Thursday, November 04, 2010

Sextortion Hacker: Victims sought by FBI

On September 9, 2007, I received a forwarded email that had been sent to several high school parents in the Birmingham, Alabama area. It described a chilling scenario:

We have received SEVERAL reports of an unknown subject infiltrating students' Facebook and MySpace accounts. The unknown subject has taken over several students' accounts and the student no longer has access to their account. The subject has made threats for the student to do what he demands or he/she will keep their accounts locked. ... The unknown subject has been using a screen name of 'metascape'.


In April of 2009, the public learned that Metascape was actually a 24-year-old from Auburn, Alabama, who had taken over more than 200 accounts from young women from ages 14 to 26, with victims in at least Alabama, Pennsylvania, and Missouri. The Birmingham News headline was Facebook Helps Fight Cybercrime and detailed more of the situation. Metascape, whose real name was Jonathan Vance, had blackmail power over the girls through sexual statements or photos he had obtained from them. In at least 50 cases, he leveraged this information to force the girls to perform more and more graphic sexual acts for him on their webcams, which he then used for greater leverage.

Birmingham FBI Cybercrime Supervisor, Dale Miskell, put it this way to the Birmingham News:

"The embarrassment factor was big in this case," said Dale Miskell, supervisory special agent for the FBI's cybercrimes squad in Birmingham. "How can a girl go to her parents and tell them what happened? Even the adult victim didn't come forward until we contacted her."


Jonathan Vance was sentenced to eighteen years in his case, mostly because of the severe emotional trauma that the girls described when interviewed by prosecutors and law enforcement.

My friend Graham Cluley of Sophos mentions that there have also been similar cases in Spain, Great Britain, and Canada in his Cyber-Sextortionist blog story.

When the FBI and US Attorney's Office shared the details of the case with my Investigating Online Crime class in the summer of 2009, I hoped I would never hear of another case like it. Unfortunately, this week there has been another such case revealed.

On November 2nd, the FBI put out a press release called Web of Victims that described a nearly identical scenario involving a 31-year-old Santa Ana man. Luis Mijangos was arrested in June, according to the Los Angeles Times, and charged with taking over the webcams of 44 girls and 186 women. A June 22nd KABC News story reveals that the investigation was begun by the Glendale Police Department. A UPI story from the same day describes Mijangos as a Mexican citizen, wheelchair bound after being shot in "a gangland shooting." After that first court visit he was restricted to home and forbidden to use a computer while out on $10,000 bond. He was indicted on July 8th and charged with:

18 U.S.C. § 371 - Conspiracy
18 U.S.C. § 1341 - Mail Fraud
18 U.S.C. § 1028A - Aggravated Identity Theft
18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(ii) - Accessing Protected Computers to Obtain Information
18 U.S.C. § 875(d) - Extortion
18 U.S.C. §§ 2511(1)(a), (4)(a) - Wiretapping
18 U.S.C. §§ 1029(a)(3), (c)(1)(A)(i) - Possession of more than 15 Unauthorized Access Devices
18 U.S.C. § 2(a), (b) - Aiding and Abetting and Causing an Act to Be Done

The indictment calls Mijangos a "self-employed website developer and computer consultant" and says that he used the following screen names:

gui_blt, Woods05, CiFfEjUd914m EKEvatrGZrD03, Pimpcess03666, Your3name3here03, Bri23nice, Dmagecntr137, H2IOW14, ELEvATrhRZd03, Playrgrl37, Your3name3here3, goldlion14, and Hotchit13w

and the following email accounts:

yousoylammer@hotmail.com, christ@yahoo.com, gui_blt@live.com, mistahxxxrightme@aim.com, zapotin@hotmail.com, guich_x@aim.com, guicho_1.1@roadrunner.com, and mijangos3@msn.com

PARENTS - PLEASE TALK TO YOUR DAUGHTERS ABOUT THESE TYPES OF CASES

Let them know that if they, or any of their friends, have been subjected to something like this, they need to talk with you, and YOU need to talk with the FBI, especially if you have information regarding one of the screen names or email addresses above. The 18 year sentence for Metascape was because victims came forward and talked freely (albeit painfully) about their victimization. Don't let these creeps get away with this, and don't let YOUR daughter live in shame because she is worried you will flip out.

The indictment names criminal acts from as far back as November 26, 2008. Mijangos and co-schemers throughout the world developed malware that would give him complete control of a computer, including keylogging for identity theft, and webcam and microphone control.

With the keylogged data, they would engage in credit card fraud. Mijangos was a better hacker than Metascape. He would use computers belonging to teenage boys, and FROM THEIR COMPUTERS, trick their female friends into sharing intimate videos or images. He would then contact the women and girls directly, disclosing that he had these videos and images, and threatening to post them online if they did not share additional images and videos.

Some of the co-conspirators named (by screen name) include "Manhattan" and "Demonio666vip". One co-conspirator ordered stolen goods using the name "mauricio garza arcos" and the email "statikgto@gmail.com". This is probably "St4t1k" of the "Money Buster Team".

UAB Computer Forensics Research Laboratory has determined that demonio666vip and st4t1k were both members of the hacker website "indetectables.net" and were involved in the trade of "undetectable" BiFrost servers. BiFrost is a "RAT" or "Remote Administration Trojan" which was likely involved in the case above.



Indetectables.net, so named for their distribution of undetectable malware, has 30,242 users who have posted 133,942 messages about hacking and malware.
