Corrupt agent who investigated Silk Road is suspected of another $700k heist


Newly unsealed court documents have revealed that one of the corrupt federal agents investigating Silk Road, the online drug marketplace, is suspected of stealing hundreds of thousands of dollars worth of bitcoin—after he pleaded guilty last year.

Shaun Bridges is one of two agents who pled guilty to stealing from the Darknet market. Bridges stole about $800,000 worth of bitcoins from Silk Road drug dealers after he and a partner arrested a Silk Road admin and learned how to reset passwords. That led to Ross Ulbricht, who was convicted of running Silk Road in February 2015, attempting to order the murder of the admin, Curtis Green. Ulbricht was sentenced to life in prison last year.

Bridges’ scam was later discovered, though. The former Secret Service agent, who served on a Baltimore-based task force investigating Silk Road, was arrested in March 2015 and pled guilty a few months later. In January, Bridges was arrested again just one day before he was scheduled to turn himself in. The documents unsealed Thursday shed light on why the second arrest took place.

Access not denied

In November 2014, the US Attorney in Maryland seized 1606 bitcoins, worth about $600,000 (£400,000) at the time, from various accounts at a company called Bitstamp. Bridges was the affiant on the warrant, and the funds were put into a Bitcoin wallet he created. Later, some of the account owners “disputed the legality of the warrant,” according to an affidavit (PDF) signed by IRS Special Agent Tigran Gambaryan, who headed up the Northern California-based investigation of Bridges’ crimes. In September 2015, a federal court in Maryland ordered the US Secret Service to return $30,616 worth of bitcoins to the affected Bitstamp clients.

When the Secret Service accessed the wallet, however, the bitcoins were gone. They’d been moved on July 28, after Bridges signed his guilty plea.

The affidavit doesn’t outright state that Bridges took the money, but it looks mighty suspicious. It’s possible that other employees had access, but “at present the only individual that is conclusively known to have access was Bridges.” Secret Service had never revoked Bridges’ access to the wallet, even after he had been arrested and the agents were warned to do so. About a dozen other Secret Service employees were interviewed and all reported they did not have access to the wallet.

The stolen money was moved into an account at BTC-e associated with the e-mail account “” BTC-e is an unregistered foreign Bitcoin exchange that “operates without appropriate anti-money laundering” policies, according to the government. BTC-e ultimately did provide some records, but the logs showed that the money was accessed through Tor and run through a Bitcoin tumbler. When he was a federal agent, Bridges was a specialist in tumblers and the use of Tor.

The affidavit also recounts how Bridges petitioned a Maryland state court to change his name from “Shaun Wesley Bridges” to “Calogero Esposito.” (Bridges’ wife’s last name is Esposito). Bridges, who sought to have the name change sealed from the public record, neglected to mention that he had been arrested and was scheduled to plead guilty to money-laundering charges. His petition for a name change was denied, but he re-petitioned two more times.

Bridges’ PayPal account also showed that he had attempted to order a birth certificate from a company that claims to provide German documents.

The affidavit also asks for a warrant to obtain records from Microsoft related to the “” address, saying there’s probable cause the account was related to the theft.

While the documents lay out what the government was thinking in late January, there’s no indication of where the investigation proceeded after that. Bridges has begun serving his original sentence at the federal prison in Terre Haute, Indiana. It isn’t clear if or when additional charges will be filed against him.



Crooks Forget to Properly Secure Their Phishing Server


Security researchers for ISC (Internet Security Center) have uncovered a new phishing campaign that uses a login form on top of a blurred image of an Office document to trick users into handing over their login details.

This particular phishing campaign is distributed via spam email messages that also contain a blurred-out image, with a link to view the file at the end of the email message.

The link leads back to a Brazilian server, which didn’t appear to be hacked, as most phishing hosts regularly are.

Phishing page login form was very vague

All phishing campaigns have a weakness, and according to ISC researcher Xavier Mertens, this one had several.

For starters, the phishing campaign isn’t very well defined. Mertens says that crooks weren’t very specific when they crafted the login forms, and victims landing on this page wouldn’t have known what login details they should fill in.

“The strange fact is that it is not clear which credentials are targeted: Google, Microsoft or corporate accounts?” Mertens explains. “The success of an efficient phishing is to take the victim by the hand and ‘force’ him/her to disclose what we are expecting.”

Crooks forget phishing kit source code on the server

The researcher also adds that the crooks misconfigured the server hosting this phishing campaign, which allowed him to access all its files, including PHP resources. On the server, Mertens claims he discovered the kit with which the crooks crafted their phishing campaign.

Crooks created the blur effect by taking a low-res image (ex: 300*200px) and displaying it at very high resolutions. On top of this, they came up with a login form that featured JS-based validation of the email address the user entered.

The crooks would check to see if the user entered a valid email address, and showed errors in case the user tried to test the phishing page by entering non-standard data.

Phished data was sent via email to the crooks

Once the JS script detected a valid email address, it would send the following details via email to the attacker’s email address: email, password, GeoIP details, user-agent string, FQDN computer ID, and the victim’s IP address.

The phishing campaign had a second page, one that asked the user to enter their phone number. As with the first step, this detail, if filled in, was sent via email to the crooks.

Mertens says the crooks behind this campaign used two email addresses hosted on Gmail and to receive their phished credentials.

The lesson here is that if you look long enough at any phishing page, it’s quite a piece of cake to find easily detectable flaws, either in the GUI or the page’s source code.

By Catalin Cimpanu


Israeli Advertising Company Behind OSX.Pirrit Mac Adware


An Israeli company named TargetingEdge is behind the recent wave of Mac adware detected as OSX.Pirrit, Amit Serper, security researcher for Cybereason, explains in a report released today.

Pirrit is the name of a famous piece of Windows adware that appeared around 2014. Serper was the first one to spot a version of this adware targeting Mac users earlier in April, when he released a tell-all report detailing the adware’s nasty behavior.

Unlike the Windows version, which only injected ads in your Web traffic, Pirrit on Mac was far more dangerous because it also gained root privileges on infected Macs and had the capabilities to install other binaries, like a keylogger, for example.

New OSX.Pirrit version contains clues about its author

Serper continued to track the adware’s evolution and even created a script that removes Pirrit from infected systems. Recently, he was approached by a user who complained about the script failing to remove Pirrit from his computer.

The researcher quickly understood that Pirrit’s creators put out a new version that fixed the issues he revealed in his April report, such as the presence of leftover Windows code, but that they also managed to break the Pirrit remover script.

Luckily, Pirrit’s creators forgot to sanitize one of the archives that the adware dropped on infected systems. Serper’s explanation is below:

  The tar.gz archive format is a Posix format, which means that it also saves all of the file attributes (like owners and permissions) inside of the archive as they were on the computer that the archive was created on. So when I listed the files inside the archive, I could see the user name of the person who created the archive.  
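The header fields Serper describes can be inspected and stripped with Python's standard tarfile module. This is an added example, not code from the report or from Cybereason; the archive, the member name and the username "johndoe" are constructed here for illustration.

```python
import io
import tarfile

# Constructed sample: build a tar.gz in memory the way a careless packager would,
# with the creating account's username baked into every member header.
def build_archive_with_owner(uname: str, uid: int = 501) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"echo installer\n"
        info = tarfile.TarInfo(name="installer/run.sh")
        info.size = len(data)
        info.uname = uname       # on a real system this comes from the packager's account
        info.uid = uid
        info.gname = "staff"
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def list_owners(archive: bytes) -> dict:
    """Forensic view: map each member to the (uname, uid, gname) stored in its header."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: (m.uname, m.uid, m.gname) for m in tar.getmembers()}

def read_member(archive: bytes, name: str) -> bytes:
    """Return a member's contents, to confirm sanitising did not touch the data."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return tar.extractfile(name).read()

def strip_owner_metadata(archive: bytes) -> bytes:
    """Rewrite the archive with neutral ownership, like `tar --owner=0 --group=0`."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            m.uname, m.gname = "", ""
            m.uid, m.gid = 0, 0
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

if __name__ == "__main__":
    leaky = build_archive_with_owner("johndoe")
    print("before:", list_owners(leaky))
    print("after: ", list_owners(strip_owner_metadata(leaky)))
```

The same header inspection is what `tar -tvzf archive.tar.gz` prints in its owner column.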

Pirrit’s creator used his first and last name as the username for the computer on which he created the archive. The name belonged to an executive at TargetingEdge, an Israeli online marketing company. Ironically, the company’s LinkedIn profile states:

  TargetingEdge offers a Mac approved installer to marketing and advertising companies worldwide and the company also provides the unique opportunity to monetize extensive remnant mac traffic and gain additional revenue from an already existing user pool.  

The same company also shared the same board of directors with two other companies, Feature Forward, a company that sells a video platform, and TLV Media, a company that markets an ad monetization platform.

OSX.Pirrit distributed as adware in legitimate installers from shady download sites

According to Serper, TargetingEdge’s “online marketing […] Mac approved installer” was the Pirrit adware, which the company was offering to download sites that, in turn, bundled it with legitimate Mac software, such as MPlayerX, NicePlayer, and VLC.

Unlike the Windows versions of this adware that provided clear opt-out choices and uninstall options, the Mac version of Pirrit was far more deceptive.

Serper says OSX.Pirrit doesn’t feature an end user license agreement that explains in clear language what Pirrit does, nor does it feature an easy uninstallation process.

The OSX.Pirrit installer buried uninstall instructions deep in the temp folders or inside a hidden user’s home directory, locations where no sane person will look for such details.

Analyzing the archive files downloaded via the April version of OSX.Pirrit, Serper found the same clues, confirming his findings, but this time, the adware was assembled by one of TargetingEdge’s Web developers.

This is the second advertising firm found behind a malware distribution campaign after Check Point released a report that tied Chinese firm Yingmob to the YiSpecter (iOS) and HummingBad (Android) malware.

By Catalin Cimpanu


Second Man Pleads Guilty in “The Fappening” Celebrity Hacking Scandal


Edward Majerczyk, 28, of Chicago and Orland Park, Illinois, agreed to plead guilty last Friday, July 1, in a criminal case that had him accused of hacking over 300 iCloud and Gmail accounts, of which 30 belonged to Hollywood and other celebrities.

Majerczyk was the second man accused of participating in The Fappening celebrity hacking scandal during which hackers breached the iCloud and Gmail personal email accounts of 100 celebrities and leaked private images and videos, sometimes adult in nature.

The first suspect was never charged, Majerczyk was the second

Prior to naming Majerczyk, the FBI raided the home of Emilio Herrera, another Chicago native, on October 15, 2014. This past January, it was revealed that the FBI conducted a mirror raid on the house of Majerczyk, on the same day.

Authorities said that Majerczyk registered the email address, similar to the official address. He then used it to send spear-phishing emails to various celebrities.

The FBI said the suspect accessed 330 accounts over 600 different times, downloading sensitive material, from November 23, 2013, through August 2014.

Court documents mentioned the celebrities’ initials: J.L., K.U., J.V. and A.L. The initials J.L. could stand for Jennifer Lawrence, K.U. for Kate Upton, and J.V. for Justin Verlander, all victims of The Fappening (or Celebgate).

According to his plea deal, once Majerczyk officially signs the document, he will face a statutory maximum sentence of five years in federal prison.

A third suspect has already pleaded guilty

In March, the US Department of Justice announced that they charged Ryan Collins, 36, of Lancaster, Pennsylvania, with hacking the Apple and Gmail accounts of several celebrities between November 2012 and September 2014.

The FBI said Collins hacked 50 iCloud accounts and 72 Gmail accounts. Collins later pleaded guilty and agreed to a recommended prison term of 18 months.

Authorities state that neither Majerczyk nor Collins was the one who uploaded the pictures online. This could be the work of Herrera or a fourth suspect.

By Catalin Cimpanu