Spam In your Calendar? Here’s What to Do.

/0 Comments/in /by

Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Here’s a brief primer on what you can do about it.

Image: Reddit

Over the past few weeks, a good number of readers have written in to say they feared their calendar app or email account was hacked after noticing a spammy event had been added to their calendars.

The truth is, all that a spammer needs to add an unwelcome appointment to your calendar is the email address tied to your calendar account. That’s because the calendar applications from Apple, Google and Microsoft are set by default to accept calendar invites from anyone.

Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or “free” items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting “yes,” “no,” or “maybe,” as doing so may only serve to guarantee you more calendar spam.

Fortunately, the are a few simple steps you can take that should help minimize this nuisance. To stop events from being automatically added to your Google calendar:

-Open the Calendar application, and click the gear icon to get to the Calendar Settings page.
-Under “Event Settings,” change the default setting to “No, only show invitations to which I have responded.”

To prevent events from automatically being added to your Microsoft Outlook calendar, click the gear icon in the upper right corner of Outlook to open the settings menu, and then scroll down and select “View all Outlook settings.” From there:

-Click “Calendar,” then “Events from email.”
-Change the default setting for each type of reservation settings to “Only show event summaries in email.”

For Apple calendar users, log in to your iCloud.com account, and select Calendar.

-Click the gear icon in the lower left corner of the Calendar application, and select “Preferences.”
-Click the “Advanced” tab at the top of the box that appears.
-Change the default setting to “Email to [your email here].”

Making these changes will mean that any events your email provider previously added to your calendar automatically by scanning your inbox for certain types of messages from common events — such as making hotel, dining, plane or train reservations, or paying recurring bills — may no longer be added for you. Spammy calendar invitations may still show up via email; in the event they do, make sure to mark the missives as spam.

Have you experienced a spike in calendar spam of late? Or maybe you have another suggestion for blocking it? If so, sound off in the comments below.

‘Satori’ IoT Botnet Operator Pleads Guilty

/0 Comments/in /by

A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.

Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address nexuczeta1337@gmail.com. That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.

“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.

While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.

However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”

Endpoint Security | Winning the War Against Time

/0 Comments/in /by

What is the one common denominator against any adversary? What is the most precious commodity of all in the struggle between attackers and defenders? What is the one advantage the adversary has, up till now, always had over us? The answer is time itself. The reason why threats—from WannaCry and NotPetya to MegaCortex and RobinHood—succeed is not sophistication. They simply outpace our ability to stop them in their tracks. The threats move at machine-speed. Our defenses do not. The threats are hyper automated. Our defenses are not.

WannaCry was arguably one of the least sophisticated, most poorly written ransomware payloads ever. A large portion of it was corrupted, and it never even ran in many high-profile enterprises the worm component plowed through and wreaked havoc in. It was its sheer velocity that ultimately beat enterprise defenses and out-paced Incident Response teams in the trenches.

Indeed, the most important point of this post is that our defenses lack velocity. There is nothing terribly sophisticated about most threats: they are simply faster than we are! It is why we are still just as unprepared today against a pending BlueKeep worm as we were two years ago.

image winning war against time

The Lies We Tell Ourselves

So how can we get time back on our side? We can start by dumping untruths such as these:

“It’s a matter of when, not if, we will be compromised” and “An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach.”

The truth is that it is only a matter of “when not if” if we as defenders are unable to control the “when”.

The fact is most of us have spent the last 3-4 years building up an immense stack of extremely noisy solutions, the vast majority of which can only (by definition) help us after the fact. We’ve then spent another 1-2 years trying to get all of them to talk to each other in order to understand what bad thing just happened to the organization. Too little, too late.

The adversary benefits as we inundate our best (and hyper rare) talent with noise. With tracking down root cause analysis (RCA). With vetting false positives. With improving our playbooks to accommodate the incidents we’re resigned to expect. We have completely lost the plot… and there is no one to blame but ourselves. Most security vendors only build what they imagine enterprises want, and their investors all want them to have a cloud story… they all want them to have subscription-based OPEX model, they all want them to sell volumes of alerts, bandwidth, data retention, events per second, pew-pew laser maps, and ephemerally-challenged intelligence.

We are standing here doing the same thing over and over again while expecting better results. We have negative unemployment and millions of unfilled positions, yet we throw more after-the-fact noise/alerts/false positives and rabbit hole pivot/hunt/RCA activity at the few remaining burnt-out analysts we are lucky enough to retain.

The Battlefield Is The Endpoint

The key to winning against an adversary is to know where they are going to be, what they will do when they get there, and then taking an action that anticipates the enemy’s move in order to stop them in their tracks. The battlefield is the endpoint…namely, your endpoint. It is where attacks originate, and it is where persistence is gained. It is where lateral movement goes to and fro. It is where processes are injected into, where network packets originate from, where the data lives and where the end user creates. It is where the bad guys exfiltrate from, and it is nearly always what your RCA efforts end up pointing back to, after the fact.

I’ve run incident response teams, and I’ve been lucky enough to have had access to literally thousands of compromise assessment reports. I can already tell you what your RCA is going to be; I know how they are getting in. You do, too: spearphishing, creds, RDP, vulnerable web services, insider threat, and (sadly) your MSSP or third party/supply chain.

Yet, most of us are probably not running MFA on every externally-facing application. Or we are still running unneeded RDP services and hoping that plopping them inside a VPN makes any difference. Likely we still haven’t fixed our SSDLC because we don’t have the authority or ability to influence the cultural shift required to do so. And yes, our end users are still clicking on things because that’s what end users do on devices made for clicking things! They are not the problem, and training them effectively is only ever going to be a partial solution, even when we get measurable improvements on their behavior.

If we want to win, we have to control our own endpoints. Controlling an endpoint is not the same thing as having passive visibility into what happened on it, nor is it the ability to restore it from a back-up. It is controlling it at a process level, period.

If we have all the visibility in the world; crystal clear, 20/20 vision and perfect hindsight but it doesn’t inform us fast enough to take the action that actually matters before the bad thing happens, then all we have gained with that visibility is friction, noise, opportunity cost of precious (human) resources, and a perpetuation of the problem.

Turning the Tables Against the Adversary

It’s time to turn the tables and restore time to the defender’s advantage, and to do so on the defender’s soil. Earlier above I quoted a common misguided edict we tell ourselves:

“An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach.”

Let’s rearrange that statement to our advantage. Let’s be better hackers than the Darwinian criminals laughing at our after-the-fact cloud security platforms:

“An attacker needs to be right at every step to succeed, and a defender only needs to be right once to prevent a breach.”

The truth is we’ve had the advantage the whole time. We own the endpoint. It is our domain. We control what happens on it and what does not. We just haven’t implemented enough active machine-speed defenses to keep up with the threat.

We can hook the kernel before the bad actor does. We can identify legitimate processes before a bad actor ever gets a foothold. We can know what the majority of bad actors do once on the endpoint before they get there. We can leverage NLP and machine learning (ML) to understand entire worlds of potential malicious activity well before a bad actor steps foot in our domain. We can uninstall any software we deem vulnerable or a threat. We can reverse-out changes that unauthorized software or users make to the operating system.

We can outpace the bad actor. If we see PowerShell spawned from a Word document fetching a remote file, we can kill that process before it even completes running in memory. We can do all this because it is our domain; it is our endpoint.

There is no such thing as an attack that is only one step, other than maybe the Ping of Death from 20 years ago. If the MITRE ATT&CK framework illustrates one thing, it should be this: we can and need to be able to interject an active kill chain as it unfolds in real time.

Most attacks are automated, yet their automation is not sophisticated and it is not highly adaptable. It is not a human behind a keyboard ready to improvise. We can stop these attacks on our soil.

So let’s make the attacker be right 100% of the time. Let’s make them get it right at every step if they want to succeed. More importantly, let’s get really good at stopping them before they take the steps we know they must!

The Time is Now!

Time is the battle and the endpoint is the battlefield. To win at the game of time on a machine-speed field, we must automate. In order to allow for automation, we must have confidence that it will not break the enterprise or the mission. To gain confidence quickly enough, we must leverage both high-confidence static rules, and NLP and/or other forms of ML where and when and if it makes sense to do so. We must be able to quickly assemble enough events on a host to provide sufficient context to discern malicious activity and interject it immediately.

But let’s do this on the endpoint where the action is! Your Tesla doesn’t consult cloud intelligence before it decides to put on the brakes for you to avoid an impact. A Space-X rocket booster’s thruster controls don’t require a tether to the Cloud to adjust for pitch and yaw before landing on a floating platform at sea. Our intelligence must be where the battle is and allow automation to happen at machine speed. If we actually put first things first, and win back the time advantage on the endpoint, then we may finally be able to lean forward and solve our identity, credentials, IOT, insider threat, SSDLC, and supply chain problems.

Let’s roll!

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

OpenGov raises $51M to boost its cloud-based IT services for government and civic organizations

/0 Comments/in /by

OpenGov, the firm co-founded by Palantir’s Joe Lonsdale that helps government and other civic organizations organise, analyse and present financial and other data using cloud-based architecture, has raised another big round of funding to continue expanding its business. The startup has picked up an additional $51 million in a Series D round led by Weatherford Capital and 8VC (Lonsdale’s investment firm), with participation from existing investor Andreessen Horowitz.

The funding brings the total raised by the company to $140 million, with previous investors in the firm including JC2 Ventures, Emerson Collective, Founders Fund and a number of others. The company is not disclosing its valuation — although we are asking — but for some context, PitchBook noted it was around $190 million in its last disclosed round — although that was in 2017 and has likely increased in the interim, not least because of the startup’s links in high places, and its growth.

On the first of these, the company says that its board of directors includes, in addition to Lonsdale (who is now the chairman of the company); Katherine August-deWilde, Co-Founder and Vice-Chair of First Republic Bank; John Chambers, Founder and CEO of JC2 Ventures and Former Chairman and CEO of Cisco Systems; Marc Andreessen, Co-Founder and General Partner of Andreessen Horowitz; and Zac Bookman, Co-Founder and CEO of OpenGov .

And in terms of its growth, OpenGov says today it counts more than 2,000 governments as customers, with recent additions to the list including the State of West Virginia, the State of Oklahoma, the Idaho State Controller’s Office, the City of Minneapolis MN, and Suffolk County NY. For comparison, when we wrote in 2017 about the boost the company had seen since Trump’s election (which has apparently seen a push for more transparency and security of data), the company noted 1,400 government customers.

Government data is generally associated with legacy systems and cripplingly slow bureaucratic processes, and that has spelled opportunity to some startups, who are leveraging the growth of cloud services to present solutions tailored to the needs of civic organizations and the people who work in them, from city planners to finance specialists. In the case of OpenGov, it packages its services in a platform it calls the OpenGov Cloud.

“OpenGov’s mission to power more effective and accountable government is driving innovation and transformation for the public sector at high speed,” said OpenGov CEO Zac Bookman in a statement. “This new investment validates OpenGov’s position as the leader in enterprise cloud solutions for government, and it fuels our ability to build, sell, and deploy new mission-critical technology that is the safe and trusted choice for government executives.”

City Manager Dashboard Screen

It’s also, it seems, a trusted choice for government executives who have left public service and moved into investing, leveraging some of the links they still have into those who manage procurement for public services. Weatherford Capital, one of the lead investors, is led in part by managing partner Will Weatherford, who is the former Speaker of the House for the State of Florida.

“OpenGov’s innovative technology, accomplished personnel, market leadership, and mission-first approach precisely address the growing challenges inherent in public administration,” he said in a statement. “We are thrilled at the opportunity to partner with OpenGov to accelerate its growth and continue modernizing how this important sector operates.”

It will be interesting to see how and if the company uses the funding to consolidate in its particular area of enterprise technology. There are other firms like LiveStories that have also been building services to help better present civic data to the public that you could see as complementary to what OpenGov is doing. OpenGov has made acquisitions in the past, such as Ontodia to bring more open-source data and technology into its platform.

Kabbage acquires Radius Intelligence, the marketing tech firm with a database of 20M small businesses

/0 Comments/in /by

Data is the new oil, as the saying goes, and today Kabbage — a fintech startup backed by SoftBank that has built a business around lending up to $250,000 to small and medium enterprises, using AI-based algorithms to help determine the terms of the loan — is picking up an asset to expand its own data trove as it looks to expand into further SMB financial services. The company has acquired Radius Intelligence, the marketing technology firm that has built a database of information on some 20 million small and medium businesses in the U.S.

Terms of the deal are not being disclosed, but notably, it comes on the heels of a sightly tumultuous period for Radius . Last year, the company announced a merger with its big competitor Leadspace, only to quietly cancel the deal three months later. Then two months after that, it replaced its longtime CEO.

Radius — which is backed by some $120 million from investors that include Founders Fund, David Sacks, Salesforce Ventures, AME Cloud Ventures and the actor Jared Leto, among others — last had a valuation of around $200 million, according to PitchBook, but that was prior to these events. Kabbage, meanwhile, has raised hundreds of millions in equity and debt and is valued at more than $1 billion. The deal will be financed off Kabbage’s own balance sheet and will not require the company to raise more funds, I understand.

Rob Frohwein, Kabbage’s co-founder and CEO, said in an interview that the plan is to integrate Radius’ tech and IP into the Kabbage platform — the task will be overseen by Radius’ current CEO, Joel Carusone — as well as Radius’ tech team of 20 engineers, who will work for the Atlanta-based startup out of its office in San Francisco.

He also added that Radius’ current products — which include market intelligence and contact information for employees at SMBs in the U.S., along with a host of related solutions, which up to now had been gathered both via public sources and the businesses updating the information themselves; as well as the technology for merging disparate sources of data and ferreting out the “valid” pieces that are worth retaining and throwing out what is out of date — will not be sold any longer via Radius. From now on, there will be only one customer for all that data: Kabbage itself (the company had already been a user of Radius’ data to help its own marketing team connect with new and and existing customers).

“We have known the company for a long time,” said Frohwein. Other customers that Radius lists on its site include Square, American Express, LendingTree, FirstData, MetLife, Sam’s Club, Yahoo and more.

This doesn’t mean that Kabbage might not offer the SMB intelligence in a format to businesses directly via its own platform at some point, but it also means that as Kabbage expands into services that might compete with some of Radius’ now-former customers — payments and merchant acquirer services, as well as tools to help SMBs grow their own customer funnels are some that are on the cards for the coming months — it will have an edge on them because of the data on users that it will now own.

The deal underscores two bigger trends among startups that focus on enterprise customers. First, it points to  ongoing consolidation in the world of marketing tech, in part as businesses look for ways to better compete against the likes of Microsoft and Salesforce, which are also continually building out their stacks of services. And we likely will see more activity from stronger fintech companies keen to expand their platforms to provide more touchpoints and revenue streams from existing customers, as well as more services to expand the customer base overall.

“We’re thrilled to join the Kabbage team. As a company dedicated to small business analytics and data management, we’ve always had a deep respect for Kabbage’s data-driven technology and focus,” Radius CEO Carusone said in a statement. “Our companies have complementary technical architectures and domain experience for decision making. With Kabbage, we can build a more sophisticated analytics solution to identify, reach and serve small businesses.”

Kabbage itself is not looking for new funding at the moment, Frohwein said, but he added also that it is on a fast trajectory at the moment but still a ways away from an IPO, so I wouldn’t discount more raises in the future. The company is currently on track to see revenues up 40% versus last year, with customers up 60%.

“We’re always looking to grow,” he said.

Feds Allege Adconion Employees Hijacked IP Addresses for Spamming

/0 Comments/in /by

Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company’s commercial email practices.

Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark ManoogianPetr Pacas, and Mohammed Abdul Qayyum —  in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Quayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations.

THE BIGGER PICTURE

According to a memo jointly filed by the defendants, “this case spun off from a larger ongoing investigation into the commercial email practices of Company A.” Ironically, this memo appears to be the only one of several dozen documents related to the indictment that mentions Adconion by name (albeit only in a series of footnote references).

Prosecutors allege the four men bought hijacked IP address blocks from another man tied to this case who was charged separately. This individual, Daniel Dye, has a history of working with others to hijack IP addresses for use by spammers.

For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra.

Optinrealbig’s CEO was the spam king Scott Richter, who later changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, MicrosoftMySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

Dye has been charged with violations of the CAN-SPAM Act. A review of the documents in his case suggest Dye accepted a guilty plea agreement in connection with the IP address thefts and is cooperating with the government’s ongoing investigation into Adconion’s email marketing practices, although the plea agreement itself remains under seal.

Lawyers for the four defendants in this case have asserted in court filings that the government’s confidential informant is an employee of Spamhaus.org, an organization that many Internet service providers around the world rely upon to help identify and block sources of malware and spam.

Interestingly, in 2014 Spamhaus was sued by Blackstar Media LLC, a bulk email marketing company and subsidiary of Adconion. Blackstar’s owners sued Spamhaus for defamation after Spamhaus included them at the top of its list of the Top 10 world’s worst spammers. Blackstar later dropped the lawsuit and agreed to paid Spamhaus’ legal costs.

Representatives for Spamhaus declined to comment for this story. Responding to questions about the indictment of Adconion employees, Amobee’s parent company SingTel referred comments to Amobee, which issued a brief statement saying, “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

ONE OF THE LARGEST SPAMMERS IN HISTORY?

It appears the government has been investigating Adconion’s email practices since at least 2015, and possibly as early as 2013. The very first result in an online search for the words “Adconion” and “spam” returns a Microsoft Powerpoint document that was presented alongside this talk at an ARIN meeting in October 2016. ARIN stands for the American Registry for Internet Numbers, and it handles IP addresses allocations for entities in the United States, Canada and parts of the Caribbean.

As the screenshot above shows, that Powerpoint deck was originally named “Adconion – Arin,” but the file has since been renamed. That is, unless one downloads the file and looks at the metadata attached to it, which shows the original filename and that it was created in 2015 by someone at the U.S. Department of Justice.

Slide #8 in that Powerpoint document references a case example of an unnamed company (again, “Company A”), which the presenter said was “alleged to be one of the largest spammers in history,” that had hijacked “hundreds of thousands of IP addresses.”

A slide from an ARIN presentation in 2016 that referenced Adconion.

There are fewer than four billion IPv4 addresses available for use, but the vast majority of them have already been allocated. In recent years, this global shortage has turned IP addresses into a commodity wherein each IP can fetch between $15-$25 on the open market.

The dearth of available IP addresses has created boom times for those engaged in the acquisition and sale of IP address blocks. It also has emboldened scammers and spammers who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, KrebsOnSecurity broke the news that Amir Golestan — the owner of a prominent Charleston, S.C. tech company called Micfo LLC — had been indicted on criminal charges of fraudulently obtaining more than 735,000 IP addresses from ARIN and reselling the space to others.

KrebsOnSecurity has since learned that for several years prior to 2014, Adconion was one of Golestan’s biggest clients. More on that in an upcoming story.