River City Media, an email marketing company that was reported last month as allegedly one of the world's largest spam operators, has filed a lawsuit against the security researcher who made the revelations.
At the center of this lawsuit are two articles: one published on CSO Online, entitled "Spammers expose their entire operation through bad backups," and one on the MacKeeper blog, entitled "Spammergate: The Fall of an Empire."
In these two articles, Chris Vickery, a security researcher, working together with Steve Ragan, a journalist for CSO Online, revealed details of "a massive, illegal spam operation," supposedly operated by River City Media (RCM).
Vickery claimed he obtained access to a database of over 1.4 billion email accounts, including personal user information, stored on an Rsync backup server that was left exposed online without a password.
Based on their analysis of the data they discovered, the two concluded that RCM was one of the biggest spam operators online today, and provided a copy of their database to Spamhaus, a global operator of email spam blacklists.
Following their exposés, published on March 6, RCM denied all accusations in a press release four days later, on March 10.
In a lawsuit filed March 21, RCM paints a totally different picture from the story put forward by Vickery and Ragan.
According to RCM's side of events, Vickery didn't find the Rsync backups on the Internet, but "perpetrated a coordinated, months-long cyberattack against River City and its principals."
The company claims Vickery skirted firewall rules to access its server, used a VPN to disguise his identity, deleted critical files, and published his findings "in order to make a name for himself as a security researcher."
But the complaint doesn't stop here. RCM claims Vickery used credentials he found in their database to access other systems on their network, such as company emails, Dropbox, HipChat, and PayPal accounts.
RCM also claims that Vickery used RCM's PayPal account to buy domains through AlpNames, a domain registrar. The only proof RCM provides for this accusation is that "Vickery is known to use a 'protonmail.com' email address," like the one used by the intruder to register the domains paid for using the company's PayPal account.
Furthermore, RCM accuses Vickery of sending emails using the account of an RCM executive with the subject line of "Donald Trump’s Transvestite Surprise" and the message of "Try and Stop Me [expletive]."
All of these accusations are mind-boggling. For most readers that are aware of Vickery's work during the past two years, all of these actions are extremely out of character.
The researcher, who was recently profiled in a ZDNet article, has helped many companies and government agencies secure their exposed databases. The list of companies and government agencies Vickery helped includes the TSA, the DoD, the Mexican government, Reuters, Hollywood studios, hotel chains, toy manufacturers and more.
Except for the case of uKnowKids, a child tracking platform, most companies reacted positively to Vickery's work, thanking the researcher.
In their complaint, RCM mentions the uKnowKids incident as another of Vickery's "unlawful attack[s]," although uKnowKids eventually fixed the problems reported by Vickery, and thanked the researcher for his work.
The RCM legal complaint is barren of any technical details that might link Vickery to the actual attacks River City is reporting, and those could have very easily been carried out by another person altogether.
Taking into account that Vickery said RCM's Rsync server was left unprotected, anyone knowing where to look could have accessed the server, taken the data they found inside, and then accessed other parts of the RCM network.
Furthermore, RCM claims "Vickery has already distributed a substantial amount of River City’s data on several hacker-friendly websites called 'leak forums'," something that is consistent with the actions of a black hat hacker, but not with any of Vickery's past actions.
Some might argue that RCM is mad because their operations, which were alleged spam operations, were exposed. Looking at outside evidence, this is a very valid point.
Vickery said he gave details about RCM's "spam-sending IP addresses to Spamhaus for blacklisting" in early January. About the same time, Spamcop, a tracker of global spam levels, recorded a huge dive in the amount of daily spam messages.
It looks like the blacklisting of its mail-sending infrastructure has put the email marketing company in a corner.
"River City is now on the verge of collapse," the complaint reads. "This negative publicity has caused and continues to cause River City to lose contracts, suffer canceled leases, and lay off employees. River City’s business partnerships have been destroyed. In short, Defendants have caused and continue to cause irreparable harm to River City."
Furthermore, the lawsuit cites a domino effect. For example, RCM's Chief Marketing Officer, Amber Paul, was asked to step down from the position of CEO at another company, because of the Vickery and Ragan articles.
Another wild accusation is that after Vickery exposed RCM files online, "outside forces also attacked the security cameras at Matt Ferris’s private residence."
Most people familiar with Vickery's work may scoff at most of these accusations. But this is not the first time we see a security researcher demonized in the eyes of the law, as is the case of Justin Shafer. Unlike Shafer, Vickery has ties to US law enforcement, who can attest and speak on his behalf.
If the involved parties don't agree to a settlement, the litigation is expected to turn ugly, empty wallets, and waste everyone's time for the coming years.
For its part, River City Media wants to go to trial and is seeking a temporary (and later a permanent) injunction to remove the two articles, along with yet-undetermined financial damages.
The parties in this lawsuit are Chris Vickery, the security researcher; Kromtech, the company where Vickery was working at the time as part of their MacKeeper security labs division; Steve Ragan, the journalist that broke the River City Media story; CXO, the company behind the CSO Online website; and IDG, CXO's parent company.
Shortly after RCM filed its complaint, Ragan, CXO, and IDG asked the case judge to be cut from RCM's litigation with Vickery because they only reported on the incident and had no part in the actual "hacking" RCM is accusing Vickery of.
As of last week, Vickery is a full-time employee for UpGuard, a newly launched Silicon Valley cyber-security firm.