Tag Archives: Force Majeure

Pumping Stock, Spam and the Criminal Underworld

If you ever feel the urge to trade on a spam stock tip, I offer this unsolved whodunnit as a cautionary tale.

If you’ve been getting an extra dumpster of spam in your inbox lately, it’s probably because of a little-known company called Cana Petroleum. If you open the email in question (and I’ve counted nearly 300 in my spam dumps in the past three days alone) you’ll find it’s a pretty straightforward pump and dump scam, where the sender tries to raise buying interest in the stock (the pumping bit) to push up the price so he can make a killing selling his stock (the dumping bit).

It worked: according to Don Mecoy of The Daily Oklahoman:

Cana Petroleum shares, which trade on the unregulated Pink Sheets via the over-the-counter market, lost 32 percent on Friday to close at $4. On Thursday, the stock traded as high as $10 a share. Seven months ago, it traded for about a dime.

But is this just a case of some day trader making a quick killing? Or is there something more sinister afoot? The company involved has been in trouble before for promoting its stock. Don says that “Information regarding the company is difficult to find. Internet searches reveal no Web site, and telephone listings for Cana Petroleum led to disconnected or wrong numbers”:

The company changed its name, ticker symbol and business model in August. Previously called Global DataTel, the company sold personal computers, mainly in Latin America.

Securities regulators filed a complaint against Global DataTel in 2001, and obtained a judgment against a stock promoter hired by the company. He was accused of spreading groundless price projections and strong “buy” recommendations even as he sold his own shares of the company’s stock. The promoter and two Global DataTel executives were fined.

Global DataTel shut down operations in the spring of 2001, “due to the big financials problems,” according to a regulatory filing.

That’s pretty much where the trail ends. As Don points out, a lot of companies don’t like their stock being manipulated for obvious reasons. The promoter involved in the 2001 case, Stuart Bockler, seems to have kept a low profile since. The SEC complaint describes him as a “corporate public relations consultant who controlled and operated, as the sole employee, three public relations-related companies — International Market Advisors Inc., International Market Call Inc., and Imcadvisors, Inc. — and a related Internet website www.imcadvisors.com.” The website itself is under construction although it does offer an address in Columbus, Indiana and an email address under the name Don Michael. The WHOIS information is the same.

Archived copies of the site indicate it’s been pretty dormant since 2001, when its homepage touted a mailing list of “hot news” for $100 a year. (You can see the buy recommendations IMC put out on Global Data Tel at this archived page. In less than five months it put out six ‘breakout buy’ reports on the company, out of a total of nine. A copy of one of the reports is here.) According to the SEC complaint, Bockler sent out 30,000 emails drawing attention to the reports. The stock rose, according to the SEC, from $7.19 a share on Jan 12 1999 to reach a high of $18.84 in April. Within a month of Bockler’s last report the price had fallen to $2.875.

From there the trail goes cold. Or does it? In 2004 a Beverly Hills lawyer called Allen Barry Witz pleaded guilty in a Newark District Court to manipulating the same stock with the help of four other men. (Bockler was also indicted, but I can find no record of the case having gone to trial.) But more intriguing is the link to a murder case that has not been solved: One of Witz’s unindicted co-conspirators, Joe T. Logan Jnr, was, according to the Asbury Park Press, closely connected to two pump and dump stock dealers, Albert Alain Chalem and Maier Lehmann, who were murdered execution-style in October 1999, the same time the Global Datatel pump fraud ended. The two men’s stock website, StockInvestor.com, was heavily promoting the stock in the last recorded snapshot of the site before their deaths, about two weeks before they were killed. The most recent news article on the unsolved killings, by AP’s David Porter on October 30, quotes one of the dead man’s attorneys as saying:

“It sounded like an extremely professional hit,” he said. “It sounded like the perpetrators were on a plane back to Eastern Europe before they even found the bodies.”

It all may be a coincidence, of course. But the killings, the indictments and the fraud in the Global Datatel case might help to remind us that the links between stock scams, spam and criminal organisations with access to ruthless killers are not the stuff of fiction.


The Blue Frog vs PharmaMaster

I’ve been trying to make some sense of this recent drama involving Blue Security, an anti-spam registry that effectively tries to deter uncooperative spammers by overwhelming their servers, and recent outages at TypePad and LiveJournal apparently caused by a revenge attack by spammers on Blue Security. (Here’s some more information on Blue Security and the Blue Frog.) The outages were caused when Blue Security redirected the spammers’ attacks on its website to the company’s blogs which were hosted on TypePad and LiveJournal.

So what really happened?

  • Blue Security’s web site has been under attack for most of this past week, via a distributed denial-of-service (DDoS) attack which basically tries to overwhelm a site with traffic sent from as many computers as possible (the site is now back up);
  • To try to deflect the attack, which effectively suspended its service, Blue Security changed its Internet address to its TypePad blog;
  • This overwhelmed SixApart’s servers, temporarily affecting all its blogging services, including TypePad and LiveJournal;
  • Meanwhile, spammers presumably linked to the DDoS attack sent threatening emails to, apparently, anyone on the list of the Blue Security do-not-intrude registry. Blue Security works by building a network of users who report spam. The source of the spam is then contacted and asked to remove all Blue Security members’ email addresses from its spam lists. If it fails to do so, software installed on users’ computers fills out forms on websites linked to in any subsequent spam, creating a wave of traffic to the spammer’s web site which, in theory, brings the spammer’s activities to a stop.
  • The spammer, or another spammer, then contacted Blue Security via ICQ instant message, to taunt and threaten the company, apparently in a bid to stop its activities.
  • The spammer, or another spammer, has also been sending emails containing Blue Security contact and registration information. This might have been done in the hope of getting recipients to complain to those email addresses and phone numbers to further overwhelm the company’s resources.

This account is not uncontested. According to a Blue Security press release:

  • Blue Security claims that it was not the victim of a DDoS attack, but that the spammer — identified as PharmaMaster — persuaded a staff member of a top-tier Internet Service Provider to block Blue Security’s IP address at the backbone. This would have blocked all traffic from outside Israel, where the Blue Security web site is located.
  • Blue Security then closed its web site and posted a note on its blog (hosted elsewhere.)
  • Shortly afterwards, Blue Security says, PharmaMaster launched a DDoS attack on any site associated with Blue Security, causing outages at five top hosting providers, a major DNS provider and a popular blog site.
  • Blue Security has denied reports, including one by the Associated Press, saying that its do-not-intrude lists have been compromised. Blue Security works by allowing compliant spammers to run their email lists through a program which compares them with a special encrypted list of Blue Security members. While the spammer is not able to see or access the Blue Security list, Blue Security members’ email addresses will be removed from the spammer’s list. This is done, in part, so individual Blue Security members are not then known to a spammer, and so the spammer cannot gain access to the Blue Security registry for spamming purposes. The AP report suggests the spammer has figured out a way to work out which email addresses belong to Blue Security members by merely comparing its own list before and after running it through the Blue Security removal process. Those email addresses no longer on the spammer’s list must be Blue Security members, the report says.
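
A small model of the registry scrub described in the last bullet, added here as an illustration and not Blue Security's code: it shows that keeping the registry as digests does not stop the scrub output from confirming which submitted addresses are members, while members absent from the submitted list stay hidden. The SHA-256 encoding, the function names and the sample addresses are assumptions.

```python
import hashlib

def normalize(addr: str) -> str:
    """Canonical form so 'Bob@Example.com ' and 'bob@example.com' hash alike."""
    return addr.strip().lower()

def digest(addr: str) -> str:
    # Assumption: a plain SHA-256 digest stands in for the "encrypted list";
    # the page does not say how the real registry was encoded.
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def build_registry(members):
    """What the operator hands out: digests only, no readable addresses."""
    return frozenset(digest(m) for m in members)

def scrub(mailing_list, registry):
    """The removal tool: return the submitted list with registry members dropped."""
    return [a for a in mailing_list if digest(a) not in registry]

def disclosed_members(before, after):
    """Addresses confirmed as members to whoever ran the scrub (before minus after)."""
    kept = {normalize(a) for a in after}
    return sorted({normalize(a) for a in before} - kept)

def exposure(members, before, after):
    """Fraction of the whole registry confirmed by one scrub run."""
    leaked = set(disclosed_members(before, after))
    all_members = {normalize(m) for m in members}
    return len(leaked & all_members) / len(all_members)

# Constructed sample data (example.* domains, not real addresses).
MEMBERS = ["alice@example.com", "bob@example.org",
           "carol@example.net", "dave@example.com"]
SUBMITTED = ["Alice@Example.com", "erin@example.org",
             "bob@example.org ", "frank@example.net"]

if __name__ == "__main__":
    registry = build_registry(MEMBERS)
    cleaned = scrub(SUBMITTED, registry)
    print("cleaned list:     ", cleaned)
    print("confirmed members:", disclosed_members(SUBMITTED, cleaned))
    print("registry exposure:", exposure(MEMBERS, SUBMITTED, cleaned))
```

The disclosure is limited to addresses the submitter already held, which is why the registry as a whole is not readable even though individual memberships are confirmed.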

This account is contested by some security analysts, who point out what they say are some inconsistencies in Blue Security’s account:

  • Elsewhere Blue Security’s Eran Reshef acknowledges that Blue Security didn’t just post a note on its blog, but it redirected traffic from its bluesecurity.com URL to the TypePad blog. He is quoted as saying he didn’t anticipate that the spammer would launch a DDoS attack on such a large player. “I didn’t think he was so crazy as to attack them,” said Reshef. This raises the question: Was this done before or after the DDoS began? Reshef says it was.
  • If Blue Security’s routing was changed internally, as Blue Security suggests, there should be a record. One analyst says he can find no record of anything “fishy.”

Blue Security clearly has its supporters. An article on one website has received, at the time of writing, more than 200 comments. The Blue Security blog’s single post received more than 100 before comments were closed.

Perhaps one of the most interesting aspects to all this is how clearly at least one spammer perceives Blue Security as a threat to its business. Not only is it trying to scare the company and members of its registry into abandoning their approach, but it is also adopting more open tactics: contacting the target directly via ICQ, perhaps in an effort to intimidate or negotiate, and emailing and posting comments to the above websites to try to scare members into removing their names from the registry and uninstalling the software that returns spam to the sender’s servers.

You don’t need to agree with Blue Security’s tactics to acknowledge they must be making some kind of impact for this to happen. What is perhaps a little bit scary is that Blue Security don’t seem to have been ready for this attack, and reveal some naivety and lack of understanding about how the Internet works by merely redirecting the assault to other servers. Not only would this not solve their problem, it also exposes them to legal action by the companies behind the redirected servers if it emerges that they were not informed beforehand. Still a lot of questions to be answered on this one.