This post exposes the name servers involved, the associated ASs, and their affiliations with multiple other cybercrime activities, using the research previously conducted on the syndicate's recruitment campaigns.
Its main objective, moreover, is to emphasize that cybercrime should stop being treated as a country- or region-specific problem and instead be treated as an international one, with each and every country having its own share of cybercrime activity.
- "The whole is greater than the sum of its parts" - Aristotle
What makes an impression is the geographical distribution of the name servers: 11 of them are based in the Netherlands, another 11 in China, followed by 11 more at a single US AS, VolumeDrive. Counting all three US ASs in the list below, the United States actually hosts 29 of the 60 name servers. Here's the list of the related ASs and how many name servers each one hosts:
- AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers
- AS38356, TimeNet - China - 11 name servers
- AS46664, VolumeDrive - United States - 11 name servers
- AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers
- AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 name servers
- AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers
- AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name server
Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice, the Turkish ALATRON BLTD., which appears in the majority of its domain registrations.
The following active name servers have been gathered from the money mule recruitment campaigns profiled in previous posts:
- Keeping Money Mule Recruiters on a Short Leash - Part Four
- Keeping Money Mule Recruiters on a Short Leash - Part Three
- Keeping Money Mule Recruiters on a Short Leash - Part Two
- Keeping Money Mule Recruiters on a Short Leash
- Keeping Reshipping Mule Recruiters on a Short Leash
ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet
ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.bizrestroom.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.bizrestroom.cc - 222.35.143.234 - AS38356, TimeNet
ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.chinegrowth.cc - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.chinegrowth.cc - 222.35.143.112 - AS38356, TimeNet
ns1.cnnandpizza.cc - 87.118.81.75 - Email: bears@fastermail.ru - AS31103, KEYWEB-AS Keyweb AG
ns2.cnnandpizza.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System
ns3.cnnandpizza.cc - 222.35.143.236 - AS38356, TimeNet
ns1.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive
ns1.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System
ns3.maninwhite.cc - 222.35.143.234 - AS38356, TimeNet
ns1.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.partytimee.cn - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System
ns3.partytimee.cn - 222.35.143.235 - AS38356, TimeNet
ns1.sandhouse.cc - 64.85.174.146 - Email: taunt@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.sandhouse.cc - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.sandhouse.cc - 74.118.194.82 - AS46664, VolumeDrive
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru - 92.63.110.0/23 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.translatasheep.net - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.translatasheep.net - 222.35.143.112 - AS38356, TimeNet
ns1.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.trythisok.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.trythisok.cn - 222.35.143.235 - AS38356, TimeNet
ns1.viewdreamer.com - 64.85.174.143 - Email: free@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive
ns1.volcanotime.com - 64.85.174.144 - Email: hs@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.volcanotime.com - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.volcanotime.com - 74.118.194.88 - AS46664, VolumeDrive
ns1.weathernot.net - 64.85.174.145 - Email: bowls@5mx.ru - AS30517, Great Lakes Comnet, Inc.
ns2.weathernot.net - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.weathernot.net - 74.118.194.89 - AS46664, VolumeDrive
ns1.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.worldslava.cc - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.worldslava.cc - 74.118.194.84 - AS46664, VolumeDrive
ns1.jockscreamer.net - 64.85.174.144 - Email: free@freenetbox.ru - AS30517, Great Lakes Comnet, Inc.
ns2.jockscreamer.net - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.jockscreamer.net - 74.118.194.83 - AS46664, VolumeDrive
ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.uleaveit.com - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.uleaveit.com - 74.118.194.85 - AS46664, VolumeDrive
ns1.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet
ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns1.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - AS46664, VolumeDrive
ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet
ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns1.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.pesenlife.net - 204.12.217.254 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.pesenlife.net - 74.118.194.86 - AS46664, VolumeDrive
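As an added example (not part of the original post), the following Python works through the pivoting that the AS tally and the record list above do by hand: it parses records in the post's own line format, counts name servers per ASN, and clusters the domains by shared name-server IP and by the e-mail address the post lists alongside each ns1 host. The embedded records are a subset of the list above (seven of the twenty domains). Two checks show what an IP-only pivot misses: dropping bergamoto.com and diunar.cc splits the European and US hosting clusters, because those two domains are the only ones mixing name servers from both, and pesenlife.net shares no name-server IP with any other domain in the subset and is linked to greezly.net only through the reused address erupt@qx8.ru.

```python
"""Pivot the post's name-server records by ASN, shared IP and contact e-mail.

Added example for this post. RECORDS_TEXT is a subset of the list in the
post, kept in the post's own line format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

RECORDS_TEXT = """\
ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System
ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet
ns1.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive
ns1.viewdreamer.com - 64.85.174.143 - Email: free@freenetbox.ru - 64.85.160.0/20 - AS30517, Great Lakes Comnet, Inc.
ns2.viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive
ns1.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - AS30517, Great Lakes Comnet, Inc.
ns2.pesenlife.net - 204.12.217.254 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
ns3.pesenlife.net - 74.118.194.86 - AS46664, VolumeDrive
ns1.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet
ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
ns1.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - AS46664, VolumeDrive
ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet
ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System
"""


class Record(NamedTuple):
    host: str
    domain: str           # registered domain the name server belongs to
    ip: str
    asn: int
    email: Optional[str]  # the post lists an address only on the ns1 line


def parse_records(text: str) -> List[Record]:
    """Parse 'host - ip - [Email: x -] [netblock -] ASn, name' lines.

    The Email label and the netblock are optional, so the e-mail is located
    by shape ("@") and the ASN by regex rather than by field position.
    """
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        asn = re.search(r"\bAS(\d+)\b", line)
        if len(parts) < 3 or asn is None:
            continue  # not a record line
        email = next((p.replace("Email:", "").strip() for p in parts[2:] if "@" in p), None)
        host, ip = parts[0], parts[1]
        records.append(Record(host, host.split(".", 1)[1], ip, int(asn.group(1)), email))
    return records


def asn_counts(records: List[Record]) -> Counter:
    """Name servers per ASN: the hosting concentration the post tallies by hand."""
    return Counter(r.asn for r in records)


def cluster_domains(records: List[Record], pivots=("ip",), exclude=frozenset()) -> List[Set[str]]:
    """Union-find over domains; two domains join when they share a pivot value.

    pivots: any of "ip" (same name-server address) and "email" (same contact
    address). exclude: domains to drop, e.g. to test whether a few domains are
    the only bridge between two hosting clusters.
    """
    recs = [r for r in records if r.domain not in exclude]
    parent = {r.domain: r.domain for r in recs}

    def find(d: str) -> str:
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    by_key: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in recs:
        if "ip" in pivots:
            by_key[("ip", r.ip)].add(r.domain)
        if "email" in pivots and r.email:
            by_key[("email", r.email)].add(r.domain)
    for domains in by_key.values():
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=min)


def email_pivots(records: List[Record]) -> Dict[str, Set[str]]:
    """Contact addresses reused across more than one domain."""
    by_email: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.email:
            by_email[r.email].add(r.domain)
    return {e: d for e, d in by_email.items() if len(d) > 1}


RECORDS = parse_records(RECORDS_TEXT)

if __name__ == "__main__":
    for asn, n in asn_counts(RECORDS).most_common():
        print(f"AS{asn}: {n} name servers")
    print("IP pivot:", cluster_domains(RECORDS))
    print("IP pivot without the bridging domains:",
          cluster_domains(RECORDS, exclude={"bergamoto.com", "diunar.cc"}))
    print("IP + e-mail pivot:", cluster_domains(RECORDS, pivots=("ip", "email")))
    print("Reused contact addresses:", email_pivots(RECORDS))
```

Run as a script it prints the ASN tally and the three clusterings. On the subset, IP pivoting alone yields two clusters, excluding the two bridging domains yields three, and adding the e-mail pivot collapses everything to one; pasting the full list above into RECORDS_TEXT extends the same check to the whole syndicate.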
The business model of this syndicate can easily be compared to that of the much-hyped Russian Business Network: they are either managing the infrastructure for someone else as a service, are directly involved in recruiting and using money mules for their own purposes, or are basically building an inventory of mules to offer as a service to a large number of cybercriminals.
The fact that these folks are not campaign-centered but keep maintaining their ecosystem puts them at the top of the watch list for months to come.
Related coverage of money laundering in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.