Tag Archives: Eastern Europe

Pumping Stock, Spam and the Criminal Underworld

If you ever feel the urge to trade on a spam stock tip, I offer this unsolved whodunnit as a cautionary tale.

If you’ve been getting an extra dumpster of spam in your inbox lately, it’s probably because of a little known company called Cana Petroleum. If you open the email in question (and I’ve counted nearly 300 in my spam dumps in the past three days alone) you’ll find it’s a pretty straightforward pump and dump scam, where the sender tries to raise buying interest in the stock (the pumping bit) to push up the price so he can make a killing selling his stock (the dumping bit).

It worked: according to Don Mecoy of The Daily Oklahoman:

Cana Petroleum shares, which trade on the unregulated Pink Sheets via the over-the-counter market, lost 32 percent on Friday to close at $4. On Thursday, the stock traded as high as $10 a share. Seven months ago, it traded for about a dime.

But is this just a case of some day trader making a quick killing? Or is there something more sinister afoot? The company involved has been in trouble before for promoting its stock. Don says that “Information regarding the company is difficult to find. Internet searches reveal no Web site, and telephone listings for Cana Petroleum led to disconnected or wrong numbers”:

The company changed its name, ticker symbol and business model in August. Previously called Global DataTel, the company sold personal computers, mainly in Latin America.

Securities regulators filed a complaint against Global DataTel in 2001, and obtained a judgment against a stock promoter hired by the company. He was accused of spreading groundless price projections and strong “buy” recommendations even as he sold his own shares of the company’s stock. The promoter and two Global DataTel executives were fined.

Global DataTel shut down operations in the spring of 2001, “due to the big financials problems,” according to a regulatory filing.

That’s pretty much where the trail ends. As Don points out, a lot of companies don’t like their stock being manipulated for obvious reasons. The promoter involved in the 2001 case, Stuart Bockler, seems to have kept a low profile since. The SEC complaint describes him as a “corporate public relations consultant who controlled and operated, as the sole employee, three public relations-related companies — International Market Advisors Inc., International Market Call Inc., and Imcadvisors, Inc. — and a related Internet website www.imcadvisors.com.” The website itself is under construction although it does offer an address in Columbus, Indiana and an email address under the name Don Michael. The WHOIS information is the same.

Archived copies of the site indicate it’s been pretty dormant since 2001, when its homepage touted a mailing list of “hot news” for $100 a year. (You can see the buy recommendations IMC put out on Global DataTel at this archived page: in less than five months it put out six ‘breakout buy’ reports on the company, out of a total of nine. A copy of one of the reports is here.) According to the SEC complaint, Bockler sent out 30,000 emails drawing attention to the reports. The stock rose, according to the SEC, from $7.19 a share on Jan 12, 1999 to reach a high of $18.84 in April. Within a month of Bockler’s last report the price had fallen to $2.875.

From there the trail goes cold. Or does it? In 2004 a Beverly Hills lawyer called Allen Barry Witz pleaded guilty in a Newark District Court to manipulating the same stock with the help of four other men. (Bockler was also indicted, but I can find no record of the case having gone to trial.) But more intriguing is the link to a murder case that has not been solved: one of Witz’s unindicted co-conspirators, Joe T. Logan Jnr, was, according to the Asbury Park Press, closely connected to two pump and dump stock dealers, Albert Alain Chalem and Maier Lehmann, who were murdered execution-style in October 1999, the same time the Global DataTel pump fraud ended. The two men’s stock website, StockInvestor.com, was heavily promoting the stock in the last recorded snapshot of the site before their deaths, about two weeks before they were killed. The most recent news article on the unsolved killings, by AP’s David Porter on October 30, quotes an attorney for one of the dead men as saying:

“It sounded like an extremely professional hit,” he said. “It sounded like the perpetrators were on a plane back to Eastern Europe before they even found the bodies.”

It all may be a coincidence, of course. But the killings, the indictments and the fraud in the Global DataTel case might help to remind us that the links between stock scams, spam and criminal organisations with access to ruthless killers are not the stuff of fiction.


The Phisher King is Back

I’m glad to report Australian phisher king Daniel McNamara has revived his Code Phish website, which dissects phishing attacks and associated scams. He’s just taken a close peek at one ‘mule ad’ (as I call them) or job scam (as he calls them): DHL Mail Job Scam. These are efforts by the phishers to repatriate their illicit earnings by hiring unsuspecting individuals to let the stolen funds pass through their accounts. It seems that Eastern Europe is still the main source of such scams:

What’s really interesting however is where this scam is located. It’s sitting on the same hoster as the Ukrainian National Animal Welfare Foundation Job Scam and the GlobalFinances Job Scam. This would indicate they are most likely all being run by the same gang. The hoster is probably unaware of these sites’ scam status but we have seen them used numerous times over the last year to host scam sites, which would indicate they most likely offer some sort of “get hosting working in minutes!” automatic setup for payments by credit cards, and if it’s one thing phishers have steady access to, it’s stolen credit card details.

Welcome back, Daniel.

Spanish Mules

Four Spanish ‘mules’ have apparently been arrested in Valladolid, according to an AFP report, Four face charges over phishing fraud:

Four people face charges in Spain after police uncovered an internet banking fraud believed to be conducted by computer experts in Eastern Europe.

However, the four who face charges in Valladolid, in northern Spain, were seen as merely pawns in the scam.

They had been recruited via the internet for “work at home” by “employers” protected by the anonymity of the internet and living in countries “with a weak level of international police and judicial cooperation”, Spanish police said on Wednesday.

The scam was conducted by “people from different countries, mainly Eastern Europe” who were well qualified in computer science and foreign languages, they said.

The recruits were offered jobs as intermediaries in “international money transfers” with remuneration in the form of a percentage of the transfers.

Nothing much surprising in there, but it shows the same tactics are being used.

Meet The Mule, Or Correspondence Manager

Here’s how Russians and other scammers are getting their illicit gains back home.

The BBC website reports on a scam where (probably Russian) scammers are posting job ads claiming to be charities looking for people to forward donations made by hi-tech firms. Those responding to the job ads — usually for something like a “correspondence manager” — are then used as mules to forward goods probably obtained through fraudulent credit card usage online.

The BBC says this “re-shipping” or “correspondence manager” con has been seen in the US and is included in the FBI’s ongoing Operation Cybersweep investigation that targets hi-tech crimes. In some cases, the BBC says, the bank accounts of those who fall for the job ads are used to funnel cash from auction sales of stolen goods to the criminals.

The reason for all this? Many online commerce sites are reluctant to ship to Eastern Europe and Russia because of fraud. (The same thing has been true for the past couple of years in places like Indonesia, from which many sites simply do not accept business. In these cases, fraudsters would simply cite their normal address but with a different country, hoping the outlet would not be smart enough to figure it out but the courier would be, and would forward the goods on to the right country. It usually worked.)

A Way To Filter Spam In Outlook (And Who The Hell Are Behind It?)

There’s a lot of software out there, but who is really behind it?

Reading a piping fresh press release from a company that may or may not be called FlowRuler, which has just released a product called, er, FlowRuler, I tried to find out a bit more about who was behind it. (FlowRuler, by the way, looks like an interesting tool if you use Microsoft Outlook email. It is an add-in that enables you to “filter SPAM and organize your inbox” using “graphically designed rules”. There are two versions available: a free shareware version and the full version ($22.95). More here.)

Now, back to who is behind this. I’ve noticed a growing number of press releases that appear without any details on company name, location, or whatever. Many of them turn out to be in Eastern Europe, or the former Soviet Union. That’s OK with me, but why go to such trouble to hide where you’re from?

The folk behind FlowRuler are a mystery. The website was registered in Cordoba, Argentina by an outfit called Ginkgosoft, but they don’t seem to exist as far as I can see (although I did find out that Ginkgo is a tree, the world’s oldest living species, and has been used in traditional Chinese medicine for over 4,000 years. Ginkgo soft capsules are apparently effective in improving memory, alleviating symptoms of Alzheimer’s disease, working as an anti-depressant, improving circulation, thinning the blood, supporting cardiovascular health, acting as an antioxidant, etc.)

Fascinating, but it doesn’t get me any closer to finding out who these guys are. More when I do.


Viruses And The Russian Connection

As feared, MyDoom seems to come from Russia. Or does it?

The Moscow Times quotes Kaspersky Labs as saying they used location-sensing software to trace the first e-mails infected with MyDoom back to addresses with Russian Internet providers. “It’s scary, but most serious viruses are written in Russia,” said Denis Zenkov, spokesman for Kaspersky, the country’s largest anti-virus software company.

This is not the first such case: Russians have long been virus writers. Dumaru, Mimail and Stawin may have Russian origins.

But what has changed in the last year or so, it seems, is the commercialisation of Russian virus writing. These viruses are no longer the product of idle, alienated, out-of-work minds, but of folk working for professional spammers and scammers. Another Kaspersky expert, Alexander Gostiyev, is quoted by AFP as saying the creators of MyDoom were not aiming to disrupt Internet traffic but to use infected computers to distribute unsolicited junk mail. The attack “was very well planned and prepared, perhaps for several months, and at least 1,000 computers were infected in advance,” Gostiyev said. “The virus could be of use above all to criminal groups seeking to distribute spam,” he added.

Spam, however, may be the least of it. There’s not much money to be made from spam, whereas there is from theft. Stawin, for example, records keystrokes when infected victims access their bank accounts, and sends the results to a Russian email address. British police are investigating the possibility that a wave of extortion attempts against gambling sites may come from Russia or Eastern Europe, according to Reuters. These attacks are timed around the Super Bowl: those who don’t pay up are brought down by massive traffic, called a Distributed Denial of Service attack, or DDoS. A site dedicated to online betting has recorded at least 20 sports betting sites that appeared to have been brought down over the weekend. With all the work that went into something like MyDoom, I can’t believe it’s only spam the creators are after.

Of course, this could all be a feint.

Agence France Presse quotes Kaspersky as saying “there is still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia” as a ruse. And it’s not entirely clear what Kaspersky means by ‘location-sensing software’. This could mean more or less anything, and, as some folk have pointed out, the fact that Kaspersky is based in Russia makes it likely they will receive copies of the virus from Russian email addresses, whatever its origin.

And it still leaves us with the fact that the virus was in part tooled to launch an attack on the website of SCO, a company that has riled the Open Source community by claiming copyright over parts of the Linux operating system. The virus was designed to launch an attack on their website starting February 1: the website is presently down, apparently overwhelmed by traffic.

One final thing: there seems to be some confusion between the first and second MyDoom viruses. Variations often follow when folk get inspired by the success of a virus, but that doesn’t mean the same guy, or guys, wrote both viruses. The presence of a note in English inside the second version of the virus — “sync-1.01; andy; I’m just doing my job, nothing personal, sorry” — appears to have confused some folk. The source, and purpose, of the first MyDoom remains a mystery.

News: The Explanation Behind All Those Attacks?

It seems that there’s a purpose behind the viruses we’ve all been getting: old-fashioned extortion. Reuters reports that extortionists — many thought to come from eastern Europe — have been targeting casinos and retailers, but one recent high-profile victim was the Port of Houston. The attacks, which can cripple a corporate network with a barrage of bogus data requests, are followed by a demand for money. An effective attack can knock a Web site offline for extended periods.
 
Online casinos appear to be a favorite target as they do brisk business and many are located in the Caribbean, where investigators are poorly equipped to tackle such cases. Police said that because of a lack of information from victimized companies, they are unsure whether these are isolated incidents or the start of a new crime wave.
 
Last week, the online payment service WorldPay admitted to suffering a major DDoS attack that lasted three days. WorldPay, owned by the Royal Bank of Scotland, has been fully restored. The NHTCU (the UK’s National Hi-Tech Crime Unit) spokeswoman said the investigation into the WorldPay attack is ongoing.