Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 10/28/08

Tuesday, October 28, 2008

A Diverse Portfolio of Fake Security Software - Part Eleven

The following portfolio of fake security software appear to have been integrated within traffic redirection doorways during the weekend, consequently redirecting hundreds of thousands of users acquired from blackhat hat SEO, malvertising, email spam and SQL injections, to non-existent security vendors and their non-existent security products. Here's an excerpt from one of the templates that they're using :

"Since its first establishement in 2001, Antivirus V.I.P consistently maintained its position as one of the world's leading companies in antivirus research and product development. Antivirus V.I.P is known mostly for Antivirus V.I.P, its powerful mix of Anti-Malware, Anti-Virus, Anti-Trojan, Anti-Backdoor, Anti-Worm and Anti-PornoDial in one program. Antivirus V.I.P scans and removes trojans and other malware, which can be placed on a computer without the owner's knowledge.

Antivirus V.I.P is a powerful and easy-to-use Trojan horses, Viruses and all types of Malware removal software, which detects and eliminates more than 100'000 Trojan Horses and Spywares. It also detects viruses, trojans, worms, spyware, malicious ActiveX controls and Java applets. The latest version of Antivirus V.I.P features outstanding detection abilities, together with high performance. Antivirus V.I.P creates best anti-virus, anti-trojan and anti-spyware security solutions that protect computer users from ever-increasing cyber threats and all the dangers of the new century."

And the domains and their associated IPs :

antivirus-freescan .com (208.72.169.100)
defendyourpc .com
mycupupdate .com
secureupdatecenter .com
secureupdateserver .com
webscannertools .com
secureyourpayments .com
protection-overview .com

save-my-pc-now .com (84.243.196.136; 89.149.227.196; 89.149.227.232)
antivirus-pcscan .com
hiqualityscan .com
active-scanner .com
perfectscanner .com

livesecurityinfo .com (216.240.134.208)
protection-freescan .com
antvirushelp .com
prosecurity-audit .com

scan-my-pc .com (89.149.251.56)
securedclickhere .com

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Money Mules Syndicate Actively Recruiting Since 2002

Money mules have already been an inseparable part of the underground ecosystem. And while others try to hide their activities by outsourcing their hosting needs to botnet masters partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational security) by establishing a trust based model based on recommendations in order to even consider letting you register for their services. Their geographical location not only reflects the average time it would take to take action against their activities and expose yet another extensive network of fraudulent operations, but also, has the potential to increase or decrease the commissions that the mules take based on the risk factor of getting caught.

There are several different types of money mules, those serving themselves, and those offering their services to others, in this particular case, we have a money mules syndicate that's been operating since 2002, and is only serving the high profile customers. What happens when such a money mule syndicate (naturally) starts vertically integrating by offering value-added services like credit card balance checking and date of birth lookups? Profits apparently increase, since the syndicate is actively recruiting and is currently looking for 20 to 30 mules -- their current staff is said to be approximately 100 people -- to cash out anything from bank account logins, Paypal accounts, to stolen credit card data. Here's a translated description of the service :

"Who we are?

- First place at (cyber crime community) top list of trusted service providers for 2008
- We serve the big guys only since 2002
- We never scam, in business since 2002 without a single scam complaint
- We look for you, you don't look for us
- We offer outstanding working conditions and high commissions

Who you should be?
- Dedicated person with experience in the field
- Have been in the business for at least 6 months
- Have been recommended by at least 1 person from (cybercrime community) and from (cybercrime community)
- You take 45% commission of the processed check, minimal amount is $3000
- You pay a membership fee

In the next two months we draw the command of 20-30 people who will most satisfy our requirements. For the selected team will be Paradise conditions:

- Instant payment (a few hours after delivered)
- Large numbers to drop service in the USA and the UK (30)
- Individual drop in the number of large islands
- 3-5 fresh weekly drop
- Round-the-clock support"

In case some of their customers get scammed -- appreciate the irony here as scammers compensate the scammers getting scammed by the scammer's outsourced personnel -- by some of their money mules, the service is offering compensation for the stolen goods/amount of money, clearly speaking for the revenues it is to prone to be generating. OPSEC (Operational Security) has been taking place across high-profile cybercrime communities during the last quarter, mostly in response to their increasing awareness that in the very same way they keep track of the major anti-fraud features implemented across their services of (ab)use, those implementing them could be monitoring them as well.

Dancho Danchev