May 2010 - Posts

Some quick notes re Jain and the charges of money laundering

The indictment filed against Sam Jain gives an indication of the sort of money Jain was making from his fake Symantec software.

The indictment lists the following international money transfers:

  • approximately US$150,000 transferred on 15 March 2005 from a New York account into a Swiss account
  • approximately US$561,000 transferred on 11 May 2005 from a New York account into a Swiss account
  • approximately US$3,000,000 transferred on 23 May 2005 from a New York account into a Swiss account
  • approximately US$50,000 transferred on 5 December 2005 from a New York account to a Swiss account

Total = US$3,761,000

Internal (within the USA) transfers included:

  • US$5,658,761.15 transferred from an investment account to a New York account; and
  • US$1,000,000 transferred from the New York account to another account.
Posted by sandi with no comments

U.S. v Bjorn Daniel Sundin, Shaileshkumar P Jain (aka Sam Jain) and James Reno

I am pleased to report that on 26 May 2010, in the United States District Court (Northern District of Illinois, Eastern Division) documents were filed by the Special March 2010 Grand Jury which charged Bjorn Daniel Sundin, Shaileshkumar P Jain (aka Sam Jain) and James Reno with one count of computer fraud and conspiracy to commit computer fraud.

In addition, Sundin and Jain have been charged with 24 counts of wire fraud.  Reno was charged with 12 counts of wire fraud.

According to Dan Goodin at The Register, each count of wire fraud carries a maximum sentence of 20 years in prison and a $250,000 fine, and the prosecutors are also seeking the forfeiture of $100 million held in a bank account in the Ukraine.

Also if, because of any act or omission by the defendants, the monies:

  • cannot be located upon the exercise of due diligence
  • has been transferred or sold to, or deposited with, a third party
  • has been placed beyond the jurisdiction of the court
  • has been substantially diminished in value or has been commingled with other property which cannot be divided without difficulty,

it is asked that the US be entitled to forfeiture of substitute property.

According to documents filed in the case so far (Case 1:10-cr-00452-1), the Government will seek to have the defendants detained without bond pursuant to Title 18, United States Code, section 3142 (with a preliminary bail of $10,000 secured as to James Reno).

And that is not the last of Jain’s worries – Robert McMillan reports that the Department of Justice also filed international money laundering charges against Jain in the Federal Court in New York (Case 1:10-cr-00442-NRB-1).

Finally, here is an email that Reno sent to Bob McMillan back in September 2009.  While you are reading his email, and especially his claims that he didn’t know about a lot of what Innovative were up to, don’t forget that Reno was also dragged into the Symantec lawsuit.  Back then, Jain was found to have committed trademark infringement, copyright infringement, false designation of origin, and unfair competition, and Reno, his company Bytehosting and Symantec reached a “confidential settlement”.

Also, let’s not forget the “thousands of pages” of chat transcript as supplied by James Reno to the FTC which included the following gems:

James: http: // 63.210.246.34/users/jreno/ksx12f2f-MalwareWarrior.png
James: :)
James: Right click -> exit on taskbar
James: brings up the window that wont disappear ;)
James: and i love the FALSE alerts, its lovely
James: thats on a VMWAre workstation running inside our LAN, behind a firewall, with nothing but other unix boxes ;) .. garunteed {sic} no worms spreading to that box.
James: interesting software ;)

And elsewhere:

James: the only entries in my passport
James: "ukraine"
James: :) about once a year
James: heh
James: maybe i need to go to some other nations, just to get their stamps
James: lol

Conversation attributed to the fugitive Sam Jain:

Sam: well thats why we have the slush fund
Sam: of extra $ from globaldat
Sam: just figure ot how much :)
Sam: no worries

And later, the two of them being sneaky:

Sam: ya, i just put b.s. names
Sam: and address on the customs form
Sam: no 1 looks
James: im not worried about entry to ukraine
James: just re-entry to the us
James: dont feel like being hassled by customs again
James: stupid govt :(
James: us is so screwed anymore
James: if you miss me, its good actully :)
James: cuz then they cant say, i came to "meet with you"
James: even if they found out you were there
James: heh
James: but id love to meet sometime, just sucks
Sam: ya, if u get stopped coming back and after basic questions
Sam: u'd have to sayi {sic} want my lawyer
Sam: heh
James: i dont know if your using 'your' passport or not {Sandi comment: if not ‘his’ passport, then whose? Note Reno’s emphasis on ‘your’}
James: but afaik, interpool {sic} is watching yours
James: but if they seen you leave
Sam: yep i use mine
Sam: freely heh
Sam: screw them
James: im just saying
James you 100% are not there :)
Sam: its cuz of that swiss *** {Sandi comment: now that's interesting...}
James: so how was i meeting you :)
Sam: ya, so i guess from that standpoint
Sam: works out well

Posted by sandi with 1 comment(s)

ALERT: Please treat “Tuned ads” (tunedads.com), "Barkley & Davis Advertising" (barkleydavis.com), “AweMedia” (awemedia.net) and “Moksly Digital Advertising” (moksly.com) with extreme caution

Domains in this report:

tunedads.com - 95.143.193.252
rogloard.com - 95.143.193.246
roxantb.com - 188.72.192.52
moksly.com - 95.143.193.254
barkleydavis.com - 95.143.193.251
awemedia.net - 95.143.193.253
togueno.com - 95.143.193.244
smtpst.com - 95.143.193.228
nmtsm.com - 95.143.193.228

The important points to take away from this article about malvertizing and the miscreants behind it are:

  1. They plagiarize content from legitimate websites
  2. Their credit references are worthless, invariably being nothing more than the same people using a different pseudonym
  3. Do not trust the names or phone numbers supplied for things like "account managers" at legitimate banks
  4. It is extremely important to conduct research into the domains used by advertisers who approach you AND into the domains of any credit references supplied
  5. They have become very professional over time; their grasp of the English language is vastly improved, and they have a detailed understanding of how the online advertising world works, and the terminology used
  6. Don't trust voicemail.

I have written previously about spoofing of legitimate domains in this article.  In short, if you receive tags whose hostnames are composed in such a way (gooddomain.com.unusualdomain.com, where the trusted name is nothing more than a subdomain label of an unrelated domain), you should treat whoever gave them to you with extreme caution.

“Tuned ads” (tunedads.com) have been caught supplying such advertising tags.  The tags they have supplied include "view.atdmt.com.rogloard.com/..." and another tag ending in "roxantb.com".  The campaign being sold was a Best Western advertisement.
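The check described above can be automated on the publisher's side: strip the tag down to the domain the browser will actually contact, and flag any tag in which a trusted ad-serving domain appears only as a prefix of something else. This is an added example and not code from the original post; TRUSTED_AD_DOMAINS is a constructed sample list (atdmt.com and mediaplex.com are the names this page mentions), and registrable_domain() is a small stand-in for a Public Suffix List lookup that assumes single-label TLDs.

```python
"""Flag ad-tag hostnames that put a trusted ad-serving domain in front of an
unrelated registrable domain (view.atdmt.com.rogloard.com), the spoofing
pattern described in the post.

Added example, not code from the original post.  TRUSTED_AD_DOMAINS is a
constructed sample list (atdmt.com and mediaplex.com are named in the post),
and registrable_domain() is a small stand-in for a Public Suffix List lookup
that assumes single-label TLDs.
"""
from urllib.parse import urlsplit

# Registrable domains of ad servers a publisher expects to see in its tags.
TRUSTED_AD_DOMAINS = {"atdmt.com", "mediaplex.com", "zedo.com"}


def hostname_of(tag):
    """Accept 'host/path?query' as tags are usually pasted, or a full URL."""
    if "://" not in tag:
        tag = "http://" + tag
    return (urlsplit(tag).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels: what the browser actually connects to, whatever the prefix says."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_tag(tag, trusted=TRUSTED_AD_DOMAINS):
    """Return ('trusted'|'spoofed'|'unknown', registrable_domain).

    'spoofed' means a trusted domain appears as a run of labels inside the
    hostname while the registrable domain is something else entirely.
    """
    host = hostname_of(tag)
    actual = registrable_domain(host)
    if actual in trusted:
        return "trusted", actual
    labels = host.lower().split(".")
    # Try every run of two or more labels that is not the real suffix; for
    # view.atdmt.com.rogloard.com this tries view.atdmt, view.atdmt.com,
    # view.atdmt.com.rogloard, then atdmt.com, which matches.
    for i in range(len(labels) - 1):
        for j in range(i + 2, len(labels)):
            if ".".join(labels[i:j]) in trusted:
                return "spoofed", actual
    return "unknown", actual


if __name__ == "__main__":
    for tag in ("view.atdmt.com.rogloard.com/cr/j/cd/?rt=1&sid=2",
                "view.atdmt.com/b/123",
                "a123.g.togueno.com/cr/i/cd/?rt=1",
                "adfarm.mediaplex.com.rulash.com/banners/load.php?id=215411729"):
        print(classify_tag(tag), tag)
```

An "unknown" result is not a clean bill of health; it only means the tag is not pretending to be one of the listed networks, and the domain still needs the WHOIS and hosting checks the rest of this post walks through.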

This is a screenshot of the malvertizement supplied by Tuned ads.  It is identical to a legitimate Best Western advertisement, except for the cursor overlaid close to the “Check Rates Now” button.

image

tunedads.com
ICANN Registrar: BIZCN.COM, INC.
Created 17 April 2010

IP: 95.143.193.252 - Gavleborgs Lan - Hudiksvall - Abuse-mailbox: Abuse@serverconnect.se

Registrant: Elizabeth Anderson, domains@tunedads.com

Interestingly, the content at tunedads.com/advertisers.html is a copy of text taken from gorillanation.com/advertisers (note that whoever edited tunedads.com/advertisers.html screwed up their edits – cite “Whether we place your ads on a site-specific, vertical or mass market basis, the big Tuned Ads delivers and exceeds the reach numbers you expect”).

image

rogloard.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.246

Registrant: Andy Barton, dns@rogloard.com

*****

roxantb.com
ICANN Registrar: BIZCN.COM, INC
Created 14 April 2010

IP: 188.72.192.52 - Hessen, Frankfurt, Netdirekt E.K

Registrant: Andi Cooperman, info@registar.com

roxantb.com has been identified as malicious - see this URL:
http://www.malwaredomainlist.com/forums/index.php?topic=4077.msg17092#msg17092

Found the advertising server that is redirecting to the intermediary and eventually the exploit sites:
adnet.media.roxantb.com
That domain was registered last month and serves up packed/obfuscated BLOCKED SCRIPT
Code:
<snipped>
Deobfuscated:
Code:
<snipped> 2x bad URLs, reference to curves.com and driveby kit.

*****

Moksly Digital Advertising (moksly.com) have been caught supplying tunedads.com as a credit reference.  Also, the tags they supplied started with "a123.g.togueno.com/...". 

togueno.com resides in a bad part of the Internet.  Its IP is 95.143.193.244 (note how close that IP is to tunedads.com's IP).  When asked about togueno.com, Fergie of TrendMicro responded that:

"there appears to be Russkrainians hosting crimeware in that /20".

The referees supplied by Moksly Digital Advertising were “Tuned ads” (tunedads.com), “Barkley and Davis” (barkleydavis.com) and “Awemedia” (awemedia.net).

Moksly claim to be selling a campaign for StoryofMyLife.com, and Moksly’s correspondence was extremely professional.  The correspondent has an excellent grasp of the English language, and a strong understanding of online advertising.  They also claimed to have a policy of not prepaying companies with whom they had not worked before.

Staff at the web site approached by “Moksly Digital Advertising” made the following important observations:

  1. On average the response time for Trade References is 24-48 hours. All three of Moksly's trade references returned completed reference forms within 3 hours.
  2. Moksly claimed to have an account manager at Brookline Bank by the name of "Randy Pollak".  But, when Brookline Bank's customer service were contacted directly, the customer service representative advised that Brookline Bank do not have anyone by that name working for them.

“Tuned ads” and “Moksly Digital Advertising” not only share an IP range (95.143.193.252 and 95.143.193.254 respectively) but their tags show marked similarities.  I have obscured most of the tags below, but will point out that all of the tags, starting from “?rt=”, were identical except for the “&sid=” value.

Tuned ads: view.atdmt.com.rogloard.com/cr/j/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
Moksly:    a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
Moksly:    a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
Moksly:    a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
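The comparison above was done by eye; the same thing can be done mechanically over every tag a sales team receives, by reducing each tag to the ordered list of its query-parameter names and grouping the serving domains by that shape. Two "unrelated" vendors whose tags share an unusual parameter layout stand out at once. This is an added example, not code from the original post; the hostnames and paths are the ones quoted above, while the parameter values are constructed placeholders for the values the post obscured with "**".

```python
"""Compare ad tags from nominally unrelated vendors by their structure, the
check the post performs by hand on the Tuned ads and Moksly tags: same
ordered query parameters and fixed values, differing only in sid.

Added example, not code from the original post.  The hostnames and paths
are the ones quoted in the post; the parameter values are constructed
placeholders standing in for the values the post obscured with '**'.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


def split_tag(tag):
    """Return (hostname, path, ordered [(name, value), ...]) for a tag with or without a scheme."""
    if "://" not in tag:
        tag = "http://" + tag
    parts = urlsplit(tag)
    return parts.hostname or "", parts.path, parse_qsl(parts.query, keep_blank_values=True)


def registrable_domain(host):
    """Last two labels of the hostname; a stand-in for a Public Suffix List lookup."""
    return ".".join(host.lower().split(".")[-2:])


def query_shape(tag):
    """The ordered parameter names, which survive when only the values change."""
    return tuple(name for name, _ in split_tag(tag)[2])


def differing_params(tag_a, tag_b):
    """Names of parameters whose values differ between two tags of the same shape.

    Returns None when the shapes differ, so a caller cannot mistake
    'incomparable' for 'identical'.
    """
    qa, qb = split_tag(tag_a)[2], split_tag(tag_b)[2]
    if [n for n, _ in qa] != [n for n, _ in qb]:
        return None
    return [na for (na, va), (_, vb) in zip(qa, qb) if va != vb]


def cluster_by_shape(tags):
    """Group the registrable domains serving tags by query shape, so domains that
    share an otherwise unusual parameter layout surface together."""
    clusters = defaultdict(set)
    for tag in tags:
        host = split_tag(tag)[0]
        clusters[query_shape(tag)].add(registrable_domain(host))
    return dict(clusters)


# Constructed sample tags (parameter values are placeholders).
TUNED_ADS_TAG = "view.atdmt.com.rogloard.com/cr/j/cd/?rt=3&sid=1001&m=42&ts=1274000000&d=x&ctc=7&tm=sc"
MOKSLY_TAGS = [
    "a123.g.togueno.com/cr/i/cd/?rt=3&sid=2001&m=42&ts=1274000000&d=x&ctc=7&tm=sc",
    "a123.g.togueno.com/cr/i/cd/?rt=3&sid=2002&m=42&ts=1274000000&d=x&ctc=7&tm=sc",
]
# A tag with a different layout, to show it lands in its own cluster (constructed).
UNRELATED_TAG = "ad.example-network.test/serve?zone=12&cb=998877"

if __name__ == "__main__":
    print(differing_params(TUNED_ADS_TAG, MOKSLY_TAGS[0]))  # ['sid']
    for shape, domains in cluster_by_shape([TUNED_ADS_TAG, *MOKSLY_TAGS, UNRELATED_TAG]).items():
        print(shape, sorted(domains))
```

The path segment (/cr/j/cd/ against /cr/i/cd/) is deliberately left out of the shape so that a single-letter variation does not split what is otherwise the same tag generator; when a cluster contains more than one registrable domain, that is the cue to compare the domains' registration records as the post does.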

*****

moksly.com - interestingly, if you call the number in the WHOIS, you do get through to a voicemail for "Mary", but no company name is mentioned in the recorded message.

ICANN Registrar: BIZCN.COM
Created 14 April 2010

IP: 95.143.193.254

Registrant: Mary Valentine (admin@moksly.com)

*****

barkleydavis.com
ICANN Registrar: BIZCN.COM
Created 12 May 2010

IP: 95.143.193.251

Registrant: Max Glasper (admin@barkleydavis.com)

*****

awemedia.net
ICANN Registrar: BIZCN.COM
Created 17 April 2010

IP: 95.143.193.253

Registrant: Mary Johnson Anderson (it@awemedia.net)

*****

togueno.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.244

Registrant: Bob Merlot (domain@togueno.com)

*****

I think it is worthwhile looking at more domains in the 95.143.193.* range to see what other potential problems we can identify:

ad.mediabank.smtpst.com - IP 95.143.193.228

smtpst.com
ICANN Registrar: BIZCN.COM
Created 30 January 2010

Shares IP with nmtsm.com

Registrant: Simon Simon, simon@gmail.com

*****

nmtsm.com
ICANN Registrar: BIZCN.COM
Created 30 January 2010

Registrant: "ColoradoOralSurgeons", Alice Johnson Alice Johnson, aezeihia3@gmail.com

*****

Posted by sandi with 2 comment(s)

ALERT: zedoadservices.com is NOT associated with Zedo

Some basic due diligence reveals that zedoadservices.com should be treated with extreme caution.  Check out the domain’s registration details.  Once again we have a newly registered domain, a Registrant hidden behind Moniker Privacy Services, and a host that you would not expect to be hosting zedo domains.

****

zedoadservices.com
ICANN Registrar: Moniker Online Services, Inc
Created 17 March 2010

IP: 209.132.192.182 - California, Woodland Hills, Colo.com

Sharing IP with approximately 36,359 other domains.

Registrant hidden behind Moniker Privacy Services

****

Zedo have confirmed that zedoadservices.com does not belong to them.

If you visit zedoadservices.com you are immediately redirected to zedo.com.  That is because the web page at zedoadservices.com contains the following code:

image

If you visit the web site using FF with NoScript (or any other web browser if you have javascript disabled), you see this:

image

Posted by sandi with no comments

ALERT: Please treat content from vastons.com with extreme caution

A contact has alerted me that he was approached by the “VP sales Vastons Marketing”.  This “VP” was using the domain “vastons.com”.

The VP for Vastons Marketing claims that JetBlue are their client.  My contact described the deal on offer as “too good”, being $45,000 for a 500K-1million impressions budget with the campaign to run for a period of 2-4 weeks and a 1/24 frequency capping. Of course, Vastons Marketing wanted the campaign to run in the same month.

So, who are “Vastons Marketing”?  The domain being used, vastons.com, was registered just last month via the ever problematic BIZCN and is currently hosted at the also problematic Netdirekt.

vastons.com
ICANN Registrar: BIZCN.COM
Created 7 April 2010

IP: 188.72.192.13 - Netdirekt E.k

The domain was originally created back in 2005, but was left parked at parked-domains.net until last month.  The Registrant details have not changed during this time.

Registrant: Steven Davies (it@vastons.com)

The IP address of the person who approached my contact was 188.72.192.208 (another Netdirekt IP).

When we look at their web site, we see that they list their address as:

2000 Auburn Drive
One Chagrin Highlands
Suite 200
Beachwood, Ohio 44122
United States

That address is a virtual office run by Regus in Beachwood, Ohio:

http://www.regus.com/locations/US/OH/Beachwood/OhioBeachwadChagrinHighlands.htm?product=meetingrooms

So, to summarize: we have a newly activated domain, a web site located in Europe, a domain registered using a very problematic registrar, and hosting by Netdirekt.  Not only that, the computer used to approach my contact was also in Europe, yet the contact phone number supplied was an Ohio number, as is the listed business address of Vastons Marketing.
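The red flags listed in that summary, and in the zedoadservices.com and Tuned ads posts above, are the same handful every time: domain age, registrar, hosting range, a shielded registrant, and a hosting location that does not match the address being claimed. They lend themselves to a checklist that can be run over a WHOIS record before anyone picks up the phone. This is an added example and not code from the original post; the watchlists contain only values quoted on this page, the first two records use the registration data given above, the country fields are constructed summaries of what the post says rather than WHOIS fields, and legit-agency.example is a constructed control record.

```python
"""Score an advertiser's domain against the red flags this post returns to
repeatedly: newly created, registered through or hosted at a provider the
author has had problems with, a privacy-shielded registrant, and a hosting
location that does not match the claimed business address.

Added example, not code from the original post.  The watchlists hold only
values quoted in the post; the sample records use the post's registration
data, and 'claimed_country' / 'host_country' are constructed summaries of
what the post says rather than WHOIS fields.  legit-agency.example is a
constructed benign control record.
"""
import ipaddress
from datetime import date

# Registrar the post repeatedly finds behind malvertising domains (post's value).
REGISTRAR_WATCHLIST = {"BIZCN.COM"}
# Address ranges in which the post locates malvertising infrastructure (the /24s
# containing the post's IPs; the exact allocation boundaries are an assumption).
HOSTING_WATCHLIST = [ipaddress.ip_network("95.143.193.0/24"),
                     ipaddress.ip_network("188.72.192.0/24")]
NEW_DOMAIN_DAYS = 90  # threshold for "newly registered" (assumption)


def normalise_registrar(name):
    """'BIZCN.COM, INC.' and 'BIZCN.COM' should compare equal."""
    return name.split(",")[0].strip().upper()


def assess(record, as_of):
    """Return the list of red flags raised by a registration record."""
    flags = []
    age_days = (as_of - record["created"]).days
    if age_days <= NEW_DOMAIN_DAYS:
        flags.append(f"newly registered ({age_days} days old)")
    registrar = normalise_registrar(record["registrar"])
    if registrar in REGISTRAR_WATCHLIST:
        flags.append(f"registrar {registrar} is on the watchlist")
    ip = ipaddress.ip_address(record["ip"])
    if any(ip in net for net in HOSTING_WATCHLIST):
        flags.append(f"IP {ip} is in a watchlisted hosting range")
    if record.get("privacy_protected"):
        flags.append("privacy-protected registrant")
    claimed, host = record.get("claimed_country"), record.get("host_country")
    if claimed and host and claimed != host:
        flags.append(f"hosted in {host} but claims a business address in {claimed}")
    return flags


RECORDS = {
    # Registration data as given in the post; Netdirekt is placed in DE from the
    # post's "Hessen, Frankfurt, Netdirekt E.K" entry for another domain it hosts.
    "vastons.com": dict(created=date(2010, 4, 7), registrar="BIZCN.COM", ip="188.72.192.13",
                        privacy_protected=False, claimed_country="US", host_country="DE"),
    "zedoadservices.com": dict(created=date(2010, 3, 17), registrar="Moniker Online Services, Inc",
                               ip="209.132.192.182", privacy_protected=True,
                               claimed_country=None, host_country="US"),
    # Constructed control record: old domain, unremarkable registrar, TEST-NET address.
    "legit-agency.example": dict(created=date(2004, 6, 1), registrar="Example Registrar Ltd",
                                 ip="203.0.113.10", privacy_protected=False,
                                 claimed_country="US", host_country="US"),
}
AS_OF = date(2010, 5, 15)  # roughly when these posts were written

if __name__ == "__main__":
    for domain, record in RECORDS.items():
        flags = assess(record, AS_OF)
        print(f"{domain}: {len(flags)} flag(s)", *flags, sep="\n  ")
```

The output is a list of reasons rather than a single number on purpose: a privacy-protected registrant on a six-year-old domain is a different conversation from a six-week-old domain on a watchlisted range, and the person doing the due diligence should see which it is.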

In short, please treat any contact from Vastons.com with extreme caution - at the very least, get on the phone to JetBlue and ask them if they are a client of "Vastons Marketing".  Do NOT phone any contact number for a JetBlue representative that may have been given to you – grab your telephone directory, phone JetBlue’s head office, and go from there – that way you will know for sure that you are talking to the real JetBlue.  And be careful of any credit references supplied – don’t forget these tricks from the past:

http://msmvps.com/blogs/spywaresucks/archive/2009/04/23/1690197.aspx – in this example, contact details for a fake “Tribalfusion” referee were supplied.

http://msmvps.com/blogs/spywaresucks/archive/2007/12/07/1383504.aspx – in this case, a forged “letter of mandate” was supplied.

Posted by sandi with 2 comment(s)

Malvertizers stealing old, watermarked graphics

image

There are reports of a malvertizement incident using a “Curves” malvertizement.

Note the watermark on the advertisement (which was being served via a domain that is attempting to spoof mediaplex: adfarm.mediaplex.com.rulash.com/banners/load.php?id=215411729).

I am sure that watermark belongs to Kimberley of Bluetack, which means that the miscreants have simply stolen a screenshot of an old malvertizement to use in the current campaign.  How lazy is *that*?

In fact, here is the graphic that was stolen, right here:
http://www.bluetack.co.uk/Kimberly/Logs/swf120.jpg

Taken from this thread:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=60&p=87195&#

Posted by sandi with no comments