Friday, July 18, 2008

Money Mule Recruiters use ASProx's Fast Fluxing Services

Just consider this scheme for a second. A well-known money mule recruitment site, Cash Transfers, is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, which is also providing hosting services for several hundred domains used in the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc.) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information.
"


The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used, in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux:



With the distributed and dynamic hosting infrastructure courtesy of malware-infected users, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem built on the foundations of compromised hosts.
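The IP sharing between the recruitment site and the injected domains noted above is something a defender can measure from passive DNS data. The following is an added example, not code from the original post: the domains, IP addresses, TTLs and thresholds are all constructed assumptions, using the reserved .example TLD and documentation address ranges.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, A record, TTL in seconds).
# None of these values come from the post; they are illustrative only.
OBSERVATIONS = [
    ("mule-recruiter.example", "192.0.2.10", 120),
    ("mule-recruiter.example", "198.51.100.23", 120),
    ("mule-recruiter.example", "203.0.113.77", 120),
    ("mule-recruiter.example", "192.0.2.44", 120),
    ("injected-js.example", "198.51.100.23", 180),
    ("injected-js.example", "203.0.113.77", 180),
    ("injected-js.example", "192.0.2.44", 180),
    ("injected-js.example", "203.0.113.5", 180),
    ("static-shop.example", "192.0.2.200", 86400),
]

def ip_sets(observations):
    """Group every A record and TTL ever seen for each domain."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return ips, ttls

def flux_candidates(observations, min_ips=4, max_ttl=300):
    """Domains with many distinct A records and consistently short TTLs.
    The thresholds are assumed defaults, to be tuned per environment."""
    ips, ttls = ip_sets(observations)
    return sorted(d for d in ips
                  if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl)

def shared_hosting(observations, seed, min_shared=2):
    """Domains resolving to at least min_shared of the seed domain's IPs,
    mapped to the Jaccard similarity of the two IP sets."""
    ips, _ = ip_sets(observations)
    seed_ips = ips.get(seed, set())
    result = {}
    for domain, addrs in ips.items():
        common = addrs & seed_ips
        if domain != seed and len(common) >= min_shared:
            result[domain] = round(len(common) / len(addrs | seed_ips), 2)
    return result

if __name__ == "__main__":
    print(flux_candidates(OBSERVATIONS))
    print(shared_hosting(OBSERVATIONS, "mule-recruiter.example"))
```

Starting from one known-bad seed domain, the overlap score surfaces other domains served by the same pool of compromised hosts, which is how a scam site and a set of injected script domains can be tied to one infrastructure.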

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet


The Ayyildiz Turkish Hacking Group VS Everyone

Certain hacktivist groups often come and go by the time the momentum of their particular cause is long gone. Excluding the hardcore hacktivists who are obliged to defend their country's infrastructure and reputation on the international scene, and are smart enough to do so on one front, there are certain hacktivist groups who ensure their future existence by declaring war on every single country that has ever made statements in contradiction with their vision. Quite a stimulating factor for ensuring the future of your script kiddies group, isn't it?



One of these groups is the AYYILDIZ TEAM, a group of Turkish script kiddies who've been pretty active recently, targeting everyone, everywhere, leaving statements like the following:


"Me, as AYT-Admin Barbaros, swear to everything which is lovely and holy to me, that you will pay for your actions. We, AYT, as a Cyber Attacking Army will make it sure. Read right, what will we do:



* The government websites will be inaccessible and all lawsuits will be manipulated


* We will infiltrate the server of inland revenues for the manipulation of the data which are there.

* At the same time we will insist into the server of banks and will care for chaos

* Websites of the press will be extinguished.

* If the offence of our prophet (s.a.v.) called your press freedom, we will show you this press freedom

* Websites of divers shops will be hacked. Databank information's and the dates which are there, for example credit card dates, will be policed in this page. (Don't worry, we wouldn't taste one cent of your moneys, we aren't thieves like you. However we don't take care of what happens, if other hackers see this dates and empty your account)"



While this may sound inspiring, some of the group's members are also involved in SQL injections in between the web site defacements, which are naturally done by exploiting web application vulnerabilities. For instance, right after the defacement messages, they are also injecting the following fast-fluxed domains, part of the latest wave of SQL injection attacks.



bkpadd.mobi /ngg.js

usaadw.com /ngg.js

cliprts.com /ngg.js




They are either monetizing their defacements by compiling lists of sites known to be SQL injectable, since they've managed to deface them, then reselling these to the SQL injectors, or are in fact part of the whole process in this scammy ecosystem. Speaking of SQL injections, here's the most recent list of fast-fluxed SQL injected domains participating in the last wave that I've been keeping track of for a while:







What used to be plain and simple cooperation among every single participant in the underground marketplace seems to be evolving into long-term business relationships.



Related posts:

Monetizing Compromised Web Sites

Monetizing Web Site Defacements

Underground Multitasking in Action

Right Wing Israeli Hackers Deface Hamas's Site

Pro-Serbian Hacktivists Attacking Albanian Web Sites

The Rise of Kosovo Defacement Groups

A Commercial Web Site Defacement Tool

Phishing Tactics Evolving

Web Site Defacement Groups Going Phishing

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists