Tuesday, April 20, 2010

The DNS Infrastructure of the Money Mule Recruitment Ecosystem

What's the most static element of the vibrant money mule recruitment ecosystem? It's the DNS infrastructure that the cybercriminals behind the campaigns repeatedly reuse to push new scams.

This post aims to expose the name servers involved and their associated ASes, drawing on the research previously conducted on the recruitment campaigns and on their affiliations with multiple other cybercrime activities.

Moreover, its main objective is to emphasize that cybercrime should stop being treated as a country- or region-specific problem; instead it should be treated as an international problem, with each and every country having its own share of cybercrime activity.
  • "The whole is greater than the sum of its parts" - Aristotle
With money mule recruitment available as a service (see Standardizing the Money Mule Recruitment Process), this post will only detail the activities of what I refer to as a "mule recruitment syndicate": in short, one of the most prolific syndicates, with direct connections to numerous related cybercrime campaigns profiled over the past 6 months.

What stands out is the geographical distribution of the name servers. 11 of them are based in the Netherlands, another 11 are based in China, followed by 11 more based in the United States. Here's the list of the related ASes and their occurrences:
  • AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers
  • AS38356, TimeNet - China - 11 name servers
  • AS46664, VolumeDrive - United States - 11 name servers
  • AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers
  • AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 name servers
  • AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers
  • AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name server

Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice, the Turkish ALATRON BLTD., which appears in the majority of its domain registrations.
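To make the pivot this post is built on concrete, here is an added example (not from the original post) that takes name server records of the form the post collects, hostname, IP and AS, counts distinct name server IPs per AS as in the list above, derives each domain's AS fingerprint, and clusters domains that share any name server IP. The records are constructed: RFC 5737 documentation addresses and .test placeholder domains; the ASNs are the ones the post tallies, with AS64496 (a reserved documentation ASN) standing in for an unrelated network.

```python
from collections import defaultdict

# Constructed sample records: (domain, ns label, ns IP, ASN). IPs are RFC 5737
# documentation addresses and domains are placeholders. The two placeholder
# domains show the pattern the post describes: ns1/ns2/ns3 spread across three
# ASes, with the same ns2/ns3 IPs reused from one domain to the next.
RECORDS = [
    ("placeholder-a.test", "ns1", "192.0.2.10", 29182),
    ("placeholder-a.test", "ns2", "198.51.100.2", 34305),
    ("placeholder-a.test", "ns3", "203.0.113.112", 38356),
    ("placeholder-b.test", "ns1", "192.0.2.11", 29182),
    ("placeholder-b.test", "ns2", "198.51.100.2", 34305),
    ("placeholder-b.test", "ns3", "203.0.113.112", 38356),
    ("unrelated.test", "ns1", "192.0.2.200", 64496),
    ("unrelated.test", "ns2", "192.0.2.201", 64496),
]

def as_tally(records):
    """Number of distinct name server IPs per AS, like the post's per-AS list."""
    seen = defaultdict(set)
    for _, _, ip, asn in records:
        seen[asn].add(ip)
    return {asn: len(ips) for asn, ips in seen.items()}

def as_fingerprint(records, domain):
    """Sorted tuple of the ASes hosting a domain's name servers; domains run
    by the same operator tend to share this triple even when IPs change."""
    return tuple(sorted({asn for d, _, _, asn in records if d == domain}))

def cluster_by_shared_ns(records):
    """Union-find over domains: any shared name server IP joins two domains."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_domain_for_ip = {}
    for domain, _, ip, _ in records:
        find(domain)  # register the domain even if it shares nothing
        if ip in first_domain_for_ip:
            parent[find(domain)] = find(first_domain_for_ip[ip])
        else:
            first_domain_for_ip[ip] = domain
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted(sorted(c) for c in clusters.values())
```

Run against real passive-DNS output, the clusters are the candidate list to watch and the AS fingerprint is the cheap first filter for new registrations.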

The following active name servers have been gathered from the money mule recruitment campaigns profiled in previous posts:


The business model of this syndicate can easily be compared to the business model of the much hyped Russian Business Network, in the sense that they are either managing the infrastructure for someone else as a service, are directly involved in the recruitment and utilization of money mules for their own purposes, or are basically building an inventory of mules to offer as a service to a large number of cybercriminals.

The basic fact that these folks are not campaign-centered, but continue maintaining their ecosystem, puts them at the top of the watch list for months to come.

Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.
