Wednesday, May 25, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT


With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices in particular a very well segmented group of mule recruiters using identical templates which they've purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offine:
allston-groupsec.cc
atca-inc.com
atcanetworks.net
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
BANDS-GROUPSVC.COM
BANDS-INC.COM
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
evolving-inc.com
evolvingsysinc.net
galleogroupnet.net
galleo-inc.com
GIANT-GROUPCO.NET
GIANTGROUPINC.COM
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
HOSTGROUPINC.COM
HOSTGROUP-INC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
ICT-GROUPCO.COM
ICTGROUPINC.COM
ICTGROUPNET.CC
ICT-GROUPSVC.NET
IMPERIALGROUPCO.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
infotechgroup-inc.com
jvc-inc.com
magnet-groupinc.cc
netmarket-inc.com
netmarkettech.net
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC
USIGROUPINC.COM
USIGROUP-INC.COM
USI-GROUPINC.NET
USIGROUPNET.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW

developgroupinc.net - 69.50.199.209 - Email: slows@5mx.ru
develop-inc.com - 69.50.199.209 - Email: etude@qx8.ru
mercygroupnet.net - 69.50.198.218 - Email: bowie@bigmailbox.ru
mercy-inc.com - 69.50.198.221 - Email: spout@freenetbox.ru
solarisgroupinc.com - 69.50.199.209 - Email: slows@5mx.ru
solarisgroupnet.net - 69.50.198.197 - Email: sharp@maillife.ru
jvc-inc.com - 69.50.198.210 - Email: etude@qx8.ru
jvcgroupnet.net - 69.50.198.221 - Email: spout@freenetbox.ru

Name servers of notice, historical OSINT for the responding IPs provided:
ns1.kalipso19.cc - 208.110.80.34 - Email: tarts@freenetbox.ru
ns2.kalipso19.cc - 64.85.169.70
ns3.kalipso19.cc - 173.208.132.42

ns1.mamacholi.net - 208.110.80.35 - Email: excess@bigmailbox.ru
ns2.mamacholi.net - 64.85.169.71
ns3.mamacholi.net - 173.208.132.43

ns1.rjevski.com - 208.110.80.34 - Email: low@bigmailbox.ru
ns2.rjevski.com - 64.85.169.70
ns3.rjevski.com - 173.208.132.42

ns1.runlesrun.cc - 208.110.80.37 - Email: frost@bigmailbox.ru
ns2.runlesrun.cc - 64.85.169.73
ns3.runlesrun.cc - 173.208.132.45

ns1.skotinko.net - 208.110.80.38 - Email: info@dnregistrar.ru
ns2.skotinko.net - 64.85.169.74
ns3.skotinko.net - 173.208.132.46

ns1.solojumper.com - 208.110.80.36 - Email: crime@bigmailbox.ru
ns2.solojumper.com - 64.85.169.72
ns3.solojumper.com - 173.208.132.44

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.