syscom3
Pacific Historian
Something of interest for those that know spam is a scam.
Operation GreenDot, Following the SPAM - CA Security Advisor Research Blog
Find out what our research team is saying about the latest security threats in the CA Security Advisor blog
Operation GreenDot, Following the SPAM
Do you ever wonder what is at the other end of the SPAM email that you receive in your inbox? You often see emails advertising cheap software, hot stock tips, and various pharmaceuticals. I think that we have all gotten the v1gra and Cialis emails. One day I decided I would investigate and see just where this little message would take me. So, if you are ready for an adventure, follow me on a virtual trip that will take you all the way around the world. Don't forget your passport, you will need it.
Our journey begins outside of Washington, DC. I am sitting at my desk, going through my SPAM filtered email, when I see one that catches my eye, "Dreams can cost less repl1ca w4tches from r0lex here". Sounds interesting I thought, and I could use a new watch. Knowing the harmful effects of opening unsolicited email, I decided to open the email in a controlled virtualized environment. Below is the content of the email:
A T4g Heuer w4tch is a luxury statement on its own. Unfortunately, that luxury comes with a price... Except when you visit Prest1ge Repl1cas, the web's most comprehensive collection of brand name repl1ca w4tches. In Prest1ge Repl1cas, any T4g Heuer is available for just over $200. htxp://www.lagetyo.com
Going back to the original email I received, I decided to look at who the email was from and who it was actually sent to. According the spam filter email headers, the email was sent from "[email protected]". I did a quick search on the domain, "hisplacechurch.com". This led me to a small church in Burlington, Washington. That is Washington state, not Washington, DC. So I peruse the site and find the church staff link where I find Cheryl Neff, the Sr. Pastor's Assistant. Sure enough, her email was the same. While you might think that Cheryl Neff's computer is the origin of the email selling prestigious watches, it is actually not. Unfortunately for us, and you the reader, we will never know where the actual email came from. We can be pretty sure that Cheryl's computer had some kind of Malware on it that contained a mail engine that sent out hundreds or even thousands of emails all around the world promoting these luxurious watches. Unfortunately Cheryl is not alone in this. I received the same email message from many other unsuspecting senders, ranging from various home users to Fortune 500 companies. I have also seen the same email content blindly posted on numerous blogs. Hopefully for Cheryl and the His Place Church, they got their computer systems cleaned up.
I viewed the source code from the site to see if there were any behind-the-scenes deceptions, such as any malicious iFrames. The site looked pretty clean.
Next I decided to read the "About Us" link on their site. The owners mention that they have been the leading online retailer of quality luxury timepieces since 2003. Oddly enough, every one of the aforementioned websites was only in operation for one or two weeks. As a matter of fact, from the start of this investigation the http://www.lagetyo.com/ website was no longer up and operational. Since my work was not done and I still needed a watch, I went to another one of the websites that was still active. I picked www.aeiwkee.com. Just like the previous site, it was up for a few days, then down just long enough to change the IP address from 218.53.147.152 to 116.199.128.6. I found out that both IP addresses resolve to different companies, Hananet in Korea, and newpower-cn in China. If you enter http://218.53.147.152 in a web browser, you get the message "site not found on our server!" This is a common practice for these types of operations.
Now that I have a site that is up, I think that it's time to make a purchase. Regardless of their four-year track record of being the #1 online retailer, and Sara Berry's raving testimonial, I was still leery about using my credit card to make a purchase. In following my gut, I decided to go undercover to make the purchase. I made trip to my local CVS store and purchased a GreenDot Visa debit card. I put $100.00 dollars on the card and proceeded back to the office. For safety precautions, I decided not to use my real name and address when registering the card. So I took on an alias, Alain Tibberman. I needed to find something that cost under a $100.00 dollars. I was not able to find a watch for under that price. Knowing that I could always buy my wife a gift, I decided to look at their selection of earrings. I found a nice pair for only $52.00 (plus $29.00 for shipping and handling). First, I made sure that my trusty packet sniffer was running so I could see everything that was going on behind the scenes. I input all of my personal information - name, address, credit card number, etc. I was really curious where my credit card information was going to be sent. After the transaction was complete, I started going through the packet sniffer logs. Remember earlier when I said that I was happy to see that the web sites shopping cart was using SSL to encrypt the traffic? As you can see from the image below, there is my credit card number and CVV number in plain text. My name, address and email address were also sent in clear text. Good thing Alain Tibberman was a fictitious name.
I checked my newly created email account to see if I have received anything from the vendor. Sure enough, I have received a confirmation thanking me for my purchase and informing me that my order has been successfully processed, also providing an order number. It even provided me with an email address to contact if I need help.
Hmmm, very interesting. I went to domain from the support email, top-esupport.com, and the domain is not longer resolving. Through the Whois database, the top-esupport.com site is registered to a group called CSMJBS Enterprise, located in Las Vegas, NV. So I decided to conduct a Google search on CSMJBS Enterprise to see what I could find. The first site returned in my search was referencing Fake Sites Database, with a WARNING: "Please be aware that the fake banks, lotteries and companies on the list are used by dangerous criminals. We don't encourage anyone to engage in any form of communication with them. If you chose to communicate them for whatever reason, you will be doing so at your own risk". I decided to do a little poking around. I called the City of North Las Vegas and inquired about CSMJBS Enterprise. First of all the address that was listed in the Whois database was false. The company went into default in April of 2007. Jeremy Stamper, the head of the company resides in Seattle, Washington and has recently been accused by the Department of Financial Institutions Securities Division as running several fraudulent financial websites that has tricked numerous numbers of people into sending in money. Over $2 million dollars have been seized by Las Vegas police.
So let's get back to my earrings. I was pretty sure that the vendor was going to charge my card, so I logged into my GreenDot Online account to see what transactions had occurred. Sure enough, there was a charge for $77.00 for the earrings, with the vendor name ElegantReplica.com and a phone number. Ah, another lead. Well, conducting a search on the ElegantReplicate.com led me nowhere. I found a few dead links, but mostly sites complaining about the domain being a part of a spam operation. So then I searched on the phone number. That lead was a little more promising. Out of 5 search results returned, two of them led to websites that resembled www.aeiwkee.com where I purchased the earrings. The other three results lead to web sites that no longer resolved. No surprise there. I did find out that the number is registered to a group called TwoBucks Trading Ltd. located in Nicosia, Cyprus.
So on our virtual tour we started off in Washington state, with the poor church lady; then to Herndon Virginia, where a nosy research started investigating; then to NanChang, China, where the websites were registered. From there it was a short hop to Shenzhen, China, Seoul, Korea, where the two IP addresses were registered; back to the United State where a suspicious shell company in Las Vegas, Nevada, was registered as the registrant to the support email; back up to Seattle Washington and Jeremy Stamper's shell companies; then finally to Nicosia, Cyprus, where my money was ultimately collected. That took you across America and got you 3 different stamps in your passport.
I was still wondering if I was going to get my earrings. So I called the phone number in Cyprus, and after calling 5-6 different times I finally got a live person on the other end of the phone who was able to provide me with a tracking number. I plugged my tracking number into the shipper's website and obtained the following transaction log.
Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REPForeign International Dispatch, August 23, 2007, 4:09 pm, BEIJING., CHINA PEOPLES REP Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REPInbound International Arrival, August 25, 2007, 9:58 pm, KENNEDY AMC In route, August 26, 2007, 9:21 am, MERRIFIELD, VA 22081 Arrival at Unit, August 26, 2007, 12:52 pm, RESTON, VA 20190Notice Left, August 26, 2007, 2:19 pm, HERNDON, VA 20171
Unfortunately I never got the shipment. I called the post office and they were not able to locate the package. I guess my post office could have lost it.
Operation GreenDot, Following the SPAM - CA Security Advisor Research Blog
Find out what our research team is saying about the latest security threats in the CA Security Advisor blog
Operation GreenDot, Following the SPAM
Do you ever wonder what is at the other end of the SPAM email that you receive in your inbox? You often see emails advertising cheap software, hot stock tips, and various pharmaceuticals. I think that we have all gotten the v1gra and Cialis emails. One day I decided I would investigate and see just where this little message would take me. So, if you are ready for an adventure, follow me on a virtual trip that will take you all the way around the world. Don't forget your passport, you will need it.
Our journey begins outside of Washington, DC. I am sitting at my desk, going through my SPAM filtered email, when I see one that catches my eye, "Dreams can cost less repl1ca w4tches from r0lex here". Sounds interesting I thought, and I could use a new watch. Knowing the harmful effects of opening unsolicited email, I decided to open the email in a controlled virtualized environment. Below is the content of the email:
A T4g Heuer w4tch is a luxury statement on its own. Unfortunately, that luxury comes with a price... Except when you visit Prest1ge Repl1cas, the web's most comprehensive collection of brand name repl1ca w4tches. In Prest1ge Repl1cas, any T4g Heuer is available for just over $200. htxp://www.lagetyo.com
Going back to the original email I received, I decided to look at who the email was from and who it was actually sent to. According the spam filter email headers, the email was sent from "[email protected]". I did a quick search on the domain, "hisplacechurch.com". This led me to a small church in Burlington, Washington. That is Washington state, not Washington, DC. So I peruse the site and find the church staff link where I find Cheryl Neff, the Sr. Pastor's Assistant. Sure enough, her email was the same. While you might think that Cheryl Neff's computer is the origin of the email selling prestigious watches, it is actually not. Unfortunately for us, and you the reader, we will never know where the actual email came from. We can be pretty sure that Cheryl's computer had some kind of Malware on it that contained a mail engine that sent out hundreds or even thousands of emails all around the world promoting these luxurious watches. Unfortunately Cheryl is not alone in this. I received the same email message from many other unsuspecting senders, ranging from various home users to Fortune 500 companies. I have also seen the same email content blindly posted on numerous blogs. Hopefully for Cheryl and the His Place Church, they got their computer systems cleaned up.
I viewed the source code from the site to see if there were any behind-the-scenes deceptions, such as any malicious iFrames. The site looked pretty clean.
Next I decided to read the "About Us" link on their site. The owners mention that they have been the leading online retailer of quality luxury timepieces since 2003. Oddly enough, every one of the aforementioned websites was only in operation for one or two weeks. As a matter of fact, from the start of this investigation the http://www.lagetyo.com/ website was no longer up and operational. Since my work was not done and I still needed a watch, I went to another one of the websites that was still active. I picked www.aeiwkee.com. Just like the previous site, it was up for a few days, then down just long enough to change the IP address from 218.53.147.152 to 116.199.128.6. I found out that both IP addresses resolve to different companies, Hananet in Korea, and newpower-cn in China. If you enter http://218.53.147.152 in a web browser, you get the message "site not found on our server!" This is a common practice for these types of operations.
Now that I have a site that is up, I think that it's time to make a purchase. Regardless of their four-year track record of being the #1 online retailer, and Sara Berry's raving testimonial, I was still leery about using my credit card to make a purchase. In following my gut, I decided to go undercover to make the purchase. I made trip to my local CVS store and purchased a GreenDot Visa debit card. I put $100.00 dollars on the card and proceeded back to the office. For safety precautions, I decided not to use my real name and address when registering the card. So I took on an alias, Alain Tibberman. I needed to find something that cost under a $100.00 dollars. I was not able to find a watch for under that price. Knowing that I could always buy my wife a gift, I decided to look at their selection of earrings. I found a nice pair for only $52.00 (plus $29.00 for shipping and handling). First, I made sure that my trusty packet sniffer was running so I could see everything that was going on behind the scenes. I input all of my personal information - name, address, credit card number, etc. I was really curious where my credit card information was going to be sent. After the transaction was complete, I started going through the packet sniffer logs. Remember earlier when I said that I was happy to see that the web sites shopping cart was using SSL to encrypt the traffic? As you can see from the image below, there is my credit card number and CVV number in plain text. My name, address and email address were also sent in clear text. Good thing Alain Tibberman was a fictitious name.
I checked my newly created email account to see if I have received anything from the vendor. Sure enough, I have received a confirmation thanking me for my purchase and informing me that my order has been successfully processed, also providing an order number. It even provided me with an email address to contact if I need help.
Hmmm, very interesting. I went to domain from the support email, top-esupport.com, and the domain is not longer resolving. Through the Whois database, the top-esupport.com site is registered to a group called CSMJBS Enterprise, located in Las Vegas, NV. So I decided to conduct a Google search on CSMJBS Enterprise to see what I could find. The first site returned in my search was referencing Fake Sites Database, with a WARNING: "Please be aware that the fake banks, lotteries and companies on the list are used by dangerous criminals. We don't encourage anyone to engage in any form of communication with them. If you chose to communicate them for whatever reason, you will be doing so at your own risk". I decided to do a little poking around. I called the City of North Las Vegas and inquired about CSMJBS Enterprise. First of all the address that was listed in the Whois database was false. The company went into default in April of 2007. Jeremy Stamper, the head of the company resides in Seattle, Washington and has recently been accused by the Department of Financial Institutions Securities Division as running several fraudulent financial websites that has tricked numerous numbers of people into sending in money. Over $2 million dollars have been seized by Las Vegas police.
So let's get back to my earrings. I was pretty sure that the vendor was going to charge my card, so I logged into my GreenDot Online account to see what transactions had occurred. Sure enough, there was a charge for $77.00 for the earrings, with the vendor name ElegantReplica.com and a phone number. Ah, another lead. Well, conducting a search on the ElegantReplicate.com led me nowhere. I found a few dead links, but mostly sites complaining about the domain being a part of a spam operation. So then I searched on the phone number. That lead was a little more promising. Out of 5 search results returned, two of them led to websites that resembled www.aeiwkee.com where I purchased the earrings. The other three results lead to web sites that no longer resolved. No surprise there. I did find out that the number is registered to a group called TwoBucks Trading Ltd. located in Nicosia, Cyprus.
So on our virtual tour we started off in Washington state, with the poor church lady; then to Herndon Virginia, where a nosy research started investigating; then to NanChang, China, where the websites were registered. From there it was a short hop to Shenzhen, China, Seoul, Korea, where the two IP addresses were registered; back to the United State where a suspicious shell company in Las Vegas, Nevada, was registered as the registrant to the support email; back up to Seattle Washington and Jeremy Stamper's shell companies; then finally to Nicosia, Cyprus, where my money was ultimately collected. That took you across America and got you 3 different stamps in your passport.
I was still wondering if I was going to get my earrings. So I called the phone number in Cyprus, and after calling 5-6 different times I finally got a live person on the other end of the phone who was able to provide me with a tracking number. I plugged my tracking number into the shipper's website and obtained the following transaction log.
Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REPForeign International Dispatch, August 23, 2007, 4:09 pm, BEIJING., CHINA PEOPLES REP Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REPInbound International Arrival, August 25, 2007, 9:58 pm, KENNEDY AMC In route, August 26, 2007, 9:21 am, MERRIFIELD, VA 22081 Arrival at Unit, August 26, 2007, 12:52 pm, RESTON, VA 20190Notice Left, August 26, 2007, 2:19 pm, HERNDON, VA 20171
Unfortunately I never got the shipment. I called the post office and they were not able to locate the package. I guess my post office could have lost it.
