Messaging

Toronto, October 4, 2017 –  M3AAWG honored two German law enforcement officials today for their work in developing the global public/private collaboration that shutdown a massive malware offensive infecting computers in 189 countries and costing victims over $6 million in ransomware payments. Lower Saxony Chief Police Inspector Jörn Bisping and Senior Prosecutor Frank Lange received the 2017 M3AAWG J.D. Falk Award from the Messaging, Malware and Mobile Anti-Abuse Working group for spearheading worldwide efforts to dismantle the criminalized Avalanche platform.

See the video with the recipients talking about their five-year investigation that led to the the takedown.

The global cooperative efforts initiated by the German police and prosecutor’s office resulted in eight arrests, 500 court orders, 37 onsite searches and 39 servers seized worldwide.  Over 800,000 domains were seized, blocked or had their traffic diverted to a safe server rather than one controlled by criminals – a process known as sinkholing – making it the largest law enforcement operation to redirect malicious domains to date. 

“There was unprecedented cooperation worldwide, including registries in Russia and China taking down malicious domains, and support from smaller countries with lesser-known domains. We worked out some of the processes for collaborating better, and future takedowns and activities against cybercriminals will move even faster,” Bisping said in discussing the award.

A massive and complex criminal platform, Avalanche was used to deploy several attack vectors. Bots on the Avalanche network could determine if the targeted victim was accessing online banking and, if so, would plant key loggers and other malware on these systems to steal the user’s login credentials. Other users would be targeted with ransomware malware.  The platform also was used to recruit money laundering “mules” with a convoluted scheme to move stolen funds and ransom out of the country of origin by diverting payments between contracted sources.

In announcing the award at the M3AAWG four-day meeting in Toronto, Canada, the organization’s Chairman of the Board Severin Walker said, “Global action is the only way to protect our local citizens. It’s our professional responsibility to take the initiative in identifying major threats and then reach out to the international community to help confront them.  Chief Inspector Bisping and Senior Prosecutor Lange did just this and millions of end-users are much safer now and have benefited from their dedication.”

Five Years of Meticulously Detailed Investigation

The work behind the November 30, 2016 global Avalanche takedown started five years earlier when Bisping, with the Lower Saxony Police in Luneburg, began investigating a single cyberattack that appeared to be responsible for 200 local ransomware cases. In 2013, Lange, a senior prosecutor with the Public Prosecutor's Office in Verden, escalated the investigation to include more than 6,000 similar attacks throughout Germany.  As the global scope and complexity of the Avalanche platform became known, they reached out to cybercrime experts such as the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE), which eventually analyzed over 130 TB of captured data to identify the botnet server structure.

Lange said, “We realized through reverse engineering and other detailed analysis that Avalanche was more than just a botnet or a network running a few types of malware; it was a complete infrastructure and it would be impossible to stop without the help of other countries. By this time, we were in a position to invite the international community to work with us on three goals: to take down the servers, issue arrest warrants to those running them, and sinkhole all the families of malware we identified on the platform.”

In July of 2015, German police officials asked the U.S. Federal Bureau of Investigation for assistance. This eventually led to the international takedown in late 2016 that diverted traffic headed to the known malicious domains to the collaboration team’s servers and to the arrests. The investigation and the subsequent operation also involved the European police agency Europol, the European Union's Judicial Cooperation Unit or Eurojust, the U.S. Department of Justice, cybersecurity organizations such as Shadowserver, and investigators and prosecutors in more than 40 countries.

The J.D. Falk Award recognizes a significant achievement that protects end-users and the people working behind the scenes to make a better online world.  The 2017 award was announced at the M3AAWG 41st General Meeting in Toronto, Canada, with over 300 cybersecurity participants from around the world at the Oct. 3-5 event. M3AAWG also hosted UCENet (previously known as the London Action Plan) during the week.  The M3AAWG 42nd General Meeting will be February 19-22, 2018 in San Francisco, USA.

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

The German Lower Saxony Minister of Justice, Antje Niewisch-Lennartz, congratulates both award winning recipients:

“The law enforcement agencies of Lower Saxony are fighting international crime in a persistent, effective and extremely successful manner.

The takedown of Avalanche is a testimony to the excellent international collaboration of the law enforcement agencies of participating states, as well as the support provided by authorities and private organizations. I am particularly pleased that this success is being acknowledged with this award by international entities.

Congratulations to the award recipients, as well as the various individuals whose behind-the-scenes efforts contributed to this success.”

The German Lower Saxony Minister for Internal Affairs and Sports, Boris Pistorius, commends and congratulates this extraordinary success:

“Lower Saxony set the course to fight cybercrime and related forms of criminality by establishing special investigation units to specifically fight crimes like this.

We are now in the process of hiring numerous additional external IT specialists. I was personally informed of the work that these special investigators performed onsite, particularly during the key phase of dismantling this criminal infrastructure.

I applaud the outstanding successes of this investigation; in regards to fighting the dynamic development of this criminal activity, this demonstrates that we are on the right path. Congratulations on this award, and my utmost respect; also to the many contributors, whose support and collaboration made this success possible.”

#  #  #

Media Contact: PR@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Oath (Yahoo and AOL); Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.

San Francisco, May 4, 2017 – The Latin American and Caribbean Network Operators Group (LACNOG) has chartered a new working group to serve as a regional voice in the global anti-abuse community. The new LAC Anti-Abuse Working Group (LAC-AAWG) will convene experts from regional network operator communities and the global Messaging, Malware and Mobile Anti-Abuse Working Group to encourage industry dialogue, develop recommendations and advance best practices for safeguarding online activities.

LAC-AAWG will hold its first face-to-face meeting at LACNIC 27 in Foz do Iguaçu, Brazil, May 22-26, where it is partnering with M3AAWG to organize trusted, open-discussion sessions on anti-abuse issues and best practices. These sessions are being coordinated by LAC-AAWG founding chairs Lucimara Desiderá, security analyst at CERT.br (Brazilian National Computer Emergency Response Team) which is maintained by the Brazilian Network Information Center (NIC.br), and Christian O’Flaherty, ISOC senior development manager for Latin America and the Caribbean.

“LAC-AAWG was created to be a place where regional network operators and anti-abuse experts can share their concerns about current and emerging online threats, discuss processes validated by their peers to reduce abuse, and develop best practices that address both local and global issues. The concept is that local involvement is essential to consider our specificities and global engagement is necessary to stay abreast of the latest threats traversing the internet and to help develop operations that will mitigate them,” Desiderá said.

Since its founding in 2004, M3AAWG has emphasized the importance of global cooperation within the online community in fighting spam, phishing, fraud and other cybercrime and has worked to provide a trusted venue where security and policy experts can share information. Participants from 26 countries attended the four-day M3AAWG 39th General Meeting in San Francisco in February and its annual European meeting will be June 12-15 in Lisbon, Portugal. 

Last year, M3AAWG began to explore means to improve collaboration with the LAC operator communities. As a result, LACNIC (the LAC Network Information Center) and M3AAWG formed a partnership to share expertise and information that could reduce regional and global abuse. The development of LAC-AAWG as an independent working group within LACNOG is one outcome of those efforts. The partnership also has paved the way for M3AAWG members to provide training on hosting anti-abuse operations and to work with the regional community on anti-abuse best practices.  

M3AAWG Chairman Severin Walker said, “Because cyber criminals ignore borders and only care about scamming the targeted victims, the reality is that we all face similar threats and malware. There is no question that online security and abuse are both local and international issues. We applaud LACNOG, and appreciate the efforts of LACNIC, in creating this new forum as a model of local participation and global engagement. It is a resourceful approach that could be effectively applied in other regions.”

About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

#  #  #

Media Contact: pr@m3aawg.org

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); dotmailer; Endurance International Group; Facebook; Google; LinkedIn; Mailchimp; Microsoft Corp.; Orange (NYSE and Euronext: ORA); Rackspace; Return Path; SendGrid, Inc.; Vade Secure; and Yahoo Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; Exact Target, Inc.; IBM; iContact; Intel Security; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Liberty Global; Listrak; Litmus; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; Sparkpost; Sprint; Symantec; and USAA.

A complete member list is available at /about/roster.