Cybercriminals Leveraging Facebook
Eric Feinberg, Ian Malloy and Frank Angiolelli
7/8/2013
Table of Contents:
Executive Summary & Diagram
Fake User Profiles
The Posts for Counterfeit Merchandise
Using the Russian Business Network as an Intermediary
Evidence of Replication
Examples of Mass Redirection Using .tk Websites
Patterns
Scope of Fraud
Paid Advertisements on Facebook to Counterfeit Merchandise
The Need For a Detection Mechanism
Threat Detection as a Continuous Process
Conclusion
Appendix A: Evidence Of .TK Redirection
Appendix B: Evidence of POST Method in Unencrypted HTTP
Appendix C: Matrix of Some Counterfeit Merchandise Websites
Appendix D: Multiple Types of Suspicious Activity
Appendix E: Paid Advertisements for Counterfeit Merchandise
Steps Forward
Executive Summary & Diagram
Malicious actors and cybercriminals are now leveraging social media as a mass distribution system for advertising counterfeit consumer goods through Facebook and for infecting computers to become part of a botnet, a ring of compromised computers controlled through a remote mechanism. This activity is trafficking in goods using counterfeit trademarks, leveraging insecure transport for Personally Identifiable Information and utilizing dubious payment processors. The activity is growing to include money mule recruitment and “loan origination”, as well as operating under a Chinese and Russian Business Network banner.
This document will lay out evidence that this “system” appears highly organized, including a creation, masking and distribution system that follows a definable pattern of replication. These actors are exploiting Facebook’s inability to detect and react, as well as weaknesses in its API, to expose mass numbers of unsuspecting citizens to counterfeit merchandise advertisements via fake profiles. The mechanism by which the malicious actors are intruding and avoiding detection is the use of Facebook’s Graph API.
“The clear onus is on the social media site to protect users from exposure, not just to inappropriate or offensive material, but from material that can steal their identity or money.” – Frank Angiolelli
In addition, these actors are creating advertisements which use Facebook’s ad distribution to present their sites across thousands of groups, more specifically fan pages related to professional sports.
In this document, we will present evidence showing the organized and distributed network these actors
are using, the clearly identifiable patterns and the need for a detection mechanism.
Figure 1: Ecosystem of Facebook Cybercrime
Fake User Profiles
These malicious actors are creating Facebook profiles using fictitious names and a methodology which
follows a distinctive pattern. The actors are creating profiles using the most basic settings and mass
joining public groups. The number of groups joined ranges from approximately 100 to 400+ per profile
and in virtually all cases, the user has never posted anything on their timeline. Using these groups, the
“advertisement” posts reach upwards of 300,000 people per fake profile.
Using the profile of Zoe Lim (See Figure 2: Fake Profile of Zoe Lim) as a case study, this “user” joined 194 groups reaching 377,852[1] people without placing a single post or liking a single page. Some of the accounts have up to 5 liked movie or music pages; however, none of them have any content posts outside of public groups.
Figure 2: Fake Profile of Zoe Lim
A full accounting of all the Facebook profiles is outside the scope of this paper, however, further
examples of fake Facebook profiles engaged in this activity include:
[1] A review of fake profile Zoe Lim revealed 194 groups with 377,852 members, not accounting for duplicate membership.
• Betty Roan, member of 121 groups[2]
• Diana Tellez, member of 301 groups[3]
• Ward Kelsie, member of 323 groups[4]
The Posts for Counterfeit Merchandise
Once the account is created, it joins hundreds of groups and posts ads. The pattern for the posts these fake profiles are proliferating consists primarily of a sales pitch, a website link drawn from various domains (primarily .tk websites without canonical references), followed by a picture of the supposed merchandise to be sold. There are patterns to the posts, primarily at this time a mixture of Ray-Ban and Oakley sunglasses, Louis Vuitton and discount shoes (i.e. www.hotshoessale25.tk, www.niceshoeso.tk, www.outletshoes.tk, www.discountshoes10.tk), as well as other counterfeit merchandise including NFL jerseys. For the purposes of brevity, this document will focus mostly on the counterfeit sunglasses as evidence of the pattern, with some brief documentation of the other merchandise.
The .tk websites are used as redirectors [See Appendix A] to the counterfeit merchandise “retail” websites, as evidenced in the traffic below, delivering the victim to 2bestmall.com. This replicated website [See “Evidence of Replication”] is leveraging cnzz.com (See Figure 5), a Chinese Content Delivery Network (CDN) [See Figure 5 & Figure 6] that has an extremely poor reputation for hosting exploit code[5]. The payment systems employed by these websites have a very poor reputation[6]. Realpay-checkout.com is registered at GoDaddy and billingcheckout.com is registered at todaynic.com.
Example Advertisement Post 1
Example Advertisement Post 2
Figure 3: Leveraging billingcheckout.com & Chinese CDN
Figure 6: Using realpay-checkout.com & Chinese CDN

[2] https://www.facebook.com/betty.roan.71?hc_location=stream
[3] https://www.facebook.com/diana.tellez.7545?hc_location=stream
[4] https://www.facebook.com/ward.kelsie?hc_location=stream
[5] http://www.mywot.com/en/scorecard/cnzz.com
[6] http://www.webutation.net/go/review/realypay-checkout.com,
http://www.webutation.net/go/review/billingcheckout.com,
http://www.sitejabber.com/reviews/www.realypay-checkout.com
Using the Russian Business Network as an Intermediary
These actors are using Russian Business Network IP addresses as intermediaries to host the .tk redirectors. This technique is being used as an evasion tactic to prevent easy discovery and blocking of the offending counterfeit merchandise website. The IP address most frequently observed hosting these .tk redirectors in this study was 93.170.52.21[7] (See Figure 7).
Figure 7: Russian Business Network Hosting .tk Redirectors
Evidence of Replication
The method being used here is replicated over multiple domains, with multiple redirectors. The domain nice-sunglasses.com is registered to a “Zerubbabel Kahance”. This name is associated with other domains. Refer to Appendix C for a full accounting of these; an example is listed here.
• here-store.com[8] – Selling “cheap oakley sunglasses”
• here-best.com[9] – Selling “cheap oakley sunglasses”
• come-sale.com[10] – Selling “cheap oakley sunglasses”
• here-emall.com[11] – Selling “cheap bikinis”
• here-new.com – Selling “cheap oakley sunglasses”
• here-yes.com – Selling “cheap oakley sunglasses”
The title “Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !” is shown on statscrop.com to match 37 results in total[12].
These sites have the same setup as nice-sunglasses.com[13], using Zen Cart[14] and the exact same title HTML tag[15]. The site itself is, for all intents and purposes, a copy of the site at nice-sunglasses.com. The distribution network is the same as well, leveraging .tk redirectors[16].

[7] http://urlquery.net/report.php?id=3280151
[8] http://whois.domaintools.com/here-store.com
[9] http://www.statscrop.com/www/here-best.com
[10] http://whois.domaintools.com/come-sale.com
[11] http://www.statscrop.com/Here-emall.com
[12] http://www.google.com/#safe=off&site=&source=hp&q=site:statscrop.com+Top+RayBan%C2%AE+And+Oakley%C2%AE+Sunglasses+Online+Store-Up+To+80%25+Off+!&oq=site:statscrop.com+Top+RayBan%C2%AE+And+Oakley%C2%AE+Sunglasses+Online+StoreUp+To+80%25+Off+!&gs_l=hp.3...740.4231.0.5355.23.22.1.0.0.0.169.1915.15j7.22.0...0.0.0..1c.1.17.hp.vPdrevVGD4&bav=on.2,or.&bvm=bv.48572450,d.dmg&fp=f53ef48681d7c10d&biw=1214&bih=920
[13] http://urlquery.net/report.php?id=3403164
[14] <meta name="generator" content="shopping cart program by Zen Cart™, http://www.zencart.com eCommerce">
Examples of Mass Redirection Using .tk Websites
The actors create multiple redirectors hosted on the same IP address over time. The IP address 176.9.241.1 is associated with 39 .tk redirectors between 05/01/2013 and 06/23/2013[17]. Some examples are listed here:
• hxxp://yatl-chaffer.tk/ -> here-store.com[18]
• hxxp://vrymall-oks.tk -> here-store.com
• hxxp://bueall-loves.tk -> here-store.com
• hxxp://supermall-malls.tk -> here-yes.com
• hxxp://chain-shoping.tk -> here-ok.com
• hxxp://service-promote.tk -> here-best.com
• hxxp://four-transactions.tk -> here-new.com[19]
The majority of these .tk sites observed and discovered[20] were hosted on the IP addresses 93.170.52.21, 176.9.241.1 and 93.170.52.31.
Patterns
The counterfeit merchandise websites rotate domain, hosting, registrar and geo-location; however, distinct patterns exist across all the websites being distributed, centered primarily on the actual content. Commonalities exist in the Title and Keywords inside the HTML code, which affords a possible detection. This would seem to underscore the deficiencies of detecting bad actors based on registrar, host, IP address or domain name, and the need for a tiered anomaly and known-bad detection mechanism by social networking providers, particularly Facebook.
For example, a Google search for “Top RayBan® And Oakley® Sunglasses Online Store-Up To 80% Off!” returns 135,000 results at this time. Not all of these are counterfeit merchandise sites; however, it reveals a problem so prolific that individual legal agency seizure of domains may be ineffective. The actors will copy their code to another domain, stand up hosting and set up .tk redirectors.

[15] <title>Top Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>
[16] http://urlquery.net/report.php?id=3280040
[17] http://urlquery.net/search.php?q=176.9.241.1&type=string&start=2013-05-01&end=2013-06-29&max=50
[18] http://urlquery.net/report.php?id=3242754
[19] http://urlquery.net/report.php?id=2324346
[20] http://urlquery.net/search.php?q=%28mall%7Cshoes%7Cshop%7Clove%7Ctransac%7Coakley%7Crayban%7C%5Clike%7Clike%5C-%29.*%5C.tk&type=regexp&start=2013-05-01&end=2013-06-30&max=400
The speed at which this process can occur without detection is fast enough to cause harm to the
economy on what is likely a very large scale. When these techniques are tied with social networking
sites like Facebook and those networks are not equipped to detect and prevent such distribution, the
reach vs. cost of this operation makes it very attractive to the criminal element.
Scope of Fraud
The scope of the fraud involved here is not limited to counterfeit merchandise. Throughout the investigation and information gathering activity on Facebook, our group discovered examples of:
• Payday Loans (See Appendix E)
• Facebook sites with redirectors[21],[22]
• Suspected Money Mule Recruitment (See Appendix E)
• Counterfeit NFL Jerseys (See Appendix E)
• The installation of remote control capabilities, i.e. a zombie computer or ‘bot’
Paid Advertisements on Facebook to Counterfeit Merchandise:
In Appendix E, a sample of evidence of paid advertisements for counterfeit merchandise is presented. These ads are tied to what users “Like” on Facebook. The same methodology that Facebook uses to target ads to users is being leveraged to present counterfeit merchandise to the users most likely to buy it.
While a network forensic professional can review and identify suspicious behavior in these sites, the average user cannot. The onus must be on the service provider to minimize criminal operations on their sites. This appears to be a new “type” of malvertisement, not necessarily deploying exploit kits, but deploying financial fraud and risk of identity theft.
The advertisement pattern does differ from the current .tk post pattern, tending to use 51.la as its CDN; however, the sites observed in this review used the same dubious billing processors. The site “luisvuittonoutletcheaps.net” has an unencrypted registration mechanism [see Appendix E], and only after you register and place an order is it revealed that the payment processor is billingcheckout.com.

[21] hxxps://www.facebook.com/Isellshoe/app_208195102528120
[22] hxxp://www.ucool.co/?pagejd
The difference in patterns between the Facebook fake profile “posts” and the counterfeit ads leads to a question of MO, or modus operandi, a concept familiar to law enforcement. Predictable patterns must be leveraged against the bad actors, which does not appear to be happening at this time.
The Need for a Detection Mechanism
There is a clear use case here which appears to have a void at this time.
“The clear onus is on the social media site to protect its users …from material that can steal their identity or money.”
This document demonstrates clear patterns of activity by actors that are detectable using forensic techniques investigating nothing more than the public information available on Facebook. Our group has a clear take-away from this investigation: a detection mechanism is not only possible but would protect the public in general and enhance the reputation of social media sites like Facebook.
Additionally, the economy as a whole would benefit from lowering losses due to such fraud. The
detection mechanism incorporates aspects of applied artificial intelligence called a ‘Best-First Search’ to
detect anomalies in the system and then a Proactive Automated Defense Unit (PAD Unit) will be utilized
to complete the solution.
Our group believes that the patterns observed here can be expanded upon considerably by performing
data analytics using the full data collected by those sites. This data should be used to extrapolate
predictive behavioral models which can be used in a mature process to prevent this activity
programmatically and take down bad actors. The clear onus is on the social media site to protect its
users from exposure, not just inappropriate or offensive material, but from material that can steal their
identity or money.
The activity in question must be detected through a system that checks the user making the post, the post text itself and the URLs being posted, and then takes action programmatically based on acceptable or unacceptable behavior models.
For example, canonical checks, content grabbing, IP reputation and a host of other checks can be performed against the URLs being posted in a staggered approach to allow for high speed, high volume vetting in a programmatic fashion. Scoring mechanisms can be designed to allow for tiered processing of links in real time, thereby allowing Facebook to pull posts that are suspect based on defined parameters.
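As an added example (the editor's code, not the authors' PAD Unit), the tiered vetting sketched above, run over a constructed redirect chain modelled on Appendix A. The Fetch type, the weights and the pull threshold are assumptions; the shared title, the redirector IPs and the Zen Cart generator tag are the indicators this paper reports.

```python
# Tiered vetting of a posted link and its poster, built on the indicators this
# paper reports. Editor's example, not the authors' PAD Unit; the Fetch type,
# weights, threshold and sample data are assumptions.
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators quoted from the paper; everything else in this file is constructed.
KNOWN_BAD_TITLE = "Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !"
REDIRECTOR_HOSTS = {"93.170.52.21", "176.9.241.1", "93.170.52.31"}
PULL_THRESHOLD = 60  # assumed score at which a post is pulled for review

@dataclass
class Fetch:  # constructed stand-in for the content-grabbing tier: one HTTP hop
    host_ip: str
    status: int
    location: str = ""  # Location header on a 3xx response
    body: str = ""      # response body on a 200

class HeadExtractor(HTMLParser):
    """Collect <title> and <meta name="generator"> from a fetched page."""
    def __init__(self):
        super().__init__()
        self.title, self.generator, self._in_title = "", "", False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")

    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"

    def handle_data(self, data):
        self.title += data if self._in_title else ""

def site_of(host):  # crude registrable-domain key; assumes two labels suffice here
    return ".".join(host.lower().split(":")[0].split(".")[-2:])

def score_profile(groups_joined, timeline_posts, liked_pages):
    """Tier 1: the fake-profile pattern (mass group joins, silent timeline)."""
    score, reasons = 0, []
    if groups_joined >= 100:
        score += 30; reasons.append("joined %d groups" % groups_joined)
        if timeline_posts == 0:
            score += 20; reasons.append("no timeline posts despite mass joins")
    if liked_pages <= 5:
        score += 10; reasons.append("minimal likes")
    return score, reasons

def score_url(url, fetch_chain):
    """Tiers 2-4 for one link, cheapest first; fetch_chain maps a hostname to
    its Fetch result, standing in for DNS resolution plus an HTTP GET."""
    score, reasons = 0, []
    host = urlsplit(url).netloc.lower()
    if host.endswith(".tk"):                       # tier 2: syntactic check
        score += 20; reasons.append(".tk domain")
    for _ in range(5):                             # follow at most 5 hops
        f = fetch_chain.get(host)
        if f is None:
            break
        if f.host_ip in REDIRECTOR_HOSTS:          # tier 3: IP reputation
            score += 30; reasons.append("hosted on redirector IP " + f.host_ip)
        if 300 <= f.status < 400 and f.location:
            nxt = urlsplit(f.location).netloc.lower()
            if site_of(nxt) != site_of(host):
                score += 20; reasons.append("redirects off-site to " + nxt)
            host = nxt
            continue
        if f.status == 200:                        # tier 4: content check
            ext = HeadExtractor(); ext.feed(f.body)
            if " ".join(html.unescape(ext.title).split()) == KNOWN_BAD_TITLE:
                score += 40; reasons.append("title matches replicated storefront")
            if "zen cart" in ext.generator.lower():
                score += 10; reasons.append("Zen Cart generator tag")
        break
    return score, reasons

def vet_post(profile, url, fetch_chain):
    """profile is (groups, timeline posts, likes); returns (action, score, reasons)."""
    ps, pr = score_profile(*profile)
    us, ur = score_url(url, fetch_chain)
    total = ps + us
    return ("pull" if total >= PULL_THRESHOLD else "allow"), total, pr + ur

# Constructed sample modelled on Appendix A (.tk site answering 301 to 2bestmall.com);
# the redirector IP is swapped for one of the hosts the paper names.
SAMPLE_CHAIN = {
    "discount-oppud.tk": Fetch("93.170.52.21", 301, location="http://2bestmall.com"),
    "2bestmall.com": Fetch("185.3.133.182", 200, body=(
        '<head><meta name="generator" content="shopping cart program by Zen Cart&trade;">'
        '<title>Top Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>'
        '</head>')),
}
SAMPLE_PROFILE = (194, 0, 0)  # modelled on the Zoe Lim profile: 194 groups, no posts, no likes
```

Calling vet_post(SAMPLE_PROFILE, "http://discount-oppud.tk/", SAMPLE_CHAIN) returns "pull" with a score of 180 and the list of tripped indicators; a real pipeline would replace the constructed Fetch map with DNS and a sandboxed GET.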
The accounts themselves can be vetted along multiple
key points to limit the distribution of these events.
Account Creation Process
The account creation process should contain vetting mechanisms whereby the account is checked for established patterns in a methodical way. The process itself should adhere to the Continuous Improvement Lifecycle and would require human as well as machine intelligence. Initial accounts can be tagged for validity and passed on to a processor that monitors for suspicious patterns. As part of the quality control process, any account tagged as suspicious should be subjected to an automated challenge-response capability, ending in termination of the account.
The Posting Patterns
The posts themselves must run through a series of checks in a tiered manner that allows for scoring and action. Predictive analytics and human-generated patterns must be input into a vetting engine, from which posts can then be passed on to deeper inspections. The process itself must contain automatic challenge responses and post removal processes to protect the public from fraud, maliciousness and identity theft without the need for user interaction.
Threat Detection as a Continuous Process
This kind of exploitation is not static and requires a combination of human intelligence and analysis along with algorithmic detection of anomalous patterns. As shown in the diagram below, this process can be best represented by a sine wave, which allows for variable frequency and amplitude. The frequency and amplitude represent the speed of the threat lifecycle and the attack surface, or exposure, respectively.
Conclusion
When mass distribution of counterfeit merchandise is coupled with mass distribution of difficult to
detect redirecting links through the premier social networking site, Facebook.com, there is a clear
mechanism to engage in criminal enterprise. It would appear that criminals have the opportunity, means
and motive and Facebook currently lacks a capable preventive and response mechanism. Unless a
proper threat response to the lifecycle exists, this activity will be proliferated across as many social
engineering sites as possible.
Our solution, a PAD Unit, is both within the scope of solving this issue and also addresses the need for a software program capable of protecting both the users of social media like Facebook© and the private industries being taken advantage of. This solution is in the interest of all parties involved except the criminal element.
Appendix A: Evidence Of .TK Redirection
Parameters:
URL = http://discount-oppud.tk/
UAG = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
REF = http://www.facebook.com
AEN =
REQ = GET ; VER = 1.1 ; FMT = AUTO

Sending request:
GET / HTTP/1.1
Host: discount-oppud.tk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://www.facebook.com
Connection: close

• Finding host IP address...
• Host IP address = 128.204.201.9
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1 301 Moved Permanently
Date: Thu, 27 Jun 2013 22:34:16 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.6 Perl/v5.10.1
Location: http://2bestmall.com
Content-Length: 228
Connection: close
Content-Type: text/html; charset=iso-8859-1

(Redirection to counterfeit merchandise website)

Sending request:
GET / HTTP/1.1
Host: 2bestmall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://www.facebook.com
Connection: close

• Finding host IP address...
• Host IP address = 185.3.133.182
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Thu, 27 Jun 2013 22:18:47 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Set-Cookie: zenid=6d71bea6330b900388ca93b3af9c72f0; path=/; domain=.2bestmall.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Content (Length = 46893):
b720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">

<head>

<title>Top Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>

(Counterfeit Sunglass Sales Website)

-----------------------------END TRAFFIC PATTERN ---------------------------------
Appendix B: Evidence of POST Method in Unencrypted HTTP
HTTP/1.1
Host: 2bestmall.com
Connection: keep-alive
Content-Length: 169
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://2bestmall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://2bestmall.com/index.php?main_page=checkout_shipping_address
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: zenid=e482158d1a4fc0bb3e2b8218f4cd83b6; CNZZDATA5264794=cnzz_eid%3D14994999751372379098http%253A%252F%252F2bestmall.com%26ntime%3D1372379098%26cnzz_a%3D10%26retime%3D1372380023470%26sin%3Dnone%26ltime%3D1372380023470%26rtime%3D0; RpCookie=6k8hup5ph6pl60eqvn3v3agjs4
DNT: 1

gender=m&firstname=Bob&lastname=Jones&street_address=15+Main+Street&suburb=&city=Beverly+Hills&zone_id=12&postcode=90210&zone_country_id=223&action=submit&x=39&y=7
Appendix C: Matrix of Some Counterfeit Merchandise Websites
Columns of the matrix: Site, Daily Bandwidth, Age, Title, Name Server Primary, IP Address, Keywords, Date, Reference.

here-store.com
Daily Bandwidth: 24.23 MB (726.87 MB/month)
Age: 4 months
Title: Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off ! Free Shipping On Orders Over 5 Items.
Name Server Primary: ns1.cloudang.com (50.115.129.33)
IP Address: 172.245.213.118
Keywords: home base cash advance debt consolidation
Date: 2/19/2013
Reference: http://www.statscrop.com/www/here-store.com

here-best.com
Daily Bandwidth: Taken Down by Greer Burns & Crain
Age: 4 months
Title, Name Server Primary, IP Address, Keywords, Date, Reference: Taken Down

come-sale.com
Daily Bandwidth: 42.84 MB (1.25 GB/month)
Age: 4 months
Title: Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !
Name Server Primary: ns1.oraco.net
IP Address: 192.227.139.187
Keywords: Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale
Date: 2/21/2013
Reference: http://www.statscrop.com/www/come-sale.com

here-emall.com
Daily Bandwidth: Unknown
Age: 4 months
Title: Cheap Bikinis,Cheap Brand Product
Keywords: Cheap Bikinis, Cheap Brand Product
Date: 2/19/2013
Reference: http://www.statscrop.com/www/here-emall.com

here-new.com
Daily Bandwidth: 1.30 GB (39.10 GB/month)
Age: 4 months
Name Server Primary: mns01.domaincontrol.com (216.69.185.34)
IP Address: 204.74.216.23
Keywords: Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale
Date: 2/19/2013
Reference: http://www.statscrop.com/www/here-new.com

here-yes.com
Daily Bandwidth: Taken Down by Greer Burns & Crain
Age: 4 months
Name Server Primary: mns01.domaincontrol.com (216.69.185.34)
IP Address: 204.74.215.59
Keywords: Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale
Date, Reference: Taken Down
Appendix D: Multiple Types of Suspicious Activity
Payday loans
Counterfeit NFL Merchandise
Suspected Money Mule Recruitment
Suspect “Loan” Providers
Suspected Money Mule Recruitment with Unencrypted Data Transport
This tiny.cc URL redirects you to wobmr1r66.blogspot.tw, which requests your personal information.
Appendix E: Paid Advertisements for Counterfeit Merchandise
The advertisements listed on the right hand side of this screenshot are for counterfeit merchandise
hosted in China.
While not pictured here, this site uses billingcheckout.com
When creating an account, the data is transmitted unencrypted:
POST /create_account.html HTTP/1.1
Host: www.louisvuittonoutletcheaps.net
Connection: keep-alive
Content-Length: 386
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://www.louisvuittonoutletcheaps.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.louisvuittonoutletcheaps.net/create_account.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: zenid=76307818ab1ac31f6e65fe6b1b0005be; AJSTAT_ok_pages=2; AJSTAT_ok_times=1

securityToken=9dc4a61d1389c0332b58a2ce8ec0a767&action=process&email_pref_html=email_format&firstname=Magilla&lastname=Gorilla&street_address=1+Main+Street&should_be_empty=&city=Beverly+Hills&zone_id=12&state=CA&postcode=90210&zone_country_id=223&telephone=874-4789874&email_address=ilovetoscam%40gmail.com&password=password1&confirmation=password1&email_format=TEXT&x=45&y=19
Registrant Contact Details:
PrivacyProtect.org
Domain Admin
(contact@privacyprotect.org)
ID#10760, PO Box 16
Note - Visit PrivacyProtect.org to contact the domain owner/operator
Nobby Beach
Queensland,QLD 4218
AU
Tel. +45.36946676
Once you create an account, you can place your order which is processed by Billingcheckout.com
As evidenced in the transaction listed below, this website is leveraging Chinese CDNs and the disreputable payment website “billingcheckout.com”.
The ownership information traces back to China:
Domain ID:CNIC-DO473296
Domain Name:51.LA
Created On:2005-01-17T01:00:00.0Z
Last Updated On:2012-03-14T16:59:32.0Z
Expiration Date:2017-01-17T23:59:59.0Z
Status:TRANSFER PROHIBITED
Status:RENEW PERIOD
Registrant ID:P-23189298
Registrant Name:Yang Fucheng
Registrant Street1:5-32, 55 Jingsan Road
Registrant City:Zhengzhou
Registrant Postal Code:450008
Registrant Country:CN
Registrant Phone:+86.37168712665
Registrant Email:nuduseng@hotmail.com
Admin ID:P-23189298
Admin Name:Yang Fucheng
Admin Street1:5-32, 55 Jingsan Road
Admin City:Zhengzhou
Admin Postal Code:450008
Admin Country:CN
JerseysCheapWholeSaler.us
The below information shows a single advertisement for jerseyscheapwholesaler.us. This website is a
Chinese counterfeit merchandise operation for NFL Jerseys.
http://urlquery.net/report.php?id=3405561
Domain Name: JERSEYSCHEAPWHOLESALER.US
Domain ID: D35251725-US
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Registrar URL (registration services): whois.enom.com
Domain Status: clientTransferProhibited
Registrant ID: DD78B8C58242F7FF
Registrant Name: shi manyang
Registrant Address1: taijiang qu
Registrant City: fuzhou
Registrant State/Province: fujian
Registrant Postal Code: 350004
Registrant Country: China
Registrant Country Code: CN
Registrant Phone Number: +86.13358216111
Registrant Email: smy21@126.com
Registrant Application Purpose: P1
Registrant Nexus Category: C12
Administrative Contact ID: 324AF205097DFF8C
Administrative Contact Name: shi manyang
Administrative Contact Address1: taijiang qu
Administrative Contact City: fuzhou
Administrative Contact State/Province: fujian
Administrative Contact Postal Code: 350004
Administrative Contact Country: China
Administrative Contact Country Code: CN
Administrative Contact Phone Number: +86.13358216111
Administrative Contact Email: smy21@126.com
Billing Contact ID: DD78B8C58242F7FF
Billing Contact Name: shi manyang
Billing Contact Address1: taijiang qu
Billing Contact City: fuzhou
Billing Contact State/Province: fujian
Billing Contact Postal Code: 350004
Billing Contact Country: China
Billing Contact Country Code: CN
Billing Contact Phone Number: +86.13358216111
Billing Contact Email: smy21@126.com
Billing Application Purpose: P1
Billing Nexus Category: C12
Technical Contact ID: B23D2804097DFF8C
Technical Contact Name: shi manyang
Technical Contact Address1: taijiang qu
Technical Contact City: fuzhou
Technical Contact State/Province: fujian
Technical Contact Postal Code: 350004
Technical Contact Country: China
Technical Contact Country Code: CN
Technical Contact Phone Number: +86.13358216111
Technical Contact Email: smy21@126.com

CustName: Anxin
Address: Chengdu
City: Chengdu
StateProv: SICHUAN
PostalCode: 55001
Country: CN
RegDate: 2012-06-30
Updated: 2012-06-30
Steps Forward
A solution has been suggested in this write-up, namely the Proactive
Automated Defense Unit. The PAD Unit will be detailed now to a degree,
though a complete description will be withheld at this time to protect Malloy
Labs’ proprietary intellectual property. The complete PAD Unit relies on
proprietary algorithms to actively search through anomalies using methods
from artificial intelligence that are quantitatively shown to be superior to
using decision trees.
The use of AI in cyber defense is a burgeoning but young field, but
Mr. Malloy is confident in his ability to combine the two given his funding
from the United States of America National Aeronautics and Space
Administration South Dakota Space Grant Consortium to design multi-sensory
AI. Mr. Malloy has taken from this several aspects of AI that can be applied
safely to cyber security, a field in which he has received awards from
competing in the South Dakota Governor’s Giant Vision and also the South
Dakota Technology Business Center’s accelerator program for start-ups.
This unique knowledge gives a key advantage to the authors to produce
a solution. Mr. Angiolelli is extremely gifted in big data analysis as well
as reverse engineering of malware and offers key insight into how to produce
an automated solution to solving problems such as the one Facebook now faces
and has faced for over a year. Mr. Feinberg excels in Human Intelligence and
Social Engineering offering a much needed “EyeOn” the threats. Combined with
Mr. Malloy’s gifts the team can easily implement both a short term and long
term solution to the problem, should companies need such a solution.
Mr. Malloy outlined a three PAD unit approach to solving governmental
defense and attack needs as outlined in his write-up to the NATO CyCon 2013.
Only the defensive PAD Unit will be deployed to fix the problems social
networks such as Facebook have, limiting the response Unit to block as
opposed to shutting down the servers associated, despite the fact that all
servers associated with the problems outlined in this white-paper only
involve those known for acting maliciously. The team is fully capable of
mitigating loss and preventing fraud should companies need such action to be
taken.
Ian Malloy – CEO Malloy Labs Llc. 605-251-4662
Eric Feinberg – CEO EyeOn Intellectual Property Protection 917-566-0661
Frank Angiolelli – Independent Security Researcher 914-589-4474