Saturday, March 20, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Three

UPDATED: 7 minutes after notification, EUROACCESS responded that the IPs mentioned within the AS "have been blackholed for the time being until a confirmation of cleanup has been received from the customer."
It's a fact. However, in less than a minute the money mule recruitment gang moved the domains from the now blackholed 85.12.46.241; 85.12.46.242; 85.12.46.243; 85.12.46.244; 85.12.46.245 to 85.12.46.95 and 85.12.46.96.

These, including the crimeware and the scareware IPs, are now also blackholed. Let's see what the gang will do next.
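The re-pointing described above, and the shared-registrant overlap used later in this post to tie the domain portfolio together, can be checked mechanically rather than by eye. The following Python is an added example, not code from the original post: the two snapshots are constructed from values listed in this post (a handful of the domains, their IPs and registrant e-mails), with the "after" state reflecting the move to 85.12.46.95 and .96.

```python
from collections import defaultdict

# Constructed snapshots assembled from values listed in the post. Each maps
# domain -> (resolved IPv4, registrant e-mail): "before" at notification
# time, "after" a minute after the first five addresses were blackholed.
BEFORE = {
    "augment-group.com": ("85.12.46.245", "mylar@5mx.ru"),
    "asperitygroup.net": ("85.12.46.241", "cde@freenetbox.ru"),
    "celerity-groupmain.tw": ("85.12.46.241", "weds@fastermail.ru"),
    "westendgroupsvc.net": ("85.12.46.241", "mylar@5mx.ru"),
}
AFTER = {
    "augment-group.com": ("85.12.46.95", "mylar@5mx.ru"),
    "asperitygroup.net": ("85.12.46.96", "cde@freenetbox.ru"),
    "celerity-groupmain.tw": ("85.12.46.241", "weds@fastermail.ru"),
    "westendgroupsvc.net": ("85.12.46.95", "mylar@5mx.ru"),
}
# The addresses EUROACCESS blackholed first, per the update at the top.
BLACKHOLED = {f"85.12.46.{n}" for n in range(241, 246)}


def migrated_domains(before, after, blackholed):
    """Return {domain: (old_ip, new_ip)} for domains that left a blackholed
    address between snapshots. Domains still parked on a dead IP are
    ignored; domains that vanished from 'after' are ignored as well."""
    moved = {}
    for domain, (old_ip, _) in before.items():
        new_ip = after.get(domain, (None, None))[0]
        if old_ip in blackholed and new_ip and new_ip != old_ip:
            moved[domain] = (old_ip, new_ip)
    return moved


def same_prefix(moved, prefix_len=24):
    """Subset of moved domains whose new IP shares a /prefix_len with the old
    one: a move within the same provider range is cheap for the gang and a
    hint that the whole range, not single hosts, should be discussed."""
    def prefix(ip):
        return ".".join(ip.split(".")[: prefix_len // 8])
    return sorted(d for d, (old, new) in moved.items()
                  if prefix(old) == prefix(new))


def registrant_clusters(snapshot):
    """Group domains by registrant e-mail, keeping clusters of two or more:
    the pivot that ties a freshly registered domain back to a known actor."""
    by_email = defaultdict(set)
    for domain, (_, email) in snapshot.items():
        by_email[email].add(domain)
    return {e: sorted(ds) for e, ds in by_email.items() if len(ds) >= 2}
```

Run against real passive DNS and WHOIS snapshots, the same three functions tell an abuse desk which domains escaped a blackhole, whether they stayed inside the provider's range, and which registrant e-mails link the new names to the old portfolio.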

The cybercriminals you know are better than the cybercriminals you don't know. They can typosquat or change hosting providers, but they can't escape.

The money mule recruiters profiled in "Keeping Money Mule Recruiters on a Short Leash" and in "Keeping Money Mule Recruiters on a Short Leash - Part Two" are now switching hosting to AS34305, EUROACCESS Global Autonomous System, whose services the Koobface gang was also using during the Christmas season.

The gang also appears to have purchased new templates with new, but naturally bogus, descriptions of the money mule recruitment companies. It gets even more interesting when one of the domains (greatuk.org) participating in a Zeus crimeware campaign within AS34305 turns out to be registered to hilarykneber@yahoo.com (The Kneber botnet - FAQ).

An excerpt from The Kneber botnet - FAQ on the Koobface gang connection:
The bogus money mule recruitment companies are using identical templates, describing themselves as follows:
"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past. 

There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core business functions".

Let's expose the domain portfolio and its supporting name servers, and highlight the scareware and crimeware activity currently taking place at AS34305, EUROACCESS Global Autonomous System.

Active money mule recruitment domains:

Name servers:

Next to the money mule recruitment domains, there are several active Zeus crimeware campaigns using the following domains/IPs. In fact, one of them is using a domain registered to Hilary Kneber (The Kneber botnet - FAQ):
greatuk.org - 193.104.22.100 - Email: hilarykneber@yahoo.com
greatan.cn - 193.104.22.100 - Email: AlehnoLopu_@yahoo.com
193.104.22.71
193.104.22.90

What are we missing? Naturally, the scareware monetization element. Let's expose one of the scareware domain portfolios currently active there.

Domains responding to 193.104.22.50 - AS34305, EUROACCESS Global Autonomous System:

EUROACCESS has been notified; the post will be updated once/if they take care of the "customers" violating their Terms of Service.

Related coverage of money laundering in the context of cybercrime:
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.