Google notified buyers of the LuminosityLink Remote Access Tool, which has loads of nifty hacking features, that the FBI wants their identity information and user data.

by

“Dozens” of not-so-lucky people recently got an important email from Google, letting them know that the Federal Bureau of Investigation is “demanding the release” of their user data. In fact, Google may have already turned it over, the message doesn’t say.

One Reddit user posted a copy of what showed up in their inbox. “Google received and responded to legal process issued by Federal Bureau of Investigation (Eastern District of Kentucky) compelling the release of information related to your Google account.” Others confirm that the posting is accurate and matches the one they received.

Without specifically saying what prompted the FBI’s request, other than listing a case number which matches an active but sealed case, security researchers are convinced it’s related to the case of Colton Grubbs and his LuminosityLink “Remote Access Tool (RAT).”

According to industry analyst Motherboard, “several people who claimed to have received the notice said they purchased the software. Moreover, Grubbs’ case was investigated by the same district mentioned in the Google notice.”

The software is purported to have legitimate uses but the marketing materials spelled out the special features that would appeal more to illegitimate hackers. Last year, Grubs pleaded guilty to reduced charges of “creating and distributing” the malware to hundreds of users.

Internet coding pages on Reddit, Twitter and HackForums have been buzzing with the news after more and more recipients of the notice have come forward, Motherboard reports.

Cybercrime attorneys explain such notices are fairly routine because Google tends to disclose such requests from law enforcement “when it is allowed to.”

In this case, it looks, to lawyer Marcia Hoffman, “like the court initially ordered Google not to disclose the existence of the info demand, so Google was legally prohibited from notifying the user. Then the nondisclosure order was lifted, so Google notified the user. There’s nothing unusual about that per se.”

She adds that “it’s common when law enforcement is seeking info during an ongoing investigation and doesn’t want to tip off the target.”

What is unusual, Hoffman relates to Motherboard, “is for the FBI to try to unmask everyone who purchased software that may not necessarily be considered illegal.”

Not everyone had nefarious uses for the $40.00 software. Luca Bongiorni got one of the emails and he insists he only used LuminosityLink for his work as a security researcher “and only with his own computer and virtual machines.”

Gabriel Ramsey confirms there is nothing wrong with that kind of usage. “If one is just buying a tool that enables this kind of capability to remotely access a computer, you might be a good guy or you might be a bad guy.”

Ramsey is also a lawyer specializing in cybersecurity. “I can imagine a scenario where that kind of request reaches – for good or bad – accounts of both type of purchasers.”

Grubbs, a Kentucky resident, pleaded guilty last week on federal charges that he “developed, marketed, and provided technical support” for his program. Using the screen name KFC Watermelon, he advertised the LuminosityLink administrative tool on HackForums.

According to the indictment, “the tool provided a variety of malicious capabilities including the ability for purchasers to control others’ computers, surreptitiously record users’ activities, and to view their files, login credentials, and personal information.”

The clincher was the way Grubbs “also used the hacker forum and a website located at luminosity[dot]link to teach users how to conceal their identities and prevent antivirus programs from detecting the tool.”

In the plea agreement he admitted “he knew some customers were using it to control computers without owners’ knowledge or permission,” the Canton Caller reports.

The document states, that the marketing materials “emphasized” that the program “could be remotely installed without notification, record the keys that a victim pressed on their keyboard, surveil victims using their computer cameras and microphones, view and download the computer’s files.”

Not only that, the software could “steal names and passwords used to access websites, mine and earn virtual currency using victim computers and electricity, use victim computers to launch DDoS attacks against other computers, and prevent anti-malware software from detecting and removing LuminosityLink.”

Grubbs “also admitted he sent customers private messages that answered their questions about accessing and controlling victim computers without authorization.”

The young entrepreneur wasn’t doing this all by himself, he assembled an entire marketing team. He used HackForums to gather “a team of at least 19 people to support the remote access Trojan and recruit affiliates to sell it.” He admitted collecting payments through PayPal, Stripe, and Bitcoin.

While the FBI was raiding his apartment, he reached out to one associate on the phone telling him “clean your room.” Before the feds tossed his place, he tried to do the same but it didn’t help much.

“Defendant gave his laptop to his roommate and asked that it be concealed in the roommate’s car,” the indictment says. He hid a debit card linked to his bitcoin account “in his kitchen cabinet.”

“Defendant concealed a phone storing his bitcoin information in his roommate’s closet. Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses.”

After pleading guilty to three out of ten counts he is still awaiting sentencing. Under the appropriate federal guidelines, he is looking at a maximum of 25 years in prison and fines up to $750,000.