Malware

Toronto, October 4, 2017 –  M3AAWG honored two German law enforcement officials today for their work in developing the global public/private collaboration that shutdown a massive malware offensive infecting computers in 189 countries and costing victims over $6 million in ransomware payments. Lower Saxony Chief Police Inspector Jörn Bisping and Senior Prosecutor Frank Lange received the 2017 M3AAWG J.D. Falk Award from the Messaging, Malware and Mobile Anti-Abuse Working group for spearheading worldwide efforts to dismantle the criminalized Avalanche platform.

See the video with the recipients talking about their five-year investigation that led to the the takedown.

The global cooperative efforts initiated by the German police and prosecutor’s office resulted in eight arrests, 500 court orders, 37 onsite searches and 39 servers seized worldwide.  Over 800,000 domains were seized, blocked or had their traffic diverted to a safe server rather than one controlled by criminals – a process known as sinkholing – making it the largest law enforcement operation to redirect malicious domains to date. 

“There was unprecedented cooperation worldwide, including registries in Russia and China taking down malicious domains, and support from smaller countries with lesser-known domains. We worked out some of the processes for collaborating better, and future takedowns and activities against cybercriminals will move even faster,” Bisping said in discussing the award.

A massive and complex criminal platform, Avalanche was used to deploy several attack vectors. Bots on the Avalanche network could determine if the targeted victim was accessing online banking and, if so, would plant key loggers and other malware on these systems to steal the user’s login credentials. Other users would be targeted with ransomware malware.  The platform also was used to recruit money laundering “mules” with a convoluted scheme to move stolen funds and ransom out of the country of origin by diverting payments between contracted sources.

In announcing the award at the M3AAWG four-day meeting in Toronto, Canada, the organization’s Chairman of the Board Severin Walker said, “Global action is the only way to protect our local citizens. It’s our professional responsibility to take the initiative in identifying major threats and then reach out to the international community to help confront them.  Chief Inspector Bisping and Senior Prosecutor Lange did just this and millions of end-users are much safer now and have benefited from their dedication.”

Five Years of Meticulously Detailed Investigation

The work behind the November 30, 2016 global Avalanche takedown started five years earlier when Bisping, with the Lower Saxony Police in Luneburg, began investigating a single cyberattack that appeared to be responsible for 200 local ransomware cases. In 2013, Lange, a senior prosecutor with the Public Prosecutor's Office in Verden, escalated the investigation to include more than 6,000 similar attacks throughout Germany.  As the global scope and complexity of the Avalanche platform became known, they reached out to cybercrime experts such as the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE), which eventually analyzed over 130 TB of captured data to identify the botnet server structure.

Lange said, “We realized through reverse engineering and other detailed analysis that Avalanche was more than just a botnet or a network running a few types of malware; it was a complete infrastructure and it would be impossible to stop without the help of other countries. By this time, we were in a position to invite the international community to work with us on three goals: to take down the servers, issue arrest warrants to those running them, and sinkhole all the families of malware we identified on the platform.”

In July of 2015, German police officials asked the U.S. Federal Bureau of Investigation for assistance. This eventually led to the international takedown in late 2016 that diverted traffic headed to the known malicious domains to the collaboration team’s servers and to the arrests. The investigation and the subsequent operation also involved the European police agency Europol, the European Union's Judicial Cooperation Unit or Eurojust, the U.S. Department of Justice, cybersecurity organizations such as Shadowserver, and investigators and prosecutors in more than 40 countries.

The J.D. Falk Award recognizes a significant achievement that protects end-users and the people working behind the scenes to make a better online world.  The 2017 award was announced at the M3AAWG 41st General Meeting in Toronto, Canada, with over 300 cybersecurity participants from around the world at the Oct. 3-5 event. M3AAWG also hosted UCENet (previously known as the London Action Plan) during the week.  The M3AAWG 42nd General Meeting will be February 19-22, 2018 in San Francisco, USA.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

The German Lower Saxony Minister of Justice, Antje Niewisch-Lennartz, congratulates both award winning recipients:

“The law enforcement agencies of Lower Saxony are fighting international crime in a persistent, effective and extremely successful manner.

The takedown of Avalanche is a testimony to the excellent international collaboration of the law enforcement agencies of participating states, as well as the support provided by authorities and private organizations. I am particularly pleased that this success is being acknowledged with this award by international entities.

Congratulations to the award recipients, as well as the various individuals whose behind-the-scenes efforts contributed to this success.”

The German Lower Saxony Minister for Internal Affairs and Sports, Boris Pistorius, commends and congratulates this extraordinary success:

“Lower Saxony set the course to fight cybercrime and related forms of criminality by establishing special investigation units to specifically fight crimes like this.

We are now in the process of hiring numerous additional external IT specialists. I was personally informed of the work that these special investigators performed onsite, particularly during the key phase of dismantling this criminal infrastructure.

I applaud the outstanding successes of this investigation; in regards to fighting the dynamic development of this criminal activity, this demonstrates that we are on the right path. Congratulations on this award, and my utmost respect; also to the many contributors, whose support and collaboration made this success possible.”

#  #  #

Media Contact: PR@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Oath (Yahoo and AOL); Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.

San Francisco, May 4, 2017 – The Latin American and Caribbean Network Operators Group (LACNOG) has chartered a new working group to serve as a regional voice in the global anti-abuse community. The new LAC Anti-Abuse Working Group (LAC-AAWG) will convene experts from regional network operator communities and the global Messaging, Malware and Mobile Anti-Abuse Working Group to encourage industry dialogue, develop recommendations and advance best practices for safeguarding online activities.

LAC-AAWG will hold its first face-to-face meeting at LACNIC 27 in Foz do Iguaçu, Brazil, May 22-26, where it is partnering with M3AAWG to organize trusted, open-discussion sessions on anti-abuse issues and best practices. These sessions are being coordinated by LAC-AAWG founding chairs Lucimara Desiderá, security analyst at CERT.br (Brazilian National Computer Emergency Response Team) which is maintained by the Brazilian Network Information Center (NIC.br), and Christian O’Flaherty, ISOC senior development manager for Latin America and the Caribbean.

“LAC-AAWG was created to be a place where regional network operators and anti-abuse experts can share their concerns about current and emerging online threats, discuss processes validated by their peers to reduce abuse, and develop best practices that address both local and global issues. The concept is that local involvement is essential to consider our specificities and global engagement is necessary to stay abreast of the latest threats traversing the internet and to help develop operations that will mitigate them,” Desiderá said.

Since its founding in 2004, M3AAWG has emphasized the importance of global cooperation within the online community in fighting spam, phishing, fraud and other cybercrime and has worked to provide a trusted venue where security and policy experts can share information. Participants from 26 countries attended the four-day M3AAWG 39th General Meeting in San Francisco in February and its annual European meeting will be June 12-15 in Lisbon, Portugal. 

Last year, M3AAWG began to explore means to improve collaboration with the LAC operator communities. As a result, LACNIC (the LAC Network Information Center) and M3AAWG formed a partnership to share expertise and information that could reduce regional and global abuse. The development of LAC-AAWG as an independent working group within LACNOG is one outcome of those efforts. The partnership also has paved the way for M3AAWG members to provide training on hosting anti-abuse operations and to work with the regional community on anti-abuse best practices.  

M3AAWG Chairman Severin Walker said, “Because cyber criminals ignore borders and only care about scamming the targeted victims, the reality is that we all face similar threats and malware. There is no question that online security and abuse are both local and international issues. We applaud LACNOG, and appreciate the efforts of LACNIC, in creating this new forum as a model of local participation and global engagement. It is a resourceful approach that could be effectively applied in other regions.”

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure; and Yahoo Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.

San Francisco, April 4, 2017 – Addressing current threats such as DDoS attacks and Internet of Things security, the Messaging, Malware and Mobile Anti-Abuse Working Group has released five new best practices papers and created new special interest groups to develop cybersecurity approaches that will help protect end-users. The organization also announced its 2017 leadership and committee chairs who are responsible for supporting the group’s ongoing collaborative efforts and identifying new areas of online vulnerability.

The new best practices papers outline recommended processes to help companies and service providers better safeguard their networks and are based on the experience of anti-abuse experts in computer security, business, public policy and academia.  The papers are:

• M3AAWG Initial Recommendations: Arming Businesses Against DDoS Attacks – outlines the various types of attacks and explains how to prepare for them, including the steps to take during and after an assault
• M3AAWG Multifactor Authentication Recommendations – explains why and when multifactor authentication should be used
• M3AAWG Recommendations Around Password Managers – a short overview defining when comprehensive password managers provide value
• M3AAWG Password Recommendations for Providers – guidelines on setting password requirements that balance security with complexity and cost
• M3AAWG Describes Costs Associated with Using Crypto – a brief guide to help plan for encryption deployments

M3AAWG currently has 42 papers available on its website under the For the Industry tab in its Best Practices section at /published-documents.  These best practices and tutorials address both emerging and ongoing anti-abuse challenges, such as methods to counter pervasive monitoring, abuse desk processes, anti-phishing and spam techniques, recommended senders best practices and other relevant topics.

Special Interest Groups Focus on Global Issues

M3AAWG also formed a new Internet of Things SIG to coordinate members’ efforts in resolving abuse issues from compromised IoT devices.  The new special interest group will develop reputation guidelines and processes for the supply chain while promoting consumer security awareness and working with manufacturers to build better security into devices.

The M3AAWG DDoS SIG is focused on helping ISPs, hosting companies and third-party DDoS security service providers understand existing and emerging Distributed Denial of Service attack types. It is developing additional papers that will explain prevention methods, monitoring and mitigation architectures, and business strategies.

2017 Leadership Takes the Helm

Along with finalizing the papers during the M3AAWG 39th General Meeting in San Francisco last month, Severin Walker, senior manager, Comcast Anti-Abuse Engineering, was elected the new Chairman of the M3AAWG Board. He has contributed to the organization over the past five years as a Board member and a chair of the M3AAWG Technical Committee. 

Also elected at the February 23 Board meeting were vice chairpersons Janet Jones, senior security program manager in Microsoft’s Trustworthy Computing Security organization; Len Shneyder, SendGrid, Inc. vice president of industry relations; and Matthew Stith, Rackspace anti-abuse specialist. Sam Silberman, Endurance International Group director of standards and industry relations, will serve his fourth term as treasurer and Jerry Upton continues as executive director.

Most of the work and best practices in M3AAWG are generated through dialogue among industry professionals in topical committees.  The committees meet on regularly scheduled conference calls and during the three M3AAWG working meetings each year to develop the anti-abuse recommendations and other projects.

“M3AAWG provides a critical space where hundreds of subject matter experts from across the spectrum can collaborate in a trusted and vetted environment and, because of this, our work is important for the long-term security of the internet. M3AAWG committees provide the structure – they are the super-highways – that ensure these discussions are meaningful and address the critical issues. So eventually, the volunteer M3AAWG committee chairs are the ones who keep the energy and our work flowing,” Walker said in announcing the 2017 committee chairs:

• Abuse Desk Co-Chairs Charles Helstein, PayPal; Tobias Knecht, Abusix, Inc.; and Justin Paine, Cloudfare
• Academic Committee Co-Chairs Dr. Manos Antonakakis, Georgia Tech, and Carel, Spamhaus
• Anti-Phishing SIG Co-Chairs Carlos Alvarez, ICANN, and Chelsea Maldonado, Mailchimp
• Awards Committee Co-Chairs Christine Borgia, Return Path, and Neil Schwartzman, CAUCE
• Brand SIG Co-Chairs Ryan Boyd, Groupon, and Mike Hammer, AG Interactive
• Collaboration Committee Co-Chairs Stephen Ford, Adobe Systems Inc.; Sven Krohlas, 1 & 1 Internet SE; and Mary Youngblood
• DDoS SIG Co-Chairs Mike Glenn, Cable Television Laboratories, Inc., and Glen Pirrotta, Comcast
• Hosting Committee Co-Chairs Matthew Stith, Rackspace, and Justin Lane, Endurance International Group
• Information Sharing SIG Co-Chairs Chris Boyer, AT&T, and Doug Pearson, REN-ISAC
• Internet of Things SIG Co-Chairs M3AAWG Senior Technical Advisor Michael O’Reirdan and Chris Roosenraad, NeuStar
• M3AAWG Guides Co-Chairs Alyssa Nahatis, Adobe Systems, Inc., and M3AAWG Privacy Advisor William Wilson, Breckenhill Inc.
• M3AAWG meeting Open Round Tables Co-Chairs Melinda Plemel, Proofpoint, and Vincent Schonau, Abusix
• Pervasive Monitoring SIG Co-Chairs Janet Jones, Microsoft, and Alex Brotman, Comcast
• Program Committee Co-Chairs Kurt Andersen, LinkedIn; Dennis Dayman, Return Path; and Len Shneyder, SendGrid, Inc.
• Public Policy Committee Co-Chairs Frank Ackerman, M3AAWG Public Policy Advisor; Chris Boyer, AT&T; and Chris Roosenraad, NeuStar
• Senders Committee Co-Chairs Andrew Barrett, Adobe Systems, Inc., and Tara Natanson, Endurance International Group
• Technical Committee Chair Severin Walker, Comcast.  The Technical Committee area co-chairs are:
• Messaging - Peter Goldstein, ValiMail, and James Hoddinott, Cloudmark, Inc.
• Malware - Jeremy Demar, Vigilant By Deloitte, and Loucif Kharouni, Deloitte
• Training Committee Co-Chairs Christine Borgia, Return Path; Kurt Diver, SendGrid, Inc.; Annalivia Ford, IBM; and Udeme Ukutt, Splio
• Voice and Telephony Abuse SIG Co-Chairs Alex Bobotek, AT&T, and Dr. Mustaque Ahamad, Georgia Tech
• Women in Messaging Abuse/Diversity and Inclusion Chair Janet Jones, Microsoft

Additionally, M3AAWG Senior Technical Advisor John Levine, founder of Taughannock Networks, was appointed M3AAWG liaison to ICANN.  Jesse Sowell continues as a special M3AAWG representative to LACNIC, the Latin America and Caribbean Network Information Center, and is helping to develop joint anti-abuse work with that organization.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.M3AAWG.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: Pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure; and Yahoo! Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; MAPP Digital; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.