Trump Officials Overseeing Health Care Overhaul Previously Lobbied for Health Insurance Firms

The political appointees tapped by President Donald Trump to oversee federal health care programs — including the potential transition to a new Republican bill to replace the Affordable Care Act — joined the government just after working as lobbyists and attorneys for the largest health care interests in America.

Several senior Health and Human Services Administration appointees previously worked for insurers seeking to influence the consumer regulations mandated by the ACA, according to new political appointee financial disclosures obtained by The Intercept. The appointees work closely under HHS Secretary Tom Price — a former member of Congress and longtime ACA opponent who has pushed his old colleagues on the Hill to repeal the ACA.

Eric Hargan, the nominee for deputy secretary at HHS, and Paula Stannard, Price’s senior counselor, previously worked in the lobbying and government affairs departments of their respective law firms, Greenberg Traurig and Alston & Bird. Hargan and Stannard both disclosed serving health insurance giant UnitedHealth as a client.

UnitedHealth, which prompted worries about the ACA’s tenability when it exited most of the health exchanges that underpin President Barack Obama’s signature health care reform law, has lobbied the federal government on a number of issues. The group targeted its work in Washington at ACA policies dealing with mandating that insurers cover a series of basic medical services known as essential health benefits; limits on how much insurance prices can differ between age groups; and the health insurance industry taxes. All these policies are in Republicans’ sights as they move to repeal Obama’s reforms.

Hargan is but one of several top HHS appointees with health insurance industry ties.

HHS Associate Deputy Secretary for Health Reform Randolph Wayne Pate previously worked as the vice president for public policy for Health Care Services Corporation, an insurance company that operates Blue Cross Blue Shield plans in five states. In recent months, Pate’s previous employer has lobbied on bills to provide waivers for health insurance companies to duck costly consumer mandates, such as prohibiting discrimination over age.

Price’s chief of staff Lance Leggitt listed 40 previous health care-related clients as a partner of the law firm Baker, Donelson, Bearman, Caldwell & Berkowitz. Leggitt served as the chair of the federal health care practice of the firm, which lobbies for the insurer Aetna and the Pharmaceutical Research & Manufacturers of America, a trade group. Leggitt disclosed being paid $801,008 in compensation.

Keagan Lenihan, who serves as a senior counselor to Price, previously worked as a top lobbyist for McKesson Specialty Health, the largest distributor of drugs and other health care products in the country. As recently as last year, Lenihan attempted to influence lawmakers on “pharmacy reimbursement issues and implementation of the Affordable Care Act,” according to disclosures.

McKesson has faced accusations that it ignored warning signs and distributed dangerous opioids to pill mills, worsening the drug overdose crisis. In January, the firm paid a record $150 million settlement for failure to report suspicious orders of controlled substances, including oxycodone and hydrocodone pills.

The Intercept reached out to HHS for comment on the appointees’ past ties to health care industries and their lobbying, but did not receive a response.

Private health care interests, particularly health insurers, have worked closely with Republican leaders to shape the next iteration of health reform. House Speaker Paul Ryan, R-Wisc., attended a fundraiser hosted by health insurance lobbyists just before appearing to explain his party’s approach to repealing and replacing the ACA. The major provisions of the plan passed by House Republicans include a major tax cut for insurers, along with an option for states to opt out of consumer protections — proposals demanded by health insurance companies.

Top photo: UnitedHealthcare signage is displayed outside of a store in the Queens borough of New York, in 2013.

The post Trump Officials Overseeing Health Care Overhaul Previously Lobbied for Health Insurance Firms appeared first on The Intercept.

Inside a Porn-Pimping Spam Botnet

For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites. Having hit a wall in my research, I decided it might be good to publish what I’ve unearthed so far to see if this dovetails with any other research out there.

In late October 2016, an anonymous source shared with KrebsOnSecurity.com a list of nearly 100 URLs that — when loaded into a Firefox browser — each displayed what appeared to be a crude but otherwise effective text-based panel designed to report in real time how many “bots” were reporting in for duty.

Here’s a set of archived screenshots of those counters illustrating how these various botnet controllers keep a running tab of how many “activebots” — hacked servers set up to relay spam — are sitting idly by and waiting for instructions.

One of the more than 100 panels linked to the same porn spamming operation. In October 2016, these 100 panels reported a total of 1.2 million active bots operating simultaneously.

At the time, it was unclear to me how this apparent botnet was being used, and since then the total number of bots reporting in each day has shrunk considerably. During the week the above-linked screen shots were taken, this botnet had more than 1.2 million zombie machines or servers reporting each day (that screen shot archive includes roughly half of the panels found). These days, the total number of servers reporting in to this spam network fluctuates between 50,000 and 100,000.

Thanks to a tip from an anti-spam activist who asked not to be named, I was able to see that the botnet appears to be busy promoting a seemingly endless network of adult dating Web sites connected to just two companies: CyberErotica, and Deniro Marketing LLC (a.k.a. AmateurMatch).

As affiliate marketing programs go, CyberErotica stretches way back — perhaps to the beginning. According to TechCrunch, CyberErotica is said to have launched the first online affiliate marketing firm in 1994.

In 2001, CyberErotica’s parent firm Voice Media settled a lawsuit with the U.S. Federal Trade Commission, which alleged that the adult affiliate program was misrepresenting its service as free while it dinged subscribers for monthly charges and made it difficult for them to cancel.

In 2010, Deniro Marketing found itself the subject of a class-action lawsuit that alleged the company employed spammers to promote an online dating service that was overrun with automated, fake profiles of young women. Those allegations ended in an undisclosed settlement after the judge in the case tossed out the spamming claim because the statute of limitations on those charges had expired.

What’s unusual (and somewhat lame) about this botnet is that — through a variety of botnet reporting panels that are still displaying data — we can get live, real-time updates about the size and status of this crime machine. No authentication or credentials needed. So much for operational security!

The “mind map” pictured below contains enough information for nearly anyone to duplicate this research, and includes the full Web address of the botnet reporting panels that are currently online and responding with live updates. I was unable to load these panels in a Google Chrome browser (perhaps the XML data on the page is missing some key components), but they loaded fine in Mozilla Firefox.

But a note of caution: I’d strongly encourage anyone interested in following my research to take care before visiting these panels, preferably doing so from a disposable “virtual” machine that runs something other than Microsoft Windows.

That’s because spammers are usually involved in the distribution of malicious software, and spammers who maintain vast networks of apparently compromised systems are almost always involved in creating or at least commissioning the creation of said malware. Worse, porn spammers are some of the lowest of the low, so it’s only prudent to behave as if any and all of their online assets are actively hostile or malicious.

A “mind map” tracing some of the research mentioned in this post.

FOLLOW THE HONEY

So how did KrebsOnSecurity tie the spam that was sent to promote these two adult dating schemes to the network of spam botnet panels that I mentioned at the outset of this post? I should say it helped immensely that one anti-spam source maintains a comprehensive, historic collection of spam samples, and that this source shared more than a half dozen related spam samples. Here’s one of them.

All of those spams had similar information included in their “headers” — the metadata that accompanies all email messages.

Received: from minitanth.info-88.top (037008194168.suwalki.vectranet.pl [37.8.194.168])
Received: from exundancyc.megabulkmessage225.com (109241011223.slupsk.vectranet.pl [109.241.11.223])
Received: from disfrockinga.message-49.top (unknown [78.88.215.251])
Received: from offenders.megabulkmessage223.com (088156021226.olsztyn.vectranet.pl [88.156.21.226])
Received: from snaileaterl.inboxmsg-228.top (109241018033.lask.vectranet.pl [109.241.18.33])
Received: from soapberryl.inboxmsg-242.top (037008209142.suwalki.vectranet.pl [37.8.209.142])
Received: from dicrostonyxc.inboxmsg-230.top (088156042129.olsztyn.vectranet.pl [88.156.42.129])

To learn more about what information you can glean from email headers, see this post. But for now, here’s a crash course for our purposes. The so-called “fully qualified domain names” or FQDNs in the list above can be found just to the right of the open parentheses in each line.

When this information is present in the headers (and not simply listed as “unknown”) it is the fully-verified, real name of the machine that sent the message (at least as far as the domain name system is concerned). The dotted address to the right in brackets on each line is the numeric Internet address of the actual machine that sent the message.

The information to the left of the open parentheses is called the “HELO/EHLO string,” and an email server administrator can set this information to display whatever he wants: It could be set to bush[dot]whitehouse[dot]gov. Happily, in this case the spammer seems to have been consistent in the naming convention used to identify the sending domains and subdomains.

Back in October 2016 (when these spam messages were sent) the FQDN “minitanth.info-88[dot]top” resolved to a specific IP address: 37.8.194.168. Using passive DNS tools from Farsight Security — which keeps a historic record of which domain names map to which IP addresses — I was able to find that the spammer who set up the domain info-88[dot]top had associated the domain with hundreds of third-level subdomains (e.g. minitanth.info-88[dot]top, achoretsq.info-88[dot]top, etc.).

It was also clear that this spammer controlled a great many top-level domain names, and that he had countless third-level subdomains assigned to every domain name. This type of spamming is known as “snowshoe” spamming.

“Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to dilute reputation metrics and evade filters,” writes anti-spam group Spamhaus in its useful spam glossary.
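The header fields described above can be separated mechanically. This is an added example, not code from the original post: it parses the Received lines quoted earlier into HELO string, reverse-DNS name and IP, then groups the HELO domains by naming pattern to show the snowshoe spread. The function names and the digit-collapsing heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Received lines copied from the spam samples quoted above.
SAMPLE_HEADERS = """\
Received: from minitanth.info-88.top (037008194168.suwalki.vectranet.pl [37.8.194.168])
Received: from exundancyc.megabulkmessage225.com (109241011223.slupsk.vectranet.pl [109.241.11.223])
Received: from disfrockinga.message-49.top (unknown [78.88.215.251])
Received: from offenders.megabulkmessage223.com (088156021226.olsztyn.vectranet.pl [88.156.21.226])
Received: from snaileaterl.inboxmsg-228.top (109241018033.lask.vectranet.pl [109.241.18.33])
Received: from soapberryl.inboxmsg-242.top (037008209142.suwalki.vectranet.pl [37.8.209.142])
Received: from dicrostonyxc.inboxmsg-230.top (088156042129.olsztyn.vectranet.pl [88.156.42.129])
"""

# HELO string, then "(reverse-DNS name [IP])"; rDNS may be the literal "unknown".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

def parse_received(line):
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    rdns = m.group("rdns").lower()
    return {"helo": m.group("helo").lower(), "ip": m.group("ip"),
            "rdns": None if rdns == "unknown" else rdns}

def base_domain(name):
    # Assumption: the last two labels are the registered domain (true for
    # .top/.com/.pl here); production code should use the Public Suffix List.
    return ".".join(name.rstrip(".").split(".")[-2:])

def family(domain):
    # Collapse digit runs so inboxmsg-228.top and inboxmsg-242.top share one pattern.
    return re.sub(r"\d+", "#", domain)

def snowshoe_summary(text):
    clusters = defaultdict(lambda: {"domains": set(), "ips": set(), "helo_mismatch": 0})
    for rec in filter(None, map(parse_received, text.splitlines())):
        dom = base_domain(rec["helo"])
        c = clusters[family(dom)]
        c["domains"].add(dom)
        c["ips"].add(rec["ip"])
        # The HELO name is sender-chosen; count it when the verified rDNS disagrees.
        if rec["rdns"] is None or base_domain(rec["rdns"]) != dom:
            c["helo_mismatch"] += 1
    return dict(clusters)

if __name__ == "__main__":
    for fam, c in sorted(snowshoe_summary(SAMPLE_HEADERS).items()):
        print(fam, len(c["domains"]), "domains,", len(c["ips"]), "IPs,", c["helo_mismatch"], "HELO mismatches")
```

A pattern such as `inboxmsg-#.top` mapping to several numbered domains, each seen from a different residential-looking IP whose reverse DNS never matches the HELO name, is the signature a mail filter can score on.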

WORKING BACKWARDS

So, armed with all of that information, it took just one or two short steps to locate the IP addresses of the corresponding botnet reporting panels. Quite simply, one does DNS lookups to find the names of the name servers that were providing DNS service for each of this spammer’s second-level domains.

Once one has all of the name server names, one simply does yet more DNS lookups — one for each of the name server names — in order to get the corresponding IP address for each one.

With that list of IP addresses in hand, a trusted source volunteered to perform a series of scans on the addresses using “Nmap,” a powerful and free tool that can map out any individual virtual doorways or “ports” that are open on targeted systems. In this case, an Nmap scan against that list of IPs showed they were all listening for incoming connections on Port 10001.

From there, I took the IP address list and plugged each address individually into the URL field of a browser window in Mozilla Firefox, and then added “:10001” to the end of the address. After that, each address happily loaded a Web page displaying the number of bots connecting to each IP address at any given time.

Here’s the output of one controller that’s currently getting pinged by more than 12,000 systems configured to relay porn spam (the relevant part is the first bit on the second line below — “current activebots=”). Currently, the entire botnet (counting the active bots from all working bot panels) seems to hover around 80,000 systems.

[Image: output of one botnet reporting panel]

At the time, the spam being relayed through these systems was advertising sites that tried to get visitors to sign up for online chat and dating sites apparently affiliated with Deniro Marketing and CyberErotica.

Seeking more information, I began searching the Web for information about CyberErotica’s affiliate offerings and I found that the affiliate program’s marketing division is run by a guy who uses the email address scott@cecash.com.

A Google search quickly reveals that scott@cecash.com also advertises he can be reached using the ICQ instant messenger address of 55687349. I checked icq.com’s member lookup page, and found the name attached to ICQ# 55687349 is “Scott Philips.”

Mr. Philips didn’t return messages seeking comment. But I couldn’t help but wonder about the similarity between that name and a convicted Australian porn spammer named Scott Phillips (NB: two “l”s in Phillips).

In 2010, Scott Gregory Phillips was fined AUD $2 million for running a business that employed people to create fake profiles on dating websites in a bid to obtain the mobile phone numbers of dating website users. Phillips’ operation then sent SMS texts such as “get laid, text your number to…”, and then charged $5 on the mobile accounts of people who replied.

Phillips’ Facebook page and Quora profile would have us believe he has turned his life around and is now making a living through day trading. Reached via email, Phillips said he is a loyal reader who long ago quit the spam business.

“I haven’t been in the spam business since 2002 or so,” Phillips said. “I did some SMS spam in 2005, got about 18 million bucks worth of fines for it, and went straight.”

Phillips says he builds “automated commodity trading systems” now, and that virtually all modern spam is botnet-based.

“As far as I know the spam industry is 100% botnet these days, and not a viable proposition for adult sites,” he told KrebsOnSecurity.

Well, it’s certainly a viable proposition for some spammer. The most frustrating aspect of this research is that, in spite of the virtually non-existent operational security employed by whoever built this particular crime machine, I still have no real data on how the botnet is being built, what type of malicious software may be involved, or who’s responsible.

If anyone has additional research or information on this botnet, please don’t hesitate to leave a comment below or get in touch with me directly.

Trump’s planned EPA cuts will hit America’s most vulnerable | Mustafa Santiago Ali

The road the Trump Administration is taking us down puts us full-speed in reverse to a time when rivers caught fire and air pollution darkened the skies

The Trump Administration is using a deliberate and systematic approach to undermine, weaken and disempower America’s most vulnerable communities. The United States Environmental Protection Agency’s proposed budget cuts are a clear-cut example of this ongoing attack. The cuts will gravely reduce the ability to enhance communities across the United States – including low-income communities made up of white, black, Latino, Indigenous and Asian Americans, in urban and rural settings alike.

As President Trump’s appointed leader of the EPA gets set to testify on Capitol Hill this Thursday, it is important to understand the consequences of the actions they want to take. The bottom line is that real people will get sick and many will prematurely die. Communities, particularly our most vulnerable, will greatly suffer if these cuts happen.


FC Cincinnati upset Columbus Crew in US Open Cup before record crowd

A crowd of 30,160 turned out to watch FC Cincinnati’s 1-0 upset of the top-flight Columbus Crew on Wednesday night in the fourth round of the US Open Cup.

Djiby Fall’s header in the 64th minute made the difference for the second-year club of the United Soccer League, which shares second-division status with the NASL in the United States pyramid.
