Tuesday, February 09, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Two

With money mule recruitment syndicates continuing to expand their geographically diverse inventories of gullible mules, keeping their operations on a short leash is becoming a tradition. What the non-existent organizations profiled in this post have in common with the non-existent organizations profiled before, is the vendor of money mule recruitment creative, thanks to whose standardization of the recruitment process, everyone willing to invest a modest amount of money can start recruiting.

Despite the ongoing mix of abusing legitimate infrastructure (Web 2.0 services, dedicated hosting within legitimate ISPs - Tweet 1; Tweet 2; Tweet 3; Tweet 4; Tweet 5; Tweet 6) and using purely malicious infrastructure, centralization of cybercrime operations is still an inseparable part of the cybercrime ecosystem.

Case in point is AS47560 - VESTEH-NET-as Vesteh LLC, where the cybercriminals have chosen to host not only their money mule recruitment domain portfolio, but also the actual Zeus crimeware command and control servers. Pretty convenient indeed, but also a minimalistic OPSEC attitude that leads to increased exposure.

The newly introduced money mule recruitment domains rely on the same DIY web interface and the same "payment processing agent" agreement seen in previous campaigns. What naturally changes is the web page layout, combined with a new description of the non-existent company. Here's a sample from the currently active ones:

"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past. There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions"."

The fact that money mule recruiters aggregate contact details from career building web sites isn't new -- see "Major career web sites hit by spammers attack". Here are the sample letters emailed to a prospective money mule, who spotted the scam and avoided it:

"After reviewing your resume online we have decided to propose you a Payment Processing Agent vacancy.

My name is Sarah Forbes and I'm working at SUCCESS Group Inc. Our company is a well-known one. It was founded in the USA and deals mainly with recruitment of IT professionals. The job we offer is a part-time position with a flexible schedule. On average the working hours are 2-3 hours a day (Monday through Friday). Our job requirements: Internet access and e-mail. Successful applicants are offered a probationary period (30 days). All agents get training and online support. We evaluate the employees at least one week prior to the end of their trial period. NOTE: During the probationary period termination can be recommended by the supervisor.

The pay is $2,300 per month during the Trial Period + 8% commission from each successfully handled payment. Total income is about $4,500 per month. After the first 30 days your base salary will be increased up to $3,000 a month. NOTE: After the probationary period you may request additional assignments or proceed to full-time. If you are interested in the offer, please, contact me at success.sarah.forbes@googlemail.com for the details.

First name:______________________
Last name:___________________
Country of residence:___________________
Contact phone:_______________
Preferred call time: _______________

Our representatives will reply within 48 hours. NOTE: This is not a sales position.


Sarah Forbes
Phone: 1-585-267-5988
Fax: 1-585-672-6137"

Let's expose the domain portfolios in question.

Active money mule recruitment sites parked within AS47560 - VESTEH-NET-as Vesteh LLC, in particular:

Naturally, it gets even more interesting with AS47560 - VESTEH-NET-as Vesteh LLC acting as a good example of a cybercrime-friendly virtual neighborhood. Not only are the cybercriminals hosting the money mule recruitment sites there, but a decent number of Zeus crimeware C&Cs and client-side exploit serving campaigns are currently active there as well.

Zeus C&Cs currently active there, whose front pages return "dsfkgjk rgkj":

Historical OSINT of live exploit serving and malware phone-back locations parked there:

Name servers of notice:

Take a look at the routing graph for a moment. Who do we have here? Our "dear friends" at AS5577 ROOT eSolutions (also seen here; here; here; here; here and here), acting as a node for an ever expanding portfolio of malicious customers, with AS50215 Troyak-as Starchenko Roman Fedorovich, part of the Pushdo crimeware and client-side exploit serving campaigns, second in the list.
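The pivoting the lists above rely on, shared registrant e-mails and shared name servers inside one hosting AS, can be automated so that a single known recruitment domain exposes the rest of the portfolio. The following is an added example, not code from the post; it uses constructed WHOIS-style records rather than the post's real domains, and treats the ASN as context rather than as a link, because a cybercrime-friendly AS also contains legitimate neighbours that share nothing but the hosting.

```python
from collections import defaultdict

# Constructed sample WHOIS-style records (not the post's real data) mimicking its
# pattern: many domains, few registrant e-mails, shared name servers, one ASN.
RECORDS = [
    {"domain": "aurora-groupco.example", "email": "info@reg-a.example", "ns": "ns1.key.example", "asn": "AS64500"},
    {"domain": "bear-groupinc.example", "email": "info@reg-a.example", "ns": "ns2.region.example", "asn": "AS64500"},
    {"domain": "citizen-groupsvc.example", "email": "frown@reg-b.example", "ns": "ns2.region.example", "asn": "AS64500"},
    {"domain": "render-groupco.example", "email": "muggy@reg-c.example", "ns": "ns1.key.example", "asn": "AS64500"},
    {"domain": "justinnew1.example", "email": "dswewrf@reg-d.example", "ns": "ns1.trythis.example", "asn": "AS64500"},
    {"domain": "justinnew2.example", "email": "dswewrf@reg-d.example", "ns": "ns1.trythis.example", "asn": "AS64500"},
    {"domain": "shop.legit.example", "email": "admin@legit.example", "ns": "ns1.hoster.example", "asn": "AS64500"},
    {"domain": "blog.legit.example", "email": "admin@legit.example", "ns": "ns1.hoster.example", "asn": "AS64501"},
]

PIVOTS = ("email", "ns")  # strong links; a shared ASN alone is too noisy to join on


def build_clusters(records):
    """Union-find over domains that share a registrant e-mail or a name server."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    by_pivot = defaultdict(list)
    for r in records:
        for key in PIVOTS:
            by_pivot[(key, r[key])].append(r["domain"])
    for domains in by_pivot.values():
        for a, b in zip(domains, domains[1:]):  # chain every domain on a pivot
            parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted(sorted(c) for c in clusters.values())


def expand_from_seed(records, seed):
    """Return every domain linked to a known-bad seed, plus the ASNs the cluster spans."""
    asn_of = {r["domain"]: r["asn"] for r in records}
    for cluster in build_clusters(records):
        if seed in cluster:
            return cluster, sorted({asn_of[d] for d in cluster})
    return [seed], [asn_of.get(seed, "unknown")]
```

Starting from one recruitment domain, the cluster returns its three siblings but not the legitimate neighbours that only share the ASN, which is the false-positive check a takedown notification should pass before naming domains.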

AS47560 - VESTEH-NET-as Vesteh LLC has been notified, awaiting response/take down reaction. Or the lack of such.

Related coverage of money laundering in the context of cybercrime:
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.