Two Missouri Brothers Among Those Indicted in $4 Million Nationwide Spamming Conspiracy

* Reuters is not responsible for the content in this press release.

Wed Apr 29, 2009 5:36pm EDT

Millions of E-Mail Addresses Illegally Harvested from Computers at 2,000
Schools

KANSAS CITY, Mo., April 29 /PRNewswire-USNewswire/ -- Two Missouri men and
their company are among those indicted by a federal grand jury in a nationwide
e-mail spamming case that victimized more than 2,000 colleges and universities
in a scheme that sold more than $4 million worth of products to students,
announced Matt J. Whitworth, Acting United States Attorney for the Western
District of Missouri.

Amir Ahmad Shah, 28, of St. Louis, his brother, Osmaan Ahmad Shah, 25, of
Columbia, Mo., their business, I2O, Inc., Liu Guang Ming, a citizen of China,
and Paul Zucker, 55, of Wayne, N.J., were charged in a 51-count indictment
returned under seal by a federal grand jury in Kansas City, Mo., on April 23,
2009. That indictment was unsealed and made public today upon the arrests and
initial court appearances of Amir and Osmaan Shah.

"Nearly every college and university in the United States was impacted by this
scheme," Whitworth said. "Illegal hacking and e-mail spamming wreaks havoc on
computer networks. These schools spent significant funds to repair the damage
and to implement costly preventive measures to defend themselves against
future intrusions. We take computer crimes seriously and will aggressively
prosecute those who violate the federal CAN-SPAM Act."

The federal indictment alleges that the spam e-mail scheme targeted colleges
and universities across the United States. The Shahs allegedly developed
e-mail extracting programs, which they used to illegally harvest more than
eight million student e-mail addresses from more than 2,000 colleges and
universities. They allegedly used this database of e-mail addresses to send
targeted spam e-mails selling various products and services to those students.
They conducted at least 31 of these spam e-mail marketing campaigns directed
at students, the indictment says, selling more than $4.1 million worth of
products.

According to the indictment, the Shahs often initiated their spam campaigns,
sending millions upon millions of spam e-mail messages through the computer
network at the University of Missouri, where Osmaan Shah is a student. Osmaan
Shah either connected to the Internet via the campus wireless Internet service
or connected directly to the network through an ethernet cable connection in a
classroom or other campus building. The university's network sustained damage
from the large amount of network resources and bandwidth used during the
transmission of millions of spam e-mail through its system. The university
also expended a substantial amount of time, money and resources to respond to
and repair problems caused by the spam e-mail campaigns and to protect and
defend its network from future spam e-mail campaigns.

"The University of Missouri has worked closely alongside our office throughout
this investigation," Whitworth said. "We appreciate their partnership and
cooperation, which has been instrumental in bringing this case to indictment."

As part of the conspiracy, the indictment says, the Shahs used false and
misleading information in the spam e-mails, suggesting they had an association
with the university or college that the student receiving the spam attended.
They allegedly used fictitious names and purported to be "campus
representatives" from the college of the student receiving the spam. They also
falsely claimed that the businesses who manufactured or sold the products in
the spam e-mail were "alumni-owned" companies.

The Shahs allegedly made money from these spam e-mail campaigns in one of two
ways: by earning a "referral fee" for sending spam e-mail for products and
services sold by others, or by buying products in bulk themselves and then
selling those products.

The Shahs hired several employees - who are not named in the indictment, but
identified as unindicted co-conspirators - to help develop the e-mail
extraction program and create the Web sites to market and sell the products
and services advertised by their spam e-mails. The Shahs allegedly used mass
mailing software programs to materially falsify e-mail header information and
to avoid spam filters by rotating subject lines, reply addresses, message
content and URLs, and other information in the e-mail header and e-mail body
content.

The Shahs allegedly created dozens of identical Web sites for each campaign
(often more than 60 Web sites per campaign) in order to divide, obscure, and
conceal the source of the spam e-mails, and to attempt to keep the source of
their spam e-mails from being blocked by spam filters. These Web sites sold
products such as digital cameras, MP3 players, magazine subscriptions, spring
break travel offers, pepper spray and teeth whiteners. More recently, the
indictment says, the Shahs began sending spam e-mails soliciting students to
subscribe to their social networking Web site, www.noog.com.

According to the indictment, the Shahs initially set up hosting in China,
which provided them anonymity as to the origins of the spam e-mails and
shielded them from complaints from the recipients of their spam. Ming
allegedly partnered with the Shahs as early as 2002 and rented them access to
a network of 40 servers under his control in China for hosting Web sites and
sending spam e-mail. Ming also provided hosting and mailing services to other
spammers, the indictment says, with the Shahs acting as the middle-man in the
transactions. The Shahs solicited customers for what was advertised as
"Offshore Bullet Proof Hosting" and collected the money, which they sent to
Ming. Ming performed the network administration duties in China, and worked to
keep the Web sites operational.

After learning of the criminal investigation into their activities in 2005
when search warrants were executed on their residence and business, the
indictment says, the Shahs modified their scheme. Because officials at the
University of Missouri had identified them as the source of the spam e-mails,
they allegedly removed the e-mail addresses of students of the University of
Missouri from their database and continued to send their spam e-mail to all of
the other colleges and universities. According to the indictment, they began
leasing hosting and mail services from numerous companies for each subsequent
spam campaign in order to conceal the source and size of their spam e-mail
campaigns.

Zucker, allegedly a spammer sending spam e-mail for his own products,
partnered with the Shahs when they were leasing space on Ming's servers in
China. Zucker is alleged to have bought and sold proxies (computer servers
that allow clients to make indirect network connections to other computers in
order to camouflage the originating source of an e-mail) with the Shahs.

Each of the defendants is charged with participating in the conspiracy to
engage in an unlawful spam e-mail operation since Jan. 1, 2004. In addition to
the conspiracy charge, the indictment also contains the following charges:

Fraud in Connection with Computers

The Shahs are charged in each of five counts of computer hacking related to
the use of e-mail extractor programs to unlawfully harvest student e-mail
addresses.

Each of the defendants is charged in one count of aiding and abetting each
other to unlawfully use the University of Missouri computer network to send
spam e-mail. In 2004, the Shahs conducted at least seven spam e-mail campaigns
utilizing the university's network.

Fraud in Connection with E-mail

All of the defendants are charged in each of nine counts of aiding and
abetting each other to access a protected computer without authorization and
transmit multiple commercial e-mails.

All of the defendants are charged in each of nine counts of aiding and
abetting each other to materially falsify header information in multiple
commercial e-mails.

The Shahs and I2O are also charged in each of 26 counts of aiding and abetting
each other to access a protected computer without authorization and transmit
multiple commercial e-mails with the intent to deceive or mislead the
recipients (or any Internet access service) about the origin of those
messages.

Forfeiture Allegation

The indictment also contains a forfeiture allegation, which would require the
defendants to forfeit to the government $4,191,966, representing the proceeds
obtained as a result of the offense, for which the defendants are jointly and
severally liable, as well as two residential properties in St. Louis and a
2001 BMW belonging to Amir Shah and a residential property in Columbia and a
2002 Lexus sedan belonging to Osmaan Shah.

CAN-SPAM Act

In 2003, Congress passed the CAN-SPAM (Controlling the Assault of
Non-Solicited Pornography and Marketing) Act, making fraud in connection with
electronic mail a federal crime. Spam refers to unsolicited bulk commercial
e-mail. Under federal law, it is illegal to send multiple commercial e-mails
if the sender accesses a computer system without authorization, transmits the
e-mails in such a way as to hide their origin, or materially falsifies the
header information in the messages.

Whitworth cautioned that the charges contained in this indictment are simply
accusations, and not evidence of guilt. Evidence supporting the charges must
be presented to a federal trial jury, whose duty is to determine guilt or
innocence.

This case is being prosecuted by Assistant U.S. Attorney Matthew P. Wolesky.
It was investigated by the FBI. 


SOURCE  U.S. Department of Justice

Don Ledford of the Office of Acting United States Attorney Matt J. Whitworth,
Western District of Missouri, +1-816-426-4220, +1-816-426-4176 (TDD)