FYI.

This story is over 5 years old.

Tech

The Rise and Fall of a $2 Million Spam Shop

The conspiracy involved commandeering email servers, and turning a corporate employee against his company.
Image: Shutterstock

Spam is big business. Even though you might not pay attention to those gimmicky little emails that somehow end up in your inbox, they rake in millions upon millions of dollars for those firing them out.

On Tuesday, Timothy Edward Livingston, 30, from Florida; Tomasz Chmielarz, 32 of New Jersey; and Devin James McArthur, 27, of Maryland, were charged with being part of a massive spam campaign, according to an FBI press release. The conspiracy allegedly involved them breaking into the email accounts of several corporations, hacking using custom designed software, stealing the personally identifying information of tens of millions of Americans, and even having an insider turn against his employer to target a company's network.

Advertisement

Livingston was the leader of the scheme; Chmielarz, the computer programmer; and McArthur, the mole inside a telecommunications company who would assist in siphoning off data. The group targeted at least four companies, including a technology and consulting firm, an internet and email provider, and a credit monitoring service company.

In all, the indictment against them alleges, the trio made a cool $2 million, and Livingston would go on to buy a Ferrari F430 with some of those proceeds.

But it appears that this conspiracy had much more humble beginnings, and started off as a fairly standard spam shop, before spiralling out of control.

It all started with Livingston, who started a company called "A Whole Lot of Nothing LLC", or AWLN, in 2011. AWLN would send out spam emails on the behalf of its customers, which included legitimate businesses like insurance brokers, as well as more black market companies, like online pharmacies that sold drugs with no need for a prescription.

Livingston would charge between $5 and $9 for each email that ended up in a successful transaction for the client, the indictment claims.

But, spamming isn't as simple as sending an email to a load of people. For years, service providers have ramped up their anti-spam measures, making it much less likely that an unsolicited email from a suspicious source gets through the filters.

That's perhaps the reason Livingston, according to the indictment, hired Chmielarz in January 2012 to create custom computer programs to send spam that would hide its original location and circumvent any filters it might come across. Around this time, the pair also started using botnets and proxy servers to bombard targets with their emails and remain anonymous. Livingston also registered several sites using the alias "Mark Lloyd," in order to "avoid detection," the indictment reads.

Advertisement

But Livingston and Chmielarz weren't content with this strategy. They designed custom software to hack into email accounts belonging to a telecommunications company based in New York. Livingston paid his collaborator $1,500, although the indictment does not say whether this was as payment for creating the hacking tool.

"Once the Email Account Software gained access to a Corporate Victim #1 user's account, it then created sub-accounts," and used those to then send spam, the indictment reads. This way, the spam emails looked like they were coming from the telecommunications company, and would likely bypass any filters in their path.

They went on to create software to target the website of a technology and consulting company, also based in New York, which would send spam emails through a vulnerability in the customer contact section of the website.

In May 2013, Livingston provided Chmielarz with some staff login credentials for a credit monitoring company, and told him to scrap the contents of its database. That database, according to an online chat between the pair referenced in the indictment, contained around 10 million records.

And the heist quickly worked. After Chmielarz designed another custom tool, Livingston said in that same month he had managed to pilfer 200,000 records so far.

Many would be content with this level of criminality: multiple companies had already been hacked, and were sending out spam emails on behalf of Livingston and Chmielarz. But they weren't done yet, and launched an even more audacious plan.

Advertisement

A list of the victims affected by the conspiracy.

It is not clear how McArthur became involved in the conspiracy, but in August 2014, the trio discussed using McArthur's employment at a telecommunications company in Pennsylvania to steal confidential business information, including the personally identifiable information of millions of the company's customers.

Shortly after, McArthur gave his collaborators access to the target company's network via a "remote administration tool." The treasure trove of data they now had access to was likely bigger than anything else they had ever grabbed before: it included the details of 50 million people.

In fact, the sheer amount of data was apparently a problem. "Defendant LIVINGSTON also discussed the technical challenges associated with stealing such a large volume of data," according to the indictment.

By September, they had managed to steal around 24.5 million records from the company. Livingston and McArthur discussed selling the database off, but ultimately decided to use it for spamming purposes.

That moment was the height of their campaign. In July of this year, the contents of several of Livingston's bank accounts were seized, totalling nearly $300,000. His 2006 Ferrari F340 convertible was also snatched, along with a 2009 Cadillac Escalade SUV.

Some of the assets seized by law enforcement.

All three of the defendants could face up to 20 years in prison for their various roles in the conspiracy.

You might not even open any of those spam emails you receive. But someone, somewhere, is hoping to make a serious payday by flooding your inbox.

14584108-0--26455