Friday, 24 January 2014

Somnath Bharti: when a spammer becomes a government minister

More than a decade ago I came across an outfit called TopSites LLC, which ran a spam operation pestering webmasters to renew their listings in the Topsites directory. That directory was basically an unlicensed rip-off of the Open Directory Project, and the whole thing was essentially a business directory scam.

I documented the saga in a five-part series (plus a couple of follow-ups) and eventually TopSites shut up shop, with the main person behind it (Paul Aunger) cashing out from the business and buying into another firm called Inova Technology instead. There's a long story to that particular business and I won't cover it here, but if you're really interested a trip to InvestorsHub is kind of interesting.

Part way through the TopSites spamming operation, they picked up a partner in India called Somnath Bharti. India was an ideal place to send spam from because it had no anti-spam laws at the time (and is still very lax in this area), so the act of spamming by itself was not illegal.. although the act of selling paid directory listings when they were actually free is a lot more questionable.


Mr Bharti denied any involvement, but since I had a copy of his business card it was pretty clear that he was lying. After I identified him, Mr Bharti was listed in the Spamhaus ROKSO list which is basically a list of the world's worst spammers. An example of the spam can be found here, linking Topsites to Mr Bharti's Madgen Solutions.

I didn't really pay much attention to Mr Bharti after that, although for a long time my site was the number one result in Google for Somnath Bharti which must have irritated him, and I did learn that he moved from IT to become a lawyer.

So I was rather surprised to find that Mr Bharti is now a government minister at the centre of a growing political storm in India, and now journalists are beginning to check his background, which is leading some of them back to what I wrote a decade ago.

Now, I'm not an expert in Indian law (and detractors of Mr Bharti say that he isn't either) but anti-spam laws in India basically do not exist, and certainly a decade ago I don't think that there was anything under Indian law that Mr Bharti was doing wrong. Even so, he was successfully sued in California [doc] for those same spam emails. Rather more seriously, being involved in a business that sells worthless directory listings is certainly legally questionable, although no case about that aspect was ever brought against Topsites or Mr Bharti.

One thing is certain - Mr Bharti lied about his involvement with TopSites. After I published details of his connection, he sent a somewhat threatening email denying involvement but inadvertently confirming it at the same time:
    Subject: surprising and serious
    From: Somnath [somnath.bharti@gmail.com]
    Hi Conrad,
    I was taken by surprise to find you listing my name, one of my properties address and my picture in an article on a company named "TopSites LLC" on your site. I don't know on what basis you have been talking so emphatic without cross verifying with the person you are talking about. To my utter surprise, you have been having this article on your site accusing me of being related to a company I have heard only through your article. Please have the same removed ASAP and explain to me what made you write all this about a person, not even remotely attached to any such company.
    Please acknowledge of this email and have any and everything related my name, my pic and c-28 address removed. I am available at +91-9891819893, if you have anything to talk about. Also, post on the same page an apology for this grievous mistake on your part.
    --
    Regards,
    Somnath Bharti

In that email, Mr Bharti emphatically denies involvement, but confirms that the photograph and address I published of him are correct.

What Mr Bharti didn't know was that I had a copy of his business card, not only confirming his connection, but listing him as CEO.


If you are interested in researching the topic for yourself, a good place to start is Google Groups, especially searches relating Topsites, Bharti and Madgen Solutions (Bharti's IT company). I don't know if Mr Bharti is still denying his involvement in Topsites, but the evidence is damning if you look for it.

By TopSites LLC's own admission, they were turning in $1.8 million a year by 2005. How much of that money made its way to Mr Bharti is a mystery. And quite how Mr Bharti reconciles his questionable past business practices with his membership of an anti-corruption political party is also a mystery.

I don't know if Mr Bharti accepts or denies his role as a spammer for TopSites LLC, but his name is all over several public records and I also have private unpublished data that places him firmly near the centre of the operation. Perhaps he thinks that selling something that should be free is also an ethical way to do business, I don't know. And how does he explain a blatant and rather pathetic lie about involvement? That's something I don't know either. But I would certainly be interested in seeing what he has to say for himself..

Update: after being exposed in the Times of India, Mr Bharti denies being responsible.. but I look deeper at his involvement with the spamming operation here.

Thursday, 23 January 2014

"Legal Business Proposal" spam has a malicious attachment

This email looks like it should be an advanced fee fraud, but instead it comes with a malicious attachment. I love the fact that this is a Legal Business Proposal as opposed to an Illegal one.
Date:      Thu, 23 Jan 2014 12:45:11 +0000 [07:45:11 EST]
From:      Webster Bank [WebsterWeb-LinkNotifications@WebsterBank.com]
Subject:      Legal Business Proposal

Hello, I'm Norman Chan Tak-Lam, S.B.S., J.P, Chief Executive, Hong Kong Monetary Authority (HKMA).

I have a Business worth $47.1M USD for you to handle with me.

 Detailed scheme of business can be seen in the attached file.
Attached is a file business-info.zip which in turn contains a malicious executable business-info.exe with a VirusTotal detection rate of 16/49.

Automated analysis tools [1] [2] [3] show attempted connections to dallasautoinsurance1.com on 38.102.226.239 and wiwab.com on 38.102.226.82. Both IPs belong to Cogent Communications and appear to be rented out to a small web hosting firm called HostTheName.com. For information only, that host has these other IPs in the same range:

Wednesday, 22 January 2014

Password hand-wringing misses the point

Recently doing the rounds of news outlets is a list compiled by SplashData of weak passwords found in data breaches in 2013. There's nothing wrong with this list, but as ever, the media completely miss the point.

SplashData's list is as follows:

Rank  Password     Change from 2012
  1   123456       Up 1
  2   password     Down 1
  3   12345678     Unchanged
  4   qwerty       Up 1
  5   abc123       Down 1
  6   123456789    New
  7   111111       Up 2
  8   1234567      Up 5
  9   iloveyou     Up 2
 10   adobe123     New
 11   123123       Up 5
 12   admin        New
 13   1234567890   New
 14   letmein      Down 7
 15   photoshop    New
 16   1234         New
 17   monkey       Down 11
 18   shadow       Unchanged
 19   sunshine     Down 5
 20   12345        New
 21   password1    Up 4
 22   princess     New
 23   azerty       New
 24   trustno1     Down 12
 25   000000       New


The presence of "adobe123" and "photoshop" as passwords shows the influence of the Adobe data breach on the list. Back in 2010 when Gawker was breached, one of the popular passwords was.. you guessed it.. "gawker".

The media has a habit of picking up the wrong point.. they look at a password of "123456" and ask how can anyone be so stupid to use it? But my somewhat NSFW response is what the fuck does it matter?

Almost everything these days requires registration for which you need to supply an email address and password, and often for trivial things. One of the reasons that gawker featured so highly in the Gawker breach was that to the vast majority of users it matters not one jot if someone hacks into their account. The same is true for a lot of Adobe users.. in most cases the accounts are of absolutely no value to an attacker, so it really doesn't matter if you have adobe123 as a password or not.

So, the media (or at least some of it) says that you should choose a secure password such as fJ4C62GY0I8C15D but their advice is misleading because the real problem is password re-use and not the security of the password per se.

Despite the obvious security problems in doing so, many sites store passwords in plain text or in an insufficiently protected format. In these cases, it doesn't matter how secure your password is because the attackers will just be able to read it. Even in cases where the password is encrypted, with enough time and/or rainbow tables the password can often be determined, even if it is a complex one.

And if you have re-used that email address and password on other sites.. well, you're buggered basically.
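As an added example (not part of the original post), the following Python puts the two points above side by side: a breach dump stored as unsalted MD5 is recovered instantly with a table precomputed from SplashData's own list, while a second site that uses per-user salts and slow PBKDF2 is immune to that table but still loses any user who re-used the recovered password. All accounts, hashes and the second site's records are constructed for the example.

```python
import hashlib
import hmac
import os

# SplashData's 2013 top-25 list exactly as printed in the post; it serves
# both as the attacker's dictionary and as a registration denylist.
TOP25 = ["123456", "password", "12345678", "qwerty", "abc123", "123456789",
         "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
         "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
         "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
         "000000"]

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

# Precomputed table (hash -> password): built once, reused for any dump.
LOOKUP = {md5_hex(p): p for p in TOP25}

# Constructed breach dump: unsalted MD5, the "insufficiently protected" case.
BREACH_DUMP = {
    "alice@example.com": md5_hex("adobe123"),
    "bob@example.com": md5_hex("fJ4C62GY0I8C15D"),
    "carol@example.com": md5_hex("letmein"),
}

def recover_unsalted(dump):
    """Return {email: password} for every hash that hits the lookup table."""
    return {email: LOOKUP[h] for email, h in dump.items() if h in LOOKUP}

def store_salted(password, salt=None, rounds=100_000):
    """Per-user random salt plus slow PBKDF2: one table no longer fits all."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()

def verify_salted(password, stored, rounds=100_000):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)

def reuse_victims(recovered, other_site):
    """Users on a properly-run site who re-used a password recovered elsewhere."""
    return sorted(e for e, stored in other_site.items()
                  if e in recovered and verify_salted(recovered[e], stored))

# Constructed records for a second, better-run site (same users, salted).
OTHER_SITE = {
    "alice@example.com": store_salted("adobe123"),    # re-used from site one
    "carol@example.com": store_salted("Xq7!pm2Lw9"),  # unique password
}
```

Running `recover_unsalted(BREACH_DUMP)` recovers alice and carol but not bob's random password, and `reuse_victims(...)` then flags alice alone on the second site, which is exactly the re-use problem the post describes.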

In an ideal world, you would have a nicely secure password for each site and you would remember it in your head. But of course, that's practically impossible, so one option is to use a password manager (SplashData themselves make these) to remember them all for you. There are several different password managers available, but of course there is always the possibility that one of these tools might get hacked itself which could be catastrophic for users.

If you don't want to use a password manager, then you'll have to do it the old-fashioned way, and either remember your passwords or store them in some other manner. You should always have a secure and unique password for your web mail, banking/finance, work and major shopping sites. But for all the cruft that you have to register for, there's probably little harm in using a password that is easy to remember. Does it matter if the password I use for ranting at the BBC is abc123? Perhaps it doesn't.

But perhaps one problem is that there are simply too many times that you have to create an account in the first place. Sometimes it is nice to come across a retailer (for example) that will allow you to order stuff without creating a damned account.. something that seems to go against the grain, but it does mean that there's one less password to worry about..

Tuesday, 21 January 2014

Something evil on 5.254.96.240 and 185.5.55.75

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.


URLquery shows one such download in this example: the victim has been directed to [donotclick]gf-58.ru/telekom_deutschland, which downloads a ZIP file Rechnungsruckstande_9698169830015295.zip, which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe with a VirusTotal detection rate of 7/48.


The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:


The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on 185.5.55.75 (UAB "Interneto vizija", Lithuania). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.

Recommended blocklist:

Update: this appears to be Cridex aka Feodo, read more.

Monday, 20 January 2014

WhatsApp "A friend of yours has just sent you a pic" spam

This fake WhatsApp spam has a malicious attachment:

Date:      Mon, 20 Jan 2014 06:23:28 -0500 [06:23:28 EST]
From:      WhatsApp [{messages@whatsapp.com}]
Subject:      A friend of yours has just sent you a pic

Hey!

Someone you know has just sent you a pic in WhatsApp. Open attachments to see what it is.

© 2013 WhatsApp Inc

Attached to the message is an archive file IMG9900882.zip which in turn contains a malicious executable IMG9900882.exe which has a VirusTotal detection rate of 20/49. The Malwr analysis gives few clues as to what the malware does; other automated analysis tools are inconclusive.

"Thank you for scheduling a payment to Bill Me Later" spam

This fake Bill Me Later spam has a malicious attachment:
Date:      Mon, 20 Jan 2014 14:23:08 +0000 [09:23:08 EST]
From:      Bill Me Later [service@paypal.com]
Subject:      Thank you for scheduling a payment to Bill Me Later

BillMeLater

Log in here

Your Bill Me Later® statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1603.57 and have applied it to your account.

For more details please check attached file

Summary:

Your Bill Me Later Account Number Ending in: 0266

You Paid: $1603.57

Your Payment Date*: 01/20/2014

Your Payment Confirmation Number: 971892583971968191

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PQW688PP1

Attached is an archive file PP_03357442.zip which in turn contains a malicious executable PP_03357442.exe which has a VirusTotal detection rate of just 4/45. Automated analysis tools [1] [2] show an attempted connection to jatit.org on 72.9.158.240 (Colo4, US) which appears to be a legitimate (but presumably compromised) site.