In a Pastebin dump released earlier today, members of Anonymous published a long series of emails between Anonymous member “Yamatough” and a representative of Symantec going by the name of Sam Thomas. While there’s no Sam Thomas listed on LinkedIn as working at Symantec, the IP address within the header of the exchange linked to the original “email@example.com” email account can be traced back to Symantec’s Mountain View, California headquarters. Writing from a Venezuelan email address, Yamatough was eventually offered $50,000 by Thomas to deliver proof of pcAnywhere and Norton Antivirus source code as well as destroy the original code. Thomas also wanted Anonymous to release a statement that the group did not hack Symantec during 2006.
During the opening negotiations, Thomas shifted to a Gmail account on January 20, 2012 in an attempt to receive attachments related to the source code. Yamatough emailed proof of the source code as well as the directories where Anonymous discovered the files. In the next series of exchanges, Thomas stalled for time, claiming that it took five days to set up a standalone FTP server for Yamatough to upload the files “securely”.
On Wednesday January 25, Yamatough told Thomas that he had until Monday to work out the details. During this exchange, Symantec released a public statement regarding the safety of pcAnywhere which said “At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks.”
The conversation between Yamatough and Thomas continued on Monday, January 30 and the discussion shifted to money. Yamatough was pushing for Thomas to use a payment company called Liberty Reserve in order to wire money into an offshore account. While Thomas claimed to check with Symantec’s finance department, Yamatough also offered the option of a wire transfer to a bank account in Lithuania or Latvia. Thomas returned with more claims of difficulty in setting up the Liberty Reserve account and offered to send Yamatough a $1,000 payment through PayPal as a sign of good faith.
Yamatough turned down the offer of the PayPal payment, but waited on a decision with Liberty Reserve. Thomas responded by increasing the overall payment amount to $50,000 and attempting to negotiate the payment into $2,500 blocks over the next three months. The bulk of the payment would be offered on proof of the destruction of the source code for both pcAnywhere and Norton Antivirus as well as a public lie about the hacking attempt.
Yamatough responded with the claim that the people running the offshore account wouldn’t process payments less than $50,000 at a time and immediately became wary that Symantec was working with the FBI in the form of Sam Thomas. Thomas attempted to continue negotiating with Yamatough, but all discussion fell apart a few hours ago.
In a released comment, Cris Paden, Sr. Manager for Corporate Communications at Symantec, stated, “In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property.”
Paden continued, “The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide,” within a public comment at Infosec Island.
Assuming Paden’s comment is true, it’s highly likely that the $50,000 offer came from a law enforcement agent posing as Symantec employee Sam Thomas in order to entrap Yamatough. After the email exchange was posted on Pastebin, a link to the pcAnywhere source code was posted on the official AnonymousIRC Twitter account and confirmed by TheRealSabu. Symantec has not confirmed that the released file is the pcAnywhere source code at the time of this article’s publication.