starting to pitch more user-friendly alternatives to the hard-to-read squiggly CAPTCHAs.

If you’d like to learn more about CAPTCHAs and the semi-automated systems being built to defeat them, I’d suggest reading this paper (PDF) on CAPTCHA-solving services, from researchers at University of California, San Diego. Also, in Nov. 2010, I wrote about CAPTCHABot, another puzzle-solving service with similar rates and practices.

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

ICQ 360000 (alias “SPM”): I want my logo to be next to yours on the forum.

Stupin: Understood.

SPM: Let’s decide.

Stupin: We can think of something.

SPM: Let’s do it. Fakir suggests that I start recommending your partnerka to my clients. I am not against that.

SPM: But I want to have the status of official software for spamdot. It will come to it, since majority of moderators on the forum are with me already.

Stupin: We can think of something like this  – we are placing your logo with ours,  in return you add our logo to your software, like you are recommending us.

SPM: Not a problem. I am leaving to draw the logo.

SPM: Give me a piece of the header, and I will draw right on it. I mean the header for the forum.

Stupin: Wait,  it cannot be decided that fast,  I need to discuss it with my partner and simply think all of this over.

SPM: Fine. Let me know when you discuss it.

Stupin: Certainly.

SPM: Thanks in advance. And when you are discussing this matter with your partner, let him know, that SPM’s plan is to become the ONLY system on the market, and I stay by my words

Stupin: Google is saying the same thing

SPM: Google is no match, believe me. I’ve already destroyed one competitive system on the market. So I have the experience

SPM: Google offered me a bribe for my going out of business That’s his method )

Stupin: Honestly, it’s more pleasurable to deal with you than with him.

SPM: I was surprised that someone is competing with me on spam soft market.  On the other hand, competition is always a good thing. So I am not against it.

The exchange above is part of a much longer conversation thread that is translated and reproduced in its entirety at this link. It recounts how SpamIt administrators debated and ultimately acquiesced to SPM’s demands, and how they later distanced themselves from Srizbi when security researchers turned up the heat on the criminal operation.

WHO IS SPM?

Clues about the identity and location of SPM are all over the SpamIt database and the chats. When SPM first registered with SpamIt in early 2007, he provided the email address mserver@mail.ru, and of course the ICQ address 360000. Early forum posts show that SPM rented his Reactor/Srizbi botnet to spammers who would log in to their accounts at reactormailer.com. The original Web site registration records for that domain list the same email address SPM provided to SpamIt: mserver@mail.ru.

When reactormailer.com was shuttered, SPM moved operations to www.reactor2.com, a domain originally registered to ronnich@gmail.com. SpamIt affiliate records show that a spammer who registered in 2007 with that same email address was a referral of SPM’s. Records also show that SPM referred at least two other affiliates, a “nenastnyj” who used the email address nenastnyj@gmail.com, and a programmer who used two accounts under separate nicknames, “Vladie” (volodyja@gmail.com) and “SigmaZ” (vlaman@gmail.com).

These names show up in an insightful analysis of Srizbi published in 2007 by Joe Stewart, senior security researcher at Atlanta-based SecureWorks. That report was prompted in part by a strange blast of spam sent via Srizbi that promoted the presidential candidacy of Texas Congressman Ron Paul.

Stewart wrote:

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm” He calls his company “Elphisoft,” and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true; by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj.”

So Stewart’s conclusions about SPM’s business associates seem to have been spot-on. But what about SPM? Some of the more promising leads come from the spam king himself. As Stewart noted, SPM gave an interview in Jan. 2007 with the storied Russian hacker magazine Xakep.ru, in which he discusses how his Reactor Mailer botnet — “wholly owned” by him but built with the help of “some of the best coders from the former Soviet Union” –  had recently seized a quarter of the market for spam services. Early in the profile, SPM says he is the “owner of a company producing game software.”

The game company lead is the most tantalizing. Here’s why: Googling around for SPM’s ICQ — 360000 — I discovered that SPM has indeed been developing freeware games for many years. At freeware.ru, there are a number of games posted by a guy named Philipp Pogosov, who uses that same ICQ and the mserver@mail.ru address.

Things started really heating up when I located this thread from 2005 on the user forum of UCA Networks, an Internet service provider serving the Southwestern and Southern districts of Moscow. In it, a user named “spm” says he is selling his 2001 BMW 530ia. SPM tells interested buyers to contact him at ICQ 360000, and that pictures of the car are available at http://www.reactor2.com/bossmobile. Later in the thread, SPM tells a fellow forum member to send his resume to game@gameprom.com.

I had a look at Gameprom, which seems to be doing very well developing and selling video games for mobile devices. Russian incorporation records show that Gameprom was founded in 2004 and is owned by Philipp Pogosov. This is also the name on the domain registration records of gameprom.com. What is the email address used to register gameprom.com? You guessed it: mserver@mail.ru.

I made several unsuccessful attempts to contact Mr. Pogosov. Gameprom did not respond to requests for comment. Having no luck with email, I turned to social networking sites. LinkedIn.com includes 19 users who list their current or former employer as Gameprom, including a “Philipp P.” who is listed as the company’s owner. My attempts at convincing two of my mutual LinkedIn.com connections to introduce me to Pogosov failed, but I did learn one interesting thing from his LinkedIn profile: He is apparently based in Thailand.

If Pogosov really is SPM, then it seems he has resided in Thailand for several years. Earlier in my Pharma Wars series, I detailed the activities of Cosma — the top SpamIt affiliate who appears to have been responsible for a botnet that competed directly with SPM’s – Rustock.. In a chat between Cosma and Stupin on Oct. 1, 2008, Cosma jokes that he may soon be making enough money spamming that he can ditch his day job and go join SPM in Thailand. Here’s a snippet from that chat:

ICQ 761474 (alias=Cosma): When we reach $6-7k a day, I will leave you alone….I will go to SPM in Thailand and will drink cognac with him all day long =)

REACH OUT AND SPAM SOMEONE

It’s not clear why SPM left SpamIt, but it may have been because his botnet got clobbered in a double-whammy. First, the takedown of cybercriminal hosting hub McColo kneecapped Srizbi for a few weeks because all of its control servers were hosted there. Srizbi briefly recovered in Feb. 2009, only to be hammered again by Microsoft, which pushed out an update to its malicious software removal tool that uninstalled Srizbi from Windows PCs.

There is a year-long gap in the chat records between Stupin and SPM during 2009. When SPM does turn up again early 2010, it’s to pitch an ambitious scheme to spam mobile phones with text message ads for SpamIt’s rogue pharmacies.

The following chat was recorded on Jan. 24, 2010, roughly 9 months before SpamIt’s demise:

ICQ: 635635 alias “Namaste”: Hi. This is SPM. What’s new in the community?

Stupin: Nothing new. Everything repeats itself.

SPM: That’s the law of life.  How’s business?

SPM: Am I interrupting something?  I can knock later if I am.

Stupin: No, you are not interrupting. Business is going fine. It’s going and growing.

SPM: There are a couple of ideas to discuss. Idea 1) In short – I can do SMS spam. It is serious, many and fast. I believe the friends of ours told you about that already.

SPM: Maybe not.

Stupin: I am very happy for you.

SPM: In other words, you are not interested in using SMS for SpamIt spam?

Stupin: Well, I have not really heard an offer from you.

SPM: Well, we can produce an offering together. I do not have a finished offer yet. Simply, there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second. Any provider. Inbox delivery – 80%, but outcome cannot be predicted by anyone, since, as far as I know nobody has been doing SMS spam yet.

Stupin: Well, go get our URLs and try.

SPM: We’ll need a version of your shops adapted for smartphones. With limited graphics.

Stupin: They are adapted automatically, using User-Agent.

SPM: Give me any link, and I will check on the phone.

Stupin: http://canadian-medshop.com

SPM: Do you have stats of connections to shops from smartphones?

Stupin: Yes, a small percent from overall traffic.

SPM: What kind of phones? Do you have this information?

Stupin: No surprises…iPhones, and Blackberry

SPM: How about Nokias?

Stupin: Very few.

SPM: Inconvenience that URL should be entered manually, but on the other hand – Inbox 80%….

Stupin: Databases are not targeted also, as far as I understand.

SPM: Surely, but on the other hand, there is a possibility to spam the entire provider’s space.

Stupin: Ask some hackers to give you a phone listing generated from an on-line pharmacy.

SPM: I thought about it. Is my account still alive? I forgot my password.

Stupin: Tell us login and which new password you want us to set.

SPM: spam101

Stupin: Okay.

SPM: Does your pharmacy serve Russia?

Stupin: No.

SPM: Pity. Our providers are very easy to harvest. All three of them.

Stupin: Password is done.

Stupin: Tell us if everything is okay.

SPM: Everything is okay. My GOD, there is even some money there Will you send to my WM?

Stupin: Yes. Let support know, if you need domains,  we can leave one theme for smartphones,  similar to what we have here: http://www.medshop.mobi

Previous stories in my Pharma Wars series have identified top kingpins behind the some of the biggest spam botnets. Today’s post does that and more, including never-before-published information on “Google,” the lead hacker behind the world’s busiest spam botnet — Cutwail.

December 2011 spam stats from M86Security

For many years, Cutwail has been among the top three most prolific spam botnets. With the recent takedown of the Rustock botnet, Cutwail now is the top spam bot; according to M86 Security, versions of Cutwail are responsible for about 22 percent of the daily spam volumes worldwide.

Security researchers have extensively dissected the technical machinery that powers Cutwail (a.k.a. “Pushdo” and “Pandex”), but until now little has been published about the brains behind it. Krebs On Security has learned that the individual principally responsible for developing and renting this crime machine to other miscreants was a top moneymaker for SpamIt, until recently the world’s largest rogue Internet pharmacy affiliate program.

By the time he joined SpamIt in early 2007, the hacker named Google had already spent several years fine-tuning his spam botnet. Just months prior to its closure in Oct. 2010, SpamIt was hacked, and its customer and affiliate data leaked online. The data shows that Google used close to a dozen affiliate accounts at SpamIt, and made nearly $175,000 in commissions advertising SpamIt’s rogue online pharmacies with the help of Cutwail.

But Google would make far more money renting his botnet to other spammers, and SpamIt affiliates quickly became his biggest client base. Interestingly, the proprietors of SpamIt initially asked for Google’s help not to spam rogue pharmacies, but to jump-start a new affiliate program called Warezcash to sell “OEM” software — mostly pirated copies of Microsoft Windows and other high-priced software titles.

That relationship is evident from hundreds of chat logs between Google and SpamIt co-founder Dmitry “Saintd” Stupin. The conversations were part of thousands of hours of logs obtained by Russian cybercrime investigators who examined Stupin’s computer. The chats were later leaked online, and provide a rare glimpse into the day-to-day operations of Cutwail from the botmaster’s perspective. They also provide tantalizing clues as to the real-life identity of Google and his co-workers. Snippets of those conversations appear below, translated from their original Russian into English by native Russian speakers.

THE CUTWAIL MACHINE

Some of the best techical analysis of Cutwail came earlier this year in a paper from researchers at the University of California, Santa Barbara and Ruhr-University Bochum, which described in detail how the Cutwail botnet was operated, rented and promoted on the exclusive SpamIt forums. From their paper (PDF):

“The Cutwail spam engine is known in spam forums by the name 0bulk Psyche Evolution, where it is rented to a community of spam affiliates. These affiliates pay a fee to Cutwail botmasters in order to use their botnet infrastructure. In return, the clients are provided with access to a Web interface (available in Russian or English language) that simplifies the process of creating and managing spam campaigns…”

SpamIt affiliate records show that Google registered with the program using the email address psyche.evolution@gmail.com (according to historical WHOIS records, the domain name psyche-evolution.com was registered in 2005 by that same email address, to an organizations called “0bulk corp.” in Moscow).

In several chats with Stupin, Google describes how he and his pals switched to pharmacy spamming when promoting stocks via spam became less lucrative. In a discussion on Feb. 25, 2007, Google said he was “renting software for spam,” to competing spam affiliate programs “Mailien,” “Bulker,” and “Aff Connection,” and that all of his clients had great success converting traffic into sales. “We have been spamming stocks, however now stocks started converting badly, so we decided to spam in parallel with some affiliate programs. We organized people, gave them tasks to do. We’ve been spamming them for a week only, but I think we’ll do good.”

From a chat dated August 16, 2007, Google explains how to use the Cutwail botnet:

1) Access to the interface: http://208.72.173.10:3571/login.cgi

2) Stats and loader: http://208.66.194.231:3081/ldr/vn.cgi

3) Manual about our software: http://208.72.173.10:3571/man.cgi

4) Technical support contacts/Personal ICQ addresses for support:

198922489 – Psyche Support 1

468559240 – Psyche Support 2

481896712 – Psyche Support 3

353149439 – Psyche Sypport 4

5) Contact of Manager:  He handles questions about payments and all non-technical questions, also questions regarding complaints about the software and technical support, ICQ: 43266131

6) Technical support forum: http://psychetalk.com, Login  saintd, Password: VeryNice

Google’s alliance with SpamIt would quickly cement the Cutwail botnet as a top contender. On Sept. 7, 2007, Google bragged to Stupin that his malware had “made it to #14″ on Kaspersky’s most prevalent malware threats, pasting this link into the conversation. Kaspersky Labs confirmed that the Trojan Downloader.Win32.Agen.brk listed at #14 in that index is one of the aliases for a downloader Trojan used to deploy Cutwail.

GOOGLE’S IDENTITY REVEALED?

According to the Stupin logs, the SpamIt administrators worried that Google would not be mature enough to handle such a big operation, noting in one chat that Google was said to be only about 25 years old. Shortly after that conversation, on May 14, 2007 Stupin and Google agreed to hold a face-to-face meeting in Moscow to discuss the Warezcash OEM partnership. In that chat, Google asks Stupin to call him on his mobile number, which he gives as +7-916-4444474.

That same phone number is tied to the historic Web site registration records for several domains, including  antirootkit.ru, einfinity.ru, electronicinfinity.ru, hoha.ru, lancelotsoft.com, and ssbuilder.ru. In each record, the name of the initial registrant is “Dmitry S Nechvolod,” and the contact phone number is +7-916-4444474.

According to the Web site of Russian software firm Digital Infinity Developers Group (the search engine Google currently flags diginfo.ru as malicious), Nechvolod is part of a team of developers, and is described as an “administrator of UNIX-based systems (ATT/BSDi),” an “administrator of Cisco routers,” and “a specialist in information security software.”

It’s unclear whether Nechvolod is Google’s real name, a pseudonym, or merely clever misdirection to implicate someone else. But there are other interesting connections: spam.hoha.ru was at one point listed as a reliable place to rent mass spam campaigns, at least according to several members participating in this Russian Webmaster forum discussion.

Probably the best clue in support of a connection between Google and Nechvolod comes from the payment data that Google himself provided to SpamIt. Google asked SpamIt administrators to send his affiliate payments via WebMoney, a virtual currency that is quite popular in Russia and Eastern Europe. He requested that his commissions be paid to the WebMoney purse Z046726201099. According to a source that has the ability to look up identity information tied to WebMoney accounts, the personal information provided when this account was opened in 2004 was:

Нечволод Дмитрий Сергеевич (“Nechvolod Dmitry Sergeyvich”)

•  Passport  – 4507496669
•  Date of Issue (ММ/DD/YYYY) – 7/23/2004
•  Place of Issue – Moscow/Russia
•  Issued – ATS District Cheryomushki
•  Date of birth (as on passport) – July 9, 1983
•  E-mail – wm.lancelot@gmail.com
•  Telephone – +7 9164444474

Another strong link provided by Google (the search engine Google, not the spammer) stems from one of the domains registered to Nechvolod — einfinity.ru. In 2006, a Stanislav representing himself as a job recruiter for a company called “E-infinity” posted a message to the Russian programmer forum Delphimaster.net that he was seeking UNIX programmers for work at an E-infinity office in Moscow. Stanislav asked interested applicants to contact him at ICQ number 903445.

The Diginf.ru Team

SpamIt affiliate records show that in Sept. 2007, a new spammer signed up with the usernames Feligz/Eagle providing the email address maravanio@gmail.com and ICQ 903445 as his contact information. Stupin’s ICQ chat logs show that on Sept. 3, 2007, Stupin contacted Google’s manager (ICQ 43266131, see above) about an urgent problem, complaining that he was unable to reach Google or two of Google’s usual support personnel by ICQ or by phone. The manager says he will try to get in touch with the technical director within Google’s operation, a hacker who uses the screen name Eagle. Minutes later, Stupin receives an instant message from Eagle, who is using the ICQ number…wait for it….. 903445.

Remember the page at Diginf.ru referenced above that lists Dmitry Nechvolod as a system administrator? That same page lists a Stanislav Kuznetsov as another team member. What is Stanislav’s email? Eagle@diginf.ru.

CRIMEWARE EVOLUTION

For a variety of reasons, spam is not nearly as prevalent as it once was. According to a recent report (PDF) from Symantec, just 70 percent of email sent worldwide was spam in November 2011, the lowest rate since the rogue ISP McColo was shut down in late 2008. At that time, about 90 percent of email was junk.

Cutwail may have begun as a popular vehicle for sending male enhancement and OEM software spam, but in recent years it has morphed into a major spam cannon for malicious software. These days it seems more often involved in sending emails that try to trick recipients into opening malware-laden attachments, most often variants of the ZeuS and SpyEye trojans.

Information obtained by KrebsOnSecurity.com shows that as early as 2009, Google’s botnet was hired by a Ukrainian cyber fraud gang known as the JabberZeuS crew to help spread malicious emails that the gang used to conduct a number of lucrative cyber heists.

More recently, Cutwail has been seen sending out malicious spam campaigns with a variety of themes such as airline ticket orders, wayward Automated Clearing House (ACH) payments, Facebook notifications, and scanned documents. On Dec. 19, Microsoft warned about a Cutwail campaign that was blasting out ransomware attacks that used information about the recipient’s geographic location to tailor the email lure, which spoofed various national law enforcement organizations and warned victims that they were being investigated for possessing child pornography.

Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.

At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.

But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.

One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.

Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.

“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in a instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”

Separately, Craig Heffner, a researcher with Columbia, Md. based security consultancy Tactical Network Solutions, has released an open-source tool called “Reaver” to attack the same vulnerability. Heffner notes that once an attacker has successfully guessed the WPS PIN, he can instantly recover the router’s encryption passphrase, even if the owner changes the passphrase. In addition, he warns, “access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.”

Source: Stefan Viehböck

The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.

First the good news: Blocking this attack may be as simple as disabling the WPS feature on your router. The bad news is that it may not be possible in all cases to do this.

In an advisory released on Dec. 27, the U.S. Computer Emergency Readiness Team (US-CERT) warned that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.” The advisory notes that products made by a number of vendors are impacted, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXel.

Viehböck said none of the router makers appear to have issued firmware updates to address the vulnerability. The US-CERT advisory makes no mention of updates from hardware vendors. The advisory also says little about which models may be affected, but if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in.

I’m taking a short break from some year-end downtime to observe that KrebsOnSecurity.com turns two years old today!

This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site.

My research and reporting involved more than a dozen public speaking events around the globe in 2011. The highlights of my work-related travel included trips to Austria, Canada, Poland, Russia, and The Netherlands. 2012 promises more interesting destinations.

When I founded Krebs On Security LLC in late 2009, I had no idea if it would work out. This past year, I’ve respectfully turned down some very flattering offers to work at important publications. The money and (apparent) stability those opportunities held out were certainly enticing, but I’m having way too much fun on my own, and today I can scarcely imagine doing anything else.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you.

In case you missed them, here are some of the most-read investigative stories on KrebsOnsecurity.com from 2011:

Russian Cops Crash Pill Pusher Party

SpamIt, Glavmed Pharmacy Networks Exposed

Is Your Computer Listed “For Rent”?

Rent-a-Bot Networks Tied to TDSS Botnet

Who’s Behind the TDSS Botnet?

Gang Used 3D Printers for ATM Skimmers

Digital Hit Men for Hire

Beware of Juice-Jacking

Coordinated ATM Heists Net Thieves $13 Million

Rustock Botnet Suspect Sought Job at Google

Apple Took 3+ Years to Fix FinFisher Trojan Hole

Advanced Persistent Tweets: Zero-Day in 140 Characters

Pro-Grade (3D-Printer Made?) ATM Skimmer

How Much is Your Identity Worth?

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.

The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil.  The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.

A woman who answered the phone this morning at Amnesty International’s research and policy branch in the U.K. declined to give her name, but said she would pass on the information about the break-in. The site remains compromised.

This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack.  In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability. 

The UK site is not particularly popular – its global rank is 90,203 according to Alexa.com – but the chances are good that the attackers behind this are not after financial data. It appears more likely that the exploit maybe part of an ongoing campaign by Chinese hacking groups to extract information from dissident and human rights organizations.

The attack against the Amnesty International’s Hong Kong site last year loaded malware that belongs to a notorious family of backdoor Trojans from China. According to a ThreatExpert analysis of the malicious Java file currently being served by Amnesty’s UK site, the malware downloaded appears to be associated with China.

Paul Royal, a research consultant with Barracuda Networks, said the attack fits the profile of previous campaigns against human rights non-governmental organizations.

“Certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists,” Royal wrote in an email to KrebsOnSecurity, noting that the site appears to have been compromised since at least Dec. 16.  “Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.”

These attacks highlight the importance of staying up to date on security patches. In the case of Java, removing oft-targeted software that you don’t really need may be a safer option. Either way, tools like Secunia’s Personal Software Inspector or FileHippo’s Update Checker can help you stay on top of the latest security updates for popular software titles.

Update, 12:59 p.m. ET: Barracuda Labs just published a blog post about this.

Update, Dec. 24, 9:40 a.m. ET: Emerson Povey, digital communications editor for Amnesty International UK, wrote in to say that the exploit has been removed from the site.

A new service on the cyber criminal underground can be hired to tie up the phone lines of any targeted mobile or land line around the world. The service is marketed as a diversionary tactic to assist e-thieves in robbing commercial customers of banks that routinely call customers to verify large financial transfers.

For just $5 an hour, or $40 per day, you can keep anyone’s phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.

The seller offers discounts for frequent buyers of his service, and promises that each call to the targeted number will appear to come from a unique phone number, thereby foiling any efforts to block the bogus calls by caller ID. The vendor also is offering this service under escrow payment, which many fraud forums use to ensure both parties to a transaction are happy before payment is rendered.

The FBI first warned about these attacks in June 2010, advising that that receiving rapid-fire “dead air” calls could be a sign that your bank account is being emptied. From that advisory:

“Denial-of-service attacks, by themselves, are nothing new—computer hackers use them to take down websites by flooding them with large amounts of traffic.”

“In a recent twist, criminals have transferred this activity to telephones, using automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens.”

“Why are they doing it? Turns out the calls are simply a diversionary tactic: while the lines are tied up, the criminals—masquerading as the victims themselves—are raiding the victims’ bank accounts and online trading or other money management accounts.”

The easy availability of this criminal offering highlights once again how nearly every aspect of the cyber underground has been converted into a service for hire. Take cyber heists, for instance: Everything about them can now be outsourced to third party services.

You can rent a botnet to send your Trojan-laced emails and steal online banking credentials from thousands who click the booby-trapped attachments. You can purchase Web injects that allow you to change the behavior of targeted bank Web sites as they are displayed in the victim’s browser. If you want help hauling the loot, you can rent access to money mules that are hired by mule recruitment gangs. And if you need a diversion to distract or otherwise occupy your victims while you rob them, you can rent this service.

Authorities in Manhattan today unsealed indictments against 55 people suspected of operating an identity theft and financial fraud ring, including a number of insiders at banks and companies throughout New York who allegedly helped to steal more than $2 million from hundreds of customers and clients.

Prosecutors say the 18-month-long investigation is notable because it underscores the ways in which traditional street crooks are moving their activity online: New York authorities maintain that more than a dozen of the defendants have violent criminal records and belong to different street gangs in Brooklyn.

At the center of the alleged conspiracy are employees at New York institutions that had access to large amounts of sensitive consumer and business data. Among those being arraigned today in a New York state court are JP Morgan Chase employees Karen Chance, Mercy Adebandjo and Joanna Gierczack; Tracey Nelson, an employee of the United Jewish Appeal-Federation; Roberto “Robbie” Millar, a car salesman for Open Road-Audi in Brooklyn; and Nicola Bennett, a compliance officer employed by AKAM Associates Inc., a residential property management company.

“These insiders used their positions to gain access to client data, and then sold that data to make money for themselves and their accomplices,” District Attorney Vance said in a written statement. “We will continue to work with our partners to build significant cases to disrupt identity theft and dismantle these criminal organizations.”

The indictments allege that middlemen named in the conspiracy purchased personal information on customers and donors from Nelson and Millar, and then either re-sold the data or used it themselves to commit fraudulent financial transactions.

Prosecutors also charge that the Chase employees abused their access to steal personal data on account holders, and sold the information to counterfeit check makers and to individuals who specialized in setting up and executing fraudulent bank transfers.

Some of the defendants are alleged to have recruited other indicted members for the purpose of using their bank accounts to conduct fraudulent transactions. Prosecutors say the recruiters played a dual role: trafficking in stolen personal information bought from others, and recruiting people to provide bank accounts through which they could commit fraud.

These so-called “collusive account holders” — effectively complicit money mules — make up the bulk of the individuals named in the indictments. New York authorities charge that when defendants wanted to withdraw money quickly from collusive accounts, they purchased US Postal Service money orders with the debit cards linked to the accounts.

The indictments state that some the defendants arraigned today used automated systems set up by Citibank and TD Bank to change the personal information on ID theft victims’ bank records, including the victims’ contact address, phone numbers and email addresses.

For example, prosecutor alleged that one of the defendants,  Josiah “Pespi” Boatwains, would request that stolen credit cards be mailed to an address where a co-conspirator Richard Ramos, an employee at United Parcel Service (UPS) would intercept the cards on Boatwain’s behalf in exchange for money.

Boatwains and two other defendants allegedly then used those stolen cards to purchase luxury items that other defendants sold to co-conspirators named in the indictments. Other defendants allegedly used hijacked credit card account numbers to make online purchases buying airline tickets, movie ticket, credit reports, pizza and iTunes products.

A statement of facts filed with the New York State Supreme Court notes that there is a large amount of violent activity that surrounds the defendants in this case. The statement reads:

“During the course of our investigation 2 targets of the investigation were murdered. One of the deceased was brutally murdered. When his body was found by the police, they recovered personal identifying information of victims linked to our case. Specifically, on his person, a copy of a check was found that was from one of our identity theft victims that had donated to the United Jewish Appeal.”

“In addition, we are informed by the police department that many of these defendants are members of the Brooklyn Gang called “The Outlaws,” and others are Bloods and Crypts [sic]. Many of our defendants have violent criminal convictions.”

New York authorities say they expect the dollar losses to increase as the investigation continues.

A decorated Ukrainian general was arrested last week in Romania along with two other men suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms.

Gen. Valeriu Gaichuck, far right.

Apprehended in Iasi, Romania last week were Matei Vitalie, 37, of Moldova; Konstantin Ossipov, a 42-year-old Israeli citizen; and 54-year-old Valeriu Gaichuk, a Ukrainian general who, according to his Facebook page, once studied at Florida International University in Miami.

Romanian prosecutors allege that the men created fake companies and business contracts to help to launder funds that were stolen from at least two firms, including $952,800 from the Society of Corporate Compliance and Ethics, an organization based in Minneapolis. Roy Snell, the society’s chief executive, declined to comment for this story.

Romanian authorities, working with the FBI and Italian special forces, were tipped off by banks in Italy, which denied a request allegedly by the accused to transfer $400,000 from a victim company there to a fictitious firm. According to documents released by prosecutors, the men were caught red handed on Dec. 9 trying to withdrawn nearly $1 million stolen from the American company.

A U.S. law enforcement investigator familiar with the case who spoke on condition of anonymity said keystroke logging Trojans were used to steal the online banking credentials of the victim organizations, and that the case is connected to at least one other cyber fraud investigation that is still pending. 

The judge overseeing the case approved the prosecutor’s request to have the men detained for at least 29 days pending further investigation, saying that authorities have information that the defendants belong to much larger organized criminal group.