Military Romantic Scams – The Theory and Practice

The US Army Captain Doctor who Broke my Heart

Romance scams in the Casanova style have been around forever, but the military romance scam variant has only taken off since the advent of social media. According to the BBB’s 2018 Online Romance Scams study, since 2015 this type of scam has become a $1 billion industry in the US alone. The lifecycle of this scam is well documented and understood, but the low-level details and logistics have never been made public. Little is known about the scammers’ operations, networks, organizational structure, payment collection and clearance methods, money laundering techniques, technology, or their relationships with domestic financial institutions, law enforcement, and politicians. To most of the public, scammers are like modern-day pirates: an amorphous entity shrouded in mystery that operates anonymously from somewhere overseas with what appears to be complete impunity from prosecution.

The Victims
Two victims of military romance scams (L-R) Kate Roberts and Esther Ortiz-Rodeghero

The impact of military romance scams on their victims, who are typically older women living on a fixed income, is devastating. Some go into debt to pay the scammers; others lose their entire life savings. To add insult to injury, many victims continue to be blackmailed and coerced into committing crimes such as trafficking contraband long after they discover that they have been defrauded, even if they try to cut off communication with the scammer. Because of the international nature of these scams and the social stigma they carry, most victims have no legal recourse and little chance of ever recovering their losses.

So in the spirit of Proverbs 31:8-9, “Speak up for those who cannot speak for themselves…”, I’ll try to pull back the curtain on one military romance scam and do a deep dive into its inner workings and its perpetrators.

Military Romantic Scams 101
At its bare bones, the military romance scam has a number of variants, all of which revolve around repurposing images of a real serviceman or woman to create a fake profile on a social media or dating site, reaching out to a victim, and then conning them out of money or using them as a mule for some other illegal transaction.

As Image 1 and Table 1 show, a single set of stolen images can become the source of dozens of fake identities and over 500 concurrently running scams.

Image 1: (L-R) The many personalities of Richard Canon and 12 other stolen identities used in concurrent romance scams

# | Fake Name | Running Scam Count
--- | --- | ---
1 | Richard Williams | 36
2 | Burks Richard | 27
3 | Richard Tonsom | 11
4 | Canon Hendryx | 16
5 | Jimmy Bernett | 24
6 | Richard Canon Miller | 12
7 | Johnson Smith | 15
8 | Richard Canon | 25
9 | Canon Richard | 28
10 | Thomas Lavallee (Richard) | 18
11 | Richard Thomas | 11
12 | Thomas Rick | 23
13 | Jeff Mathew | 15
14 | Thomas Hunter Richard | 25
15 | Charles Richard | 19
16 | Seth Berman | 10
17 | Romos Johnson | 17
18 | Mark Brandon | 10
19 | Richard Wilson | 19
20 | Mata James | 26
21 | Thierry Pienaar | 16
22 | Sherman Massingale | 27
23 | Brain Kobi | 15
24 | Elijah Grayson | 19
25 | Richard Canon Martin | 22
26 | Richard Chocktoot Kenneth | 10
27 | Mark Richard | 39
28 | Richard Smiff | 16
29 | Ballantyne Richard | 9
30 | Burks Richardws | 13
31 | Richards Jack Hanan | 20
32 | Richard Billy | 27
33 | Randy Moore | 32
34 | Richard Steven Nelly | 16
35 | William David Mark | 25
36 | Larry Brent Richards | 23
37 | Cannon Richard | 33
38 | Richie Arrow | 27
39 | Sivewright Richard | 1
40 | Richard Thorpe | 15
41 | Richard E Garlock | 28
42 | Richard Clark | 24
43 | Froylan Richard | 17
44 | Canon J Richard | 14
45 | Richard C Brain | 30
47 | Canon M Richard | 21
48 | Ryann Camryn | 19
49 | Cannoon Richard | 13
| Total Concurrent Running Scams | 922

Table 1: The same image used under different name variations
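The aliases in Table 1 are mostly reorderings and misspellings of the same few tokens, which is exactly what a platform’s abuse team can exploit to tie new profiles back to one stolen identity. The following Python is an added example written for this page, not tooling from the original post: it normalises each name to a sorted token set, scores pairs with a per-token fuzzy match, and unions names that score above a threshold. The names are a subset of Table 1; the 0.85 threshold and the choice to drop single-letter initials are my assumptions.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Names copied from Table 1 of the post (a subset; the full table is longer).
TABLE1_NAMES = [
    "Richard Canon", "Canon Richard", "Cannon Richard", "Cannoon Richard",
    "Richard Canon Miller", "Canon J Richard", "Canon M Richard",
    "Richard Williams", "Burks Richard", "Burks Richardws",
    "Richard Tonsom", "Thomas Rick", "Richard Thomas",
    "Seth Berman", "Mata James", "Jimmy Bernett",
]

def normalize(name):
    """Lower-case, keep alphabetic tokens, drop single-letter initials
    (assumption: initials carry little signal), and sort so word order
    ('Canon Richard' vs 'Richard Canon') stops mattering."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return tuple(sorted(t for t in tokens if len(t) > 1))

def token_similarity(a, b):
    """Average, over the shorter name's tokens, of each token's best
    SequenceMatcher ratio against the longer name's tokens (0..1).
    'Cannoon' still scores well against 'Canon'; 'Williams' does not."""
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    if not short:
        return 0.0
    total = sum(max(SequenceMatcher(None, t, u).ratio() for u in long_)
                for t in short)
    return total / len(short)

def cluster_aliases(names, threshold=0.85):
    """Union-find clustering: names whose normalised token similarity is at
    least `threshold` share a cluster. Returns clusters, largest first."""
    parent = list(range(len(names)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    norm = [normalize(n) for n in names]
    for i, j in combinations(range(len(names)), 2):
        if token_similarity(norm[i], norm[j]) >= threshold:
            parent[find(i)] = find(j)

    clusters = {}
    for i, n in enumerate(names):
        clusters.setdefault(find(i), []).append(n)
    return sorted(clusters.values(), key=len, reverse=True)

if __name__ == "__main__":
    for cluster in cluster_aliases(TABLE1_NAMES):
        print(len(cluster), cluster)
```

On this subset the seven “Canon/Cannon/Cannoon Richard” variants collapse into one cluster and the two “Burks Richard(ws)” spellings into another, while unrelated names stay singletons. The threshold is a knob: lowering it would also pull in “Thomas Rick” against “Richard Thomas”, at the cost of more false merges.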

Once the fake online profile is created, the scammer pursues certain victim demographics and concentrates their efforts on a previously proven cross-section of susceptible individuals, for example divorced or widowed women over 50.

After initial contact is established with a victim, the scammer engages in a trust-building campaign that can take weeks or months. As part of this process, the scammer sends the victim a wide range of collateral that can include a fake military ID, service photographs, additional social network images, and even address and property information for their fake residence.

The emails, text messages, and step-by-step logic used in these scams are all based on hundreds of previously tested and successful scams. This makes their decision trees robust and their playbooks plausible and effective. Because the operator does not have to waste time on trial and error, improvisation, or real-time content creation, they can run dozens of concurrent scams by picking template-based material, such as handwritten love letters, and minimally customizing it for the specific victim.

Image 2: An example of template-based collateral (“Fake Love Signs”) ready for customization, and a fake military ID in the name of Raymond Ward with typical errors that include the wrong service branch, capitalization errors, inconsistent fonts and bolding, a mixture of imperial and metric units, and reuse of dog tag numbers from other IDs

Any compromising information the victim shares about themselves, such as sexually explicit material or family, legal, or medical information, will be used by the scammer to keep leverage over the victim through extortion.

The Psychology
Two contributing factors as to why military romance scams are so effective are the link between our perception of authority (people in uniform) and the sense of intimacy inherent in written communication. In a paper titled An Attributional Extension of the Hyperpersonal Model, which analyzes the relationship between computer-mediated communication and the willingness to disclose intimate information, the authors conclude that:

“…In the experiment participants were randomly assigned to a face‐to‐face or computer‐mediated interaction with a confederate who made either high‐ or low‐intimacy self‐disclosures. Results indicated that computer‐mediated interactions intensified the association between disclosure and intimacy relative to face‐to‐face interactions, and this intensification effect was fully mediated by increased interpersonal (relationship) attributions observed in the computer‐mediated condition.”

The reason we trust people in uniform is obvious, but, paradoxically, it also seems that we are more willing to disclose intimate details about ourselves via electronic communication than in person. For some psychological reason, the written nature of these communications adds a level of conviction and earnestness that spoken communication lacks. In romance scams, this results in the victim developing confidence in what the other party says because they view the text messages and emails as proof of sincerity.

The Scam Lifecycle
Regardless of the details, all scams are formulaic and follow an algorithmic lifecycle. Every successful romance scam follows these four sequential phases:

  1. Establish an online profile and make contact with a vulnerable victim
  2. Develop a trusting relationship with the victim, isolate them, and groom them
  3. Learn as much as possible about the victim’s family, background, aspirations, and assets
  4. Gain access to the victim’s money and use them as a money mule or goods mover to process money or merchandise for other scams

The Law Enforcement Challenge
Traditional crime or terror network analysis is expensive, time-consuming, and resource intensive. It requires dedicated task forces; access to fused HUMINT, GEOINT, MASINT, SIGINT, TECHINT, INT/DNINT, and real-time surveillance data; and the support of many subject matter experts. Reconstructing a modern criminal or terror network is not straightforward because these networks do not follow the classical organized crime models and rigid hierarchical structures.

Cybercrime networks and operators are loosely coupled and are assembled from a tight-knit group of ethnically related individuals. They lack central organization, a command hierarchy, official communication channels, and a consistent geographical location. They are also shielded by local politicians and have the full support and cooperation of senior law enforcement officials. These organizations also enforce a brutal code of loyalty that can result in violent punishment for any member who deviates from their assigned responsibilities.

To complicate things further, most of the individuals involved in cybercrime networks are non-US nationals who operate overseas across multiple international jurisdictions. They also make effective use of countermeasures such as data anonymization techniques, burner phones, and non-traceable payment methods to evade detection and tracking.

The upshot is that traditional law enforcement and prosecution techniques such as informants, bank account seizures, and search warrants are mostly ineffective and practically useless.

The Analysis
The ultimate goal of this research wasn’t to locate specific individuals but rather to discover the patterns of life, the flora and fauna, and the lay of the land in this mysterious Kingdom of Scam-Land. I personally have no interest in the individuals identified, but I do believe that the information and analytics framework used here would be useful to the general public and to Western LEAs in developing automated and more effective real-time scam-fighting strategies and programs. You can find more details about the analytics solution architecture and system components used in this project in a previous post titled The Mechanics of Deception.

The Analytics Framework
To generate the synthetic imagery and interactive dialogs and to run wide-scale video and image searches, I used the following software tools and machine learning techniques:

Video analytics using convolutional neural networks, support vector machines, multi-task network cascades, the Caffe framework, Haar cascades, ensembles of regression trees, P-N learning, and supervised learning

For the video analytics, I trained the ML engine to detect known scammer characteristics such as certain car makes, fashion brands, accessories, and hand signs. Training the model included extracting known objects (Image 3) as well as seeding the engine with new insight matches that were confirmed to be related to a relevant search topic. For example, the results of a search for people wearing a Gucci belt buckle yielded the new insight that these individuals also carried bags of a certain patterned style, so subsequent searches incorporated the patterned bags into the query criteria, and so on.

Image 3: A sample of the graphic objects used to train the ML-based search engine that identifies fashion items and other accessories with known scammer associations

The object-of-interest database contained 6K classified samples. When fully operational, the system delivered an object match true detection rate of about 86%. The total number of objects found and confirmed as relevant was over 17K (Image 4). The total runtime for all object detection and re-classification was about 9 hours.

Image 4: A sample result set for video and image searches using a combination of the “dark skin shade” and “golden watch” objects

Another type of object classification was used in combination with the big data engine to locate certain keywords and identify trends such as fashion. This involved a combination of more than 23K stop words and graphic objects such as shoes, shirts, pants, bags, and various accessories. The stop words were scraped from both OCR’d images and text.

Image 5: An example of trend detection involving “distressed jeans”

Image 6: An example of trend detection involving “visible toes” footwear

Image 7: An example of trend detection involving car keys suspended from belt loops

Image 8: An example of trend detection involving daily wardrobe arrangements and custom-made designer outfits and shoes belonging to the scammer “Yõüñg Blãck Amëricäñ”

Image 9: An example of video cataloging and identification of the fashion trends of T. Adugyamfi, aka “Billion$King”

Image 10: An example of trend detection of a “modeling” pose characterized by the subject facing the ground

Image 11: An example of trend detection of over 40 types of “hand signal” gestures

The system flagged matches, anomalies, and trends and converted them into insights that were used in more complex queries. This resulted in the identification of several hundred trends, such as haircuts, hand signs, body poses, footwear, clothing styles, and color palettes. One interesting anomaly turned out to be a fashion ritual practiced by some of the scammers: once a week they would arrange their wardrobe into coordinated outfits for every day of the week (Image 8) and post them on internal chat boards.

A key component of the search and linkage strategy was face recognition and face indexing. In total, I indexed about 19K unique faces, covering the POIs, their friends, families, and associates. The face recognition ran on multiple image sources such as CCTV cameras, phone cameras, laptop cameras, offline video files, images stored in files, and social media albums and libraries.

Image 12: Use of face recognition to identify an individual in a large collection of images and reconstruct their social and professional network. Featured in the image is “Play Bowy” and his “KVNG DD” team

All images captured in real time from CCTV cameras, phones, and laptops were indexed and processed for face matches and linkage analysis. The indexed images were then used for geospatial analysis to identify the place and time of individuals and group linkages.
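Face indexing only pays off once “which faces appear in which images” is turned into a graph, as the Image 12 caption describes. The following added example (written for this page, not the author’s system) builds a weighted co-appearance graph from face-match output, finds the connected components as candidate crews, and ranks members by how often they are photographed with others. The face ids and photos are constructed for the example.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed face-recognition output: image id -> face ids matched in it.
# Face ids and photo names are made up; a real index would map them to the
# POI records and image sources the post describes.
FACE_MATCHES = {
    "photo_a": ["F1", "F2", "F3"],
    "photo_b": ["F1", "F2"],
    "photo_c": ["F1", "F4"],
    "photo_d": ["F2", "F4", "F5"],
    "photo_e": ["F6", "F7"],
    "photo_f": ["F7", "F8"],
    "photo_g": ["F1"],            # solo shot: a node, but no edge
}

def build_cooccurrence_graph(face_matches):
    """Undirected weighted graph. Edge weight = number of images in which the
    two faces appear together. Returns (nodes, {(a, b): weight}) with a < b."""
    nodes, weights = set(), defaultdict(int)
    for faces in face_matches.values():
        uniq = sorted(set(faces))           # same face twice in one image counts once
        nodes.update(uniq)
        for a, b in combinations(uniq, 2):
            weights[(a, b)] += 1
    return nodes, dict(weights)

def adjacency(nodes, weights):
    adj = {n: {} for n in nodes}
    for (a, b), w in weights.items():
        adj[a][b] = w
        adj[b][a] = w
    return adj

def connected_components(adj):
    """BFS over the adjacency map; each component is one candidate crew."""
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.append(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(sorted(comp))
    return comps

def rank_by_strength(adj):
    """Weighted degree (sum of co-appearance counts), highest first.
    The top entries are the faces worth resolving to names first."""
    return sorted(((n, sum(adj[n].values())) for n in adj),
                  key=lambda kv: (-kv[1], kv[0]))

def analyze(face_matches):
    nodes, weights = build_cooccurrence_graph(face_matches)
    adj = adjacency(nodes, weights)
    return {"components": connected_components(adj),
            "ranking": rank_by_strength(adj)}

if __name__ == "__main__":
    result = analyze(FACE_MATCHES)
    print("crews:", result["components"])
    print("strongest links:", result["ranking"][:3])
```

Two crews fall out of the sample, and F2 ranks above F1 because it shares more photographs with more people, which is the ordering a man-in-the-loop analyst would use to decide whose name to resolve next. Geospatial linkage is the same graph with image location and time attached to each edge.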

Objects Database
The following is a summary of the objects in the inventory database:

Object Type | Quantity | Comments
--- | --- | ---
Facial Images | 7,820 | Used for Person of Interest (POI) searches
IP Addresses | 6,881 | Computer and other device IP addresses
Emails & Text Messages | 38,145 | Individual and group communications
Linkages | 19,537 | Total number of individuals in the network
Cars | 271 | Make, model, and color
License Plates | 156 | License plate numbers
Image Patterns | 1,150 | Used for entity searches
Phone Numbers | 1,340 | Mobile and computer phone numbers
Financial Records | 182 | Account numbers and details
Voice Recordings | 261 | Phone and conference calls
Video Files | 89 | Video sessions
General Objects | 17,209 | General graphic objects like logos and graphics

Note on Speech-to-Text Conversion
Even though I captured several hours of conversation via open microphones and active chat sessions, I couldn’t accurately translate large parts of the content due to limitations in Amazon’s and Google’s transcription and translation support for Nigerian and Ghanaian dialects. In an operational deployment, this problem could easily be solved if a native-language resource were available to review and translate the materials.

Image 13: Capturing a 3-way tech support conference

Love is in the Air
It was time to get scammed. The first step was to create a fictitious person named Olga Schmatova and use her as bait. I didn’t want to use stock photographs because of their easy traceability, or a real person for obvious reasons, so I created her images synthetically. I generated several versions of Olga’s photographs that accounted for age and weight variation. I then created the background information supporting her cover, such as a resume, biography, diplomas, online shopping profiles, employment history, and several other artifacts that would ensure that even an in-depth background search would yield valid results.

Image 14: AI-generated images of Olga Schmatova

Next, I created several social media, email, and dating site profiles, search-engine optimized them, and waited for the search engines to index the content. As soon as Olga started showing up in general internet searches, I was ready to go.

Image 15: One of Olga’s dating site profiles

Olga’s Dating Profile
My name is Olga. I am friendly, fun-loving, easy-going, and kind. My friends say that I bring a smile to the people around me. I consider myself to be a balanced and calm person; at the same time I am very energetic, active, and purposeful. I am full of positive energy and I project it to others.

I work as an emergency room nurse. I am family oriented and soft spoken, and at the same time I am a passionate and sensual woman, with oceans of love in my heart where we can swim together.

I like handmade art, visiting museums, and cooking, and music is a big relief in my life.

Ideal Match Description
I want to find a man who is ready to accept my love and love me in return. I need stable and firm relations, I do not want to play with feelings or any drama. I would like to find a mature and wise man who is a doctor or a dentist who knows what he wants and can share with me some of his wisdom.

I didn’t have to wait long; within several days I got the following hit:

Subject
Hello My 110% Match

Message
Wow was the first thing I said when I went through your pictures/ profile and I wonder why a woman like you is still single. Perhaps, all the men around you are blind (lol)…

We can hook up and hopefully, be wonderful soul mates… A little about myself. Hmmm, I am easy going and kind. When people meet me, they sense it before long. I am a military doctor with the US Army, I love epic movies cos I love adventure, stories from ancient history and anything related to real life.  I love the great outdoors, hiking, swimming, and travel.

I love family a lot! My favorite saying is “never look back”.  Well, the only thing lagging in my life now is that lovely woman that will follow me to my dream land. I believe ‘ONLY THOSE WHO SEEK, FIND’, and that is why I want to get to know you. I prefer direct email contact because of my deployment I don’t have access to this site at all times. Kindly email me on my gmail at the account at brandonrsmith2X@gmail.com or leave your email address. Sometimes, we are dumbfounded answering love related matters cos love is beyond human comprehension. I Hope to hear from u soon. Cheers!

Brandon

To make sure this wasn’t a legitimate dating ping, I responded by asking Brandon for more personal details. After several more email and text exchanges, he eventually sent me an image of his fake military ID (Image 16). From the recycled verbiage in his responses (for which the search spider found matches online), the poor grammar, the typos, and the fake ID, I knew that I had found my scammer:

Subject: Dearest Olga,
Message:  I’m just a normal guy who is searching for real love and wants to enjoy life to the fullest, I’m an american soldier.I come from a family of 4 which is me, dad, mum and my sister.I have my own house in Florida.We were living happily until my wife was diagnose of Cancer, it was a bad experience for me and my family it shattered us, my wife leaved with it for good 6 yrs before she gave up. It was a terrible experience but i just have to move on and hoping for the best. I have a daughter who I love dearly. My favorite color is blue (sky blue), Sunday is one of the day i don’t like , I lost my wife on Sunday so i don’t feel so much happiness on that day or maybe you can help me through that.

Been in the US Army for 5 years now as a surgeon. I enjoy my job but on deployment life is hard because you are restricted to do some things but I’m used to it. I love my job and I really need a family at the moment because I think we all deserve happiness in this life, My personality is outgoing and I have a good sense of humor. I am a kind and very tender hearted person. I am loving, in fact I sometimes think that I love too deeply when I love someone. I am a very honest person. I am too trusting at times and I am loyal to my companion and friends. i have a romantic heart and I like that. I want to be respected for being a man. I like to act, dress and look like a guy. i’m looking for a nice, honest,kind and caring woman, a woman that will love and be with me for the rest of my life. I’m not looking for someone to date but someone to spend the rest of my life with. All i need from her is just being sincere to me,make me feel secured,appreciate,love,care and being understanding. My recent life has been engulfed with misery and loneliness.

Everything in life happen for a reason, my being lonely for a very long time makes me want a companion and a woman to share my feelings with, I’m in search of a soul mate to spend the rest of our life together. No one is perfect and we could only give it a trial. Though it is right for us to learn from our mistakes. Which makes us resisting and having hard time trusting again in your life. A relationship is all about TRUST, SINCERITY and HONESTY, all this Paramount fact must exist in a relationship before anything can work out of it. Faith is the substance of things not seen, but the evidence of things being hoped for, lets strengthen our faith and see where this will lead us to. You are a beautiful woman and I want to get closer to you and see maybe this will work out for us.

Yours truly,

Brandon

Image 16: Brandon’s fake military ID with a scraped internet image of the Russian actor Oskar Ruchera

Our romance lasted about two weeks and included several exchanges of emails, voice messages, and texts. I am not going to bother you with all of the details of the lengthy and steamy conversations that ensued. The short of it is that Brandon loved me and wanted to spend the rest of his life with me. We were even going to get married in Indonesia and spend the honeymoon in Nusa Penida! All of this, of course, depended on him completing his “contract” combat deployment in Afghanistan in two years.

Then came the con. Brandon said he could leave earlier and meet me in Indonesia, but he would have to pay the US Army an administration fee of about $20,000, which he didn’t have because all of his money was tied up in some high-tech investment in Google. He promised that if I helped him with this payment, he would repay me with interest in no time. I then received an email from williambdaniels1122@gmail.com, from someone claiming to be one Colonel William Daniels of the US Army HR team, requesting that I transfer these administrative fees to him via Western Union.

I didn’t have $20K on hand, so instead I gave in to Brandon’s insistent requests for some intimate pictures of me. Following Ursula’s advice to the Little Mermaid that one should “…never underestimate the power of body language!”, I sent Brandon several steamy images of Olga in and out of a bathing suit. I also added some extra loving payload to one of the images to help take our relationship to the next level.

Image 17: Olga in a swimsuit and in her little black dress

[Audio: Olga’s AI-generated voice]

The payload deployed successfully, and the initial probe came back indicating that most machines on Brandon’s sizable local network were running Windows 7 and were unpatched. That was followed by several more payloads. I mapped his network and devices and started monitoring his internet traffic and messaging activity. Interestingly, Brandon and his team were somewhat security conscious: they used dedicated machines for scamming and separate computers for banking, business operations, and logistics. They were also careful to use burner phones for business communications and other phones for voice calls and internet browsing.

While taking inventory of the drives and storage media, I found a directory full of images that Brandon was using to assemble his social media profiles on what appeared to be a graphics editing machine. Surprisingly, it even had a licensed version of Adobe Creative Suite. As the video analytics spider sifted through these images, it flagged two anomalies. The first was the OCR’d text “Verizon LTE” (Verizon doesn’t operate in Ghana); the second was a face match on two mobile phone screenshots of a Facebook page that contained the fake photos of Brandon alongside actual photos of two scammers (Image 18).

Image 18: Phone screenshot captures (burner phones) used as the network entry point

Now that I had actual faces, the face recognition took over, traversed the photograph datasets on his storage devices and the online profiles of him and his network, and filled in the matching names, addresses, phone numbers, and car license plates, makes, and colors (Image 19). Altogether, the data collection took about 24 hours and involved some man-in-the-loop operations such as verifying anomalies and terminating dead-end searches.

One interesting insight from the face recognition mapping is that Brandon and other individuals on his network use multiple ‘legal’ names and alternate spellings in official documents such as driver’s licenses and passports. Brandon, for example, was using the names “Nana Osei Kwadwo Boakye”, “Osei Kwadwo Boakye”, and “Osei Kwadwo”.

Image 19: Sample from over 150 license plates, car makes, and color details collected from the scammer network

From the keystroke logs and login schedules it was clear that multiple operators were involved, as each exhibited a distinctive ‘fist’ in their keystroke dynamics. Monitoring the login activity in real time, together with screenshots, confirmed that many of the operators shared the login details for their ‘bait’ profiles.
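Telling operators apart by their typing ‘fist’ is keystroke dynamics: per-session dwell (key down to key up) and flight (key up to the next key down) statistics form a feature vector that can be matched against enrolled operators. The block below is an added example for this page rather than the post’s own tooling. The event log format (timestamp, down/up, key) is assumed, the sessions are synthesised with a small deterministic jitter in place of real captures, and the nearest-centroid distance threshold is a placeholder to tune on real logs.

```python
from statistics import mean, pstdev

# Assumed keystroke log format: (timestamp_ms, "down" | "up", key).
def make_session(start_ms, dwell_ms, flight_ms, text):
    """Synthesise a session typed with a given rhythm plus small deterministic
    jitter, so the example has data to work on without a real capture."""
    events, t = [], start_ms
    for i, ch in enumerate(text):
        dwell = dwell_ms + (i % 3) * 4           # hold time varies a little
        events.append((t, "down", ch))
        events.append((t + dwell, "up", ch))
        t += dwell + flight_ms + (i % 2) * 6     # so does the gap to the next key
    return events

FEATURE_KEYS = ("dwell_mean", "dwell_sd", "flight_mean", "flight_sd")

def features(events):
    """Per-session timing 'fist'. dwell = down->up of the same key,
    flight = up of key n -> down of key n+1. Ups with no matching down
    (capture started mid-press) are ignored."""
    down_at, dwells, flights, last_up = {}, [], [], None
    for ts, ev, key in sorted(events):
        if ev == "down":
            if last_up is not None:
                flights.append(ts - last_up)
            down_at[key] = ts
        elif ev == "up" and key in down_at:
            dwells.append(ts - down_at.pop(key))
            last_up = ts
    return {"dwell_mean": mean(dwells), "dwell_sd": pstdev(dwells),
            "flight_mean": mean(flights), "flight_sd": pstdev(flights)}

def enroll(sessions_by_operator):
    """One centroid per known operator, averaged over their sessions."""
    profiles = {}
    for op, sessions in sessions_by_operator.items():
        vecs = [features(s) for s in sessions]
        profiles[op] = {k: mean(v[k] for v in vecs) for k in FEATURE_KEYS}
    return profiles

def distance(a, b):
    return sum((a[k] - b[k]) ** 2 for k in FEATURE_KEYS) ** 0.5

def attribute(events, profiles, max_distance=40.0):
    """Nearest-centroid attribution. Sessions far from every centroid are
    reported as 'unknown': a new operator, or a changed keyboard/latency."""
    f = features(events)
    best = min(profiles, key=lambda op: distance(f, profiles[op]))
    d = distance(f, profiles[best])
    return (best if d <= max_distance else "unknown", round(d, 1))

# Two enrolled operators with clearly different rhythms (constructed data).
TEXT = "hello my love"
ENROLLED = {
    "operator_A": [make_session(0, 90, 120, TEXT), make_session(10_000, 94, 116, TEXT)],
    "operator_B": [make_session(0, 60, 210, TEXT), make_session(10_000, 58, 204, TEXT)],
}
PROFILES = enroll(ENROLLED)

if __name__ == "__main__":
    for label, probe in [("A-like", make_session(0, 92, 118, "see you soon")),
                         ("B-like", make_session(0, 61, 206, "see you soon")),
                         ("nobody", make_session(0, 150, 400, "see you soon"))]:
        print(label, attribute(probe, PROFILES))
```

In raw milliseconds the flight-time mean dominates the distance; before running this against real captures, standardise each feature by its spread across enrolled sessions and enroll on far more than two sessions per operator. Shared bait-profile credentials, as observed above, are exactly the case where this per-session attribution is worth more than the login record.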

The Scammer Enterprise and R&R
One surprising find was that the scammer operation used specialists. This makes sense, because if a single scammer had to carry out all of the work individually, it would take them years to develop the necessary cross-domain expertise. The substantial resource expenditure required to reach the logistical and operational proficiency needed to support a massive scam campaign such as this would also be prohibitive. In the scammer community, members specialize according to their seniority, interests, and talents, which lets them reach higher levels of productivity more rapidly.

A person’s roles and responsibilities in the layered scammer enterprise depend on their rank within the organizational structure. At the lowest level are the ‘factory workers’, who operate in teams of 5-15 individuals in internet cafes located in the suburbs and villages surrounding Lagos and Accra. Most don’t own their equipment and pay a fee for computing resources and internet access. At the next level are the home-based operator ‘managers’, who own their equipment and manage several low-level teams. These managers are responsible for training, recruitment, mentoring, and operational support for the lower tiers.

Above them are the ‘supervisors’, who are responsible for maintaining proper ‘sales’ quotas, conversion rates, and logistics, and for developing new scam products.

At the top of this pyramid are the kingpins, who control several territories. They liaise with the senior command of law enforcement, the military, the media, and politicians, and are considered pillars of the community. They engage in wide-scale philanthropic activity such as sponsoring public works and structures.

Image 20: The opening of the new Wiamoase police station in the Ashanti Region, a courtesy donation by Dr. Osei Kwame Despite

An interesting anomaly that was later confirmed to be a wide-scale trend was the frequent appearance of President Obama’s picture in many of the scammer workspace images (Image 21). Seventeen out of forty workspace images exhibited this trend. It turns out that Obama is considered the patron saint of the scammer industry in Nigeria and Ghana and is viewed as the ultimate scamming success story that everyone is trying to emulate.

Image 21: (L-R) Tier 3 scammers “KingKash” hard at work in the office and “Baron Osty” in a live session with a mark. Many scammers keep images of President Obama in their workspace and view him as the patron saint of the craft of the scam

The Anatomy of a Scam
Based on the large volume of case data retrieved from the computers on Brandon’s network and the postmortem on these cases, it appears that many operators run hundreds of concurrent scams. In one example, from January 2017 to February 2018, a mid-level manager/supervisor named Asuaden Rich, AKA “Goal Digger” (Image 22), operated over 105 simultaneous scams in the US alone, with 40 of these scams paying out over $630K USD. For these, “Goal Digger” assembled and used a library of over 300 identities stolen from Facebook and LinkedIn.

Between June 2018 and August 2018, Goal Digger spent on average 7 hours a day, 7 days a week, splitting his time between onboarding new victims and maintaining active accounts.

Image 22: An illustration of the scam details run by the tier 2 scammer “Goal Digger”

Money Makes the Scam go Around
Since most victims are too humiliated to report their ordeals, it is difficult to calculate the exact amount of money lost each year to these scams. In 2013 the estimated figure was about $12.7 billion. Adjusting for a modest 10% growth per year would bring it to about $20 billion. This industry therefore makes more than the GDP of countries like Albania, Jamaica, and Afghanistan.

Just like any other form of illegally generated revenue, the vast amounts of money collected from these scams must be laundered. In the case of the Nigerian and Ghanaian networks, most of the placement, layering, and integration activity associated with money laundering took place locally via cash purchases of luxury goods, investment in large commercial and residential real-estate developments, the purchase of drugs and arms, and human trafficking. Additionally, in at least several instances, the scams were also financing Jihadi operations in Africa and overseas.

Image 23: An example of a UK-based courier service used by Brandon’s network for mailing goods and money laundering. The UK network is also affiliated with a local Stockton Jihadi mosque and recruitment center and a number of active Jihadists

It is worth noting that local law enforcement and financial institutions are more than willing participants in this venture, and they also have the full support of the local media. For example, the banks and money transfer/exchange organizations that service the scammers deliberately misplace the security cameras at their branches in order to avoid capturing the scammers’ faces. They also frequently purge their VMS systems and any internal records that contain the scammers’ national identification numbers, addresses, or other traceable PII.

Image 24: Nana Kwadwo Boakye (using the alias Richard Mark Hooten) picking up cash transferred via Western Union at the Ecobank branch near Medina Estate, Gbagada, Lagos. The camera’s field of view at the teller window does not capture the customer’s face, and the cameras mounted on the branch ceiling only provide a rough view of customers.

Image 25: (L-R) Daily cash withdrawals, over $500K in freshly laundered money, and weekly police and political payment bundles

Deep Gray the Transporter
Image 26: Over a million dollars transported from Ghana to Nigeria via chartered flight by a tier-1 scammer

Scammers International
All of the Nigerian and Ghanaian scammer networks examined also maintain an international presence in many western countries, including the US and much of Europe. These relationships are built on family members who legally reside in the host country and on tourists, and they give the home-based network access to local organized crime for the purpose of money and goods transfer. For example, Brandon's network included individuals in multiple cities in the US, England, Germany, Italy, and France.

US Network
Image 27: One US node of the network

Brandon's network was also working closely with several local UN officials and aid organizations that used UN and NGO trucks, planes, helicopters, and facilities to transport and store cash and drugs in and out of the country.

The International face of scamming
Image 28: Osei Kwadwo Boakye AKA Brandon Smith and his domestic and international scammer network

The Derivative Economy
An interesting aspect of the scammer economy is its deep integration into the local marketplace. Many of the 'manager' and 'supervisor' level scammers eventually branch out and establish a variety of legitimate businesses such as appliance and computer stores. The seed money and inventory for these ventures initially come directly from the scams, but eventually these businesses develop sufficient customer and revenue traction to operate independently. In one illustrative example, a scammer named "Ruona Fundz" built a small retail empire of 6 electronics stores (Image 29), all of which were managed and operated by his extended family.

The Retail Empire of Ruona Fundz
Image 29: Reselling the loot, the electronics retail empire of “Ruona Fundz”

Network Structure and Communications
All cybercrime networks depend on the contributions of a wide cast of professionals working in concert, including malware developers, script writers, customer-facing operators, spammers, botnet masters, payment processors, IT, InfoSec, and finance. These communities require efficient and reliable methods to collaborate, communicate, and coordinate, sharing the tips and tricks that help them defeat security measures and evade detection.

The stratified division of labor in the scammer networks allows actors to specialize in the domains for which they have natural talent. This facilitates 'personal growth' and a level of expertise in their particular specialization beyond what could be achieved if they were responsible for every element in the scam chain. It also simplifies the acquisition of human talent, because the professional barrier to entry is lower for newcomers: recruits don't have to spend significant time and money building the capacity themselves, they just purchase a starter kit and are productive immediately.

The traditional meeting place for cyber criminals used to be online message boards or web forums. There, scammers would get together, obtain support, buy technical tools like phishing kits and malware, and sell their illicit gains. Due to the effective shutdown of many of these sites by western law enforcement, this is no longer the case, and the scammer community has migrated wholesale to various peer-to-peer (P2P) messaging platforms.

The majority of the scammers in Brandon's network used one or more of the following tools for their business communications:

  • Skype
  • Telegram
  • WhatsApp
  • Burner Phone messaging
  • Social Media messaging

Deep Grey Dead Grandma Messaging
Image 30: Bogus postings of an obituary used for email, user ID, and password exchanges

Brandon's network had a playbook for information security that included pointers on how to secure voice and data communications (via channels like Skype and WhatsApp, which the playbook treats as encrypted) and even advice on maintaining anonymity on social media. For example, some of its recommended practices were:

  • Using burner phones for all business exchanges; the burner phones are typically recycled every 3 months
  • Obfuscating car license plate numbers in images they share on social media
  • Always using aliases and never using their real name in any online communication
  • Obscuring the house number and street name in images uploaded to social media
  • Recycling work computers once a year
  • Not traveling internationally, especially to the US, with any 'work' equipment
  • Disabling geotagging and GPS tracking on cellphones
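The geotagging item in the playbook is worth making concrete, because it is also the flip side of how an investigator works: a phone camera that has not had location services disabled writes the GPS fix into the photo's EXIF metadata, and that metadata travels with the file when it is shared. The following Python example is added here to illustrate that point and is not code from the original post. It builds a minimal, constructed JPEG carrying only an EXIF GPS IFD (the coordinates used, 6.5244 N 3.3792 E, are a made-up fixture, not data from the investigation), recovers the decimal coordinates from it with nothing but the standard library, and shows what "disabling geotagging" amounts to after the fact: dropping the APP1 segment.

```python
import struct

# Standard EXIF/TIFF tag and type numbers used below.
TAG_GPS_IFD = 0x8825
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002
TAG_GPS_LON_REF, TAG_GPS_LON = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
APP1 = 0xE1  # JPEG segment that carries EXIF (and XMP)


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal JPEG whose only content is an EXIF GPS IFD (test fixture,
    not a real photo). lat_dms/lon_dms are (deg, min, (sec_num, sec_den))."""
    def rationals(dms):
        d, m, (sn, sd) = dms
        return struct.pack(">6I", d, 1, m, 1, sn, sd)  # three RATIONALs = 24 bytes

    def entry(tag, typ, count, value4):
        return struct.pack(">HHI", tag, typ, count) + value4

    # TIFF layout (big-endian "MM"): header 0-7, IFD0 at 8 (18 bytes),
    # GPS IFD at 26 (54 bytes), latitude data at 80, longitude data at 104.
    gps_ifd_off, lat_off, lon_off = 26, 80, 104
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += struct.pack(">H", 1)
    tiff += entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_ifd_off))
    tiff += b"\x00" * 4  # no next IFD
    tiff += struct.pack(">H", 4)
    tiff += entry(TAG_GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\x00" * 3)
    tiff += entry(TAG_GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", lat_off))
    tiff += entry(TAG_GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\x00" * 3)
    tiff += entry(TAG_GPS_LON, TYPE_RATIONAL, 3, struct.pack(">I", lon_off))
    tiff += b"\x00" * 4
    tiff += rationals(lat_dms) + rationals(lon_dms)
    payload = b"Exif\x00\x00" + tiff
    # SOI, APP1 (length field counts itself), EOI. No image data is needed for the parser.
    return b"\xff\xd8\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, payload) for each metadata segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, endian):
    """Return {tag: (type, count, raw 4-byte value/offset)} for one IFD."""
    n = struct.unpack(endian + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms_to_decimal(tiff, raw_offset, endian):
    off = struct.unpack(endian + "I", raw_offset)[0]
    v = struct.unpack(endian + "6I", tiff[off:off + 24])
    return v[0] / v[1] + (v[2] / v[3]) / 60 + (v[4] / v[5]) / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries EXIF GPS tags, else None."""
    for marker, payload in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            continue
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        gps_ptr = ifd0.get(TAG_GPS_IFD)
        if gps_ptr is None:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", gps_ptr[2])[0], endian)
        if TAG_GPS_LAT not in gps or TAG_GPS_LON not in gps:
            return None
        lat = _dms_to_decimal(tiff, gps[TAG_GPS_LAT][2], endian)
        lon = _dms_to_decimal(tiff, gps[TAG_GPS_LON][2], endian)
        if gps.get(TAG_GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(TAG_GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return round(lat, 4), round(lon, 4)
    return None


def strip_app1(jpeg):
    """Remove every APP1 segment (EXIF incl. GPS, and XMP); everything else is copied through."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker != APP1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    out += jpeg[pos:]  # scan data and EOI are left untouched
    return bytes(out)


if __name__ == "__main__":
    # Constructed fixture: 6°31'27.84" N, 3°22'45.12" E (decimal 6.5244, 3.3792).
    sample = build_geotagged_jpeg((6, 31, (2784, 100)), "N", (3, 22, (4512, 100)), "E")
    print("tagged photo leaks:", extract_gps(sample))
    print("after stripping APP1:", extract_gps(strip_app1(sample)))
```

Note that stripping APP1 only removes what the camera wrote; a house number or a license plate visible in the frame, which the playbook's other items address, survives any metadata cleanup, and a platform that re-encodes uploads may or may not do this stripping for you.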

Interestingly, most individuals in the network opted not to follow many of these InfoSec safeguards and precautions. In several cases, Ghana-based laptops showed up in Europe and the US. These connections did not exit through Tor; they came from local hotel and residential ISPs. In two examples, laptops belonging to "Prince Pero" and "Halid The-General" that were used for dating site scamming in Ghana beaconed to IP addresses in Marietta, GA, and Chicago, IL. From the IP address history and usage, it appears that their owners came to the US, stayed for 2-4 weeks, then headed back to Ghana, all the while continuing to scam their victims.

Burner Phones
Image 31: Extensive use of burner phones for internal communications and coordination

Car license plate obfuscation by scammers
Image 32: An example of car license plate obfuscation by scammers, used to prevent traceability of images posted to social media

Summary of Findings
When I started the search, I only expected to identify a handful of enterprising individuals running these types of scams from an internet cafe or their basement. But I was wrong. I was taken aback by the sheer scale and sophistication of these operations and the amount of revenue they generate. It also became clear that these scams are not private operations run by a few enterprising individuals but rather a national industry that involves banking, law enforcement, some UN bodies (mostly local), politicians, and local and international corporations across multiple jurisdictions.

Tracing the 1-degree operator network in the city of Madina in Ghana alone yielded over 10K individuals (the total city population is about 132K) who were directly active in scamming. This represents about 7.5% of the city's population. A 2-degree linkage would triple this figure. If a similar distribution holds across the whole of Ghana, we could potentially be looking at 15%-30% of the entire population working in or supporting scamming as a national industry. And these numbers don't account for the impact that hundreds of millions of dollars have on Ghana's overall economy and political structure! It is revealing that the official 2016 Statistical Report of Ghana's Ministry of Employment and Labour completely ignores this phenomenon and fails to identify this market segment as a major source of national revenue.

Most of the scammers identified in the analysis fit a specific age and socio-economic profile. They are between 14 and 30 years old and the majority have some high school education. Many had IT training through a local network of centers called IPMC. Only a handful have college degrees, and these are mostly supervisors. The majority of the network's members come from the villages and towns surrounding Accra, Abuja, and Lagos.

Scamming is a family business based on personal relationships; this is especially the case for the low-level operators. Many of them arrive in the city from smaller villages in search of fame and fortune and live in crowded rentals with as many as 5-10 people per room.

Baron Norway and the Rich Bad Boys
Image 33: "Baron Norway" and his Tier-3 "Rich Boys" team chillin' out

The operations have a quasi-hierarchical and fluid structure based on tiers. The low-level teams (tier 4-5) work in the internet cafés, which are owned by the tier 1-2 operators; they are responsible for creating the online profiles and generating the leads and the constant cash flow. Tier 2-3 have management responsibilities and run multiple production facilities, each with 10-50 tier 4-5 operators; they are responsible for recruitment, training, and meeting sales quotas. The tier-1 group sits at the top of the pyramid and manages multiple tier 2-3 managers. They finance the overall operations, provide the political and security cover, and collect the bulk of the revenue from their territories.

The Tier System
Image 34: The scammer tier hierarchy

This tiered structure is, to a large degree, merit based and provides for constant upward mobility. In many ways it resembles a classic sales organization: the more you sell, the higher your commission is and the faster you move up to a more lucrative tier. It is not unusual to see a tier-5 operator move to tier-2 level in just a few years. 

From rags to riches
Image 35: From rags to riches in 4 easy steps. The success story of "Goal Digger"

The tier-1 operators only function in specific territories that are controlled by the police and politicians. They have strict “payment” responsibilities for their territory.

Fast and furious
Image 36
: Examples of some of the the sweet rides owned by the tier-1 and 2 scammers. The cars are exclusively Mercedes, Lexus, Land Rover, or Porsche

Revenue collection is governed by a strict commission structure, with every individual involved in the supply chain taking a cut of each transaction at the following rates. With the military's share included, the rates add up to 100% of the transaction.

Party                       Commission per transaction (%)
Bank                        ~5
Military (if involved)      ~7
Police                      ~10
Political patronage         ~10
Tier 5                      3
Tier 4                      5
Tier 3                      10
Tier 2                      20
Tier 1                      30

The police provide the security services that protect the carriers and the money as it is moved between locations in the city. The police also provide the scammers with anti-robbery protection to ensure that non-affiliated gangs won't whack them en route to and from the bank.

One illustrative case of this protective service (Image 37) is the altercation between police officer Frederick Amanor Godzi and Ms. Patience Osafo at a Midland bank branch in Ghana. The popular explanation for the beating she received was that she was at the bank trying to withdraw about $50 USD to buy food for her baby grandchild and that the bank refused to give her the money. This led to an argument with the bank manager, who called the police. The policeman then proceeded to beat her up and literally kick her out of the bank. But the internal communications suggest that she was working as a lookout for an armed gang waiting nearby for scammers to come into the bank to withdraw large amounts of cash.

Police at the bank: pay day
Image 37: The police beating at the Midland bank, and "Crym Payys" and "Da Genneral" doing the weekly cash runs

After the initial public outcry that followed the posting of the violent video on social media, the court and the police ended up dismissing all charges against the policeman and the bank employees. The reason given was that the victim failed to appear in court to testify and cooperate with the police investigation. Ms. Osafo ended up getting a new luxury house as compensation, and the bank officials even released the following statement:

"We just closed a generous offer that removes her from the 'kiosk' to owning a brand new house, and from the streets hawking toffees to now owning multiple bank accounts."

Ironically, Ms. Osafo’s house as well as several other developments in the Fettah Kakabra Top King estate were funded by scammer investment money.

This form of cooperation between politicians, justice officials, law enforcement, and financial institution where they ‘work things out privately’ is the norm in scammer land rather than the exception.

Police at the Bank Beating
Image 38: The main characters of the Midland Bank police beating saga

The police strictly enforce the 'permits' to operate and the payment of commissions by the scammers by partnering with the money exchanges and financial institutions. For example, the security guards at the electronic payment vendors are responsible for collecting a copy of each money transfer invoice that is cashed, to ensure proper accounting of all payments. As can be seen from Image 39, failure to pay or cheating is dealt with promptly and severely.

Protection Money
Image 39: Money collection and the payment of ‘protection money’

The payment to the scammers varies based on KPIs such as closing rate, month-to-month performance, and seniority. The banks, police, and other facilitators such as the UN/NGOs and politicians typically deduct their commissions at the teller. What is left is then distributed through the hierarchy on a weekly basis. Payment itself can take different forms, including cash, drugs, or even gold bars.

Payment Methods
Image 40: Forms of payment include pre-paid bank cards (Access Bank), pre-paid ecommerce cards, gold bars, cash, drugs, electronic funds transfers, laptops, and phones

Real estate development
Image 41: Example of large-scale money laundering through investment in residential development projects in Ghana. The Qyarifa development, one of a dozen such projects, cleared over $12 million USD through the sale of units going for $65K-$100K USD each.

International Travel
Image 42: International travel and coordination with local scammer teams. Global scammer networks are located in many major cities in the US, Europe, and Asia

Show me the money
Image 43: “Crym Payys” at home piling up the cash and bling

There is no silver bullet for keeping vulnerable individuals safe online, but there is a lot we can do to strengthen our ability to disrupt the scammer networks. International cooperation is important in tackling this ever-growing form of cybercrime, but ultimately it is important to remember that some UN personnel, diplomats, government policy makers, NGOs, politicians, and local law enforcement in the host countries are the largest financial beneficiaries of this industry and are themselves part of the problem.

As the data suggest, the solution to the scammer challenge is not more law enforcement prosecuting the perpetrators after the fact, but preemptively disrupting and destroying these networks before they become operational, or draining them financially once they are active. This is a classic OODA loop problem that every large western intelligence organization deals with every day. The scope of gathering, processing, and analyzing this kind of information from around the world also fits squarely within the capabilities and charter of agencies like the CIA and NSA, which already collect this type of intelligence and act on it in similar environments internationally.

Although history doesn't repeat the exact same tune, it does tend to play the same scales over and over again. In 75 BCE, the 25-year-old Julius Caesar was sailing the Aegean Sea when he was kidnapped by Cilician pirates. According to Plutarch, the pirates asked for a hefty ransom for his release, and Caesar sent several of his friends to gather the silver, a task that took 38 days. Caesar told the pirates that after he was set free, he would hunt them down and execute them. Once freed, he made good on that promise: he quickly raised a fleet in Miletus, returned to the island where he had been held, captured the pirates, and, as he had promised, had them crucified at Pergamon.

The moral of the story is that cybercrime is the modern version of piracy, and the only effective way to deal with it is with diligence and force. The pirate infestation off the coast of Somalia is a good illustration of what happens when this problem is not dealt with promptly. The current approach of trying to combat international online fraud by relying on international treaties, Interpol, and UN resolutions amounts to little more than standing in a malaria-infested swamp and swatting at individual mosquitos.

You can rest assured that there is no need for Caesar's brutal form of punishment to solve this problem. The following six steps would quickly drain the international scammer swamp:

  1. Place OFAC sanctions on the key cybercrime, political, UN, NGO, and law enforcement personnel involved in the scamming activity.
  2. Shut down the access of the cybercrime-facilitating states to international services like SWIFT and the airline reservation systems for several days as a warning.
  3. Start a media campaign to inform the scammer-sponsoring governments that their continued support of this industry will have severe consequences for their economies.
  4. Create and maintain a real-time database (using a framework such as the one demonstrated here) of all known scammers, and arrest them when they attempt to travel internationally. The required bond for their release should be the total amount they scammed plus interest, electronically transferred back to the victims' accounts.
  5. Charge the management of the dating sites and social media hosts that have so far done little to combat this phenomenon with negligence, and open them to civil action by their victimized customers.
  6. Bring RICO, mail and wire fraud, and money laundering charges against the C-level executives and board members of the US-based money transfer companies that are the lifeblood of these scams.

Finally, if you are reading this, Captain Brandon, I'm sorry, but I don't think this relationship is going to work out. It just wasn't meant to be, chéri.

Olga

I'm not that kind of a girl

References
The Disclosure–Intimacy Link in Computer Communication – Human Communication Research
Understanding Romance Fraud: Insights From Domestic Violence Research – The British Journal of Criminology, Volume 58, Issue 6, November 2018, Pages 1303–1322.
Generating and Tuning Realistic Artificial Faces – ML based face generation by Rani Horev
A Style-Based Generator Architecture for Generative Adversarial Networks – Tero Karras NVIDIA Research
A Style-Based Generator Architecture for Generative Adversarial Networks – Cornell University
Generative Adversarial Networks  – Cornell University

Articles About Online Romance Scams
Better Call Harry: Stolen Heart, Stolen Identity
This Army Veteran Became The Face Of Military Romance Scams. Now He’s Fighting Back
Brown County Browser: Don’t fall for veterans romance scams
Fake US Soldiers Robbing Women Online
How a billion-dollar Internet scam is breaking hearts and bank accounts
“Prince Charming” Behind Bars: Nigerian Romance Scammer Nets 27-Year Prison
Love a man in uniform? Online dating scammers hope so
Love me don’t: the West African online scam using U.S. Soldiers
Australian grandmother on drug ice charges in Malaysia: Maria Elvira Pinto Exposto may be victim of a military romance scam

Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

My Can-tuck-ee Girl

Fresh off the lathe and CNC machine: a 4140 chrome-moly steel, 42″ octagonal barrel, .45 caliber, with a 1:56 twist rate and 8 grooves. Maple stock, brass patch box, and adjustable iron sights. She is a beauty.

Keep your bony AR chick, I like mine with some meat,
My curvy Can-tuck-ee girl, always sweeps me off my feet.

I love her lines and the solid weight of her body,
She’s a straight shooter, never vain or haughty.

Her dark maple wood stock, in my arms it lies content,
Her black powder perfume, intoxicates me with its scent.

She is a thrifty girl, takes sixty grains of powder, that is all,
Down her 42” grooved barrel slides the ramrod patch and ball.

I align the plain iron sights and gently pull her set trigger,
She instantly recoils with a youthful vim and vigor.

Practice, patience, and discipline, these are her demands,
A tight grouping at two hundred yards requires loving hands.

Cromwell’s Soldier Pocket Bible

Oliver Cromwell Old Ironside
An Ironsides cavalry cornet flag with the inscription ASCENDIA [INCENDIA] CVRA SIONIS
“Ascend to the help of Zion” or “Burning with the desire to help Zion”.

The Soldier's Pocket Bible was printed in 1643 for the soldiers of Parliament's army, the force that became Cromwell's New Model Army in 1645. It was a pamphlet-sized condensed selection from the Protestant Bible: an octavo booklet, 5½″ × 3″, with 16 pages and a total of 150 war-related verses.

Cromwell's soldiers, nicknamed "the Ironsides" in recognition of their fortitude, kept the Pocket Bible in a buttoned pocket on the inside of the waistcoat, near the heart, under the outer leather buff coat. They would go into battle singing psalms such as Psalm 46:7: "The Lord of hosts is with us, the God of Jacob is our Refuge."

Ironsides Uniform
Image 1: Cromwell’s Ironsides lobster helmet, armor, and leather buff coat

In an era when military leadership came from wealthy aristocratic families, Cromwell revolutionized the composition of the parliamentary army by appointing, on merit, men of humble origin and strong Puritan convictions as officers in his cavalry regiment. These men, in turn, recruited like-minded individuals who eventually formed the core of the New Model Army.

Cromwell attributed his army's almost unbroken chain of victories against the superior and better-equipped royalist forces to their moral superiority and to G-d's favorable intervention. In true biblical fashion, he led cavalry charges himself and applied a strict ethical code to everyday conduct. At camp, the soldiers didn't get drunk or gamble and were instructed in general to behave decently, with orders such as:

"A Souldier must not doe wickedly"

Following strict, self-imposed battlefield discipline, his soldiers did not rape, pillage, or partake in the spoils of war. This is unusual considering the atrocities that other European armies were perpetrating on each other and inflicting on the civilian population during the contemporary Thirty Years' War.

The Great Miseries of War by Jacques Callot, 1632
Image 2: Mass executions during the Thirty Years' War. Jacques Callot, "The Miseries and Misfortunes of War". The text reads: 'Finally these infamous and abandoned thieves [soldiers who plundered and raped], hanging from this tree like wretched fruit, show that crime (horrible and black species) is itself the instrument of shame and vengeance, and that it is the fate of corrupt men to experience the justice of heaven sooner or later.'

Cromwell's extraordinary practices and the quality of soldiers they produced weren't confined to the English Civil War. As the English Puritans emigrated to the Americas in the mid to late 1600s, they brought these ideals with them.

Fast forward the clock by 130 years to June 17th, 1775, the eve of the go/no-go engagement of the American Revolution. Posted at Breed's Hill was one Francis Merrifield. Merrifield had previously served with the Ipswich, New England militia at Ticonderoga in the French and Indian War in 1759. After hostilities with England began on April 19th, 1775, Merrifield was part of the militia that pursued the British soldiers retreating from the battles of Lexington and Concord. Just like the Ironsides of Cromwell's day, he too carried his bible into battle, fighting as a sergeant at Bunker Hill in the company of Captain Nathaniel Wade in Colonel Moses Little's regiment.

Merrifield inscribed his experience on the verso of the New Testament title page and on the inside back cover, thanking G-d for his safe deliverance from the battlefield and recording the details of his regiment and the serial number of his musket.

The inscription reads:

1775. Cambridge, June 17th. A batel fought on bunkers hill, on Saterday in the afternoon, which lasted an hour and a quarter, two men were wounded, and … the number of my gun, one hundred eighty three, 183, the seventeenth Rigement, 17.

Cambridge, Jun 17 1775. I desire to bless God for his Kind aperince in delivering me and sparing my life in the late battle fought on Bunker’s Hill. I desire to devote this spared life to His glory and honour. In witness my hand, Francis Merrifield.

Francis Merrifield Bible
Image 3: Francis Merrifield's Bible

It is noteworthy just how far reaching Cromwell’s influence has been on the concept of ‘the citizen soldier’, a stable English parliamentary system, the American and French Revolutions, and the formation of every modern republic variant since.

We trace many of the revolutionary republican ideas to individuals such as Adams, Franklin, Warren, and Rousseau, but it's easy to overlook the fact that the core concepts of this ideology, such as no taxation without representation, are steeped in Cromwell's social, religious, and political policies. It was Cromwell's refusal to become king that later inspired Washington to follow in his footsteps and retire in 1797. It also inspired John Stark's and Thomas Jefferson's resistance to the American Cincinnatus movement (the Society of the Cincinnati), which they viewed as an imitation of the old-world inherited aristocracy. It was this same mindset that enabled Congress to set term limits on the presidency 150 years later, in 1947.

Most of us also misattribute the concept of the natural rights to life, liberty, and property to John Locke. But Locke was only a wee one-year-old baby (his father served as a captain in Cromwell's cavalry) when Cromwell was already hard at work implementing what he termed "freeborn rights", which he defined as the G-d-given rights that every human has at birth, as opposed to the rights bestowed on them by government or by human law. Echoing Cromwell's sentiment, John Stark, just before the 1777 battle of Bennington, told his troops that they were fighting for their "natural born rights as Englishmen".

Without Cromwell's successful challenge to the belief in the divine right of kings, which he based on 1 Samuel 8:11-18, and the execution of Charles I, it is unlikely that King George III would ever have been challenged with the list of grievances and labeled a tyrant, or that Louis XVI would have been guillotined.

Cromwell the Father of the Modern Republic
Image 4: (L-R) The execution of Charles I (1649), the toppling of George III's lead statue in New York (1776), the execution of Louis XVI (1793)

It seems that history has a well-developed sense of irony. During the English Civil War, the royal party, known as the Cavaliers, referred to Cromwell's army by the derogatory term "Roundheads". This mocking nickname first described the soldiers and then the whole Parliamentary party. The term arose from the Puritan custom of cropping their hair short to show their contempt for stylish hairdressing, in contrast to the long flowing hair of the Royalists. Instead of taking offense, the Parliamentarians embraced it. A Roundhead, announced one pamphlet, was "a good, honest, zealous, and true protestant, called by God to do his work."

100 years later, in 1754, during the French and Indian War, the British came up with another coiffure-related pejorative, "Yankee Doodle", to describe the colonists of New England, insinuating that they were uncouth, low-class men lacking a sense of style and masculinity. The New Englanders, just like the Roundheads, happily adopted the term and used it proudly.

Yankee Doodle is the tune
That we all delight in;
It suits for feasts, it suits for fun,
And just as well for fightin’.

Cromwell's words, "A Souldier must not doe wickedly", also aged well with the passage of time. Almost 300 years after they were put down in writing, Colonel Theodore Roosevelt, the 26th president of the United States, wrote in his preface to the soldier's bible:

“LOVE MERCY; treat prisoners well, succor the wounded, treat every woman as if she was your sister, care for the little children, and be tender to the old and helpless.”

The word indeed is mightier than the sword!

Military Pocket Bibles in History
Image 5: Military Pocket bibles

The following is a full copy of the original 1643 Soldier's Pocket Bible. The reference section at the bottom of the post has a link to the printable PDF version.

Feel free to download and distribute it.

[Pages 1-16 of the 1643 Soldier's Pocket Bible, reproduced as images]

References
The Soldier’s pocket Bible – PDF version

1861 Edition of The Soldier’s Pocket Bible – South Carolina Tract Society
The Soldier’s pocket Bible: issued for the use of the army of Oliver Cromwell. The Soldier’s pocket Bible, containing the most (if not all) of those places contained in Holy Scripture, which do show the qualifications of his inner man that is a fit soldier to fight the Lord’s battles, both before the fight, in the fight, and after the fight: which scriptures are reduced to several heads, and fitly applied to the soldier’s several occasions, and so may supply the want of the whole Bible, which a soldier cannot conveniently carry about him; and may be also useful for any Christian to meditate upon, now in this miserable time of war : with the soldier’s prayer, and battle hymn.

Preface to The Soldier's pocket Bible

Bunker Hill
Map of the Battle of Bunker Hill; Breed's Hill is located at the center right

Yankee Doodle Dandy in the 18th century style – The Towpath Volunteers Fife and Drum Corps

The Statue of George III – Journal of The American Revolution

Cincinnatus – An excerpt from the 1783 poem about Washington by Philip Freneau 

Despising pomp and vain parade,
At home you stay, while France and Spain
The secret, ardent wish convey’d,
And hail’d you to their shores in vain:
In Vernon’s groves you shun the throne,
Admir’d by kings, but seen by none.

President Woodrow Wilson's Preface
President Woodrow Wilson's Preface to the World War I Soldier's Bible

Theodore Roosevelt Bible Preface
Colonel Theodore Roosevelt's Preface to the Soldier's Bible

President Roosevelt's Preface
President Franklin D. Roosevelt’s Preface to the WW II Soldier’s Bible

George Ford's bible carried to the battle of the Somme
1916: Private George Ford's pocket bible, carried by him to the battle of the Somme

US Marine WWII Reading Bible
1944 US Marine in Saipan reading his pocket bible

The Angel of Death as an Outsourced Service

Angel of Death in Egypt

The Haggadah, which is recited at the Seder on the first night of Passover, retells the biblical story of the infliction of the ten plagues on Egypt and the exodus of the Israelite slaves. One four-line passage referencing chapter 12 of the book of Exodus stands out in the narrative because of its redundant emphasis on who was responsible for these acts:

  1. “I will pass through the land of Egypt”, I and not an angel;
  2. ”And I will smite every first-born in the land of Egypt”, I and not a seraph;
  3. ”And I will carry out judgment against all the gods of Egypt”, I and not a messenger;
  4. ”I G-d”, and none other!

;וְעָבַרְתִּי בְאֶרֶץ מִצְרַיִם בַּלַּיְלָה הַזֶּה – אֲנִי וְלֹא מַלְאָךְ
;וְהִכֵּיתִי כָל בְּכוֹר בְּאֶרֶץ־מִצְרַים. אֲנִי וְלֹא שָׂרָף
;בְכָל־אֱלֹהֵי מִצְרַיִם אֶעֱשֶׂה שְׁפָטִים. אֲנִי וְלֹא הַשָּׁלִיח
.ואֲנִי ה’. אֲנִי הוּא וְלֹא אַחֵר

The 1320 Golden Haggadah, pp. 36-37
Image 1: The passage in the Golden Haggadah, circa 1320 CE

The context of the verses makes it clear that G-d alone inflicted the punitive measures and that they were executed directly by Him and not through other intermediaries like an angel, seraph, or messenger. Further support for this can be found in verse 12:12:

“For I will go through the land of Egypt on that night and will smite all the first-born in the land of Egypt, both man and beast; and against all the gods of Egypt I will execute judgment: I am G-d.

וְעָבַרְתִּי בְאֶרֶץ-מִצְרַיִם, בַּלַּיְלָה הַזֶּה, וְהִכֵּיתִי כָל-בְּכוֹר בְּאֶרֶץ מִצְרַיִם, מֵאָדָם וְעַד-בְּהֵמָה; וּבְכָל-אֱלֹהֵי מִצְרַיִם אֶעֱשֶׂה שְׁפָטִים, אֲנִי יְהוָה

But despite this clear and repetitive language regarding G-d’s direct responsibility, some Jewish and Christian scholars argue that the term “destroyer” used in verse 12:23 does not refer to G-d and should instead be read as the “angel of death”. They also postulate that G-d does not act directly or get involved in the ‘hands-on’ day-to-day minutiae, and thus He must have been using an agent of some sort to perform this work.

This textual dichotomy has been the source of endless arguments between theologians, translators and scholars. For example, the Pseudo-Jonathan Targum (translation) of Exodus 12 uses both the terms מַלְאָכָא מְחַבְּלָא (Aramaic for “destroying angel”) and מַלְאָךְ מוֹתָא, (Aramaic for the “angel of death”). Obviously, this interpretation suggests that besides G-d there is another entity—angelic or otherwise—with a certain degree of autonomy at work here.

From the contextual point of view, the arguments in favor of an angelic agent raise a number of questions about the role of this “destroyer” and the scope of his responsibility and autonomy. For example, can this destroyer exercise free judgment? Is he constrained by any boundaries?

The Hebrew bible emphasizes the idea that the entire universe falls under G-d’s jurisdiction and that all of nature falls under his control. He is the creator of light and darkness, good and evil. As Genesis 1:31 and Isaiah 45:7 state, He is the creator of all things:

“And G-d saw every thing that He had made, and, behold, it was very good. And there was evening and there was morning, the sixth day.”

וַיַּרְא אֱלֹהִים אֶת-כָּל-אֲשֶׁר עָשָׂה, וְהִנֵּה-טוֹב מְאֹד; וַיְהִי-עֶרֶב וַיְהִי-בֹקֶר, יוֹם הַשִּׁשִּׁי

I form the light, and create darkness; I make peace, and create evil; I am G-d, that doeth all these things.

יוֹצֵר אוֹר וּבוֹרֵא חֹשֶׁךְ, עֹשֶׂה שָׁלוֹם וּבוֹרֵא רָע; אֲנִי יְהוָה, עֹשֶׂה כָל-אֵלֶּה

The scripture also makes it clear that G-d is not dependent on His creation and that the creation cannot exist independently of Him. Even Satan’s depiction in Job 1:7 illustrates that he is not a rival of G-d and does not possess the ability to oppose Him in any way; he is just one of many tools that G-d uses to keep the world in working moral order. Job 1:21 further reinforces the idea that the cycle of life and death emanates entirely from G-d:

“And he said; naked came I out of my mother’s womb, and naked shall I return thither; G-d gave, and G-d hath taken away; blessed be the name of G-d.”

וַיֹּאמֶר עָרֹם יָצָתִי מִבֶּטֶן אִמִּי, וְעָרֹם אָשׁוּב שָׁמָּה; יְהוָה נָתַן, וַיהוָה לָקָח; יְהִי שֵׁם יְהוָה, מְבֹרָךְ

So if the scripture consistently states that G-d has complete and undisputed sovereignty, what then is the basis for the existence of an independent angelic agent who manages death, destruction, and the afterlife?

Broadly speaking, the basis for this argument can be classified into these three categories of references:

  1. Specific scriptural terminology such as: Abaddon, destroyer, messengers of death, angel that destroys, executioner, slayer, angel of G-d, Ashmedai, Satan, the harvester of souls, the angel that smites, serpent, adversary, captain of the host of G-d, leviathan the slant serpent, leviathan the tortuous serpent, and dragon
  2. Allegorical Sources such as: Personification of death in the scripture, messengers of death, Day-Star, cherub that walks on stones of fire, and anointed cherub
  3. Legend Sources such as: Testament of Solomon, The Zohar, The Talmud, the book of Tobit, and Thanksgiving Hymns

Specifically, these implied angelic associations can be found in some of the following passages:

Genesis 3:1-5
Now the serpent was more subtle than any beast of the field which G-d had made. And he said unto the woman: ‘Yea, hath G-d said: Ye shall not eat of any tree of the garden?’

וְהַנָּחָשׁ, הָיָה עָרוּם, מִכֹּל חַיַּת הַשָּׂדֶה, אֲשֶׁר עָשָׂה יְהוָה אֱלֹהִים; וַיֹּאמֶר, אֶל-הָאִשָּׁה, אַף כִּי-אָמַר אֱלֹהִים, לֹא תֹאכְלוּ מִכֹּל עֵץ הַגָּן

Exodus 12:23
“For G-d will pass through to smite the Egyptians; and when He seeth the blood upon the lintel, and on the two side-posts, G-d will pass over the door and will not suffer the destroyer to come in unto your houses to smite you.” 

וְעָבַר יְהוָה, לִנְגֹּף אֶת-מִצְרַיִם, וְרָאָה אֶת-הַדָּם עַל-הַמַּשְׁקוֹף, וְעַל שְׁתֵּי הַמְּזוּזֹת; וּפָסַח יְהוָה, עַל-הַפֶּתַח, וְלֹא יִתֵּן הַמַּשְׁחִית, לָבֹא אֶל-בָּתֵּיכֶם לִנְגֹּף

Joshua 5:13-14
And he said: ‘Nay, but I am captain of the host of G-d; I am now come.’ And Joshua fell on his face to the earth, and bowed down, and said unto him: ‘What saith my lord unto his servant?’

וַיֹּאמֶר לֹא, כִּי אֲנִי שַׂר-צְבָא-יְהוָה–עַתָּה בָאתִי; וַיִּפֹּל יְהוֹשֻׁעַ אֶל-פָּנָיו אַרְצָה, וַיִּשְׁתָּחוּ, וַיֹּאמֶר לוֹ, מָה אֲדֹנִי מְדַבֵּר אֶל-עַבְדּוֹ

Zechariah 3:1-2
And he showed me Joshua the high priest standing before the angel of G-d, and Satan standing at his right hand to accuse him.

וַיַּרְאֵנִי, אֶת-יְהוֹשֻׁעַ הַכֹּהֵן הַגָּדוֹל, עֹמֵד, לִפְנֵי מַלְאַךְ יְהוָה; וְהַשָּׂטָן עֹמֵד עַל-יְמִינוֹ, לְשִׂטְנוֹ

Ezekiel 28:13-19
thou wast in Eden the garden of G-d; every precious stone was thy covering, the carnelian, the topaz, and the emerald, the beryl, the onyx, and the jasper, the sapphire, the carbuncle, and the smaragd, and gold; the workmanship of thy settings and of thy sockets was in thee, in the day that thou wast created they were prepared.

בְּעֵדֶן גַּן-אֱלֹהִים הָיִיתָ, כָּל-אֶבֶן יְקָרָה מְסֻכָתֶךָ אֹדֶם פִּטְדָה וְיָהֲלֹם תַּרְשִׁישׁ שֹׁהַם וְיָשְׁפֵה, סַפִּיר נֹפֶךְ, וּבָרְקַת וְזָהָב; מְלֶאכֶת תֻּפֶּיךָ וּנְקָבֶיךָ בָּךְ, בְּיוֹם הִבָּרַאֲךָ כּוֹנָנוּ

Job 1:6-12
Now it fell upon a day, that the sons of G-d came to present themselves before G-d, and Satan came also among them.

וַיְהִי הַיּוֹם–וַיָּבֹאוּ בְּנֵי הָאֱלֹהִים, לְהִתְיַצֵּב עַל-יְהוָה; וַיָּבוֹא גַם-הַשָּׂטָן, בְּתוֹכָם

Job 33:22
Yea, his soul draweth near unto the pit, and his life to the destroyers.

וַתִּקְרַב לַשַּׁחַת נַפְשׁוֹ; וְחַיָּתוֹ, לַמְמִתִים

Isaiah 14:12
How art thou fallen from heaven, O day-star, son of the morning! How art thou cut down to the ground, that didst cast lots over the nations!

אֵיךְ נָפַלְתָּ מִשָּׁמַיִם, הֵילֵל בֶּן-שָׁחַר; נִגְדַּעְתָּ לָאָרֶץ, חוֹלֵשׁ עַל-גּוֹיִם

Isaiah 27:1
In that day the LORD with His sore and great and strong sword will punish leviathan the slant serpent, and leviathan the tortuous serpent; and He will slay the dragon that is in the sea.

בַּיּוֹם הַהוּא יִפְקֹד יְהוָה בְּחַרְבּוֹ הַקָּשָׁה וְהַגְּדוֹלָה וְהַחֲזָקָה, עַל לִוְיָתָן נָחָשׁ בָּרִחַ, וְעַל לִוְיָתָן, נָחָשׁ עֲקַלָּתוֹן; וְהָרַג אֶת-הַתַּנִּין, אֲשֶׁר בַּיָּם

Isaiah 37:36
And the angel of G-d went forth, and smote in the camp of the Assyrians a hundred and fourscore and five thousand; and when men arose early in the morning, behold, they were all dead corpses.

.וַיֵּצֵא מַלְאַךְ יְהוָה, וַיַּכֶּה בְּמַחֲנֵה אַשּׁוּר, מֵאָה וּשְׁמֹנִים וַחֲמִשָּׁה, אָלֶף; וַיַּשְׁכִּימוּ בַבֹּקֶר, וְהִנֵּה כֻלָּם פְּגָרִים מֵתִים

Proverbs 16:14
The wrath of a king is as messengers of death; but a wise man will pacify it.

חֲמַת-מֶלֶךְ מַלְאֲכֵי-מָוֶת; וְאִישׁ חָכָם יְכַפְּרֶנָּה

Psalm 109:6
Set Thou a wicked man over him; and let an adversary stand at his right hand.

הַפְקֵד עָלָיו רָשָׁע; וְשָׂטָן, יַעֲמֹד עַל-יְמִינוֹ

2 Samuel 24:16
”And when the angel stretched out his hand toward Jerusalem to destroy it, G-d repented Him of the evil, and said to the angel that destroyed the people: ‘It is enough; now stay thy hand.’ And the angel of G-d was by the threshing-floor of Araunah the Jebusite.”

וַיִּשְׁלַח יָדוֹ הַמַּלְאָךְ יְרוּשָׁלִַם, לְשַׁחֲתָהּ, וַיִּנָּחֶם יְהוָה אֶל-הָרָעָה, וַיֹּאמֶר לַמַּלְאָךְ הַמַּשְׁחִית בָּעָם רַב עַתָּה הֶרֶף יָדֶךָ; וּמַלְאַךְ יְהוָה הָיָה, עִם-גֹּרֶן האורנה (הָאֲרַוְנָה) הַיְבֻסִי

1 Chronicles 21:14-16
So G-D sent a pestilence upon Israel; and there fell of Israel seventy thousand men.

וַיִּתֵּן יְהוָה דֶּבֶר, בְּיִשְׂרָאֵל; וַיִּפֹּל, מִיִּשְׂרָאֵל, שִׁבְעִים אֶלֶף, אִישׁ

And G-d sent an angel unto Jerusalem to destroy it; and as he was about to destroy, G-d beheld, and He repented Him of the evil, and said to the destroying angel: ‘It is enough; now stay thy hand.’ And the angel of G-d was standing by the threshing-floor of Ornan the Jebusite.

וַיִּשְׁלַח הָאֱלֹהִים מַלְאָךְ לִירוּשָׁלִַם, לְהַשְׁחִיתָהּ, וּכְהַשְׁחִית רָאָה יְהוָה וַיִּנָּחֶם עַל-הָרָעָה, וַיֹּאמֶר לַמַּלְאָךְ הַמַּשְׁחִית רַב עַתָּה הֶרֶף יָדֶךָ; וּמַלְאַךְ יְהוָה עֹמֵד, עִם-גֹּרֶן אָרְנָן הַיְבוּסִי

And David lifted up his eyes, and saw the angel of G-d standing between the earth and the heaven, having a drawn sword in his hand stretched out over Jerusalem. Then David and the elders, clothed in sackcloth, fell upon their faces.

וַיִּשָּׂא דָוִיד אֶת-עֵינָיו, וַיַּרְא אֶת-מַלְאַךְ יְהוָה עֹמֵד בֵּין הָאָרֶץ וּבֵין הַשָּׁמַיִם, וְחַרְבּוֹ שְׁלוּפָה בְּיָדוֹ, נְטוּיָה עַל-יְרוּשָׁלִָם; וַיִּפֹּל דָּוִיד וְהַזְּקֵנִים מְכֻסִּים בַּשַּׂקִּים, עַל-פְּנֵיהֶם

II Kings 19:35
And it came to pass that night, that the angel of G-d went forth, and smote in the camp of the Assyrians a hundred fourscore and five thousand; and when men arose early in the morning, behold, they were all dead corpses.

וַיְהִי, בַּלַּיְלָה הַהוּא, וַיֵּצֵא מַלְאַךְ יְהוָה וַיַּךְ בְּמַחֲנֵה אַשּׁוּר, מֵאָה שְׁמוֹנִים וַחֲמִשָּׁה אָלֶף; וַיַּשְׁכִּימוּ בַבֹּקֶר, וְהִנֵּה כֻלָּם פְּגָרִים מֵתִים

Hosea 13:14
Shall I ransom them from the power of the nether-world? Shall I redeem them from death? Ho, thy plagues, O death! Ho, thy destruction, O nether-world! Repentance be hid from Mine eyes!

מִיַּד שְׁאוֹל אֶפְדֵּם, מִמָּוֶת אֶגְאָלֵם; אֱהִי דְבָרֶיךָ מָוֶת, אֱהִי קָטָבְךָ שְׁאוֹל–נֹחַם, יִסָּתֵר מֵעֵינָי

The argument advocating for the concept of an independent destroyer goes back to the dawn of the Egyptian and Canaanite religions. Egyptian texts that describe Osiris as the god of the dead and the lord of the underworld date as early as 2500 BCE. According to passages in the Book of the Dead, after death the deceased faced forty-two divine judges who evaluated whether he had lived in conformance with the guidelines of the goddess Ma’at, who represented truth and righteous living. Those who passed the test were welcomed into the heavenly kingdom of Osiris. Those who failed did not share in eternal life; they were taken by Ammit, the “devourer”, subjected to terrifying punishments, and then thrown to the soul-eating demons in hell. Sort of Dante’s Inferno, Egyptian style.

Once in hell, the goddess Sekhmet inflicted further punishments on them in the place of “destruction”. The dead were thrown into lakes of fire kindled by flame-spitting snakes, where demons fed on the victims’ entrails and drank their blood. The demons then butchered and hacked their victims to pieces and burned them with inextinguishable fire, in deep pits or in cauldrons, where they were scorched, cooked, and reduced to ashes.

Egyptian Hell
Image 2: Egyptian view of hell

Though their sources are not as detailed as the Egyptian Book of the Dead, the Canaanites developed similar concepts about their god of death and the underworld.

The Canaanite deity Mavet (מָוֶת), who shares some traits with Osiris, played a central role in the Baal Cycle, written circa 1500 BCE. The hymn describes the god of death and the underworld as a predator with an insatiable appetite for consuming the living:

…Mavet (Death) would open His mouth wide.
“A lip to earth,
A lip to heaven,
And a tongue to the stars,
So that Baal may enter His inwards,
Yea, descend into His mouth,
As scorched is the olive,
The produce of the Earth,
And the fruit of the Trees.”

In addition to a detailed description of Mavet’s character and exploits, several other passages in the text detail the rivalry between Baal (the Canaanite equivalent of Zeus) and his brother Mavet (the Canaanite equivalent of Hades). In one example, the goddess Anath informs El, the head of the gods, about a battle she witnessed between the two deities:

Then Anath went to El, at the source of the rivers, in the middle of the bed of the two oceans.
She bows at the feet of El, she bows and prostrates and pays him respects.
She speaks and says:
“the very mighty Baal is dead.
The prince, lord of the earth, has died” (…)
“They fight like heroes. Mavet wins, Baal wins.
They bite each other like snakes.
Mavet wins, Baal wins.
They jump like horses.
Mavet is scared. Baal sits on his throne”.

In the final part of the Baal Cycle, Mavet informs Baal that he, “like a lion in the desert, hungers constantly for human flesh and blood”. Mavet threatens to cause the heavens to wilt and collapse, and to break Baal into pieces and eat him. Baal is also warned by Shapash, the sun-goddess, about Mavet’s superior power, and she advises him to submit:

Do not draw near the god Mavet,
Lest He make You like a lamb in His mouth,
Like a kid in His jaws Ye be crushed!
The Torch of the gods, Shapash, burns;
The heavens halt on account of El’s darling, Mavet.
By the thousand acres,
Yea the myriad hectares
At the feet of Mavet bow and fall.
Prostrate Yourselves and honor Him!

The goddess Anath Text
Image 3: Text from the goddess Anath epic referencing Baal’s rivals

The Hebrew Bible rejected these polytheistic concepts of an independent god of death and the rivalry between deities. According to Isaiah 45:7, G-d is the only source of both good and evil and is the master of life and death.

Cassuto, in his commentary on the Pentateuch, argued that the bible was written in the language of the common man, and thus the personification of death and the allusions to his other emissaries, such as leviathan the slant serpent, leviathan the tortuous serpent, and the dragon described in Genesis 1:21 and Isaiah 27:1, were remnants of the ideological war that the Hebrew bible waged against a pervasive culture infused with these concepts. In opposition to the dominant beliefs of the time, the scripture emphasized the notion that no entity but G-d possessed the power to create man and to return him to dust (Job 10:9).

A careful reading of the roles of the “destroyer”, “the harvester of souls”, and the “angel of the Lord” who “smites” and “destroys” human beings in the scripture shows that they are always temporary messengers with a limited scope of operation and a limited window of action. In the few instances where death is personified, as in Psalms 49:15; 91:3; Job 18:14; and Proverbs 16:14; 17:11, it is clear that he possesses no permanent power and lacks the ability to terminate life of his own volition.

From a historical perspective, the western concept of an independent angel of death only emerged in the post-biblical period and can be attributed to the fusion of Egyptian, Canaanite, and Greek religions in the Hellenistic world.

This amalgam of deities the likes of Hades, Osiris, and Mavet formed the distinct figure of the angel of death who became associated with the terrifying demons and evil spirits commonly found in the ancient near east literature. By this time, this hybrid deity retained only a tangential association with the biblical concepts of the destroyer as a vehicle for delivering morally driven divine retribution. 

This new manifestation of evil, death, cruelty, and wretchedness also incorporated the concept of the morally deficient, cunning, and deceitful snake from the garden of Eden (Genesis 3:1-14) and, after several additions and enhancements such as evil spirits, demons, and Liliths, it appeared in the literature and theology of the 2nd century BCE to 1st century CE as בְּלִיַעַל Belial. One example dated to the Second Temple period, found in a Dead Sea Scroll titled the “Songs of the Sage”, contains the following apotropaic prayer:

“And, I the Sage, declare the grandeur of his radiance in order to frighten and terri[fy] all the spirits of the ravaging angels and the bastard spirits, demons, Liliths, owls”

In another Dead Sea scroll, a fragment entitled “Curses of Belial” contains a reference to Belial בְּלִיַעַל (wicked or worthless), “sons of Belial”, the “angel of the Pit” and a “spirit of destruction” and carries the following curses against him and his lot:

“The Community Council shall say together in unison, ‘Amen. Amen.’ Then [they] shall curse Belial and all his guilty lot, and they shall answer and say, ‘Cursed be [Be]lial in his devilish and damned be he in his guilty rule.”

From the 2nd century CE through the early middle ages, Belial became affiliated with the devil in gospel texts and assumed a central and permanent role of the ultimate evil that seeks to seduce, sabotage, harm, and fight mankind. He is described as a rebellious fallen angel who rose against G-d and challenged his sovereignty.

Lacking direct biblical sources to support these assertions, some prominent theologians, such as Cyprian, Clement of Alexandria, Origen, Augustine, Dionysius the Pseudo-Areopagite, and John of Damascus, used unrelated passages such as Isaiah 14:12-15 to buttress their claims:

“And thou saidst in thy heart: ‘I will ascend into heaven, above the stars of G-d will I exalt my throne, and I will sit upon the mount of meeting, in the uttermost parts of the north;
I will ascend above the heights of the clouds; I will be like the Most High.”

The Satanic Verses V1
Image 4: L-R Cyprian, Clement of Alexandria, Augustine, Dionysius, John of Damascus, Origen 

The absence of supporting scriptural provenance didn’t stop the widespread dissemination of these daemonic ideas. Now instead of using biblical exegesis, writers resorted to speculative fiction to describe in detail the devil’s nature, domain, powers, and attributes. For example, Cyprian in his Treatise 10.4 claimed that the reason for the fall of Satan was:

“When he saw human beings made in the image of God, he broke forth into jealousy and malevolent envy” and thus rebelled against God.

Where the biblical world experienced a rare and indirect interaction with a “destroyer”, the religious universe of the late Roman period swarmed with pitched battles between angels and demons, with humanity caught in between. Even the most mundane matters, including eating, marriage, and bearing children, became a battleground between good and evil. Origen in his Commentary on Matthew and Clement of Alexandria in his Stromata discuss these prevailing contemporary views, including one that the institution of marriage “is fornication” and that it was “introduced by the devil”.

By now, the previous narrative of the “destroyer” as a mere messenger or delivery mechanism for divine retribution had regressed to the ancient idolatrous relationship between factions of warring deities reflected in the Enuma Elish. The new pantheon of the devil and his cohorts grew steadily, and by the 6th century CE authors were dedicating entire treatises to cataloging the demonic and angelic realms. Early medieval writers such as Pseudo-Dionysius the Areopagite also produced encyclopedic works such as The Celestial Hierarchy, which classified angels by function and utility and discussed in great detail subjects such as:

“Which is the first Order of the Heavenly Beings? which the middle? and which the last? How many, and of what sort, are the Orders of the super-celestial Beings, and how the Hierarchies are classified amongst themselves”

Pseudo-Dionysius the Areopagite, The Celestial Hierarchy
Image 5: The Celestial Hierarchy of Pseudo-Dionysius the Areopagite

By the Second Council of Nicaea in 787 CE, angels and saints (who are in effect demi-angels) had become official objects of veneration and adoration and patrons of every mundane daily function such as food preparation, travel, and athletic activity.

St. Sebastian Sterling Silver Medals
Image 6: St. Sebastian athletic medals

By the middle ages, Archangel Michael had acquired an affiliation with certain functions of the angel of death, who, among other responsibilities, was tasked with evaluating the souls of all the deceased, carrying them to heaven, and fighting Satan. Just as in the case of the Egyptian Anubis, Byzantine and Catholic liturgy and art assigned Michael the role of weighing the souls of the dead with his scales. Another popular depiction shows him armed with a spear or sword and locked in mortal combat with Satan, in which, for some unknown reason, he consistently fails to win a decisive victory.

Archangel Michael
Image 7: Depiction of Archangel Michael in medieval and renaissance art

Anubis Weighing of the Heart
Image 8: Anubis weighing the souls of the dead

From the late middle ages through the late renaissance, we see an increasing number of works on demonic classification. These works progressively become more detailed and pseudo-scientific. They detail the nature of each demon, the category of sins which they impart to their human victims, the month in which their power is strongest, and the saints that are their adversaries. Some of the more notable classification works from this period are:

The 1410 Lantern of Light by John Wycliffe. A daemon classification system that was based on the Seven Deadly sins and the following association of sin and demon:

  1. Lucifer – Pride
  2. Beelzebub (Belzebub) – Gluttony (Glotouns)
  3. Satan (Sathanas) – Wrath (Wraþþe)
  4. Leviathan (Leviathan) – Envy (Envous)
  5. Mammon – Greed (Auarouse)
  6. Belphegor –  Sloth (Slow)
  7. Asmodeus – Lust (Leccherouse)

The 1459 Fortalitium Fidei by Alphonso de Spina. In the chapter on demons, Alphonso took demon accounting to a new level of precision and stated that the total number of angels who sided with Lucifer’s revolt against G-d was 133,306,668. He also classified demons based on the following criteria:

  1. Incubi and succubi
  2. Familiars
  3. Drudes
  4. Cambions born from the union of a demon with a human being (AKA witches and warlocks).
  5. Demons that induce old women to attend Witches’ Sabbaths

The c. 1486 Malleus Maleficarum (Hammer of Witches). This most ‘thorough’ treatise on witchcraft and demons was written by two German Dominican monks, Heinrich Kramer and Jacob Sprenger, and came with an official papal bull. The book sold more copies than any other book except the Bible until 1678. It was single-handedly responsible for the murder of hundreds of thousands (if not millions) of innocent women and young girls across Europe. According to the book, it has been proven that it is normal for many women to embrace sorcery and “to perform filthy carnal acts with demons.”

The 1533 De Occulta Philosophia by Cornelius Agrippa. A demon classification system based on the number 4 and the cardinal directions that included:

  1. Oriens – East
  2. Paymon – West
  3. Egyn – North
  4. Amaymon – South

The 1591 The Confessions of Warlocks and Witches by Peter Binsfeld. A demon classification system similar to the Lantern of Light’s seven deadly sins but with a slight variation in the classification as follows:

  1. Lucifer – Pride
  2. Mammon – Greed
  3. Asmodeus – Lust
  4. Leviathan – Envy
  5. Beelzebub – Gluttony
  6. Satan – Wrath
  7. Belphegor – Sloth

The 1597 Daemonologie by King James (the same James who later sponsored the translation of the Bible to English better known as the “King James Bible”). A demon classification treatise in three volumes dedicated to the study of demonology and the methods demons used to inflict and torment mankind. The classification included:

  1. Spectra – Used to describe spirits that trouble houses or solitary places
  2. Oppression – Used to describe spirits that follow upon certain people to outwardly trouble them at various times of the day
  3. Possession – Used to describe spirits that enter inwardly into a person to trouble them
  4. Fairies – Used to describe spirits that prophesy, consort, and transport

The book also covered important topics such as werewolves and vampires. It was aimed at educating the ignorant citizenry of England on the history, practices, and implications of practicing sorcery and all things demonic.

The Observer's Book of Monsters by Claude Savagely
Image 9: The Observer’s Book of Monsters by Claude Savagely

The 1608 Compendium Maleficarum by Francesco Maria Guazzo (a copy of the 11th-century Classification of Demons by Michael Psellus). The work classified demons into:

  1. Empyreal – Fiery
  2. Aerial – Airborne
  3. Subterranean – Underground
  4. Lucifugous – Heliophobic
  5. Aqueous – Water based
  6. Terrene – On the ground

The 1686 Semiphoras and Schemhamforas by Andreas Luppius which was based on a similar system of classification as “De Occulta Philosophia” but instead of 4 used the number 9 and had the following orders of demons:

  1. False spirits
  2. Spirits of lying
  3. Vessels of iniquity
  4. Avengers of wickedness
  5. Jugglers
  6. Airy powers
  7. Furies sowing mischief
  8. Sifters or triers
  9. Tempters or ensnarers

Demonic classification books
Image 10: A sampling of a few demonic classification books from the 14th-17th centuries

Some ancient and modern Jewish scholars, like Richard Friedman, also erroneously made the correlation between the “destroyer” and the angel of death. These errors were based on anecdotal evidence in the secondary literature and art. Friedman for example came to this conclusion based on a sword bearing figure in one of the illustrations on the Golden Haggadah whom he identified as the angel of death (top right corner of Image 11). This led him to conclude that the authors of the 14th century Haggadah must have also subscribed to the textual and theological interpretation that the “destroyer” was in fact the angel of death.

Golden Haggadah Angel of Death
Image 11: Illustration from the Golden Haggadah (Note figure in top right corner)

Ironically, the same Golden Haggadah that is used as proof for the existence of the angel of death contains a handwritten note, which is a combination of some biographical details and poetry. Line 6 of the note reads:

״…בחוכמה בתבונה ובדעת, חי העולמים יושב המרומים ומשגיח התחתונים אחד ונעלם אלקי חיים ומלך עולם…״

“…In wisdom, understanding, and Knowledge, the creator of the universe who sits on high and oversees the underworld (i.e. the dead), who is one and unseen, the king of the world…”

From the context it’s clear that the writer of the text (and likely the owner of the book) did not buy into the angel of death idea or his ability to challenge the sovereignty of G-d.

Intro Text to Golden Haggadah
Image 12: The handwritten note in cursive script in the Golden Haggadah and its in-line transliteration to block script

I think that the confusion about the meaning of the “destroyer” in the verses in Exodus can be attributed to a misreading of the text and a failure to identify the wordplay and the variant usage of the root N-G-F נגף. This root and its derivatives can be read as smite, obstacle, defeated, plague, blow, and strike. Depending on its usage and context, it can be used as a noun, as in ‘bubonic plague’, or as a verb, as in ‘I’ve been plagued by ill health’. Keeping this in mind, we can try to reconcile the contextual problem by reading verses 12:12-29 as follows:

12–For I will go through the land of Egypt in that night, and will smite [וְהִכֵּיתִי] all the first-born in the land of Egypt, both man and beast; and against all the gods of Egypt I will execute judgments: I am G-d.

13–And the blood shall be to you for a token upon the houses where ye are; and when I see the blood, I will pass over you, and there shall no plague [נֶגֶף] be upon you to destroy [לְמַשְׁחִית] you, when I smite [בְּהַכֹּתִי] the land of Egypt.

22–Take a bunch of hyssop, and dip it in the blood that is in the basin, and strike the lintel and the two side-posts with the blood that is in the basin; and none of you shall go out of the door of his house until the morning.

23–For G-d will pass through to smite [לִנְגֹּף] the Egyptians; and when He seeth the blood upon the lintel, and on the two side-posts, G-d will pass over the door, and will not suffer the destroyer [הַמַּשְׁחִית] to come in unto your houses to smite [לִנְגֹּף] you.

27–that ye shall say: It is the sacrifice of G-d’s Passover, for that He passed over the houses of the children of Israel in Egypt, when He smote [בְּנָגְפּוֹ] the Egyptians, and delivered our houses.’ And the people bowed the head and worshipped.

29–And it came to pass at midnight, that G-d smote [הִכָּה] all the firstborn in the land of Egypt, from the first-born of Pharaoh that sat on his throne unto the first-born of the captive that was in the dungeon; and all the first-born of cattle.

Putting all of these elements together gives us: the destroyer [הַמַשְׁחִית] smites [לִנְגֹּף] the first-born in Egypt using a plague [מגיפה], via “the destroyer’s plague” [נֶגֶף לְמַשְׁחִית], with a plague [נֶגֶף].

A similar word play in English would be along the lines of:

The striker (destroyer) struck (inflicted) the stricken (victims) with a strike (affliction).

So, G-d Himself “passes through” (עָבַר) the land of Egypt and smites all the firstborn in the land of Egypt. This is accomplished via “the destroyer” which happens to be the plague, that plagues the firstborn of Egypt with a plague. In this context, the destroyer is G-d’s mechanism for delivering the destruction. 

To paraphrase Sherlock Holmes: “This Exodus story stands flat-footed upon the ground and there it must remain. The world is big enough for us. No angel of death need apply.”

Considering this, I propose a practical alternative reading of the “destroyer” as a software function. The destroyer receives its entire operating envelope as parameters, including a real-time abort flag, and decides nothing on its own. The VB.NET module below is a working version of that reading (the CDC codes, coordinates, and agent are the illustrative values from the original sketch, not data drawn from any source):

Imports System

Module TenthPlague

    ' The destroyer takes every operating parameter from its caller and
    ' decides nothing on its own. Arguments, in order:
    '   identity    = identity of the deceased (VictimID)
    '   timeOfDeath = date and time of death, in years from the creation of the universe
    '   agent       = delivery mechanism (e.g. carbon monoxide)
    '   cause       = actual cause of death (see CDC codes)
    '   delay       = hours:minutes:seconds before delivery
    '   reason      = triggering event
    '   place       = location of the victim
    '   duration    = "Timed" (uses delay as an offset) or "Permanent"
    '   awareness   = premonition value 0-9 about the impending death
    '   terminate   = real-time abort flag; True stays the hand (cf. 2 Samuel 24:16)
    ' Returns True if the strike was delivered, False if it was aborted.
    Function Destroyer(identity As String, timeOfDeath As Double, agent As String,
                       cause As String, delay As TimeSpan, reason As String,
                       place As String, duration As String, awareness As Integer,
                       terminate As Boolean) As Boolean
        If terminate Then Return False
        Console.WriteLine($"{identity}: {cause} via {agent} at {place} " &
                          $"(reason: {reason}, delay: {delay}, {duration}, premonition: {awareness})")
        Return True
    End Function

    ' Rules of engagement for one house on the night of the tenth plague
    ' (Exodus 12:13, 22-23). Returns True if a strike was delivered.
    '   bloodFoundOnDoor  = blood seen on the lintel and the two side-posts
    '   deceptionInvolved = use cases like Egyptians using fake blood or paint
    '                       on their door, hiding in an Israelite home, etc.
    '   firstBornPresent  = a first-born is inside
    '   terminate         = real-time abort flag, passed through to the destroyer
    Function KillFirstBorn(bloodFoundOnDoor As Boolean, deceptionInvolved As Boolean,
                           firstBornPresent As Boolean, terminate As Boolean) As Boolean
        ' Test if everything is kosher
        If bloodFoundOnDoor AndAlso Not deceptionInvolved Then
            ' Nothing to see here, move along...
            Return False

        ' Are they cheating?
        ElseIf deceptionInvolved Then
            ' Is there a first-born inside?
            If firstBornPresent AndAlso Not terminate Then
                ' Get 'em!
                Return Strike(terminate)
            End If

        ' There is no blood on the door, or we are in the open
        ElseIf Not bloodFoundOnDoor Then
            ' Is there a first-born present?
            If firstBornPresent AndAlso Not terminate Then
                ' Get 'em!
                Return Strike(terminate)
            End If
        End If
        Return False
    End Function

    ' The one strike used that night; the same parameters apply in every case.
    Private Function Strike(terminate As Boolean) As Boolean
        Return Destroyer("VictimID", 4.54E9, "Anthrax", "Pneumonia-Cardiac Arrest",
                         TimeSpan.Zero, "Disobedience",
                         "30°0'47.001656"" N 31°12'31.870834"" E 12.920",
                         "Permanent", 0, terminate)
    End Function

    Sub Main()
        KillFirstBorn(True, False, True, False)   ' genuine blood: passed over
        KillFirstBorn(True, True, True, False)    ' fake blood: struck
        KillFirstBorn(False, False, True, False)  ' no blood on the door: struck
        KillFirstBorn(False, False, True, True)   ' abort flag raised: hand stayed
    End Sub

End Module

The destroyer is no more good or bad than any other type of delivery system is good or bad, and has no more free will than a carrier delivering a package. Thus, the destroyer is a mere mechanism that G-d uses to execute judgment upon Egypt, Israel, and others; it is not a separate entity. The same dual reference to G-d’s ‘action’ and His ‘delivery mechanism’ can be seen in 2 Samuel 24:15-16, where G-d sent a plague to punish Israel:
 
“So G-d sent a pestilence upon Israel from the morning even to the time appointed; and there died of the people from Dan even to Beer-sheba seventy thousand men.”

וַיִּתֵּן יְהוָה דֶּבֶר בְּיִשְׂרָאֵל, מֵהַבֹּקֶר וְעַד-עֵת מוֹעֵד; וַיָּמָת מִן-הָעָם, מִדָּן וְעַד-בְּאֵר שֶׁבַע, שִׁבְעִים אֶלֶף, אִישׁ

and in Samuel 24:16, where the “destroyer” is described as:
 
”And when the angel stretched out his hand toward Jerusalem to destroy it, G-d repented Him of the evil, and said to the angel that destroyed the people: ‘It is enough; now stay thy hand.’ And the angel of G-d was by the threshing-floor of Araunah the Jebusite.”

וַיִּשְׁלַח יָדוֹ הַמַּלְאָךְ יְרוּשָׁלִַם, לְשַׁחֲתָהּ, וַיִּנָּחֶם יְהוָה אֶל-הָרָעָה, וַיֹּאמֶר לַמַּלְאָךְ הַמַּשְׁחִית בָּעָם רַב עַתָּה הֶרֶף יָדֶךָ; וּמַלְאַךְ יְהוָה הָיָה, עִם-גֹּרֶן האורנה (הָאֲרַוְנָה) הַיְבֻסִי

It is ironic that the same ideas that scripture fought so hard to invalidate are still as popular today as they were 3500 years ago. The prevalence of psychic readers on every street corner, and of Satanism in movies, literature, and popular culture, just shows you that regardless of how clear the instructions are, there is always a way to misinterpret them.

Death and Hollywood
Image 13: Satanic and demonic motifs in mainstream entertainment

Berkeley Psychics
Image 14: Distribution and density of Psychics, Tarot Card Readers, and Clairvoyant Mediums in Berkeley

All of this makes you wonder: what is it about these simple four self-explanatory statements that can possibly be confusing?

  1. “I will pass through the land of Egypt”, I and not an angel;
  2. “And I will smite every first-born in the land of Egypt”, I and not a seraph;
  3. “And I will carry out judgments against all the gods of Egypt”, I and not a messenger;
  4. “I G-d”, and none other!

Happy Passover and Happy Easter. 

References

Special thanks to Dr. Alshech for his help with translating portions of the introduction to the Golden Haggadah.

He Smote the First Born of Egypt – Handel Israel In Egypt

Campin’ In Canaan’s Happy Land – Stanley Brothers Old Time Camp Meeting Album

I have left the land of bondage with its earthly treasures
I’ve journeyed to the place where there is love on every hand
I’ve exchanged the land of heartaches for the land of pleasure
I’m camping, I’m camping, in Canaan’s happy land

Every day I’m camping (camping) in the land of Canaan (Canaan)
And in rapture I survey its wondrous beauty grand (Oh, Glory)
Glory, hallelujah (I have) found the land of promise
(And I’m) camping, I’m camping, in Canaan’s happy land

Out of Egypt I have traveled through the darkness dreary
Far over hills and valleys and across the desert sands
Thoughts of land that’s safe and homeward I shall not go weary
I’m camping, I’m camping, in Canaan’s happy land

Yes I’ve reached the land of promise with the saints of glory
My journey ended in a place so lovely and so grand
I’ve been led by Jesus to this blessed land of story
I’m camping, I’m camping, in Canaan’s happy land

The Promised Land – Hymn 128 Sacred Harp Tunebook

On Jordan’s stormy banks I stand,
And cast a wishful eye,
To Canaan’s fair and happy land,
Where my possessions lie.

I am bound for the promised land,
I am bound for the promised land,
Oh, who will come and go with me,
I am bound for the promised land.

Oh, the transporting, rapt’rous scene,
That rises to my sight,
Sweet fields arrayed in living green,
And rivers of delight.

I am bound for the promised land,
I am bound for the promised land,
Oh, who will come and go with me,
I am bound for the promised land.

Filled with delight, my raptured soul
Would here no longer stay!
Though Jordan’s waves around me roll,
Fearless I’d launch away.

I am bound for the promised land,
I am bound for the promised land,
Oh, who will come and go with me,
I am bound for the promised land.

The Curse of Belial – Dead Sea Scroll 394, 4Q286/4Q287, fragment 6

(1) The Community Council shall say together in unison, ‘Amen. Amen.’ Then [they] shall curse Belial (2) and all his guilty lot, and they shall answer and say, ‘Cursed be [Be]lial in his devilish (Mastematic) scheme, (3) and damned be he in his guilty rule. Cursed be all the spir[its of] his lot in their Evil scheme. (4) And may they be damned in the schemes of their [un]clean pollution. Surely [they are the lo]t of Darkness. Their punishment (5) will be the eternal Pit. Amen. Amen. And cursed be the Evi[l] One [in all] of his dominions, and damned be (6) all the sons of Bel[ial] in all their times of service until their consummation [forever. Amen. Amen.’] (7) And [they are to repeat and say, ‘Cursed be you, Angel of the Pit and Spir[it of Destruction in al[l] the schemes of [your] gu[ilty] inclination, (8) [and in all the abominable [purposes] and counsel of [your] Wick[edness. And damned be you in [your] [sinful] d[omi]n[ion] (9) [and in your wicked and guilty rule,] together with all the abom[inations of She]ol and [the reproach of the P]it, (10) [and with the humiliations of destruction, with [no remnant and no forgiveness, in the fury of [God’s] wrath [for]ever [and ever.] Amen. A[men.] (11) [And cursed be al]l who perform their [Evil schemes,] who establish your Evil purposes [in their hearts against] (12) Go[d’s Covenant,] so as to [reject the words of those who see] his [Tru]th, and exchange the Judge[ments of the Torah…]

Targum of Yonatan ben Uzziel (in Aramaic)
Targum (translation) Jonathan is a western targum of the Torah (Pentateuch) from the land of Israel as opposed to the eastern Babylonian Targum Onkelos (which was written by the nephew of the Roman emperor Titus). Its correct title was originally Targum Yerushalmi (Jerusalem Targum), which is how it was known in medieval times. But because of a printer’s mistake it was later labeled Targum Jonathan, in reference to Jonathan ben Uzziel. Some editions of the Pentateuch continue to call it Targum Jonathan to this day.

Most scholars refer to the text as Targum Pseudo-Jonathan. This targum also includes Aggadic material (non-legal narrative material such as parables, maxims, or anecdotes) collected from various sources as late as the Midrash Rabbah and the Talmud. It is a combination of a commentary and a translation. In the translation portions, it often agrees with the Targum Onkelos. The date of its composition is disputed. It cannot have been completed before the 633 CE Arab conquest, as it refers to Mohammad’s wife Fatimah, but it might have been initially composed in the 4th century CE. However, some scholars date it to the 14th century (which would make this document contemporary with the Golden Haggadah).

The Goddess Anath:Canaanite Epics of the Patriarchal Age – Umberto Cassuto

The Observer’s Book of Monsters – Gavin Lines

Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The LinkedIn Real-time Messaging Phish of 2019

The LinkedIn Gangsters

A few days ago I received an invite from an old fintech colleague over the LinkedIn messaging service, the message read:

“Hi, I have attached a document for our new business financial proposal for your review. Access the proposal through the extension below and get back to me at your earliest convenience.

https://onedrive.live.com/?authkey=%21AFbNEI4K8RcVpmE&cid=EBDC72C570C985A5&id=EBDC72C570C985A5%21180&parId=root&o=OneUp

Coming from a 1st degree connection made this look like a legitimate communication. But I hadn’t been in touch with my friend for a while, nor had we discussed any business recently, so this seemed a bit odd.

I texted him back via LinkedIn to verify that he indeed sent it. To my surprise, he responded in real-time with a confirmation. When I asked him if it was intended for me, he again confirmed it via the messenger application (Image 1).

LinkedIn RT Message Phish
Image 1: LinkedIn texting session

By all phishing standards, this one takes the cake. The attacker was actually conducting his exploit in real-time using my colleague’s compromised LinkedIn account. This was alarming because (1) the relatively high degree of trust that exists between you and your 1st degree network opens the door to a wide range of trust based attacks and (2) the real-time text messaging helped validate that the person that I was talking to was indeed the sender.

I switched to a sandboxed machine, clicked on the link, and went down the rabbit hole…

LinkedIn Link to OneDrive PDF
Image 2: Link from texting session to a OneDrive hosted PDF with a secondary login required to “View Message Folder”

The link to the business proposal routed to a PDF file that was hosted in a publicly accessible Microsoft OneDrive folder (Image 2).

The PDF metadata indicated that it was created recently and dynamically using Office 365 MS Word. The file name was based on my colleague’s LinkedIn profile and the subject of the proposal was also related to his line of work. The author name of the PDF document had the wishful name “Incoming Wire”.

LinkedIn Phish PDF Metadata
Image 3: The phishing PDF metadata

In order to “Continue reading your messages from OneDrive for Business”, I had to click on a second link titled “VIEW MESSAGE FOLDER”.  

The second link routed to the URL “https://normaav.ga/review”. This appeared to be a general access portal that aggregated different email systems and allowed the user to select their email provider of choice in order to view the “business proposal”.

LinkedIn Phish Login Portal
Image 4: The login portal loaded after clicking the PDF link

Clicking on the Office365 button option loaded a sign-in page and prompted me to enter my email address and the password for my Office365 account.

Normaav GA Office 365 Login
Image 5: The fake Office365 login page

Clicking on the other buttons resulted in the same functionality but with different email client login screens (Image 6).

LinkedIn Phish Logins
Image 6: Other email client login pages

The amount of detail built into the site was impressive. Where most phishing login pages deactivate superfluous links and features for efficiency reasons, this site was fully functional and even included the ability to reset your password, which came with a functional glyph generator and voice word reader.

Password Reset
Image 7: Sample password reset screen

Next, I checked the .GA domain for some clues. It came back as a Gabon based account; however, the registrar details listed the following Netherlands address:

Domain name:NORMAAV.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

After a little more digging, I found that the same owner also registered several other phishing domains that included sites like:

Domain name:TECHGURUHELP.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

So, from the look of it, this phishing site was just an elaborate email address and password collection utility. It wasn’t used for malware distribution or payload delivery.

The structure of Normaav.ga was made up of several directories, each comprised of PHP, HTML, image, zip, and some JavaScript files. The zip file housed all of the executable and site code and also provided an additional layer of obfuscation from the anti-malware scanners that would be running on the hosting server.

Normaav GA File
Image 8: Sample content of one of the Normaav.ga website “file” directories

LinkedIn Phish Directory Content
Image 9: The content of the “assets” directory showing the images and icons used to create the fake login screens

As far as the mechanics of the user data collection, clicking the “Next” button on the email login screen executed the following post function:

if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] !== "" && $_POST['password'] !== "") {

        $date = date('l d F Y');
        $time = date('H:i');
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $source = $_POST['from'];
        $ip = $_SERVER['REMOTE_ADDR'];
        $systemInfo = systemInfo($_SERVER['REMOTE_ADDR']);
        $VictimInfo1 = "| Submitted by : " . $_SERVER['REMOTE_ADDR'] . " (" . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ")";
        $VictimInfo2 = "| Location : " . $systemInfo['city'] . ", " . $systemInfo['region'] . ", " . $systemInfo['country'] . "";
        $VictimInfo3 = "| UserAgent : " . $systemInfo['useragent'] . "";
        $VictimInfo4 = "| Browser : " . $systemInfo['browser'] . "";
        $VictimInfo5 = "| Os : " . $systemInfo['os'] . "";
        $data = "
+ ------------- Scampage --------------+
+ Account Details
| Username : $user
| Password : $pass
| Source: $source
+ ------------------------------------------+
+ Victim Information
$VictimInfo1
$VictimInfo2
$VictimInfo3
$VictimInfo4
$VictimInfo5

| Received : $date @ $time
+ ------------------------------------------+
";
        // excerpt ends here; the kit then mails $data to the collection address described below
    }
}

It’s evident from the comments that the developer didn’t even bother anonymizing the variables; they just matter-of-factly named them “Victim Information”, “VictimInfo1”, “Scampage”, etc. Apparently, in the scammer industry, ripping off people is just another dehumanized banal job, not much different than stuffing hot dogs into a box on a production line.

Phish Victims
Image 10: Phishing victims as hot dogs

The data upload logic was also rudimentary, without any fancy command and control features. Once all of the user information was collated, the content was simply posted to a “boxoffice794@gmail.com” email address. This Gmail account turned out to be just one of over 8134 emails used for data collection. The phishing site itself also came in a number of variations, with different versions utilizing one or more of the listed email addresses (see a few samples below).

Password Collection Email Addresses

adamandeve10000@gmail.com
emailresult1000cc@gmail.com
boxresult81@gmail.com
johnbeng95@gmail.com
tingyangting111@gmail.com
sharoncute48@gmail.com
mrtrqbing@gmail.com
chingy555@gmail.com
cleverin15@gmail.com
edu.logs1@gmail.com

Table 1: A sampling of 10 emails out of the 8134 used by the phishing sites.

From a linguistic/semantic point of view, the creator of the site and the email accounts is most likely a native speaker of American English who pays close attention to detail. The verbiage on the site has no spelling or major grammar issues. The composite names used in the email accounts demonstrate clever wordplay and use of contemporary idioms. The word generation algorithm also takes into account human-readable combinations such as:

sql-injection
alibaba-reloaded
blood-money
call-me-ghost
extremely-blessed-007

Another interesting observation about the code is that it utilizes defensive strategies and countermeasures. For example, it uses a blacklist of IP addresses to stop the data uploader from running on high-risk networks (like Fortinet, Kaspersky, AVG Technologies, etc.) where this activity would most likely be quickly detected and stopped. So in essence, this is a signature-based form of reverse malware protection.

# _blacklist.dat  -- contains address ranges to always be blocked.
#   Only IPv4 addressing is supported.
#
#   legal range formats are:
#
#   255.255.255.255                   Single address
#   255.255.255.255/16                CIDR Mask
#   255.255.255.255/255.255.0.0       address w/mask
#   255.255.*.*                       wildcards
#   255.255.255.0-255.255.255.255     low to high address
#
#   Comments may be added to a line starting with '#' character
#   and inline comments may be added starting with '#' character.
#

#  TOR SERVERS IP RANGES

96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
96.44.189.96-96.44.189.103

#  AMAZON IP RANGES

54.219.0.0-54.219.255.255
54.193.0.0-54.193.255.255
204.236.128.0-204.236.255.255
54.242.0.0-54.243.255.255
107.20.0.0-107.23.255.255

Table 2: Extract from the blacklist used by the application in order to avoid high risk networks
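As an added example (not code from the kit or from this post), the following Python parser implements the five range formats documented in the file header above and reports which rule, if any, covers a given address; an analyst triaging a recovered kit can use it to confirm whether a sandbox’s egress address would have been refused the page, which explains a benign-looking detonation. The sample file is constructed: its first two ranges are the Tor and Amazon entries from Table 2, the rest are reserved test addresses used only to exercise each format.

```python
"""Parser for the _blacklist.dat range syntax shown in Table 2 (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the kit's file format. The first two ranges are the
# Tor and Amazon entries quoted in Table 2; the rest are RFC 5737 / RFC 2544
# test addresses chosen only to exercise every documented range format.
SAMPLE_BLACKLIST = """\
# _blacklist.dat  -- constructed sample
#  TOR SERVERS IP RANGES
96.47.226.16-96.47.226.23           # low to high address
#  AMAZON IP RANGES
54.219.0.0-54.219.255.255
203.0.113.0/24                      # CIDR mask
198.51.100.0/255.255.255.128        # address w/mask
192.0.2.*                           # wildcards
198.18.0.1                          # single address
"""

Range = Tuple[int, int, str]  # (first address, last address, rule as written)


def _addr(text: str) -> int:
    """Dotted-quad string -> integer; raises ValueError on anything else."""
    return int(ipaddress.IPv4Address(text.strip()))


def parse_rule(rule: str) -> Range:
    """Turn one rule, in any of the five documented formats, into an
    inclusive integer interval."""
    if "-" in rule:                               # low to high address
        low, high = (_addr(p) for p in rule.split("-", 1))
        if low > high:
            raise ValueError(f"inverted range: {rule}")
        return low, high, rule
    if "/" in rule:                               # CIDR prefix or dotted mask
        net = ipaddress.IPv4Network(rule.strip(), strict=False)
        return int(net.network_address), int(net.broadcast_address), rule
    octets = rule.split(".")
    if "*" in octets:                             # wildcard octets
        if len(octets) != 4:
            raise ValueError(f"bad wildcard rule: {rule}")
        first = octets.index("*")
        # Only trailing wildcards describe one contiguous block; reject others.
        if any(o != "*" for o in octets[first:]):
            raise ValueError(f"non-trailing wildcard: {rule}")
        low = _addr(".".join(octets[:first] + ["0"] * (4 - first)))
        high = _addr(".".join(octets[:first] + ["255"] * (4 - first)))
        return low, high, rule
    single = _addr(rule)                          # single address
    return single, single, rule


def parse_blacklist(text: str) -> List[Range]:
    """Parse a whole file: '#' starts a comment anywhere on a line, blank
    lines are skipped, and a malformed rule raises instead of silently
    letting an address through."""
    ranges: List[Range] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()
        if not rule:
            continue
        try:
            ranges.append(parse_rule(rule))
        except ValueError as exc:  # AddressValueError/NetmaskValueError subclass it
            raise ValueError(f"line {lineno}: {exc}") from exc
    return ranges


def find_match(ip: str, ranges: List[Range]) -> Optional[str]:
    """Return the rule that blocks `ip`, or None if the kit would serve it."""
    n = _addr(ip)
    for low, high, rule in ranges:
        if low <= n <= high:
            return rule
    return None


RANGES = parse_blacklist(SAMPLE_BLACKLIST)

if __name__ == "__main__":
    for probe in ("96.47.226.20", "54.219.77.1", "192.0.2.9", "8.8.8.8"):
        print(f"{probe:16} -> {find_match(probe, RANGES)}")
```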

It’s noteworthy that several of the PHP functions (see sample below) contain a reference to “MADEMEN CYBER TEAM”. The code also contains references to a specific developer using the alias “Sage The Hurt Ice”; this name is also associated with active PayPal accounts called “payp algent” and “paya_ldirect”.

Paypa_ldirect
Image 11: The author “SAGE THE HURT ICE”

 <TABLE>
    <tr><td>________MADEMEN CYBER TEAM_________</td></tr>
    <tr><td><STRONG>$domain I.D: $login</STRONG></td></tr>
    <tr><td><STRONG>Password: $passwd</STRONG></td></tr>
    <tr><td><STRONG>IP: $ip</STRONG></td></tr>
    <tr><td><STRONG>Date: $server</STRONG></td></tr>
    <tr><td><STRONG>country : $country</STRONG></td></tr>
    <tr><td>Browser : $browserAgent</td></tr>
    <tr><td>____HACKED BY SAGE THE HURT ICE (SKYPE =PAYP ALGENT)____</td></tr>
 </TABLE>
 </BODY>

What makes this exploit so potent is that the operation combines machine-generated content, a large degree of automation, and the creation of near real-time customized payloads based on LinkedIn account user data. Just as in a traditional mail merge operation, where each letter is customized by pulling content from different databases, the same takes place here, with the slight variation that the database is the user’s LinkedIn profile and the ‘mail to’ list is his entire LinkedIn network.

With all of these dynamic orchestration capabilities, the cherry on the cake is that there was also a human in the loop who chatted with the target in real time in order to confirm the authenticity of the phish.

This exploit should be a major concern for LinkedIn and its users. In 2016, LinkedIn lost 117 million user accounts (they were hacked as early as 2012 but didn’t discover it until 2016). Many of these passwords have not been changed by users who are still unaware of the breach. This means that the perpetrators of the current phishing expedition are essentially shooting fish in a barrel.

Based on the Normaav.ga site uptime of 4 days (before it was flagged as “deceptive” by the search engines), the volume of recovered passwords, and the number of concurrent phishing campaigns (about 10K), a conservative estimate for this campaign’s yield is over 100K new breached accounts.

So what can you do to avoid getting your LinkedIn account hacked? Obviously, don’t click on any links sent to you via the messenger. You should stop reusing the same password for multiple accounts and make it more complex. You should also consider using a password management system. In the long run though, your best bet is to enable two factor authentication (using your phone) for all of your accounts. Most ecommerce sites like Amazon, PayPal, and email providers already offer this as a free service and activating it is just a simple two step process.

Notes
Soon after detecting the exploit, I notified LinkedIn about the details of the breach. It took LinkedIn more than 48 hours to reply. The response I got was “We have provided this information to the correct team to review further and act based on their results.”  I haven’t heard back from them since. I have also followed up with several of the victims, who were completely unaware that someone took over their LinkedIn account and was using it to mount a phishing expedition.

If you haven’t done this for a while, it may also behoove you to log in to your LinkedIn and other social media accounts just to make sure that they are still accessible.

References
2019 State of the Phish Report (page 11-19 cover estimated recovery rates) – Proofpoint.com
The complete phishing kit  (source code and files)
The phishing email addresses directory (where the stolen credentials are sent after harvesting)
LinkedIn Breach Exposed 117 Million User Accounts – eSecurity Planet
Facebook stored 200-600 millions of Instagram passwords in plain text – IT ProPortal
Password Safe – A free and open source password management system

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The Great Password Storage Survey

Find Milton's Password

The idea for the password survey came about more than fifteen years ago when I managed a security team in a large Fortune 500 organization. While designing a new fraud detection platform, we discovered that a significant number of previous security incidents were attributed to compromised user passwords and credentials. The data suggested that this problem affected all business divisions and departments across the company and our partners. After a successful campaign to launch a corporate-wide root cause initiative, we ran a pilot that examined the password storage and retrieval practices in one of our regional offices with about 900 employees. After concluding the initial survey, we expanded the sampling to three other corporate locations.

The results of the first survey were supplemented by data I collected a few years later while working for a managed security service company that provided hosted proxy, firewall, IDS, and anti-malware service to several hundred credit unions and community banks. The focus of the second survey was on small to medium size U.S. based financial institutions.[1]

The total population examined in the study was about 3700 accounts and individuals. The corporate units included development, IT administration, business groups, and general staff. The sampled data reflects a typical cross-section of large (20K-40K) and small to medium (20-750) sized organizations and represents a historical snapshot of password practices in a typical regulated financial service company circa 2003-2010.

4-Password found by unit
Chart 1: Password found by business unit

Background
Knowledge-based authentication that utilizes passwords is different from other access control methods because it promotes the idea that by increasing the password entropy we can resist and discourage a brute force password recovery attack.

For many security practitioners this seems like a panacea. Policies calling for additional password complexity appear attractive at first but their practical enforcement on a multi-platform and enterprise scale are difficult to implement.

This is especially the case when we prohibit users from writing their passwords down or reusing them. The user’s inability to manage numerous complex and frequently expiring passwords can eventually compromise even the most secure environments that support multi-tiered firewalls and utilize the most advanced IDS, and robust VPN connectivity.

Paradoxically, it seems that when it comes to passwords, the user is caught between a rock and a hard place; the more secure the password is, the less so is the user.

Heterogeneous Environments and a Glut of Passwords
The never-ending cycle of M&A continues to create heterogeneous platforms within the enterprise. This phenomenon results in the proliferation of systems with different rules for password lifecycles, login procedures, and authentication standards. The impact on the users has been overwhelming, as they need to deal with an ever-increasing number of login challenges.

Even in well-consolidated enterprises that utilize state-of-the-art Active Directory and Single Sign-On, there are a handful of work-issued standalone devices and online accounts that are not tied to the central login infrastructure. Even in these integrated environments, the expiration of individual passwords is rarely synchronized, often causing a cascade of resets on other systems with user lockouts and loss of productivity.

To further complicate this, all employees also maintain dozens of non-work-related passwords that they use during their work day. This significantly increases their cognitive burden, so in an effort to conserve energy, some resort to consolidating their private and work passwords into a single file. The survey suggests that if we tally the work and private accounts, the average number of passwords each person has can exceed 60 (Chart 2).

The number of work related accounts varied with the user’s corporate responsibility (Chart 3), but on average, each had between 10-20 passwords.

1-Average number of passwords per user
Chart 2: Average number of passwords per user

Information Overload
The human factor plays a significant role in the challenge of creating, storing, and retrieving complex passwords. A number of psychological experiments have demonstrated that subjects are able to repeat accurately around eight meaningful combinations of letters, numbers, and words.[2]

When a user is given several random passwords that are eight characters long, most will remember only one. If a user is required to remember two or more such passwords, he or she will likely resort to writing them down.

When asked how many IDs and passwords they had to keep track of, the users’ immediate answer was “way too many!” The majority of users also stated that it was bad enough when they only needed a handful of passwords to access e-mail, the network, and mainframe accounts, but now every internal and external application required a complex password.

2-Average number of passwords per user type
Chart 3: Average number of passwords per user type

3-Reason for writing passwords down
Chart 4: Reasons for writing passwords down

So how did the users resolve the problem of maintaining dozens of strong passwords? When pressed, most admitted—as the research suggested—that they resorted to keeping a written list or that they have been using the same password or a variant of it for multiple systems. 

On the record, administrative staff denied that they followed this practice but off the record they admitted that they were powerless to stop it and that they themselves were guilty of these same offenses. Other industry sources suggest that this is indeed a widespread phenomenon.[3]

When questioned about their memorization techniques (the policy requires that passwords be memorized), many of them indicated that utilizing mnemonics, backronyms, and other techniques was tiresome and resulted in forgetfulness, mistakes, and system lockouts.

The majority of users (75%) stated that they could not memorize complex passwords and when they attempted to achieve this in the past it always resulted in password resets. It is interesting to note that as much as 10% of the users felt that the high frequency of the password expiration did not warrant the investment in memorizing it. Another 10% of the users felt that actually writing the password down made them more productive.

5-Password issued vs. password memorized
Chart 5: Password issued vs. password memorized

Password Storage Strategies
The password searches identified two types of password storage strategies. The first group (1), which consisted of 27% of the recovered passwords, was made up of data that was either handwritten or printed and stored in the user’s immediate work area.

The written documents included artifacts such as post-it notes, legal pads, notebooks, and text on dry erase board. The second category (2) consisted of 73% of the recovered passwords found on electronic storage in the form of digital files on portable storage devices, PDAs, phones, hard drives, and network shares.

7-Password hiding locations
Chart 6: Password storage areas

The large percentage of electronically stored passwords suggests that users are somewhat security conscious and do look for a middle ground between the two evils of keeping passwords out in the open and memorizing them.

The high rate of spreadsheet utilization (35%) for password storage suggests that without a proper company sponsored tool for managing passwords like a password safe, users will instinctively gravitate toward the next ‘best’ technology available in-house.

Password Hangouts
The majority (5% each) of users hid passwords either under a mouse pad or on sticky notes that were kept in a book or folder somewhere in the user’s immediate work area. The total percentage of passwords hidden ‘under’ various items (Table 1) was 27%.

| Password Locations Office Work Area | # Found | % of Total |
|---|---|---|
| Under mouse pad, stapler, or tape dispenser | 174 | 5% |
| Under keyboard | 86 | 2% |
| Under desk calendar | 77 | 2% |
| Under flower pot | 32 | 1% |
| Under garbage can | 11 | 0.3% |
| Under printer | 29 | 1% |
| Under phone or phone reference card | 51 | 1% |
| Under carpet or mat | 7 | 0.2% |
| Under bookshelf | 38 | 1% |
| Under paper tray | 30 | 1% |
| Under or on whiteboard or clipboard | 61 | 2% |
| Under trivet, coaster, paper weight, or pencil holder | 18 | 0.5% |
| Interior door of coat cabinet | 18 | 0.5% |
| Sticky note on the monitor | 40 | 1% |
| Note inside a book or wallet | 180 | 5% |
| Note in music CD box | 67 | 2% |
| On whiteboard obfuscated using letter or number padding | 72 | 2% |
| Total | 1058 | 27% |

Table 1: Hidden password locations – Office work area

 

| Password Locations on Electronic Storage | # Found | % of Total |
|---|---|---|
| On floppy disk inserted in drive | 15 | 0.4% |
| On USB, flash drive, or other device | 80 | 2% |
| Protected spreadsheet on a password protected network share | 613 | 17% |
| MS Access database on a network share | 216 | 6% |
| Spreadsheet on a network share | 620 | 17% |
| Text file located on a network share | 281 | 8% |
| e-mail file (user would create and e-mail himself the new password) | 408 | 11% |
| MS Word document | 103 | 3% |
| File stored on an Intranet web site | 300 | 8% |
| File stored on an Internet web site | 26 | 1% |
| Total | 2662 | 73% |

Table 2: Hidden password locations – Electronic storage

 

The majority (73%) of the hidden passwords were kept on electronic storage (spreadsheets, documents, and e-mails) in a variety of locations, the most common being (1) network drives at 34% and (2) the e-mail server at 11% (Table 2).

Only 1% of the users openly placed the latest password on their monitor (Figure 1). It is interesting to note the password generation algorithm used: the first password on the list (which was complex) was used as the seed for all future password permutations. Each time the system required a new password, the user wrote the new one down and erased the previous one.

Whenever the system permitted the re-use of old passwords, we found a high degree of password recycling via password variances and sequential use. This included 62% of developers, 86% of administrators, 97% of business users, and 94% of admin and facility staff.  

8-User Passwords Written on a Sticky Pad
Figure 1: User passwords written on a sticky note

 

Is there a Method in the madness?
75% of the user interviewed cited poor memory as the main reason (1) for writing and hiding passwords. The second (2) reason cited was the unspoken legitimacy of this practice and its widespread use. The third (3) reason was that the password was shared by several users and so having it written in a central location was the most convenient way to synchronize it and keep all users informed of any changes. This was primarily the case amongst DBAs, system administrators, and developers (87% combined). The majority of interviewees also acknowledged that they were aware of existing security policy that clearly discouraged such practices.

From conversations with administrative staff, ignorance of the law was not a factor in writing down passwords (Chart 8). Over 90% of the admins acknowledged that they knew that writing their system password down was against policy and information security directives, but they did it because they were located in a physically “secure area” that had strict access controls roles and that it was a calculated risk.

9-Percent of administrators told not to write down passwords
Chart 7: Percent of administrators told not to write down passwords

An interesting usage relationship shows that systems which periodically require users to change passwords actually trigger more people to ‘hide’ them in written form near their workstations. We estimated that the likelihood of finding written passwords near a workstation subjected to frequent password changes was 35% to 55%. At the same sites, the likelihood was only 10% to 20% for workstations connected to systems that did not enforce frequent password changes.

In many cases, over a third of the users created sequential passwords (Chart 8), for example by changing Pa$$w0rd_1 to Pa$$w0rd_2. The stats for administrative users show that this practice ran higher than 80% when permitted by the system. This finding is again confirmed by other studies that show users’ tendency to avoid memorizing new, complex passwords and to write them down instead.[4]

Chart 8: Used sequential passwords

Social Factors that Contribute to Password Mismanagement
Password security relies on the premise that passwords are kept secret at all times. This is not a trivial requirement because in a typical password life cycle, there are many opportunities for compromise whenever a password is created, used, transmitted, or stored. Passwords are always vulnerable to compromise because:

  1. They need to be initially created and assigned to a user
  2. They need to be transmitted
  3. They need to be changed
  4. They need to be stored and retrieved

In this context, sharing a password among a group of users completely negates the requirement to keep it secret. When we asked the users about the practice of sharing passwords, the unanimous response was that this was a common practice exercised by all. In fact, the system and database administration and InfoSec teams, which should have led the charge in fighting this phenomenon, were the largest practitioners of group password sharing (Charts 9-10).

Chart 9: Password sharing among administrators

Chart 10: Password sharing among developers

This contradictory situation raised several questions. When we asked the users about the clearly prohibited practice of password sharing they provided the following rationale:

  1. Friendliness––Users try to avoid behavior that would put them in a negative social light. Individuals who strictly protect their passwords by steadfastly refusing to write them down or share them with colleagues can be seen as anti-social.
  2. Conformity––Due to strong emphasis placed on “being a team player” and the importance of collaboration, many individuals determine that conformity is important and work hard to be sure that others see them as easygoing and trustworthy. For example, if a system administrator (an authority figure) asks a user for his log-in password, he is likely to reveal it because he doesn’t wish to seem suspicious of an authority figure.
  3. Trust––Sharing passwords between team members can be seen as a sign of collegial affiliation. If a user refuses to share a password with a co-worker, especially where such practice is commonplace, it could be seen as a sign of distrust.
  4. Unwritten work procedures––A team of co-workers will develop ‘informal’ procedures and workarounds to deal with occasional situations that impact their productivity (sharing workstations, using each other’s e-mail program, etc). Some of these workarounds may contradict official policies. Users who follow such informal procedures are normally acting in good faith; they are trying to be helpful and practical in an effort to get the job done.
  5. Responsibility––Users are aware of password policies, but continue to violate them nevertheless because they do not expect to be held accountable for breaking the rules, because “everyone” regards the regulations as unrealistic.
  6. Management Privileges––Senior employees believe that they are too busy to be expected to follow what they perceive as petty rules (rules which IT and InfoSec themselves are often known to disregard).
  7. Relevancy––Some users believe they and their systems are not important enough to merit serious attention from an attacker. Some users also believe that rigorous passwords are neither truly realistic nor necessary and they do not see following information security policies as being relevant to their job requirements and/or professional reputation.

Security, Perception vs. Reality
Another interesting self-contradiction that affected user perception of password security was password reuse. When questioned about the practice of resetting passwords to previous ones, a large number of administrative users and developers stated that whenever the system permitted it, they reset the new password to an older, familiar one. In some cases administrators deliberately disabled password expiration policies in order to avoid the hassle. Clearly, this practice completely defeats any advantage associated with frequent password changes.

Chart 11: Changed passwords back to original password (left: administrators, right: developers)
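The two findings above, sequential passwords (Pa$$w0rd_1 becoming Pa$$w0rd_2) and resetting a new password back to an old, familiar one, are exactly what a password-history check at change time should catch, and a plain “not identical to the last N passwords” rule misses the first of them. The following is an added example, not code from the survey or from any product it mentions; the substitution map, the 0.8 similarity threshold and the sample history are assumptions constructed for the illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Iterable

# Substitutions users commonly apply to satisfy complexity rules
# (constructed for this example; not a standard list).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

# A trailing counter such as "_1", "-02" or "2019!": the suffix users bump
# when they move from Pa$$w0rd_1 to Pa$$w0rd_2.
_TRAILING_COUNTER = re.compile(r"[\W_]*\d+[\W_]*$")


def normalize(password: str) -> str:
    """Reduce a password to the core the user is actually memorizing."""
    # Strip the counter; fall back to the whole string if nothing is left.
    core = _TRAILING_COUNTER.sub("", password) or password
    return core.lower().translate(_LEET)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalized forms (1.0 = identical core)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify_change(new_password: str, history: Iterable[str],
                    threshold: float = 0.8) -> str:
    """Compare a proposed password against previously used ones.

    Returns one of:
      "reused"     - identical to a previous password
      "sequential" - same core as a previous password, only the counter changed
      "variant"    - normalized forms are at least `threshold` similar
      "ok"         - sufficiently different from every remembered password
    """
    history = list(history)
    if any(new_password == old for old in history):
        return "reused"
    new_core = normalize(new_password)
    if any(new_core == normalize(old) for old in history):
        return "sequential"
    if any(similarity(new_password, old) >= threshold for old in history):
        return "variant"
    return "ok"


if __name__ == "__main__":
    # Constructed sample history, in plaintext only for the demonstration.
    history = ["Pa$$w0rd_1", "Summer2018!", "Tr0ub4dor&3"]
    for candidate in ["Pa$$w0rd_1", "Pa$$w0rd_2", "Summer2019!",
                      "Password!", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {classify_change(candidate, history)}")
```

A real system stores only hashes of previous passwords, so exact reuse can be checked against the whole stored history, but the sequential and variant checks need plaintext and can therefore only be run between the current password the user types to authorize the change and the proposed new one. That single comparison is still enough to block the Pa$$w0rd_1 to Pa$$w0rd_2 pattern the survey found, which is where most of the recycling happened.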

When we asked the users for their rationale for ignoring security policy directives and making this and other judgment calls, the answers clustered around these topics:

  1. Lack of account privacy affected general work habits and security––When users were regularly forced to write down their passwords because they lacked a tool to manage them properly, they also tended to justify keeping other sensitive information out in the open.
  2. Security mandates elicited strong emotional reactions––Users often spoke in emotional terms about unrealistic decrees, using terms like: “smoke and mirrors”, “lip service”, and “window dressing”. Furthermore, they said that they wanted their information to be secure and private but at the same time they had a fatalistic attitude towards security. That is, they felt resigned to accepting security breaches and privacy compromises.
  3. Inability to differentiate between security and privacy—Users didn’t distinguish between these two concepts and mostly focused on the outcome of a security breach and its impact on their work product. In one example, an administrator did not consider the common practice of sharing passwords with a fellow administrator to be a privacy or a security issue. When their password was discovered during the survey, they simply mitigated the damage by resetting the password and continued the sharing practice.
  4. Multi-user applications and social interactions influenced information sharing—Collaborative work assignments and certain business processes promoted password sharing. When it comes to account and password privacy, users working in a collaborative environment tended to have a more liberal and collective sense of account ownership.
  5. Few differences existed between home and business account management practices––Users’ lack of concern for account privacy did not depend on their work location. They were consistent in their practices whether at home or at work. Remote users who connected via VPN were less concerned about the security of their work files because they considered the likelihood of someone hacking them at home to be minimal, despite the fact that their off-site network was much less secure (many had no firewalls or up-to-date anti-malware protection). Also, most users working from home did not consider themselves to be a potential target of an attack.

Conclusion
The survey results suggest that the widespread practice of users writing down passwords and keeping them in unsecured locations is a natural response to unrealistic security mandates. Users in general are concerned with productivity and view password management as overhead and a dreaded chore.

Practical password security depends on the availability of password management and enforcement mechanisms. Any password policy must on one hand balance the benefits of protection and enforcement and on the other minimize user impact. Without maintaining this careful balance, we run the risk of users coming to view policy mandates such as expiring passwords as tyrannical decrees that should be cleverly circumvented.

If a good personal and corporate security strategy depends on strong passwords—and few will argue that it does not—then the keystone of good password security is the establishment of an enterprise-wide solution that will either completely eliminate passwords or facilitate the management of the entire password life cycle via on-line, mobile, and off-line access.

Or as Milton Waddams would say, “Well, Ok. But… that’s the last straw. And, and I’m telling you It’s not okay because if they lock me out again and force me to memorize another complex password, I’m I’ll, I’ll, set the building on fire…”

 

Notes and References
Authentication in Internet Banking: A Lesson in Risk Management – FDIC (2007)
Uncovering Password Habits – Are Users’ Password Security Habits Improving?
The death of passwords is premature – Keeper (2016)
Microsoft admits expiring-password rules are useless – CNet (2019)

[1] Due to the sensitive nature of password surveys, password storage searches should be planned and executed carefully and discreetly. Before conducting any searches, you should secure written approval from your IT, InfoSec, HR, and legal teams. You should also coordinate all such activities with the local facilities team. Another good rule of thumb is to conduct all surveys as a team that includes representatives from HR and building security; this eliminates the perception that some unknown individual is pillaging and violating the privacy of employees after hours. Follow-up conversations with users regarding their password storage and recovery habits should be held in a private setting, in a non-threatening and non-confrontational manner. You should make it clear to the interviewee that their cooperation is appreciated, that it will not reflect poorly on their evaluation, and that the ultimate goal of the exercise is to improve both personal and corporate data security and privacy. A $20 gift certificate to Starbucks or another popular outlet goes a long way towards easing the tension.

[2] C. Coombs, R. Dawes, and A. Tversky, Mathematical Psychology: An Elementary Introduction. Prentice-Hall Press, 1970. See also Yan, Blackwell, Anderson, and Grant, “The Memorability and Security of Passwords – Some Empirical Results” (research paper, Cambridge University Computer Laboratory, 2001); and Miller, George A. (1956), “The magical number seven, plus or minus two: Some limits on our capacity for processing information”, Psychological Review, 63, 81-97.

[3] Schneier on Security, “Write Down Your Password” (2005)

[4] Spafford, Eugene H. (1992). “Observations on reusable password choices”, Proceedings of the 3rd USENIX Security Symposium, September 1992.

 

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.