Thursday, September 17, 2009

FBI Director Mueller, and remember Special Agent Sang Jun

Director Mueller gave a briefing to Congress yesterday that you can read here.

Director Mueller briefs Congress


Mueller outlined the work and challenges of the FBI in the areas of:

CounterTerrorism,

Counter Intelligence,

Cyber Attacks (including the National Investigative Joint Task Force)

White Collar (including Public Corruption, Mortgage Fraud, Health Care Fraud, Corporate Fraud)

Violent Crime (including Criminal Gangs, Border Violence, and Crimes Against Children)

If you aren't familiar with the National Cyber Investigative Joint Task Force, there's a pretty decent article describing it from Internet Business Law Services. As they point out, the NCIJTF was in a line item in the DOJ 2009 budget that read like this, although we can't tell how much of it was for the NCIJTF alone:

15. Comprehensive National Cybersecurity Initiative
The FBI requests 211 positions (35 Agents and 113 Intelligence Analysts) and $38,648,000 in personnel and non-personnel funding in support of investigative, intelligence, and technical requirements of the Comprehensive National Cybersecurity Initiative. Included in this request are resources for counterintelligence/computer intrusions investigatory requirements, National Cyber Investigative Joint Task Force (NCIJTF) infrastructure requirements, cyber training, intelligence/information sharing and analysis resource requirements, equipment funding for the continued operations and maintenance costs of its Consolidated Collection CALEA Cell Site Server and Carrier Records Digital Interfacing efforts. FY 2009 Current Services for this program are 89 positions (33 agents), 89 FTE, and $36,000,000.

There's also an interesting chart from the White House showing How the NCIJTF links to other Federal Cyber Centers. Despite that chart, the NCIJTF is a real item and moving forward. The FY10 Intelligence Appropriations bill authorizes a greater involvement in the JTF from the Intelligence community, and I believe this year we will see even greater accomplishments, although it's possible we'll never learn about their best work, as is true of so many of the activities of the FBI and others as they defend our nation from attack.

Fallen Agents


At the end of Mueller's remarks, he shared the fact that since his last annual address to Congress, the FBI lost three agents, and he asked that they be remembered:

Special Agent Sam Hicks, "a decorated Baltimore police officer who was part of the Pittsburgh Joint Terrorism Task Force";

Special Agent Sang Jun, "a top-notch cyber agent who served in the El Paso Division";

Special Agent Paul Sorce, "a lifelong street agent who worked on the Detroit Violent Crimes Task Force"

---

I wanted to mention Sang Jun, because he actually re-arrested my very first cyber-criminal, Robert Lyttle, when he got out the first time and hacked NASA, which gave me a tiny connection to him.

-----------
Here's a picture of Sang Jun (right) with Sung-ki Lim, who also went "from geek to g-man":



Sang Jun was a cybercrimes agent who was interviewed by the San Francisco Chronicle in 2005, along with his co-worker Sung-ki Lim, about his new job working in cyberterrorism investigations. At the time, Jun said he took a 25% cut in pay to walk away from a great computer job to join the FBI.

In that interview, it describes his decision making process like this (which I've added and re-ordered slightly):

Jun took a somewhat different route. A high school teacher persuaded him to join the computer club, and he took an advanced Pascal class "and fell in love with it."

In 1994, he graduated from Jacksonville University in his native Florida with a degree in computer science. He worked for three years as a systems analyst with Blue Cross/Blue Shield, then for a year in a similar job at Merrill Lynch. He then joined consulting giant Capgemini, traveling to many Fortune 500 firms.

During that time, he applied to the FBI, but ultimately rejected a job because the salary couldn't compete. He jumped from Capgemini to Andersen Consulting and kept up his glamorous high-flying career.

Until Sept. 11. "That hit me," he said. "I did a lot of traveling on the airlines. I said, 'That could have been me. I want to do something. I want to contribute.' "

He called the FBI again and was hired in 2003.

Both men loved the training. Jun dropped 35 pounds just getting in shape for the training.

Now that they're full-fledged special agents, they can't talk much about their jobs. In Jun's time on the computer intrusions squad, he helped bring down the "Deceptive Duo," a case in which Robert Lyttle, 21, of Pleasant Hill pleaded guilty in March to hacking into computer systems at NASA Ames Research Center and other government sites.

Now Jun works on cyberterrorism, which is the FBI computer unit's top priority. Although cyberterrorism can be defined in many ways, the FBI is particularly concerned with terrorists who might use computer systems to compromise real world infrastructure, such as dams or the power grid.

Much of Jun's work in that arena is pro-active, meaning it involves securing those systems before an attack, rather than waiting until they've been hit.

Now, as a special agent assigned to combating cyberterrorism, Jun said, "You can't beat this. There, I was making a difference on a small scale. Here, I'm protecting the country. ... At the end of the day, all in all, I feel like I accomplished something."


Citizens like Sang Jun deserve our highest respect, and should challenge us to ask ourselves what we are doing to protect the country we love. When Jun thought about September 11th, he walked away from his ten years in a comfortable job at Accenture/Andersen to serve our country in a greater mission. How will you help your country?

Sang died in El Paso on October 22, 2008. His friends and family made a memorial page for him. His best friend, Mel, remembers teasing him about driving to Quantico in his convertible BMW. His sister remembers playing together at their home in Korea and the long plane ride to the US when they were children, and his other sister says because of his inspiration she finished college.

Zeitguised




I find the videos Zeitguised makes incredible; everything they create unfolds in a paranoid environment. The cuts applied to the objects are fabulous, exposing the interior of each one.
Below I leave two more works; more can be seen on their Vimeo profile or on their site.




Wednesday, September 16, 2009

A Growing Pile of Work

I find it interesting how Siggi Eggertsson presents all of his illustrations created from 2003 until now.

Monday, September 14, 2009

In Brief: The New York Times fake anti-virus redirect

Several people have emailed asking if the fake anti-virus products I mentioned in today's blog article, US Open and VMAs top rogue anti-virus efforts, were the same fake anti-virus that was reported as being launched from advertisements at the New York Times website over the weekend. The truth is, I didn't know! So I looked into it.

The New York Times fessed up that they were having problems in this note on September 13th:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.


A second NYT story today tells only SLIGHTLY more information:
http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw, see also: http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/


A new advertising network that fed ads to the NYT ran "normal" ads for about a week, then suddenly started advertising malware sites over the weekend. An ad that, at least part of the time, redirected to russell-brand.cn contained hostile JavaScript, which redirected to the actual fake AV site.

Some of the domains involved included:

protection-check07.com which resolved to IP address 88.198.107.25. That IP was also used by:



These actually were shared across several IPs, including:

78.46.251.43 - Berlin, Germany, "your-server.de"
88.198.107.25 - Sweden - "your-server.de"
88.198.120.177 - your-server.de
91.212.107.5 - Cyprus - Ricomm
91.212.127.200 - UK - Telos Solutions
94.102.51.26 - Netherlands - Ecatel

As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs:

http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html


http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com

US Open and Video Music Awards top rogue anti-virus efforts

Saturday night I got an email from Brian Tanner, the leader of our UAB Malware Analysis team. Brian plays a bit of tennis, and was doing a search for the "US Open Finals Schedule" in Google, when he noticed some strange links in the top ten results. He wrote me a note to tell me that for some reason "conklinsystems.com" and "mauiwedding.net" were both showing up as top sites on Google for his search, but when he tried to follow either link, it took him to a fake anti-virus product instead.

After a little digging Monday morning, and with some helpful pointers from some fellow researchers, it looks like we have a fairly complete story of what's going on here.

On one level, we start with the fact that several webservers have been hacked, and loaded up with extremely powerful Search Engine Optimization terms, what we call "Black SEO" in the community. In this case, the hackers have searched some news sites for their top headlines, and then repeated the search with those headlines as the search terms to pull other related headlines. Then they've created webpages which are loaded with all of those headlines. That's how they are getting into the top searches. By doing some searches with "inurl" and "site" tags on Google, we're able to pull a pretty complete list of the headlines which are being seeded by this Black SEO technique.

For example, here are four sites which are coming up regularly in the searches, with whatever string we are looking for showing up after the question mark in the URL:

conklinsystems.com/xmarks/index.php?(string)
mauiwedding.net/ssp_director/albums/?(string)
www.kerryjohnson.com/images/look/?(string)

Just as an example, I did the Google search:

inurl:look site:kerryjohnson.com US Open

and received 210 results, including:

Us Open Mens Final 2009
Us Open Final Schedule
Us Open 2009 Mens Final
Us Open Womens Final 2009
Us Open Final 2009
Roger Federer Us Open
Serena Williams Outburst Transcript
Us Open Final
You Tube Serena Wililams
Serena Williams Outburst What Did She Say
Serena Williams Outburst Video

Then I did the same search, without the "US Open" to learn what other headlines this Black SEO technique was trying to capture, and found these headlines:

Tory Shulman
Jay Z VMA
ESPN Boston
Roger Federer US Open
Megan Fox Thumb Pictures
Avaya Nortel
Chicago Bears 2009 schedule
Megan Fox VMA
Beyonce Twitter
VMA Outfits
New Moon Trailer 3 Leaked
Kay Perry Vma Dress
Lil Mama Vma
Kim Clijsters Baby
This is it
Music Awards Taylor Swift
Federer Between the Legs
Beyonce Vma 2009
Defying Gravity Cancelled
Jawbone 2 Review
The Ruins MTV
VMAs
Bears vs Packers
Lauren London Baby
Lauren London Baby Pictures
Pink Vmas

Students kindly informed me what VMAs are - apparently some people like watching music videos so much they have their own awards show, the Video Music Awards. Most of the top hits in the resulting headlines (more than 1,000 of them) from KerryJohnson.com were either for the VMAs or the US Open.

Some other sites, that we aren't going to dig into as deeply, include:


First, I'd like to acknowledge a pair of great blog articles from the Unmask Parasites Blog:
Unmasking the Antivirus 2009 .htaccess Exploit
and
Bogus Antivirus 2009 .htaccess Exploit.

The "guts of it" are that the Apache .htaccess includes:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://(BadSiteHere) [R,L]


What this means is that if I visit the webpage by accessing it directly, I see the webpage. But if I visit the page after having been referred by a search engine, I get sent to the hacker's page instead.
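A check a site owner can run against their own .htaccess files for this pattern, as an added example that is not from the original post: it groups each RewriteCond with the RewriteRule it guards and reports rules that send search-engine referrals to another host. The function names, the sample files and the badsite.example target are constructed for illustration.

```python
import re

# Referer substrings matched by the rules quoted above.
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")

# Constructed sample: same shape as the quoted rules, placeholder redirect target.
SAMPLE_INFECTED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://badsite.example/ [R,L]
"""

# Constructed sample: a legitimate canonical-host redirect and hotlink protection.
SAMPLE_CLEAN = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !example\\.org [NC]
RewriteRule \\.(jpg|png)$ - [F]
"""


def directives(text):
    """Yield (line number, directive name, arguments), skipping blanks and comments.

    Simplification: arguments are split on whitespace, so quoted arguments
    containing spaces are not handled.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield lineno, parts[0].lower(), parts[1:]


def find_referer_redirects(text, site_host=""):
    """Report RewriteRules that redirect search-engine referrals to another host."""
    findings = []
    pending = []  # RewriteCond lines apply to the next RewriteRule only
    for lineno, name, args in directives(text):
        if name == "rewritecond" and len(args) >= 2:
            pending.append((args[0].upper(), args[1].lower()))
        elif name == "rewriterule" and len(args) >= 2:
            conds, pending = pending, []
            # Positive (non-negated) referer tests that name a search engine.
            engines = sorted({
                engine
                for test, pattern in conds
                if test == "%{HTTP_REFERER}" and not pattern.startswith("!")
                for engine in SEARCH_ENGINES
                if engine in pattern
            })
            # An absolute URL on a different host is an external redirect,
            # with or without the [R] flag.
            target = re.match(r"https?://([^/:\s]+)", args[1], re.I)
            if not engines or not target:
                continue
            host = target.group(1).lower()
            if host == site_host.lower():
                continue  # redirect stays on the site itself
            findings.append({"line": lineno, "target_host": host, "engines": engines})
    return findings


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, find_referer_redirects(sample))
```

Because the redirect only fires for search-engine referrals, checking the page by typing its URL will not reveal it; reading the .htaccess itself will.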

Currently the main websites that websearchers are landing on are:

#1. best-virus-scanner5.com
#2. online-systemscan.net
#3. searchscan-online.com
#4. securityscantooldirect.com
#5. mysecuredsystem.net

#1. Best-virus-scanner5.com is hosted on the IP addresses 91.213.126.100 and 193.169.12.70.

Some of the live sites also hosted on 91.213.126.100 include:


Several of those domains, including best-virus-scanner5.com, are also hosted on the IP address 193.169.12.70, which also hosts the following domains:


#2. online-systemscan.net was hosted on 64.86.16.11, a Canadian-based address belonging to Velcom, a customer of TATA Communications (AS6453).

That IP is also hosting:

gosearchguard.net
and
itgosearch.net

#3. searchscan-online.com was hosted on 64.86.16.9, also Velcom.

That IP is also hosting:

search-win.com
fastscan-protection.com
safetysystem-protect.com
go-searchandsecure.net


#4. securityscantooldirect.com was hosted on 62.90.136.237, an Israeli-based address belonging to "Loads Internet Solutions", a customer of Netvision.net.il (AS1680). How bold can they be? "Loading" is the term criminals use for the merchandising and monetizing of botnets by using them to download other people's malware. "Loads" are the malware someone else pays you to put on your botnet.

That IP is also hosting:

securityscantoolguide.com
scantoolsite.com
safetyscantool.com
bestsecurityjobs.com
bestwebsitesecurity.com
yourcommunitysecurity.com

#5. mysecuredsystem.net was also a VELCOM IP address, 64.86.16.49.

That IP address was used to host:

searchsecureguard.com
mysecured-zone.com
ptotectmy-system.com
newscan-protect.com
windowsprotection-zone.net
fastsearchandsecure.net
mysecuredsystem.net
online-securescanner.net

Gee . . . at this point I'm tempted to scan this whole Class C (64.86.16.0/24) and see what other forms of badness reside there . . . Sadly, Velcom's phone number listed in their IP whois data has been disconnected or is not in service. We went ahead and called their upstream, who asked us to send them an email. Hello, TataCommunications! I hope you read this! Thank you for your help!

Here are some I found on IPs 64.86.16.1 through 64.86.16.50:


And here are some nameservers from the same range . . .


Saturday, September 12, 2009

IRS Version of Zeus Bot continues

Update - 16SEP09 - the Zeus Bot trojan, or Zbot, continues to be spread

The extremely heavy spam campaign described below continues. A list of 130 more domains being used to spread this malware is appended to the bottom of this article. Current detection rate of this malware at VirusTotal? ONE of forty-one Anti-virus products detect this malware. MD5 = 34cee60590817be6f8dd1115c6a1883f

Researchers at the University of Alabama at Birmingham continue to study the Zeus Bot trojan this week as a new spam campaign seeks to extend this already prolific bank robbery malware. This is the fourth major Zeus-spreading spam campaign that we've seen hit the UAB Spam Data Mine in the past few months.

On July 24th, we reported on the "1001 Postcards" spam campaign in our story From Russia, With Love...new Postcard spam spies on your PC.

On June 30th, we reported on the "Michael Jackson" spam campaign in our story Michael Jackson headline used in Password Stealing.

On June 24th, we reported on the "Microsoft Outlook Update" spam campaign in our story Malware in the Mail (Email that is!).

The current spam campaign has been proven by malware analysts on the UAB Computer Forensics research team to be in the same family as each of these additional versions. On September 9th and 10th, we received 1281 copies of the current Zeus spreading email, this time pretending to be an email from the Internal Revenue Service. On September 11th we received 764 more copies of the email, some of which point to websites which are still live on the morning of September 12th as I write this.



The email, which uses the subject line "Notice of Underreported Income" and purports to be sent from "Internal Revenue Service", claims that you need to visit a website to review an issue of "Unreported/Underreported Income" which seems to have been detected by the "Fraud Application" at the IRS.

The website you are sent to contains your email address, and claims that you need to download and execute a program to review the problem with your tax statement.



The image above was taken from one of the several sites which are still live as of this writing on the morning of September 12, 2009. Many websites have been created by the criminal, and many of them have already been shut down.
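The hostnames used in this campaign put www.irs.gov at the front of a domain the criminal registered, so the name reads as the IRS while resolving somewhere else. The following mail-filter check for that trick is an added example, not code from the original post; the message, the hostnames and the short suffix table are constructed, and real use would rely on the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Domains whose names should never appear as a prefix of someone else's domain.
TRUSTED_DOMAINS = ("irs.gov",)

# Assumption: tiny stand-in for the Public Suffix List, enough for the sample below.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.kr", "ne.kr", "or.kr"}

# Constructed message; the hostnames and paths are made up for this example.
SAMPLE_MESSAGE = """\
From: Internal Revenue Service
Subject: Notice of Underreported Income

Please review your tax statement:
http://www.irs.gov.a1b2c3.example/statement?email=user@example.org
Mirror: http://www.irs.gov.a1b2c3.co.uk/statement.
Official site: https://www.irs.gov/
"""


def registrable_domain(host):
    """Return the part of the hostname that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_brand(host, trusted=TRUSTED_DOMAINS):
    """Return (trusted domain, real registrable domain) when a trusted domain
    appears as whole labels inside a hostname that does not belong to it."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for brand in trusted:
        if host == brand or host.endswith("." + brand):
            continue  # genuinely under the trusted domain
        brand_labels = brand.split(".")
        # Compare whole labels so that "myirs.gov.example" is not a match.
        for i in range(len(labels) - len(brand_labels)):
            if labels[i:i + len(brand_labels)] == brand_labels:
                return brand, registrable_domain(host)
    return None


def scan_message(text):
    """List (hostname, impersonated domain, real domain) for each lookalike URL."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlsplit(url.rstrip(".,;)")).hostname
        if not host:
            continue
        match = embedded_brand(host)
        if match:
            hits.append((host, match[0], match[1]))
    return hits


if __name__ == "__main__":
    for host, brand, real in scan_message(SAMPLE_MESSAGE):
        print(f"{host}: looks like {brand}, registered as {real}")
```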

During the first 24 hours of the spam campaign, we saw these websites used in the spam email:


After all of these were successfully terminated, the spammer took almost 26 hours to regroup and relaunch, using these additional websites during the September 11th version of his spam campaign:


The malware itself has also been modified to be MUCH more difficult to detect. When we first scanned the copy of the Zeus bot on September 9th, it was already detected as Zeus by 21 of the 41 anti-virus products at VirusTotal, and the detection continued to rise through the day.

When we scanned the current malware during the evening of September 11th, we found that only 6 of the 41 anti-virus products at VirusTotal were able to detect the malware as being the Zeus bot. See this VirusTotal Report for the current malware with MD5: 04eb70edf674d7bf376994aec68785ee (file size = 96,256 bytes). Rescanning this morning - more than 12 hours after our initial submission - still only shows 6 of 41 products detecting the malware:

BitDefender and GData call it "Trojan.Spy.Zbot.BFK"
Kaspersky calls it: "Trojan-Spy.Win32.Zbot.gen"
McAfee+Artemis calls it: "Suspect-29"
NOD32 calls it: "a variant of Win32/Kryptik.AET"
Sunbelt calls it: "Trojan-Downloader.Tibs.gen"

That detection was so poor, we really wondered if it was corrupt or broken malware.

So, what do you do if you want to know if your malware is real? Fire it up!

I'm not in the lab today, but I have the Malware Analysis VM that UAB Malware Analyst Brian Tanner put together for my team, so I fired it up. I self-infected the VM by visiting the website above, confirming that my MD5 was the same as I did so. Within a couple seconds, I was making HTTP Post messages to:

nerinsk.com on the path /livs/gate.php

The traffic was flowing to 91.213.72.51, an IP address that was used by the "gorodu.com" domain name in the malware earlier this week. "gate.php" is a file name we've seen repeatedly associated with Zeus Malware.

I'm going to call this "Confirmed Badness", and say that despite the HORRIBLE AV detection on this one, we have a confirmed, live, Zeus Bot trojan / ZBot trojan that people need to worry about.

UPDATED September 28th . . . here are the domain names we've seen, and the number of spam samples we've received for each of these domains, and the dates on which those domains were used in spam.

2009-09-15 | 32 | www.irs.gov.hrtfe11l.mn
2009-09-15 | 28 | www.irs.gov.hrtfe11q.mn
2009-09-15 | 9 | www.irs.gov.hrtfe11s.eu
2009-09-15 | 22 | www.irs.gov.hrtfe11s.mn
2009-09-15 | 8 | www.irs.gov.hrtfe11u.eu
2009-09-15 | 10 | www.irs.gov.hrtfe11u.mn
2009-09-15 | 26 | www.irs.gov.hrtfe11y.mn
2009-09-15 | 3 | www.irs.gov.ikhrtyg1.com
2009-09-15 | 2 | www.irs.gov.ikhrtyg1.net
2009-09-15 | 7 | www.irs.gov.ikhrtygf.com
2009-09-15 | 8 | www.irs.gov.ikhrtygf.net
2009-09-15 | 8 | www.irs.gov.ikhrtyrf.com
2009-09-15 | 4 | www.irs.gov.ikhrtyrf.net
2009-09-15 | 4 | www.irs.gov.ikhrtysa.com
2009-09-15 | 6 | www.irs.gov.ikhrtysa.net
2009-09-15 | 7 | www.irs.gov.ikhrtyth.com
2009-09-15 | 10 | www.irs.gov.ikhrtyth.eu
2009-09-15 | 10 | www.irs.gov.ikhrtyth.net
2009-09-15 | 15 | www.irs.gov.mtkstrip.co.kr
2009-09-15 | 26 | www.irs.gov.mtkstrip.com
2009-09-15 | 24 | www.irs.gov.mtkstrip.kr
2009-09-15 | 9 | www.irs.gov.nyh11de.me
2009-09-15 | 10 | www.irs.gov.nyh11di.me
2009-09-15 | 7 | www.irs.gov.nyh11do.me
2009-09-15 | 9 | www.irs.gov.nyh11dq.me
2009-09-15 | 15 | www.irs.gov.nyh11dr.me
2009-09-15 | 7 | www.irs.gov.nyh11dt.me
2009-09-15 | 6 | www.irs.gov.nyh11du.me
2009-09-15 | 8 | www.irs.gov.nyh11dw.me
2009-09-15 | 6 | www.irs.gov.nyh11dx.me
2009-09-15 | 9 | www.irs.gov.nyh11dy.me
2009-09-15 | 22 | www.irs.gov.vstdrrr.com.cn
2009-09-15 | 15 | www.irs.gov.vstdrrr.mn
2009-09-15 | 20 | www.irs.gov.vstdrrr.us
2009-09-15 | 13 | www.irs.gov.yh11asd.eu
2009-09-15 | 13 | www.irs.gov.yh11asf.eu
2009-09-15 | 7 | www.irs.gov.yh11asg.eu
2009-09-15 | 3 | www.irs.gov.yh11ash.eu
2009-09-15 | 3 | www.irs.gov.yh11asq.eu
2009-09-15 | 10 | www.irs.gov.yh11asr.eu
2009-09-15 | 10 | www.irs.gov.yh11asu.eu
2009-09-15 | 3 | www.irs.gov.yh11asw.eu
2009-09-15 | 10 | www.irs.gov.yh11asy.eu
2009-09-15 | 5 | www.irs.gov.yhqw1sa1.eu
2009-09-15 | 8 | www.irs.gov.yhqw1saw.eu
2009-09-16 | 1 | www.irs.gov.dirvsdl.kr
2009-09-16 | 1 | www.irs.gov.dirvsdl.ne.kr
2009-09-16 | 1 | www.irs.gov.dirvsdl.or.kr
2009-09-16 | 1 | www.irs.gov.hrtfe11u.eu
2009-09-16 | 36 | www.irs.gov.hyuae1d.me
2009-09-16 | 43 | www.irs.gov.hyuae1e.me
2009-09-16 | 3 | www.irs.gov.hyuae1r.me
2009-09-16 | 42 | www.irs.gov.hyuae1u.me
2009-09-16 | 6 | www.irs.gov.hyuae1y.eu
2009-09-16 | 100 | www.irs.gov.jezz1f.eu
2009-09-16 | 24 | www.irs.gov.mdtsrv.bz
2009-09-16 | 6 | www.irs.gov.mdtsrv.com
2009-09-16 | 6 | www.irs.gov.mdtsrv.me
2009-09-16 | 14 | www.irs.gov.mdtsrv.mn
2009-09-16 | 15 | www.irs.gov.modesrv.bz
2009-09-16 | 62 | www.irs.gov.modesrv.com
2009-09-16 | 53 | www.irs.gov.modesrv.me
2009-09-16 | 11 | www.irs.gov.modesrv.mn
2009-09-16 | 1 | www.irs.gov.mtkstrip.co.kr
2009-09-16 | 3 | www.irs.gov.mtkstrip.com
2009-09-16 | 1 | www.irs.gov.mtkstrip.kr
2009-09-16 | 3 | www.irs.gov.nyh11de.me
2009-09-16 | 3 | www.irs.gov.nyh11di.me
2009-09-16 | 2 | www.irs.gov.nyh11do.me
2009-09-16 | 1 | www.irs.gov.nyh11dq.me
2009-09-16 | 4 | www.irs.gov.nyh11dr.me
2009-09-16 | 3 | www.irs.gov.nyh11dt.me
2009-09-16 | 1 | www.irs.gov.nyh11du.me
2009-09-16 | 4 | www.irs.gov.nyh11dw.me
2009-09-16 | 3 | www.irs.gov.nyh11dx.me
2009-09-16 | 3 | www.irs.gov.nyh11dy.me
2009-09-16 | 43 | www.irs.gov.rawq12qe.eu
2009-09-16 | 3 | www.irs.gov.rawq12qe.me
2009-09-16 | 43 | www.irs.gov.rawq12qi.me
2009-09-16 | 46 | www.irs.gov.rawq12qr.me
2009-09-16 | 42 | www.irs.gov.rawq12qt.me
2009-09-16 | 48 | www.irs.gov.rawq12qy.me
2009-09-16 | 14 | www.irs.gov.srvmode.bz
2009-09-16 | 13 | www.irs.gov.srvmode.com
2009-09-16 | 13 | www.irs.gov.srvmode.me
2009-09-16 | 20 | www.irs.gov.srvmode.mn
2009-09-16 | 6 | www.irs.gov.vsdsrv.bz
2009-09-16 | 7 | www.irs.gov.vsdsrv.com
2009-09-16 | 17 | www.irs.gov.vsdsrv.eu
2009-09-16 | 15 | www.irs.gov.vsdsrv.me
2009-09-16 | 17 | www.irs.gov.vsdsrv.mn
2009-09-16 | 13 | www.irs.gov.yh11asd.eu
2009-09-16 | 16 | www.irs.gov.yh11asf.eu
2009-09-16 | 13 | www.irs.gov.yh11asg.eu
2009-09-16 | 2 | www.irs.gov.yh11ash.eu
2009-09-16 | 21 | www.irs.gov.yh11asr.eu
2009-09-16 | 11 | www.irs.gov.yh11ast.eu
2009-09-16 | 15 | www.irs.gov.yh11asu.eu
2009-09-16 | 2 | www.irs.gov.yh11asw.eu
2009-09-16 | 4 | www.irs.gov.yh11asy.eu
2009-09-16 | 11 | www.irs.gov.yhferdh.eu
2009-09-16 | 19 | www.irs.gov.yhferdj.eu
2009-09-16 | 12 | www.irs.gov.yhferdk.eu
2009-09-16 | 15 | www.irs.gov.yhferdo.eu
2009-09-16 | 8 | www.irs.gov.yhferdp.eu
2009-09-16 | 5 | www.irs.gov.yhferdw.eu
2009-09-17 | 17 | www.irs.gov.akmas1.eu
2009-09-17 | 31 | www.irs.gov.hyu11db.eu
2009-09-17 | 24 | www.irs.gov.hyu11db.me
2009-09-17 | 33 | www.irs.gov.hyu11dc.me
2009-09-17 | 16 | www.irs.gov.hyu11de.eu
2009-09-17 | 35 | www.irs.gov.hyu11df.eu
2009-09-17 | 23 | www.irs.gov.hyu11df.me
2009-09-17 | 25 | www.irs.gov.hyu11dg.eu
2009-09-17 | 39 | www.irs.gov.hyu11dg.me
2009-09-17 | 41 | www.irs.gov.hyu11dn.eu
2009-09-17 | 24 | www.irs.gov.hyu11dn.me
2009-09-17 | 51 | www.irs.gov.hyu11dv.eu
2009-09-17 | 24 | www.irs.gov.hyu11dv.me
2009-09-17 | 24 | www.irs.gov.hyu11dx.eu
2009-09-17 | 28 | www.irs.gov.hyu11dx.me
2009-09-17 | 13 | www.irs.gov.ihmas1.eu
2009-09-17 | 16 | www.irs.gov.ikbas1.eu
2009-09-17 | 11 | www.irs.gov.ikmas1.eu
2009-09-17 | 9 | www.irs.gov.ikmls1.eu
2009-09-17 | 20 | www.irs.gov.ikmps1.eu
2009-09-17 | 16 | www.irs.gov.iktas1.eu
2009-09-17 | 17 | www.irs.gov.illas1.eu
2009-09-17 | 7 | www.irs.gov.iwmas1.eu
2009-09-17 | 57 | www.irs.gov.jezz1f.eu
2009-09-17 | 40 | www.irs.gov.lamsa1.com
2009-09-17 | 1 | www.irs.gov.uh1ahq.eu
2009-09-17 | 9 | www.irs.gov.uh1ahx.eu
2009-09-17 | 2 | www.irs.gov.uh1ahy.eu
2009-09-17 | 11 | www.irs.gov.uh1as1.eu
2009-09-17 | 10 | www.irs.gov.uh1asd.eu
2009-09-17 | 9 | www.irs.gov.uh1ase.eu
2009-09-17 | 12 | www.irs.gov.uh1ask.eu
2009-09-17 | 4 | www.irs.gov.uh1asm.eu
2009-09-17 | 4 | www.irs.gov.uh1aso.eu
2009-09-17 | 5 | www.irs.gov.uh1asp.eu
2009-09-17 | 7 | www.irs.gov.uh1asq.eu
2009-09-17 | 4 | www.irs.gov.uh1asr.eu
2009-09-17 | 13 | www.irs.gov.uh1ast.eu
2009-09-17 | 7 | www.irs.gov.uh1asu.eu
2009-09-17 | 8 | www.irs.gov.uh1asv.eu
2009-09-17 | 7 | www.irs.gov.uh1asx.eu
2009-09-17 | 6 | www.irs.gov.uh1asy.eu
2009-09-17 | 8 | www.irs.gov.uh1asz.eu
2009-09-17 | 21 | www.irs.gov.yh1wed.eu
2009-09-17 | 14 | www.irs.gov.yh1wee.eu
2009-09-17 | 19 | www.irs.gov.yh1wee.me
2009-09-17 | 21 | www.irs.gov.yh1wef.eu
2009-09-17 | 16 | www.irs.gov.yh1wej.eu
2009-09-17 | 18 | www.irs.gov.yh1wek.eu
2009-09-17 | 18 | www.irs.gov.yh1wel.eu
2009-09-17 | 25 | www.irs.gov.yh1weq.eu
2009-09-17 | 23 | www.irs.gov.yh1weq.me
2009-09-17 | 26 | www.irs.gov.yh1wes.eu
2009-09-17 | 18 | www.irs.gov.yh1wet.eu
2009-09-17 | 17 | www.irs.gov.yh1wet.me
2009-09-17 | 24 | www.irs.gov.yh1wew.eu
2009-09-17 | 25 | www.irs.gov.yh1wew.me
2009-09-17 | 9 | www.irs.gov.zkmas1.eu
2009-09-18 | 78 | www.irs.gov.kid1ax.eu
2009-09-18 | 66 | www.irs.gov.kid1bx.eu
2009-09-18 | 60 | www.irs.gov.kid1cx.eu
2009-09-18 | 39 | www.irs.gov.kid1ex.eu
2009-09-18 | 66 | www.irs.gov.kid1hx.eu
2009-09-18 | 58 | www.irs.gov.kid1ix.eu
2009-09-18 | 57 | www.irs.gov.kid1nx.eu
2009-09-18 | 13 | www.irs.gov.kid1ox.eu
2009-09-18 | 68 | www.irs.gov.kid1qx.eu
2009-09-18 | 64 | www.irs.gov.kid1sx.eu
2009-09-18 | 24 | www.irs.gov.kid1vx.eu
2009-09-18 | 63 | www.irs.gov.kid1xx.eu
2009-09-18 | 47 | www.irs.gov.kid1zx.eu
2009-09-18 | 77 | www.irs.gov.uh1ahq.eu
2009-09-18 | 46 | www.irs.gov.uh1ahx.eu
2009-09-18 | 31 | www.irs.gov.uh1ahy.eu
2009-09-18 | 30 | www.irs.gov.uh1as1.eu
2009-09-18 | 112 | www.irs.gov.uh1asd.eu
2009-09-18 | 94 | www.irs.gov.uh1ase.eu
2009-09-18 | 30 | www.irs.gov.uh1ask.eu
2009-09-18 | 27 | www.irs.gov.uh1asm.eu
2009-09-18 | 40 | www.irs.gov.uh1aso.eu
2009-09-18 | 111 | www.irs.gov.uh1asp.eu
2009-09-18 | 69 | www.irs.gov.uh1asq.eu
2009-09-18 | 119 | www.irs.gov.uh1asr.eu
2009-09-18 | 60 | www.irs.gov.uh1ast.eu
2009-09-18 | 76 | www.irs.gov.uh1asu.eu
2009-09-18 | 107 | www.irs.gov.uh1asv.eu
2009-09-18 | 26 | www.irs.gov.uh1asx.eu
2009-09-18 | 21 | www.irs.gov.uh1asy.eu
2009-09-18 | 68 | www.irs.gov.uh1asz.eu
2009-09-18 | 67 | www.irs.gov.yh1wed.eu
2009-09-18 | 67 | www.irs.gov.yh1wee.eu
2009-09-18 | 34 | www.irs.gov.yh1wee.me
2009-09-18 | 73 | www.irs.gov.yh1wef.eu
2009-09-18 | 38 | www.irs.gov.yh1wej.eu
2009-09-18 | 32 | www.irs.gov.yh1wek.eu
2009-09-18 | 33 | www.irs.gov.yh1wel.eu
2009-09-18 | 77 | www.irs.gov.yh1weq.eu
2009-09-18 | 22 | www.irs.gov.yh1weq.me
2009-09-18 | 105 | www.irs.gov.yh1wes.eu
2009-09-18 | 65 | www.irs.gov.yh1wet.eu
2009-09-18 | 23 | www.irs.gov.yh1wet.me
2009-09-18 | 69 | www.irs.gov.yh1wew.eu
2009-09-18 | 37 | www.irs.gov.yh1wew.me
2009-09-19 | 105 | www.irs.gov.kid1ax.eu
2009-09-19 | 97 | www.irs.gov.kid1bx.eu
2009-09-19 | 43 | www.irs.gov.kid1cx.eu
2009-09-19 | 27 | www.irs.gov.kid1ex.eu
2009-09-19 | 102 | www.irs.gov.kid1hx.eu
2009-09-19 | 22 | www.irs.gov.kid1ix.eu
2009-09-19 | 103 | www.irs.gov.kid1nx.eu
2009-09-19 | 15 | www.irs.gov.kid1ox.eu
2009-09-19 | 62 | www.irs.gov.kid1qx.eu
2009-09-19 | 59 | www.irs.gov.kid1sx.eu
2009-09-19 | 48 | www.irs.gov.kid1vx.eu
2009-09-19 | 61 | www.irs.gov.kid1xx.eu
2009-09-19 | 78 | www.irs.gov.kid1zx.eu
2009-09-19 | 43 | www.irs.gov.uh1asq.eu
2009-09-20 | 1 | www.irs.gov.her1da.eu
2009-09-20 | 3 | www.irs.gov.her1de.eu
2009-09-20 | 4 | www.irs.gov.her1df.eu
2009-09-20 | 1 | www.irs.gov.her1di.eu
2009-09-20 | 3 | www.irs.gov.her1dj.eu
2009-09-20 | 1 | www.irs.gov.her1dk.eu
2009-09-20 | 5 | www.irs.gov.her1do.eu
2009-09-20 | 4 | www.irs.gov.her1dp.eu
2009-09-20 | 3 | www.irs.gov.her1dq.eu
2009-09-20 | 1 | www.irs.gov.her1dr.eu
2009-09-20 | 2 | www.irs.gov.her1dt.eu
2009-09-20 | 1 | www.irs.gov.her1du.eu
2009-09-20 | 1 | www.irs.gov.her1dw.eu
2009-09-20 | 3 | www.irs.gov.her1dy.eu
2009-09-20 | 4 | www.irs.gov.her1dz.eu
2009-09-20 | 2 | www.irs.gov.jaha1ws.eu
2009-09-20 | 2 | www.irs.gov.jbha1ws.eu
2009-09-20 | 3 | www.irs.gov.jgha1ws.eu
2009-09-20 | 2 | www.irs.gov.jjha1ws.eu
2009-09-20 | 3 | www.irs.gov.jkha1ws.eu
2009-09-20 | 4 | www.irs.gov.jmha1ws.eu
2009-09-20 | 3 | www.irs.gov.jpha1ws.eu
2009-09-20 | 1 | www.irs.gov.jqha1ws.eu
2009-09-20 | 1 | www.irs.gov.jrha1ws.eu
2009-09-20 | 4 | www.irs.gov.jtha1ws.eu
2009-09-20 | 3 | www.irs.gov.juha1ws.eu
2009-09-20 | 3 | www.irs.gov.jvha1ws.eu
2009-09-20 | 3 | www.irs.gov.jwha1ws.eu
2009-09-20 | 1 | www.irs.gov.poi1qwa.eu
2009-09-20 | 3 | www.irs.gov.poi1qwb.eu
2009-09-20 | 1 | www.irs.gov.poi1qwd.eu
2009-09-20 | 6 | www.irs.gov.poi1qwf.eu
2009-09-20 | 4 | www.irs.gov.poi1qwg.eu
2009-09-20 | 1 | www.irs.gov.poi1qwm.eu
2009-09-20 | 1 | www.irs.gov.poi1qwq.eu
2009-09-20 | 3 | www.irs.gov.poi1qwr.eu
2009-09-20 | 3 | www.irs.gov.poi1qwt.eu
2009-09-20 | 5 | www.irs.gov.poi1qwv.eu
2009-09-20 | 3 | www.irs.gov.poi1qww.eu
2009-09-20 | 1 | www.irs.gov.poi1qwy.eu
2009-09-20 | 417 | www.irs.gov.uh1asq.eu
2009-09-21 | 4 | www.irs.gov.akuja1.eu
2009-09-21 | 10 | www.irs.gov.gkuja1.eu
2009-09-21 | 10 | www.irs.gov.her1da.eu
2009-09-21 | 12 | www.irs.gov.her1de.eu
2009-09-21 | 36 | www.irs.gov.her1di.eu
2009-09-21 | 2 | www.irs.gov.her1dj.eu
2009-09-21 | 1 | www.irs.gov.her1dk.eu
2009-09-21 | 21 | www.irs.gov.her1do.eu
2009-09-21 | 3 | www.irs.gov.her1dp.eu
2009-09-21 | 15 | www.irs.gov.her1dq.eu
2009-09-21 | 16 | www.irs.gov.her1dr.eu
2009-09-21 | 19 | www.irs.gov.her1dt.eu
2009-09-21 | 22 | www.irs.gov.her1du.eu
2009-09-21 | 18 | www.irs.gov.her1dw.eu
2009-09-21 | 13 | www.irs.gov.her1dy.eu
2009-09-21 | 4 | www.irs.gov.her1dz.eu
2009-09-21 | 15 | www.irs.gov.hkuja1.eu
2009-09-21 | 9 | www.irs.gov.hou1ma.eu
2009-09-21 | 17 | www.irs.gov.hou1me.eu
2009-09-21 | 4 | www.irs.gov.hou1mg.eu
2009-09-21 | 9 | www.irs.gov.hou1mi.eu
2009-09-21 | 2 | www.irs.gov.hou1mj.eu
2009-09-21 | 4 | www.irs.gov.hou1mk.eu
2009-09-21 | 1 | www.irs.gov.hou1ml.eu
2009-09-21 | 4 | www.irs.gov.hou1mo.eu
2009-09-21 | 3 | www.irs.gov.hou1mp.eu
2009-09-21 | 13 | www.irs.gov.hou1mq.eu
2009-09-21 | 11 | www.irs.gov.hou1mr.eu
2009-09-21 | 20 | www.irs.gov.hou1mt.eu
2009-09-21 | 4 | www.irs.gov.hou1mu.eu
2009-09-21 | 14 | www.irs.gov.hou1mw.eu
2009-09-21 | 3 | www.irs.gov.hou1my.eu
2009-09-21 | 4 | www.irs.gov.jaha1ws.eu
2009-09-21 | 40 | www.irs.gov.jdha1ws.eu
2009-09-21 | 22 | www.irs.gov.jgha1ws.eu
2009-09-21 | 23 | www.irs.gov.jjha1ws.eu
2009-09-21 | 17 | www.irs.gov.jkha1ws.eu
2009-09-21 | 10 | www.irs.gov.jkuja1.eu
2009-09-21 | 14 | www.irs.gov.jmha1ws.eu
2009-09-21 | 7 | www.irs.gov.jnha1ws.eu
2009-09-21 | 9 | www.irs.gov.jpha1ws.eu
2009-09-21 | 18 | www.irs.gov.jqha1ws.eu
2009-09-21 | 7 | www.irs.gov.jrha1ws.eu
2009-09-21 | 4 | www.irs.gov.jtha1ws.eu
2009-09-21 | 8 | www.irs.gov.juha1ws.eu
2009-09-21 | 6 | www.irs.gov.jvha1ws.eu
2009-09-21 | 19 | www.irs.gov.jwha1ws.eu
2009-09-21 | 14 | www.irs.gov.kkuja1.eu
2009-09-21 | 4 | www.irs.gov.lkuja1.eu
2009-09-21 | 17 | www.irs.gov.naj1za.eu
2009-09-21 | 5 | www.irs.gov.ncj1za.eu
2009-09-21 | 8 | www.irs.gov.nej1za.eu
2009-09-21 | 6 | www.irs.gov.nij1za.eu
2009-09-21 | 18 | www.irs.gov.nkuja1.eu
2009-09-21 | 13 | www.irs.gov.noj1za.eu
2009-09-21 | 13 | www.irs.gov.nuj1za.eu
2009-09-21 | 2 | www.irs.gov.nxj1za.eu
2009-09-21 | 2 | www.irs.gov.nye1za.eu
2009-09-21 | 10 | www.irs.gov.nyj1za.eu
2009-09-21 | 1 | www.irs.gov.nym1za.eu
2009-09-21 | 1 | www.irs.gov.nyo1za.eu
2009-09-21 | 2 | www.irs.gov.nyq1za.eu
2009-09-21 | 15 | www.irs.gov.pkuja1.eu
2009-09-21 | 32 | www.irs.gov.poi1qwa.eu
2009-09-21 | 13 | www.irs.gov.poi1qwb.eu
2009-09-21 | 25 | www.irs.gov.poi1qwd.eu
2009-09-21 | 10 | www.irs.gov.poi1qwf.eu
2009-09-21 | 20 | www.irs.gov.poi1qwg.eu
2009-09-21 | 22 | www.irs.gov.poi1qwm.eu
2009-09-21 | 16 | www.irs.gov.poi1qwn.eu
2009-09-21 | 1 | www.irs.gov.poi1qwq.eu
2009-09-21 | 1 | www.irs.gov.poi1qwr.eu
2009-09-21 | 12 | www.irs.gov.poi1qwt.eu
2009-09-21 | 13 | www.irs.gov.poi1qwv.eu
2009-09-21 | 1 | www.irs.gov.poi1qww.eu
2009-09-21 | 21 | www.irs.gov.poi1qwy.eu
2009-09-21 | 32 | www.irs.gov.poi1qwz.eu
2009-09-21 | 3 | www.irs.gov.qkuja1.eu
2009-09-21 | 10 | www.irs.gov.tkuja1.eu
2009-09-21 | 20 | www.irs.gov.ykuja1.eu
2009-09-21 | 1 | www.irs.gov.zkuja1.eu
2009-09-22 | 5 | www.irs.gov.akuja1.eu
2009-09-22 | 3 | www.irs.gov.gkuja1.eu
2009-09-22 | 1 | www.irs.gov.her1do.eu
2009-09-22 | 5 | www.irs.gov.herd1a.eu
2009-09-22 | 1 | www.irs.gov.here1a.eu
2009-09-22 | 4 | www.irs.gov.herf1a.eu
2009-09-22 | 4 | www.irs.gov.herq1a.eu
2009-09-22 | 3 | www.irs.gov.herr1a.eu
2009-09-22 | 6 | www.irs.gov.hert1a.eu
2009-09-22 | 2 | www.irs.gov.herw1a.eu
2009-09-22 | 1 | www.irs.gov.hery1a.eu
2009-09-22 | 5 | www.irs.gov.hkuja1.eu
2009-09-22 | 3 | www.irs.gov.hou1ma.eu
2009-09-22 | 7 | www.irs.gov.hou1me.eu
2009-09-22 | 8 | www.irs.gov.hou1mg.eu
2009-09-22 | 4 | www.irs.gov.hou1mi.eu
2009-09-22 | 7 | www.irs.gov.hou1mj.eu
2009-09-22 | 3 | www.irs.gov.hou1mk.eu
2009-09-22 | 5 | www.irs.gov.hou1ml.eu
2009-09-22 | 6 | www.irs.gov.hou1mo.eu
2009-09-22 | 7 | www.irs.gov.hou1mp.eu
2009-09-22 | 4 | www.irs.gov.hou1mr.eu
2009-09-22 | 4 | www.irs.gov.hou1mt.eu
2009-09-22 | 3 | www.irs.gov.hou1mu.eu
2009-09-22 | 8 | www.irs.gov.hou1mw.eu
2009-09-22 | 9 | www.irs.gov.hou1my.eu
2009-09-22 | 167 | www.irs.gov.ipdotfl.com
2009-09-22 | 4 | www.irs.gov.jkuja1.eu
2009-09-22 | 4 | www.irs.gov.kkuja1.eu
2009-09-22 | 19 | www.irs.gov.likka1.eu
2009-09-22 | 14 | www.irs.gov.likkb1.eu
2009-09-22 | 14 | www.irs.gov.likkc1.eu
2009-09-22 | 13 | www.irs.gov.likkd1.eu
2009-09-22 | 20 | www.irs.gov.likke1.eu
2009-09-22 | 19 | www.irs.gov.likkh1.eu
2009-09-22 | 15 | www.irs.gov.likkm1.eu
2009-09-22 | 9 | www.irs.gov.likkn1.eu
2009-09-22 | 11 | www.irs.gov.likko1.eu
2009-09-22 | 16 | www.irs.gov.likkt1.eu
2009-09-22 | 21 | www.irs.gov.likkv1.eu
2009-09-22 | 14 | www.irs.gov.likkx1.eu
2009-09-22 | 11 | www.irs.gov.likky1.eu
2009-09-22 | 15 | www.irs.gov.likkz1.eu
2009-09-22 | 15 | www.irs.gov.likzn1.eu
2009-09-22 | 4 | www.irs.gov.lkuja1.eu
2009-09-22 | 2 | www.irs.gov.naj1za.eu
2009-09-22 | 5 | www.irs.gov.ncj1za.eu
2009-09-22 | 3 | www.irs.gov.nej1za.eu
2009-09-22 | 5 | www.irs.gov.nij1za.eu
2009-09-22 | 7 | www.irs.gov.nkuja1.eu
2009-09-22 | 3 | www.irs.gov.noj1za.eu
2009-09-22 | 19 | www.irs.gov.nuhh1b.eu
2009-09-22 | 15 | www.irs.gov.nuhh1c.eu
2009-09-22 | 5 | www.irs.gov.nuhh1d.eu
2009-09-22 | 17 | www.irs.gov.nuhh1f.eu
2009-09-22 | 14 | www.irs.gov.nuhh1g.eu
2009-09-22 | 17 | www.irs.gov.nuhh1h.eu
2009-09-22 | 14 | www.irs.gov.nuhh1k.eu
2009-09-22 | 18 | www.irs.gov.nuhh1l.eu
2009-09-22 | 22 | www.irs.gov.nuhh1m.eu
2009-09-22 | 24 | www.irs.gov.nuhh1n.eu
2009-09-22 | 3 | www.irs.gov.nuhh1s.eu
2009-09-22 | 20 | www.irs.gov.nuhh1v.eu
2009-09-22 | 10 | www.irs.gov.nuhh1x.eu
2009-09-22 | 14 | www.irs.gov.nuhh1z.eu
2009-09-22 | 3 | www.irs.gov.nuj1za.eu
2009-09-22 | 4 | www.irs.gov.nxj1za.eu
2009-09-22 | 2 | www.irs.gov.nye1za.eu
2009-09-22 | 6 | www.irs.gov.nyj1za.eu
2009-09-22 | 3 | www.irs.gov.nyjnza.eu
2009-09-22 | 2 | www.irs.gov.nym1za.eu
2009-09-22 | 5 | www.irs.gov.nyo1za.eu
2009-09-22 | 6 | www.irs.gov.nyq1za.eu
2009-09-22 | 3 | www.irs.gov.nzj1za.eu
2009-09-22 | 6 | www.irs.gov.pkuja1.eu
2009-09-22 | 1 | www.irs.gov.poi1qwz.eu
2009-09-22 | 6 | www.irs.gov.qkuja1.eu
2009-09-22 | 128 | www.irs.gov.strmodefs.bz
2009-09-22 | 123 | www.irs.gov.strmodefs.com
2009-09-22 | 6 | www.irs.gov.tkuja1.eu
2009-09-22 | 19 | www.irs.gov.xyg1qe.eu
2009-09-22 | 9 | www.irs.gov.xyg1qq.eu
2009-09-22 | 8 | www.irs.gov.xyg1qr.eu
2009-09-22 | 4 | www.irs.gov.xyg1qt.eu
2009-09-22 | 18 | www.irs.gov.xyg1qu.eu
2009-09-22 | 15 | www.irs.gov.xyg1qw.eu
2009-09-22 | 22 | www.irs.gov.xyg1qy.eu
2009-09-22 | 5 | www.irs.gov.ykuja1.eu
2009-09-22 | 6 | www.irs.gov.zkuja1.eu
2009-09-23 | 5 | www.irs.gov.ea1asb.eu
2009-09-23 | 8 | www.irs.gov.ea1asc.eu
2009-09-23 | 4 | www.irs.gov.ea1asd.eu
2009-09-23 | 2 | www.irs.gov.ea1ase.eu
2009-09-23 | 6 | www.irs.gov.ea1asf.eu
2009-09-23 | 6 | www.irs.gov.ea1asg.eu
2009-09-23 | 1 | www.irs.gov.ea1ash.eu
2009-09-23 | 6 | www.irs.gov.ea1ask.eu
2009-09-23 | 3 | www.irs.gov.ea1asm.eu
2009-09-23 | 3 | www.irs.gov.ea1asn.eu
2009-09-23 | 4 | www.irs.gov.ea1aso.eu
2009-09-23 | 7 | www.irs.gov.ea1asu.eu
2009-09-23 | 1 | www.irs.gov.ea1asv.eu
2009-09-23 | 5 | www.irs.gov.ea1asx.eu
2009-09-23 | 4 | www.irs.gov.ea1asz.eu
2009-09-23 | 7 | www.irs.gov.herd1a.eu
2009-09-23 | 6 | www.irs.gov.here1a.eu
2009-09-23 | 9 | www.irs.gov.herf1a.eu
2009-09-23 | 11 | www.irs.gov.herq1a.eu
2009-09-23 | 9 | www.irs.gov.herr1a.eu
2009-09-23 | 10 | www.irs.gov.hert1a.eu
2009-09-23 | 6 | www.irs.gov.herw1a.eu
2009-09-23 | 9 | www.irs.gov.hery1a.eu
2009-09-23 | 5 | www.irs.gov.ipdotfl.com
2009-09-23 | 11 | www.irs.gov.likka1.eu
2009-09-23 | 11 | www.irs.gov.likkb1.eu
2009-09-23 | 9 | www.irs.gov.likkc1.eu
2009-09-23 | 9 | www.irs.gov.likkd1.eu
2009-09-23 | 7 | www.irs.gov.likke1.eu
2009-09-23 | 16 | www.irs.gov.likkh1.eu
2009-09-23 | 10 | www.irs.gov.likkm1.eu
2009-09-23 | 7 | www.irs.gov.likkn1.eu
2009-09-23 | 2 | www.irs.gov.likko1.eu
2009-09-23 | 8 | www.irs.gov.likkt1.eu
2009-09-23 | 8 | www.irs.gov.likkv1.eu
2009-09-23 | 3 | www.irs.gov.likkx1.eu
2009-09-23 | 3 | www.irs.gov.likky1.eu
2009-09-23 | 5 | www.irs.gov.likkz1.eu
2009-09-23 | 7 | www.irs.gov.likzn1.eu
2009-09-23 | 7 | www.irs.gov.nuhh1b.eu
2009-09-23 | 4 | www.irs.gov.nuhh1c.eu
2009-09-23 | 7 | www.irs.gov.nuhh1d.eu
2009-09-23 | 7 | www.irs.gov.nuhh1f.eu
2009-09-23 | 4 | www.irs.gov.nuhh1g.eu
2009-09-23 | 2 | www.irs.gov.nuhh1h.eu
2009-09-23 | 10 | www.irs.gov.nuhh1k.eu
2009-09-23 | 2 | www.irs.gov.nuhh1l.eu
2009-09-23 | 6 | www.irs.gov.nuhh1m.eu
2009-09-23 | 10 | www.irs.gov.nuhh1n.eu
2009-09-23 | 7 | www.irs.gov.nuhh1s.eu
2009-09-23 | 10 | www.irs.gov.nuhh1v.eu
2009-09-23 | 10 | www.irs.gov.nuhh1x.eu
2009-09-23 | 6 | www.irs.gov.nuhh1z.eu
2009-09-23 | 11 | www.irs.gov.xyg1qe.eu
2009-09-23 | 7 | www.irs.gov.xyg1qq.eu
2009-09-23 | 6 | www.irs.gov.xyg1qr.eu
2009-09-23 | 11 | www.irs.gov.xyg1qt.eu
2009-09-23 | 9 | www.irs.gov.xyg1qu.eu
2009-09-23 | 7 | www.irs.gov.xyg1qw.eu
2009-09-23 | 11 | www.irs.gov.xyg1qy.eu
2009-09-24 | 10 | www.irs.gov.awh7kio.eu
2009-09-24 | 6 | www.irs.gov.do11juy.eu
2009-09-24 | 2 | www.irs.gov.fo11juy.eu
2009-09-24 | 8 | www.irs.gov.ger11sa.com
2009-09-24 | 3 | www.irs.gov.ger11se.com
2009-09-24 | 2 | www.irs.gov.ger11si.com
2009-09-24 | 3 | www.irs.gov.ger11so.com
2009-09-24 | 4 | www.irs.gov.ger11sy.com
2009-09-24 | 7 | www.irs.gov.ger11za.com
2009-09-24 | 1 | www.irs.gov.ger11ze.com
2009-09-24 | 6 | www.irs.gov.ger11zi.com
2009-09-24 | 11 | www.irs.gov.ger11zo.com
2009-09-24 | 4 | www.irs.gov.ger11zy.com
2009-09-24 | 7 | www.irs.gov.go11juy.eu
2009-09-24 | 14 | www.irs.gov.hu1wev.eu
2009-09-24 | 7 | www.irs.gov.i11ate.eu
2009-09-24 | 3 | www.irs.gov.i11bte.eu
2009-09-24 | 4 | www.irs.gov.i11ete.eu
2009-09-24 | 1 | www.irs.gov.i11hte.eu
2009-09-24 | 7 | www.irs.gov.i11ite.eu
2009-09-24 | 8 | www.irs.gov.i11mte.eu
2009-09-24 | 4 | www.irs.gov.i11nte.eu
2009-09-24 | 4 | www.irs.gov.i11ote.eu
2009-09-24 | 4 | www.irs.gov.i11pte.eu
2009-09-24 | 7 | www.irs.gov.i11rte.eu
2009-09-24 | 7 | www.irs.gov.i11tte.eu
2009-09-24 | 7 | www.irs.gov.i11ute.eu
2009-09-24 | 7 | www.irs.gov.i11wte.eu
2009-09-24 | 3 | www.irs.gov.i11xte.eu
2009-09-24 | 6 | www.irs.gov.i11zte.eu
2009-09-24 | 18 | www.irs.gov.ijh7kio.eu
2009-09-24 | 4 | www.irs.gov.ikh7kio.eu
2009-09-24 | 6 | www.irs.gov.io11juy.eu
2009-09-24 | 12 | www.irs.gov.iz1fd2.eu
2009-09-24 | 10 | www.irs.gov.iz1ff2.eu
2009-09-24 | 9 | www.irs.gov.iz1gf2.eu
2009-09-24 | 10 | www.irs.gov.iz1hf2.eu
2009-09-24 | 14 | www.irs.gov.iz1if2.eu
2009-09-24 | 15 | www.irs.gov.iz1jf2.eu
2009-09-24 | 4 | www.irs.gov.iz1kf2.eu
2009-09-24 | 8 | www.irs.gov.iz1lf2.eu
2009-09-24 | 5 | www.irs.gov.iz1pf2.eu
2009-09-24 | 12 | www.irs.gov.iz1qf2.eu
2009-09-24 | 7 | www.irs.gov.iz1rf2.eu
2009-09-24 | 10 | www.irs.gov.iz1tf2.eu
2009-09-24 | 8 | www.irs.gov.iz1uf2.eu
2009-09-24 | 7 | www.irs.gov.iz1wf2.eu
2009-09-24 | 9 | www.irs.gov.iz1yf2.eu
2009-09-24 | 3 | www.irs.gov.jo11juy.eu
2009-09-24 | 11 | www.irs.gov.mah7kio.eu
2009-09-24 | 4 | www.irs.gov.mi11f1.eu
2009-09-24 | 6 | www.irs.gov.mi11fa.eu
2009-09-24 | 6 | www.irs.gov.mi11fd.eu
2009-09-24 | 5 | www.irs.gov.mi11fe.eu
2009-09-24 | 8 | www.irs.gov.mi11ff.eu
2009-09-24 | 3 | www.irs.gov.mi11fi.eu
2009-09-24 | 5 | www.irs.gov.mi11fo.eu
2009-09-24 | 7 | www.irs.gov.mi11fp.eu
2009-09-24 | 2 | www.irs.gov.mi11fq.eu
2009-09-24 | 6 | www.irs.gov.mi11fr.eu
2009-09-24 | 3 | www.irs.gov.mi11fs.eu
2009-09-24 | 2 | www.irs.gov.mi11ft.eu
2009-09-24 | 6 | www.irs.gov.mi11fu.eu
2009-09-24 | 2 | www.irs.gov.mi11fw.eu
2009-09-24 | 4 | www.irs.gov.mi11fy.eu
2009-09-24 | 5 | www.irs.gov.nuh7kio.eu
2009-09-24 | 4 | www.irs.gov.nuko7u1.eu
2009-09-24 | 8 | www.irs.gov.nuko7ue.eu
2009-09-24 | 3 | www.irs.gov.nuko7ug.eu
2009-09-24 | 3 | www.irs.gov.nuko7uh.eu
2009-09-24 | 4 | www.irs.gov.nuko7ui.eu
2009-09-24 | 11 | www.irs.gov.nuko7uj.eu
2009-09-24 | 6 | www.irs.gov.nuko7uk.eu
2009-09-24 | 6 | www.irs.gov.nuko7uo.eu
2009-09-24 | 7 | www.irs.gov.nuko7up.eu
2009-09-24 | 7 | www.irs.gov.nuko7uq.eu
2009-09-24 | 14 | www.irs.gov.nuko7ur.eu
2009-09-24 | 3 | www.irs.gov.nuko7ut.eu
2009-09-24 | 7 | www.irs.gov.nuko7uu.eu
2009-09-24 | 7 | www.irs.gov.nuko7uw.eu
2009-09-24 | 7 | www.irs.gov.nuko7uy.eu
2009-09-24 | 2 | www.irs.gov.oo11juy.eu
2009-09-24 | 1 | www.irs.gov.po11juy.eu
2009-09-24 | 17 | www.irs.gov.poh7kio.eu
2009-09-24 | 16 | www.irs.gov.qyh7kio.eu
2009-09-24 | 5 | www.irs.gov.ro11juy.eu
2009-09-24 | 4 | www.irs.gov.so11juy.eu
2009-09-24 | 3 | www.irs.gov.to11juy.eu
2009-09-24 | 2 | www.irs.gov.uij7yj.eu
2009-09-24 | 2 | www.irs.gov.uij7yl.eu
2009-09-24 | 1 | www.irs.gov.uij7ym.eu
2009-09-24 | 2 | www.irs.gov.uij7yq.eu
2009-09-24 | 3 | www.irs.gov.uij7yt.eu
2009-09-24 | 2 | www.irs.gov.uij7yy.eu
2009-09-24 | 2 | www.irs.gov.uij7yz.eu
2009-09-24 | 4 | www.irs.gov.uo11juy.eu
2009-09-24 | 14 | www.irs.gov.veh7kio.eu
2009-09-24 | 4 | www.irs.gov.xo11juy.eu
2009-09-24 | 7 | www.irs.gov.yoky1a.eu
2009-09-24 | 2 | www.irs.gov.yoky1c.eu
2009-09-24 | 3 | www.irs.gov.yoky1d.eu
2009-09-24 | 4 | www.irs.gov.yoky1e.eu
2009-09-24 | 2 | www.irs.gov.yoky1f.eu
2009-09-24 | 7 | www.irs.gov.yoky1g.eu
2009-09-24 | 4 | www.irs.gov.yoky1n.eu
2009-09-24 | 3 | www.irs.gov.yoky1r.eu
2009-09-24 | 6 | www.irs.gov.yoky1s.eu
2009-09-24 | 4 | www.irs.gov.yoky1t.eu
2009-09-24 | 3 | www.irs.gov.yoky1w.eu
2009-09-24 | 5 | www.irs.gov.yoky1x.eu
2009-09-24 | 2 | www.irs.gov.yoky1y.eu
2009-09-24 | 5 | www.irs.gov.yoky1z.eu
2009-09-24 | 4 | www.irs.gov.zah7kio.eu
2009-09-24 | 18 | www.irs.gov.zuh7kio.eu
2009-09-25 | 2 | www.irs.gov.bbasza.com
2009-09-25 | 2 | www.irs.gov.bbaszb.com
2009-09-25 | 3 | www.irs.gov.bbaszc.com
2009-09-25 | 3 | www.irs.gov.bbaszd.com
2009-09-25 | 3 | www.irs.gov.bbasze.com
2009-09-25 | 5 | www.irs.gov.bbaszf.com
2009-09-25 | 2 | www.irs.gov.bbaszg.com
2009-09-25 | 3 | www.irs.gov.bbaszl.com
2009-09-25 | 2 | www.irs.gov.bbaszq.com
2009-09-25 | 3 | www.irs.gov.bbaszs.com
2009-09-25 | 4 | www.irs.gov.bbaszt.com
2009-09-25 | 3 | www.irs.gov.bbaszv.com
2009-09-25 | 2 | www.irs.gov.bbaszw.com
2009-09-25 | 3 | www.irs.gov.bbaszx.com
2009-09-25 | 4 | www.irs.gov.bbaszz.com
2009-09-25 | 1 | www.irs.gov.fedas1ah.com
2009-09-25 | 15 | www.irs.gov.ger11sa.com
2009-09-25 | 12 | www.irs.gov.ger11se.com
2009-09-25 | 4 | www.irs.gov.ger11si.com
2009-09-25 | 14 | www.irs.gov.ger11so.com
2009-09-25 | 16 | www.irs.gov.ger11sy.com
2009-09-25 | 8 | www.irs.gov.ger11za.com
2009-09-25 | 4 | www.irs.gov.ger11ze.com
2009-09-25 | 21 | www.irs.gov.ger11zi.com
2009-09-25 | 19 | www.irs.gov.ger11zo.com
2009-09-25 | 11 | www.irs.gov.ger11zy.com
2009-09-25 | 14 | www.irs.gov.nuko7u1.eu
2009-09-25 | 17 | www.irs.gov.nuko7ue.eu
2009-09-25 | 13 | www.irs.gov.nuko7ug.eu
2009-09-25 | 27 | www.irs.gov.nuko7uh.eu
2009-09-25 | 29 | www.irs.gov.nuko7ui.eu
2009-09-25 | 15 | www.irs.gov.nuko7uj.eu
2009-09-25 | 14 | www.irs.gov.nuko7uk.eu
2009-09-25 | 28 | www.irs.gov.nuko7uo.eu
2009-09-25 | 12 | www.irs.gov.nuko7up.eu
2009-09-25 | 16 | www.irs.gov.nuko7uq.eu
2009-09-25 | 19 | www.irs.gov.nuko7ur.eu
2009-09-25 | 11 | www.irs.gov.nuko7ut.eu
2009-09-25 | 24 | www.irs.gov.nuko7uu.eu
2009-09-25 | 14 | www.irs.gov.nuko7uw.eu
2009-09-25 | 15 | www.irs.gov.nuko7uy.eu
2009-09-25 | 1 | www.irs.gov.nuya1ze.eu
2009-09-25 | 14 | www.irs.gov.nuya1zg.eu
2009-09-25 | 6 | www.irs.gov.nuya1zh.eu
2009-09-25 | 3 | www.irs.gov.nuya1zi.eu
2009-09-25 | 3 | www.irs.gov.nuya1zl.eu
2009-09-25 | 9 | www.irs.gov.nuya1zo.eu
2009-09-25 | 7 | www.irs.gov.nuya1zp.eu
2009-09-25 | 9 | www.irs.gov.nuya1zq.eu
2009-09-25 | 9 | www.irs.gov.nuya1zt.eu
2009-09-25 | 6 | www.irs.gov.nuya1zw.eu
2009-09-25 | 2 | www.irs.gov.nuya1zy.eu
2009-09-25 | 26 | www.irs.gov.y11dera.com
2009-09-25 | 28 | www.irs.gov.y11derc.com
2009-09-25 | 24 | www.irs.gov.y11derd.com
2009-09-25 | 15 | www.irs.gov.y11dere.com
2009-09-25 | 34 | www.irs.gov.y11derf.com
2009-09-25 | 12 | www.irs.gov.y11derq.com
2009-09-25 | 7 | www.irs.gov.y11derr.com
2009-09-25 | 4 | www.irs.gov.y11ders.com
2009-09-25 | 20 | www.irs.gov.y11derv.com
2009-09-25 | 19 | www.irs.gov.y11derw.com
2009-09-25 | 8 | www.irs.gov.y11derx.com
2009-09-25 | 14 | www.irs.gov.y11derz.com
2009-09-26 | 1 | www.irs.gov.berfa1b.com
2009-09-26 | 1 | www.irs.gov.berfa1j.com
2009-09-26 | 2 | www.irs.gov.berfa1k.com
2009-09-26 | 7 | www.irs.gov.berfa1m.com
2009-09-26 | 3 | www.irs.gov.berfa1p.com
2009-09-26 | 1 | www.irs.gov.berfa1q.com
2009-09-26 | 8 | www.irs.gov.berfa1r.com
2009-09-26 | 2 | www.irs.gov.berfa1s.com
2009-09-26 | 3 | www.irs.gov.berfa1w.com
2009-09-26 | 1 | www.irs.gov.berfa1z.com
2009-09-26 | 7 | www.irs.gov.fedas1aa.com
2009-09-26 | 3 | www.irs.gov.fedas1ab.com
2009-09-26 | 5 | www.irs.gov.fedas1ad.com
2009-09-26 | 8 | www.irs.gov.fedas1af.com
2009-09-26 | 5 | www.irs.gov.fedas1ag.com
2009-09-26 | 7 | www.irs.gov.fedas1ah.com
2009-09-26 | 6 | www.irs.gov.fedas1ak.com
2009-09-26 | 7 | www.irs.gov.fedas1am.com
2009-09-26 | 8 | www.irs.gov.fedas1an.com
2009-09-26 | 3 | www.irs.gov.fedas1ao.com
2009-09-26 | 6 | www.irs.gov.fedas1aq.com
2009-09-26 | 2 | www.irs.gov.fedas1ar.com
2009-09-26 | 6 | www.irs.gov.fedas1as.com
2009-09-26 | 2 | www.irs.gov.fedas1av.com
2009-09-26 | 5 | www.irs.gov.fedas1az.com
2009-09-26 | 5 | www.irs.gov.juhh1we.com

Thursday, September 10, 2009

Tien Truong Nguyen pleads Guilty

In April of 2007, the Eastern District of California sent out a Press Release titled "SACRAMENTO MAN CHARGED WITH COMPUTER FRAUD AND AGGRAVATED IDENTITY THEFT" with the description, "Internet Phishing Scheme Used to Steal Thousands of Credit and Debit Card Numbers, Social Security Numbers."

At the University of Alabama at Birmingham, our UAB Computer Forensics program has a mix of Computer & Information Science and Criminal Justice students who are working together to research how phishing investigations are performed. When I saw this story back in the news today, I thought we might have another agent who could help us understand how the US Secret Service investigates phishing. While I'm very glad that Nguyen was picked up, and it looks like ECSAP-trained Senior Special Agent Brian Korbs did an excellent job on the Computer Forensics aspects of this case, unfortunately this wasn't a "phishing investigation."

Several of my students learned about the US Secret Service Electronic Crimes Special Agent Program (ECSAP) while visiting the National Computer Forensics Institute in Hoover, Alabama, about ten miles from our campus, earlier this month. Housed at the NCFI, the Electronic Crimes Task Force for the Birmingham field office of the Secret Service maintains a computer forensics lab where computer forensics examiners from the US Secret Service and the Alabama Bureau of Investigation work side-by-side with examiners from the Alabama District Attorneys Association and the Hoover Police Department to perform examinations and provide training and forensic services to all manner of law enforcement cases. The NCFI provides the equivalent of the Secret Service ECSAP training for state and local law enforcement officers across the country. ECSAP-based courses available in Hoover include "Basic Investigation of Computer and Electronic Crimes Program (BICEP)", "Network Intrusion Responder Program (NITRO)", "Basic Computer Evidence Recovery Training (BCERT)", and "Advanced Computer Evidence Recovery Training (ACERT)", which is ten full weeks of very hands-on training! The NCFI also offers two "Computer Forensics in Court" classes, CFC-J for Judges, and CFC-P for Prosecutors.

Back to the story . . . According to the Affidavit of SSA Brian Korbs, Nguyen was clearly involved in phishing. Korbs was able to establish that from at least October 15, 2005 through January 26, 2007, Nguyen was involved in multiple identity theft, phishing, and credit card fraud activities.

The forensics examination covered:

A Dell Laptop Computer "Latitude" Serial Number 8P530B1
A Toshiba Laptop Computer "M-45" with black thumb drive Serial Number 26234221Q
A Hewlett Packard Laptop Computer "Pavilion D1000" with Serial Number CNF5382K5T
two black USB thumb drives and
A Dell Computer Model 470 Serial Number 37NQC61

These showed that Nguyen was regularly communicating with Eastern Europeans to acquire credit card and debit card numbers, social security numbers, and other personal identification information. Files on the computer were used to create phishing websites, including sites against eBay, Fairwinds Credit Union (Florida), Heritage Bank (Olympia, Washington), Honolulu City and County Employees Credit Union, and others. A program for encoding credit cards, lists of account information, a magnetic card writer, and a laminator were found. Thousands of email addresses, sorted by the state in which they were located, were found to be used for sending out phishing emails state-by-state. (For example, it would make sense to only send "Honolulu City and County Employees Credit Union" phishing emails to people who live in Hawaii.)

The fruit of the phishing was "thousands of pages of customer information" from companies "such as eBay, Western Union, and others." Korbs reported finding "Hundreds of files of credit card numbers, many with PINs, as well as the true cardholders name, address, email address, password, bank account information, social security number, driver's license number, telephone number, etc." Korbs estimates that "tens of thousands" of identities were on the computer, which is certainly "more than 15" as described in the Federal statute (see below).

Yahoo! chat logs were also found on the computer, which, if printed, would be 16,000 pages of logs. Many of the chats related to buying and selling credit cards, and exchanging email addresses for phish targeting.

In Nguyen's case, the whole story seems to be that he worked with several Romanians to build phishing sites and steal personally identifiable information. Then he provided that information to local accomplices who cashed out in an interesting manner. Apparently GE Capital runs a system of kiosks in California Wal-Mart stores where you can enter your information and be approved for an instant line of credit, which is provided as Wal-Mart coupons that can be used to shop in the store. According to Special Agent Korbs, they did this for more than $200,000 worth of merchandise. The full indictment lists many of the items purchased with these cards, including laptops, monitors, satellite radio systems, 8 iPods, infrared night light, a "Nightowl" night vision scope, CB radios, GPS units, watches, televisions, a radar detector, etc.

When Detective Jim Hudson, from the Placer County Sheriff, and Special Agent Korbs talked to Tien Nguyen after he was arrested on January 26, 2007, he waived his Miranda rights and told them pretty much everything. He admitted to using his computer to trade identities and credit card information, and he explained the GE Capital / Wal-Mart scheme.

Enter the 9th Circuit


So, why after all this time is Nguyen just now pleading guilty? Apparently the defense's plan all along has been to say that all of the evidence that was obtained from Nguyen, INCLUDING HIS CONFESSION, was based on a warrantless search of the premises, which meant all of the evidence should be suppressed. After the recent 9th Circuit ruling, Nguyen's lawyer, Micheal K. Cernyar of Long Beach, California, thought he had fresh evidence, and on September 8, 2009 a hearing was held before the Honorable Morrison C. England, Jr., to hear a plea to establish a new hearing for a new motion to suppress. Here are the basics outlined in the Motion to Suppress:

* Mr. Nguyen was arrested on or about January 26, 2007 on a Ramey Warrant at his residence located at 8225 & 8229 Gerber Road, Sacramento, California. "A warrantless search of the residence" uncovered all of the information, while Nguyen and his companion were detained in the living room of the home.

* On March 27, 2007, Special Agent Korbs applied for a federal search warrant seeking the items seized on January 26, 2007. After receiving this search warrant, Nguyen was indicted April 26, 2007.

* Nguyen moved "to suppress all evidence and any statements obtained" claiming his Fourth Amendment rights were violated, and his motion was denied October 15, 2008.

Here's the new part . . .

7. Last week, in United States v. Gonzalez -- F.3d --, (9th Cir. 2009) (D.C. No. 07-30098), the Ninth Circuit reversed a matter regarding suppression of evidence based upon a warrantless search when applying the recent ruling in Arizona v. Gant. The Ninth Circuit held that Mr. Gonzalez was entitled to benefit from the Supreme Court's ruling in Gant.

8. Counsel believes that the facts in Mr. Nguyen's warrantless search incident to arrest are at the very least similarly situated to those in the Gant and Gonzalez matter.


Rodney Joseph Gant v. Arizona was a case where a man was arrested, and after his arrest police went and searched his vehicle, which he was not in at the time of the arrest. In the car, they found cocaine, not related to the charges for which he had just been arrested, and expanded the charges to include drug possession. Because they did not have a warrant for the vehicular search, and because the perp was not in the vehicle, the Supreme Court ruled that they should not have searched the vehicle without a warrant. (This has been standard practice, called "The Bright Line rule" since 1981 . . .)

How does this relate to the 9th Circuit decision in U.S. v. Gonzalez? It is well-established practice that police can perform a warrantless search "incident to arrest", meaning that after I've arrested you, it is "not unreasonable" to search for evidence related to the crime for which you have been arrested, both on your person, as well as in the immediate vicinity. The question of what is meant by the immediate vicinity is one that has had the legal scholars appealing searches on Fourth Amendment grounds over and over. In this case, it all starts with Chimel v. California. The Supreme Court held that when someone is arrested in their home, officers would be reasonable to search not only the room of the arrest, but other "sufficiently large spaces" where someone might be hiding that could be a risk to officer safety. So, the idea was, if I arrest you in your living room, but I feel that someone might be hiding in the closet, I can look in the closet, without a warrant, to see if your brother is hiding in there with a shotgun planning to jump out and shoot me. I couldn't search the drawer in the end-table, because it is unlikely a potential attacker is hiding in that drawer. Several cases since then have argued whether you should only be able to do such a search if there was a suspicion that such a risk to officer safety was probable, and then, only in certain "reasonable areas", with three cases helping define those boundaries and expectations -- Maryland v. Buie, Belton v. New York, and Thornton v. United States. Arizona v. Gant reset those expectations by overruling some of those prior standards of when it was reasonable to do a "suspicionless search", which led to the 9th Circuit Decision.

The judge rightly denied the motion to suppress, since this WAS a search "INCIDENT TO ARREST", and there was EVERY REASON to believe that the computers held relevant evidence of the crime for which Nguyen was being arrested, based on his own statements, and his own permission to search, meaning that NONE of those prior cases really had anything to do with this case.

With his last hope extinguished, Nguyen pleaded guilty, but even then went all the way to the wire. I really thought he was going to go to trial! His lawyer had submitted Questions for the Jury (Voir Dire) as recently as September 2, 2009! I had to chuckle as I read through them . . . he asks if they Bank Online, if they use their Debit Card online, if they have purchased online items in the past year . . . I thought the next question might be "Please state your debit card number slowly, and tell us your PIN." When it came down to the start of the Jury Trial, at 9:00 am on September 8th, the Courtroom minutes tell us that Nguyen asked for a five minute recess, and came back in and pleaded guilty to counts 1-4. He then asked for another recess, and came back and pleaded guilty to count 5.

The Penalty Slip with the indictment includes the charges. Especially sweet that the Aggravated Identity Theft adds an automatic +2 years. Nguyen was found to have a shotgun in his bedroom as well, a Remington 870 Express Magnum.

18 USC § 371 - Conspiracy to Commit Computer Fraud and Access Device Fraud:
- Not more than $250,000 or not more than gross gain or loss;
- Not more than 5 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 1029(a)(2) - Access Device Fraud
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 5 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 1029(a)(3) - Possession of More than 15 Unauthorized Access Devices
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 10 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 1028A(a)(1) - Aggravated Identity Theft
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 2 years imprisonment, or both
- Not more than 3 years of supervised release

18 USC § 922(g)(1) - Felon in Possession of a Firearm or Ammunition
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 10 years imprisonment, or both
- Not more than 3 years of supervised release

(Nguyen had already spent "more than a year" in jail back in 1999 for "Receipt of Stolen Property" and "Making and Passing Fictitious Checks", but these were state of California crimes rather than Federal crimes.)

The sentencing for Nguyen will be on November 19th, at 9:00 am.

The question for my students' research project is - "Was this a phishing investigation?" We haven't talked to Special Agent Korbs yet, but from a reading of the court documents, I believe the answer will be "No." This was a credit card fraud investigation, which uncovered a phishing case after the Computer Forensics evidence was evaluated.

The on-going and unsolved question for our research is, "Could this case have been worked the other way around?" If we had started with the Honolulu City and County Employees Credit Union phishing site, would we have still ended up at Tien Truong Nguyen's front door? If you are a law enforcement officer with first-hand experience in phishing investigations, we'd love to talk with you and get your opinion.

References: Stranger than Dictum: Why Arizona v. Gant Compels the Conclusion that Suspicionless Buie Searches Incident to Lawful Arrests are Unconstitutional by Colin Miller, Assistant Professor of the John Marshall Law School.