Ligatt Security, the firm created by the self-styled World’s #1 Hacker, Gregory D. Evans, was breached on Wednesday. As a result, more than 80,000 company emails were released to the public. Possibly related to the breach, two domains associated with Evans were also taken offline yesterday.
We’ve covered Ligatt Security quite extensively on The Tech Herald in the past. The company has faced scorn from the security community for a number of actions said to have been committed by its CEO, or staff acting on his behalf.
Most notably, there were the physical and legal threats against security researchers, issues of plagiarism within Gregory Evans’ books, and questionable business practices.
Not that long ago, Evans’ Twitter access was suspended for cyberbullying. Twitter took the action against him after the addresses and personal information of vocal critics appeared on his timeline. Ironically, the week Evans’s account was suspended, he was talking to school children about the threats they face from bullies on the Internet. His account access was returned after the messages were removed.
Fast-forward to Wednesday, and it would appear that the alleged bully has been bullied. Up until now, aside from exploiting XSS flaws on his domain last year, no one has actively attacked Evans or his business.
Instead, most of the security community opted to talk to businesses linked to Ligatt, in order to spread highly researched information about the company and its boss. Recently, the information campaign was directed towards CNN, who used Evans as a security expert on air.
There can be no mistake: Evans and Ligatt are the victims here. What started as a campaign of information gathering and sharing moved on to criminal acts. Many in the anti-Ligatt camp are set against this latest move.
Word of the breach spread after the two accounts used by Evans on Twitter, Ligatt’s official account and his personal account, were hijacked. Wednesday, it would seem, was Evans’ birthday. In honor of that, someone left links to a torrent file containing more than 84,000 Ligatt emails and a personal message:
“Do not meddle in the affairs of hackers, for they are subtle and quick to anger.”
The letter, left for Evans and the rest of the world, goes on to explain that the email release comes with some regret.
“Apologies much [sic] be given to all the bystanders, innocent or otherwise. Contained within his inbox is personal information of many, many people. Social security numbers, bank account routing numbers, credit reports, and other reports by private investigators. It was completely impractical to redact all of this information in any effective manner, and for that: sadness.”
The letter goes on to hint that the data leak was done with the help of an insider. A thank you is given to “the brave soul” who helped with the release, noting that it took “great personal risk” to bring the information forward.
“…none of it would be possible without you. It's unclear how you tolerate his lies day after day, but you've redeemed yourself by supporting this cause.”
The letter ends with a final parting shot for Evans himself.
“All your lies are out in the open. Your investors will know. Your lawyers will know. Your employees will know. Your mother will know. Your lovers will know. Just step away and move on. Stop the stock scams. Stop the lawsuits. Stop the harassment. Stop robbing your employees. Stop embezzling. Stop deceiving every person in your life. When your child grows up and learns about you, the only legacy you'll be leaving is one of deception and fraud.”
Shortly after the letter and torrent file appeared, Ligatt’s nationalcybersecurity.com and gregorydevans.com were removed from the Internet. What remains of the pages now are just blank placeholders. Earlier in the evening on Wednesday, both domains showed index listings for skeleton WordPress installations.
The Tech Herald has obtained a copy of the Ligatt emails. The download itself is just over 4GB in size and contains 84,569 messages. For this report, we examined 3,268 emails from August of 2009. Our overview of these messages follows.
As mentioned, The Tech Herald examined a sample of just over 3,000 Ligatt emails while working on this story. As we sort through them all, we will report further developments.
August of 2009 was a busy month for Gregory Evans, who is the main recipient of the emails in question. From the looks of things, he is mostly part of the CC or BCC list when the staff sends internal communications.
The first thing we noticed is that Evans gets a lot of CRON-related email sent to him. All of these messages are errors. The CRON script keeps checking the “jobtest” directory, which doesn’t exist, and floods him with email several times a day.
The other emails include typical business dealings, but show a good deal of micromanagement. For example, the person responsible for running Spoofem, a Ligatt company dealing with phones, must keep a task list of work she has done that week and deliver her progress to Evans during their meetings.
There are financial documents for Spoofem as well, including budget requests seeking $18,777 USD for expenses. The Spoofem budget includes nearly $5,000 USD for advertising on BET’s 106 & Park television show, as well as Pay-Per-Click advertising on Facebook and Google.
Related to the micromanagement observations are the journals Evans requires Ligatt staffers to keep. Failure to keep a daily journal will result in a warning and possible write-ups from the HR department. Evans receives an email each day reporting on who has not updated a work journal, but there are no communications related to punishments. Based on the email chains, the journals themselves were created at his request.
We also viewed the settlement agreement for a well-known case against Evans and Spoofem. The case was brought by Marc Thalheim, and dismissed by the court with prejudice. In the documents, it would appear that Ligatt and Thalheim reached an agreement to settle for $10,080 USD. The settlement includes the stipulation that the money is not “admission of liability or wrongdoing by any party”.
At one point it would appear that Spoofem was used to harass a political figure. In communications with the politician’s office, Ligatt’s support commented that they could help them discover the person who abused the Spoofem service.
“You can then see if our system was used to contact you official's phone number. If that is indeed the case, we can assist you further in seeing who that person may be. If not, we can block that official's phone number from our services being used toward that number for a $5 fee. This will assure our system does not get used for this individual's phone number,” the support email explained.
When it comes to the financials, we were only able to examine one document. However, this document raises some interesting questions, and offers a detailed look into Ligatt’s operating costs.
The financial record is the Profit and Loss (PNL) report for June of 2009. In it, there are bank account numbers and transaction records for more than a dozen accounts. These are the accounts that manage Ligatt’s payroll, bill payment, marketing, and savings, as well as accounts for Greg Evans himself.
The PNL report details nearly $6,500 USD on business attire expenses, and almost $7,200 USD for entertainment. There are no records explaining what the business attire charges covered. The same can be said for the entertainment. An additional $5,962 USD was spent for a shareholders meeting, and another $2,766 on transportation and gas for the month. These are just some of the recorded expenses.
To cover all of these charges, Ligatt listed $127,000 USD in incoming wire transfers, but when the dust settled, managed to keep only $14,867 USD in the bank. This seems to be normal, as many of the accounts have trouble keeping positive balances.
This is compounded by the sheer volume of voicemail recordings from debt collectors. Several debt collection calls a day were hitting Evans’ inbox during the timeframe of our email examinations. This is in addition to people emailing him directly asking for money.
However, Evans is owed money too, and there are a few emails where it looks like people are ducking him for a few hundred dollars at a time. At one point, to get someone on the phone, Evans had to stipulate that his call wasn’t about money.
This is interesting, because another email detailed the contract to sell 11,000,000 shares of Cyber Defense Systems, Inc. (later renamed to Spoofem) for the aggregate principal amount of $1,000,000 USD.
While the sale was months after the PNL report, it is clear that Ligatt does generate income. This leads to speculation that perhaps they are spending money faster than they can make it. So where is the money going?
Looking at Evans’ financials, considering his expenses are tied to the company, we were curious about the ATM fees charged to his checking account from Club Onyx, a gentlemen’s club in Atlanta. The $2.00 USD fees were the result of two withdrawals totaling $414.00 USD in funds later expensed to the company.
According to an email between employees, later forwarded to Evans, the club outings were a known practice.
“I don't understand how a "publicly traded company" can justify spending money in strip clubs and night clubs...Greg pays for what he wants to pay for and justifys [sic] it as it benefits him. At this point I just want to collect my final checks and move on with my life,” the email between staff starts.
Previous emails to Evans show invites to several parties and clubs around the Atlanta area. One such invite was to the CD release party for Jay-Z’s Blueprint 3. However, no records of expenses related to club visits, other than Club Onyx, were recorded in the PNL. There are several trips listed, however, including some for business and a Carnival Cruise.
Other aspects of life at Ligatt, included in the email between staffers, are worth a mention here as well.
“I quit because I couldn't do it anymore, there is too much negativity and mistrust. I don't want that karma on my life. I couldn't rest at night knowing that at any time [Evans] would offer my job (and anyone elses [sic] in the office) to a woman he wants to sleep with or fire me for not agreeing with him. I can't sit there and watch people get belittled everyday and treated like children and witness the abuse, harassment and womanizing,” an ex-employee wrote to her replacement.
“Greg doesn't trust anyone because he knows he is not trust worthy himself. His staff betrays him because he is a tyrant. Loyalty has to be earned. I've never had anyone that worked for me turn on me. They hate him. He abuses them. He sexually harasses female staff members. He takes the manhood of male staff members. He abuses his power to hire and fire to intimidate and manipulate people...He manipulates people, he lies, he gossips, he makes people turn on one another because he knows people will do most anything to protect their income.”
Sources have told us that whispers of sexual harassment have followed Evans for years. This email exchange is the first time two employees discuss it. In December of 2009, Evans went to court against a former employee, Lakesha Wilson, facing an arrest warrant for stalking. The warrant was later recalled.
Wilson was involved in two other cases, after being sued by Ligatt, which were ultimately dismissed by the courts. Ligatt sued her for a number of reasons including theft, embezzlement, fraud, breach of confidentiality agreement, and slander.
We’re still sorting the Ligatt email leak. We’re not the only ones doing so either. One website, Ligatt Leaks, is also planning on covering the data in full.
We'll keep digging and update as needed.