A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams

� September 2004 | Main | November 2004 �

October 29, 2004

Phishers caught in dragnet

An online undercover operation headed up by the US Secret Service has resulted in the arrest of 28 people around the world. At least ten of the defendants were members of a site called Shadowcrew.com and were allegedly involved in, among other crimes, credit-card and debit-card fraud.


The Secret Service has apparently disabled member log-ins, but you can still browse through the member list or check out the message forums. Lots of handy information, such as advice on how to use stolen bank log-in data, or how to trick Hotmail users into divulging their secret answer so you can take over their accounts.

The Secret Service says the defendants are part of a "highly organized international criminal enterprise." But I have a hard time believing that we're talking about a real sophisticated group of criminals here. One of the defendants, 20-year-old Paul A. Mendel Jr., aka Mintfloss, lives with his grandparents in Albany, NY, according to one report. Shadowcrew has frequently been involved in noisy, sophomoric online tussles with other groups, which often result in Joe-job attacks between the parties.

On the other hand, the Shadowcrew apparently wasn't just a bunch of kids. According to the case docket, among those busted was David Appleyard, 45, of Linwood, NJ, who went by the alias Black Ops. Appleyard apparently had his stock broker's license suspended (scroll down) in July 2004. Another defendant, Andrew P. Mantovani, aka Deck, is 47. (Here's a list of the other defendants.)

Time will tell whether these arrests reduce the phishing attacks on the Internet. Members of another "carder" forum are currently discussing the crackdown at Shadowcrew.com.

Posted by Brian at 12:10 PM

October 28, 2004

More ISP lawsuits against spammers

For maximal PR value, AOL, Yahoo, Microsoft, and Earthlink simultaneously announced new lawsuits against numerous spammers today.

One of AOL's lawsuits, which targets 20 "John Does" (unidentified spammers), is the first to target the practice of sending IM spam ("spim") to AOL Instant Messenger users. AOL's other suit goes after ten John Does who spammed AOL users with email messages about buying Vicodin and other drugs without a prescription.

Yahoo is going after Epoth LLC, aka East Coast Exotics, a New Jersey-based porn & pills spammer that has apparently tangled with anti-spammers in the past.

By this point, junk emailers in the USA know they risk getting sued every time they click the "send" button on their spamware programs. So why do they do continue to spam? From talking to spammers, I've come to the follow conclusion.

A lot of junk emailers haven't had much success in life prior to entering the business. When they take up spamming, they (literally) have nothing to lose. They see only the upside: making hundreds of thousands of dollars (or much more) for very little work.

Say one of these spammers gets hit with a civil lawsuit, and the ISP prevails. A court will probably order the spammer to pay the ISP damages, in an amount that basically empties the spammer's bank accounts of all ill-begotten profits.

In other words, the spammer is just back to where he or she started.

Posted by Brian at 9:41 AM

October 27, 2004

Davis Hawke, election saboteur?

The FBI called the other day. The agent wanted to know whether I thought Davis Hawke (one of the central figures of Spam Kings) was likely to try to disrupt the approaching presidential election. Apparently FBI field personnel have been instructed by headquarters to go through their lists of miscreants and identify any who might pose a threat to the balloting process. Hawke's name came up because of his neo-Nazi past (back when he called himself "Bo Decker").

Davis Hawke

I told the FBI agent that, as far as I could tell, Hawke no longer has the slightest interest in politics, let alone messing with election results. Since becoming a spammer in late 1999, Hawke's been driven mostly by a desire for money. (The agent seemed to share this view, that Hawke wasn't plotting any kind of election sabotage.) Anyway, even when he was head of the Knights of Freedom, Hawke didn't advocate violence.

Right now, I'd guess Hawke is primarily motivated by a desire to stay warm. Winter is approaching fast here in New England, and, according to his friends, Hawke is hiding out in the woods somewhere up north. Then again, maybe they're just covering for him. Maybe he's taken his greenbacks to a tropical island somewhere.

Posted by Brian at 1:09 PM

October 19, 2004

Spammin' is slammin'

More proof that young hackers regard spamming differently than their older brethren. In 1999, at the age of 17, Bryce Case Jr. gained notoriety for hacking government web sites. Now 22, the Colorado computer geek (who uses the hacker handle "ytcracker") lists his occupation as an "affiliate manager" for a network of porn sites. Case has also been producing rap music extolling life as a spammer.
ytcracker photo
Some of Case's tunes are available in mp3 format at his web site. They include "Spam City", with lyrics such as:

How do you think I get green like the incredible hulk?
It's because I'm sending the incredible bulk ...
Every time I mail relay, headers disappear like Florida votes ...

Another one of Case's raps, "Fuck Antis", [anti-spammers] includes the lines

I'm a spammer ...
My ROSKO and SPEWS they got it twisted ...
I aint sent an email in almost two years.

In a biographical note at his site, Case explains his work for the porn industry: "I love money and it happens to make money--this is where i derive my love for pornography." [Photo credit: Randal Kohtek]

Posted by Brian at 4:08 PM | Comments (16)

October 12, 2004

Point-and-click Phishing

Bysin, aka Ben Kittridge I've got a new story up at O'ReillyNet about a hacker named Bysin (a.k.a. Ben Kittridge). He's just 18 but apparently is one heck of a programmer. Problem is, Bysin has chosen to consult to the spam business and is selling a spamware program called Fahrenheit. ("Spamming is our last resort to pay rent," he says in the article.)

Turns out someone (not Bysin) recently used a copy of Fahrenheit to send out a "phishing" scam designed to rip off US Bank customers. Bysin's apologetic, but he says he couldn't have done anything to prevent it. (Check out the article for the details.)

A section of Spam Kings ("Rise of the Spam Zombies") delves into the alliance between hackers and spammers. Things have certainly changed since Hacker-X targeted Sanford Wallace in the late 90s.

Posted by Brian at 8:21 PM

October 8, 2004

More on Wallace's spyware business

OK, I think I understand now why Wallace is being sued.

If you visit this page (be careful!) at one of Wallace's sites, it will try to launch a pop-up that runs a script (don't click that link with IE!) at his freevegasclubs.com site. (According to Norton AntiVirus, the page also attempts to exploit a vulnerability in Microsoft's Internet Explorer browser.)

The script at freevegasclubs.com attempts silently to log the victim into an ftp server (located at that downloads and runs nine executable files. Some are identified by anti-virus software as "adware" or downloader programs. (E.g. istinstall_154074.exe, which Symantec calls Download.Adware.)

All of this technical sleight of hand is designed to happen automatically without any user intervention ... or permission.

Posted by Brian at 11:32 AM

October 7, 2004

Sanford Wallace Relapses

sanford-head.JPG The Federal Trade Commission is reportedly going after reformed Spam King Sanford Wallace for installing spyware on unsuspecting computer users. I haven't seen the complaint yet, so no idea whether Wallace's former partner Walt Rines is also involved. A year ago, I reported that Rines was distributing a spyware program called Kazanon. This is disappointing news. A lot of people, including Pete Wellborn, the attorney who sued Spamford out of business, have upheld Wallace as a model.

Posted by Brian at 9:19 PM

October 6, 2004

Targeting EDU

I had a feeling this would happen sooner or later. A spammer is offering to sell a list of 1.7 million .EDU email addresses for $370. "Are you targeting the student sector? Do you want students to buy your product or visit your website?" says the ad that hit my inbox today. (Someone else posted a copy here.)

The company behind this little effort at target marketing appears to be PgUp Host, which seems to be located in California. The site is on a server in Russia, however.

How did PgUp acquire its list? "Carefully" says the site. More likely, they used something like the vulnerability in Majordomo, which is present at lots of universities, to hoover up addresses.

To add insult to injury, PgUp Host forged the "From" address line in its spams. The message I received listed a return address belonging to a Delaware company called Atlas Copy. Right now, emails to atlascopy.com bounce with a "quota exceeded" error, probably due to all the complaints and bounces generated by PgUp's spam.

Posted by Brian at 8:59 PM

October 5, 2004

Pet Pantry Spammer

There's often a strange story behind the most innocuous looking spam. Since last Friday, I've received four identical spams from a dial-up connection in the Philippines, advertising DAL LLC, a Nevada company that operates a telemarketing center in Manila specializing in outbound calls. "At this time we have extra capacity and are actively looking to offer quotes for our services," says the spam, which is signed by Don Lockman, president of the company. No opt-out link and no physical address, as required by CAN-SPAM. Oddly, the return address on the message was "petpantry@pacific.net.ph."
I did a little research and discovered that Mr. Lockman is also president of Pet Pantry International. In May 2003, the FDA forced Pet Pantry to recall dog food that may have contained "rendered material" from a Canadian cow that tested positive for BSE ("Mad Cow Disease"). The FDA announcement advised consumers to call Pet Pantry's toll-free number to arrange the return of the product. A month later, Pet Pantry laid off its Nevada-based telemarketing staff of 70 and moved the operation to Manila, citing "adverse legislation" such as the FTC's Do Not Call registry.

So, to recap, Pet Pantry moved its telemarketing business to the Philippines to get around the U.S. law. Now, it's sending spam (not compliant with CAN-SPAM) to advertise that business.

Posted by Brian at 10:43 AM

October 4, 2004

Update on USA vs Smathers et al.

seand-sm.jpg Interesting convo over AIM the other day with Sean Dunaway. As you may recall, Dunaway was one of the guys accused last June of stealing AOL's entire member database and selling it to spammers. Can't go into details, but seems this case is much more complicated than it first appeared. According to the case docket, neither Dunaway nor his alleged accomplice, Jason Smathers, has been indicted yet. (Federal prosecutors have had to ask for two continuances.) The case was among those bundled into Operation Web Snare, recently announced by the Department of Justice.

Posted by Brian at 7:02 AM

Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.

All trademarks and registered trademarks appearing on spamkings.oreilly.com are the property of their respective owners.

O'Reilly Home | Privacy Policy

© 2004 O'Reilly Media, Inc.
For assistance with this site, email: