Cybercriminals Leveraging Facebook - Socology · 2018-10-17 · These malicious actors are creating Facebook profiles using fictitious names and a methodology which follows a distinctive

Jul 05, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript

Cybercriminals Leveraging Facebook

Eric Feinberg, Ian Malloy and Frank Angiolelli

7/8/2013


Table of Contents:

Executive Summary & Diagram
Fake User Profiles
The Posts for Counterfeit Merchandise
Using the Russian Business Network as an Intermediary
Evidence of Replication
Examples of Mass Redirection Using .tk Websites
Patterns
Scope of Fraud
Paid Advertisements on Facebook to Counterfeit Merchandise
The Need For a Detection Mechanism
Threat Detection as a Continuous Process
Conclusion
Appendix A: Evidence Of .TK Redirection
Appendix B: Evidence of POST Method in Unencrypted HTTP
Appendix C: Matrix of Some Counterfeit Merchandise Websites
Appendix D: Multiple Types of Suspicious Activity
Appendix E: Paid Advertisements for Counterfeit Merchandise
Steps Forward


Executive Summary & Diagram

Malicious actors and cybercriminals are now leveraging social media as a mass distribution system for advertising counterfeit consumer goods through Facebook and for infecting computers to become part of a botnet, a ring of maliciously acting computers operated through a remote mechanism. This activity is trafficking in goods using counterfeit trademarks, leveraging insecure transport for Personally Identifiable Information and utilizing dubious payment processors. The activity is growing to include money mule recruitment and “loan origination” as well as operating under a Chinese and Russian Business Network banner.

This document will lay out evidence that this “system” appears highly organized, including a creation, masking and distribution system utilizing a definable pattern of replication. These actors are exploiting Facebook’s inability to detect and react, as well as weaknesses in its API, to expose mass numbers of unsuspecting citizens to counterfeit merchandise advertisements via fake profiles. The mechanism by which the malicious actors are intruding and avoiding detection is the use of Facebook’s Graph API.

In addition, these actors are creating advertisements which use Facebook’s ad distribution to present their sites across thousands of groups, more specifically fan pages related to professional sports.

In this document, we will present evidence showing the organized and distributed network these actors are using, the clearly identifiable patterns and the need for a detection mechanism.

“The clear onus is on the social media site to protect users from exposure, not just to inappropriate or offensive material, but from material that can steal their identity or money.” – Frank Angiolelli


Figure 1: Ecosystem of Facebook Cybercrime


Fake User Profiles

These malicious actors are creating Facebook profiles using fictitious names and a methodology which follows a distinctive pattern. The actors create profiles using the most basic settings and mass-join public groups. The number of groups joined ranges from approximately 100 to 400+ per profile, and in virtually all cases the user has never posted anything on their timeline. Using these groups, the “advertisement” posts reach upwards of 300,000 people per fake profile.

Using the profile of Zoe Lim (see Figure 2: Fake Profile of Zoe Lim) as a case study, this “user” joined 194 groups reaching 377,852 people [1] without placing a single post or liking a single page. Some of the accounts have up to 5 liked movie or music pages; however, none of them have any content posts outside of public groups.

Figure 2: Fake Profile of Zoe Lim

A full accounting of all the Facebook profiles is outside the scope of this paper; however, further examples of fake Facebook profiles engaged in this activity include:

Betty Roan, member of 121 groups [2]

Diana Tellez, member of 301 groups [3]

Ward Kelsie, member of 323 groups [4]

[1] A review of fake profile Zoe Lim revealed 194 groups with 377,852 members, not accounting for duplicate membership.

The Posts for Counterfeit Merchandise

Once the account is created, it joins hundreds of groups and posts ads. The posts these fake profiles are proliferating consist primarily of a sales pitch, a website link (various domains, primarily .tk websites without canonical references) followed by a picture of the supposed merchandise to be sold. There are patterns to the posts, primarily at this time a mixture of Ray-Ban and Oakley sunglasses, Louis Vuitton and discount shoes (i.e. www.hotshoessale25.tk, www.niceshoeso.tk, www.outletshoes.tk, www.discountshoes10.tk) as well as other counterfeit merchandise including NFL jerseys. For the purposes of brevity, this document will focus mostly on the counterfeit sunglasses as evidence of the pattern, with some brief documentation of the other merchandise.

Example Advertisement Post 1

Example Advertisement Post 2

The .tk websites are used as redirectors [see Appendix A] to the counterfeit merchandise “retail” websites, as evidenced in the traffic below, delivering the victim to 2bestmall.com. This replicated website [see “Evidence of Replication”] is leveraging cnzz.com (see Figure 5), which is a Chinese Content Delivery Network (CDN) [see Figure 5 & Figure 6] that has an extremely poor reputation for hosting exploit code [5]. The payment systems employed by these websites have a very poor reputation [6].

Realpay-checkout.com is registered at GoDaddy and billingcheckout.com is registered at todaynic.com.

Figure 3: Leveraging billingcheckout.com & Chinese CDN

Figure 6: Using realpay-checkout.com & Chinese CDN

[2] https://www.facebook.com/betty.roan.71?hc_location=stream
[3] https://www.facebook.com/diana.tellez.7545?hc_location=stream
[4] https://www.facebook.com/ward.kelsie?hc_location=stream
[5] http://www.mywot.com/en/scorecard/cnzz.com
[6] http://www.webutation.net/go/review/realypay-checkout.com, http://www.webutation.net/go/review/billingcheckout.com, http://www.sitejabber.com/reviews/www.realypay-checkout.com


Using the Russian Business Network as an Intermediary

These actors are using Russian Business Network IP addresses as intermediaries to host the .tk redirectors. This technique is being used as an evasion tactic to prevent easy discovery and blocking of the offending counterfeit merchandise website. The IP address most frequently hosting the .tk redirectors observed in this study was 93.170.52.21 [7] (see Figure 7).

Figure 7: Russian Business Network Hosting .tk Redirectors

Evidence of Replication

The method being used here is replicated over multiple domains, with multiple redirectors. The domain nice-sunglasses.com is registered to a “Zerubbabel Kahance”. This name is associated with other domains. Refer to Appendix C for a full accounting of these; an example is listed here.

• here-store.com [8] – Selling “cheap oakley sunglasses”
• here-best.com [9] – Selling “cheap oakley sunglasses”
• come-sale.com [10] – Selling “cheap oakley sunglasses”
• Here-emall.com [11] – Selling “cheap bikinis”
• here-new.com – Selling “cheap oakley sunglasses”
• here-yes.com – Selling “cheap oakley sunglasses”

The title “Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off !” is shown on statscrop.com to match 37 results in total [12].

These sites have the same setup as nice-sunglasses.com [13], using Zen Cart [14] and the exact same HTML title tag [15]. The site itself is, for all intents and purposes, a copy of the site at nice-sunglasses.com. The distribution network is the same as well, leveraging .tk redirectors [16].

[7] http://urlquery.net/report.php?id=3280151
[8] http://whois.domaintools.com/here-store.com
[9] http://www.statscrop.com/www/here-best.com
[10] http://whois.domaintools.com/come-sale.com
[11] http://www.statscrop.com/Here-emall.com
[12] http://www.google.com/#safe=off&site=&source=hp&q=site:statscrop.com+Top+Ray-Ban%C2%AE+And+Oakley%C2%AE+Sunglasses+Online+Store-Up+To+80%25+Off+!&oq=site:statscrop.com+Top+Ray-Ban%C2%AE+And+Oakley%C2%AE+Sunglasses+Online+Store-Up+To+80%25+Off+!&gs_l=hp.3...740.4231.0.5355.23.22.1.0.0.0.169.1915.15j7.22.0...0.0.0..1c.1.17.hp.vPdrev-VGD4&bav=on.2,or.&bvm=bv.48572450,d.dmg&fp=f53ef48681d7c10d&biw=1214&bih=920
[13] http://urlquery.net/report.php?id=3403164
[14] <meta·name="generator"·content="shopping·cart·program·by·Zen·Cart&trade;,·http://www.zen-cart.com·eCommerce"


Examples of Mass Redirection Using .tk Websites

The actors create multiple redirectors hosted on the same IP address over time. The IP address 176.9.241.1 is associated with 39 .tk redirectors between 05/01/2013 and 06/23/2013 [17]. Some examples are listed here:

• hxxp://yatl-chaffer.tk/ → here-store.com [18]
• hxxp://vrymall-oks.tk → here-store.com
• hxxp://bueall-loves.tk → here-store.com
• hxxp://supermall-malls.tk → here-yes.com
• hxxp://chain-shoping.tk → here-ok.com
• hxxp://service-promote.tk → here-best.com
• hxxp://four-transactions.tk → here-new.com [19]

The majority of the .tk sites observed and discovered [20] were hosted on the IP addresses 93.170.52.21, 176.9.241.1 and 93.170.52.31.

Patterns

The counterfeit merchandise websites rotate domain, hosting, registrar and geo-location; however, distinct patterns exist across all the websites being distributed, centered primarily on the actual content. Commonalities exist in the Title and Keywords inside the HTML code which afford a possible detection. This would seem to confirm the deficiencies of detecting bad actors based on registrar, host, IP address or domain name, and the need for a tiered anomaly and known-bad detection mechanism by social networking providers, particularly Facebook.

For example, Googling “Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off!” returns 135,000 results at this time. Not all of these are counterfeit merchandise sites; however, it reveals a problem so prolific that individual legal agency seizure of domains may be ineffective. The actors will copy their code to another domain, stand up hosting and set up .tk redirectors.

[15] <title>Top·Ray-Ban&reg·And·Oakley&reg·Sunglasses·Online·Store-Up·To·80%·Off·!</title>
[16] http://urlquery.net/report.php?id=3280040
[17] http://urlquery.net/search.php?q=176.9.241.1&type=string&start=2013-05-01&end=2013-06-29&max=50
[18] http://urlquery.net/report.php?id=3242754
[19] http://urlquery.net/report.php?id=2324346
[20] http://urlquery.net/search.php?q=%28mall%7Cshoes%7Cshop%7Clove%7Ctransac%7Coakley%7Crayban%7C%5C-like%7Clike%5C-%29.*%5C.tk&type=regexp&start=2013-05-01&end=2013-06-30&max=400

The speed at which this process can occur without detection is fast enough to cause harm to the economy on what is likely a very large scale. When these techniques are tied with social networking sites like Facebook, and those networks are not equipped to detect and prevent such distribution, the reach vs. cost of this operation makes it very attractive to the criminal element.
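The title and keyword commonalities described in this section can be turned into a content fingerprint check. The following is an added example, not code from the report: it uses only the Python standard library, takes the title, keywords and Zen Cart generator strings the report quotes as its known-bad fingerprint, and runs over two constructed HTML documents (a clone modelled on the here-new.com title variant and an unrelated storefront).

```python
"""Fingerprint counterfeit-storefront clones by their HTML <title>, keywords
and generator tag. Added example (not from the report): the fingerprint
strings are the ones the report quotes; the sample documents are constructed.
"""
import html
import re
from html.parser import HTMLParser

# Markers the report observed on nice-sunglasses.com and its 37 clones.
KNOWN_TITLE = "Top Ray-Ban\u00ae And Oakley\u00ae Sunglasses Online Store-Up To 80% Off !"
KNOWN_KEYWORDS = "Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale"
KNOWN_GENERATOR = "zen cart"


class HeadExtractor(HTMLParser):
    """Collect <title> text and <meta name="keywords|generator"> content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.title = ""
        self.meta = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def normalize(text):
    """Lower-case alphanumeric tokens. '&reg' written without a semicolon, as
    on the observed sites, is decoded first and the registered mark dropped."""
    text = html.unescape(text).replace("\u00ae", " ")
    return set(re.findall(r"[a-z0-9]+", text.casefold()))


def similarity(a, b):
    """Jaccard similarity of two strings' token sets, 0.0 .. 1.0."""
    ta, tb = normalize(a), normalize(b)
    return len(ta & tb) / len(ta | tb) if ta and tb else 0.0


def fingerprint(html_doc):
    """Score a fetched page against the known clone fingerprint."""
    p = HeadExtractor()
    p.feed(html_doc)
    title_sim = similarity(p.title, KNOWN_TITLE)
    kw_sim = similarity(p.meta.get("keywords", ""), KNOWN_KEYWORDS)
    generator_hit = KNOWN_GENERATOR in p.meta.get("generator", "").casefold()
    # The title is the strongest signal (identical across the clones), the
    # keywords next; Zen Cart alone is weak because legitimate shops use it.
    score = (3 if title_sim >= 0.8 else 0) + (2 if kw_sim >= 0.8 else 0) \
        + (1 if generator_hit else 0)
    verdict = "clone" if score >= 3 else "review" if score >= 2 else "clear"
    return {"title": p.title.strip(), "title_sim": round(title_sim, 2),
            "keywords_sim": round(kw_sim, 2), "generator_hit": generator_hit,
            "score": score, "verdict": verdict}


# Constructed samples: a clone carrying the here-new.com variant of the title
# (no leading "Top"), and an unrelated storefront.
CLONE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="shopping cart program by Zen Cart&trade;, http://www.zen-cart.com eCommerce">
<meta name="keywords" content="Cheap Oakley Sunglasses , Cheap Ray-Ban Sunglasses On Sale">
<title>Ray-Ban&reg And Oakley&reg Sunglasses Online Store-Up To 80% Off !</title>
</head><body></body></html>"""
BENIGN_HTML = """<html><head><meta name="keywords" content="sunglasses, eyewear, sport">
<title>Oakley Sunglasses | Official Oakley Store</title></head><body></body></html>"""

if __name__ == "__main__":
    for doc in (CLONE_HTML, BENIGN_HTML):
        print(fingerprint(doc))
```

Token-set similarity rather than exact string matching is what lets the here-new.com variant (which drops the leading "Top") still match the fingerprint.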

Scope of Fraud

The scope of the fraud involved here is not limited to counterfeit merchandise. Throughout the investigation and information gathering activity on Facebook, our group discovered examples of:

• Payday Loans (see Appendix E)
• Facebook sites with redirectors [21], [22]
• Suspected Money Mule Recruitment (see Appendix E)
• Counterfeit NFL Jerseys (see Appendix E)
• The installation of remote control capabilities, i.e. a zombie computer or ‘bot’

Paid Advertisements on Facebook to Counterfeit Merchandise

In Appendix E, a sample of evidence of paid advertisements for counterfeit merchandise is presented. These ads are tied to what users “Like” on Facebook. The same methodology that Facebook uses to target ads to users is being leveraged to present counterfeit merchandise to the users most likely to buy it.

While a network forensic professional can review and identify suspicious behavior in these sites, the average user cannot. The onus must be on the service provider to minimize criminal operations on their sites. This appears to be a new “type” of malvertisement, not necessarily deploying exploit kits, but deploying financial fraud and risk of identity theft.

The advertisement pattern does differ from the current .tk post pattern, tending to use 51.la as its CDN; however, the sites observed in this review used the same dubious billing processors. The site “louisvuittonoutletcheaps.net” has an unencrypted registration mechanism [see Appendix E], and only after you register and place an order is it revealed that the payment processor is billingcheckout.com.

[21] hxxps://www.facebook.com/Isellshoe/app_208195102528120
[22] hxxp://www.ucool.co/?pagejd


The difference in patterns between the Facebook fake profile “posts” and the counterfeit ads leads to a question of MO, or modus operandi, a concept familiar to law enforcement. Predictable patterns must be leveraged against the bad actors, which does not appear to be happening at this time.

The Need for a Detection Mechanism

There is a clear use case here which appears to have a void at this time.

This document demonstrates clear patterns of activity by actors that are detectable using forensic techniques investigating nothing more than the public information available on Facebook. Our group has a clear take-away from this investigation: a detection mechanism is not only possible but would protect the public in general and enhance the reputation of social media sites like Facebook. Additionally, the economy as a whole would benefit from lowering losses due to such fraud. The detection mechanism incorporates an aspect of applied artificial intelligence called a ‘Best-First Search’ to detect anomalies in the system, and then a Proactive Automated Defense Unit (PAD Unit) will be utilized to complete the solution.

Our group believes that the patterns observed here can be expanded upon considerably by performing data analytics using the full data collected by those sites. This data should be used to extrapolate predictive behavioral models which can be used in a mature process to prevent this activity programmatically and take down bad actors. The clear onus is on the social media site to protect its users from exposure, not just to inappropriate or offensive material, but from material that can steal their identity or money.

The activity in question must be detected through a system that checks the user making the post, the post text itself and the URLs being posted, and then takes action programmatically based on acceptable or unacceptable behavior models.

“The clear onus is on the social media site to protect its users …from material that can steal their identity or money.”


For example, canonical checks, content grabbing, IP reputation and a host of other checks can be performed against the URLs being posted in a staggered approach to allow for high speed, high volume vetting in a programmatic fashion. Scoring mechanisms can be designed to allow for tiered processing of links in real time, thereby allowing Facebook to pull posts that are suspect based on defined parameters.

The accounts themselves can be vetted along multiple key points to limit the distribution of these events.

Account Creation Process

The account creation process should contain vetting mechanisms whereby the account is checked for established patterns in a methodical way. The process itself should adhere to the Continuous Improvement Lifecycle and would require human as well as machine intelligence. Initial accounts can be tagged for validity and passed on to a processor to monitor for suspicious patterns. As part of the quality control process, any accounts tagged as suspicious should be subject to an automated challenge-response capability, ending in termination of the account.

The Posting Patterns

The posts themselves must run through a series of checks in a tiered manner that will allow for scoring and action. Predictive analytics and human-generated patterns must be input into a vetting engine, from which posts can then be passed on to deeper inspections. The process itself must contain automatic challenge responses and post removal processes to protect the public from fraud, maliciousness and identity theft without the need for user interaction.
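A sketch of the tiered vetting the account and posting sections describe (cheap account checks first, then static URL checks, then following the redirect chain the way the Appendix A trace does), as an added example rather than the report's PAD Unit. The weights, thresholds, the Account record and the canned HTTP response heads are constructed for the demo; the indicators (.tk redirectors, the 301 hop to the storefront, mass-joining profiles with empty timelines) are the ones the report documents.

```python
"""Tiered vetting of a group post: account signals, static URL checks, then the
redirect chain, each tier adding to a score that maps to an action.
Added example, not the report's PAD Unit: weights, thresholds, the Account
record and the canned HTTP responses are constructed for the demo.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECTOR_TLDS = {"tk"}               # free TLD the report's redirectors use
KNOWN_STOREFRONTS = {"2bestmall.com"}  # landing host from the Appendix A trace
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Account:
    groups_joined: int
    timeline_posts: int
    page_likes: int


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def score_account(acct):
    """Tier 1: cheap profile heuristics from the report's fake-profile pattern."""
    hits = []
    if acct.groups_joined >= 100 and acct.timeline_posts == 0:
        hits.append((3, "mass group membership with an empty timeline"))
    if acct.page_likes <= 5 and acct.timeline_posts == 0:
        hits.append((1, "near-empty profile"))
    return hits


def score_urls(urls):
    """Tier 2: static checks on the posted links, no network needed."""
    hits = []
    for url in urls:
        host = host_of(url)
        if host.rsplit(".", 1)[-1] in REDIRECTOR_TLDS:
            hits.append((2, f"{host}: TLD used for throwaway redirectors"))
    return hits


def parse_response_head(raw):
    """Status code and Location header from a raw HTTP response head."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def follow_chain(url, fetch, max_hops=5):
    """Tier 3: walk redirects; fetch(url) returns the raw response head."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = parse_response_head(fetch(chain[-1]))
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(location)
    return chain


def score_chain(chain, max_hops=5):
    hits = []
    landing = host_of(chain[-1])
    if landing in KNOWN_STOREFRONTS:
        hits.append((4, f"lands on known counterfeit storefront {landing}"))
    if len(chain) > 1 and host_of(chain[0]) != landing:
        hits.append((1, f"{host_of(chain[0])} hands off to {landing}"))
    if len(chain) > max_hops:
        hits.append((1, "redirect chain exceeds hop limit"))
    return hits


def vet_post(author, urls, fetch):
    """Run the tiers in order and map the total to an action."""
    hits = score_account(author) + score_urls(urls)
    for url in urls:
        hits += score_chain(follow_chain(url, fetch))
    score = sum(points for points, _ in hits)
    action = ("remove post, challenge account" if score >= 6
              else "hold for review" if score >= 3 else "allow")
    return {"score": score, "action": action, "reasons": [r for _, r in hits]}


# Canned response heads standing in for live fetches (constructed, modelled
# on the Appendix A transcript). Unknown URLs answer 200 with no redirect.
CANNED = {
    "http://discount-oppud.tk/": ("HTTP/1.1 301 Moved Permanently\r\n"
                                  "Server: Apache/2.2.24 (Unix)\r\n"
                                  "Location: http://2bestmall.com\r\n\r\n"),
}


def canned_fetch(url):
    return CANNED.get(url, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n")


FAKE_PROFILE = Account(groups_joined=194, timeline_posts=0, page_likes=3)
ORDINARY_USER = Account(groups_joined=12, timeline_posts=57, page_likes=40)

if __name__ == "__main__":
    print(vet_post(FAKE_PROFILE, ["http://discount-oppud.tk/"], canned_fetch))
    print(vet_post(ORDINARY_USER, ["https://www.example.com/thread"], canned_fetch))
```

In production the `fetch` callback would be a real HTTP client with a hop limit, and the tier 3 landing page would feed a content fingerprint check (title and keywords) as the next, more expensive tier.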

Threat Detection as a Continuous Process

This kind of exploitation is not static and requires a combination of human intelligence and analysis along with algorithmic detection of anomalous patterns. As shown in the diagram below, this process can best be represented by a sine wave, which allows for variable frequency and amplitude. The frequency and amplitude represent the speed of the threat lifecycle and the attack surface, or exposure, respectively.


Conclusion

When mass distribution of counterfeit merchandise is coupled with mass distribution of difficult-to-detect redirecting links through the premier social networking site, Facebook.com, there is a clear mechanism to engage in criminal enterprise. It would appear that criminals have the opportunity, means and motive, and Facebook currently lacks a capable preventive and response mechanism. Unless a proper threat response to the lifecycle exists, this activity will be proliferated across as many social networking sites as possible.

Our solution, a PAD Unit, is both within the scope of solving this issue and also addresses the need for a software program capable of protecting both the users of social media like Facebook© and the private industries being taken advantage of. This solution is in the interest of all parties involved except the criminal element.

Appendix A: Evidence Of .TK Redirection

Parameters:

URL = http://discount-oppud.tk/
UAG = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
REF = http://www.facebook.com
AEN =
REQ = GET ; VER = 1.1 ; FMT = AUTO

Sending request:

GET / HTTP/1.1
Host: discount-oppud.tk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://www.facebook.com
Connection: close

• Finding host IP address...
• Host IP address = 128.204.201.9
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:

HTTP/1.1·301·Moved·Permanently(CR)(LF)
Date:·Thu,·27·Jun·2013·22:34:16·GMT(CR)(LF)
Server:·Apache/2.2.24·(Unix)·mod_ssl/2.2.24·OpenSSL/1.0.0-fips·mod_auth_passthrough/2.1·mod_bwlimited/1.4·FrontPage/5.0.2.2635·mod_perl/2.0.6·Perl/v5.10.1(CR)(LF)
Location:·http://2bestmall.com(CR)(LF)          [Redirection to counterfeit merchandise website]
Content-Length:·228(CR)(LF)
Connection:·close(CR)(LF)
Content-Type:·text/html;·charset=iso-8859-1(CR)(LF)
(CR)(LF)

Sending request:

GET / HTTP/1.1
Host: 2bestmall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Referer: http://www.facebook.com
Connection: close

• Finding host IP address...
• Host IP address = 185.3.133.182
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...

Receiving Header:

HTTP/1.1·200·OK(CR)(LF)
Server:·nginx/1.2.4(CR)(LF)
Date:·Thu,·27·Jun·2013·22:18:47·GMT(CR)(LF)
Content-Type:·text/html;·charset=iso-8859-1(CR)(LF)
Transfer-Encoding:·chunked(CR)(LF)
Connection:·close(CR)(LF)
Vary:·Accept-Encoding(CR)(LF)
X-Powered-By:·PHP/5.2.17(CR)(LF)
Set-Cookie:·zenid=6d71bea6330b900388ca93b3af9c72f0;·path=/;·domain=.2bestmall.com;·HttpOnly(CR)(LF)
Expires:·Thu,·19·Nov·1981·08:52:00·GMT(CR)(LF)
Cache-Control:·no-store,·no-cache,·must-revalidate,·post-check=0,·pre-check=0(CR)(LF)
Pragma:·no-cache(CR)(LF)
(CR)(LF)

Content (Length = 46893):

b720(CR)(LF)
(LF)
<!DOCTYPE·html·PUBLIC·"-//W3C//DTD·XHTML·1.0·Transitional//EN"·"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">(LF)
(LF)
<html·xmlns="http://www.w3.org/1999/xhtml"·dir="ltr"·lang="en">(LF)
(LF)
<head>(LF)
(LF)
<title>Top·Ray-Ban&reg·And·Oakley&reg·Sunglasses·Online·Store-Up·To·80%·Off·!</title>(LF)          [Counterfeit Sunglass Sales Website]

-----------------------------END TRAFFIC PATTERN ----------------------------------


Appendix B: Evidence of POST Method in Unencrypted HTTP

HTTP/1.1
Host: 2bestmall.com
Connection: keep-alive
Content-Length: 169
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://2bestmall.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://2bestmall.com/index.php?main_page=checkout_shipping_address
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: zenid=e482158d1a4fc0bb3e2b8218f4cd83b6; CNZZDATA5264794=cnzz_eid%3D1499499975-1372379098-http%253A%252F%252F2bestmall.com%26ntime%3D1372379098%26cnzz_a%3D10%26retime%3D1372380023470%26sin%3Dnone%26ltime%3D1372380023470%26rtime%3D0; RpCookie=6k8hup5ph6pl60eqvn3v3agjs4
DNT: 1

gender=m&firstname=Bob&lastname=Jones&street_address=15+Main+Street&suburb=&city=Beverly+Hills&zone_id=12&postcode=90210&zone_country_id=223&action=submit&x=39&y=7


Appendix C: Matrix of Some Counterfeit Merchandise Websites

| Site | Daily Bandwidth | Age | Title | Name Server - Primary | IP Address | Keywords | Date | Reference |
|---|---|---|---|---|---|---|---|---|
| here-store.com | 24.23 MB (726.87 MB/month) | 4 months | Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale | ns1.cloudang.com (50.115.129.33) | 172.245.213.118 | home base cash advance debt consolidation here-store.com | 2/19/2013 | http://www.statscrop.com/www/here-store.com |
| here-best.com | Taken Down by Greer Burns & Crain | 4 months | Taken Down | Taken Down | Taken Down | Taken Down | Taken Down | Taken Down |
| come-sale.com | 42.84 MB (1.25 GB/month) | 4 months | Top Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off ! Free Shipping On Orders Over 5 Items. | mns01.domaincontrol.com (216.69.185.34) | 204.74.216.23 | Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale | 2/21/2013 | http://www.statscrop.com/www/come-sale.com |
| here-emall.com | Unknown | 4 months | Cheap Bikinis, Cheap Brand Product | mns01.domaincontrol.com (216.69.185.34) | 204.74.215.59 | Cheap Bikinis, Cheap Brand Product | 2/19/2013 | http://www.statscrop.com/www/here-emall.com |
| here-new.com | 1.30 GB (39.10 GB/month) | 4 months | Ray-Ban® And Oakley® Sunglasses Online Store-Up To 80% Off ! | ns1.oraco.net | 192.227.139.187 | Cheap Oakley Sunglasses, Cheap Ray-Ban Sunglasses On Sale | 2/19/2013 | http://www.statscrop.com/www/here-new.com |
| here-yes.com | Taken Down by Greer Burns & Crain | Taken Down | Taken Down | Taken Down | Taken Down | Taken Down | Taken Down | Taken Down |


Appendix D: Multiple Types of Suspicious Activity

Payday loans

Counterfeit NFL Merchandise

Suspected Money Mule Recruitment

Suspect “Loan” Providers

Suspected Money Mule Recruitment with Unencrypted Data Transport

This tiny.cc URL redirects you to wobmr1r66.blogspot.tw, which requests your personal information.


Appendix E: Paid Advertisements for Counterfeit Merchandise

The advertisements listed on the right hand side of this screenshot are for counterfeit merchandise hosted in China.


While not pictured here, this site uses billingcheckout.com


When creating an account, the data is transmitted unencrypted:

POST /create_account.html HTTP/1.1
Host: www.louisvuittonoutletcheaps.net
Connection: keep-alive
Content-Length: 386
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://www.louisvuittonoutletcheaps.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.louisvuittonoutletcheaps.net/create_account.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: zenid=76307818ab1ac31f6e65fe6b1b0005be; AJSTAT_ok_pages=2; AJSTAT_ok_times=1

securityToken=9dc4a61d1389c0332b58a2ce8ec0a767&action=process&email_pref_html=email_format&firstname=Magilla&lastname=Gorilla&street_address=1+Main+Street&should_be_empty=&city=Beverly+Hills&zone_id=12&state=CA&postcode=90210&zone_country_id=223&telephone=874-478-9874&email_address=ilovetoscam%40gmail.com&password=password1&confirmation=password1&email_format=TEXT&x=45&y=19


Registrant Contact Details:

PrivacyProtect.org

Domain Admin ([email protected])

ID#10760, PO Box 16

Note - Visit PrivacyProtect.org to contact the domain owner/operator

Nobby Beach

Queensland,QLD 4218

AU

Tel. +45.36946676

Once an account has been created, an order can be placed; payment is processed by billingcheckout.com.


As evidenced by the transaction shown on the preceding page and the WHOIS record below, this website relies on Chinese third-party infrastructure (51.LA, the Chinese web-statistics service whose AJSTAT_* cookies appear in the captured request above) and on the disreputable payment processor billingcheckout.com.

The ownership information for 51.LA traces back to China:

Domain ID:CNIC-DO473296

Domain Name:51.LA

Created On:2005-01-17T01:00:00.0Z

Last Updated On:2012-03-14T16:59:32.0Z

Expiration Date:2017-01-17T23:59:59.0Z

Status:TRANSFER PROHIBITED

Status:RENEW PERIOD

Registrant ID:P-23189298

Registrant Name:Yang Fucheng

Registrant Street1:5-32, 55 Jingsan Road

Registrant City:Zhengzhou

Registrant Postal Code:450008

Registrant Country:CN

Registrant Phone:+86.37168712665

Registrant Email:[email protected]

Admin ID:P-23189298

Admin Name:Yang Fucheng

Admin Street1:5-32, 55 Jingsan Road

Admin City:Zhengzhou


Admin Postal Code:450008

Admin Country:CN

JerseysCheapWholeSaler.us

The information below is taken from a single advertisement for jerseyscheapwholesaler.us. This website is a Chinese counterfeit merchandise operation selling NFL jerseys. urlQuery report: http://urlquery.net/report.php?id=3405561


Domain Name: JERSEYSCHEAPWHOLESALER.US


Domain ID: D35251725-US

Sponsoring Registrar: ENOM, INC.

Sponsoring Registrar IANA ID: 48

Registrar URL (registration services): whois.enom.com

Domain Status: clientTransferProhibited

Registrant ID: DD78B8C58242F7FF

Registrant Name: shi manyang

Registrant Address1: taijiang qu

Registrant City: fuzhou

Registrant State/Province: fujian

Registrant Postal Code: 350004

Registrant Country: China

Registrant Country Code: CN

Registrant Phone Number: +86.13358216111

Registrant Email: [email protected]

Registrant Application Purpose: P1

Registrant Nexus Category: C12

Administrative Contact ID: 324AF205097DFF8C

Administrative Contact Name: shi manyang

Administrative Contact Address1: taijiang qu

Administrative Contact City: fuzhou

Administrative Contact State/Province: fujian

Administrative Contact Postal Code: 350004

Administrative Contact Country: China

Administrative Contact Country Code: CN

Administrative Contact Phone Number: +86.13358216111

Administrative Contact Email: [email protected]

Billing Contact ID: DD78B8C58242F7FF

Billing Contact Name: shi manyang

Billing Contact Address1: taijiang qu

Billing Contact City: fuzhou

Billing Contact State/Province: fujian

Billing Contact Postal Code: 350004

Billing Contact Country: China

Billing Contact Country Code: CN

Billing Contact Phone Number: +86.13358216111

Billing Contact Email: [email protected]

Billing Application Purpose: P1

Billing Nexus Category: C12

Technical Contact ID: B23D2804097DFF8C

Technical Contact Name: shi manyang

Technical Contact Address1: taijiang qu

Technical Contact City: fuzhou

Technical Contact State/Province: fujian

Technical Contact Postal Code: 350004

Technical Contact Country: China

Technical Contact Country Code: CN

Technical Contact Phone Number: +86.13358216111

Technical Contact Email: [email protected]

CustName: Anxin

Address: Chengdu

City: Chengdu

StateProv: SICHUAN

PostalCode: 55001

Country: CN

RegDate: 2012-06-30

Updated: 2012-06-30
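The WHOIS records for louisvuittonoutletcheaps.net, 51.LA and jerseyscheapwholesaler.us above are used in the paper for attribution by registrant country. The script below is an added example by the editor, not code from the white paper, showing how a practitioner turns such records into reusable pivots: it parses the key/value lines, records the registrant and country, collects contact phones and e-mails as indicators, and refuses to use anything from a privacy-protected record (where every contact belongs to the proxy service, not the operator). The records are transcribed from this page, trimmed to the lines used, and the e-mail addresses are kept in the redacted "[email protected]" form the source shows, so they are excluded as pivots. On this page's three records no indicator recurs, so no link is found; the linking logic is exercised in the usage below with constructed records.

```python
import re
from collections import defaultdict

# WHOIS records transcribed from this page (constructed sample input, trimmed
# to the lines used here). E-mail addresses appear as "[email protected]"
# because the source redacts them, so they cannot serve as pivots.
WHOIS_RECORDS = {
    "louisvuittonoutletcheaps.net": """\
Registrant Contact Details:
PrivacyProtect.org
Domain Admin ([email protected])
ID#10760, PO Box 16
Nobby Beach
Queensland,QLD 4218
AU
Tel. +45.36946676
""",
    "51.LA": """\
Domain Name:51.LA
Registrant Name:Yang Fucheng
Registrant City:Zhengzhou
Registrant Country:CN
Registrant Phone:+86.37168712665
Registrant Email:[email protected]
Admin Name:Yang Fucheng
Admin Country:CN
""",
    "jerseyscheapwholesaler.us": """\
Domain Name: JERSEYSCHEAPWHOLESALER.US
Sponsoring Registrar: ENOM, INC.
Registrant Name: shi manyang
Registrant City: fuzhou
Registrant Country Code: CN
Registrant Phone Number: +86.13358216111
Registrant Email: [email protected]
Administrative Contact Phone Number: +86.13358216111
Billing Contact Phone Number: +86.13358216111
Technical Contact Phone Number: +86.13358216111
""",
}

PRIVACY_SERVICES = ("privacyprotect.org",)   # extend with other proxy services
PHONE_RE = re.compile(r"\+\d{1,3}\.\d{5,}")  # registrar "+CC.number" phone form
REDACTED_EMAIL = "[email protected]"


def parse_fields(text):
    """Turn 'Key: value' lines into a lower-cased dict; free-text lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def profile(domain, text):
    """Summarise one record: registrant, countries and reusable indicators."""
    fields = parse_fields(text)
    privacy = any(svc in text.lower() for svc in PRIVACY_SERVICES)
    countries = {v for k, v in fields.items() if k.endswith(("country", "country code"))}
    emails = {v for k, v in fields.items() if k.endswith("email") and v != REDACTED_EMAIL}
    phones = set(PHONE_RE.findall(text))
    # Behind a privacy service every contact belongs to the proxy, not the
    # operator, so nothing in the record may be used to link domains.
    indicators = set() if privacy else emails | phones
    return {
        "domain": domain,
        "privacy_protected": privacy,
        "registrant": fields.get("registrant name"),
        "countries": countries,
        "indicators": indicators,
    }


def link_domains(profiles):
    """Index indicator -> domains; an indicator seen twice links two registrations."""
    index = defaultdict(set)
    for p in profiles:
        for ind in p["indicators"]:
            index[ind].add(p["domain"])
    return {ind: sorted(doms) for ind, doms in index.items() if len(doms) > 1}


PROFILES = [profile(d, t) for d, t in WHOIS_RECORDS.items()]

if __name__ == "__main__":
    for p in PROFILES:
        print(p)
    print("linked:", link_domains(PROFILES))
```

Feeding further records from the same campaign into WHOIS_RECORDS (the other storefronts advertised through the fake profiles) is where this pays off: a phone number or e-mail shared across registrations ties shops to one operator even when the domain names, registrars and hosting differ. Historical WHOIS snapshots matter too, since a record can be moved behind a privacy service after the fact.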


Steps Forward

A solution has been suggested in this write-up, namely the Proactive Automated Defense Unit. The PAD Unit is detailed here only to a degree; a complete description is withheld at this time to protect Malloy Labs' proprietary intellectual property. The complete PAD Unit relies on proprietary algorithms to actively search through anomalies using methods from artificial intelligence that are quantitatively shown to be superior to decision trees.

The use of AI in cyber defense is a burgeoning but young field. Mr. Malloy is confident in his ability to combine the two given his funding from the United States National Aeronautics and Space Administration (NASA) South Dakota Space Grant Consortium to design multi-sensory AI. Mr. Malloy has taken from this several aspects of AI that can be applied safely to cyber security, a field in which he has received awards from competing in the South Dakota Governor's Giant Vision competition and in the South Dakota Technology Business Center's accelerator program for start-ups.

This unique knowledge gives the authors a key advantage in producing a solution. Mr. Angiolelli is extremely gifted in big data analysis as well as reverse engineering of malware and offers key insight into how to produce an automated solution to problems such as the one Facebook now faces and has faced for over a year. Mr. Feinberg excels in human intelligence and social engineering, offering a much needed "EyeOn" the threats. Combined with Mr. Malloy's gifts, the team can readily implement both a short-term and a long-term solution to the problem, should companies need such a solution.

Mr. Malloy outlined a three-PAD-unit approach to governmental defense and attack needs in his write-up for NATO CyCon 2013. Only the defensive PAD Unit would be deployed to fix the problems social networks such as Facebook have, limiting the response unit to blocking rather than shutting down the associated servers, even though all servers associated with the problems outlined in this white paper are known for acting maliciously. The team is fully capable of mitigating loss and preventing fraud should companies need such action to be taken.

Ian Malloy – CEO Malloy Labs Llc. 605-251-4662

Eric Feinberg – CEO EyeOn Intellectual Property Protection 917-566-0661

Frank Angiolelli – Independent Security Researcher 914-589-4474