Adconion Employees Allegedly Hijacked IP Addresses for Spamming

Sep 3, 2019 by


Jeff Morgan (Jeffrey Perry Morgan), Jonathan David, and Petr Pacas have long been associated with Adconion. It started out as Frontline Direct. Kim Reed Perell started Frontline Direct and is CEO of Amobee, which acquired Adconion while she was CEO there. Adconion is part of Amobee. Kim Reed Perell is still listed as CEO of Adconion here.

An agency used to rely on Jeff Morgan when he owned AMS Global Online and Telic Interactive for email marketing from 2011 until 2014.

Jeff Morgan referred to Ms. Perell as his partner.  They have been associated since at least the year 2000 according to SEC filings for a company named Adaptive Media, Inc.  Shareholders are listed as: Morgan Family Trust (Jeff Morgan), Qayed Shareef, and Kim Reed Perell. Click here to learn more, SEC filings.

Kim Reed Perell and Jeffrey Perry Morgan (Jeff Morgan) seem to be very close.   In September, 2013, Adconion Direct, with Kim Reed Perell as CEO, acquired Telic Interactive assets.  In July, 2014 Amobee bought Adconion along with its Telic Interactive assets.

The breaking point for the agency came when it hired Jonathan David and Jeff Morgan to do an email marketing campaign for a huge insurance company. The insurance company mandated that no Adconion lists were to be used. Jeff Morgan and Jonathan David promised they would not use Adconion email lists. The insurance company flagged the data. They were extremely upset. They argued that the leads they received were low quality and generated from Adconion email lists rebranded as Amobee.

It seems that over the years Jeff Morgan and Jonathan David consistently misrepresented the quality and sourcing of the data they sold to the agency.  The agency paid hundreds of thousands for worthless data.  For example, picking numbers at random; Telic pays dubious sources $1.00 CPM for data, presents it as high quality data culled in a CAN-SPAM compliant fashion from Tier 1 sources and charges the agency $8.00 CPM.  Quite a margin.  And since the agency only brought name brands to Jeff Morgan and Jonathan David — they had the added value of being able to present themselves more legitimately.

Campaigns never worked. Several of the agency’s clients complained that the data was spam. There was no way to check other than to take the word of Jeff Morgan and Jonathan David. When confronted, Jeff Morgan and Jonathan David always blamed the advertisers for not understanding how email marketing worked. The agency had no clue as to what was really going on until it was alerted by the insurance company and then Spamhaus.

So that is a really brief overview of what brings us to this — reprinted from the Krebs Security site —

Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company’s commercial email practices.

Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum — in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Qayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations.

THE BIGGER PICTURE

According to a memo jointly filed by the defendants, “this case spun off from a larger ongoing investigation into the commercial email practices of Company A.” Ironically, this memo appears to be the only one of several dozen documents related to the indictment that mentions Adconion by name (albeit only in a series of footnote references).

Prosecutors allege the four men bought hijacked IP address blocks from another man tied to this case who was charged separately. This individual, Daniel Dye, has a history of working with others to hijack IP addresses for use by spammers.

For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra.

Optinrealbig’s CEO was the spam king Scott Richter, who later changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

Dye has been charged with violations of the CAN-SPAM Act. A review of the documents in his case suggests Dye accepted a guilty plea agreement in connection with the IP address thefts and is cooperating with the government’s ongoing investigation into Adconion’s email marketing practices, although the plea agreement itself remains under seal.

Lawyers for the four defendants in this case have asserted in court filings that the government’s confidential informant is an employee of Spamhaus.org, an organization that many Internet service providers around the world rely upon to help identify and block sources of malware and spam.

Interestingly, in 2014 Spamhaus was sued by Blackstar Media LLC, a bulk email marketing company and subsidiary of Adconion. Blackstar’s owners sued Spamhaus for defamation after Spamhaus included them at the top of its list of the Top 10 world’s worst spammers. Blackstar later dropped the lawsuit and agreed to pay Spamhaus’ legal costs.

Representatives for Spamhaus declined to comment for this story. Responding to questions about the indictment of Adconion employees, Amobee’s parent company SingTel referred comments to Amobee, which issued a brief statement saying, “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

ONE OF THE LARGEST SPAMMERS IN HISTORY?

It appears the government has been investigating Adconion’s email practices since at least 2015, and possibly as early as 2013. The very first result in an online search for the words “Adconion” and “spam” returns a Microsoft Powerpoint document that was presented alongside this talk at an ARIN meeting in October 2016. ARIN stands for the American Registry for Internet Numbers, and it handles IP address allocations for entities in the United States, Canada and parts of the Caribbean.

As the screenshot above shows, that Powerpoint deck was originally named “Adconion – Arin,” but the file has since been renamed. That is, unless one downloads the file and looks at the metadata attached to it, which shows the original filename and that it was created in 2015 by someone at the U.S. Department of Justice.

Slide #8 in that Powerpoint document references a case example of an unnamed company (again, “Company A”), which the presenter said was “alleged to be one of the largest spammers in history,” that had hijacked “hundreds of thousands of IP addresses.”

A slide from an ARIN presentation in 2016 that referenced Adconion.

There are fewer than four billion IPv4 addresses available for use, but the vast majority of them have already been allocated. In recent years, this global shortage has turned IP addresses into a commodity wherein each IP can fetch between $15-$25 on the open market.

The dearth of available IP addresses has created boom times for those engaged in the acquisition and sale of IP address blocks. It also has emboldened scammers and spammers who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, KrebsOnSecurity broke the news that Amir Golestan — the owner of a prominent Charleston, S.C. tech company called Micfo LLC — had been indicted on criminal charges of fraudulently obtaining more than 735,000 IP addresses from ARIN and reselling the space to others.

KrebsOnSecurity has since learned that for several years prior to 2014, Adconion was one of Golestan’s biggest clients. More on that in an upcoming story.

We publish PSAs based on publicly available information.


There’s a reason they don’t put trailer hitches on Hearses.  None of us is taking anything with us other than the truth of who we are, the way we lived our lives, how we treated others, and whether we made the world a better place for having been in it.
