At the outset of their federal criminal trial for hijacking vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm Adconion Direct (now Amobee) have pleaded guilty to lesser misdemeanor charges of fraud and misrepresentation via email.
In October 2018, prosecutors in the Southern District of California named four Ad employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum — in a ten-count indictment (PDF) on felony charges of conspiracy, wire fraud, and electronic mail fraud.
The government alleged that between December 2010 and September 2014, the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.
Prosecutors said the men also sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.
All four defendants pleaded not guilty when they were charged back in 2018, but this week Bychak, Manoogian and Qayyum each entered a plea deal.
“The defendants’ jobs with Adconion were to acquire fresh IP addresses and employ other measures to circumvent the spam filters,” reads a statement released today by the U.S. Attorney for the Southern District of California, which said the defendants’ employer agreed to forfeit $5 million as fraudulent proceeds of the conspiracy.
“To conceal Adconion’s ties to the stolen IP addresses and the spam sent from these IP addresses, the defendants used a host of DBAs, virtual addresses, and fake names provided by the company,” the statement continues. “While defendants touted ties to well-known name brands, the email marketing campaigns associated with the hijacked IP addresses included advertisements such as ‘BigBeautifulWomen,’ ‘iPhone4S Promos,’ and ‘LatinLove[Cost-per-Click].’”
None of the three plea agreements are currently available on PACER, the online federal court document clearinghouse. However, PACER does show that on June 7 — the same day the pleas were entered by the defendants — the government submitted to the court a superseding set of just two misdemeanor charges (PDF) of fraud in connection with email.
Another document filed in the case says the fourth defendant — Pacas — accepted a deferred prosecution deal, which includes a probationary period and a required $50,000 “donation” to a federal “crime victims fund.”
There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market.
This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.
In May, prosecutors published information about the source of some IP address ranges from which the Adconion employees allegedly spammed. For example, the government found the men leased some of their IP address ranges from a Dutch company that’s been tied to a scandal involving more than four million addresses siphoned from the African Network Information Centre (AFRINIC), the nonprofit responsible for overseeing IP address allocation for African organizations.
In 2019, AFRINIC fired a top employee after it emerged that in 2013 he quietly commandeered millions of IPs from defunct African entities or from those that were long ago acquired by other firms, and then conspired to sell an estimated $50 million worth of the IPs to marketers based outside Africa.
“Exhibit A” in a recent government court filing shows that in 2013 Adconion leased more than 65,000 IP addresses from Inspiring Networks, a Dutch network services company. In 2020, Inspiring Networks and its director Maikel Uerlings were named in a dogged, multi-part investigation by South African news outlet MyBroadband.co.za and researcher Ron Guilmette as one of two major beneficiaries of the four million IP addresses looted from AFRINIC by its former employee.
Exhibit A, from a May 2022 filing by U.S. federal prosecutors.
The address block in the above image — 18.104.22.168/16 — was reportedly later reclaimed by AFRINIC following an investigation into the findings by MyBroadband.co.za. Inspiring Networks has not responded to requests for comment.
Prosecutors allege the Adconion employees also obtained hijacked IP address blocks from Daniel Dye, another man tied to this case who was charged separately. For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra. In 2018, Dye pleaded guilty to violations of the CAN-SPAM Act.
Optinrealbig’s CEO was the spam king Scott Richter, who changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.
The last-minute plea deals by the Adconion employees were reminiscent of another recent federal criminal prosecution for IP address sleight-of-hand. In November 2021, the CEO of South Carolina technology firm Micfo pleaded guilty just two days into his trial, admitting 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 700,000 IPs from the American Registry for Internet Numbers (ARIN) — AFRINIC’s counterpart in North America.
Adconion was acquired in June 2014 by Amobee, a Redwood City, Calif. online ad platform that has catered to some of the world’s biggest brands. Amobee’s parent firm — Singapore-based communications giant Singtel — bought Amobee for $321 million in March 2012.
But as Reuters reported in 2021, Amobee cost Singtel nearly twice as much in the last year alone — $589 million — in a “non-cash impairment charge” Singtel disclosed to investors. Marketing industry blog Digiday.com reported in February that Singtel was seeking to part ways with its ad tech subsidiary.
One final note about Amobee: In response to my 2019 story on the criminal charges against the Adconion executives, Amobee issued a statement saying “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”
Yet as the government’s indictment points out, the alleged hijacking activities took place up until September 2014, which was after Amobee’s acquisition of Adconion Direct in June 2014. Also, the IP address ranges that the Adconion executives were prosecuted for hijacking were all related to incidents in 2013 and 2014, which is hardly “years prior to Amobee’s acquisition of the company.”
Amobee has not yet responded to requests for comment.
from Krebs on Security https://ift.tt/DyePC04