LIGATT Email on LulzSec Dox PR Appears to be Fake

Thursday, June 09, 2011

Anthony M. Freed


UPDATE: Robert Winkel (@RobertWinkel) reports that he has found the original LIGATT email that the header information was copied from to produce the document referenced in this article. Winkel states that the original email was part of the leaked data from the LIGATT network breach earlier this year, and posted the original header at Pastebin HERE. That still leaves a lot of good questions to be answered. Namely, who is producing these items and why? Thanks to Mr. Winkel for his efforts and alerting us.

*   *   *

On June 7, Infosec Island posted an article based on a press release issued at Free-Press-Release.com that announced LIGATT Security was engaged in an investigation of the hacker collective LulzSec.

The press release stated that LIGATT had successfully gathered information that would reveal the identities of several members of LulzSec, and that the company planned to release the data to the public as well as provide it to the FBI.

Rumors began circulating via Twitter posts that the press release was a forgery, and subsequently Infosec Island contacted LIGATT CEO Gregory Evans for comment.

Evans indicated that the press release "was completely made up," and that it had not been produced or submitted by any member of the LIGATT staff.

"They took elements of our real press releases and used them. They even added the Safe Harbor Act," Evans explained. "And we only use PR NewsWire, we never use Free Press Release."

Infosec Island updated the article to reflect the statements from Evans that the press release was in fact fraudulent. Free Press Release subsequently removed the posting.

Except for uncovering who might have issued the false press release and why, it was pretty much mystery solved. Right?

Wrong.

The update fueled some speculation in infosec circles that the media-hungry Evans may have manufactured the "false" release in an effort to garner some attention from the press. Speculation is one matter, and having evidence of such a manipulation of the press is another matter entirely.

In today's Google alerts for "LIGATT", right below links to the Free Press Release posting and Infosec Island's coverage, appeared the headline "Lulzsec and Infosecisland you're being played - Pastebin.com" with a link to an anonymous Pastebin posting.

The Pastebin posting appears to display an email sent by Evans on June 5th to a staff member instructing them to produce the LulzSec investigation press release that Evans claimed was fraudulent, and to distribute the release through outlets the company does not normally use.

The full Pastebin posting is as follows:

Lulzsec and Infosecisland you're being played

Received: (qmail 3276 invoked from network); 05 June 2011 06:49:33 -0000
Received: from unknown (HELO p3pismtp01-001.prod.phx3.secureserver.net) ([10.6.12.2])
          (envelope-sender )
          by p3plsmtp11-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP
          for ; 05 June 2011 06:49:33 -0000
X-IronPort-Anti-Spam-Result: AqcDANNxFk1AyqW1kGdsb2JhbACkRQEBAQEJCQwHEQMdBIgvtVKFSgSEZYYfgzeIZA
Received: from smtpauth01.prod.mesa1.secureserver.net ([64.202.165.181])
  by p3pismtp01-002.prod.phx3.secureserver.net with SMTP; 05 June 2011 23:49:31 -0700
Received: (qmail 21276 invoked from network); 05 June 2011 06:49:31 -0000
Received: from unknown (69.94.218.141)
  by smtpauth01.prod.mesa1.secureserver.net (64.202.165.181) with ESMTP; 05 June 2011 06:49:31 -0000
From: Gregory Evans
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Luizsec PR campaign
Date: Sun, 05 June 2011 01:49:29 -0500
Message-Id:
Cc: Greg Evans
To: Melanie Banks
Mime-Version: 1.0 (Apple Message framework v1081)
X-Mailer: Apple Mail (2.1081)
X-Nonspam: None

I want you too create a PR peice saying we are going to out the lulzsec groups. Say that we are doin this because we have two FBI agents in our board and we are respond to the infraguard hack. We need press for Ligatt and Hitechcrimesolutions since we moved to los angels. Make the pr from another place then our usual place and make sure its FREE!! I aint spendin money on this!! Have the new girl write the pr shes a good writer.

Make sure I see it before you post it!


Have A Blessed Day!


Gregory D Evans

CEO

LIGATT Security International/Hitechcrimesolutions

6050 Peachtree Pkwy Ste 240-147

Norcross, GA 30092

Phone: (866) 517-1831 Fax: (678) 291-9631

Twitter: @GregoryDEvans

Facebook: www.facebook.com/GregoryDEvansPage

Website: www.gregorydevans.com www.hitechcrimesolutions.com

There seem to be two possible explanations for the posting: One, someone out there has a lot of time on their hands and knows a lot about Gregory Evans, LIGATT, and how to present a well-spoofed email header.

The alternate possibility is that the email is legitimate and Evans manufactured the entire LulzSec investigation press release for publicity, as the text in the Pastebin posting suggests.

Infosec Island has no interest in participating in the dissemination of false information, nor do we want to assist anyone else in the manipulation of the facts, so we are simply presenting the evidence along with some informed analysis and will let you, the reader, decide what may be fact or fiction.

First, we made attempts to contact Gregory Evans at the same number we contacted him at for the prior article, as well as another that is included in the email in question, and were simply met with a recorded message: "The number you have dialed is unavailable from your calling area."

So we decided to contact several industry experts who are known to have done extensive research on the LIGATT emails that were leaked earlier this year following the company's well publicized breach.

Given Evans' extremely litigious tendencies, our contacts were happy to discuss the suspect email, but only Steve Ragan of The Tech Herald was willing to go on the record with some analysis.

We went over the Pastebin post with Ragan line by line, comparing the header and text to those known to be from Evans and LIGATT, and certain patterns stood out that would imply that the email is either legitimate, or an extremely well conceived hoax.

Text Analysis:

"Looking at the Pastebin document, a few things immediately stand out. First, there are the errors when dealing with proper nouns, in addition to the misspelling of LulzSec in the subject line. Notice, that his own company names are used properly, while the others are not. This is typical LIGATT, with regard to email communications," Ragan stated.

"Next, there is the use of 'too' instead of 'to' in the first sentence, as well as 'doin' instead of 'doing' in the second sentence. Slight slang and grammatical errors are another hallmark of LIGATT emails and communications."

Header Analysis:

"If you look at the IP address in the headers, 64.202.165.181 is owned by GoDaddy. Anyone who has ever researched LIGATT knows that they are GoDaddy customers. Also, it is known that since Spoofem was given a name change, LIGATT's IP addresses with GoDaddy changed some," Ragan noted.

"For example, the IP address in the same block can be seen in emails delivered to me at The Tech Herald. I was able to locate one from June 18 2010, the address in the header is 64.202.165.39. The same IP appeared in an email from December of that year as well. Both were from LIGATT's PR."

"GoDaddy would have likely moved LIGATT to a new system after their growth, but the IP addresses would remain close to, if not the same, as the originals. The public has been aware of LIGATT's server changes based on public comments and statements. So tagging a fake message with correct information isn't a hard task."


"Given everything that is known about LIGATT, as well as how emails and press releases are constructed, it wouldn't be a hard task to create a fake message. Anyone who read the leaked company emails will have plenty of examples on how to talk like GDE," Ragan surmised.
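
An added example, not part of the original article or of Ragan's analysis: a timestamp consistency check over the Received and Date fields of the posted header, relevant to the report in the UPDATE above that the header was copied from an earlier email. It converts every stamp to UTC, flags hops that run backwards in time, and flags month tokens outside the three-letter names RFC 5322 defines; the function names and the five-minute clock-skew allowance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Received and Date fields copied from the posting quoted above (other fields omitted).
POSTED = """\
Received: (qmail 3276 invoked from network); 05 June 2011 06:49:33 -0000
Received: from unknown (HELO p3pismtp01-001.prod.phx3.secureserver.net) ([10.6.12.2])
          by p3plsmtp11-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP
          for ; 05 June 2011 06:49:33 -0000
Received: from smtpauth01.prod.mesa1.secureserver.net ([64.202.165.181])
  by p3pismtp01-002.prod.phx3.secureserver.net with SMTP; 05 June 2011 23:49:31 -0700
Received: (qmail 21276 invoked from network); 05 June 2011 06:49:31 -0000
Received: from unknown (69.94.218.141)
  by smtpauth01.prod.mesa1.secureserver.net (64.202.165.181) with ESMTP; 05 June 2011 06:49:31 -0000
Date: Sun, 05 June 2011 01:49:29 -0500
"""
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
STAMP = re.compile(r"(\d{1,2}) ([A-Za-z]+) (\d{4}) (\d\d):(\d\d):(\d\d) ([+-])(\d\d)(\d\d)")

def parse_stamps(header):
    """Return [(field name, month token, UTC datetime)] in header order (newest hop first)."""
    out = []
    unfolded = re.sub(r"\n[ \t]+", " ", header.strip())  # join continuation lines
    for field in unfolded.splitlines():
        m = STAMP.search(field)
        if not m:
            continue
        d, mon, y, hh, mi, ss, sign, oh, om = m.groups()
        local = datetime(int(y), MONTHS.index(mon[:3].title()) + 1, int(d),
                         int(hh), int(mi), int(ss))
        offset = timedelta(hours=int(oh), minutes=int(om)) * (1 if sign == "+" else -1)
        out.append((field.split(":", 1)[0], mon, local - offset))
    return out

def audit(header, slack=timedelta(minutes=5)):
    """Return findings: hops that run backwards in time, and non-RFC 5322 month tokens."""
    stamps = parse_stamps(header)
    hops = [s for s in stamps if s[0] == "Received"][::-1]   # oldest hop first
    chain = [s for s in stamps if s[0] == "Date"] + hops     # composition, then each relay
    findings = []
    for (_, _, earlier), (_, _, later) in zip(chain, chain[1:]):
        if later + slack < earlier:                          # honest clock skew is seconds
            findings.append(("time-reversal", earlier - later))
    bad = [mon for _, mon, _ in stamps if mon not in MONTHS]
    if bad:
        findings.append(("non-rfc5322-month", len(bad)))
    return findings

if __name__ == "__main__":
    for finding in audit(POSTED):
        print(finding)
```

On the posted header, the hop stamped 23:49:31 -0700 converts to 06:49:31 UTC on June 6, almost 24 hours after the hop that supposedly received the message from it, and all six stamps spell the month in full.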

Conclusion

"In short, there is a high degree of likelihood that the email is legitimate. LIGATT would have no problem creating drama in order to profit from it. In interviews to your outlet, he has stated as much. According to Evans, LulzSec has generated business for his organization. So a fake press release - in an attempt to turn him into the next HBGary Federal - would be plenty of drama that could spin into what he would consider PR gold," said Ragan.

"However, this could be a case of someone spending a good deal of time to learn the technical and grammatical details needed, in order to create a replica LIGATT message. The question I'd have is why would anyone bother?"

And so, without the ability to reach Evans for comment, all we have is some reasoned speculation and conjecture, but given the level of involvement Infosec Island apparently has with the matter, we felt we should go ahead and present what we have.

On the one hand there could be an orchestrated campaign by an unknown party to put LIGATT and Evans in a position where they would be prime candidates for some LulzSec pwnage similar to what HBGary Federal experienced at the hands of Anonymous earlier this year.

This is not far-fetched, given the general level of disdain for Evans and his companies among many in the technology field.

Alternately, we have a company with a poor professional reputation where business practices are concerned, in the process of attempting to build a new brand, led by a CEO who has been repeatedly sanctioned for a wide variety of indiscretions and who is known to be a skilled media player.

Considering how Evans consistently portrays himself as a victim, it struck me as odd that he was so absolutely pleased about the "false" press release and the attention he had already gained from discussing LulzSec in the press.

"They've been good for business... I did twenty interviews in the last week... Hackers are job security," Evans had said.

Until further evidence is presented either way, we simply have to leave it to our readers to decide for themselves just what the circumstances are behind the "false" press release and the unsubstantiated email.

We welcome your thoughts and comments on this whole brouhaha.

Editor's Note: A special thanks to Steve Ragan for taking the time to provide some insight on the matter.

Robert Winkel The email is a fake. The email header was copied from http://pastebin.com/GgnEpjPN and the date was changed. All other unique identifiers were left in.
The email in http://pastebin.com/GgnEpjPN can be verified by anybody that has downloaded the leaked Ligatt email spool.
@RobertWinkel
Anthony M. Freed Thanks Robert, looks like you have just solved the riddle behind the legitimacy of the email. That still leaves a lot of good questions to be answered. Namely, who is producing these items and why. Evans had stated that he is seeking information on who submitted the press release, perhaps that will shine a little more light on the situation, but perhaps not. I think a dark ops campaign by an unknown party pitting Lulzsec against LIGATT would be a more interesting story than a ridiculous PR stunt any day. Let's see what comes up.
Robert Winkel LIGATT has many enemies and deservedly so. Pitting Lulzsec against LIGATT would be a laugh, but I would like to think that if this were to happen it would be for a valid reason (e.g. revenge for all of Gregory D Evans' plagiarism and charlatanism) rather than a falsified reason.
Dan Keeney Pretty easy to figure this out. Did a quick Google search (http://bit.ly/ll44aj) and came up with what Robert found.
Brian Baskin Dan, it was easy to figure out because someone had just uploaded that pastebin page. It did not exist at the time this article was written, so one would have to have the original email archive from LIGATT and search through the entirety of it to find a duplicate.
Asherah Wordvirus Press release reads like Topiary's writing, and the service is one he used for anon releases. He's a confirmed attention frak, and probably missed all the attention from HBGary. My guess is they found a vuln first and then tried to execute a public spectacle.
LIgatt security Wow!!!!!!! Robery defended me!!!! Wow!!!!! That is all I can say...Wow!!!!! I never thought I would say this to him, but thank you. You could have kept this information to yourself, but did not.... Wow!!!!!
Robert Winkel Ligatt (if that is really you Greg): Yes, as you were, ironically, the victim of misinformation in the infosec community in this case, I defended you. I would have defended anybody who was in the same circumstance, no matter how much of a douchebag they have been in the past.
Brian: I did not upload that pastebin, even though I said I was going to. I actually found that it had already been uploaded (on 10 March 2011). So it did exist at the time this article was written.
Brian Baskin So it was. It just never appeared with the searches I was doing so never saw it until afterward. My mistake.