A federal grand jury indicted four men charged with running a $4 million spam campaign that specifically targeted college network users yesterday. The indictment marks the federal law enforcement agency's latest success in finding and pursuing mass-mailers who violate the CAP-SPAM Act in doing business online.
With cooperation from FBI investigators, three Americans and a Chinese national were charged with violating the Can-Spam Act through an enterprise that started in 2004 and spammed almost every secondary school in the U.S., DoJ press agents reported.
Brothers Amir Ahmad Shah, 28, of St. Louis., and Osmaan Ahmad Shah, 25, of Columbia, Mo., who spearheaded the spam campaign via their company I2O, Inc. were the primary targets of the investigation, which also led to the indictment of their business partners, Liu Guang Ming, a citizen of China, and Paul Zucker, 55, of Wayne, N.J.,
All four were charged in a 51-count indictment returned under seal by a federal grand jury in Kansas City, Mo., on April 23, 2009. That indictment was unsealed and made public Wednesday upon the suspects' arrests and initial court appearances of Amir and Osmaan Shah.
"Nearly every college and university in the United States was impacted by this scheme," said Matt J. Whitworth, Acting United States Attorney for the Western District of Missouri, in a statement. "Illegal hacking and e-mail spamming wreaks havoc on computer networks. These schools spent significant funds to repair the damage and to implement costly preventive measures to defend themselves against future intrusions. We take computer crimes seriously and will aggressively prosecute those who violate the federal CAN-SPAM Act."
The indictment claims that the Shahs developed e-mail extracting programs used to illegally harvest more than 8 million student e-mail addresses from more than 2,000 colleges and universities. The suspects allegedly used their database of e-mail addresses to send targeted spam selling various products and services to the involved students via 31 different campaigns. Many of the attacks were launched using the computer network at the University of Missouri, where Osmaan Shah is a student, DoJ officials claim.
Osmaan Shah reportedly used the campus' wireless Internet service or connected directly to the network through an ethernet cable connection in a classroom or campus building to conduct their work. The DoJ also charges that the university's network sustained damage from the huge amount of network resources and bandwidth used during the transmission of the millions of messages being generated through the attacks.
The university also "expended a substantial amount of time, money and resources to respond to and repair problems caused by the spam e-mail campaigns and to protect and defend its network from future spam e-mail campaigns," the investigators contend.
Whitworth thanks the U of M for lending a hand in tracking the spammers.
As part of the scheme, the two brothers and their partners used messages that suggested they had an association with the university or college that the student receiving the spam attended, making up fictitious names and claiming to be "campus representatives" from the college of the targets receiving the spam.
They also falsely claimed that the businesses who manufactured or sold the products in the spam e-mail were "alumni-owned" organizations. The group made their money by garnering referral fees for selling the products advertised in their messages, or by buying products themselves and selling them.
Among the goods offered in the messages were digital cameras, MP3 players, magazine subscriptions, spring break travel offers, pepper spray and teeth whiteners.
There were also other unnamed partners involved in the business, who are specifically credited with creating the e-mail harvesting tool, which reportedly falsified e-mail header information to avoid spam filters by rotating subject lines, reply addresses, message content and URLs, and other information in the headers and e-mails themselves. The schemers also launched "dozens" of identical Web sites for each campaign to further avoid detection, DoJ charges.
According to the indictment, the spammers first used hosting services based in China, which is how Ming became involved in the effort. The partner also helped maintain the many Web sites, and used the Shahs to market spam hosting services to others, including Zucker, the indictment claims. After learning that investigators were on their trail, the group moved to other hosts, said DoJ.
The Shahs are charged each with five counts of computer hacking related to the use of e-mail harvesting programs, with each of the defendants also charged with one count of aiding and abetting each other to unlawfully use the University of Missouri computer network to send spam e-mail.
All of the defendants are charged in each of nine counts of aiding and abetting each other to access a protected computer without authorization and transmit multiple commercial e-mails, and all of the defendants are charged in each of nine counts of aiding and abetting each other to materially falsify header information in multiple commercial e-mails.
The Shahs and I2O are also charged in each of 26 counts of aiding and abetting each other to access a protected computer without authorization and transmit multiple commercial e-mails with the intent to deceive or mislead the recipients, and the indictment also contains a forfeiture allegation requiring the defendants to forfeit $4,191,966 including their houses and cars.
Lesson of the story? You can cook up plenty of spam, but you better be ready to fry when you get caught.
(Correction - This piece originally implied that the indicted parties had ripped of end users, when in fact they've been charged with violating CAN-SPAM in selling products they actually supplied. Apologies.)
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.