urlscan.io Public Scan: cybercrime134.rssing.com (69.30.212.90)
https://cybercrime134.rssing.com/chan-6455418/all_p4.html
Submission: On November 28 via manual from US — Scanned from US
Channel: CyberCrime & Doing Time (2.5 stars on 2 votes)
Showing article 61 to 80 of 265 in channel 6455418

Channel Details:
* Title: CyberCrime & Doing Time
* Channel Number: 6455418
* Language: English
* Registered On: December 13, 2012, 3:40 pm
* Number of Articles: 265
* Latest Snapshot: June 25, 2024, 1:22 pm
* RSS URL: http://garwarner.blogspot.com/feeds/posts/default?alt=rss
* Publisher: https://garwarner.blogspot.com/
* Description: A Blog about Cyber Crime and related Justice issues
* Catalog: //cybercrime134.rssing.com/catalog.php?indx=6455418

Viewing all 265 articles (Page 4)
GAMEOVER ZEUS NOW USES ENCRYPTION TO BYPASS PERIMETER SECURITY
February 2, 2014, 6:49 am

The criminals behind the malware delivery system for GameOver Zeus have a new trick: they encrypt their EXE file, so that as it passes through your firewall, web filters, network intrusion detection systems and any other defenses you have in place, it does so as a non-executable ".ENC" file. If you are in charge of network security for your enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Malcovery Security's malware analyst Brendan Griffin let me know about this new behavior on January 27, 2014, and has seen it consistently since that time. On February 1st, I reviewed the reports that Malcovery's team produced and decided that this was a trend we needed to share more broadly than just with the subscribers of our "Today's Top Threat" reports. Subscribers would have been alerted to each of these campaigns, often within minutes of the beginning of the campaign. We sent copies of all the malware below to dozens of security researchers and to law enforcement. We also made sure that we had uploaded all of these files to VirusTotal, which is a great way to let "the industry" know about new malware.

To review the process: Cutwail is a spamming botnet that since early fall 2013 has been primarily distributing UPATRE malware via social engineering. The spam message is designed to convince the recipient that it would be appropriate for them to open the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but which, because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation. As our industry became better at detecting these downloads, the criminals have had a slightly more difficult time infecting people.

With the change last week, the detection rate for the newly downloaded Zeus files has consistently been ZERO of FIFTY at VirusTotal. (For example, here is the "Ring Central" .enc file from Friday on VirusTotal: al3101.enc. Note the timestamp. That was a rescan MORE THAN TWENTY-FOUR HOURS AFTER INITIAL DISTRIBUTION, and it still says 0 of 50.) Why? Well, because technically, it isn't malware. It doesn't actually execute! All Windows EXE files start with the bytes "MZ". These files start with "ZZP". They aren't executable, so how could they be malware? Except they are. In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future. Because the decoding happens on the workstation, the .enc file is inert everywhere your perimeter can see it; the artifacts worth hunting are the .enc download itself in your proxy or web-filter logs and the newly written executable and scheduled task on the host.

I am grateful to William MacArthur of GoDaddy, Brett Stone-Gross of Dell SecureWorks, and Boldizsár Bencsáth from CrySyS Lab in Hungary, three researchers who jumped in to help look at this with us. Hopefully others will share insights as well, so this will be an on-going conversation. (UPDATE: Boldizsár has published details of how the encoding works: the file is first compressed and then XOR'ed with a 32-bit key.)
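The .enc trick above comes down to two observable properties: on the wire the download is a non-PE blob, and on the host the loader undoes a 32-bit XOR before decompressing (by a method the post does not describe). The following Python is an added example, not code from the post, from Malcovery, or from Upatre. It flags .enc downloads in constructed proxy-style log lines, classifies a blob by its first bytes (b"MZ" for a real PE versus the b"ZZP" marker the post reports), and shows how thin the XOR layer is: with any four known bytes of the pre-XOR stream at a known offset, the whole key is recovered in one operation. The log format, the sample lines, the little-endian key layout and the payload offset are all assumptions of the example, not facts from the page.

```python
"""Triage helpers for the .enc delivery trick (added example, not the post's code)."""
import re
import struct

# Constructed proxy log lines in a simplified Squid-style layout:
#   <epoch> <client_ip> <status> <bytes> <method> <url> <content-type>
SAMPLE_LOG = """\
1390834801 10.1.2.15 200 287920 GET http://electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc application/octet-stream
1390834802 10.1.2.15 200 1432 GET http://www.example.com/index.html text/html
1390834830 10.1.2.77 200 441073 GET http://ren7oaks.co.uk/images/al2701.enc application/octet-stream
1390834831 10.1.2.77 404 0 GET http://www.example.com/missing.enc text/html
1390834900 10.1.2.90 200 5120 GET http://cdn.example.com/encyclopedia.pdf application/pdf
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>\S+) (?P<url>\S+) (?P<ctype>\S+)$"
)


def flag_enc_downloads(log_text):
    """Return (client, url, bytes) for every successful fetch of a URL whose path ends in .enc."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        path = m["url"].split("?", 1)[0].lower()
        if m["status"] == "200" and path.endswith(".enc"):
            hits.append((m["client"], m["url"], int(m["bytes"])))
    return hits


def classify_header(blob):
    """Magic-byte check: a Windows PE starts with MZ; the post reports the .enc files start with ZZP."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:3] == b"ZZP":
        return "enc-marker"
    return "unknown"


def xor32(data, key):
    """Apply a repeating 4-byte XOR keystream (little-endian layout is an assumption). XOR is its own inverse."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def recover_xor32_key(ciphertext, known_plaintext, payload_offset=0):
    """Known-plaintext recovery of a repeating 32-bit XOR key.

    known_plaintext: at least 4 bytes believed to sit at the start of the pre-XOR stream.
    payload_offset: where the XORed payload begins inside the blob (assumed; the post
    does not say where the ZZP marker sits relative to the keystream).
    """
    ct = ciphertext[payload_offset:payload_offset + 4]
    if len(ct) < 4 or len(known_plaintext) < 4:
        raise ValueError("need 4 bytes of ciphertext and 4 bytes of known plaintext")
    ks = bytes(c ^ p for c, p in zip(ct, known_plaintext[:4]))
    return struct.unpack("<I", ks)[0]


if __name__ == "__main__":
    for client, url, size in flag_enc_downloads(SAMPLE_LOG):
        print(f"{client} fetched {size} bytes from {url}")
    demo = b"ZZP" + xor32(b"PAYLOAD-DATA", 0xDEADBEEF)
    print(classify_header(demo), hex(recover_xor32_key(demo, b"PAYL", payload_offset=3)))
```

The key-recovery function is the reason a 32-bit XOR is not "encryption" in any useful sense: whoever can guess four bytes of the compressed stream, or simply try all 2^32 keys against a cheap validity check on the decompressed output, has the payload. The detection that survives this trick is the download pattern, not the payload content.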
Upatre reverses the process to create the .exe file.

UPATRE CAMPAIGNS THAT USE ENCRYPTION TO BYPASS SECURITY

Here are the campaigns we saw this week, with the hashes and sizes for the .zip, the UPATRE .exe, the .enc file, and the decrypted GameOver Zeus .exe that came from it. For each campaign you will see some information about the spam message, including the .zip file that was attached (size and MD5) and the .exe file that was unpacked from that .zip, then a screenshot of the email message, followed by the URL(s) the encrypted GameOver Zeus file was downloaded from and statistics about the file AFTER it was decrypted. Hosts marked OFFLINE were not serving the file when checked, so no size or hash is given for them.

ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.

Campaign: 2014-01-27.ADP
Messages Seen: 2606
Subject: Invoice #(RND)
From: ADP - Payroll Services <payroll.invoices@adp.com>
Attachment: Invoice.zip, 9767 bytes, MD5 b624601794380b2bee0769e09056769c
Unpacked: Invoice.PDF.exe, 18944 bytes, MD5 8d3bf40cfbcf03ed13f0a900726170b3
[screenshot of the spam message]
Downloads:
  dcmsservices.com/images/stories/slides/pdf.enc (OFFLINE)
  electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc: 287920 bytes, MD5 09ced08856101f86c02890f4373623a4; decrypted: 338432 bytes, MD5 b63415efcc70974269bd9d8da10b3ac1

----------------------------------------

Campaign: 2014-01-27.BBB
Messages Seen: 776
Subject: FW: Complaint Case (RND)
From: Better Business Bureau <(Random)@newyork.bbb.org>
Attachment: Case 463252349343.zip, 9762 bytes, MD5 1ed259d9e7474cfe56df485be479ea97
Unpacked: Case 463252349343.exe, 18944 bytes, MD5 809ae1af04ab921aa60efeb7083d21d7
[screenshot of the spam message]
Downloads:
  sigmau.co.uk/templates/hot_spicy/images/glass/pdf.enc (OFFLINE)
  skipbagsdublin.com/wp-content/uploads/2014/01/pdf.enc (OFFLINE)

----------------------------------------

Campaign: 2014-01-27.HMRC
Messages Seen: 302
Subject: Important Information for Employers
From: HMRC Employer Alerts & Registrations <employers@alerts.hmrc.gov.uk>
Attachment: Employer_Bulletin_Issue_46_79520EEE31.zip, 7218 bytes, MD5 413cda07e774a5ed7f98279dd9e8a087
Unpacked: Employer_Bulletin_Issue_46_79520EEE31.exe, 17920 bytes, MD5 2616babcdf0c5b9086ff63fa6682fe07
[screenshot of the spam message]
Downloads:
  all-monitor.com/images/pdf.enc: 282449 bytes, MD5 9d1b8f296b5bfb0f4817c2aacb8815a3; decrypted: 289280 bytes, MD5 fa4d35b63a8485bc7c0b167ca9358b76

----------------------------------------

Campaign: 2014-01-27.HSBC
Messages Seen: 404
Subject: FW: Payment Advice - Advice Ref:[GB(RND)] / ACH credits / Customer Ref:[pay run 14/11/13]
From: HSBC Advising Service <advising.service.(RND).(RND).RND)@mail.hsbcnet.hsbc.com>
Attachment: PaymentAdvice.zip, 7162 bytes, MD5 c17396cddadf201f83074615824240c0
Unpacked: PaymentAdvice.exe, 17920 bytes, MD5 e0595c4f17056e5599b89f1f9cf52d83
[screenshot of the spam message]
Downloads:
  afrolatinotala.com/images/pdf.enc: 282448 bytes, MD5 414755f65ebbaf52669aaab649b3f274; decrypted: 289280 bytes, MD5 5a393b283f42edd17c7da2625b8e1045

----------------------------------------

Campaign: 2014-01-27.Skype
Messages Seen: 275
Subject: Skype Missed voice message
From: Administrator <docs(#)@(many)>
Attachment: Skype-message.zip, 10147 bytes, MD5 79fb2e523fe515a6dac229b236f796ff
Unpacked: Voice_Mail_Message.exe, 18944 bytes, MD5 6e4857c995699c58d9e7b97bff6e3ee6
[screenshot of the spam message]
Downloads:
  rockthecasbah.eu/templates/beez/css/wav.enc (OFFLINE)

----------------------------------------

Campaign: 2014-01-27.VoiceMessage
Messages Seen: 271
Subject: Voice Message from Unknown
From: Administrator <docs(#)@(many)>
Attachment: VoiceMessage.zip, 7273 bytes, MD5 d2070f6a15312dec7882ca0d9ec7f431
Unpacked: VoiceMessage.exe, 17920 bytes, MD5 8a739776cf8316eba1bfae50e020c8f1
[screenshot of the spam message]
Downloads:
  akhrisawal.com/images/marquee/wav.enc: 282448 bytes, MD5 73c811d0794de15906225d7d936fc6b7; decrypted: 289280 bytes, MD5 2b0db77ac980be10b9ef4562269d8db4
  ayeshaomar.com/images/host/wav.enc: 282446 bytes, MD5 1d30d5fe55585d24cd15ef97afb7322c; decrypted: 289280 bytes, MD5 b993b4cb332b979d6f8509f5765abfd4

----------------------------------------

Campaign: 2014-01-28.DeptTreasury
Messages Seen: 223
Subject: Department of Treasury Notice of Outstanding Obligation - Case (RND)
From: support@salesforce.com
Attachment: FMS-Case-(RND).zip, 9462 bytes, MD5 067617d990a861f87304bb08b6628524
Unpacked: FMS-.exe, 18944 bytes, MD5 40afe219c14a0a5f3a4ddd6c8e39bc23
[screenshot of the spam message]
Downloads:
  almotawer.biz/img/pdf.enc: 328025 bytes, MD5 41d57ca4b8705247186e2f30d911d811; decrypted: 387584 bytes, MD5 7178a455ee9a0d6e42465ad9967a177a
  imagevillage.co.uk/images/pdf.enc: 328025 bytes, MD5 41d57ca4b8705247186e2f30d911d811; decrypted: 387584 bytes, MD5 7178a455ee9a0d6e42465ad9967a177a

----------------------------------------

Campaign: 2014-01-28.IRS
Messages Seen: 192
Subject: Complaint Case (RND)
From: IRS.gov <fraud.dep@irs.gov>
Attachment: Complaint_RND.zip, 7240 bytes, MD5 f20768ed9f771a92950a5f5ab14bf57f
Unpacked: Complaint_.exe, 17408 bytes, MD5 8163d272c4975b1d7ed578b4d24b3d2a
[screenshot of the spam message]
Downloads:
  farmyarddog.co.uk/images/pdf.enc: 282486 bytes, MD5 97b200826b7a526d91fda4c56dc438ae; decrypted: 289276 bytes, MD5 542a5a6f04ddcad3effc72121c59e332
  hamdanicoffee.com/up/pdf.enc: 282486 bytes, MD5 97b200826b7a526d91fda4c56dc438ae; decrypted: 289276 bytes, MD5 542a5a6f04ddcad3effc72121c59e332

----------------------------------------

Campaign: 2014-01-28.NewVoiceMessage
Messages Seen: 165
Subject: New Voice Message
From: Voice Mail <(RND)@(reflective)>
Attachment: VoiceMail.zip, 6502 bytes, MD5 2a048dfb3429155d552cb0c37b499b51
Unpacked: VoiceMail.exe, 17920 bytes, MD5 dc2e2f04a01009f3193b0df4ba0f6e81
[screenshot of the spam message]
Downloads:
  hailantrdg.com/scripts/wav.enc: 282489 bytes, MD5 11a55dd1a756dbba6e7d404a7c22544a; decrypted: 289280 bytes, MD5 cae9c9614affac694320215228efcf27
  morethanshelters.co.uk/images/banners/wav.enc: 282489 bytes, MD5 11a55dd1a756dbba6e7d404a7c22544a; decrypted: 289280 bytes, MD5 cae9c9614affac694320215228efcf27

----------------------------------------

Campaign: 2014-01-28.RingCentral
Messages Seen: 7720
Subject: New Fax Message on 1/22/2013
From: RND <RND@RND>
Attachment: fax.zip, 9929 bytes, MD5 afa90762f6412173cf6e0e6d1d57531d
Unpacked: fax.doc.exe, 18944 bytes, MD5 81e425646f68d3adaddca0cf398f595f
[screenshot of the spam message]
Downloads:
  ren7oaks.co.uk/images/al2701.enc: 441073 bytes, MD5 f626ad2af056644ff4717e1cd80c6da3; decrypted: 484352 bytes, MD5 c7c4a875b90c86136e497af8ffc9a9e0
  salahicorp.com/up/al2701.enc: 441073 bytes, MD5 f626ad2af056644ff4717e1cd80c6da3; decrypted: 484352 bytes, MD5 c7c4a875b90c86136e497af8ffc9a9e0

----------------------------------------

Campaign: 2014-01-28.WhatsApp
Messages Seen: 767
Subject: Missed voice message, "(timestamp)"
From: WhatsApp Messenger <ctaylor@magma.net>
Attachment: Missed-message.zip, 6492 bytes, MD5 494d6095b540dbc9f570e22b717a32df
Unpacked: Missed-message.exe, 17920 bytes, MD5 a4c01917b7d48aa7c1c9a2619acb5453
[screenshot of the spam message]
Downloads:
  inspireplus.org.uk/images/banners/wav.enc: 282491 bytes, MD5 33070eda34ccea632c3b4007a1e2beee; decrypted: 289268 bytes, MD5 dc5b998fd7a6f29ebac6365654d57609
  zubayen.com/up/wav.enc: 282491 bytes, MD5 33070eda34ccea632c3b4007a1e2beee; decrypted: 289268 bytes, MD5 dc5b998fd7a6f29ebac6365654d57609

----------------------------------------

Campaign: 2014-01-28.Skype
Messages Seen: 574
Subject: Skype Missed voice message
From: Administrator <docs(#)@(many)>
Attachment: Skype-message.zip, 9163 bytes, MD5 dfa3db3c14ae1e369a4a9df6cb82832f
Unpacked: Skype-message.exe, 18944 bytes, MD5 ab703881cb4b3fbd5ee13df30b7bb8d7
[screenshot of the spam message]

----------------------------------------

Campaign: 2014-01-29.RingCentral1 (three variants)
Messages Seen: 3811
Subject: New Fax Message on 1/29/2013
From: RND <RND@*.ru>
Attachment: fax.zip, 9473 bytes, MD5 0842e4bcc8af1f0d54519a99834be218
Unpacked: fax.pdf.exe, 18432 bytes, MD5 d309df26dd91294dc4acd5fb78aa98f5

Messages Seen: 2887
Subject: New Fax Message on 1/22/2013
From: RND <RND@RND>
Attachment: fax.zip, 9929 bytes, MD5 afa90762f6412173cf6e0e6d1d57531d
Unpacked: fax.pdf.exe, 19968 bytes, MD5 5db38bd493ef2f9b35bb0015822b493d

Messages Seen: 2353
Subject: New Fax Message on 1/29/2013
From: RND <RND@*.ru>
Attachment: fax.zip, 9994 bytes, MD5 2d65747503e7b251ad597a650f352f4e
Unpacked: fax.doc.exe, 18944 bytes, MD5 81e425646f68d3adaddca0cf398f595f
[screenshot of the spam message]
Downloads:
  internetauctions.ca/img/apps/al2901.enc (OFFLINE)

----------------------------------------

Campaign: 2014-01-29.eFax
Messages Seen: 1016
Subject: Fax transmission: (RND-RND-RND-RND).zip
From: eFax Corporate <message@inbound.efax.com>
Attachment: (RND-RND-RND-RND.zip), 9628 bytes, MD5 9f2613dabe2a89ac21e9b55b6df51ebc
Unpacked: {fax num123}.exe, 17920 bytes, MD5 89f45f68a0568996a6a109a1d04b6670
[screenshot of the spam message]
Downloads:
  amy-escort.com/amy/pdf.enc: 281970 bytes, MD5 42dda6f13b2c8df96321570e1fa84fe8; decrypted: 289785 bytes, MD5 ee038bdd137f518614599275add5b9bb
  pakmailbarrie.com/images/banners/pdf.enc (OFFLINE)

----------------------------------------

Campaign: 2014-01-29.LloydsTSB
Messages Seen: 551
Subject: January Spending
From: RND <RND@lloydstsb.com>
Attachment: January.zip, 9586 bytes, MD5 ea42b883dab711810243e8f138438733
Unpacked: January.exe, 17920 bytes, MD5 c28d9a0b3b2643a01fd3f3250a39a511
[screenshot of the spam message]
Downloads:
  airconexpress.com.au/images/deac/pdf.enc: 281971 bytes, MD5 9c790bfd6def569362483192d6e1b9ba; decrypted: 289800 bytes, MD5 82dd0f87007fc0149183e1de8f0913f2
  numantis.com/images/banners/pdf.enc (OFFLINE)

----------------------------------------

Campaign: (unnamed)
Messages Seen: 166
Subject: Voice Message from Unknown
From: Administrator <docs(#)@(many)>
Attachment: Message.zip, 8748 bytes, MD5 ff2c3e6b875803945b320e438304f506
Unpacked: VoiceMessage.exe, 17920 bytes, MD5 13d6046c575abe9c3072067135a57996
[screenshot of the spam message]

----------------------------------------

Campaign: 2014-01-30.BanquePopulaire
Messages Seen: 259
Subject: Numero de cas: RND
From: Banquepopulaire.fr <response-automatique@banquepopulaire.fr>
Attachment: Cas_RND.zip, 9476 bytes, MD5 a21cd2697687ae6eb1b15175a8fb0ae2
Unpacked: Cas_01302014.exe, 17920 bytes, MD5 968779b34f063af0492c50dd4b6c8f30
[screenshot of the spam message]
Downloads:
  doradoresources.com/images/ie6/pdf.enc: 282033 bytes, MD5 8cce7406f943daa81ef31411247491d3; decrypted: 300544 bytes, MD5 092eb58dce516414908ecf6f3156372a
  sportsstoreonline.in/wp-content/uploads/2013/03/pdf.enc (OFFLINE)

----------------------------------------

Campaign: 2014-01-30.Remit
Messages Seen: 206
Subject: FW: Last Month Remit
From: Administrator <docs(#)@reflective>
Attachment: Remit.(domain).zip, 9465 bytes, MD5 145d3da149cc8fa3bef38af648713fb6
Unpacked: Remit.exe, 17920 bytes, MD5 84a6030c8265b33c3c4e68d29975bd76
[screenshot of the spam message]
Downloads:
  excelbizsolutions.com/templates/pdf.enc: 282036 bytes, MD5 5c7d5797e1f46c29dd9c7a9976d9d359; decrypted: 299008 bytes, MD5 aaf1097da1e50b7fd8d8c5e1a95acd80
  poragdas.com/images/Porag/pdf.enc: 282036 bytes, MD5 5c7d5797e1f46c29dd9c7a9976d9d359; decrypted: 299008 bytes, MD5 aaf1097da1e50b7fd8d8c5e1a95acd80

----------------------------------------

Campaign: 2014-01-30.Skype
Messages Seen: 42
Subject: Skype Missed voice message
From: Administrator <docs(#)@reflective>
Attachment: Missed voice message.zip, 9336 bytes, MD5 40453639a6fbd58b1d30099666ad32a
Unpacked: Missed voice message.exe, 18944 bytes, MD5 30e5d9d4d7da572fdef6f7253950a53c
[screenshot of the spam message]
Downloads:
  aatextiles.com/images/gallery/wav.enc: 328784 bytes, MD5 75a9d6fd9fe34a4ff737c987938a8f6c; decrypted: 386048 bytes, MD5 f2bef403482c4dd70bd4e1be1fd4af8f
  profitera.com/img/newsletter/auto/wav.enc: 328784 bytes, MD5 75a9d6fd9fe34a4ff737c987938a8f6c; decrypted: 386048 bytes, MD5 f2bef403482c4dd70bd4e1be1fd4af8f

----------------------------------------

Campaign: 2014-01-30.AssortedFax
Messages Seen: 2410
Subject: Corporate eFax message from (RND) / jConnect fax from (RND) - (RND) pages, Caller_ID (RND)
From: eFax Corporate / jConnect / Dun & Bradstreet (message / case.alert@inbound.j2.com, dnb.com, inbound.efax.com)
Attachment: FAX_001_RND.zip, 10293 bytes, MD5 18b72825aecde011bdc92c1526491571
Unpacked: FAX_001_20143001_814.exe, 18944 bytes, MD5 915fdc8403b26bac79801fa1a341495d
[three screenshots of the spam messages; these three all use the same binaries]

----------------------------------------

Campaign: (unnamed)
Messages Seen: 1627
Subject: New Fax Message on 01/29/2013
From: RND <RND@*.ru>
Attachment: fax.zip, 10095 bytes, MD5 8627ce01daaebc35610d05cdbdbde612
Unpacked: fax.pdf.exe, 18432 bytes, MD5 465c2656c07ab05e9349920f53dd0deb

----------------------------------------

Campaign: 2014-01-30.LaPoste
Messages Seen: 101
Subject: Scan de (RND)
From: LaPoste <reponse-automatique@laposte.net>
Attachment: Scan_RND_RND_RND.zip, 9494 bytes, MD5 daaf11e91c3cc3506042d633373aabd3
Unpacked: Scan_301_30012014_001.exe, 17920 bytes, MD5 968779b34f063af0492c50dd4b6c8f30
[screenshot of the spam message]

----------------------------------------

Campaign: 2014-01-30.Staples
Messages Seen: 245
Subject: Your order is awaiting verification!
From: Staples Advantage Orders <Order@staplesadvantage.com>
Attachment: Order_RND.zip, 9465 bytes, MD5 e669d0ff0238ed2f3601c01f1a532728
Unpacked: Order.exe, 17920 bytes, MD5 84a6030c8265b33c3c4e68d29975bd76
[screenshot of the spam message]

----------------------------------------

Campaign: 2014-01-31.RingCentral1
Messages Seen: 3488
Subject: New Fax Message on 01/29/2014
From: RND <RND@*.ru>
Attachment: fax.zip, 9815 bytes, MD5 d373a3e96519612896facb6f18e89785
Unpacked: fax.pdf.exe, 19968 bytes, MD5 9a836550c9e74a46076a7292fb0d4ab1
[screenshot of the spam message]
Downloads:
  aim2go.com/WEB-INF/al3101.enc: 329132 bytes, MD5 ded1b7f7ea934faf84a8dcc5011316cd; decrypted: 390144 bytes, MD5 f07d3afab1eb150e8a315596b5fb23f9
  bandwagondesign.com/scripts/al3101.enc: 329132 bytes, MD5 ded1b7f7ea934faf84a8dcc5011316cd; decrypted: 390144 bytes, MD5 f07d3afab1eb150e8a315596b5fb23f9

----------------------------------------

HIGHEST MALWARE SPAM RATE SINCE APRIL 2013
February 8, 2014, 8:48 am

Since 2006, my lab at UAB, part of The Center for Information Assurance and Joint Forensics Research, has been gathering spam and finding creative ways to analyze it to find new threats. Last December we licensed that technology to form Malcovery Security, who have picked up the reins on the work of finding and reporting on new malicious threats in spam. Between the groups we've evaluated nearly a billion spam messages, so when one of my analysts says they are seeing something "new", I pretty much listen to them. This week they said "spam-delivered malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding! The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/MasterCard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!
Date    Messages reviewed   Count     Email Subject
Feb 5   1,066,187           171,186   Bank of America Alert: Online Banking Security Measures
Feb 6   1,176,667           303,646   ATTN: Important notification for a Visa / MasterCard holder!
Feb 7   1,113,739           267,445   Some important information is missing

Those numbers indicate that for the last three days this single malware distributor accounted for 16%, 25.8%, and 24% of all the spam we reviewed! How does that compare to normal? The previous day, February 4th, we considered the "Photos" malware campaign to be heavily spammed when it reached 5% of total spam volume for the day. Microsoft's Security Intelligence Report (volume 15) showed the spam message breakdown for the first half of 2013 like this:

[chart: spam breakdown by category, Microsoft SIR volume 15, first half of 2013]

Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon bombing, broke all the records for the heaviest spam campaign distributing malware, as we wrote about in "Boston Marathon Explosion Spam Leads to Malware". Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution about "Breaking News" emails:

> Because breaking news spam is so immediate, email users are more likely to
> believe the spam messages are legitimate. Spammers prey on people's desire for
> more information in the wake of a major event. When spammers give online users
> what they want, it's much easier to trick them into a desired action, such as
> clicking an infected link. It's also much easier to prevent them from
> suspecting that something is wrong with the message.

Here are some more details about the spam messages that were seen in the past three days:

----------------------------------------

[screenshot of the spam message]

Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped (http is changed to hYYp and spaces added to URLs for your protection):

hYYp://37.139.47.56 /srt/404.php
hYYp://37.139.47.56 /ssd/usa.exe
hYYp://37.139.47.56 /ssd/usa2.exe
hYYp://62.76.187.171 /srt/404.php
hYYp://62.76.187.171 /ssd/usa.exe
hYYp://62.76.187.171 /ssd/usa2.exe
hYYp://62.76.187.221 /ssd/usa.exe
hYYp://62.76.187.221 /ssd/usa2.exe
hYYp://85.143.166.119 /srt/404.php
hYYp://85.143.166.119 /ssd/usa.exe

----------------------------------------

[screenshot of the spam message]

hYYp://37.139.47.56 /srt/404.php
hYYp://37.139.47.56 /ssd/usa.exe
hYYp://37.139.47.56 /ssd/usa2.exe
hYYp://37.139.47.56 /ssd/ust2.exe
hYYp://37.139.47.56 /ssd/ust21.exe
hYYp://62.76.179.171 /punta/gae.php
hYYp://62.76.187.171 /srt/404.php
hYYp://62.76.187.171 /ssd/usa.exe
hYYp://62.76.187.171 /ssd/usa2.exe
hYYp://62.76.187.171 /ssd/ust2.exe
hYYp://62.76.187.171 /ssd/ust21.exe
hYYp://62.76.187.221 /ssd/usa.exe
hYYp://62.76.187.221 /ssd/usa2.exe
hYYp://62.76.187.221 /ssd/ust2.exe
hYYp://62.76.187.221 /ssd/ust21.exe
hYYp://62.76.42.144 /punta/gae.php
hYYp://62.76.46.249 /punta/gae.php
hYYp://85.143.166.119 /srt/404.php
hYYp://85.143.166.119 /ssd/usa.exe
hYYp://85.143.166.119 /ssd/usa2.exe
hYYp://85.143.166.119 /ssd/ust2.exe

----------------------------------------

[screenshot of the spam message]

hYYp://37.139.47.56 /srt/404.php
hYYp://37.139.47.56 /ssd/ust12.exe
hYYp://62.76.187.171 /srt/404.php
hYYp://62.76.187.171 /ssd/ust12.exe
hYYp://85.143.166.119 /srt/404.php
hYYp://85.143.166.175 /ssd/ust12.exe

----------------------------------------

The IP addresses that would be most critical to block to protect your network are these. Most of them are on a cloud hosting service in Russia, "clodo.ru": some on AS48172 OVERSUN (St. Petersburg, Russia, clodo.ru) and others on AS56534 PIRIX-INET-AS PIRIX, ltd.

37.139.47.56
62.76.179.171
62.76.187.171
62.76.187.221
62.76.42.144
62.76.46.249
85.143.166.119
85.143.166.175

The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that URL as of this timestamp, which is showing greatly improved detection over my original run. ESET, Kaspersky, and Microsoft all agree this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.

SPAMMING COMPUTERS ANALYSIS

How often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days.

ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5.
ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6.
ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.

5 intersection 6 = 22,500 shared IPs
6 intersection 7 = 25,405 shared IPs
5 intersection 7 = 18,261 shared IPs

16,255 IPs were seen in all three campaigns. 107,987 unique IPs were seen if we combine all three campaigns. Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were 86.64.142.28 (France, 158 messages) and 200.123.8.123 (Peru, 142 messages).

I geo-coded those IP addresses that sent more than 10 emails to us, which was a total of 21,955 IP addresses from 141 countries. A very unusual number of IP addresses, more than 45%, are from Spanish-speaking countries.
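The overlap arithmetic above (per-day sender sets, pairwise and three-way intersections, union, per-IP averages, top senders) is worth scripting so it can be rerun on the next campaign. The Python below is an added example, not the post's or Malcovery's code; the (day, sending IP) records are constructed and stand in for one record per collected message, as you would get by parsing the outermost Received: header. It also carries an inclusion-exclusion check on the union, a cheap consistency test for figures like these.

```python
"""Sender-IP overlap across spam campaigns (added example, not the post's code)."""
from collections import Counter
from itertools import combinations
from statistics import mean, median

# Constructed sample: (campaign_day, sending_ip), one record per message.
SAMPLE = [
    ("feb5", "198.51.100.1"), ("feb5", "198.51.100.1"), ("feb5", "198.51.100.2"),
    ("feb5", "203.0.113.7"),
    ("feb6", "198.51.100.1"), ("feb6", "203.0.113.7"), ("feb6", "203.0.113.8"),
    ("feb6", "203.0.113.8"), ("feb6", "203.0.113.8"),
    ("feb7", "198.51.100.1"), ("feb7", "203.0.113.8"), ("feb7", "192.0.2.44"),
]


def analyze(records):
    """Per-day sender sets, their overlaps, and per-IP message statistics."""
    per_day = {}
    per_ip = Counter()
    for day, ip in records:
        per_day.setdefault(day, set()).add(ip)
        per_ip[ip] += 1
    days = sorted(per_day)
    pairwise = {(a, b): len(per_day[a] & per_day[b]) for a, b in combinations(days, 2)}
    in_all = set.intersection(*per_day.values()) if per_day else set()
    union = set.union(*per_day.values()) if per_day else set()
    counts = list(per_ip.values())
    return {
        "per_day_sizes": {d: len(per_day[d]) for d in days},
        "pairwise_shared": pairwise,
        "in_all_days": len(in_all),
        "unique_total": len(union),
        "mean_per_ip": mean(counts) if counts else 0,
        "median_per_ip": median(counts) if counts else 0,
        "top_senders": per_ip.most_common(2),
    }


def inclusion_exclusion_union(n_a, n_b, n_c, ab, bc, ac, abc):
    """|A u B u C| from the three set sizes, the three pairwise and the triple intersection.

    Use it to sanity-check a reported 'unique IPs across all campaigns' figure: if the
    lists were deduplicated consistently, this must equal the reported union.
    """
    return n_a + n_b + n_c - ab - bc - ac + abc


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for k, v in result.items():
        print(f"{k}: {v}")
    # The six counts quoted in the post, run through the same check.
    print("post union by inclusion-exclusion:",
          inclusion_exclusion_union(47380, 58532, 51883, 22500, 25405, 18261, 16255))
```

Run against the counts quoted in the post (47,380 / 58,532 / 51,883 senders per day, 22,500 / 25,405 / 18,261 pairwise, 16,255 in all three), the check returns 107,884, slightly below the reported 107,987; when reproducing a table like this, confirm that every count was taken from lists deduplicated the same way before comparing days.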
At some point this botnet probably enlarged itself through Spanish-language spam or website-based malware.

ES 3052 - Spain
AR 2148 - Argentina
US 1841 - United States
CO 1387 - Colombia
MX 1374 - Mexico
IT 1263 - Italy
DE 1025 - Germany
PE 915 - Peru
RO 876 - Romania
BR 833 - Brazil
GB 666 - Great Britain
CL 634 - Chile
FR 537 - France
IL 489 - Israel
CA 379 - Canada
PL 342 - Poland
TR 325 - Turkey
BG 267 - Bulgaria
PT 259 - Portugal
GR 238 - Greece
VE 238 - Venezuela
AT 183 - Austria
RS 180 - Republic of Serbia
EC 131 - Ecuador
CH 118 - Switzerland
IN 116 - India
CZ 104 - Czech Republic
PA 104 - Panama

INTERAC PHISHERS TRY THEIR HAND AT IRS
February 17, 2014, 10:26 am

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of (activate 1940s horror movie narrator voice) The POWER OF CROSS-BRAND INTELLIGENCE (/activate). Here's what the website looked like:

[screenshot of the phishing page]

Phish from: bursafotograf.com / profiles / interac / RP.do.htm

In this phish, the "big idea" is that you can escalate your IRS tax refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your userid and password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700).

[screenshot of the Regions Bank phishing page]

Things get quite fascinating, though, when we hide the graphics:

[screenshot of the phishing page with images disabled, showing the ALT text]

Why would an IRS phish have ALT TEXT for four of the largest Canadian banks?
By looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish. First, the website title is "INTERAC e-Transfer". INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else simply by using their email address or cell phone text messaging service. A transaction code is texted/emailed from the payer to the recipient, allowing the recipient to log in to the Interac service and choose what account, and what bank, they would like to receive the funds into. The phish has some JavaScript at the top that includes variables like

var provinceList = new Array("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");

and a pull-down menu with the options "Select Institution", "Select Province or Territory" and "Select Credit Union". As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as:

href = chasecustomerprofile, img src = chasecustomerprofile/css/images/chaseNew.gif ... but with alt="CIBC"
href = navy/index.htm, img src = imgs/nfculogo.png ... but with alt="President's Choice Financial"
href = suntrust, img src = imgs/suntrust.png ... but with alt="RBC Royal Bank"
etc.

PHISHING CROSS-BRAND INTELLIGENCE

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system. Here is a phish that was seen on June 21, 2013 on the website freevalwritings.com / wp / interacsessions / RP.do.htm

[screenshot of the June 21, 2013 Interac phish]

And another first seen on May 28, 2013 on the website anglaisacote.com / interac / RP.do.htm. (Note the common path on both of these that matches the current IRS phish, "interac/RP.do.htm"; RP.do.htm is used on the REAL Interac website.)

[screenshot of the May 28, 2013 Interac phish]
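Hiding the graphics exposed the kit because the img alt text still named Canadian banks while the links and image files named American ones, and that comparison automates well. The Python below is an added example, not the post's, Malcovery's, or the phish kit's code. It parses the page with the standard library, pairs each logo image with its enclosing link, and reports every logo whose link target or image file maps to one brand while its alt text maps to another. The HTML is constructed to mirror the structure the post quotes, and the brand keyword table is the example's own assumption.

```python
"""Link/alt-text brand mismatch finder for rebranded phish kits (added example)."""
from html.parser import HTMLParser

# Constructed page mirroring the structure quoted in the post: links and image
# files point at US banks while the alt text still names Canadian institutions.
SAMPLE_HTML = """<html><head><title>INTERAC e-Transfer</title></head><body>
<table>
<tr><td><a href="chasecustomerprofile"><img src="chasecustomerprofile/css/images/chaseNew.gif" alt="CIBC"></a></td></tr>
<tr><td><a href="navy/index.htm"><img src="imgs/nfculogo.png" alt="President's Choice Financial"></a></td></tr>
<tr><td><a href="suntrust"><img src="imgs/suntrust.png" alt="RBC Royal Bank"></a></td></tr>
<tr><td><a href="regions"><img src="imgs/regions.png" alt="Regions Bank"></a></td></tr>
</table></body></html>"""

# Keyword -> canonical brand. An assumption of the example; extend per case.
BRAND_KEYWORDS = {
    "chase": "Chase", "navy": "Navy Federal", "nfcu": "Navy Federal",
    "suntrust": "SunTrust", "regions": "Regions", "wellsfargo": "Wells Fargo",
    "usaa": "USAA", "citi": "Citi", "bankofamerica": "Bank of America",
    "cibc": "CIBC", "president's choice": "PC Financial",
    "rbc": "RBC", "royal bank": "RBC", "scotia": "Scotiabank", "bmo": "BMO",
}


def brand_of(text):
    """First brand whose keyword appears in text (case-insensitive), else None."""
    t = (text or "").lower()
    for kw, brand in BRAND_KEYWORDS.items():
        if kw in t:
            return brand
    return None


class LogoLinkParser(HTMLParser):
    """Collects (href, img src, img alt) for every image nested inside an anchor."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self._href = None
        self.logos = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href is not None:
            self.logos.append((self._href, a.get("src") or "", a.get("alt") or ""))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a":
            self._href = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def find_brand_mismatches(html):
    """Return (page title, list of logos whose link/image brand differs from the alt-text brand)."""
    p = LogoLinkParser()
    p.feed(html)
    findings = []
    for href, src, alt in p.logos:
        shown = brand_of(href) or brand_of(src)   # what the visitor sees / is sent to
        claimed = brand_of(alt)                   # what the kit's original markup says
        if shown and claimed and shown != claimed:
            findings.append({"href": href, "alt": alt,
                             "link_brand": shown, "alt_brand": claimed})
    return p.title.strip(), findings


if __name__ == "__main__":
    title, mismatches = find_brand_mismatches(SAMPLE_HTML)
    print("title:", title)
    for f in mismatches:
        print(f"{f['href']!r} looks like {f['link_brand']} but alt text says {f['alt_brand']} ({f['alt']!r})")
```

The same pass over a corpus of phishing pages gives you a kit fingerprint for free: the set of alt-text brands that never match their links is stable across rebrandings, which is exactly what let the post link the IRS page back to the Interac kit.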
PHISHING & SPAM CROSS-BRAND INTELLIGENCE

An interesting thing about phishing emails differentiates them from standard spam: while normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal money from Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually "130.13.122.25 / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website "ernursusleme.com / Connections / irsonlinedeposit /", which then forwarded the visitors to "bursafotograf.com / profiles / interac / RP.do.htm", which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on 130.13.122.25. We found two sets of spam messages that advertised URLs on that host in our spam collection: one batch from January 8, 2014 and the other batch from January 28th and January 29th, 2014. The January 28th and January 29th emails claimed to be "From: USAA (USAA.Web.Services@customer.usaa.com)" with an email subject of "New Insurance Document Online". Two of the emails were sent from 122.3.92.116 (Philippines) and one email was sent from 70.166.118.54 (Cox). What other emails were sent from those IP addresses?
Here are the emails from 122.3.92.116:

Date | Subject | From Name | From Email
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 14, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 16, 2013 | Confirmation - personal information update | USAA | USAA.Web.Services@ customermail.usaa.com
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 23, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 30, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 5, 2014 | Notification of Limited Account Access | PayPal | PayPal@ abuse.epayments.com
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | TD Canada Trust | notify@ payments.interac.ca

And here are the emails from 70.166.118.54:

Date | Subject | From Name | From Email
Jan 29, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@customermail.usaa.com
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 9, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com
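The two tables above are the output of a two-step pivot: first find every sending IP that advertised a URL on the host seen in the IRS phish, then list everything else those IPs sent. The following is an added example, not code from the blog post or from Malcovery's PhishIQ or Spam Data Mine, that runs that pivot over a small spam index constructed here. The two sender IPs and the 130.13.122.25 URL are the ones named in the post; the remaining records, hostnames (all under example.invalid) and dates are made up for the demonstration.

```javascript
// Added example: not code from the blog post or from Malcovery's PhishIQ or
// Spam Data Mine. It runs the pivot the post describes over a small spam index
// constructed here: (1) find every sending IP that advertised a URL on the
// host first seen in the IRS phish, then (2) list every lure those IPs sent.
// The two sender IPs and the 130.13.122.25 URL are the ones named in the post;
// all other records, hosts and dates are made up for the demonstration.
const SPAM_INDEX = [
  { date: "2014-01-28", srcIp: "122.3.92.116", fromName: "USAA",
    subject: "New Insurance Document Online", url: "http://130.13.122.25/irsjspmessageKey-IG09210358i/" },
  { date: "2014-01-29", srcIp: "70.166.118.54", fromName: "USAA",
    subject: "New Insurance Document Online", url: "http://130.13.122.25/irsjspmessageKey-IG09210358i/" },
  { date: "2013-12-13", srcIp: "122.3.92.116", fromName: "service@ intl.paypal.com",
    subject: "Your account has been limited until we hear from you", url: "http://paypal-lure.example.invalid/login/" },
  { date: "2014-01-07", srcIp: "122.3.92.116", fromName: "notify@ payments.interac.ca",
    subject: "Canada Tax send you an INTERAC e-Transfer", url: "http://interac-lure.example.invalid/interac/RP.do.htm" },
  { date: "2014-02-11", srcIp: "70.166.118.54", fromName: "Wells Fargo Online",
    subject: "Wells Fargo ATM/Debit Card Expires Soon", url: "http://wf-lure.example.invalid/alerts/" },
  { date: "2014-02-01", srcIp: "203.0.113.9", fromName: "Unrelated Sender",
    subject: "Unrelated campaign", url: "http://other.example.invalid/" },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Step 1: sending IPs that advertised any URL on `host`.
function sendersForHost(records, host) {
  return [...new Set(records.filter(r => hostOf(r.url) === host).map(r => r.srcIp))].sort();
}

// Step 2: per sending IP, each distinct "From name | Subject" lure with a count.
function luresFromSenders(records, ips) {
  const out = {};
  for (const r of records) {
    if (!ips.includes(r.srcIp)) continue;
    const lure = `${r.fromName} | ${r.subject}`;
    out[r.srcIp] = out[r.srcIp] || {};
    out[r.srcIp][lure] = (out[r.srcIp][lure] || 0) + 1;
  }
  return out;
}

// The whole cross-brand pivot: host -> sender IPs -> brands those IPs imitated.
function crossBrandPivot(records, host) {
  const ips = sendersForHost(records, host);
  const lures = luresFromSenders(records, ips);
  const brands = new Set();
  for (const byLure of Object.values(lures)) {
    for (const lure of Object.keys(byLure)) brands.add(lure.split(" | ")[0]);
  }
  return { ips, lures, brands: [...brands].sort() };
}

console.log(JSON.stringify(crossBrandPivot(SPAM_INDEX, "130.13.122.25"), null, 2));
```

The pivot key is the advertised host rather than the full URL, because the IRS lure used several paths on the same IP; the unrelated 203.0.113.9 sender never appears in the result since it never advertised that host. In a real spam index the same functions would be run against the full record set, and the "From name" column would be normalised to a brand before grouping.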
THE POWER OF CROSS-BRAND INTELLIGENCE

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!

WHATSAPP SPAM: A MALWARE DISTRIBUTION SCAM
February 24, 2014, 7:47 am

On February 19, 2014, Facebook announced the purchase of WhatsApp for $4 billion in cash and 183,865,778 shares of Facebook stock ($12 billion in current value) plus an additional $3 billion in shares to the founders that will vest over four years, for a total purchase price of $19 billion. Within 24 hours, spammers were using WhatsApp lures to attract traffic to counterfeit pharmaceutical websites!

Journalists in the United States were scurrying trying to figure out what WhatsApp even is, let alone why it should be worth $19 billion. Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research, headlined "Messenger Wars: How Facebook lost its lead", which covered the top social messaging apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still led in the US, and WeChat clearly dominates China, WhatsApp was the leading app in Brazil (72%), South Africa (68%), and Indonesia (43%).

[Image: OnDevice Research chart of messaging app share by market]

But those of us who keep track of spam and email-based threats have been hearing about WhatsApp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.
According to Malcovery Security's Brendan Griffin, WhatsApp has been used as a malware lure since at least September 19, 2013. I asked Brendan to give me a list of days when a WhatsApp spam/malware campaign made Malcovery's "Today's Top Threats" list. This campaign has been solidly in the top ten on:

September 19, 23, 24, 25, 26
October 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
November 14
January 9, 13, 15, 20, 28

As Steve Ragan mentioned in his ComputerWorld article on November 8, 2013, WhatsApp was one of our Top Five Imitated Brands for the delivery of malware via spam for the quarter. (See ComputerWorld - Senior executives blamed for a majority of undisclosed security incidents.)

Curiously, when I asked Brendan about the email I saw THIS WEEK imitating WhatsApp, he said that was an example of spammers using the WhatsApp notoriety to drive traffic to counterfeit pharmaceutical websites!

WHATSAPP SPAM USED BY ASPROX BOTNET TO DELIVER KULUOZ MALWARE

We've seen tremendous variety in both the malware being delivered and in the method of delivery over the course of so many spam runs. The first day we made note of the WhatsApp malware, September 19, 2013, we observed 52 different websites being advertised in the emails. Each of these websites had a file called "info.php" that was being called with a very long unique "message" parameter, such as:

    /info.php?message=47lvQ31P1Nip+SkTsbYeAVNH+2aJDFeJ9djfprCHGa4=

(a couple digits have been tweaked for privacy)
Websites used for malware delivery, September 19, 2013:

aki-kowalstwo.pl
amicidelcuore.info
arsenalyar.ru
art52.ru
bhaktapurtravel.com.np
bluereefwatersports.com
cateringjaipur.com
clockcards.ie
dj220w.ru
djvakcina.com
easywebmexico.com
etarlo.ru
everyday24h.de
globalpeat.com
gourmetschlitten.com
idollighting.com
juhatanninen.com
kasutin.ru
koshergiftsuk.com
lichtenauer-fv.de
locweld.com
mbuhgalter.ru
mdou321.ru
mikemetcalfe.ca
mirvshkatulke.ru
mrsergio.com
muzikosfabrikas.lt
mywebby.ru
orbitmotion.com
orderschering.com
paternocalabro.it
paulhughestransport.com
pax-sancta.de
pennerimperium.de
planeta-avtomat.ru
rkbtservice.ru
samedaystationery.co.uk
schweitzers.com
sentabilisim.com
sewretro.com
spentec.ca
structuredsettlementsannuities.com
thaiecom.net
tiarahlds.com
tk-galaktika.ru
towi69.de
trivenidigital.com
veerbootkobus.nl
venetamalaysia.com
verfassungsschutz-bw.de
vitapool.ru
zdrowieonly.ovh.org

Visiting the link from any of those websites resulted in code on the server resolving your IP address and creating a custom malware name based on your geographic location. For example, when we visited from Birmingham, Alabama IP addresses, we received a file called "VoiceMail_Birmingham_(205)4581400.zip". 205 is the area code for Birmingham, Alabama, so both the city name and the telephone number provided were intended to enhance the believability that this was a "real" VoiceMail message that we should open and listen to! At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)

This malware delivery mechanism, with the geographically labeled secondary malware, is a signature of the ASPROX => Kuluoz malware. Kuluoz, which is also known as DoFoil, is delivered as the second phase of a malware delivery scheme that begins by having computers that are part of the ASProx botnet send spam.
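The two indicators just described, a lure URL of the form /info.php (later /app.php) with a long base64 "message" parameter, and a downloaded zip named after the visitor's city and area code, are both easy to check for in web proxy logs. The following is an added example, not code from the blog post or from Malcovery, that applies both checks to a few constructed proxy-log lines. The lure query string and the Birmingham file name are the ones quoted in the post; the log format, hostnames (under example.invalid), client addresses and timestamps are assumptions made up for the demonstration.

```javascript
// Added example: not code from the blog post or from Malcovery. Two detections
// written from the indicators the post describes for the Asprox/Kuluoz WhatsApp
// run, applied to constructed proxy-log lines: a lure URL of the form
// /info.php (or /app.php) with a long base64 "message" parameter, and a
// downloaded zip named VoiceMail_<City>_(<area code>)<number>.zip. The lure
// query string and the Birmingham file name are the ones quoted in the post;
// hosts, clients and timestamps are placeholders.
const LOG_LINES = [
  '2013-09-19T10:02:11Z 10.0.0.7 GET http://lure-a.example.invalid/info.php?message=47lvQ31P1Nip+SkTsbYeAVNH+2aJDFeJ9djfprCHGa4= 200 application/zip "VoiceMail_Birmingham_(205)4581400.zip"',
  '2013-09-24T08:40:03Z 10.0.0.9 GET http://lure-b.example.invalid/app.php?message=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU= 200 text/html ""',
  '2013-09-24T08:41:20Z 10.0.0.9 GET http://site-c.example.invalid/info.php?message=hello 200 text/html ""',
  '2013-09-24T09:00:00Z 10.0.0.4 GET http://site-d.example.invalid/index.php?id=12 200 text/html ""',
];

// Constructed log format: ts client method url status mime "saved-filename".
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: m[4], status: m[5], mime: m[6], filename: m[7] };
}

// Read the raw "message" value without URLSearchParams, which would turn the
// base64 "+" into a space and break the decode below.
function messageParam(url) {
  const q = url.indexOf("?");
  if (q < 0) return null;
  for (const pair of url.slice(q + 1).split("&")) {
    if (pair.startsWith("message=")) return pair.slice("message=".length);
  }
  return null;
}

// Lure check: info.php/app.php script name plus a base64 message of at least
// 16 decoded bytes (the post's sample decodes to 32).
function looksLikeAsproxLure(url) {
  const path = url.split("?")[0];
  if (!/\/(info|app)\.php$/.test(path)) return false;
  const msg = messageParam(url);
  if (!msg || !/^[A-Za-z0-9+/]+={0,2}$/.test(msg)) return false;
  return Buffer.from(msg, "base64").length >= 16;
}

// Payload check: the geolocated "VoiceMail_<City>_(<area code>)<7 digits>.zip" name.
const GEO_VOICEMAIL_NAME = /^VoiceMail_[A-Za-z]+_\(\d{3}\)\d{7}\.zip$/;

function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = [];
    if (looksLikeAsproxLure(rec.url)) reasons.push("info.php/app.php lure with base64 message parameter");
    if (GEO_VOICEMAIL_NAME.test(rec.filename)) reasons.push("geolocated VoiceMail_<City>_(<area code>) zip name");
    if (reasons.length) findings.push({ ts: rec.ts, client: rec.client, url: rec.url, reasons });
  }
  return findings;
}

console.log(JSON.stringify(scanLog(LOG_LINES), null, 2));
```

The first two lines are flagged (the first on both indicators, the second on the URL alone); the third has the right script name but a "message" value far too short to be the campaign's token, and the fourth is ordinary traffic. Since the post notes that the script name changed from info.php to app.php within a week, the file-name check is the more durable of the two.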
This is the same campaign that delivered Walmart/BestBuy/CostCo delivery messages around the Christmas holiday, and that delivered Courthouse, Eviction, and Energy bill spam.

In the more recent VirusTotal report, AntiVir, DrWeb, and Microsoft label this sample as Kuluoz, while Agnitum, CAT-QuickHeal, Kaspersky, NANO-Antivirus, VBA32, and VIPRE call it DoFoil. Zortob is another popular label seen for this malware, and Symantec calls it "FakeAVLock" while Ikarus and Sophos call it Weelsof. Weelsof is a ransomware family, and this label, as well as the FakeAV label, is likely due to tertiary malware. When secondary malware "drops" (a term that just means that ADDITIONAL malware is downloaded from the Internet after the initial infection), it is common for AntiVirus vendors to apply the label for the "ultimate intention" to all of the malware samples seen in that particular infection chain.

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz's role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis, which was submitted as Mr. Bar's dissertation for his Master of Science in Computer Science.

[Image: infection-chain diagram from Shaked Bar's paper, Kuluoz: Malware and botnet analysis]

At the time of Shaked Bar's paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar's paper is well worth reading, as he explains how C&C traffic is XOR'ed with the byte 0x2B to test the ability of the bot to send spam as well as other potential uses. Mr. Bar documents more fully the possible tertiary malware, including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.
Malcovery Security analysts also called attention in our September 19, 2013 report to the fact that the WhatsApp spam, when visited from an Android device, detected the OS and dropped a file called "WhatsApp.apk". .apk files are Android's "application package file" format, used to distribute and install Android apps. Examination of the .APK file confirmed that this was fake antivirus for your Android phone, containing descriptions of each supposedly detected malware in both English and Russian, as exhibited by this snip from the .APK file:

[Image: snippet from WhatsApp.apk showing English and Russian descriptions of "detected" malware]

The URLs used to drop the infection shifted constantly. For example, these are the URLs from September 24th, each using "app.php" instead of "info.php":

abslmm.info
animestyles.com
arcesubastas.com
azagom16.com
bluereefwatersports.com
bodfish.net
bptca.com
chester94.com
claytonhistorysociety.org
clearthoughtfarm.com
columbialivingmag.com
crumptonplats.com
cvhi.ca
easychurchsoftware.com
effectivewithpeople.com
europainthewilderness.com
gigp01.com
killmanheatingandair.com
laduenails.com
lisapetrilli.com
lunchesruslawncare.com
lyallfamily.com
mypowerlines.com
notedls.com
online-kent.co.uk
orbitmotion.com
psmagic.co.uk
reggiegallery.com
scholarsbangladesh.com
tcfurniture.com
trivenidigital.com
wfbsusa.com
wpsverige.com
www.jigsawpuzzlesnow.com
www.mindful-way.com
www.minimesa.net
www.opalubka-spb.ru
www.scholarsbangladesh.com

And these were the sites for September 25th:
162.144.3.50
aandekleiput.be
abslmm.info
academicgames.org
acomputertech.com
allworldhearing.com
angelomasotti.it
animestyles.com
arcesubastas.com
asca-info.com
barkersofwindsor.co.uk
belliottjr.com
bmitraining.co.id
brothermartin.com
buntingarchitecturalmetals.com
caseybarnett.com
cityofmossyrock.com
cvhi.ca
dasluae.com
debsownbusiness.com
demaravillamassage.com
dnsprattcanada.com
earnquick.co
ecuavantransportation.com
finlandiasf.org
gonzomarketing.us
indianhotpeppers.com
interbanc-me.com
intercom-group.net
jsmengineering.co.nz
kepsballs.com
maxmuscleraleigh.com
miketrig.com
miwera.de
mosobladvokatura.ru
neonett.net
night55.com
notedls.com
oysterbaytaxi.com
peakkickboxing.com
personalcarephysio.ca
peterscreekauto.net
photo2canvasdirect.com
pts.kovrov.ru
revoltadvertising.ca
rsme.co.uk
scholarsbangladesh.com
shahmaulik.com
solardynamicsinc.com
sumedacellular.com
tejedoresdearte.com
theconservativeactivist.com
uhlit.com
urokshof.be
uwes-futterkiste.de
velomotoban.ru
visibus.ru
whatshisface.org
www.besttechmfg.com
www.bonnevilledrivingschool.com
www.citadelyachts.com
www.coaching-pattaya.com
www.dasluae.com
www.dmdservice.com
www.doanevent.com
www.gestiondutemps.be
www.horseamour.com
www.kyhydropower.com
www.mhbchurch.qwestoffice.net
www.mtnhwybaptistchurch.com
www.musango.ca
www.rhinocerose.fr
www.wholepersonsoftware.com
www.zhelezno.ru
zhinengqigongworldwide.org

WHATSAPP SPAM USED BY CUTWAIL BOTNET TO DELIVER UPATRE => ZEUS MALWARE

More recently, the WhatsApp malware has been used by an entirely different spam-sending malware team. This group, which favors the Cutwail spam botnet, uses spam messages to deliver a malware family known as UPATRE. UPATRE is a tiny malware file that is repacked constantly to ensure deliverability and that has little malicious behavior itself. The only function of UPATRE is to drop additional malware. In this case, the malware is attached as a .zip file that, when executed by the recipient in order to "play their missed message", will cause Zeus to be downloaded as the secondary malware.
Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

[Image: Cutwail-delivered WhatsApp "missed message" spam, January 28, 2014]

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus to allow safe passage through any blocking and detecting methods. This model of downloading an undetectable version that is then decoded into a fully functional Zeus malware by the Upatre module was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security. In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

    zubayen . com / up / wav.enc

or from

    inspireplus . org . uk / images / banners / wav.enc

(spaces added for your safety)

WHATSAPP SPAM DELIVERING CANADIAN HEALTH & CARE MALL LINKS?

As WhatsApp reaches the pinnacle of awareness among American spam recipients, it is only natural that the pharmaceutical spammers would get in on the game. On February 20, 2014, the spammers sent out "Missed Voice Message" spam with a huge number of random URLs belonging to compromised webservers. Each of the compromised webservers (usually the spammer has harvested userids and passwords for their FTP accounts in previous malware runs) has a newly created .php or .pl file that contains an encoded redirector to a pharmaceutical website.

[Image: "Missed Voice Message" WhatsApp pharmacy spam, February 20, 2014]

On February 20th, the advertised spam URLs all redirected to one of more than fifty compromised webservers, each of which then redirected to a Canada Health & Care Mall website.
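The redirector files on those compromised webservers hide their destination behind JavaScript hex escapes; the post quotes one of them next. The following is an added example, not code from the blog post, that recovers the destination and delay of such a redirector statically, without evaluating any of it: decode the \xNN escapes, collect the name="literal" assignments, find the setTimeout() string, and resolve the variable that location.href is assigned. SAMPLE is the redirector quoted in the post (it sends the visitor to thedietpharmacy.com); the parsing functions and their names are assumptions added here.

```javascript
// Added example: not code from the blog post. It statically recovers the
// destination and delay of a hex-escaped redirector like the one the post
// quotes, without evaluating any of it: decode the \xNN escapes, collect
// the name="literal" assignments, find the setTimeout() string, and resolve
// the variable that location.href is set to. SAMPLE is the redirector quoted
// in the post (it sends the visitor to thedietpharmacy.com); the parsing
// logic is added here.
const SAMPLE = String.raw`gjhqv1="\x30";qnnt2="\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x64\x69\x65\x74\x70\x68\x61\x72\x6D\x61\x63\x79\x2E\x63\x6F\x6D";setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x71\x6E\x6E\x74\x32\x3B",gjhqv1);`;

// Decode \xNN and \uNNNN escapes inside a string-literal body.
function decodeEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Map every `name="..."` assignment to its decoded value.
function collectAssignments(script) {
  const vars = {};
  for (const m of script.matchAll(/([A-Za-z_$][\w$]*)\s*=\s*"((?:[^"\\]|\\.)*)"/g)) {
    vars[m[1]] = decodeEscapes(m[2]);
  }
  return vars;
}

// Locate setTimeout("<string>", <delay>) and resolve the delay, which may be a
// number literal or a variable holding a numeric string such as "0".
function findTimeout(script, vars) {
  const m = script.match(/setTimeout\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*([^)]+)\)/);
  if (!m) return null;
  const delayToken = m[2].trim();
  const delay = /^\d+$/.test(delayToken) ? Number(delayToken) : Number(vars[delayToken]);
  return { body: decodeEscapes(m[1]), delayMs: Number.isNaN(delay) ? null : delay };
}

// Full pipeline: returns the redirect target (or null if the script does not
// match this pattern), the delay, and the decoded timer body for the analyst.
function extractRedirect(script) {
  const vars = collectAssignments(script);
  const timer = findTimeout(script, vars);
  if (!timer) return null;
  const m = timer.body.match(/(?:window\.)?(?:top\.)?location(?:\.href)?\s*=\s*(?:"([^"]*)"|([A-Za-z_$][\w$]*))/);
  if (!m) return null;
  const destination = m[1] !== undefined ? m[1] : (vars[m[2]] !== undefined ? vars[m[2]] : null);
  return { destination, delayMs: timer.delayMs, decodedBody: timer.body };
}

console.log(extractRedirect(SAMPLE));
```

Run against the quoted sample this yields destination http://thedietpharmacy.com, delayMs 0 and the decoded timer body "window.top.location.href=qnnt2;". Decoding the escapes and resolving the variable references by hand, rather than running the script in a browser or an eval() sandbox, is the point: the redirect target can be recovered for blocklisting or reporting without ever following it.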
The advertised URLs have a simple Javascript obfuscation to try to hide the true destination, such as this page:

    gjhqv1="\x30";qnnt2="\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x64\x69\x65\x74\x70\x68\x61\x72\x6D\x61\x63\x79\x2E\x63\x6F\x6D";setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x71\x6E\x6E\x74\x32\x3B",gjhqv1);

When interpreted as Javascript, the "setTimeout" portion decodes to "window.top.location.href=qnnt2;", i.e. make the window's location equal to the variable qnnt2. The assignments at the top set qnnt2 equal to http://thedietpharmacy.com and gjhqv1 to "0", so the redirect happens after "0" milliseconds.

Reviewing 50 URLs of this type, with names such as "reactivates.php" or "bombarding.pl" or "gaelicizes.php", there were only four redirection targets:

canadavasomax.com
lossdietpharmacy.com
thedietpharmacy.com
wellnessasaletraining.com

each of which looked like this:

[Image: Canadian Health & Care Mall pharmacy landing page]

2013 FTC CONSUMER SENTINEL REPORT - IDENTITY THEFT BY U.S. CITY
February 27, 2014, 9:57 pm

Each year the Federal Trade Commission publishes a detailed report on the Fraud and Identity Theft complaints they received during the previous year, not just at the FTC, but throughout their Consumer Sentinel Network. Some of the leading members of that network include the Better Business Bureau and the FBI's Internet Crime and Complaint Center (IC3.gov). You can review the entire 2013 Consumer Sentinel Network Data Book on your own if you want to look up more about your state. Just like last year, fraud that began by telephone/telemarketing was the top category, but 33% of all Fraud complaints started with an email!
Complaints by category were:

14% - Identity Theft
10% - Debt Collection Fraud
7% - Banks and Lenders
6% - Imposter Scams
6% - Telephone and Mobile Service Scams
4% - Prizes, Sweepstakes and Lottery Scams
4% - Auto-related Fraud
3% - Shop-at-home and Catalog Sales fraud
3% - Television and Electronic Media fraud
2% - Advanced Payment for Credit Services fraud

In the Fraud categories, over 1 million complaints were filed including $1.6 billion in fraud, where the median reported amount paid was $400. (Only 61% of those alleging fraud stated a loss amount.)

Within the category of Identity Theft, the top categories were:

34% - government documents/benefits fraud
17% - Credit Card Fraud
14% - Phone/Utilities Fraud
8% - Bank Fraud
6% - Employment-related Fraud
4% - Loan Fraud

In 2012, there were 369,145 Identity Theft Complaints registered by Consumer Sentinel. In 2013, there were 290,056 Identity Theft Complaints. That's a 21.5% reduction in Identity Theft Complaints! Does this indicate that Identity Theft improved from 2012 to 2013? Or does it indicate that Identity Theft has become so commonplace that people don't get irate and call the Better Business Bureau or the FTC when it occurs?

WIRE TRANSFER TOPS THE FRAUD LOSSES LIST

American consumers are just DESPERATE to throw their money away in Wire Transfers. Even though every wire transfer place I've visited in the last two years has big warning signs about the various forms of fraud involving sending your money away in a wire transfer, it continues to be the top way in which fraudsters separate their victims from their money.

Year | Complaints | Money Wired Out
2011 | 115,901 | $438,343,577
2012 | 109,138 | $456,541,454
2013 | 104,984 | $507,713,984

Western Union and MoneyGram both have warning pages to help protect consumers! Follow their advice to not lose the average $4836 that more than 100,000 complained about last year!

Western Union has Eight Tips at their Knowledge Center:

1. Never send money to people you haven't met in person
2. Never send money to pay for taxes or fees on lottery or prize winnings
3. Never use a test question as an additional security measure to protect your transaction
4. Never provide your banking information to people you don't know
5. Never send money in advance to obtain a loan or credit card
6. Never send money for an emergency situation without verifying that it's a real emergency. (Gee - like a London Traveler Scam?)
7. Never send funds from a check in your account until it officially clears - which can take weeks
8. Never send a money transfer for an online purchase

MoneyGram has a great page called The 11 Most Common Wire Transfer Frauds that includes:

1. The Vehicle Purchase Scam
2. The Fake Loan Scam
3. The Lottery or Sweepstakes Scam
4. The Internet Romance Scam
5. The Mystery Shopper Scam
6. The Charity Scam
7. The Relative in Need Scam
8. The Internet Purchase Scam
9. The Newspaper Ads Scam
10. The Check or Money Order Scam
11. The Elder Abuse Scam

They even have a nice Dodge the Scams Game to help you get it down pat!

GREEN DOT MONEYPAK

In the most significant change in fraud payment behavior, this year 28% of fraud losses occurred via Prepaid cards, which was almost exclusively Green Dot Money cards. Two years ago this category of fraud losses didn't even exist! From 2012 to 2013 the number of victims went up 500% and the amount of money lost went up 600%!!

Year | Complaints | Prepaid Card Fraud Losses
2011 | 10 | $9,054
2012 | 16,914 | $6,946,619
2013 | 84,671 | $42,858,396

[Image: Green Dot MoneyPak card (image from DotFab.com)]

How much of this fraud was due to the CryptoLocker and PoliceLock Ransomware? We can't be sure, but this is a PROFOUND shift in fraud loss behavior and a great deal of it is certain to be based on those two malware campaigns.
We blogged about CryptoLocker using Green Dot late in the year in our story Tracking CryptoLocker with Malcovery and IID, but the FBI's Donna Gregory reported on the malware as far back as this August 2012 FBI Ransomware Story, where she said "We're getting inundated with complaints!" referring to the complaints coming in to the FBI's IC3.gov complaint form, which is one source of Consumer Sentinel data.

2013 - TOP CITIES FOR IDENTITY THEFT

Last year, 16 of the top 25 Identity Theft metropolitan areas were in Florida. This year it has fallen to 13.

13 of top 25 in Florida (16 in 2012)
4 of top 25 in California (0 in 2012)
3 of top 25 in Georgia (6 in 2012)
1 each in Alabama, Arkansas, Michigan, Tennessee, and West Virginia

Rank | Metro/Micropolitan Area | Per 100,000
1 | Miami-Fort Lauderdale-West Palm Beach, FL | 340.4
2 | Columbus, GA-AL | 214.7
3 | Naples-Immokalee-Marco Island, FL | 214
4 | Jonesboro, AR | 190.9
5 | Tallahassee, FL | 179.4
6 | Cape Coral-Fort Myers, FL | 174.9
7 | Atlanta-Sandy Springs-Roswell, GA | 170.7
8 | Port St. Lucie, FL | 163.9
9 | Beckley, WV | 160.9
10 | Tampa-St. Petersburg-Clearwater, FL | 155.5
11 | Orlando-Kissimmee-Sanford, FL | 149.6
12 | Detroit-Warren-Dearborn, MI | 142.9
13 | Lakeland-Winter Haven, FL | 140.2
14 | Stockton-Lodi, CA | 133.1
15 | Montgomery, AL | 132.2
16 | Vallejo-Fairfield, CA | 128.2
17 | Jacksonville, FL | 125.7
18 | Memphis, TN-MS-AR | 125.5
19 | Valdosta, GA | 125.4
20 | Ocala, FL | 125
21 | Gainesville, FL | 122.6
22 | Sebastian-Vero Beach, FL | 122.4
23 | Los Angeles-Long Beach-Anaheim, CA | 119.1
24 | Deltona-Daytona Beach-Ormond Beach, FL | 118.9
25 | Fresno, CA | 118.2
26 | Albany, GA | 117.6
27 | San Francisco-Oakland-Hayward, CA | 116.8
28 | North Port-Sarasota-Bradenton, FL | 116.6
29 | Bakersfield, CA | 116.5
30 | Macon, GA | 116.2
31 | Riverside-San Bernardino-Ontario, CA | 115.2
32 | Savannah, GA | 115.1
33 | Punta Gorda, FL | 115
34 | Dallas-Fort Worth-Arlington, TX | 114.8
35 | Crestview-Fort Walton Beach-Destin, FL | 112.4
36 | Palm Bay-Melbourne-Titusville, FL | 111.3
37 | Flint, MI | 109.7
38 | Lynchburg, VA | 108.1
39 | Jackson, MS | 107.4
40 | Washington-Arlington-Alexandria, DC-VA-MD-WV | 106.3
41 | Homosassa Springs, FL | 105.5
42 | Niles-Benton Harbor, MI | 105.2
43 | Houston-The Woodlands-Sugar Land, TX | 104.7
44 | Fayetteville, NC | 102.9
45 | Sacramento--Roseville--Arden-Arcade, CA | 101.3
46 | Modesto, CA | 101.1
47 | Phoenix-Mesa-Scottsdale, AZ | 101.1
48 | Las Vegas-Henderson-Paradise, NV | 100.8
49 | Chicago-Naperville-Elgin, IL-IN-WI | 100.4
50 | Killeen-Temple, TX | 99.4
51 | Auburn-Opelika, AL | 98.4
52 | New York-Newark-Jersey City, NY-NJ-PA | 97.7
53 | San Jose-Sunnyvale-Santa Clara, CA | 96.4
54 | Reno, NV | 96.1
55 | Philadelphia-Camden-Wilmington, PA-NJ-DE-MD | 95.5
56 | Chico, CA | 95.5
57 | Napa, CA | 94.5
58 | Pueblo, CO | 94.3
59 | Baltimore-Columbia-Towson, MD | 93.4
60 | San Diego-Carlsbad, CA | 93.4
61 | Milwaukee-Waukesha-West Allis, WI | 92.8
62 | Madera, CA | 92.8
63 | Rocky Mount, NC | 92.5
64 | Laredo, TX | 92.3
65 | Beaumont-Port Arthur, TX | 92
66 | Denver-Aurora-Lakewood, CO | 92
67 | Cleveland-Elyria, OH | 91.7
68 | Santa Cruz-Watsonville, CA | 89.6
69 | Brownsville-Harlingen, TX | 89.4
70 | Goldsboro, NC | 88.9
71 | Mobile, AL | 88.6
72 | Merced, CA | 88.4
73 | Santa Maria-Santa Barbara, CA | 88.2
74 | Ann Arbor, MI | 88.2
75 | Tucson, AZ | 87.9
76 | Augusta-Richmond County, GA-SC | 87.8
77 | Atlantic City-Hammonton, NJ | 87.4
78 | Redding, CA | 86.9
79 | Greenville-Anderson-Mauldin, SC | 86.6
80 | Athens-Clarke County, GA | 86.2
81 | McAllen-Edinburg-Mission, TX | 85.6
82 | Corpus Christi, TX | 85.5
83 | Baton Rouge, LA | 85.4
84 | Sierra Vista-Douglas, AZ | 85.3
85 | Austin-Round Rock, TX | 85.2
86 | Florence, SC | 85.1
87 | Albuquerque, NM | 85
88 | Boulder, CO | 84.9
89 | Pensacola-Ferry Pass-Brent, FL | 84.9
90 | Colorado Springs, CO | 84
91 | California-Lexington Park, MD | 83.7
92 | Dalton, GA | 83.7
93 | Hattiesburg, MS | 83.3
94 | San Antonio-New Braunfels, TX | 83.2
95 | Warner Robins, GA | 83
96 | Oxnard-Thousand Oaks-Ventura, CA | 82.8
97 | Trenton, NJ | 82.7
98 | Houma-Thibodaux, LA | 82.6
99 | Dover, DE | 82.6
100 | St. Louis, MO-IL | 82.1

ALABAMA IDENTITY THEFT: 2012 COMPARED TO 2013

Forgive me, dear reader, for focusing on my own state just this once . . .
In 2012, Alabama's top cities for Identity Theft, and their per capita complaints received, were:

#15 - Columbus, GA/AL (205.9 per 100,000)
#16 - Montgomery, AL (203.7 per 100,000)
#42 - Auburn-Opelika, AL (124.1 per 100,000)
#62 - Birmingham-Hoover, AL (111 per 100,000)
#91 - Enterprise-Ozark, AL (97.8 per 100,000)
#97 - Huntsville, AL (95.5 per 100,000)
#100 - Mobile, AL (93.5 per 100,000)
#118 - Anniston-Oxford, AL (90.2 per 100,000)
#125 - Tuscaloosa, AL (88.4 per 100,000)
#132 - Dothan, AL (87.2 per 100,000)
#145 - Gadsden, AL (84.3 per 100,000)
#195 - Decatur, AL (72.8 per 100,000)
#198 - Daphne-Fairhope-Foley, AL (72.4 per 100,000)
#303 - Florence-Muscle Shoals, AL (56.4 per 100,000)

How does that compare to 2013's numbers? The Columbus, Georgia/Alabama Metro area rose 13 places in the national rank to be the second worst city in America for Identity Theft. Montgomery, Alabama had a very slight rise in rank (from #16 to #15); although the number of complaints per capita fell, it is still one of the worst cities in America for Identity Theft. Mobile, Alabama rose in rank by 29 places, moving from #100 to #71. All other cities in Alabama FELL in their national rank for Identity Theft -- but one must ask, as above, is that because crime is declining? Or is apathy increasing? Have we become so desensitized to Identity Theft that we no longer feel the need to complain?

2013 rank (change in rank from 2012) - city (complaints per 100,000) = change in complaints per 100,000:

#2 (+13) - Columbus, GA-AL (214.7 per 100,000) = +8.8 per 100,000
#15 (+1) - Montgomery, AL (132.2) = -71.5 per 100,000
#51 (-9) - Auburn-Opelika, AL (98.4) = -25.7 per 100,000
#71 (+29) - Mobile, AL (88.6) = -4.9 per 100,000
#117 (-55) - Birmingham-Hoover, AL (77.7) = -33.3 per 100,000
#131 (+1) - Dothan, AL (74.8) = -12.4 per 100,000
#152 (-55) - Huntsville, AL (68.5) = -27 per 100,000
#167 (-42!) - Tuscaloosa, AL (65.2) = -23.2 per 100,000
#226 (-81!) - Gadsden, AL (57.5)
#234 (-116!) - Anniston-Oxford-Jacksonville, AL (56.5)
#268 (-70!) - Daphne-Fairhope-Foley, AL (52.1)
#316 (-121!) - Decatur, AL (44.2)
#357 (-54!) - Florence-Muscle Shoals, AL (36.7)

DO YOU KNOW HOW TO FILE AN IDENTITY THEFT, FRAUD, OR PHISHING COMPLAINT?

If someone scammed you out of your money or stole your identity, that is a CRIME! What should you do? CALL THE POLICE! But there are some other guidelines as well. The Federal Trade Commission has two web pages that help you understand what to do if you have been the victim of identity theft:

FTC: What to do if you have been a victim of Identity Theft
FTC: How to file an Identity Theft Complaint with the FTC
FTC: March 2-8 is National Consumer Protection Week - tips and videos you can share with your friends are on this site!

You STILL want to call your local Police to let them know about the crimes against you. If someone stole YOUR identity or scammed you, they are likely targeting others as well! Besides your local law enforcement, it would be helpful if you could take the time to share what happened to you with the FBI Internet Crime & Complaint Center (ic3.gov). This unique center in West Virginia gathers hundreds of thousands of cybercrime complaints per year into a database that can be accessed by law enforcement across the country. Perhaps you will only be another drop in the bucket, but you MAY provide the missing link that ties many smaller losses together into a major investigation!

For PHISHING EMAILS, be sure to report that phish to Malcovery's PhishIQ system! By sending us the address of that suspicious or fake bank website, our automated systems will preserve forensic evidence about the phishing website and work on linking it to other websites that may have been created by the same criminal!
APPENDIX: THE REST OF THE LIST (TOP IDENTITY THEFT CITIES BY RANK)

National rank, metro area, and complaints per 100,000:

#101 - New Orleans-Metairie, LA (82)
#102 - Charlotte-Concord-Gastonia, NC-SC (81.7)
#103 - Prescott, AZ (81.5)
#104 - Santa Fe, NM (81.2)
#105 - Tyler, TX (80.6)
#106 - Virginia Beach-Norfolk-Newport News, VA-NC (80.4)
#107 - Monroe, MI (80.3)
#108 - Little Rock-North Little Rock-Conway, AR (80.2)
#109 - Gainesville, GA (80.1)
#110 - Hammond, LA (80.1)
#111 - Bridgeport-Stamford-Norwalk, CT (80.1)
#112 - Lake Havasu City-Kingman, AZ (78.9)
#113 - Seattle-Tacoma-Bellevue, WA (78.4)
#114 - Oklahoma City, OK (77.9)
#115 - Columbia, SC (77.8)
#116 - Vineland-Bridgeton, NJ (77.8)
#117 - Birmingham-Hoover, AL (77.7)
#118 - El Paso, TX (77.4)
#119 - Muskegon, MI (77.2)
#120 - New Haven-Milford, CT (77.2)
#121 - Midland, TX (76.9)
#122 - Burlington, NC (76.8)
#123 - Spokane-Spokane Valley, WA (76.7)
#124 - Odessa, TX (76.6)
#125 - Hilton Head Island-Bluffton-Beaufort, SC (75.9)
#126 - Indianapolis-Carmel-Anderson, IN (75.3)
#127 - Yakima, WA (75.2)
#128 - Concord, NH (75.1)
#129 - San Luis Obispo-Paso Robles-Arroyo Grande, CA (74.9)
#130 - Reading, PA (74.9)
#131 - Dothan, AL (74.8)
#132 - Brunswick, GA (74.8)
#133 - Lumberton, NC (74.5)
#134 - Allentown-Bethlehem-Easton, PA-NJ (74.3)
#135 - Wichita, KS (74.2)
#136 - Charleston-North Charleston, SC (73.7)
#137 - Richmond, VA (73.1)
#138 - Akron, OH (72.4)
#139 - Kansas City, MO-KS (71.9)
#140 - Racine, WI (71.6)
#141 - Rockford, IL (71.5)
#142 - Scranton--Wilkes-Barre--Hazleton, PA (71.5)
#143 - Santa Rosa, CA (70.9)
#144 - Topeka, KS (70.6)
#145 - Dayton, OH (70.4)
#146 - Spartanburg, SC (69.9)
#147 - Salinas, CA (69.9)
#148 - Shreveport-Bossier City, LA (69.8)
#149 - Show Low, AZ (69.8)
#150 - Yuba City, CA (69.5)
#151 - Panama City, FL (68.8)
#152 - Huntsville, AL (68.5)
#153 - Fort Collins, CO (68.4)
#154 - Raleigh, NC (68.4)
#155 - Portland-Vancouver-Hillsboro, OR-WA (68.1)
#156 - Durham-Chapel Hill, NC (67.8)
#157 - Charleston, WV (67.4)
#158 - Greeley, CO (66.8)
#159 - Medford, OR (66.4)
#160 - Yuma, AZ (66.4)
#161 - Gulfport-Biloxi-Pascagoula, MS (66.4)
#162 - Wilmington, NC (66.3)
#163 - Springfield, MA (65.8)
#164 - Columbus, OH (65.7)
#165 - New Bern, NC (65.5)
#166 - Boston-Cambridge-Newton, MA-NH (65.4)
#167 - Tuscaloosa, AL (65.2)
#168 - Flagstaff, AZ (64.7)
#169 - Lawton, OK (64.5)
#170 - Saginaw, MI (64.4)
#171 - Hartford-West Hartford-East Hartford, CT (64.4)
#172 - Minneapolis-St. Paul-Bloomington, MN-WI (64.2)
#173 - Wausau, WI (64.1)
#174 - Duluth, MN-WI (64)
#175 - Amarillo, TX (63.9)
#176 - Olympia-Tumwater, WA (63.8)
#177 - Youngstown-Warren-Boardman, OH-PA (63.8)
#178 - Asheville, NC (63.8)
#179 - Toledo, OH (63.8)
#180 - Bremerton-Silverdale, WA (63.7)
#181 - Kankakee, IL (63.5)
#182 - Chattanooga, TN-GA (63.4)
#183 - Madison, WI (63.4)
#184 - Bend-Redmond, OR (63.4)
#185 - Greensboro-High Point, NC (63.1)
#186 - Greenville, NC (63)
#187 - Rochester, NY (62.7)
#188 - Myrtle Beach-Conway-North Myrtle Beach, SC-NC (62.6)
#189 - Pittsfield, MA (62.5)
#190 - Battle Creek, MI (62.4)
#191 - Visalia-Porterville, CA (62.4)
#192 - East Stroudsburg, PA (62.4)
#193 - Kingsport-Bristol-Bristol, TN-VA (62.3)
#194 - Winston-Salem, NC (62.3)
#195 - Sherman-Denison, TX (62)
#196 - Nashville-Davidson--Murfreesboro--Franklin, TN (61.9)
#197 - El Centro, CA (61.9)
#198 - Jacksonville, NC (61.9)
#199 - Alexandria, LA (61.7)
#200 - Fort Wayne, IN (61.3)
#201 - Kalamazoo-Portage, MI (61.2)
#202 - South Bend-Mishawaka, IN-MI (61.1)
#203 - Tulsa, OK (60.8)
#204 - Sumter, SC (60.5)
#205 - Las Cruces, NM (60.2)
#206 - Ashtabula, OH (60.1)
#207 - York-Hanover, PA (60)
#208 - Albany, OR (60)
#209 - Champaign-Urbana, IL (59.9)
#210 - Cincinnati, OH-KY-IN (59.6)
#211 - Boise City, ID (59.5)
#212 - Missoula, MT (59.5)
#213 - Wooster, OH (59.4)
#214 - Dunn, NC (59.3)
#215 - Salisbury, MD-DE (59.1)
#216 - Omaha-Council Bluffs, NE-IA (59.1)
#217 - Eureka-Arcata-Fortuna, CA (58.7)
#218 - Elizabethtown-Fort Knox, KY (58.6)
#219 - Anchorage, AK (58.3)
#220 - Elkhart-Goshen, IN (58.2)
#221 - Jackson, MI (58)
#222 - Hagerstown-Martinsburg, MD-WV (58)
#223 - Pittsburgh, PA (58)
#224 - Pine Bluff, AR (57.9)
#225 - Providence-Warwick, RI-MA (57.8)
#226 - Gadsden, AL (57.5)
#227 - Lafayette, LA (57.4)
#228 - Iowa City, IA (57)
#229 - Barnstable Town, MA (57)
#230 - Waco, TX (57)
#231 - Springfield, MO (56.8)
#232 - Springfield, IL (56.6)
#233 - Worcester, MA-CT (56.6)
#234 - Anniston-Oxford-Jacksonville, AL (56.5)
#235 - Kingston, NY (56.4)
#236 - College Station-Bryan, TX (56.4)
#237 - Lubbock, TX (56.4)
#238 - Hanford-Corcoran, CA (56.2)
#239 - Cleveland, TN (56.1)
#240 - Monroe, LA (56.1)
#241 - Longview, TX (56)
#242 - Salt Lake City, UT (55.9)
#243 - Canton-Massillon, OH (55.9)
#244 - Louisville/Jefferson County, KY-IN (55.8)
#245 - Lexington-Fayette, KY (55.5)
#246 - Lima, OH (55.5)
#247 - Lansing-East Lansing, MI (55.4)
#248 - Peoria, IL (55.1)
#249 - Decatur, IL (55.1)
#250 - Erie, PA (54.9)
#251 - Clarksville, TN-KY (54.9)
#252 - Grand Rapids-Wyoming, MI (54.8)
#253 - Bloomington, IL (54.8)
#254 - Weirton-Steubenville, WV-OH (54.6)
#255 - Kennewick-Richland, WA (54.5)
#256 - Roanoke, VA (54.1)
#257 - Buffalo-Cheektowaga-Niagara Falls, NY (54.1)
#258 - Des Moines-West Des Moines, IA (54.1)
#259 - Lebanon, PA (53.9)
#260 - Williamsport, PA (53.4)
#261 - Harrisburg-Carlisle, PA (53.3)
#262 - Bellingham, WA (53.2)
#263 - Fort Smith, AR-OK (53.1)
#264 - Norwich-New London, CT (52.9)
#265 - Albany-Schenectady-Troy, NY (52.8)
#266 - Morristown, TN (52.7)
#267 - Winchester, VA-WV (52.2)
#268 - Daphne-Fairhope-Foley, AL (52.1)
#269 - Bay City, MI (52)
#270 - Longview, WA (51.8)
#271 - Salem, OR (51.4)
#272 - Lawrence, KS (51.4)
#273 - Meridian, MS (51.2)
#274 - St. Joseph, MO-KS (51)
#275 - Texarkana, TX-AR (50.9)
#276 - Wichita Falls, TX (50.9)
#277 - London, KY (50.6)
#278 - Ogden-Clearfield, UT (50.1)
#279 - Hickory-Lenoir-Morganton, NC (50.1)
#280 - Billings, MT (49.7)
#281 - Lincoln, NE (49.6)
#282 - Manchester-Nashua, NH (49.4)
#283 - Coeur d'Alene, ID (49.1)
#284 - Charlottesville, VA (48.9)
#285 - Mount Vernon-Anacortes, WA (48.8)
#286 - Jefferson City, MO (48.7)
#287 - Jackson, TN (48.5)
#288 - Michigan City-La Porte, IN (48.4)
#289 - Syracuse, NY (48.3)
#290 - Chambersburg-Waynesboro, PA (48.1)
#291 - Cookeville, TN Micropolitan (48.1)
#292 - Lafayette-West Lafayette, IN (48.1)
#293 - Janesville-Beloit, WI (48)
#294 - Logan, UT-ID (47.8)
#295 - Evansville, IN-KY (47.8)
#296 - Bluefield, WV-VA (47.5)
#297 - Knoxville, TN (47.3)
#298 - Whitewater-Elkhorn, WI (47)
#299 - Rochester, MN (46.9)
#300 - Torrington, CT (46.9)
#301 - Sheboygan, WI (46.8)
#302 - Claremont-Lebanon, NH-VT (46.7)
#303 - Davenport-Moline-Rock Island, IA-IL (46.6)
#304 - Lake Charles, LA (46.6)
#305 - Lancaster, PA (46.6)
#306 - Pottsville, PA Micropolitan (46.5)
#307 - Johnson City, TN (46.3)
#308 - Danville, VA (46)
#309 - Carbondale-Marion, IL (45.8)
#310 - Tupelo, MS (45.5)
#311 - Springfield, OH (44.8)
#312 - Provo-Orem, UT (44.8)
#313 - Roseburg, OR (44.6)
#314 - Joplin, MO (44.4)
#315 - Fayetteville-Springdale-Rogers, AR-MO (44.3)
#316 - Decatur, AL (44.2)
#317 - Abilene, TX (44.2)
#318 - Huntington-Ashland, WV-KY-OH (44.1)
#319 - Morgantown, WV (43.9)
#320 - Sioux City, IA-NE-SD (43.9)
#321 - Johnstown, PA (43.8)
#322 - Cedar Rapids, IA (43.8)
#323 - Eugene, OR (43.8)
#324 - Grand Junction, CO (43.6)
#325 - Salem, OH (43.6)
#326 - Mansfield, OH (43.4)
#327 - Blacksburg-Christiansburg-Radford, VA (43.2)
#328 - Jamestown-Dunkirk-Fredonia, NY (43)
#329 - Portland-South Portland, ME (42.8)
#330 - Idaho Falls, ID (42.8)
#331 - Kahului-Wailuku-Lahaina, HI (42.6)
#332 - Cumberland, MD-WV (42.6)
#333 - Fond du Lac, WI (42.3)
#334 - Wheeling, WV-OH (41.9)
#335 - Glens Falls, NY (41.9)
#336 - Wenatchee, WA (41.5)
#337 - Gettysburg, PA (41.4)
#338 - Traverse City, MI (41.2)
#339 - La Crosse-Onalaska, WI-MN (41.1)
#340 - Sioux Falls, SD (40.7)
#341 - Columbia, MO (40.6)
#342 - Watertown-Fort Drum, NY (40.4)
#343 - San Angelo, TX (40.2)
#344 - Rapid City, SD (40.1)
#345 - Owensboro, KY (40.1)
#346 - St. George, UT (39.1)
#347 - Binghamton, NY (38.9)
#348 - Tullahoma-Manchester, TN (38.9)
#349 - Bloomington, IN (38.9)
#350 - Green Bay, WI (38.9)
#351 - Terre Haute, IN (38.9)
#352 - Urban Honolulu, HI (38.8)
#353 - Utica-Rome, NY (38.7)
#354 - Ithaca, NY (38.4)
#355 - Muncie, IN (38.2)
#356 - Burlington-South Burlington, VT (37.9)
#357 - Florence-Muscle Shoals, AL (36.7)
#358 - Eau Claire, WI (36.6)
#359 - Ottawa-Peru, IL (36.2)
#360 - Bowling Green, KY (35.9)
#361 - Holland, MI (35.9)
#362 - Appleton, WI (35.9)
#363 - Hilo, HI (35.7)
#364 - Lewiston-Auburn, ME (34.4)
#365 - Oshkosh-Neenah, WI (33.5)
#366 - Staunton-Waynesboro, VA (32.9)
#367 - Waterloo-Cedar Falls, IA (32.8)
#368 - Ogdensburg-Massena, NY (32.2)
#369 - Fargo, ND-MN (32.1)
#370 - St. Cloud, MN (31.7)
#371 - Bangor, ME (31.2)
#372 - Farmington, NM (30.8)
#373 - Altoona, PA (30.7)
#374 - Harrisonburg, VA (29.5)
#375 - State College, PA (29.2)
#376 - Augusta-Waterville, ME (28.7)
#377 - Bismarck, ND (27.9)

AMERICAN EXPRESS'S NEW PHISHING CRIMINAL BRINGS GAME!
March 20, 2014, 9:55 am

Every time I start to think that I've seen everything with regard to phishing, the criminals shake things up and get me excited again. Today I have to say the American Express phishers are bringing their A game to the table again. While there are several different groups of phishers attacking most financial institutions, the criminals behind this particular attack are at least showing some creativity.

Let's take a look at the spam message first. We had two primary spam subject lines for this campaign. On March 17, 2014 the Malcovery Spam Data Mine gathered:

468 copies = Subject: Important: Personal Security Key
290 copies = Subject: Irregular card activity

The messages were BEAUTIFUL! Here's one:

[image: the American Express-branded spam message]

Isn't that gorgeous? Every single link in that email is actually just another copy of the phishing URL. No matter what you click on, the phishing process starts. And what a process it is!
Just in the samples that we had at Malcovery Security, we saw 574 distinct URLs on 77 different web hosts! (The full list is available as amex.urls.txt.)

THE AMEX PHISHING PAYLOAD

Why am I writing about this three days later? BECAUSE THE PHISH IS STILL LIVE! Just a few minutes ago, I revisited one URL per web host and found that 40 of the 77 servers were still delivering the payload. What was the payload? Here's a sample from one of those 40 sites:

> A small box containing the words "Connecting to server..." appears, but in the background, the machine is trying to pull content from these scripts (defanged below):
>
> (script) src equals http://theblazingfiddles.com/responsive/rhone.js
> (script) src equals http://haus-an-der-treene.de/irrigated/bewaring.js
> (script) src equals http://qualifyformedi-cal.com/mortician/amicably.js
> (script) src equals http://ufofurniture.com.au/curries/searchlights.js

But actually, between the 40 sites I was able to access this morning (March 20, 2014), there were a total of 38 redirectors!
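As an added example (not the author's or Malcovery's code) of how a defender can triage a landing page like this offline: the script below pulls the external script tags the page loads, keeps one URL per host the way the post revisited one URL per web host, and flags any fetched script body that forwards the browser by rewriting document.location. Every hostname and script body in it is a constructed stand-in under the reserved .example domain, not a host from this campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins (reserved .example names, not the hosts in the post):
# a landing page like the "Connecting to server..." box the post describes,
# plus the bodies of two scripts it loads, fetched out of band.
LANDING_HOST = "compromised-site.example"
SAMPLE_LANDING_HTML = """<html><body>
<div id="box">Connecting to server...</div>
<script src="http://redirector-one.example/responsive/rhone.js"></script>
<script type="text/javascript" src='https://redirector-two.example/irrigated/bewaring.js'></script>
<script src="/static/jquery.js"></script>
<script src="http://redirector-one.example/other/copy.js"></script>
</body></html>"""
SAMPLE_REDIRECTOR_JS = 'document.location = "http://phish-landing.example/americanexpress/";'
SAMPLE_BENIGN_JS = "var x = window.location.href; console.log(x);"

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Assignments to (document|window|self|top).location[.href] and location.replace(...)
LOCATION_ASSIGN_RE = re.compile(
    r"""(?:document|window|self|top)\.location(?:\.href)?\s*=\s*["']([^"']+)["']"""
)
LOCATION_REPLACE_RE = re.compile(r"""location\.replace\(\s*["']([^"']+)["']\s*\)""")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def external_script_urls(html, page_host):
    """Script src URLs that point at a host other than the page itself."""
    urls = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = host_of(src)
        if host and host != page_host.lower():  # relative srcs have no host
            urls.append(src)
    return urls


def one_url_per_host(urls):
    """Keep the first URL seen for each host, as the post did when re-checking."""
    first_seen = {}
    for url in urls:
        first_seen.setdefault(host_of(url), url)
    return list(first_seen.values())


def redirect_targets(js):
    """Destinations a script forwards the browser to by rewriting location."""
    return LOCATION_ASSIGN_RE.findall(js) + LOCATION_REPLACE_RE.findall(js)


def triage(html, page_host, script_bodies):
    """Map each external script host to the hosts its body redirects to.

    script_bodies is {script_url: js_text}; nothing is fetched here.
    """
    chain = {}
    for url in one_url_per_host(external_script_urls(html, page_host)):
        targets = redirect_targets(script_bodies.get(url, ""))
        chain[host_of(url)] = {
            "script": url,
            "redirects_to": sorted({host_of(t) for t in targets}),
        }
    return chain


if __name__ == "__main__":
    urls = external_script_urls(SAMPLE_LANDING_HTML, LANDING_HOST)
    bodies = {urls[0]: SAMPLE_REDIRECTOR_JS, urls[1]: SAMPLE_BENIGN_JS}
    for host, info in triage(SAMPLE_LANDING_HTML, LANDING_HOST, bodies).items():
        print(host, "->", info["redirects_to"] or "no redirect found")
```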
Each of those redirector scripts actually does a "document.location" to forward you to the actual phishing page, which was hosted on five different URLs:

hxxp: (slash) (slash) e4business.net (slash) americanexpress (slash)
hxxp: (slash) (slash) paitoanderson.com:8080 (slash) americanexpress (slash)
hxxp: (slash) (slash) advisorbuysell.com (slash) americanexpress (slash)
hxxp: (slash) (slash) advisor-connect.info (slash) americanexpress (slash)
hxxp: (slash) (slash) 173.246.103.84 (slash) americanexpress (slash)

THE PHISH ITSELF

Here's a walk-through of the five-page phish.

[image: phishing page 1]
[image: phishing page 2]
[image: phishing page 3]
[image: phishing page 4]

(Each of those three pages actually had this footer on the bottom! Good to see they included a link to the Fraud page at AmEx!)

[image: the footer with the AmEx Fraud link]

When you were finished, you got a friendly thank you . . .
letting you know your certificate was all set up . . .

[image: the thank-you page]

and then got forwarded to the real AmEx page:

[image: the genuine American Express site]

THE CARDER.SU INDICTMENT: UNITED STATES V. KILOBIT ET AL.
April 10, 2014, 11:15 pm

Today the U.S. government unsealed its indictment against fifty-five members of the Carder.su carding forum. We wrote about Carder.su before on this blog, back in March 2009, when a rival gang was trying to call attention to Carder.su by sending out spam advertising the site (see: Carders do battle through spam - carder.su). No wonder they were jealous! Today's indictment shows the Carder.su guys performed over $50 Million in fraudulent charges!

Named in the indictment were 39 individuals, all charged under the "General Allegations" with Count One (Participate in a Racketeer Influenced Corrupt Organization [RICO]) and Count Two (Conspiracy to Engage in a Racketeer Influenced Corrupt Organization). The whole group is described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of counterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere."
Here's the list (name, AKA list, counts charged):

Roman Zolotarev | Admin, Support | 1-2, 19
Konstantin Lopatin | Graf | 1-2, 33, 44, 47
Alexander Kostyukov * | Temp, KLBS | 1-2, 3-17
Maceo Boozer III | XXXSimone, G4, El Padrino, Mr. Right, MRDC87 | 1-2, 3-17
Tin-Yueng Wong | Ray Wong, Ray | 1-2, 3-17
Edward Montecalvo * | N1ghtmare, Tenure44 | 1-2, 3-17, 22-55
Yu Feng Wang | Ibatistuta | 1-2
Mohamed Amr Mahmoud | Amr Mahmoud, CC--Trader, Kengza | 1-2, 20, 22-55
Jermaine Smith | SirCharlie57, FairBusinessman | 1-2, 61-62
Makyl Haggerty | Wave | 1-2
Aladelola Teslim Ajayi | Bank Manager, Document Manager, Corey | 1-2, 61-62
Alexandru Ion | AbagnaleFrank | 1-2
Jordan Georgievski | Devica | 1-2
Roman Seleznev | Track2, Bulba, NCUX | 1-2, 22-55
Qasir Mukhtar | Caliber | 1-2, 56-60
Roy Ayad | Rabie Ayad, Patistota | 1-2, 22-55
Mina Morris | Source | 1-2, 22-55
Rachid Idaali | C4rd3r | 1-2, 22-55
Liridon Musliu | Bowl | 1-2, 22-55
Sergei Litvinenko | Dorbik, Matad0r | 2
Michael Lofton | Killit, Lofeazy | 1-2, 3-17
Shiyang Gou | CDER | 1-2, 3-17
David Ray Camez | Badman, DoctorSex | 1-2, 3-17
Cameron Harrison | Kilobit | 1-2, 3-17
Aleksandar Besarovic | Qiller | 1-2, 3-17
Duvaughn Butler | Mackmann | 1-2, 21, 61-62
Fredrick Thomas | 1Stunna | 1-2
John Doe 1 | Senna071 | 1-2, 3-17
John Doe 2 | Morfiy | 1-2, 3-17
John Doe 3 | Gruber | 1-2, 18
John Doe 4 | Maxxtro | 1-2
John Doe 5 | Elit3 | 1-2
John Doe 6 | Fozzy | 1-2, 22-55
John Doe 7 | Vitrum, Lermentov | 1-2, 22-55
Andrei Bolovan | Panther, Euphoric, Darkmth | 1-2, 22-55
John Doe 8 | TM | 1-2, 22-55
John Doe 9 | Zo0mer, Deputat | 1-2, 22-55
John Doe 10 | Centurion | 1-2, 22-55
John Doe 11 | Consigliori | 1-2, 61-62

While it is true that many carders are Russian, several folks on this list reside in the United States. This case, which DHS ICE calls "Operation: Open Market", has already seen 19 arrested in the United States, primarily in Las Vegas, where LOFTON, CAMEZ, BUTLER, LAMB, and VERGNETTI were arrested. (Some of those arrested are indicted separately and do not appear above.) KOSTYUKOV was arrested in Miami at his home at 1100 Washington Avenue, Miami Beach.
(He sent a letter to the judge asking for his property back, including his hookah pipe and his Dr. Dre Beats headphones.)

KOSTYUKOV, 27, was arrested in Miami, Florida.
Boozer, 23, was arrested in Detroit, Michigan.
Montecalvo, 20, was arrested in Morgantown, WV.
Jermaine Smith, 31, was arrested in Newark, NJ.
Makyl Haggerty, 22, lived in San Francisco.
Qasir Mukhtar, 27, in New York.
Shiyang Gou, 27, in New York.
Cameron Harrison, 25, in Augusta, GA.
Fredrick Thomas, 31, in Orlando, FL.
Omar Butt, 28, in New York.
Bill Steffey, 33, in Sacramento.
Jason Maclaskey, 32, (at large?)
Derek Carder, 38, Sacramento.
Robert Kephart, 38, Sacramento.
Heather Dale, 21, Springfield, Orlando.
Herbert Morrell, 50, Orlando.
Roger Grodesky, 49, Warren, Ohio.
John Holsheimer, 53, San Diego.

David Ray Camez, a Nevada resident, for example, was convicted and was due to be sentenced today. (You may enjoy reading his Forfeiture document, which includes ATM machines, PVC card embossers, dozens of phones and computers, as well as printers, cameras, and video games.) Camez was already serving a seven-year sentence in the State of Arizona for fraud charges he was convicted of there. Back in 2012, ICE agents announced that they had arrested 19 in the US in an operation called "Operation: Open Market."

The full fifty-one page indictment, originally introduced in court on January 10, 2012, and finally unsealed April 10, 2014, goes on to describe additional charges and activities, sometimes in great detail. The case against "Defendant 24, Cameron Harrison, AKA Kilobit" is being tried in Las Vegas, Nevada as CASE #: 2:12-cr-00004-APG-GWF-24. The event that triggered the unsealing of the indictment was that Cameron Harrison pleaded guilty, WITHOUT BENEFIT OF A PLEA AGREEMENT! His guilty plea runs nineteen pages.
In addition to Count One and Count Two above, Cameron pleaded guilty to Count Sixteen: Trafficking in and Production of False Identification Documents and Aiding and Abetting, in violation of 18 U.S.C. § 1028(a)(1), (b)(1)(A)(ii), and (c)(3) and 18 U.S.C. § 2.

The Sentencing Guidelines that the prosecution is asking for are HUGE, because they describe the "Total amount of actual loss involved in the offense as $50,893,166.35", which adds +24 to the Sentencing Guidelines just for the financial losses!

Base Offense Level = 7
+24 (offense involved more than $50 Million of actual loss)
+6 (offense involved more than 250 victims)
+2 (offense involved receiving stolen property and the defendant was a person in the business of receiving and selling stolen property)
+2 (fraud committed from outside the US, involving a sophisticated means)
+2 (fraud involving possession of device-making equipment and trafficking in unauthorized and counterfeit access devices)
-3 (Acceptance of Responsibility)
Total Offense Level = 40

Restitutions that are declared in the Plea include:

American Express = $3,299,210.90
Discover Financial Services = $2,202,429.00
Master Card = $15,496,221.00
Visa Inc. = $29,895,305.45
Total = $50,895,305.45

Because this is a RICO case, EACH member of the Conspiracy can be found responsible for the full restitution. The Indictment requests that each have $20 million of their assets seized to help cover the costs. (Most have nowhere near that amount, of course...)

ROLES OF THE DEFENDANTS

Despite the news headlines being about Kilobit (Cameron Harrison) today, Harrison was only a "Member" of the board. Far more important members are listed below by their roles on the various Carder.su websites.

Administrator = "Roman ZOLOTAREV was the head of Carder.su. As the head of the governing council, the administrator handles day to day management decisions of the organization, as well as long-term strategic planning for its continued viability.
Zolotarev was the leader of the enterprise, appointing moderators, and directing other members and associates of the enterprise in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. In addition, ZOLOTAREV:

* determines which individuals can become and remain members of the Carder.su organization.
* regulates the functions, responsibilities, and levels of access to information accorded to each member.
* bestows the rewards accorded members for their loyalty to the Carder.su organization, and sets the punishments to be meted out to members evidencing disloyalty to the organization.
* decides when, how, and under what circumstances to attack and to retaliate against members of rival criminal organizations and their associated Internet website forums.
* has full access to, and privileges on, the computer servers hosting the Carder.su organization's websites.
* has ultimate responsibility for the administration, maintenance, anonymity and security of the Carder.su organization's computer servers.

Moderators = Konstantin LOPATIN and MAXXTRO

These defendants act as leaders of the enterprise, directing other members and associates in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. Moderators are members of the Carder.su organization's governing council. They oversee and manage one or more subject-matter-specific areas on the Carder.su organization's websites. Their jobs included assisting Zolotarev by:

* monitoring and policing websites by editing and deleting members' posts and mediating disputes among members.
* serving as Reviewers for products or services offered through the enterprise in areas where they have expertise.

Both LOPATIN and MAXXTRO possessed at least 15 counterfeit or unauthorized access devices.

Reviewers

Members are allowed to sell contraband, including counterfeit documents, stolen bank accounts, and credit card information.
Reviewers examine and test products and services that members wish to advertise and sell on the websites. A favorable review is a prerequisite to selling contraband. Any member can be appointed to do a review, although they are usually done by Moderators or the Administrator.

Vendors

Vendors advertise and sell products, services, and other contraband after receiving a favorable review. Vendors among the defendants included:

Alexander KOSTYUKOV (Temp / Klbs) is a vendor of cashout services. Cashout vendors remove funds from bank and credit card accounts and receive a fee of between 45% and 62% of the funds received.

Maceo BOOZER (XXXSimone / G4 / El Padrino / Mr. Right / mrdc87) is a vendor of dumps. "Dumps" are stolen credit and debit card account data. They sold for between $15 and $150 per card, depending on the quantity purchased and the geographic location. United States cards are least expensive, and European cards are most expensive.

Ray WONG is a vendor of counterfeit plastic, a device-making implement used to produce counterfeit credit cards. WONG sold blank counterfeit plastic cards for $20 to $25 each, with a minimum order of 50 cards. Embossed counterfeit cards were $65 to $75 each, with a minimum order of ten. Wong was also a vendor of dumps.

MONTECALVO (N1ghtmare / Tenure44) is a vendor of dumps, but also offered a dump checking service. He had the ability to validate a card against a real financial institution.

Yu Feng WANG (Ibatistuta) is a vendor of counterfeit cards, counterfeit holograms, and signature panels used to manufacture counterfeit credit cards. He sold blanks for $10-$15 each.

Mohamed Amr Mahmoud (AMR Mahmoud / CC--Trader / Kengza) is a vendor of CVV. While dumps are magnetic card stripe reads, CVVs are all of the account holder information, such as name, DOB, SSN, address, telephone number, mother's maiden name, and the CVV2 code from the back of the card. MAHMOUD also sold PayPal accounts, Fullz (all of the above plus expiration date and PIN), and Enroll/COBs. The latter included all of the previous data, as well as the username and password for the account's online access. Depending on the online balance, he would charge $140 to $200 per account.

Jermaine SMITH (Sircharlie57 / Fairbusinessman) is a vendor of plastic and counterfeit cards.

Makyl HAGGERTY (Wave) is a vendor of counterfeit identification documents and counterfeit cards. He sold counterfeit driver's licenses for between $100 and $200 each, depending on state, including CA, TX, WI, OH, RI, NV, PA, IL, FL, LA, AZ, HA, SC, GA, NJ, as well as BC Canada. He also sold blank counterfeit plastics and embossed cards.

Aladelola Teslim AJAYI is a vendor of counterfeit identification documents, stolen corporate account information, dumps, and counterfeit credit cards.

Alexandru ION (Abagnalefrank) is a vendor of dumps. He sells 100 mixed Visa and Master Card accounts for $1,500 or 100 AmEx cards for $1,000.

Jordan GEORGIEVSKI is a vendor of counterfeit credit cards and blank plastic, as well as embossed cards for $75 each.

Roman SELEZNEV (Track2 / Bulba / Neux) is a vendor of dumps. He sold very large volumes of product through an automated website where members could load their desired cards into a shopping cart. Accounts sold for $20 each.

Qasir MUKHTAR (Caliber) is a vendor of counterfeit plastics, holograms, and signature panels.

Roy AYAD (Rabie Ayad / Patistota) is a vendor of CVVs, selling through an automated website.

Mina MORRIS (Source) is a vendor of dumps. Morris had an automated website to sell dumps.

Rachid IDAALI (C4rd3r) is a vendor of Fullz.

Liridon MUSLIU (Bowl) is a vendor of CVVs.

Sergei Litvinenko (Dorbik / Matad0r) is a vendor of bulletproof hosting services and infrastructure for criminal websites. These are ISPs that allow criminals to run illegal websites used for phishing, carding forums, or dump sites.

GRUBER is a vendor of counterfeit identification documents, including driver's licenses ranging from $150 to $200 each.

ELIT3 is a vendor of Fullz. He also sells Enroll/COBs.

FOZZY is a vendor of dumps ranging from $12 to $100 each, depending on quantity and location.

VITRUM (Lermentov) is a vendor of dumps.

Andrei BOLOVAN (Panther / Euphoric / Darkmth) is a vendor of dumps.

TM is a vendor of dumps and CVVs, which he sells to members through an automated website.

Zo0mer (Deputat) is a vendor of stolen PayPal accounts, proxies, Fullz, credit card checking and information lookups.

CENTURION is a vendor of dumps.

CONSIGLIORI is a vendor of dumps and blank plastic.

Members

Members must successfully pass a number of security features intended to keep out law enforcement and rival criminal organizations. Teams use a number of Carder.su websites as "virtual clubhouses" to gather with other members in order to share information, solicit and recruit other members, and achieve the common objectives of the enterprise.
Members charged in this conspiracy include:

Michael LOFTON (Killit / Lofeazy)
Shiyang GOU (Cder)
David Ray CAMEZ (Bad Man / DoctorSex)
Cameron HARRISON (Kilobit)
Alexsandar BESAROVIC (Qiller)
Duvaughn BUTLER (Mackmann)
Fredrick THOMAS (1STunna)
SENNa071
MORFIY

THE CHARGES

Counts One and Two given above deal with Racketeering:

COUNT ONE:
Acts 1 through 15 - Unlawful Trafficking In and Production of False Identification Documents
Acts 16, 17, 19 - Attempt to Unlawfully Produce False Identification Documents
Acts 18, 20, 21 - Conspiracy to Unlawfully Produce False Identification Documents
Act 22 - Conspiracy to Unlawfully Transfer False Identification Documents
Act 23 - Possession of Document-Making Implements
Act 24 - Conspiracy to Unlawfully Transfer, Possess, and Use a Means of Identification

RACKETEERING ACTS 25 through 36 - Acts of Wire Fraud by MAXXTRO, MAHMOUD, HARRISON, ELIT3, LOFTON, THOMAS, MAHMOUD, ION, AYAD

RACKETEERING ACTS INVOLVING COUNTERFEIT AND UNAUTHORIZED ACCESS DEVICES
Act 37 - Using and Trafficking in Unauthorized Access Devices
Acts 38 through 97 - Possession of 15 or more Unauthorized Access Devices
Acts 98 through 103 - Trafficking In and Possessing Access Device-Making Equipment
Acts 104 through 109 - Conspiracy to Traffic In and Possess Access Device-Making Equipment

COUNT TWO: Dealing with General Allegations from November 22, 2005 through June 2011.
Counts Three Through Seventeen - Trafficking in and Production of False Identification Documents
Count Eighteen - Attempting to Unlawfully Produce False Identification Documents, Aiding and Abetting
Count Nineteen - Conspiracy to Unlawfully Transfer False Identification Documents
Count Twenty - Unlawful Transfer, Possession and Use of a Means of Identification, Aiding and Abetting
Count Twenty-One - Trafficking in and Use of Counterfeit and Unauthorized Access Devices, Aiding and Abetting
Counts Twenty-Two through Fifty-Five - Possession of Fifteen or More Counterfeit and Unauthorized Access Devices, Aiding and Abetting
Counts Fifty-Six through Sixty - Trafficking In and Possessing Access Device-Making Equipment; Aiding and Abetting
Counts Sixty-One and Sixty-Two - Conspiracy to Traffic In and Possess Access Device-Making Equipment

PHISHERS, FRAMESETS, AND GROCERY SURVEYS
April 11, 2014, 11:35 am

Like most criminals, or let's face it, most programmers, phishers are lazy. They like to be able to create one website and have it live for an extended period of time. Unfortunately for them, victim companies either smash new phishing sites as fast as they can, or they hire companies to do it for them. At Malcovery Security we concentrate on INTELLIGENCE rather than takedown, so our focus is on understanding what the sites can teach us about the criminal behind the attack, and how the many attacks against your brand are related to each other and to attacks against other brands.

A friend of ours shared a link to a website today that was imitating Centra, a convenience and grocery chain throughout Ireland.

[image: the Centra survey phishing page]

The accompanying spam message promises that they will pay us 150 Euros just for taking their survey!
For the convenience of the consumer, rather than having to wait for a check (cheque) in the mail, you can just enter all of your Credit Card information, and your Date of Birth and some other personal details, and they'll deposit the money right into your credit account! As we looked at the log files, we found an interesting fact. NONE of the more than 900 visitors to the website had visited the site DIRECTLY. They were all being referred from other URLs. This is our indicator that the spam messages did NOT contain a link to the domain shown above. Instead, they were pointing at websites with Chinese domain names! ... [10/Apr/2014:01:06:08 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:07:46 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:07:52 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:08:28 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:08:51 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:09:14 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:09:24 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:09:28 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:09:42 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:09:45 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:09:55 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:10:27 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html [10/Apr/2014:01:10:31 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html ... 
[11/Apr/2014:00:46:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:58:02 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:06:46 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:16:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:18:38 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:18:48 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:23:23 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:25:27 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:25:49 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
...

When we look at the websites on "asp.sti.com.cn" and "www.jctz.cn" we see that both of them actually consist ONLY of a FrameSet that sends the visitor to the location of the CENTRA phish. The logs ALSO reveal that another brand is being hosted on the same server!

...
[10/Apr/2014:05:19:16 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:03 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:09 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:28:47 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:30:31 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:37:56 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:48:45 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:50:27 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:53:44 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:57:39 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
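The two observations above (no direct visits at all, and every hit referred from a page that is nothing but a frameset) are worth checking by script rather than by eye when a phish server's logs are in hand. The following is an added Python example, not code from the original post or from Malcovery: it parses the trimmed log shape shown in the excerpts (timestamp, method, path, referrer; a direct visit is assumed to carry "-" or no referrer field at all), counts direct versus referred arrivals, groups arrivals by referrer host, flags hosts that behave like single-purpose redirectors, and pulls the frame target out of a fetched redirector page. The log lines and the redirector HTML are constructed for the example; the hostnames in the sample log are the ones the post names, and phish-host.example stands in for the phish server.

```python
"""Added example (not from the post): referrer analysis over the trimmed
access-log shape shown above, plus extraction of the frame target from a
frameset-only redirector page."""
import re
from collections import Counter, defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Trimmed line shape: "[dd/Mon/yyyy:HH:MM:SS METHOD /path referrer".
# Assumption: a direct visit shows "-" or has no referrer field at all.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\s\]]+)\]?\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)(?:\s+(?P<ref>\S+))?\s*$")

# Constructed sample lines; hosts are the ones named in the post, timings are made up.
SAMPLE_LOG = """\
[10/Apr/2014:01:06:08 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:46 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:19:16 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:03 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:46:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:50:00 GET /Centra/centra/ -
[11/Apr/2014:00:51:12 GET /wps/woolworths/ -
"""

# Constructed redirector page; phish-host.example stands in for the phish server.
SAMPLE_REDIRECTOR_HTML = """<html><head><title>Survey</title></head>
<frameset rows="100%"><frame src="http://phish-host.example/Centra/centra/" frameborder="0">
</frameset></html>"""


def parse_line(line):
    """Return {ts, method, path, referrer_host} or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    host = urlsplit(ref).hostname if ref and ref != "-" else None
    return {"ts": m.group("ts"), "method": m.group("method"),
            "path": m.group("path"), "referrer_host": host}


def summarize(log_text):
    """Count direct vs. referred hits and map each referrer host to the landing paths it fed."""
    total = direct = 0
    by_host, paths_by_host = Counter(), defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        total += 1
        if rec["referrer_host"] is None:
            direct += 1
        else:
            by_host[rec["referrer_host"]] += 1
            paths_by_host[rec["referrer_host"]].add(rec["path"])
    return {"total": total, "direct": direct, "by_host": by_host,
            "paths_by_host": {h: sorted(p) for h, p in paths_by_host.items()}}


def redirector_candidates(summary, min_hits=2):
    """Hosts that sent at least min_hits visitors, always to one landing path:
    from the phish server's side that is what a single-purpose frameset page looks like."""
    return sorted(h for h, n in summary["by_host"].items()
                  if n >= min_hits and len(summary["paths_by_host"][h]) == 1)


class _FrameFinder(HTMLParser):
    """Collect frame/iframe src values and count any tag a bare frameset page would not have."""
    WRAPPER_TAGS = {"html", "head", "title", "meta", "frameset", "noframes", "body"}

    def __init__(self):
        super().__init__()
        self.frame_srcs, self.other_tags = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            self.frame_srcs.append(dict(attrs).get("src"))
        elif tag not in self.WRAPPER_TAGS:
            self.other_tags += 1


def frameset_target(html):
    """If the page is nothing but a frameset wrapper, return the one URL it loads; else None."""
    p = _FrameFinder()
    p.feed(html)
    return p.frame_srcs[0] if len(p.frame_srcs) == 1 and p.other_tags == 0 else None


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} requests, {s['direct']} direct, {s['total'] - s['direct']} referred")
    for host, n in s["by_host"].most_common():
        print(f"  {n:4d}  {host:<16s} -> {', '.join(s['paths_by_host'][host])}")
    print("redirector candidates:", redirector_candidates(s))
    print("frame target:", frameset_target(SAMPLE_REDIRECTOR_HTML))
```

On a real log, feed the full file to summarize() and look at the hosts that survive redirector_candidates(): fetching each of them and passing the body through frameset_target() confirms whether the site is a genuine referrer or, as here, a throwaway frameset whose only job is to hide the phish URL from the spam filter. A zero in the "direct" count is the post's indicator that the spam never linked to the phish domain at all.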
Since most of the time when I'm in the UK I am running dawn to dusk in meetings, Tesco is the only store I've actually ever shopped in, since there is one on every street corner in London. The phishers have correctly updated their currency to use Pounds instead of Euros: "TESCO Supermarkets will add £150 credit to your account just for taking part in our quick survey." Other than that, this is the same phish! And, as with the other, the URL actually advertised in the spam campaign is hosted in China and does nothing but load the phish page through a FRAME SRC pointing at this server.

Remnants in the logs make it seem likely that this phisher has also targeted Woolworths (there are many 404 messages in the very early part of the phish for paths containing /wps/woolworths/). Very likely this is a throwback to the Woolworths phish from 2012. (Woolworths is a food chain in Australia; they got so many of these scams that they did television news announcements warning about it - see for example the Scam Alert segment on A Current Affair, November 2012.) Those spam messages looked like this:

> Subject: Customer Satisfaction Survey! Win 150$
>
> Congratulations!
>
> You have been selected by Woolworths Online Department to take part in our quick and easy reward survey. In return we will credit $150 to your account - Just for your time!
>
> Helping us better understand how our members feel, benefits everyone.
>
> With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous. No part of it is handed down to any third party groups. It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.
>
> To access the form, please click on the link below :

--------------------------------------------------------------------------------

ZEUS CRIMINALS CHARGED IN OMAHA, NEBRASKA
April 12, 2014, 10:10 am

Legal documents analyzed below are available at the bottom of this DOJ article: Nine Charged in Conspiracy to Steal Millions of Dollars using Zeus Malware.

We've talked about Zeus in this blog for many years, including some good arrests, such as Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested. But we now have names for the ring leaders of the biggest Zeus case of all time, Operation Trident BreACH. We knew the aliases of the ring leaders publicly thanks to Microsoft's work back in 2012 (see Microsoft DCU, FS-ISAC and NACHA vs. Zeus), but who were these mystery men, tank and petr0vich? Now we know ... more anyway ...

Two Ukrainian members of the Jabber Zeus gang stood in federal court in Omaha, Nebraska last week to plead "Not Guilty" after being extradited from the UK. Yuriy Konovalenko and Yevhen Kulibaba are among the nine people listed in the indictments that have been sealed since August of 2012. The list of defendants is:

* Vyacheslav Igorevich Penchukov, AKA tank, AKA father
* Ivan Viktorvich Klepikov, AKA petr0vich, AKA nowhere
* Alexey Dmitrievich Bron, AKA thehead
* Alexey Tikonov, AKA kusanagi
* Yevhen Kulibaba, AKA jonni
* Yuriy Konovalenko, AKA jtk0
* John Doe #1, AKA lucky12345
* John Doe #2, AKA aqua
* John Doe #3, AKA mricq

DOJ is still seeking four of the named criminals, and still has not publicly acknowledged the names of the three John Does. If you have information on these, please reach out to the FBI!
Tank == Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.

Petr0vich == Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.

TheHead == Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as WebMoney.

Kusanagi == Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new code to compromise banking systems.

Although jonni is only now coming to trial in the United States, the Metropolitan Police of London arrested Kulibaba and his wife Karina Kostromina back in October of 2011, as we learned from KrebsOnSecurity in the article ZeuS Trojan Gang Faces Justice. Yuriy Konovalenko, AKA Pavel Klikov, was also in custody in the UK and was "due to be sentenced" according to Krebs' article.

Many of the crimes covered in this indictment are well known to us already, largely due to the work of journalist Brian Krebs. While Krebs was still at the Washington Post writing his Security Fix column, he made Zeus a household name.

Selected Victims:

* Bank of America
* Bullitt County, Kentucky (Security Fix, Brian Krebs, July 2009) -- Bullitt County had $415,000 stolen from their accounts after being infected by Zeus.
* Doll Distributing of Des Moines, Iowa
* First Federal Savings Bank of Elizabethtown, Kentucky
* Franciscan Sisters of Chicago (Homewood, Illinois)
* Husker AG, LLC of Plainview, Nebraska
* Key Bank of Sylvania, Ohio
* ODAT LLC, d/b/a Air Treatment Company
* Parago, Inc of Lewisville, TX
* Salisbury Bank & Trust of Salisbury, MA
* Town of Egremont, Mass
* Union Bank and Trust of Lincoln, Nebraska
* Union Bankshares of Ruther Glen, VA
* United Dairy, Inc of Martins Ferry, OH

The version of Zeus at the heart of this investigation communicated stolen credentials to a server located on the IP address 66.199.248.195 at Ezzi.net in Brooklyn, NY. An FBI Agent interviewed Mohammed Salim in September 2009, who confirmed that the server in question, called the Incomeet server, was custom built for a Russian company, "IP-Server Ltd" in Moscow, whose POC was "Alexey S." Extensive chat logs were recovered from the server under four separate search warrants - September 28, 2009, December 9, 2009, March 17, 2010, and May 21, 2010. Those chat logs showed the criminals discussing their conspiracy, including many instances of the criminals trading login credentials for bank accounts. Those chats also showed that the criminals closely follow Brian Krebs! Tank and Aqua are shown discussing his Bullitt County article linked above and saying "They laid out the entire scheme! I'm really pissed! They exposed the entire deal!"

Doll Distributing had $59,222 stolen from them on two occasions. Those wire transfers went to "Pandora Service, LLC" and to "Kodash Consulting." FBI Agents interviewed Heidi Nelson and Renee Michelli, the proprietors of those organizations, who had believed they were acting as "financial agents" for a Russian software company. In other words, they were money mules.

All of the victims named above were discussed in the chat logs by the criminals charged in this case. I especially enjoyed learning how TANK was identified by name.
In the chat, on July 22, 2009, he announced that his daughter, Miloslava, had been born and gave her birth weight. A search of Ukrainian birth records showed only one girl named Miloslava with that birth weight born on that day. Her father was Vyacheslav Igorevich Penchukov. This was enough to seize the computers from Tank's home, which confirmed it was the same person!

Petr0vich was discovered because of mentions of the email address "theklutch@gmail.com" in the chat logs. Gmail was subpoenaed for records on this account, which showed that "92.242.127.198" had been used to log in to it at least 790 times. The secondary email for the account, "petr0vich@ua.fm", was given when the account was created on November 24, 2004. Several other IP addresses were used to log in to both the petr0vich jabber account on the Incomeet server and the Gmail account, including 209.160.22.135. Similar techniques were then used to find the computers located at those IP addresses. Ivan Viktorovich Klepikov was found to be living in Donetsk, Ukraine.

TheHead stated his real name in the chat, and gave his gmail account as "alexey.bron@gmail.com". He was telling the truth.

Kusanagi gave a phone number in the chat, and investigators found that phone number on a public webpage where Alexey Tikonov's real name and contact information were given. He lived in Tomsk, Russia. He also used his Kusanagi identity to post videos, and WHOIS information related to where those videos were hosted confirmed his location.

Jonni and Jtk0 were identified by Detective Sergeant Simon Williams of the Metropolitan Police of London.

We'll talk more about this case in another post soon . . .
--------------------------------------------------------------------------------

MULTI-BRAND FRENCH PHISHER USES EDF GROUP FOR ID THEFT
April 28, 2014, 7:54 am

At the end of January last year, French power company EDF advised the public that they were seeing a significant rise in the number of phishing complaints they were receiving from their customers. An example story in English from The Connexion, EDF customers hit in 'phishing' scam, says that an EDF spokesperson reported that beginning in August of 2012 they were seeing 20,000 customers per month complaining about the phish, and that by January 2013 it had risen to as many as 40,000 customers per month. As many as 200 to 300 new phishing sites per month were being created at that time.

This week Malcovery is noticing that the EDF phish are back, with a twist! The current EDF phish are asking for documents with an enormous value for identity theft and are targeting many different French banks with the information.

Zooming in on the data requested by a currently live phishing site, we see typical information: Email, Password, Title, Name, Address, City, Postal Code, and Date of Birth. While EDF has world-wide operations, a large number of their tens of millions of utility customers are in France. The email they receive is likely to be the same one seen in France last year, which advises:

> Votre paîement a été refusée par votre établissement bancaire. […] Pour éviter la pénalités de retard, nous vous donnant la possibilité de payer en ligne en utilisant votre carte bancaire.

(or in English: "Your payment was declined by your bank ... To avoid late fees, we give you the option to pay online using your credit card.")
After providing the basic information, they are prompted to choose which bank issued the credit card they will be using to pay their bill. The choices are:

Axa Banque
Banque populaire
BNP
Bred
Caisse d'epargne
Credit agricole
Credit mutual
Credit du nord
CIC
HSBC
Societe generale
La banque postale
LCL
Autres

They then enter their credit card information. The most interesting part of the phish, however, is what comes next! The phishers then tell them that in order to prove they are really in charge of this account, they must upload at least two forms of proof of identity:

* Identity Card
* Credit Card
* A copy of a Bank statement
* An invoice proving the address

Whichever documents I attempted to upload, it kept insisting that I needed to upload additional documents.

Although this case is most accurately described as an EDF phish, there are actually thirteen targeted banks, and an unlimited number of forms of identity theft that could occur if some victim were to provide all of the requested information. Just another example of how the phishers use FEAR (an unpaid utility bill that could result in termination of service) to steal our credit card information!

--------------------------------------------------------------------------------

BLACKSHADES RAT LEADS TO 97 ARRESTS IN 16 COUNTRIES
May 22, 2014, 4:34 am

On May 19, 2014, the FBI announced a worldwide coordinated action against criminals who created, sold, and used a Remote Administration Trojan (RAT) known as BlackShades. In the FBI's BlackShades Press Release they shared that 40 participating FBI Field Offices had conducted 100 interviews, executed more than 100 e-mail and physical search warrants and seized more than 1,900 domains used by BlackShades to control victims' computers.
[Image from FBI.gov]

The case actually was a spin-off from another major international operation called "Operation Card Shop" that we wrote about in April 2012 (see SOCA & FBI seize 36 Criminal Credit Card Stores). As law enforcement reviewed the seized websites from that case, they began to realize the extent of the role of the BlackShades RAT in the theft of credit card information, and also that the operation was much larger than they had at first believed. One of those arrested during Operation Card Shop was Michael Hogue, one of the co-authors of Blackshades, who agreed to cooperate in unveiling the rest of the BlackShades operation.

BLACKSHADES AND MISS TEEN USA

For many Americans, the first time they heard of Blackshades was in the case of Miss Teen USA 2013, Cassidy Wolf. In that case, Blackshades customer Jared James Abrahams, a 20-year-old college student, used Blackshades to begin capturing video from Cassidy's webcam. The victim, unaware that the webcam is even recording, goes about her business, including dressing and undressing. Like most teens, having a laptop on in the bedroom is not unusual, and after capturing some nude images, Abrahams attempted to extort additional videos in exchange for not releasing the first images to Cassidy's friends on Facebook.

But Blackshades is able to do so much more than capture an occasional nude image! While most commonly used for good old fashioned credential and credit card theft, Blackshades has also been used to infiltrate Syrian rebel computers, as first reported by the EFF and with many more details shared by MalwareBytes.

BLACKSHADES CO-CREATORS HOGUE AND YÜCEL

Michael Hogue, who used the hacker name xVisceral, was originally arrested in Tucson, Arizona as part of a group of arrests announced by Preet Bharara, the US Attorney in the Southern District of New York, on June 26, 2012 as part of the follow-up to Card Shop.
In addition to xVisceral/Hogue, that sweep grabbed up 404myth (Christian Cangeopol of Lawrenceville, Georgia), Cubby (Mark Caparelli of San Diego, California), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, New York), JoshTheGod (Mir Islam of Manhattan, New York), IwearaMAGNUM (Peter Ketchum of Pittsfield, Massachusetts), and theboner1 (Steven Hansen, who was already in jail in Wisconsin), as well as 13 others in the UK (6), Bosnia (2), Bulgaria (1), Norway (1), and Germany. (See: Manhattan U.S. Attorney and FBI Assistant Director in Charge Announce 24 Arrests in Eight Countries as Part of International Cyber Crime Takedown.)

For a fascinating "how I became a hacker" biography interview, please see The Rise and Fall of xVisceral, which details how as a 17 year old Halo player xVisceral was first introduced to hacking as a way to cheat other Halo players, and gives a detailed history of how this led to ever-more-advanced hacking tools and ultimately the creation of Blackshades. (The original source is currently unavailable; what is linked is an archived copy of the article.)

The charges against Hogue (filed January 9, 2013) say that "Michael Hogue a/k/a xVisceral, the defendant, and others known and unknown, willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking in violation of Title 18, USC, Section 1030(a)(5)(A)."
It was part of the conspiracy that Hogue and others "did cause the transmission of a program, information, code and command, and as a result of such conduct, would and did intentionally cause damage without authorization, to a protected computer, which would and did cause damage affecting 10 and more protected computers during a one-year period, in violation of Title 18, USC Sections 1030(a)(5)(A), 1030(c)(4)(B)(i), and (c)(4)(A)(i)(VI), to wit, HOGUE used malware to infect computers and sold that malware to others, enabling them to infect and remotely control victims' computers."

Like most RATs, once a victim has been tricked into clicking on the installer, the RAT is controlled by connecting back to a server used for that purpose. The FBI was able to learn considerably more about the person being described as the "co-creator" of BlackShades, Alex YÜCEL (also spelled Alex Yucel, Alex Yucle, Alex Yuecel), AKA marjinz, AKA Victor Soltan, by tracking one of his servers as they investigated the various domains used to host the servers for the malware. In one case, Alex contacted a company to lease certain computers for this purpose (November 8, 2012), paying for them on January 30, 2013. On March 18, 2013, he sent email requesting tech support due to a problem with his servers. Alex was the administrator of "www.blackshades.ru" and "www.bshades.eu". Alex is a 24 year old citizen of Sweden, arrested in Moldova and awaiting extradition to the United States.

Symantec actually has an interesting screenshot from 2011 where Hogue claims to be resigning from Blackshades and turning full control over to "marjinz", in a post shared in their article from June 2012 when Hogue was first arrested. The fact that so many "script kiddie" hackers use Hack Forums may be part of why Blackshades was so popular:
(Source: www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested)

A SAMPLE CUSTOMER: KBELLO

A look at the criminal complaint against one of his customers may be revealing. Kyle Fedorek (aka kbello) was charged May 15, 2014 in the Southern District of New York. On September 12, 2012, kbello purchased a copy of Blackshades over the Internet. An undercover FBI agent in New York had also purchased the software, on June 30, 2010, from the same source. The FBI used this criminal complaint to document the scope and abilities of Blackshades. Between September 12, 2012 and March 2014, kbello acquired "thousands" of credit card numbers and financial account numbers through hacking using the RAT.

According to the criminal complaint, the FBI agent described Blackshades as giving the hacker "free rein to, among other things, access and view documents, photographs and other files on the victim's computer, record all of the keystrokes entered on the victim's keyboard, steal the passwords to the victim's online accounts, and even activate the victim's web camera to spy on the victim -- all of which could be done without the victim's knowledge."

The FBI's investigation has shown that the RAT was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide. After kbello purchased his copy of the RAT, it was used against at least 400 victims, and was also part of a suite of additional malware that he installed on the victims' computers.

After a victim was infected, the hacker could activate the "Spreader" module on that victim's computer, which would use that victim's chat programs (AOL/AIM, ICQ, MSN) and any USB devices attached to the computer to attempt to infect others. Other modules of the program allowed the hacker to encrypt files on the system and display a ransomware message demanding that payment be sent to decrypt them.
The message could be customized per victim, or the same message could be sent to many victims. Many other modules were available, including password stealers, webcam capture tools, DDoS attack tools, and others.

Records from the primary Blackshades server indicate that the program, which often sold for as little as $40 per copy, had generated $350,000 in direct sales between September 2010 and April 2014. When a purchase was made, the purchasing hacker would establish a domain name that he or she would use as their main "controlling" domain. A custom build of the software was then generated whose infected hosts would only report to that domain. The logs on the server indicate there were at least 6,000 Blackshades customer accounts for users in 100 countries, and that at least 1,900 domain names had been registered by customers to control infected computers. All 1,900 of these domains have been seized by the FBI, cutting the RAT operators off from the infected computers.

In February 2013, the FBI obtained a warrant to search the email account "blackshadessupport@hotmail.com", which Yucel used to communicate with the employees who offered technical support and administered his various infrastructure. The search revealed many email communications requesting customer support and also contained copies of receipts sent to customers for various products and services offered by the Blackshades organization. This search warrant revealed a home address in Stony Point, New York for Kyle Fedorek, from when he purchased "Blackshades Remote Controller (R.A.T.) for 40.00 USD". The seized Blackshades server also provided the information that kbello had registered the hostnames "kbella.zapto.org" and "kbello.zapto.org" as his controllers. The IP address to which these names resolved in April and May of 2013 was subscribed to at the Fedorek residence.
In a subsequent search warrant, executed March 6, 2014, agents seized a laptop from the bedroom of Kyle Fedorek, where the username of the laptop was Kyle, and recovered a copy of the Blackshades RAT. The RAT was configured to run the "Form Grabber" (stealing any information victims typed into a web form, such as a userid and password prompt on a banking website). At least 400 victims had unwittingly provided information to Fedorek through this form grabber. The laptop also was being used to run other malware schemes, including CARBERP, Andromeda, and Citadel, and had evidence of having been used to create phishing sites as well. DDoS tools and SQL injection tools were also present. More than 9,000 sets of userids and passwords and 50,000 sets of credit card information were found on the laptop.

THE UK'S NATIONAL CRIME AGENCY

The UK's National Crime Agency (NCA, formerly SOCA) issued their own press release (see Unprecedented UK Operation aids global strike against Blackshades malware), indicating that 17 Blackshades customers were apprehended in the UK and that their records suggested that at least 200,000 worldwide victims had their information harvested by Blackshades customers in the UK.

EUROJUST

The European Union's Judicial Cooperation Unit in The Hague also issued a press release (see International operation hits Blackshades users). They indicated that at least 359 "house searches" were carried out worldwide and that 97 people had been arrested. 1,100 data storage devices had been seized in those searches, including computers, mobile phones, external hard drives, and USB memory sticks, in addition to "substantial quantities" of cash, illegal firearms, and drugs.

DUTCH HIGH TECH CRIME TEAM

The Dutch High Tech Crime Team was able to secure a server in Delft operated by an 18 year old Blackshades customer.
One of their most high-profile Blackshades customers was a 19 year old man who was controlling more than 2,000 webcams being used to capture photos and videos of female victims. The Dutch police seized 96 computers and laptops, 18 mobile phones, and 87 USB sticks and hard drives during searches of 34 residences. (See: 34 Dutch homes raided in worldwide crackdown on hacking software. Dutch High Tech Crime statement: www.om.nl/actueel/nieuwsberichten/@162701/wereldwijde-actie/)

--------------------------------------------------------------------------------

A SOCIAL FACEBOOK PHISH - IS YOUR FRIEND ACTING STRANGE?
May 29, 2014, 6:53 pm

I'm always proud when my students do a great write-up on a new attack, and doubly so when that analysis comes from my nephew, Chris Warner! Chris was logged in to Facebook today when one of his friends started chatting with him. It was pretty obvious to Chris that his friend had been the victim of an Account Takeover (ATO) and that he was really chatting with a criminal who was inviting him to visit a Facebook phishing site. Chris gathered up an evidence package and submitted it to IC3.gov with his analysis prior to contacting me. With his permission, I'm sharing what he saw (editing his friend's identity out for her privacy).

--------------------------------------------------------------------------------

Original URL user sees is of the format:

http://(USER FIRST NAME)-photos.uglyfacebookpeople,commm

URL is intentionally messed up, presumably to avoid detection by Facebook systems.

URL redirects to http://accounts.login.userid.266765.facebooclk.com/lp/fbn/?next=http%3A%2F%2F%2videos%2F%3AJ%4ID%1A

Action file is security.php

Following the action file results in visiting accounts.login.userid.497031.facebooclk.com/blam/

Which directs you to a "Flash Player Update" site that I assume is a virus.
http://198.52.200.49/install_flashplayer13x32_mssd_aaa_aih.ex

There are other files that were on the site, but it is down now.

WHOIS INFO (SAME FOR FACEBOOCLK.COM AND UGLYFACEBOOKPEOPLE.COM):

Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: DI_36635864
Registrant Name: Dave Brider
Registrant Organization: none
Registrant Street: 505 45th st
Registrant City: new york
Registrant State/Province: New York
Registrant Postal Code: 10003
Registrant Country: US
Registrant Phone: +1.6463392283
Registrant Email: yogurtman7@mail.com
Registry Admin ID: DI_36635864
Admin Name: Dave Brider
Admin Organization: none
Admin Street: 505 45th st
Admin City: new york
Admin State/Province: New York
Admin Postal Code: 10003
Admin Country: US
Admin Phone: +1.6463392283
Admin Email: yogurtman7@mail.com

Happy hunting!
--Chris Warner

--------------------------------------------------------------------------------

Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!

--------------------------------------------------------------------------------

IS THE GAME OVER FOR GAMEOVER ZEUS?
June 2, 2014, 9:44 pm

Several weeks ago law enforcement friends in Pittsburgh started asking people not to publish anything too public about GameOver Zeus. When we asked why, we got a teasing "You'll see!" Now our ISP friends that were participating in the effort are grinning ear to ear, as we may actually have a chance to disrupt Zeus in a meaningful way. Being a legal geek, I was excited to have the documents published on the main Justice website today at www.justice.gov/opa/gameover-zeus.html. The Complaint against Evgeniy Mikhailovich Bogachev, aka Slavik, aka Pollingsoon, was unsealed in the court where the Pittsburgh FBI led the investigation into CryptoLocker and GameOver Zeus.
In addition to Bogachev, charges are filed against several aliases of as-yet-unidentified hackers: "Temp Special", "Ded", Chingiz (aka Chingiz 911), and Mr.KyKyPyKy. The Complaint charges that "Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed $100 million."

Some of the specific cases mentioned in the complaint include:

* A composite materials company in the Western District of Pennsylvania which lost more than $198,000 from its bank account using credentials stolen by the Defendants through the use of GOZ. (The Pittsburgh indictment shares more details, telling us this was Haysite Reinforced Plastics, whose PNC Bank account was fraudulently accessed in October 2011 after they clicked on a NACHA email informing them their ACH payment had failed. Their money was sent to a mule account in the name of Lynch Enterprises, LLC, at SunTrust Bank in Atlanta, Georgia. They also transferred $175,756.91 to an account belonging to R&R Jewelers, and ATTEMPTED six additional transfers, all on October 20, 2011. The money in the SunTrust account was quickly moved on ($99,822 of it, anyway) to an HSBC account in London.)
* An Indian tribe in Washington - $277,000
* A corporation managing assisted living facilities in Pennsylvania - $190,800
* A regional bank in Northern Florida - $7 Million

CryptoLocker is described separately as having "first emerged in mid-to-late 2013" and infected "more than 230,000 computers, including more than 120,000 in the United States." Just between October 15, 2013 and December 18, 2013, we know that $27 million in ransom payments were made, just by tracking the ransom payments made using Bitcoin!
The charges in the criminal complaint are:

Count I: Wire fraud: 18 USC Section 1343 - "Having devised a scheme or artifice to defraud and for obtaining money by means of false or fraudulent pretenses and transmitting and causing to be transmitted by means of wire communications in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice."

Count II: Bank Fraud: 18 USC Section 1344 - "knowingly executing a scheme or artifice to defraud financial institutions insured by the FDIC and to obtain moneys under the custody and control of these institutions by means of false and fraudulent pretenses and representations."

Count III: Unauthorized interception of electronic communications: 18 USC Section 2511 - "intentionally intercepting electronic communications, and intentionally using and endeavoring to use the contents of the electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications."

All of which, according to 18 USC Section 1345(a) and (b), allows Injunctive Relief to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers.

An FBI Pittsburgh cyber agent, the affiant in the 28 page Application for Temporary Restraining Order, recounts that while the largest known single wire transfer was a $6.9 million wire, fraudulent wires in the amount of $1 million were "very common." A single bank experienced 11 fraudulent wires, with six being for more than $950,000 and the largest being $2 million!

The GOZ affidavit mentions a few email addresses: Bogachev uses bollinger.evgeniy@yandex.ru as one email address, while Chingiz 911 uses charajiang16@gmail.com. Seeing the nickname "Ded" as one of the members of the gang, I can't help but recall "Ded Pixto", the nickname of Stanislav Avdeiko, the Koobface malware author.

So how will this "takedown" actually work?
First, some hard work by a couple of genius malware reverse engineers at Dell SecureWorks and CrowdStrike helped the Pittsburgh FBI agent to understand the current Command & Control infrastructure so it could be rendered harmless. The problem, though, is that both GOZ and CryptoLocker have a built-in backup plan in the form of a Domain Generation Algorithm (DGA). The job of a DGA is to allow the botmaster to IN THE FUTURE reconnect to his bots using infrastructure that neither the bots nor the botmaster have even created yet. A formula is used to calculate a domain name based on a timestamp. So, if NONE of the hard-coded IP addresses can be reached, the bot will look up the current date and begin "guessing" domains that the criminal may have registered in order to update the bot with new hard-coded addresses. As an example, on July 1, 2014, CryptoLocker will try to connect to 1,000 domains: twelve-letter pseudorandom labels spread across the .com, .net, .biz, .ru, .org, .co.uk and .info TLDs.

The Temporary Restraining Order (TRO) seeks an Order that:

1) directs four U.S. based internet domain Registries to block access to around 900 PAGES of domain names, seemingly the "future" list of DGA-generated domain names for CryptoLocker and GOZ. The GameOver Zeus domains are listed in Appendix A while the CryptoLocker domains are listed in Appendix B. Because ICANN only has jurisdiction over the Generic TLDs, this approach doesn't work for the ".ru" domains. CryptoLocker also uses ".co.uk" domains, so one would hope that the British government has asked for a similar favor from their counterpart registries.
The four Registries in the US were VeriSign, Inc., representing .com and .net; Neustar, Inc., representing .biz; Afilias USA, Inc., representing .info; and Public Interest Registry, representing .org. Appendix A contains 25,937 domains for GameOver Zeus, arranged in ten columns: three columns of domains on each of pages 1-69, 70-138 and 139-207, and then a single column on pages 208 to 276. That works out to seven columns of 2594 domains and three columns of 2593 domains, or 25,937 domains for GameOver Zeus. Appendix B has six columns on pp. 1-176, six on pp. 177-352, and then six columns of various lengths from page 353 to the end of the 704-page document, for a total of 130,421 domains for CryptoLocker. Afilias, Neustar, VeriSign, and Public Interest Registry are ordered to redirect all of those 156,000 or so domains to the nameservers ns1.kratosdns.net and ns2.kratosdns.net, preventing the criminals from using those domains to re-establish control of their botnet.

2) directs the twenty largest ISPs in America to not allow access from their networks to the .RU domains that the DGA can make, as the .RU domains are not under ICANN control. The ISPs named here are: Cablevision, AT&T, Cox, Comcast, Mediacom, AOL, Frontier, Sprint, Time Warner Cable, Verizon, Charter, CenturyLink, Suddenlink, Wide Open West, Windstream, Level 3, Armstrong Group of Companies, Bright House, Earthlink, and NTT America. Those ISPs are forbidden to allow traffic to the .ru domains listed in Appendix C.

3) redirects all traffic intended for one of those domains to .gov controlled servers, and

4) seeks a Pen Register/Trap and Trace Order that would gather information about the nodes directed to those replacement boxes, and share that information back to the ISPs and victims to help them protect themselves.
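To make the two-pronged mechanism concrete (a date-driven DGA, a pre-computed "future list", registry sinkholing for generic TLDs versus ISP blocking for .ru), here is an added example that is not part of the original post or the court filings. The DGA below is a stand-in (SHA-256 of date plus counter), not the real CryptoLocker or GameOver Zeus algorithm; the TLD mix follows the post's July 1, 2014 sample, the sinkhole nameserver names are the ones the order names, and every query is constructed.

```python
"""Toy model of the DGA and TRO mechanics described in the post.

The generator is a STAND-IN, not the CryptoLocker/GOZ algorithm; only the
shape (12-letter labels, the TLD mix, one list per day) follows the post.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# TLD mix from the post's July 1, 2014 sample. Only the generic TLDs sit
# under the four US registries the order addresses; .ru is handled by
# the named ISPs and .co.uk by nobody in the US order.
TLDS = ("com", "net", "biz", "ru", "org", "co.uk", "info")
US_REGISTRY_TLDS = {"com", "net", "biz", "org", "info"}
SINKHOLE_NS = ("ns1.kratosdns.net", "ns2.kratosdns.net")  # named in the order


def toy_dga(day_iso: str, count: int = 1000) -> list[str]:
    """Return `count` deterministic 12-letter domains for the day YYYY-MM-DD.

    Stand-in formula: SHA-256(YYYYMMDD || counter), first 12 bytes mapped
    onto a-z. Bot and botmaster only need to share the formula and the
    date to agree on the list, which is what makes a DGA a recoverable
    back channel when the hard-coded peers are gone.
    """
    seed = date.fromisoformat(day_iso).strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def future_list(start_iso: str, days: int) -> dict[str, str]:
    """Pre-compute the names for a window of days, the way the TRO's
    appendices enumerate domains before anyone has registered them.
    Maps domain -> the day it becomes live."""
    start = date.fromisoformat(start_iso)
    table: dict[str, str] = {}
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        for dom in toy_dga(day):
            table[dom] = day
    return table


def disposition(domain: str, table: dict[str, str]) -> str:
    """What the order does with a lookup for `domain`.

    generic TLD on the list -> registry points it at the sinkhole NS
    .ru on the list         -> the named ISPs block it (outside ICANN)
    .co.uk on the list      -> uncovered by the US order
    not on the list         -> ordinary resolution
    """
    if domain not in table:
        return "resolve"
    tld = domain.split(".", 1)[1]
    if tld in US_REGISTRY_TLDS:
        return f"sinkhole:{SINKHOLE_NS[0]}"
    if tld == "ru":
        return "isp-block"
    return "uncovered"


def triage_queries(queries: list[str], table: dict[str, str]) -> dict[str, str]:
    """Map each queried name (e.g. from a resolver log) to its disposition.
    Names are lower-cased and stripped of a trailing dot before lookup."""
    result = {}
    for q in queries:
        name = q.lower().rstrip(".")
        result[name] = disposition(name, table)
    return result


if __name__ == "__main__":
    window = future_list("2014-07-01", 3)
    sample = toy_dga("2014-07-01")
    # Constructed query log: a .com, a .ru and a .co.uk DGA name plus a benign name.
    log = [sample[0], sample[3], sample[5], "www.example.com."]
    for name, action in triage_queries(log, window).items():
        print(f"{name:32} {action}")
```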
This "Dialing, Routing, Addressing, and Signaling" data (called DRAS in telephone-legalese) is to be turned over to the government so that attempts can be made to clean up these victims' computers. In cooperation with these efforts, McAfee is providing their "Stinger" program to be used by any victims to clean and remove GameOver Zeus or CryptoLocker infections.

All of that is now in play ... it is too early to tell if the game is really over, but best of luck and congratulations to the fine agents and CCIPS lawyers who made this possible!

MALCOVERY EXAMINES GAMEOVER ZEUS

June 5, 2014, 11:32 am

WHAT IS THIS GRAPHIC ABOUT? READ ON, GENTLE READER!

MALCOVERY: EMAIL BASED THREAT INTELLIGENCE AND GAMEOVER ZEUS

At Malcovery Security we have become EXTREMELY familiar with GameOver Zeus. Our malware analysts create multiple reports each day documenting the top Email-based threats, and as the FBI's news releases (covered earlier this week in this blog; see Is it GameOver for GameOver Zeus?) document, the criminals behind GameOver Zeus have been devastatingly thorough in compromising computers. Unlike some sandboxes, when Malcovery reports on a piece of malware, we actually report on "the activity that would result on a computer compromised by this malware" in a holistic view that we call Contextual Analysis. The goal of Malware Contextual Analysis is to help answer questions like:

* How would one of my users likely be infected by this malware?
* What email subjects or messages may have sent this malware?
* Did that spam campaign deliver other malicious attachments or malicious URLs?
* If one of my users were compromised by this malware, what network activity may result?
* What additional malicious files might be downloaded by a computer compromised with this malware?
* . . .
and other questions, depending on the nature of the malware.

Malcovery's main Malware Threat Intelligence analyst, Brendan Griffin, has shared a special report called The Many Faces of GameOver Zeus that examines many of the ways the malware has been delivered via spam campaigns. In this blog post, I'll be focusing on the prominent IP addresses associated with the "Encrypted Drop" version of GameOver Zeus distribution.

GAMEOVER ZEUS'S ENCRYPTED DROP SITES

Back in February, Malcovery reported that GameOver Zeus was being prominently loaded by means of UPATRE malware downloading an encrypted file from the Internet and then executing that file. (See our post: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.) With GameOver Zeus possibly taking a significant hit due to the coordinated law enforcement and researcher efforts, I wanted to look at the network infrastructure that we have been warning about in our T3 reports, and illustrate how the T3 reports can be used to alert you to activity not just from the current day's malware, but from malware that touches any part of the extensive shared infrastructure of GameOver Zeus. Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different internet locations, get decrypted by the Dropper malware, and execute to begin communicating with the Peer to Peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binary was accessed, is available at the end of this article. Here is a sampling of some of the most recent ones to help understand the process...
For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and a STIX version of the machine-readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic but with whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.

T3: PROTECTION FOR TODAY AND TOMORROW

But how often did we see "re-use" of network infrastructure? We like to say that Malcovery's T3 report, which stands for Today's Top Threat, is really "T3: Protection for Today and Tomorrow". To illustrate this, I did some data mining in Malcovery's Threat Intelligence database.

First, I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...) For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns. I took those IP addresses and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaigns I started with, but 360 distinct spam campaigns!! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest.
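The pivot just described (count campaigns per IP across the seed set, keep IPs seen in ten or more, pull in every campaign touching those IPs, drop campaigns touching only one of them, then group what remains by imitated brand as the next paragraph does) is the kind of query any threat-intel store can answer. Here it is written out as an added example that is not Malcovery's code or data: the campaign records, brands and IP addresses (RFC 5737 placeholder ranges) are constructed, and the resulting counts are not the post's.

```python
"""Infrastructure re-use pivot over a constructed threat-intel database.

Added example; thresholds follow the post (>= 10 campaigns makes an IP
'hot', campaigns touching only one hot IP are culled). Records below are
constructed placeholders, not Malcovery's data.
"""
from __future__ import annotations

from collections import Counter


def build_sample() -> dict[str, dict]:
    """Constructed database: campaign id -> brand imitated, seed flag, IPs contacted."""
    brands = ["HSBC", "NatWest", "Sage", "eFax", "Xerox", "Royal Bank of Scotland"]
    db: dict[str, dict] = {}
    for i in range(12):  # 12 'encrypted drop' seed campaigns
        ips = {"192.0.2.10", "192.0.2.20"}      # peers every seed campaign talked to
        if i % 3 == 0:
            ips.add("198.51.100.5")             # only 4 seeds: stays under threshold
        db[f"seed-{i:02d}"] = {"brand": brands[i % 6], "seed": True, "ips": ips}
    others = [  # campaigns outside the seed set, found later by the pivot
        ("other-01", "RingCentral", {"192.0.2.10", "192.0.2.20"}),      # both hot IPs: kept
        ("other-02", "RingCentral", {"192.0.2.10"}),                    # one hot IP: culled
        ("other-03", "HMRC", {"192.0.2.20", "203.0.113.7"}),            # one hot IP: culled
        ("other-04", "HMRC", {"192.0.2.10", "192.0.2.20", "203.0.113.9"}),  # kept
        ("other-05", "Lloyds Bank", {"203.0.113.7"}),                   # no hot IP: never pulled in
    ]
    for cid, brand, ips in others:
        db[cid] = {"brand": brand, "seed": False, "ips": set(ips)}
    return db


def ip_campaign_counts(db: dict, campaign_ids) -> Counter:
    """Number of distinct campaigns each IP appeared in, over `campaign_ids`."""
    counts: Counter = Counter()
    for cid in campaign_ids:
        counts.update(db[cid]["ips"])  # one set per campaign, so each IP counts once
    return counts


def hot_ips(db: dict, campaign_ids, threshold: int = 10) -> set[str]:
    """IPs seen in at least `threshold` of the given campaigns."""
    return {ip for ip, n in ip_campaign_counts(db, campaign_ids).items() if n >= threshold}


def campaigns_touching(db: dict, ips: set[str]) -> dict[str, set[str]]:
    """Every campaign whose traffic reached any of `ips`, with the subset it hit.
    This is the step that widens the seed set to the whole shared infrastructure."""
    hits = {}
    for cid, rec in db.items():
        shared = rec["ips"] & ips
        if shared:
            hits[cid] = shared
    return hits


def cull_single_touch(hits: dict[str, set[str]]) -> set[str]:
    """Keep only campaigns that touched two or more of the hot IPs."""
    return {cid for cid, shared in hits.items() if len(shared) >= 2}


def group_by_brand(db: dict, campaign_ids) -> dict[str, int]:
    """Brand imitated -> campaign count, most-seen first."""
    groups = Counter(db[cid]["brand"] for cid in campaign_ids)
    return dict(sorted(groups.items(), key=lambda kv: (-kv[1], kv[0])))


def pivot(db: dict, threshold: int = 10) -> dict:
    """Run the whole pivot and return the intermediate sizes for review."""
    seeds = {cid for cid, rec in db.items() if rec["seed"]}
    hot = hot_ips(db, seeds, threshold)
    hits = campaigns_touching(db, hot)
    kept = cull_single_touch(hits)
    return {"seeds": len(seeds), "hot_ips": hot, "expanded": len(hits),
            "kept": len(kept), "by_brand": group_by_brand(db, kept)}


if __name__ == "__main__":
    for key, value in pivot(build_sample()).items():
        print(f"{key}: {value}")
```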
The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.

| Brand Imitated in Spam | # of Campaigns Seen |
| --- | --- |
| Ring Central | 30 |
| HMRC | 15 |
| HSBC | 13 |
| Royal Bank of Scotland | 14 |
| NatWest | 11 |
| eFax | 11 |
| Sage | 10 |
| Lloyds Bank | 8 |
| UK Government Gateway | 8 |
| Xerox | 8 |
| ADP | 6 |
| Companies House | 6 |
| IRS | 6 |
| New Fax | 5 |
| Paypal | 5 |
| Sky | 5 |
| UPS | 5 |
| Amazon | 4 |
| Bank of America | 4 |
| BT.com | 4 |
| Microsoft | 4 |
| QuickBooks | 4 |
| Wells Fargo | 4 |
| WhatsApp | 4 |

I threw the data into IBM's i2 Analyst's Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:

On the left are IP addresses that are owned by Microsoft. They are arranged by netblock, with the size of the computer icon representing how many malware campaigns that IP was linked to. Top to bottom, numerically by netblock, these are from the 23.96 / 23.98 / 137.116 / 137.135 / 138.91 / 168.61 / 168.63 / 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other Peer to Peer chatter for GameOver Zeus.

On the top are IP addresses in APNIC countries (Japan, Hong Kong, China). On the right are IP addresses in ARIN countries (Canada, USA). In the bottom right corner is one LACNIC IP
(Venezuela). And on the bottom are RIPE countries (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria).

The IP addresses on the chart above are also included here in tabular form:

PROMINENT IP ADDRESSES ASSOCIATED WITH GAMEOVER ZEUS AND ASSOCIATED MALWARE
ENCRYPTED GAMEOVER ZEUS URLS SEEN BY MALCOVERY
MICROSOFT, NJRAT, AND NO-IP

June 30, 2014, 11:22 pm

Microsoft's Digital Crimes Unit is claiming their 10th major botnet action, this time targeting the malware known as Bladabindi, or more popularly njRAT, and Jenxcus, better known as H-worm. To do so, Microsoft filed a lawsuit in Nevada against three parties:

* Naser Al Mutairi, a Kuwait City resident known to be the author of njRAT through his various aliases, njq8, xnjq8x, njq8x, and njrat;
* Mohamed Benabdellah, an Algerian living in or near Mila, Algeria, who uses the aliases Houdini, houdinisc, and houdini-fx; and
* Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com, with offices at 5905 South Virginia Street, Suite 200, Reno, Nevada 89502.

The lawsuit is also filed against "John Does 1-500" who are supposedly the 500 principal operators of njRAT and H-Worm malware. (H-Worm is a closely related RAT, likely based off the same source code.) Because they do not yet know the identities of these RAT operators, they are assigned "John Doe" aliases, in hopes that the power of discovery granted by the lawsuit can help to reveal their true identities.

On the other side of this Internet battle is Vitalwerks and their literally millions of service users. Vitalwerks provides the capability to host an Internet service despite the fact that your computer may be using a DHCP-assigned IP address. Normally a webserver has to have a permanently assigned IP address which is listed by a DNS service so that computers on the Internet can find the service you are offering.
With Dynamic DNS services, your computer can link to the service and constantly update its IP address, so that even if your IP changes many times per day, your service users can still find you. In Microsoft's lawsuit, they agree that "Dynamic DNS is a vital part of the Internet because it allows anyone to have a domain name even though they have a changing IP address." Their accusation is found in the next sentence: "However, if not properly managed, a Dynamic DNS service can be susceptible to abuse."

The lawsuit points out that in April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse. In that study, On the Trail of Malicious Dynamic DNS Domains by my friend Dhia Mahjoub, OpenDNS collected resolutions of various Dynamic DNS domains and concluded that during their study some domains, such as "hopto.org", were used for malicious purposes as often as 56% of the time! Other highly malicious domains included:

- hopto.org - 56.71%
- us.to - 49.45%
- myftp.org - 37.50%
- myvnc.com - 33.33%
- myftp.biz - 20.20%
- dlinkddns.com - 12.22%
- no-ip.info - 10.70%
- no-ip.org - 4.57%

The lawsuit also discusses Symantec reporting about the malware being used on No-IP. One such Symantec report is Simple njRAT Fuels Nascent Middle East Cybercrime Scene. (Microsoft doesn't really mention that basically NOBODY calls the malware Bladabindi except Microsoft. Just call it njRAT like everyone else, please!) In that report, from March 2014, Symantec mentions one particular group that infects as many as 4,500 computers per day using their C&C servers at njratmoony.no-ip.biz and nrj.no-ip.biz.

This blogger confirmed firsthand the complaint that is made by No-IP themselves.
Although Microsoft was supposedly going to ensure that "legitimate" No-IP customers were not impacted, for a significant part of the day on June 30, 2014, large portions of the Internet (including three Linux servers that this blogger uses on three separate networks) had no idea how to find the No-IP domains. The nameservers were not propagated in such a way that the changes were seamless.

No-IP's Formal Statement on Microsoft Takedown can be found on their website. In that statement, No-IP claims that "billions of queries" from "millions of innocent users" were dropped "because of Microsoft's attempt to remediate hostnames associated with a few bad actors" and implies that Microsoft did not dedicate enough resources to handle the traffic. The primary purpose of the court orders was in fact to allow Microsoft to take matters into its own hands and filter the traffic for 130 pages' worth (more than 18,000 3LDs) of hostnames that were hosted by No-IP and were associated with criminal activity and malware, primarily related to the two RATs, njRAT and H-Worm.

Of course, on the other side of that is the fact that Microsoft documents that in the past twelve months MORE THAN SEVEN MILLION WINDOWS USERS were impacted by malware hosted on No-IP domains! If someone's infrastructure is routinely abused to harm seven million of your customers, don't you have a right to do something about it? While No-IP can claim that they have an active abuse desk that deals with these complaints, dozens of criminal tutorials would not recommend that you host your malware by setting up a No-IP address, many of which have lived on consistent names for MANY MONTHS (as in the names mentioned in the above Symantec link), unless there was a clear pattern of NOT terminating offending 3LDs (third-level domains).

Cisco's fabulous cybercrime fighter, Levi Gundert, whom I first worked with while he was on the LA Electronic Crimes Task Force as one of the most effective U.S. Secret Service cybercrime agents, and who later worked for Team Cymru, recently wrote a piece for Cisco's blog on Dynamic Detection of Malicious DDNS. Levi says that free DDNS services "check all of the necessary attack boxes" that make the service desirable for criminals. As he explains:

> Free DDNS services, by comparison, check all of the necessary attack boxes. Sub-domains can be quickly and easily
> generated and DNS records are trivially changed. For the remote access Trojan (RAT) crowd that are typically
> attempting to spy on female victims and running servers from home, DDNS is a natural fit. In fact, searching the web
> for tutorials on using freely available RATs like Black Shades, Dark Comet, or Poison Ivy returns results that all
> instruct RAT attackers to first create DDNS sub-domains in order to properly configure the RAT, specifically enabling
> a "back connect" to the attacker. Naturally, one segment of RAT users tend to be less technical, relying on tutorials
> and point and click interfaces to actually launch the RAT, which likely contributes significantly to the overall
> metrics of malicious DDNS use.

Levi provides this graph showing how often Cisco's Cloud Web Security blocks Dynamic DNS third-level domains based on the reputation of that service:

[Graph: Cisco Cloud Web Security block rate by DDNS base domain (source: blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)]

zapto.org, one of the No-IP domains, is blocked 100% of the time by users of Cisco's Cloud Web Security. no-ip.info, no-ip.org, and no-ip.biz are also all blocked between 50% and 100% of the time based on reputation.

Levi next goes on to show, of all the DDNS base domains, "what do the corresponding malware numbers look like for the DDNS domains most abused by threat actors?"
[Graph: malware sample counts for the DDNS base domains most abused by threat actors (source: blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)]

Even after such widespread and published reports of No-IP being used for malware abuse, Microsoft observed no significant change in No-IP's abuse practices, based on the malware analysis it performed. Following the February 2014 Cisco report, Microsoft "continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP."

But that doesn't mean No-IP is not responsive. Brian Krebs reported on this conflict in his article today, Microsoft Darkens 4mm Sites in Malware Fight, where he quotes No-IP's Natalie Gogun as saying that of the 18,000 sites mentioned in the Temporary Restraining Order, only about 2,000 of them were actually still live. Krebs quotes CrowdStrike's Dmitri Alperovitch mentioning that No-IP has always been very responsive, and I've seen the same. In fact, immediately following the Cisco blog above, a member of the No-IP security team was observed by this blogger on a security researcher mailing list asking if anyone could help him get the full list so he could make sure they killed all of the domain names mentioned. (Hi, Kurt!)

The problem here may be the nature of the malware used on these sites. While the security community regularly sees and reports on financial crimes malware, such as Zeus, or malware that has significant and widespread distribution, in most cases njRAT No-IP domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams. In fact, in a review of more than 1,800 recent URLs associated with delivering financial crimes malware observed by Malcovery Security's T3 product, NONE of the No-IP domains were seen to be used. Financial crime malware does not seem to be heavily associated with No-IP.
While njRAT certainly has the capability to be used for more significant crimes (including installing any additional malware desired by the criminals, and famously being used by the Syrian government to spy on the rebels), its primary reputation is as a tool for online perverts. Their typical victims tend to lack the Internet savvy that allows corporate, industry, and government malware victims to report malware victimization to No-IP and receive a response. Sophisticated financial crimes malware criminals are very unlikely to link their malware back to dynamic DNS hosts that they personally control, and are much more likely to use "more permanent" hosting in the form of hacked or leased servers.

The Microsoft complaint mentions YouTube, and we were able to quickly find many similar njRAT tutorials. There were also njRAT groups hosted on Facebook where botmasters were openly trading photographs of victims and offering to "trade slaves" (as they refer to the pretty girls whose webcams they control). We reported three such groups to Facebook Security, who took quick action to kill the groups, which had a combined membership of more than 16,000 users!

Some examples of these creeps' work might help illustrate the type of crimes committed by the typical njRAT botmaster:

Farid shows a screenshot boasting of 200 simultaneously online njRAT victims. [screenshot]

Farid frequently posts photos of his conquests: [screenshot]

Others do the same: [screenshot]

Here's the Before and After of Farid's njRAT group . . . [screenshot] . . . and after we reported the group to Facebook Security . . . [screenshot]

Conclusions? I can't really take sides on this one. Do we need to do something more to help the victims of this kind of malware? Absolutely. Was it necessary to seize 22 domains at No-IP?
I can't argue with Microsoft wanting to prevent infections of more than 7 million Windows victims, but I certainly can understand the great frustration experienced by the No-IP folks.

DISK57.COM, CUTWAIL, AND TEARING DOWN OFFENDING INFRASTRUCTURE
July 8, 2014, 9:37 pm

Sometimes I am so impressed by the things my employees at Malcovery discover as they work through the various email-based threats we process and report about for our customers. Brendan, Wayne, and J evaluate and document hundreds of malware threats each week from our Spam Data Mine and, because of their daily interactions with so much malware, notice patterns that others miss. I've been asking them to be especially mindful of what the Cutwail spammers are moving to next as the GameOver Zeus era moves to a close, and Brendan did a great job of covering that over on the Malcovery Blog in the article How Spammers Are Filling the Gameover Zeus Void.

JUNE 16 - DISK57.COM FIRST SIGHTED

On June 16, 2014, Brendan and the team noticed three spam campaigns that were all pushing the same malware. The email subjects were:

Subject: USPS - Missed package delivery
Subject: You have received a new fax
Subject: Scanned Image from a Xerox WorkCentre

The files attached to those messages included:

- USPS1758369.zip (22,331 bytes) - MD5: 73c4758a84c4a0e24e4f34db69584d26 (VirusTotal results at report time: 3/54)
- Scan.zip (22,329 bytes) - MD5: cbfb3f1e40b30d01f4dda656d7f576e7 (VirusTotal results at report time: 3/54)
- IncomingFax.zip (22,329 bytes) - MD5: 048dcc8c9639d2e8ccea362fdb5f7d3e (VirusTotal results at report time: 3/54)

All three of those .zip files contained the same binary, under the varying names USPS06162014.scr, Scan.scr, and IncomingFax.scr (40,960 bytes) - MD5: 36e264de2cb3321756a511f6c90510f5 (VirusTotal results at report time: 0/54).

By a week later, the detection rate was up to 38 of 46 AV products detecting this as malware, but at the time of the spam campaign only Sophos and K7 had signature-based detection for the malware, though some vendors may have offered other types of protection.

Whichever of the three versions you downloaded, the .scr file was actually a PE executable which would contact the site "disk57.com" in order to "check in" by hitting the file "gate.php" on that server. The Ukrainian server in question, 188.190.117.93 (AS197145, Kharkiv Infium LLC), had been seen previously communicating with malware on March 26 and March 27 using the domain name "malidini.com".

The registry was modified so that a copy of the .scr file (now named as an .exe) would be executed on the next start-up, due to a policy entry located at "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\818107311". This resulted in the download of a 7,200-byte ".mod" file.

MORE DISK57.COM SIGHTINGS

Disk57.com was also used as part of the malware infrastructure for malware samples distributed by the following spam campaigns:

- June 16 - Wells Fargo
- June 17 - USPS
- June 18 - HSBC
- June 18 - Xerox
- June 18 - New Fax
- June 30 - HSBC - Subject: Avis de Paiement
- June 30 - New Fax - Subject: You have received a new fax message
- June 30 - Scanned Document - Subject: Scan de
- July 1 - BanquePopulaire
- July 1 - French government
- July 3 - Xerox
- July 3 - UPS
- July 3 - Wells Fargo

On June 30th, we saw the same technique used as in the June 16th campaigns: three different .zip files, each containing a .scr file that was named differently, but where all samples had the same MD5 hash (MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43 - VirusTotal detection 11/54 at report time).
As on June 16th, executing the .scr file resulted in an exchange with the "gate.php" file on disk57.com at 188.190.117.93, resulting in a 7,200-byte ".mod" file being downloaded. On June 30th, however, this exchange resulted in a copy of the Cutwail binary, b02.exe, being downloaded from jasongraber.com at the path /css/b02.exe (IP 192.64.181.14). b02.exe had a file size of 41,472 bytes - MD5: 84822121b11cce3c8a75f27c1493c6bb, with a VirusTotal report of 2/54 at report time.

UPATRE UPDATED

On July 3rd, spam campaigns imitating Xerox, UPS, and Wells Fargo used this same technique again with the email subjects:

Subject: Scan from a Xerox WorkCentre - seen 1,209 times by Malcovery
Subject: New Fax: # pages - seen 288 times by Malcovery
Subject: IMPORTANT - Confidential documents - seen 88 times by Malcovery
Subject: UPS - Credit Card Billing Adjustment. Ref#(random) - seen 178 times by Malcovery

1,941 messages were sent to our Spam Data Mine from 1,037 different sending IP addresses. The .zip files still contained .scr files that were all the same file size (23,040 bytes) - MD5: 870c63c4420b6f187066a94ef6c56dc6 - VirusTotal report: 1/53 at report time. However, this time three very different URLs were downloaded as a result of the initial click. The downloaded malware behaved almost exactly like the UPATRE samples that were used to distribute the encrypted version of GameOver Zeus that we wrote about back in February. (See: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.)

UPATRE UPDATE

The UPATRE malware that was signature-detected only by Sophos (under the useful name Mal/Generic-S) on July 3rd now has 43 detections at VirusTotal, although most are crap as usual with regard to the usefulness of the names chosen by the vendors: Zbot.LDQ, Trojan/Win32.Zbot (but it clearly isn't Zeus; it's just a tiny downloader, which is what several vendors call it: Trojan.Win32.Tiny.bNKP).
Several other vendors call it Ransomware or Crypto-something-or-other (Trojan-Ransom.Win32.Cryptodef.oq, Win32/Ransom.ABOQAMB, TROJ_CRYPWALL.JER, Trojan.Win32.A.Cryptodef.23040). Only Microsoft called it Upatre (TrojanDownloader:Win32/Upatre.AA), although that is clearly the consensus of the AV analysts we have discussed the sample with.

In this case the job of UPATRE is to download files that CLAIM to be PDF files, "convert/unpack/decrypt" them into .exe files, and then launch those .exe files. Three touches to the OVH (AS16276) IP address 94.23.247.202 resulted in three so-called PDF files being downloaded from repele.net at IP address 82.220.34.132, each with the name "css/agreement.pdf". UPATRE did its magic, converting each of these files into another binary executable:

agreement.pdf = 131,173 bytes - MD5: 354283b80cc9e63d872475175d20f14d
Became CryptoWall encryption ransomware (in our case named 09acd07.exe and located in a directory 09acd07) - 183,296 bytes - MD5: 6238af3e78f3316ea5f0192cb8cf3167 - VirusTotal reports detection of 14/53 at report time. It made connections to three C&C servers:
- vivatsaultppc.com - 194.58.101.96 in Russia (AS39134)
- bolizarsospos.com - 194.58.101.3 in Russia (AS39134)
- covermontislol.com - 31.31.204.59 in Russia (AS12695)

After encrypting files, the victim is shown the following text, with a timer counting down from 168 hours:

> Your files are encrypted. To get the key to decrypt the files you have to pay
> 750 USD/EUR. If payment is not made before 10/07/14 - 15:37 the cost of
> decrypting files will increase 2 times and will be 1500 USD/EUR

(Other files found in that subdirectory included DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and DECRYPT_INSTRUCTION.URL.)

agreement-2.pdf = 51,266 bytes - MD5: 06a16a7701c748467a0b8bc79feb7f35
Became Cutwail spamming botnet malware, mshvsk.exe (random file name) - 39,936 bytes - MD5: c1cc8b5eaf7f25449cfda0c6cd98b553 - VirusTotal reports detection of 1/54 at report time. It then began communications to seven separate C&C servers:
- 91.217.90.125 in Russia (AS48031)
- 93.171.172.129 in Russia (AS29182)
- 93.170.104.81 in Netherlands (AS50245)
- 148.251.94.182 in Germany (AS24940)
- 91.237.198.93 in Russia (AS198681)
- 91.234.33.125 in Ukraine (AS56485)
- 91.221.36.184 in Russia (AS51724 - FLYNET)

agreement-3.pdf = 27,811 bytes - MD5: 19a1986f6fd0f243b02bba6cb77e9522
Became Andromeda botnet malware, gqxse.exe (random file name) - 23,150 bytes - MD5: 8e6c9e794739e67969c6f81a5786d9e7 - VirusTotal reports detection of 0/54. It then called out to disk57.com/gate.php.

WHAT TO DO?

First and foremost, we need to get rid of Cutwail. This will be difficult, as Russia continues to harbor its cyber criminals, allow them to bribe themselves out of prison and into government offices and contracts, and seems to treat their rampant theft of American and European wealth as a form of economic development. In the meantime, we need to begin smashing their infrastructure at every chance we get. Seize the hardware if we can, disable the routing of the traffic if we can't, and DEFINITELY block that infrastructure within our homes and companies! Do yourself and your company a favor by sharing a link to this blog and recommending that your IT Security staff block the addresses shared above. If you live in a country where you can help, please do so!

E-ZPASS SPAM LEADS TO LOCATION AWARE MALWARE
July 8, 2014, 11:33 pm

If you drive in a city with toll roads, you are familiar with the E-Z Pass system.
If you are, you may have been tempted to click on an email that looked like this:

[screenshot of the E-ZPass lure email]

A quick search in the Malcovery Security Spam Data Mine revealed these related emails:

    date    |               subject                 |           sender_name
------------+---------------------------------------+---------------------------------
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Pay for driving on toll road          | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info

But the destination websites are certainly not on E-Z Pass's domains!

          machine          |                               path
---------------------------+-------------------------------------------------------------------
 www.federalparts.com.ar   | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
 www.fiestasnightclub.com  | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
 www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
 www.fleavalley.com        | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
 www.frazeryorke.com       | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
 www.fsp-ugthuelva.org     | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
 www.fyaudit.eu            | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
 www.giedrowicz.pl         | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
 www.gostudy.ca            | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
 www.graphiktec.com        | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
 www.h2oasisinc.com        | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
 www.habicher.eu           | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
 www.grupoancon.com        | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
 www.happymaree.com.au     | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
 www.headspokerfest.com    | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
 www.headspokerfest.com    | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll

When we visit one of the URLs, we are prompted to download a .zip file containing a .exe file. Both are conveniently named for the city and ZIP code from which we are connected. For example:

[screenshot of the download, named for the visitor's city and ZIP code]
When we run this malware, it attempts to make contact with the following C&C locations:

76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080

At Malcovery Security, we've been tracking the ASProx botnet for some time, and most of these IP addresses were already known to belong to it. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, Costco, and BestBuy over the holidays and that sent the court-related malware through the early months of 2014. Whatever it wants to do next, it must do very quietly. Perhaps I'm in the wrong ZIP code for the next steps?

ROMAN SELEZNEV (AKA BULBA, AKA TRACK2, AKA NCUX) APPEARS IN US COURT IN GUAM
July 9, 2014, 9:43 pm

The media is buzzing about the arrest of hacker and stolen credit card vendor Roman Seleznev, who has appeared in court in the US territory of Guam after being arrested in the Maldives. The story is growing into an international diplomatic spat, as a Russian politician and member of the Duma, Valery Seleznev, is the father of the cyber criminal. In a statement from the Russian Foreign Ministry, the Russians accuse the Maldives of ignoring their Bilateral Treaty of 1999 on Mutual Assistance in Criminal Matters. The statement says this is the third recent case of a similar situation, citing the examples of Viktor Bout and K.V. Yaroshenko as other recent cases where the US has forcibly taken a Russian citizen from a third country to stand trial in the United States.
I strongly agree with the statement at the close of their statement, where they "strongly encourage our countrymen to pay attention to the cautions posted by the Russian Foreign Ministry on their website about the risks associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can charge them with any crime."

Who are these others who are mentioned?

Viktor Bout (Виктор Анатольевич Бут) was arrested in Thailand in 2008 and extradited in 2010 to stand trial on terrorism charges for delivering anti-aircraft missiles to FARC in Colombia. He was convicted by a jury in Manhattan. (More from The Guardian.)

Konstantin Yaroshenko was arrested in May 2010 in Liberia as a cocaine-smuggling pilot when he landed his plane in Monrovia, Liberia, and was arrested by the DEA as he tried to negotiate a contract for $4.5 million to deliver 5 tons of cocaine from Colombia to West Africa. Yaroshenko was knowingly working with smugglers who were raising funds for the Colombian terror group FARC. (See the Superseding Indictment.)

While I wouldn't put Seleznev on the same scale as Bout and Yaroshenko, he is definitely not small potatoes either. We wrote about Seleznev as part of the RICO racketeering case against the owners and operators of the Carder.su website (see The Carder.su indictment: United States v. Kilobit et al.), but that was only the first part of Seleznev's trouble. In the Kilobit indictment, the charges are that Seleznev did "Participate in a Racketeer Influenced Corrupt Organization [RICO]" and "Participated in a Conspiracy to Engage in a Racketeer Influenced Corrupt Organization."

The whole group is described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of counterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere."

The important thing to understand about RICO is that as PART OF THE CORRUPT ORGANIZATION all of the charged members are sentenced as if the whole group did all of the crimes. What does that mean to Seleznev? In Las Vegas, Nevada, Seleznev is being charged with being part of a RICO group that is credited with directly causing, in actual measured and aggregated fraudulent transaction losses, $50,893,166.35!!

But before Vegas gets its hands on him, Seleznev will face charges in the Western District of Washington in Case # 2:11-cr-0070-RAJ-1.
In that case, Roman Seleznev, AKA TRACK2, AKA Roman Ivanov, AKA Ruben Samvelich, AKA nCuX, AKA Bulba, AKA bandysli64, AKA smaus, AKA Zagreb, AKA shmak, is charged with:

(Counts 1-5) Bank Fraud - 18:1344 & 2
(6-13) Intentional Damage to a Protected Computer - 18:1030(a)(5)(A) & 1030(c)(4)(B)(i) & 2
(14-21) Obtaining Information From a Protected Computer - 18:1030(a)(2) & 1030(c)(2)(ii) & 2
(22) Possession of Fifteen or More Unauthorized Access Devices - 18:1029(a)(3) & 1029(c)(1)(A)(i) & 2
(23-24) Trafficking in Unauthorized Access Devices - 18:1029(a)(2) & 1029(c)(1)(A)(i) & 2
(25-29) Aggravated Identity Theft - 18:1028(a)(1) & 2

This 27-page indictment, filed March 3, 2011, was just unsealed on July 6, 2014, when Seleznev appeared in court in Guam. Washington charges that Seleznev "knowingly and willfully devised and executed and aided and abetted a scheme and artifice to defraud various financial institutions, including, but not limited to, Boeing Employees' Credit Union, Chase Bank, Capital One, Citibank, and Keybank, and to obtain moneys, funds, and credits under the custody and control of the banks by means of material false and fraudulent pretenses, representations and promises, as further described below." Seleznev would:

1. hack into retail businesses,
2. install malicious computer code onto those hacked computers,
3. use the malware to steal credit card numbers from the victim businesses' customers,
4. market and sell the stolen credit card numbers on "criminally inspired" websites,
5. thus allowing these cards and the associated accounts to be used for fraudulent purposes by the customers of his service.

Seleznev's malware was primarily controlled from a server named shmak.fvds.ru or smaus.fvds.ru at the IP address 188.120.225.66. A collection of malware was found at the root of that website, including malware named shmak, shmak2, kameo, hameo, zameo, dtc, dtc2, dtc4, rsca, remcomsvc, and others.

Seleznev's websites for selling cards were primarily bulba.cc, secure.bulba.cc, Track2.name, and secure.Track2.name. The targeted businesses usually had several "point of sale" terminals "up front" and a "back of the house computer", which may have been a server or perhaps even just the manager's computer. Some of Seleznev's victims included:

- The Broadway Grill - 32,000 unique credit card numbers from Dec 1, 2009 to Oct 22, 2010
- Grand Central Baking Company in Seattle, WA
- four Mad Pizza restaurants (three in Seattle, one in Tukwila, WA)
- Village Pizza in Anacortes, WA
- Casa Mia Italian in Yelm, WA
- Schlotzsky's Deli in Coeur d'Alene, Idaho
- Active Networks in Frostburg, MD
- Days Jewelry in Waterville, Maine
- Latitude Bar and Grill, NY, NY
- Mary's Pizza Shack in Sonoma, CA
- City News Stand in Chicago and Evanston, IL

Bulba would advertise when he had new cards for sale, claiming as many as 17,000 "Fresh Dumps" (newly stolen and never before used for fraud) and offering guarantees, including free card replacement for cards that were declined. Seleznev/Bulba's cards were of such high quality that the owners of the popular crdsu.su and carder.biz allowed Seleznev and others to assume monopoly status as the preferred card vendors for their boards, which were extremely prevalent in the underground.

According to the newly unsealed indictment, Seleznev personally stole (through his malware) more than 200,000 cards, and successfully sold over 140,000 of those cards through his websites bulba.cc and Track2.name between November 15, 2010 and February 22, 2011, generating direct illicit profits in excess of $2,000,000 USD. Just the cards stolen by Seleznev at the Broadway Grill have been associated with $79,317 in fraudulent charges, and all of the cards stolen by Seleznev are responsible for actual fraud charges of at least $1,175,217.37. On November 15-16, 2010, $83,490 in charges were made against Boeing Employees Credit Union cards; on Jan 31-Feb 1, 2011, $30,716 in charges were made against BECU.
Seleznev will have a hearing in Guam on July 22, and then be transferred to the Seattle courts.

NEW GAMEOVER ZEUS VARIANT USES FASTFLUX C&C
July 11, 2014, 5:53 am

Over on the Malcovery Security Blog yesterday we covered a new version of GameOver Zeus (see: GameOver Zeus Mutates, Launches Attack) that was distributed in three spam campaigns on July 10, 2014. At the bottom of that blog post we share a detailed "T3 Report" by analysts Brendan Griffin and Wayne Snow that gives all the details. In our reporting yesterday we mentioned that the new bot uses a Fast Flux Command & Control structure and a Domain Generation Algorithm (DGA) that lets the malware distributed in the spam locate and connect to the Command & Control servers. I wanted to geek out a bit deeper for those who want more details on both subjects. First, let's look at the Fast Flux.

FAST FLUX COMMAND & CONTROLLED BOTNET

Fast Flux is a technique that allows a criminal who controls many servers to obfuscate the true location of his server by building a tiered infrastructure. Sometimes there are additional "tiers" or levels of misdirection. We don't yet know how many layers there are in this newGOZ botnet.

Here's the flow . . .

1. the newGOZ criminal pays the Cutwail spammers to send out emails to infect new victims
2. the Cutwail spammer sends out his emails. On July 10th, they were "Essentra Past Due" and emails imitating M&T Bank and NatWest Bank
3. while many people delete the emails, ignore the emails, or have them blocked by spam filters, SOME people click on the emails
4. the ".scr" email attachment infects their computer and starts generating "Domain Generation Algorithm" domains
5. each domain is queried for. The bot computers say "Hey, Internet! Does this domain exist?"
6. on July 10th, cfs50p1je5ljdfs3p7n17odtuw.biz existed ... "the Internet" said "Yes, this exists, and NS1.ZAEHROMFUY.IN is the nameserver that can tell you where it is."
7. When most nameservers tell you the address of a computer, they give a "Time To Live" that says "The answer I'm giving you is probably good for 24 hours" (or 2 days, or a week, or whatever). But the nameserver used in a FastFlux bot, like NS1.ZAEHROMFUY.IN, usually gives a "Time To Live" that says "The answer I'm giving you is only good for about 5 minutes. After 5 minutes, you need to ask me again in case the address has changed."
8. NS1.ZAEHROMFUY.IN receives constant updates from the "newGOZ Criminal" listing hacked servers all over the world (but mostly in Ukraine). Almost every time you ask the nameserver "Where is the newGOZ domain?" it will give you a different answer.
9. the "FastFlux C&C" boxes are running nginx proxy software that says "Whatever you ask me, I will ask the servers at the Evil Lair of newGOZ. Whatever the Evil Lair of newGOZ wants to say, I will pass back to you."
10. Updates from the Evil Lair get passed back THROUGH the FastFlux proxy and give the newGOZ bots new malware or commands
11. All traffic to and from the newGOZ bot, whether it is the bot "checking in" or the criminal pushing an "update", goes through one of the proxies, which are constantly changing.

FAST FLUX NEWGOZ RESOLUTIONS

All of the servers (or workstations) in this table were used as Fast Flux C&C nodes last night by the newGOZ botnet. We'll keep tracking this with friends from ShadowServer, DissectCyber.com and others and sharing this information with our trusted partners, but I wanted to throw out this example. If you have the ability to look at "Net Flow" for any of these computers, you may be able to help us locate "The Evil Lair of the newGOZ Criminal." (Which sounds like a lot more fun than just looking at packet dumps, doesn't it?
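Before the resolution table, here is an added example of how a defender turns observations like those rows into a verdict. It is my own code, not from the original post or from Malcovery. It scores resolution records in the same shape as the table (time seen, answer IP, origin ASN, country) with the linear flux score published by Holz, Gorecki, Rieck and Freiling (NDSS 2008): 1.32 times the number of distinct IPs plus 18.54 times the number of distinct ASNs, flagged above 142.38. On top of that rule it requires the short TTL described in step 7, because a name cannot rotate faster than its TTL allows. The flux records reuse twelve rows of the table for the DGA domain named in step 6; the 300-second TTL, the benign control name www.example-static.test and its addresses are assumptions.

```python
"""Fast-flux scoring over passive-DNS style resolution records.

Added example, not code from the original post. The flux-score weights and
threshold are the ones published by Holz et al. (NDSS 2008); everything
marked "assumed" below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Resolution:
    seen: str   # ISO-8601 time the answer was observed
    name: str   # name that was queried
    ip: str     # A record returned
    asn: int    # origin ASN of the prefix covering ip
    cc: str     # country of that prefix
    ttl: int    # TTL on the A record, seconds


FLUX_NAME = "cfs50p1je5ljdfs3p7n17odtuw.biz"   # DGA domain quoted in the post
SAFE_NAME = "www.example-static.test"         # assumed benign control

# Constructed sample. The twelve FLUX_NAME rows reuse (time, IP, ASN, country)
# from the resolution table on this page; the 300-second TTL is assumed from
# the post's "about 5 minutes". The SAFE_NAME rows are entirely made up: a
# static host with two addresses in one ASN and a one-day TTL.
SAMPLE = [
    Resolution("2014-07-10T20:37:10-05:00", FLUX_NAME, "92.248.160.157", 30868, "RU", 300),
    Resolution("2014-07-10T20:38:04-05:00", FLUX_NAME, "108.20.219.49", 701, "US", 300),
    Resolution("2014-07-10T20:38:36-05:00", FLUX_NAME, "113.163.13.252", 45899, "VN", 300),
    Resolution("2014-07-10T20:39:03-05:00", FLUX_NAME, "114.46.251.46", 3462, "TW", 300),
    Resolution("2014-07-10T20:39:24-05:00", FLUX_NAME, "176.108.15.141", 57800, "UA", 300),
    Resolution("2014-07-10T20:40:39-05:00", FLUX_NAME, "178.150.136.252", 13188, "UA", 300),
    Resolution("2014-07-10T20:40:52-05:00", FLUX_NAME, "37.25.4.162", 25385, "UA", 300),
    Resolution("2014-07-10T20:41:05-05:00", FLUX_NAME, "69.143.45.75", 33657, "US", 300),
    Resolution("2014-07-10T20:41:18-05:00", FLUX_NAME, "77.242.172.30", 30955, "UA", 300),
    Resolution("2014-07-10T20:41:31-05:00", FLUX_NAME, "85.29.179.7", 21299, "KZ", 300),
    Resolution("2014-07-10T20:47:43-05:00", FLUX_NAME, "24.101.46.15", 27364, "US", 300),
    Resolution("2014-07-10T20:47:56-05:00", FLUX_NAME, "37.115.246.222", 15895, "UA", 300),
    Resolution("2014-07-10T20:37:30-05:00", SAFE_NAME, "203.0.113.10", 64496, "US", 86400),
    Resolution("2014-07-11T04:37:30-05:00", SAFE_NAME, "203.0.113.11", 64496, "US", 86400),
]

# Holz et al.: f = 1.32 * n_A + 18.54 * n_ASN, flagged when f > 142.38.
W_IP, W_ASN, THRESHOLD = 1.32, 18.54, 142.38


def summarize(records, name):
    """Aggregate every observed answer for `name` into the features we score."""
    rows = [r for r in records if r.name == name]
    if not rows:
        raise ValueError(f"no observations for {name}")
    ips = {r.ip for r in rows}
    asns = {r.asn for r in rows}
    times = sorted(datetime.fromisoformat(r.seen) for r in rows)
    return {
        "lookups": len(rows),
        "ips": len(ips),
        "asns": len(asns),
        "countries": len({r.cc for r in rows}),
        "min_ttl": min(r.ttl for r in rows),
        "window_hours": round((times[-1] - times[0]).total_seconds() / 3600, 2),
        "flux_score": round(W_IP * len(ips) + W_ASN * len(asns), 2),
    }


def is_fast_flux(summary, threshold=THRESHOLD, max_ttl=600):
    """Score above the published threshold AND a TTL short enough to rotate.

    The TTL condition is added on top of Holz's rule: answers that live for
    a day cannot be re-pointed every few minutes, so a high score there is
    more likely a large hosting footprint than a flux network.
    """
    return summary["flux_score"] > threshold and summary["min_ttl"] <= max_ttl


def classify(records):
    """Return {name: summary plus verdict} for every name in the records."""
    result = {}
    for name in sorted({r.name for r in records}):
        s = summarize(records, name)
        s["fast_flux"] = is_fast_flux(s)
        result[name] = s
    return result


if __name__ == "__main__":
    for name, s in classify(SAMPLE).items():
        verdict = "FAST-FLUX" if s["fast_flux"] else "normal"
        print(f"{name:35} {verdict:10} ips={s['ips']:3} asns={s['asns']:3} "
              f"score={s['flux_score']:7.2f} min_ttl={s['min_ttl']}")
```

Twelve answers in twelve ASNs already clear the threshold; the full table below has well over two hundred. One caveat before feeding a real resolver log into this: resolver-side redirection can contaminate it. ISP "search guide" services answer for names that do not exist, so an address attributed to Search Guide, Inc. (as in the last two rows of the table) is worth confirming as a real node before it counts toward the score.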
Sorry, this isn't my job, it is my passion. Geeks have to convince themselves they are Fighting Evil or we would get bored.) Since the first GOZ enabled the theft of $100 Million or so (for more, see as an example Crooks Seek Revival of GameOver Zeus Botnet, where Brian even shares the FBI Wanted Poster of the guy who is thought to be behind Zeus).

Timestamp (UTC-05)   IP address   Announced prefix   AS name / organisation   ASN   Country   RIR
2014-07-10 20:37:10-05 92.248.160.157 92.248.128.0/17 OLYMPUS-NSP-AS ZAO _AKADO-Ekaterinburg_,RU 30868 RU ripencc
2014-07-10 20:38:04-05 108.20.219.49 108.20.0.0/16 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business,US 701 US arin
2014-07-10 20:38:36-05 113.163.13.252 113.163.0.0/19 VNPT-AS-VN VNPT Corp,VN 45899 VN apnic
2014-07-10 20:39:03-05 114.46.251.46 114.46.0.0/16 HINET Data Communication Business Group,TW 3462 TW apnic
2014-07-10 20:39:24-05 176.108.15.141 176.108.0.0/19 KADRTV-AS Cadr-TV LLE TVRC,CZ 57800 UA ripencc
2014-07-10 20:40:39-05 178.150.136.252 178.150.136.0/22 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-10 20:40:52-05 37.25.4.162 37.25.0.0/19 BELCOMUA-AS ZAO _Belcom_,UA 25385 UA ripencc
2014-07-10 20:41:05-05 69.143.45.75 69.143.0.0/16 CMCS - Comcast Cable Communications, Inc.,US 33657 US arin
2014-07-10 20:41:18-05 77.242.172.30 77.242.172.0/24 UHT-AS UHT - Ukrainian High Technologies Ltd.,UA 30955 UA ripencc
2014-07-10 20:41:31-05 85.29.179.7 85.29.179.0/24 ORBITA-PLUS-AS ORBITA-PLUS Autonomous System,KZ 21299 KZ ripencc
2014-07-10 20:47:43-05 24.101.46.15 24.101.32.0/19 ACS-INTERNET - Armstrong Cable Services,US 27364 US arin
2014-07-10 20:47:56-05 37.115.246.222 37.115.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 20:48:10-05 67.68.99.137 67.68.96.0/22 BACOM - Bell Canada,CA 577 CA arin
2014-07-10 20:48:23-05 70.24.225.245 70.24.224.0/22 BACOM - Bell Canada,CA 577 CA arin
2014-07-10 20:48:43-05 75.76.166.8 75.76.128.0/17 WOW-INTERNET - WideOpenWest Finance LLC,US 12083 US arin
2014-07-10 20:48:57-05 76.127.161.112 76.127.128.0/17 COMCAST-7015 - Comcast Cable Communications Holdings, Inc,US 7015 US arin
2014-07-10 20:49:21-05 91.197.171.38 91.197.168.0/22 INTRAFFIC-AS Intraffic LLC,UA 43658 UA ripencc
2014-07-10 20:49:44-05 99.248.110.218 99.224.0.0/11 ROGERS-CABLE - Rogers Cable Communications Inc.,CA 812 CA arin
2014-07-10 20:50:02-05 100.44.184.18 100.44.160.0/19 WAYPORT - Wayport, Inc.,US 14654 US arin
2014-07-10 20:52:54-05 109.207.127.59 109.207.112.0/20 TELELAN-AS Teleradiocompany TeleLan LLC,UA 196740 UA ripencc
2014-07-10 21:07:24-05 178.214.223.104 178.214.192.0/19 UOS Ukraine Optical Systems LLC,UA 42546 UA ripencc
2014-07-10 21:07:56-05 212.22.192.224 212.22.192.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-10 21:08:11-05 31.133.118.121 31.133.118.0/24 ENTERRA-AS Private Enterprise _Enterra_,UA 48964 UA ripencc
2014-07-10 21:08:24-05 37.229.149.56 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:08:45-05 46.119.77.105 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:09:21-05 98.14.34.141 98.14.0.0/16 SCRR-12271 - Time Warner Cable Internet LLC,US 12271 US arin
2014-07-10 21:09:37-05 98.109.164.97 98.109.0.0/16 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business,US 701 US arin
2014-07-10 21:12:28-05 109.162.0.21 109.162.0.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:12:41-05 178.140.183.193 178.140.0.0/16 NCNET-AS OJSC Rostelecom,RU 42610 RU ripencc
2014-07-10 21:13:42-05 178.158.135.20 178.158.134.0/23 ISP-EASTNET-AS EAST.NET Ltd.,UA 50780 UA ripencc
2014-07-10 21:28:15-05 192.162.118.118 192.162.116.0/22 ANOXIN FIZICHNA OSOBA-PIDPRIEMEC ANOHIN IGOR VALENTINOVICH,UA 39056 UA ripencc
2014-07-10 21:28:18-05 208.120.58.109 208.120.0.0/18 SCRR-12271 - Time Warner Cable Internet LLC,US 12271 US arin
2014-07-10 21:28:18-05 213.111.221.67 213.111.192.0/18 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-10 21:28:18-05 24.207.209.129 24.207.128.0/17 CHARTER-NET-HKY-NC - Charter Communications,US 20115 US arin
2014-07-10 21:28:18-05 46.181.215.20 46.180.0.0/15 ELIGHT-AS E-Light-Telecom,RU 39927 RU ripencc
2014-07-10 21:28:19-05 68.45.64.5 68.44.0.0/15 CMCS - Comcast Cable Communications, Inc.,US 33659 US arin
2014-07-10 21:28:19-05 75.131.252.100 75.131.224.0/19 CHARTER-NET-HKY-NC - Charter Communications,US 20115 US arin
2014-07-10 21:28:19-05 91.196.60.108 91.196.60.0/22 ARHAT-AS PE Bondar TN,UA 50204 UA ripencc
2014-07-10 21:28:19-05 91.243.218.157 91.243.192.0/19 ID-TELECOM-AS Intellect Dnepr Telecom LLC,UA 59567 UA ripencc
2014-07-10 21:28:19-05 96.246.91.160 96.246.0.0/17 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business,US 701 US arin
2014-07-10 21:28:19-05 134.249.11.2 134.249.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:49:21-05 188.190.5.162 188.190.0.0/19 ASINTTEL Inttel Ltd.,UA 56370 UA ripencc
2014-07-10 21:49:22-05 5.248.110.252 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:49:22-05 31.43.162.96 31.43.160.0/19 KRASNET-UA-AS Krasnet ltd.,UA 50576 UA ripencc
2014-07-10 21:49:22-05 31.135.144.54 31.135.144.0/22 Technical Centre Radio Systems Ltd.,UA 20539 UA ripencc
2014-07-10 21:49:22-05 37.112.195.140 37.112.192.0/22 KRSK-AS CJSC _ER-Telecom Holding_,RU 50544 RU ripencc
2014-07-10 21:49:22-05 46.119.181.97 46.118.0.0/15 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:49:22-05 50.83.36.2 50.83.32.0/21 MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp,US 30036 US arin
2014-07-10 21:49:23-05 176.8.92.131 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 21:49:23-05 176.98.12.218 176.98.0.0/19 CRYSTAL-AS Crystal Telecom Ltd,CZ 49889 UA ripencc
2014-07-10 21:49:23-05 178.137.8.215 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 22:08:06-05 95.110.45.151 95.110.0.0/17 JSCBIS-AS OJSC _Bashinformsvyaz_,RU 28812 RU ripencc
2014-07-10 22:08:08-05 176.8.21.85 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 22:08:08-05 178.150.89.211 178.150.89.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-10 22:08:08-05 188.231.191.140 188.231.191.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-10 22:08:08-05 80.66.79.74 80.66.76.0/22 RISS-AS LLC _Ris-Tel_,RU 20803 RU ripencc
2014-07-10 22:08:09-05 81.200.148.6 81.200.144.0/20 ARTEM-CATV-AS JSC Artemovskoye Interaktivnoe Televidenie,RU 41070 RU ripencc
2014-07-10 22:08:09-05 95.46.219.178 95.46.219.0/24 VITEBSK-TV-ISP-AS OAO Vitebskiy Oblastnoy Techno-Torgoviy Center Garant,BY 50528 CZ ripencc
2014-07-10 22:08:09-05 95.78.166.17 95.78.128.0/18 ERTH-CHEL-AS CJSC _ER-Telecom Holding_,RU 41661 RU ripencc
2014-07-10 22:29:38-05 178.214.169.234 178.214.160.0/19 LUGANET-AS ARTA Ltd,UA 39728 UA ripencc
2014-07-10 22:29:38-05 188.16.223.225 188.16.192.0/18 USI OJSC Rostelecom,RU 6828 RU ripencc
2014-07-10 22:29:38-05 194.246.105.173 194.246.104.0/23 ASN-FUJILINE Trade House _Inet_ Ltd,UA 31000 UA ripencc
2014-07-10 22:29:39-05 70.75.230.0 70.75.0.0/16 SHAW - Shaw Communications Inc.,CA 6327 CA arin
2014-07-10 22:29:39-05 78.137.17.91 78.137.0.0/19 MCLAUT-AS LLC _McLaut-Invest_,UA 25133 UA ripencc
2014-07-10 22:29:39-05 176.117.86.162 176.117.80.0/20 LURENET-AS PP _Lurenet_,UA 50643 UA ripencc
2014-07-10 22:48:09-05 213.111.163.205 213.111.128.0/18 ALNET-AS PP SKS-Lugan,UA 35804 UA ripencc
2014-07-10 22:48:10-05 99.249.29.20 99.249.0.0/16 ROGERS-CABLE - Rogers Cable Communications Inc.,CA 812 CA arin
2014-07-10 22:48:10-05 109.254.35.236 109.254.0.0/16 DEC-AS Donbass Electronic Communications Ltd.,UA 20590 UA ripencc
2014-07-10 22:48:10-05 136.169.151.67 136.169.128.0/19 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-10 22:48:10-05 176.102.209.127 176.102.192.0/19 KUTS-AS Center for Information Technologies _Fobos_ Ltd.,UA 39822 UA ripencc
2014-07-10 22:48:10-05 178.141.160.202 178.141.0.0/16 MTS-KRV-AS MTS OJSC,RU 44677 RU ripencc
2014-07-10 22:48:10-05 178.213.191.181 178.213.184.0/21 SKYNET-UA-AS FOP Shoruk Andriy Olexanderovich,UA 196777 UA ripencc
2014-07-10 22:48:10-05 184.152.102.159 184.152.0.0/16 SCRR-12271 - Time Warner Cable Internet LLC,US 12271 US arin
2014-07-10 22:48:10-05 213.110.137.77 213.110.128.0/19 SUNNET-AS PE Gritcun Oleksandr Viktorovich,UA 47889 UA ripencc
2014-07-10 23:08:56-05 91.219.254.25 91.219.254.0/24 MONOLITH-AS LLC MONOLITH.NET,UA 48230 UA ripencc
2014-07-10 23:08:58-05 109.87.83.213 109.87.80.0/22 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-10 23:09:00-05 178.137.176.9 178.137.128.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:09:00-05 78.109.46.210 78.109.46.0/24 SIBRON-AS Closed Joint Stock Company COMSTAR-Regiony,RU 13155 RU ripencc
2014-07-10 23:09:00-05 80.70.71.41 80.70.64.0/20 ENERGYTEL Energytel LLC,UA 51317 UA ripencc
2014-07-10 23:27:45-05 71.75.52.101 71.75.0.0/16 SCRR-11426 - Time Warner Cable Internet LLC,US 11426 US arin
2014-07-10 23:27:45-05 176.8.72.36 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:27:45-05 178.74.214.94 178.74.192.0/18 EVEREST-AS _Everest_ Broadcasting Company Ltd,UA 49223 UA ripencc
2014-07-10 23:27:45-05 178.141.9.72 178.141.0.0/16 MTS-KRV-AS MTS OJSC,RU 44677 RU ripencc
2014-07-10 23:27:45-05 188.230.87.17 188.230.80.0/21 ABUA-AS LLC AB Ukraine,UA 43266 UA ripencc
2014-07-10 23:27:45-05 37.229.79.59 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:27:45-05 62.16.38.131 62.16.32.0/19 FPIC-AS CJSC _COMSTAR-regions_,RU 15640 RU ripencc
2014-07-10 23:49:05-05 176.113.227.109 176.113.224.0/19 LUGANET-AS ARTA Ltd,UA 39728 UA ripencc
2014-07-10 23:49:05-05 193.106.184.92 193.106.184.0/22 BOSPOR-AS Bospor-Telecom LLC,UA 42238 UA ripencc
2014-07-10 23:49:05-05 46.172.231.154 46.172.224.0/19 TOPHOST-AS SPD Kurilov Sergiy Oleksandrovich,UA 45043 UA ripencc
2014-07-10 23:49:05-05 74.129.235.88 74.128.0.0/12 SCRR-10796 - Time Warner Cable Internet LLC,US 10796 US arin
2014-07-10 23:49:05-05 77.121.129.181 77.121.128.0/21 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-10 23:49:05-05 78.27.159.112 78.27.128.0/18 DOMASHKA-AS Domashnya Merezha LLC,UA 15683 UA ripencc
2014-07-10 23:49:05-05 91.196.55.7 91.196.52.0/22 KOMITEX-AS PP KOM i TEX,UA 30886 UA ripencc
2014-07-10 23:49:06-05 94.153.23.170 94.153.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:49:06-05 109.87.222.148 109.87.222.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:07:17-05 178.215.178.112 178.215.176.0/20 FENIXVT-AS Private Enterprise Firma Fenix VT,RU 39399 UA ripencc
2014-07-11 00:07:19-05 195.90.130.19 195.90.128.0/18 ROSNET-AS OJSC Rostelecom,RU 6863 RU ripencc
2014-07-11 00:07:19-05 37.25.118.55 37.25.96.0/19 WILDPARK-AS ISP WildPark, Ukraine, Nikolaev,UA 31272 UA ripencc
2014-07-11 00:07:19-05 37.229.215.18 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 00:07:19-05 87.244.34.238 87.244.32.0/21 SUNLINK-AS Sunlink Telecom ISP, Tula, Russia,RU 35401 RU ripencc
2014-07-11 00:07:19-05 91.219.233.40 91.219.232.0/22 REALWEB-AS Private Enterprise RealWeb,UA 41161 UA ripencc
2014-07-11 00:07:20-05 173.95.149.72 173.92.0.0/14 SCRR-11426 - Time Warner Cable Internet LLC,US 11426 US arin
2014-07-11 00:07:20-05 178.150.221.2 178.150.220.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:07:20-05 178.151.165.182 178.151.165.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:28:03-05 109.87.42.122 109.87.40.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:28:04-05 109.200.228.156 109.200.224.0/19 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 00:28:04-05 31.135.226.91 31.135.224.0/20 TRYTECH-AS Trytech Ltd.,RU 44056 RU ripencc
2014-07-11 00:28:04-05 46.172.145.109 46.172.128.0/19 UTEAM-AS Uteam LTD,UA 49125 UA ripencc
2014-07-11 00:49:18-05 109.229.198.37 109.229.192.0/19 PRONET_LV SIA _PRONETS_,LV 43075 LV ripencc
2014-07-11 00:49:20-05 178.165.98.17 178.165.64.0/18 CITYNET-AS Maxnet Autonomous System,UA 34700 UA ripencc
2014-07-11 00:49:20-05 195.114.145.69 195.114.144.0/20 DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA 21219 UA ripencc
2014-07-11 00:49:20-05 5.58.15.61 5.58.0.0/18 NOLAN-AS Lanet Network Ltd,UA 43120 UA ripencc
2014-07-11 00:49:20-05 46.147.186.225 46.147.184.0/22 NEOLINK CJSC _ER-Telecom Holding_,RU 34590 RU ripencc
2014-07-11 00:49:20-05 46.219.50.56 46.219.50.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 00:49:20-05 89.185.24.218 89.185.24.0/21 TVCOM-AS TVCOM Ltd.,UA 34092 UA ripencc
2014-07-11 00:49:20-05 94.158.73.89 94.158.64.0/20 BIGNET-AS PE Yuri Stanislavovich Demenin,UA 43668 UA ripencc
2014-07-11 00:49:20-05 95.47.151.247 95.47.148.0/22 TKS-AS Sumski Telecom Systems Ltd,UA 41967 CZ ripencc
2014-07-11 01:09:51-05 71.227.196.156 71.227.128.0/17 COMCAST-33650 - Comcast Cable Communications, Inc.,US 33650 US arin
2014-07-11 01:09:52-05 87.224.164.135 87.224.128.0/17 TELENET-AS OJSC Rostelecom,RU 35154 RU ripencc
2014-07-11 01:09:52-05 93.127.60.17 93.127.60.0/23 ALKAR-AS PRIVATE JOINT-STOCK COMPANY _FARLEP-INVEST_,RU 6703 UA ripencc
2014-07-11 01:09:52-05 109.227.127.25 109.227.96.0/19 MCLAUT-AS LLC _McLaut-Invest_,UA 25133 UA ripencc
2014-07-11 01:09:52-05 178.151.9.221 178.151.9.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:09:52-05 178.151.154.233 178.151.154.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:09:52-05 194.187.108.182 194.187.108.0/22 TERABIT TERABIT LLC,UA 29491 UA ripencc
2014-07-11 01:09:52-05 37.229.149.148 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:09:52-05 46.118.151.246 46.118.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:09:52-05 46.219.77.143 46.219.77.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 01:28:30-05 178.137.232.234 178.137.128.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:28:31-05 178.150.177.83 178.150.176.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:28:31-05 178.151.14.223 178.151.14.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:28:31-05 178.151.227.102 178.151.227.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:28:31-05 188.231.170.228 188.231.170.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 01:28:31-05 5.34.112.211 5.34.0.0/17 SATELCOM-AS SA-Telcom LLP,KZ 35566 KZ ripencc
2014-07-11 01:28:31-05 46.56.64.196 46.56.64.0/19 MTSBY-AS Mobile TeleSystems JLLC,BY 25106 BY ripencc
2014-07-11 01:28:31-05 46.173.171.188 46.173.168.0/22 BEREZHANY-AS Galitski Telekommunications Ltd,UA 49183 UA ripencc
2014-07-11 01:28:31-05 176.215.86.177 176.215.84.0/22 KRSK-AS CJSC _ER-Telecom Holding_,RU 50544 RU ripencc
2014-07-11 01:49:53-05 31.202.226.233 31.202.224.0/22 FORMAT-TV-AS MSP Format Ltd.,UA 6712 UA ripencc
2014-07-11 01:49:53-05 46.33.59.6 46.33.56.0/22 BLACKSEA TV Company _Black Sea_ Ltd,UA 31593 UA ripencc
2014-07-11 01:49:53-05 46.149.179.87 46.149.179.0/24 ISP-KIM-NET Kalush Information Network LTD,UA 197522 UA ripencc
2014-07-11 01:49:53-05 82.112.53.75 82.112.32.0/19 KTEL-AS K Telecom Ltd.,RU 48642 RU ripencc
2014-07-11 01:49:53-05 95.133.181.160 95.133.128.0/18 UKRTELNET JSC UKRTELECOM,UA 6849 UA ripencc
2014-07-11 01:49:53-05 109.86.112.170 109.86.112.0/22 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:49:53-05 124.197.73.68 124.197.64.0/18 MOBILEONELTD-AS-AP MobileOne Ltd. Mobile/Internet Service Provider Singapore,SG 4773 SG apnic
2014-07-11 01:49:54-05 178.137.97.155 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:49:54-05 217.112.220.202 217.112.208.0/20 TELEPORTSV PrivateJSC DataGroup,UA 15785 UA ripencc
2014-07-11 02:08:05-05 94.76.127.113 94.76.127.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 02:08:05-05 213.231.6.9 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 02:08:05-05 37.57.203.171 37.57.200.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 02:29:13-05 31.40.33.46 31.40.32.0/19 GORSET-AS Gorodskaya Set Ltd.,RU 49776 RU ripencc
2014-07-11 02:29:13-05 37.53.73.152 37.52.0.0/14 6849 6877 UA ripencc
2014-07-11 02:29:14-05 46.119.213.230 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 02:29:14-05 46.175.73.188 46.175.64.0/20 MEDIANA-AS Mediana ltd.,UA 56347 UA ripencc
2014-07-11 02:29:14-05 176.73.87.120 176.73.0.0/17 CAUCASUS-CABLE-SYSTEM Caucasus Online Ltd.,GE 20771 GE ripencc
2014-07-11 02:29:14-05 178.219.91.40 178.219.90.0/23 ASDNEPRONET Dnepronet Ltd.,UA 51069 UA ripencc
2014-07-11 02:29:14-05 185.14.102.108 185.14.102.0/24 ORBITA-PLUS-AS ORBITA-PLUS Autonomous System,KZ 21299 KZ ripencc
2014-07-11 02:29:14-05 195.225.147.101 195.225.144.0/22 UA-LINK-AS NPF LINK Ltd.,UA 34359 UA ripencc
2014-07-11 02:50:03-05 46.150.74.97 46.150.64.0/19 VIVANET-AS Vivanet Ltd,UA 44728 UA ripencc
2014-07-11 02:50:04-05 46.150.91.162 46.150.64.0/19 VIVANET-AS Vivanet Ltd,UA 44728 UA ripencc
2014-07-11 02:50:04-05 76.14.215.195 76.14.192.0/18 WAVE-CABLE - Wave Broadband,US 32107 US arin
2014-07-11 02:50:04-05 82.193.220.254 82.193.192.0/19 VODATEL-AS Metronet telekomunikacije d.d.,HR 25528 HR ripencc
2014-07-11 02:50:04-05 178.136.227.61 178.136.226.0/23 ALKAR-AS PRIVATE JOINT-STOCK COMPANY _FARLEP-INVEST_,RU 6703 UA ripencc
2014-07-11 02:50:04-05 178.137.69.209 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 02:50:04-05 194.28.176.201 194.28.176.0/22 KUZNETSOVSK-AS FOP Chaika Nadija Jakivna,UA 197073 UA ripencc
2014-07-11 02:50:04-05 212.87.183.197 212.87.160.0/19 EDN-AS Online Technologies LTD,UA 45025 UA ripencc
2014-07-11 02:50:04-05 213.231.12.80 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 02:50:04-05 46.119.175.13 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:09:01-05 46.33.50.175 46.33.48.0/21 LIS Telecompany LiS LTD,UA 35588 UA ripencc
2014-07-11 03:09:04-05 46.98.237.27 46.98.0.0/16 FREGAT-AS ISP _Fregat_ Ltd.,UA 15377 UA ripencc
2014-07-11 03:09:04-05 46.185.73.100 46.185.64.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:09:04-05 79.164.171.236 79.164.0.0/16 CNT-AS OJSC Central telegraph,RU 8615 RU ripencc
2014-07-11 03:09:04-05 91.244.137.151 91.244.128.0/20 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 03:09:05-05 109.86.234.51 109.86.232.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 03:09:05-05 109.207.121.193 109.207.112.0/20 TELELAN-AS Teleradiocompany TeleLan LLC,UA 196740 UA ripencc
2014-07-11 03:09:05-05 176.108.235.203 176.108.232.0/22 SKM-AS PE Yaremenko O.V.,UA 39422 UA ripencc
2014-07-11 03:09:05-05 193.106.82.45 193.106.80.0/22 DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA 21219 UA ripencc
2014-07-11 03:09:05-05 31.129.65.152 31.129.64.0/19 ASDNEPRONET Dnepronet Ltd.,UA 51069 UA ripencc
2014-07-11 03:09:05-05 37.232.181.13 37.232.160.0/19 INTERNET-CENTER-AS Net By Net Holding LLC,RU 42420 RU ripencc
2014-07-11 03:29:59-05 109.201.240.84 109.201.224.0/19 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 03:30:00-05 141.101.11.69 141.101.0.0/19 WILDPARK-AS ISP WildPark, Ukraine, Nikolaev,UA 31272 UA ripencc
2014-07-11 03:30:00-05 188.230.1.99 188.230.0.0/21 ABUA-AS LLC AB Ukraine,UA 43266 UA ripencc
2014-07-11 03:30:01-05 46.119.134.13 46.118.0.0/15 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:30:01-05 77.79.140.237 77.79.128.0/18 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-11 03:30:01-05 77.121.125.112 77.121.96.0/19 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 03:30:01-05 77.123.241.141 77.123.224.0/19 IVC IVC-Donbass Ltd,UA 48169 UA ripencc
2014-07-11 03:48:03-05 213.231.4.163 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 03:48:03-05 5.248.133.146 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:48:03-05 81.163.136.160 81.163.128.0/19 DIDAN-AS Didan Group LTD,UA 47694 UA ripencc
2014-07-11 03:48:03-05 91.244.232.200 91.244.232.0/22 VITA-AS Teleradiokompaniya Vizit-A Limited Liability Company,UA 197175 UA ripencc
2014-07-11 03:48:03-05 176.112.17.229 176.112.0.0/19 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-11 03:48:03-05 176.124.1.31 176.124.0.0/19 DIDAN-AS Didan Group LTD,UA 47694 UA ripencc
2014-07-11 03:48:03-05 193.93.238.13 193.93.236.0/22 STAVSET-AS Kvartal Plus Ltd,RU 49325 RU ripencc
2014-07-11 04:09:03-05 46.118.136.44 46.118.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 46.172.128.249 46.172.128.0/19 UTEAM-AS Uteam LTD,UA 49125 UA ripencc
2014-07-11 04:09:05-05 94.41.219.215 94.41.192.0/18 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-11 04:09:05-05 109.162.59.249 109.162.0.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 178.45.188.246 178.45.160.0/19 OJSC Rostelecom,RU 15500 RU ripencc
2014-07-11 04:09:05-05 178.88.215.41 178.88.0.0/16 KAZTELECOM-AS JSC Kazakhtelecom,KZ 9198 KZ ripencc
2014-07-11 04:09:05-05 188.163.29.68 188.163.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 5.14.25.76 5.12.0.0/14 RCS-RDS RCS & RDS SA,RO 8708 RO ripencc
2014-07-11 04:09:05-05 5.248.99.163 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:27:48-05 178.151.23.241 178.151.22.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 04:27:50-05 31.169.23.129 31.169.20.0/22 DTVKZ-AS JSC Kazakhtelecom,KZ 39725 KZ ripencc
2014-07-11 04:27:50-05 77.122.235.167 77.122.192.0/18 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:27:50-05 78.62.94.153 78.62.80.0/20 TEOLTAB TEO LT AB Autonomous System,LT 8764 LT ripencc
2014-07-11 04:27:50-05 89.209.96.231 89.209.0.0/16 MTS MTS OJSC,RU 8359 UA ripencc
2014-07-11 04:27:50-05 93.79.143.194 93.79.128.0/17 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:27:50-05 176.8.79.228 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:27:50-05 178.141.98.171 178.141.0.0/16 MTS-KRV-AS MTS OJSC,RU 44677 RU ripencc
2014-07-11 04:49:18-05 176.113.146.32 176.113.144.0/20 BELICOM-AS FOP Bilenkiy Olexander Naumovich,UA 44010 UA ripencc
2014-07-11 04:49:21-05 178.137.109.91 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:49:21-05 213.111.226.174 213.111.192.0/18 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-11 04:49:21-05 217.73.84.131 217.73.80.0/21 INFOMIR-NET Infomir JSC,UA 44291 UA ripencc
2014-07-11 04:49:21-05 5.20.162.237 5.20.160.0/19 CGATES-AS UAB _Cgates_,LT 21412 LT ripencc
2014-07-11 04:49:21-05 5.105.1.241 5.105.0.0/16 CDS-AS Cifrovye Dispetcherskie Sistemy,UA 43554 UA ripencc
2014-07-11 04:49:21-05 77.122.193.42 77.122.192.0/18 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:49:21-05 91.225.162.98 91.225.160.0/22 ASSPDCHERNEGA SPD Chernega Aleksandr Anatolevich,UA 56400 UA ripencc
2014-07-11 04:49:21-05 91.236.249.33 91.236.248.0/22 SNAK-AS IP-Connect LLC,UA 57944 UA ripencc
2014-07-11 04:49:21-05 91.244.139.49 91.244.128.0/20 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 04:49:21-05 109.86.76.58 109.86.64.0/20 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 04:49:21-05 176.36.67.204 176.36.0.0/14 LANETUA-AS Lanet Network Ltd.,UA 39608 UA ripencc
2014-07-11 05:08:15-05 46.46.96.199 46.46.64.0/18 FLAGMAN-AS TOV _Flagman Telecom_,UA 48045 UA ripencc
2014-07-11 05:08:16-05 46.149.178.203 46.149.176.0/20 ISP-KIM-NET Kalush Information Network LTD,UA 197522 UA ripencc
2014-07-11 05:08:16-05 95.37.213.26 95.37.128.0/17 NMTS-AS OJSC Rostelecom,RU 25405 RU ripencc
2014-07-11 05:08:16-05 178.251.109.168 178.251.104.0/21 DATALINE-AS Dataline LLC,UA 35297 UA ripencc
2014-07-11 05:08:17-05 31.41.128.57 31.41.128.0/21 ANOXIN FIZICHNA OSOBA-PIDPRIEMEC ANOHIN IGOR VALENTINOVICH,UA 39056 UA ripencc
2014-07-11 05:27:32-05 81.90.233.231 81.90.233.0/24 RADIOCOM-AS RadioCom ISP Autonomous System,UA 25071 UA ripencc
2014-07-11 05:27:32-05 81.162.70.217 81.162.64.0/20 GIGABYTE-AS Private Company Center for Development Information Technology _Gigabyte_,UA 198293 UA ripencc
2014-07-11 05:27:32-05 89.44.89.68 89.44.88.0/22 DNC-AS IM Data Network Communication SRL,MD 41053 RO ripencc
2014-07-11 05:27:32-05 91.244.148.241 91.244.144.0/21 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 05:27:32-05 188.168.94.122 188.168.0.0/16 TTK-RTL Closed Joint Stock Company TransTeleCom,RU 15774 RU ripencc
2014-07-11 05:27:32-05 62.80.161.77 62.80.160.0/19 INTERTELECOM-AS PJSC Inter-Telecom,UA 25386 UA ripencc
2014-07-11 05:30:03-05 198.105.254.240 198.105.254.0/24 SGINC - Search Guide Inc,US 36029 US arin
2014-07-11 05:30:03-05 198.105.244.240 198.105.244.0/24 SGINC - Search Guide Inc,US 36029 US arin

URGENT COURT NOTICE FROM GREENWINICK LAWYERS DELIVERS MALWARE
July 13, 2014, 6:31 am

I spent some time yesterday in the Malcovery Security Spam Data Mine looking at the E-Z Pass malware campaign. The ASProx spammers behind that campaign have moved on to Court Notice again . . . subjects like these:

* Hearing of your case in Court No#
* Notice of appearance
* Notice of appearance in court No#
* Notice to Appear
* Notice to Appear in Court
* Notice to appear in court No#
* Urgent court notice
* Urgent court Notice No#

(All of the subjects that have "No#" are followed by a four-digit integer.)

As usual, the spammers behind these "Court Appearance" campaigns have just grabbed an innocent law firm to imitate. There is no indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going! These are the same criminals who have previously imitated other law firms including Jones Day (jonesday.com), Latham & Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermott Will & Emery (mwe.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them! We've seen 88 destination hosts between July 10th and this morning (list below), but it is likely there are many more.
When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver unique URLs for every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, combined with rotation through hundreds of "pre-compromised" websites that host the malicious content. Because we believe there will be MANY more destination hosts, the four patterns in the path portion of the URL are better indicators than the host names:

* tmp/api/…STUFF…=/notice
* components/api/…STUFF…=/notice
* wp-content/api/…STUFF…=/notice
* capitulo/components/api/…STUFF…=/notice

where "…STUFF…" is an encoding that we believe is related to the original recipient's email address, but have been unable to confirm at this time. For example:

http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice

(To protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on decoding it, let me know and I'm happy to provide a couple hundred non-altered strings.)

Just like last week's E-Z Pass spam campaign, visiting the destination website results in a uniquely geo-coded drop: a .zip file that contains a .exe file. As an example, when downloading from my home in Birmingham, Alabama, where my zip code is 35242, the copy I received was named Notice_Birmingham_35242.zip, which contained Notice_Birmingham_35242.exe, whose icon makes it appear to be a Microsoft Word document. The MD5 of my .exe was:

5c255479cb9283fea75284c68afeb7d4

The VirusTotal report for my .exe is here: VirusTotal Report (7 of 53 detects). Extra credit points to Kaspersky and Norman for useful and accurate naming!

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP

Each of the 88 destination websites that we observed was likely compromised to host the malware.
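As an added example (my own code, not from the original post or from Malcovery), here is a small Python module that turns the indicators above into checks a responder can run: the four path patterns applied to the URLs in a proxy log, the Notice_<City>_<ZIP>.zip / .exe naming of the drop, and the four directories a webmaster is told to look for. The log lines, the client addresses, the hosts other than arhiconigroup.com and the directory listing are constructed sample data; the base64 token is captured and measured only, since the post could not confirm what it encodes.

```python
"""Indicators for the ASProx/Kuluoz "court notice" lure described above.

Added example, not code from the original post. All proxy log lines, the
hosts other than the one quoted in the post, the client addresses and the
directory listing below are constructed sample data.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# The four path shapes called out in the post. Whatever sits between /api/
# and /notice is captured as `token`; the post says it is probably derived
# from the recipient's address but could not confirm that, so the token is
# recorded and decoded for length only, never interpreted.
NOTICE_PATH = re.compile(
    r"^/(?P<prefix>tmp|components|wp-content|capitulo/components)/api/"
    r"(?P<token>[A-Za-z0-9+/]{16,}={0,2})/notice/?$"
)

# The geo-coded drop: Notice_<City>_<five-digit ZIP>.zip, or the .exe inside it.
DROP_NAME = re.compile(r"^Notice_[A-Za-z][A-Za-z .'-]*_\d{5}\.(zip|exe)$", re.IGNORECASE)

# Directories the post tells webmasters to look for, relative to the web root.
SUSPECT_DIRS = ("tmp/api", "components/api", "wp-content/api", "capitulo/components/api")


def match_notice_url(url):
    """Return a dict describing the hit if `url` has the Kuluoz shape, else None."""
    parts = urlsplit(url)
    m = NOTICE_PATH.match(parts.path)
    if not m:
        return None
    token = m.group("token")
    try:
        decoded_len = len(base64.b64decode(token, validate=True))
    except binascii.Error:
        decoded_len = None          # base64-looking but not valid base64; still a hit
    return {"host": parts.hostname, "prefix": m.group("prefix"),
            "token": token, "decoded_bytes": decoded_len}


def is_drop_name(filename):
    """True for names like Notice_Birmingham_35242.zip / .exe."""
    return DROP_NAME.match(filename) is not None


def scan_proxy_log(lines):
    """Run the URL matcher over 'timestamp client method url status' lines.

    Returns a list of (client, hit) tuples so the responder knows which
    workstation fetched the lure, not just that someone did.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = match_notice_url(fields[3])
        if hit is not None:
            hits.append((fields[1], hit))
    return hits


def suspect_directories(paths):
    """Filter a directory listing (e.g. `find /var/www -type d`) to the four paths."""
    found = []
    for p in paths:
        norm = p.strip().rstrip("/")
        rel = norm.lstrip("./")
        if any(rel == d or rel.endswith("/" + d) for d in SUSPECT_DIRS):
            found.append(norm)
    return found


# Second token is base64 of 16 zero bytes, so its decoded length is predictable.
SAMPLE_TOKEN = base64.b64encode(b"\x00" * 16).decode()

# Constructed proxy log. Only the first URL's host and token come from the
# post, and that token is the one the post already altered.
SAMPLE_LOG = [
    "2014-07-12T09:14:02Z 10.0.0.17 GET http://arhiconigroup.com/wp-content/api/pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk=/notice 200",
    "2014-07-12T09:14:05Z 10.0.0.17 GET http://www.example-cdn.test/wp-content/uploads/2014/07/logo.png 200",
    f"2014-07-12T09:16:41Z 10.0.0.23 GET http://www.example-shop.test/components/api/{SAMPLE_TOKEN}/notice 200",
    "2014-07-12T09:17:10Z 10.0.0.23 GET http://www.example-shop.test/components/api/notice 404",
]

if __name__ == "__main__":
    for client, hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} fetched lure on {hit['host']} ({hit['prefix']}/api, "
              f"token decodes to {hit['decoded_bytes']} bytes)")
    print(is_drop_name("Notice_Birmingham_35242.zip"))
    print(suspect_directories(["./wp-content/api", "./wp-content/uploads",
                               "/var/www/html/capitulo/components/api"]))
```

Against real logs, adjust the field index in scan_proxy_log to your proxy's format; the token is kept in the hit so it can be handed to whoever takes up the decoding offer above. The 32-byte length of the quoted token is the same whether or not the post's alteration changed its content, which is all the matcher relies on.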
We do not believe these are necessarily "bad websites", but they either have a vulnerability or have had their webmaster credentials stolen by criminals. If one of these is YOUR website, look for one of the directories I mentioned:

/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/

www.metcalfplumbing.com
www.mikevanhattum.nl
www.mieszkaniaradomsko.pl
www.millionairemakeovertour.com
www.mkefalas.com
www.moldovatourism.ro
www.mobitrove.com
www.modultyp.com
www.mommyabc.com
www.monsterscalper.com
www.myconcilium.de
www.nellalongari.com
www.northsidecardetailers.com.au
www.parasitose.de
www.paulruminski.eu
www.petitecoach.com
www.phasebooks.net
www.plr-content.com
www.profimercadeo.com
www.propertyumbrellablueprint.com
www.proviewhomeservices.com
www.puntanews.com.uy
www.qifc.ir
www.rado-adventures.com
www.rantandraveweddingplanning.com
www.registrosakasicos.es
www.rimaconsulting.com
www.romiko.pl
www.saffronelectronics.co.uk
www.sasregion.com
www.saxonthewall.com
www.sealscandinavia.se
www.stkatharinedrexel.org
www.tecza.org
www.theanimationacademy.com
www.thehitekgroup.com
www.tusoco.com
www.urmasphoto.com
www.vicmy.net
www.viscom-online.com
www.vtretailers.com
www.warp.org.pl
www.webelonghere.ca
www.weihnachten-total.de
www.wesele.eu
www.whistlereh.com
www.wicta.nl
www.widitec.com.br
www.wonderlandinteractive.dk
www.wpprophet.com
www.xin8.org
www.zabytkowe.net
www.zeitgeistportugal.org
www.zmianywpodatkach.pl
www.znamsiebie.pl
www.zuidoost-brabant.nl
www.zs1grodzisk.pl
yourmentoraffiliatemarketing.com
atenea.edu.ec
comopuedoblanquearmisdientes.com
arhiconigroup.com
chris-coupe.com
drnancycooper.com
ian-mcconnell.com
izkigolf.com
kalemaquil.com
kingdommessengernetwork.com