Powered by Blogger.
RSS

Dissecting the Ongoing Mass SQL Injection Attack


The ongoing mass SQL injection attack, has already affected over a million web sites. Cybercriminals performing active search engines reconnaissance have managed to inject a malicious script into ASP ASP.NET websites.

From client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we'll dissect the campaign and establish a direct connection between the campaign and last March's Lizamoon mass SQL injection attack.

SQL injected domains -- thanks to Dasient's Tufan Demir for the ping:
nbnjki.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
jjghui.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
bookzula.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
bookgusa.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
dfrgcc.com/ur.php - Email: jamesnorthone@hotmailbox.com
statsl.com/ur.php - 111.22.111.111 - Email: jamesnorthone@hotmailbox.com
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com
jhgukn.com/ur.php - Email: jamesnorthone@hotmailbox.com
vovmml.com/ur.php - Email: jamesnorthone@hotmailbox.com
bookvivi.com/ur.php - Email: jamesnorthone@hotmailbox.com

Responding to 146.185.248.3 is also file-dl.com; bookfula.com and bookvila.com - Email: jamesnorthone@hotmailbox.com

Detection rate for urchin.js:
urchin.js - Trojan.JS.Redirector - 17/42 (40.5%)
MD5   : 4387f9be5af4087d21c4b44b969a870f
SHA1  : 8a47842ccf6d642043ee8db99d0530336eef6b99
SHA256: 975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351

The redirections take place as follows:
  • bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= - Email: bill.swinson@yahoo.com -> firstrtscaner.rr.nu
  • nbnjkl.com/urchin.js -> power-wfchecker.in/?1dlia916= - Email: bill.swinson@yahoo.com
bill.swinson@yahoo.com has also been used to register the following scareware-serving domains:
uberble-safe.in
uberate-safe.in
best-jsentinel.in
topantivir-foru.in
personalscannerlg.in
rideusfor.in
hardbsy-network.in
enablesecureum.in
hardynauchecker.in
best-jsentinel.in
smartklhdefense.in
smartaasecurity.in
personal-scan-4u.in
unieve-safe.in
safe-solutionsoft.in
hugeble-cure.in
topsecuritykauu.in
personalcleansoft.in
powerscanercis.in
topksfsecurity.in
hard-antivirbjb.in
strong-guardbxz.in
smart-suiteguard.in
thebestkrearmy.in
smart-guardianro.in
freeopenscanerpo.in
best-networkqjo.in
hard-antivirbjb.in
smartantivir-scanner.in
most-popularsoftcontent.in
bester-msecuriity.in
doneahme.in
strong-checkerwrt.in
safepowerforu.in
safe-securityarmy.in
personal-bpsentinel.in
personalcleansoft.in
ostestsystemri.in
saveinternet-guard.in
just-perfectprotection.in
firstholdermvq.in
just-perfectprotection.in
allcle-safe.in
brawaidme.in
uniind-safe.in
moreaz-fine.in
trueeox-safe.in
safexanet.in
personal-internet-foryou.in



For the time being, the campaing is redirecting to a fake YouTube page enticing users into downloading a bogus Adobe Flash player in order to view the video.

Detection rate for the bogus Adobe Flash player:
scandisk.exe - Backdoor:Win32/Simda.A - 8/43 (18.6%)
MD5   : fb4c93935346d2d8605598535528506e
SHA1  : 0ff7ccd785c0582e33c22f9b21156929ba7abaeb
SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632

Upon execution the sample phones back to:
209.212.147.141/chrome/report.html
98.142.243.64/chrome/report.html

update.19runs10q3.com - 65.98.83.115

The same phone back locations have been used in a variety of related malware -- thanks to Kaspersky's David Jacoby for the ping. For instance, in this malware sample that's also phoning back to the same URLs, we have active HOSTS file modification as follows:

See related post:  Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines

www.google.com.=87.125.87.99;
google.com.=87.125.87.103;
google.com.au.=87.125.87.104;
www.google.com.au.=87.125.87.147;
google.be.=77.125.87.148;
www.google.be.=77.125.87.149;
google.com.br.=77.125.87.109;
www.google.com.br.=77.125.87.150;
google.ca.=77.125.87.152;
www.google.ca.=77.125.87.153;
google.ch.=77.125.87.155;
www.google.ch.=77.125.87.158;
google.de.=77.125.87.160;
www.google.de.=77.125.87.161;
google.dk.=92.125.87.123;
www.google.dk.=92.125.87.160;
google.fr.=92.125.87.154;
www.google.fr.=92.125.87.134;
google.ie.=92.125.87.170;
www.google.ie.=92.125.87.177;
google.it.=92.125.87.173;
www.google.it.=92.125.87.147;
google.co.jp.=92.125.87.103;
www.google.co.jp.=84.125.87.147;
google.nl.=84.125.87.103;
www.google.nl.=84.125.87.147;
google.no.=84.125.87.103;
www.google.no.=84.125.87.147;
google.co.nz.=84.125.87.103;
www.google.co.nz.=84.125.87.147;
google.pl.=84.125.87.103;
www.google.pl.=64.125.87.147;
google.se.=64.125.87.103;
www.google.se.=64.125.87.147;
google.co.uk.=64.125.87.103;
www.google.co.uk.=64.125.87.147;
google.co.za.=64.125.87.103;
www.google.co.za.=64.125.87.147;
www.google-analytics.com.=64.125.87.101;
www.bing.com.=92.123.68.97;
search.yahoo.com.=72.30.186.249;
www.search.yahoo.com.=72.30.186.249;
uk.search.yahoo.com.=87.248.112.8;
ca.search.yahoo.com.=100.6.239.84;
de.search.yahoo.com.=87.248.112.8;
fr.search.yahoo.com.=87.248.112.8;
au.search.yahoo.com.=87.248.112.8;
ad-emea.doubleclick.net.=64.125.87.101;
www.statcounter.com.=64.125.87.101;

The Lizamoon mass SQL injection connection

The same email used to register the SQL injected domains jamesnorthone@hotmailbox.com has been used to register the Lizamoon mass SQL injection attack domains extensively profiled here - "Dissecting the Massive SQL Injection Attack Serving Scareware".

Related posts:
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely, the spamvertised Uniform Traffic Tickets and the FDIC Notification.

_Uniform Traffic Tickets

Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip

Detection rates:
Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii -  Detection rate: 37/43 (86.0%)
MD5   : 6361d4a40485345c18473f3c6b4b6609
SHA1  : 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725

Ticket1.exe - Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8%)
MD5   : e2a2d67b8a52ae655f92779bec296676
SHA1  : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc

Upon execution the samples phone back to:
sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com
rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com

DNS emulation of ns1.lemanbrostm.info reveals two domains belidiskalom.com - 178.208.76.175 - Email: admin@belidiskalom.com and lemanbrostm.info - Email: coz@yahoo.com using the same name server. 

Known MD5 modifications for pusk3.exe at rattsillis.com:
c6dab856705b5dfd09b2adbe10701b05
f167213c6a79f2313995e80a8ac29939
f4764cce5c3795b1d63a299a5329d2e2
dae9e7653573478a6b41a62f7cb99c12
69c983c9dfaf37e346004c9aaf54a3d0
d875b8e32a231405c7fa96b810e9b361
628270c6e44b0fa21ef8e87c6bc36f57
9b69dabd876e967bcd2eb85465175e3b
0434c084dba8626df980c7974d5728e1

Related binaries and associated MD5 modifications:
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac;
rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8

Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4

sdkjgndfjnf.ru/blood.exe -  MD5: 577cf0b7ca3d5bcbe35764024f241fa8

Detection rate for blood.exe:
blood.exe - Trojan-Spy.Win32.Zbot - 25/44 (56.8%)
MD5   : 577cf0b7ca3d5bcbe35764024f241fa8
SHA1  : 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18

_FDIC Notification

Spamvertised attachments: FDIC_Document.zip

Detection rate:FDIC_Document.exe -  Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5%)
MD5   : 7b5a271c58c6bb18d79cd48353127ff6
SHA1  : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0

Upon execution phones back to:
rattsillis.com/ftp/g.php
rattsillis.com/blood.exe
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

What's particularly interesting is the fact that both campaigns have been launched by the same cybercriminal, with the same C&C - rattsillis.com also seen in the spamvertised ACH Payment Canceled campaign.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Keeping Money Mule Recruiters on a Short Leash - Part Eleven


The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Money mule recruitment domains:

ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com   
ACWOODE-GROUP.NET - 78.46.105.205 - Email: admin@acwoode-group.net
ART-GAPSON.COM - 78.46.105.205 - Email: admin@art-gapson.com
CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net
CONDORLLC-UK.COM - Email: plods@fxmail.net
DE-DVFGROUP.BE
ELENTY-CO.NET - Email: abcs@mailti.com
ELENTY-LLC.COM - 78.46.105.205 - Email: admin@elenty-llc.com
fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org
fine-artgroup.com - 209.190.4.91
GAPSONART.NET - 78.46.105.205 - Email: admin@gapsonart.net
gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com   
GURU-GROUP.CC - 78.46.105.205 - Email: admin@guru-group.cc
GURU-GROUP.NET - 78.46.105.205 - Email: jj@cutemail.org
INTECHTODEX-GROUP.COM - 78.46.105.205 - Email: uq@mail13.com
ltd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com
NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net
NARTENART.NET - 78.46.105.205 - Email: admin@nartenart.net
panart-llc.com - 78.46.105.205 - Email: admin@panart-llc.com
REFINEMENT-ANTIQUE.COM - 78.46.105.205 - Email: xe@fxmail.net
REFINEMENTUK-LTD.NET - 78.46.105.205 - Email: admin@refinementuk-ltd.net
SKYLINE-ANTIQUE.COM - 78.46.105.205 - Email: blurs@mailae.com
SKYLINE-LTD.NET - 78.46.105.205 - Email: admin@skyline-ltd.net
techce-group.com - 184.168.64.173 - Email: admin@techce-group.com
TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net
triad-webs.com - 85.17.24.226

The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; AS16265, LeaseWeb B.V. Amsterdam; AS26496, GODADDY .com, Inc.; AS10297, RoadRunner RR-RC-Enet-Columbus.

Name servers of notice:
NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru
NS2.MKNS.SU - 46.4.148.119
NS3.MKNS.SU - 184.82.158.76
NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru
NS2.MNAMEDL.SU - 46.4.148.118
NS3.MNAMEDL.SU - 184.82.158.75
NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru
NS2.MLDNS.SU - 46.4.148.74
NS3.MLDNS.SU - 184.82.158.74
NS1.NAMESUKNS.CC - Email: pal@bz3.ru
NS2.NAMESUKNS.CC
NS3.NAMESUKNS.CC
NS1.NAMEUK.AT - Email: admin@nameuk.at
NS2.NAMEUK.AT
NS3.NAMEUK.AT
NS1.UKDNSTART.NET - Email: admin@ukdnstart.ne
NS2.UKDNSTART.NET
NS3.UKDNSTART.NET

Monitoring of ongoing money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Ten
Keeping Money Mule Recruiters on a Short Leash - Part Nine
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Keeping Money Mule Recruiters on a Short Leash - Part Ten


The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Currently active money mule recruitment domains:
ACWOODE-GROUP.COM - 184.168.64.173 - Email: admin@acwoode-group.com
ACWOODE-GROUP.NET - 184.168.64.173 - Email: admin@acwoode-group.net
ART-GROUPINTEGRETED.COM - 78.46.105.205 - Email: admin@art-groupintegreted.com
ARTINTEGRATED-GROUP.NET - 78.46.105.205 - Email: crony@cutemail.org
COMPLETE-ART-GROUP-LTD.COM - 193.105.134.233 - Email: saps@cutemail.org
COMPLETE-ART-UK.NET - 193.105.134.232 - Email: admin@complete-art-uk.net
CONDORLLC-UK.COM - 193.105.134.231 - Email: plods@fxmail.net
CONDOR-LLC-UK.NET - 193.105.134.233 - Email: admin@condor-llc-uk.net
CONTEMP-USAINC.COM - 184.168.64.173 - Email: admin@contemp-usainc.com
CONTEMP-USGROUP.COM - 184.168.64.173 - Email: admin@contemp-usgroup.com
DE-KADEGROUP.CC - 193.105.134.230 - Email: cents@mailae.com
DERWOODE-GROUP.CC - 98.141.220.115 - Email: web@derwoode-group.cc
ELENTY-CO.NET - 184.168.64.173 - Email: abcs@mailti.com
ELENTY-LLC.COM - 184.168.64.173 - Email: admin@elenty-llc.com
GAPSONART.NET - 184.168.64.173 - Email: admin@gapsonart.net
GLACIS-GROUPUK.NET - 78.46.105.205 - Email: admin@glacis-groupuk.net
GURU-GROUP.CC - 184.168.64.173 - Email: admin@guru-group.cc
GURU-GROUP.NET - 184.168.64.173 - Email: jj@cutemail.org
INTECHTODEX-GROUP.COM - 184.168.64.173 - Email: uq@mail13.com
INTEGRATED-EUROPE-IT.NET - 78.46.105.205 - Email: admin@integrated-europe-it.net
ITAGROUP-USA.NET - 98.141.220.117 - Email: admin@itagroup-usa.net
IT-ANALISYS.COM - 98.141.220.115 - Email: yea@mailae.com
ITANALYSISGROUP.NET - 98.141.220.116 - Email: admin@itanalysisgroup.net
KADE-GROUPDE.NET - 78.46.105.205 - Email: zigzag@fxmail.net
MASTERARTUSA.COM - 98.141.220.114 - Email: day@mailae.com
NARTEN-ART.COM - 209.190.4.91 - Email: glamor@fxmail.net
NARTENART.NET - 209.190.4.91 - Email: admin@nartenart.net
quad-groupuk.cc - 78.46.105.205 - Email: prissy@mailae.com
REFINEMENT-ANTIQUE.COM - 184.168.64.173 - Email: xe@fxmail.net
SCAR-BEIINC.COM - 184.168.64.173 - Email: admin@scar-beiinc.com
SKYLINE-ANTIQUE.COM - 209.190.4.91 - Email: blurs@mailae.com
SKYLINE-LTD.NET - 209.190.4.91 - Email: admin@skyline-ltd.net
SMARTLLC-UK.COM - 193.105.134.234 - Email: admin@smartllc-uk.com
SMART-LLC-UK.NET - 193.105.134.233 - Email: pol@mailae.com
SPECIAL-ARTUK.COM - 193.105.134.232 - Email: admin@special-artuk.com
SUBLIMELTD.COM - 98.141.220.118 - Email: admin@sublimeltd.com
TODEX-GROUP.NET - 184.168.64.173 - Email: admin@todex-group.net


The domains reside within the following ASs: AS10297, RoadRunner RR-RC; AS42708; PORTLANE Network; AS26496; GODADDY.com; AS29713, INTERPLEXINC; AS24940, HETZNER-AS Hetzner Online.

Name servers of notice:
NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru
NS2.MKNS.SU - 46.4.148.119
NS3.MKNS.SU - 184.82.158.76
NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru
NS2.MLDNS.SU - 46.4.148.74
NS3.MLDNS.SU -     184.82.158.74
NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru
NS2.MNAMEDL.SU - 46.4.148.118
NS3.MNAMEDL.SU - 184.82.158.75
NS1.DNSUS.SU -     217.23.15.137 - Email: wifi@yourisp.ru
NS2.DNSUS.SU - 87.118.81.7
NS3.DNSUS.SU - 87.118.81.10
NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru
NS2.NAMEUSNS.SU - 84.19.161.7
NS3.NAMEUSNS.SU - 84.19.161.10
NS1.USDENNS.SU - 217.23.15.136 - Email: lipstick@free-id.ru
NS2.USDENNS.SU - 84.19.161.7
NS3.USDENNS.SU - 84.19.161.10
NS1.NAMESUKNS.CC - 86.55.210.4 - Email: pal@bz3.ru
NS2.NAMESUKNS.CC - 193.105.134.232
NS3.NAMESUKNS.CC - 193.105.134.237
NS1.NAMEUK.AT - 86.55.210.5 - Email: admin@nameuk.at
NS2.NAMEUK.AT - 193.105.134.233
NS3.NAMEUK.AT - 193.105.134.236
NS1.UKDNSTART.NET - 86.55.210.5 - Email: admin@ukdnstart.net
NS2.UKDNSTART.NET - 193.105.134.233
NS3.UKDNSTART.NET - 193.105.134.236
NS1.DENDRUYOS.NET - 86.55.210.4 - Email: admin@dendruyos.net
NS2.DENDRUYOS.NET - 193.105.134.232
NS3.DENDRUYOS.NET - 193.105.134.237
NS1.DEDNSAUTH.NET - 86.55.210.2 - Email: admin@dednsauth.net
NS2.DEDNSAUTH.NET - 193.105.134.230
NS3.DEDNSAUTH.NET - 193.105.134.239
NS1.DELTOPOOR.AT - 86.55.210.3 - Email: admin@deltopoor.at
NS2.DELTOPOOR.AT - 193.105.134.231
NS3.DELTOPOOR.AT - 193.105.134.238

Monitoring of ongoing money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Nine
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Keeping Money Mule Recruiters on a Short Leash - Part Nine


The following brief summarizes currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds.

Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online:
ATLANTALTD-UK.CC - 193.105.134.233
ATLANTA-LTD-UK.NET - 78.46.105.205 - Email: admin@atlanta-ltd-uk.net
3ATLANTA-UK.COM - 193.105.134.233
BLITZNET-GROUPINC.CC - 78.46.105.205 - Email: admin@derwart-group.at
5DALI-STYLE.COM - 98.141.220.117
DALISTYLE-GROUP.CC - 98.141.220.118 - Email: tolls@mailti.com
DERWOODE-GROUP.COM - 98.141.220.117
DERWOODE-GROUP.NET - 98.141.220.117
GLACIS-GROUPLLC.COM - 193.105.134.232
1GLACISGROUP-LLC.NET - 193.105.134.233
IT-AMIRA.NET - 86.55.210.3 - Email: support@it-amira.net
ITAMIRA-DE.COM - 86.55.210.6 - Email: admin@itamira-de.com
ITSERV-DE.CO - 78.46.105.205 - Email: admin@itserv-de.co
IT-SERVICELTD.BE - 78.46.105.205
KADE-GROUP.COM - 86.55.210.4 - Email: admin@kade-group.com
MASTERART-GROUP.COM - 98.141.220.116 - Email: east@mail13.com
MENDRYLTD.COM - 98.141.220.117 - Email: admin@mendryltd.com
MENZEL-GROUP.TV - 98.141.220.118 - Email: admin@devotion-company.com
MITISSANSERVICE-GROUP-LTD.CC - 98.141.220.117 - Email: berra@cutemail.org
MITISSANSERVICEGROUP-LTD.COM - 98.141.220.117 - Email: alibi@mailae.com
oregonltd-uk.cc - 86.55.210.5 - Email: cause@ca4.ru
PARLEN-GROUPLLC.COM - 98.141.220.118 - Email: admin@parlen-groupllc.com
PARLENGROUPLLC.NET - 98.141.220.114
PARLEN-GROUP-USA.COM - 98.141.220.118
quad-groupuk.cc - 86.55.210.6 - Email: prissy@mailae.com
QUAD-GROUPUK.CC - 86.55.210.6 - Email: prissy@mailae.com
QUAD-IT-GROUP.COM  - 193.105.134.232 - Email: admin@quad-it-group.com
QUINTAGROUP.CC - 98.141.220.117 - Email: cola@mailae.com
QUINTA-GROUPUS.COM - 98.141.220.118 - Email: admin@quinta-groupus.com
QUINTA-LLC.NET - 98.141.220.118 - Email: admin@quinta-llc.net
REXTECHINNOVATION.COM - 98.141.220.118 - Email: admin@rextechinnovation.com
REXTECHLTD.CC - 98.141.220.115 - Email: blurt@fxmail.net
REXTECHLTD-US.COM - 98.141.220.118 - Email: admin@rextechltd-us.com
SPECIAL-ART-LTD.COM - 193.105.134.233 - Email: admin@special-art-ltd.com
SPECIAL-ART-UK.CC - 193.105.134.234
SUBLIME-LTD.NET - 98.141.220.118 - Email: admin@sublime-ltd.net
TARGETMARKETGROUP-LLC.CC - 98.141.220.117 - Email: admin@targetmarketgroup-llc.cc
TAZPROGLTD-US.COM - 98.141.220.117 - Email: admin@tazprogltd-us.co
VNSPROJECT-DE.CC - 78.46.105.205 - Email: admin@vnsproject-de.cc
VORTEXLLC-UK.COM - 193.105.134.232 - Email: admin@vortexllc-uk.com
VORTEX-LLC-UK.NET - 193.105.134.230 - Email: admin@vortex-llc-uk.net


Name servers of notice:
NS1.NAMESUKNS.CC - 178.162.172.48 - Email: pal@bz3.ru
NS2.NAMESUKNS.CC - 69.10.56.131
NS3.NAMESUKNS.CC - 66.199.229.123

NS1.NAMEUK.AT - 178.162.172.57 - Email: admin@nameuk.at
NS2.NAMEUK.AT - 69.10.56.132
NS3.NAMEUK.AT - 66.199.229.124

NS1.UKDNSTART.NET - 178.162.172.40 - Email: admin@ukdnstart.net
NS2.UKDNSTART.NET - 69.10.56.130
NS3.UKDNSTART.NET - 66.199.229.122

NS1.DNSUS.SU - 217.23.15.137 - Email: wifi@yourisp.ru
NS2.DNSUS.SU - 87.118.81.7
NS3.DNSUS.SU - 87.118.81.10

NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru
NS2.NAMEUSNS.SU - 84.19.161.7
NS3.NAMEUSNS.SU - 84.19.161.10

NS1.USDENNS.SU - 217.23.15.136 -  Email: lipstick@free-id.ru
NS2.USDENNS.SU - 84.19.161.7
NS3.USDENNS.SU - 84.19.161.10

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

A Peek Inside the Vertex Net Loader


It appears that the author of the of the DarkComet RAT has been keeping himself rather busy.

In early-stage development (currently in BETA), the Vertex Net Loader is your typical web-based command and control malware loader, worth keeping an eye on.

More details:
Info on the loader:
This is the small program that will send/retrieve info from/to the web panel , it is like the server part of a RAT. The loader is coded in C++. Size unpacked is ~100kb , compressed is very small and still stable. I choose C++ as the language for this project cause i code C++ since a long time but i never release some security soft, so as a friend said it is a shame to have a knowledge in C++ and don’t use it instead of Delphi all the time. Also C++ is faster and more stable than any other language.

Features of the loader:
- Send message box
- Execute any kind of commands
- close loader process
- Download files and execute them
- Get the process list
- Get the modules list from PID
- Set the keylogger status ON/OFF
- Retrieve the keylogger logs
- Read the file content and retrieve it
- Uninstall the loader
- Httpflood same technologies as i used for DarkComet that is very powerfull
- Remote shell
- Visit any webpage


Upcoming features:
- FWB
- More commands
- Panel Installer
- More possibilities in the webpanel
- User manager in the panel
- Plugins support
- and more.



Monitoring of Vertex Net Loader's development is ongoing.

Related posts:
A Peek Inside a New DDoS Bot - "Snap"
Coding Spyware and Malware for Hire
Will Code Malware for Financial Incentives
E-crime and Socioeconomic Factors
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based


This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT


With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices in particular a very well segmented group of mule recruiters using identical templates which they've purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offine:
allston-groupsec.cc
atca-inc.com
atcanetworks.net
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
BANDS-GROUPSVC.COM
BANDS-INC.COM
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
evolving-inc.com
evolvingsysinc.net
galleogroupnet.net
galleo-inc.com
GIANT-GROUPCO.NET
GIANTGROUPINC.COM
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
HOSTGROUPINC.COM
HOSTGROUP-INC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
ICT-GROUPCO.COM
ICTGROUPINC.COM
ICTGROUPNET.CC
ICT-GROUPSVC.NET
IMPERIALGROUPCO.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
infotechgroup-inc.com
jvc-inc.com
magnet-groupinc.cc
netmarket-inc.com
netmarkettech.net
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC
USIGROUPINC.COM
USIGROUP-INC.COM
USI-GROUPINC.NET
USIGROUPNET.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW

developgroupinc.net - 69.50.199.209 - Email: slows@5mx.ru
develop-inc.com - 69.50.199.209 - Email: etude@qx8.ru
mercygroupnet.net - 69.50.198.218 - Email: bowie@bigmailbox.ru
mercy-inc.com - 69.50.198.221 - Email: spout@freenetbox.ru
solarisgroupinc.com - 69.50.199.209 - Email: slows@5mx.ru
solarisgroupnet.net - 69.50.198.197 - Email: sharp@maillife.ru
jvc-inc.com - 69.50.198.210 - Email: etude@qx8.ru
jvcgroupnet.net - 69.50.198.221 - Email: spout@freenetbox.ru

Name servers of notice, historical OSINT for the responding IPs provided:
ns1.kalipso19.cc - 208.110.80.34 - Email: tarts@freenetbox.ru
ns2.kalipso19.cc - 64.85.169.70
ns3.kalipso19.cc - 173.208.132.42

ns1.mamacholi.net - 208.110.80.35 - Email: excess@bigmailbox.ru
ns2.mamacholi.net - 64.85.169.71
ns3.mamacholi.net - 173.208.132.43

ns1.rjevski.com - 208.110.80.34 - Email: low@bigmailbox.ru
ns2.rjevski.com - 64.85.169.70
ns3.rjevski.com - 173.208.132.42

ns1.runlesrun.cc - 208.110.80.37 - Email: frost@bigmailbox.ru
ns2.runlesrun.cc - 64.85.169.73
ns3.runlesrun.cc - 173.208.132.45

ns1.skotinko.net - 208.110.80.38 - Email: info@dnregistrar.ru
ns2.skotinko.net - 64.85.169.74
ns3.skotinko.net - 173.208.132.46

ns1.solojumper.com - 208.110.80.36 - Email: crime@bigmailbox.ru
ns2.solojumper.com - 64.85.169.72
ns3.solojumper.com - 173.208.132.44

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Dissecting the Massive SQL Injection Attack Serving Scareware


A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using mass vulnerability scanning tools, with the help of search engines which have already crawled the vulnerable sites.

What's particularly interesting about this campaign, is the fact that the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign, expose the domain portfolios and the entire campaign structure.

UPDATED: Related SQL injected URLs courtsesy of WebSense:
online-stats201.info/ur.php - Email: tik0066@gmail.com
stats-master111.info/ur.php - Email: tik0066@gmail.com
agasi-story.info/ur.php - 91.217.162.45 - Email: tik0066@gmail.com
general-st.info/ur.php - Email: tik0066@gmail.com
extra-service.info/ur.php - Email: tik0066@gmail.com
sol-stats.info/ur.php - Email: tik0066@gmail.com
google-stats49.info/ur.php - Email: tik0066@gmail.com
google-stats45.info/ur.php - Email: tik0066@gmail.com
google-stats50.info/ur.php - Email: tik0066@gmail.com
google-server43.info/ur.php - Email: tik0066@gmail.com
stats-master88.info/ur.php - Email: tik0066@gmail.com
eva-marine.info/ur.php - 109.236.81.28 - Email: tik0066@gmail.com
stats-master99.info/ur.php - Email: tik0066@gmail.com
tzv-stats.info/ur.php - Email: tik0066@gmail.com
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com

SQL injected URLs:
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com
worid-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com

Upon successful redirection, the campaign attempts to load the scareware domains defender-nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com

Detection rate:
freesystemscan.exe - Trojan/Win32.FakeAV - Result: 9/ 41 (22.0%)
MD5   : 815d77f8fca509dde1abeafabed30b65
SHA1  : 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c

Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also:
antivirus-1091.co.cc
antivirus-1574.co.cc
antivirus-2051.co.cc
antivirus-2525.co.cc
antivirus-2932.co.cc
antivirus-3654.co.cc
antivirus-3833.co.cc
antivirus-4063.co.cc
antivirus-418.co.cc
antivirus-4303.co.cc
antivirus-4749.co.cc
antivirus-495.co.cc
antivirus-5216.co.cc
antivirus-5676.co.cc
antivirus-5802.co.cc
antivirus-6437.co.cc
antivirus-6703.co.cc
antivirus-7081.co.cc
antivirus-713.co.cc
antivirus-728.co.cc
antivirus-7357.co.cc
antivirus-8072.co.cc
antivirus-9009.co.cc
antivirus-9638.co.cc
antivirus-9667.co.cc
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-aqeu.co.cc
defender-asng.co.cc
defender-atio.in - Email: terriduverger3239@gmail.com
defender-atxo.in - Email: celineiebba9266@gmail.com
defender-bcvs.in - Email: martinefinklea5375@gmail.com
defender-bwuy.co.cc
defender-cron.in - Email: lisasuresh9147@gmail.com
defender-ddbr.in - Email: selenajohansson9195@gmail.com
defender-dteo.in - Email: giovannaraggio5417@gmail.com
defender-eahy.co.cc
defender-eklq.in - Email: sebastiensheppard8680@gmail.com
defender-endl.in - Email: adamgaylard1113@gmail.com
defender-ewum.co.cc
defender-eyde.co.cc
defender-fmof.in - Email: kamillamartin1237@gmail.com
defender-fola.co.cc
defender-gnva.in - Email: ananddaher7294@gmail.com
defender-grlt.in - Email: anthonygaylard9887@gmail.com
defender-hipw.in - Email: angiejohansen9730@gmail.com
defender-hjlk.in - Email: jennwrayford2124@gmail.com
defender-hmfu.in - Email: lynnbone8026@gmail.com
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com
defender-htlu.in - Email: jerihamann4163@gmail.com
defender-iibk.co.cc
defender-iies.co.cc
defender-iksl.in - Email: amarasanders9974@gmail.com


defender-isde.co.cc
defender-iyrc.co.cc
defender-jgnl.in - Email: caseyalzen3316@gmail.com
defender-jihv.co.cc
defender-keod.in - Email: khashayarbirss4814@gmail.com
defender-kuts.in - Email: rogerfrancis3322@gmail.com
defender-kwwh.in - Email: tobyboisseau6505@gmail.com
defender-kzwu.co.cc
defender-labm.in - Email: gregorybradford1520@gmail.com
defender-lcoh.in - Email: timothythomas6924@gmail.com
defender-nhei.co.cc
defender-nrpr.in - Email: burtonalba8156@gmail.com
defender-ojbr.in - Email: fucknielsen8675@gmail.com
defender-osbi.in - Email: fidelslattum2159@gmail.com
defender-pakc.in - Email: sabrinawheelock7642@gmail.com
defender-ppdw.in - Email: divinakempton5670@gmail.com
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com
defender-qotg.in - Email: franchescaili9704@gmail.com
defender-qpwo.in - Email: carlaadams@gmail.com
defender-qsko.co.cc
defender-qumf.in - Email: carlaadams@gmail.com
defender-rlag.in - Email: carmichaelmail@gmail.com
defender-rrin.in - Email: kevincharoenset5321@gmail.com
defender-thga.in - Email: youngantonio6055@gmail.com
defender-ueuv.co.cc
defender-uqko.in - Email: christinakaaikati5574@gmail.com
defender-vflq.in - Email: terriacuna2081@gmail.com
defender-vlmj.in - Email: lauriefreeman9930@gmail.com
defender-vqqn.in - Email: chrisjames4421@gmail.com
defender-vxgh.in - Email: griseldavelez5369@gmail.com
defender-wkiw.in - Email: otisvaladez7778@gmail.com
defender-wqga.in - Email: christodoulosglidden8856@gmail.com
defender-wrhw.in - Email: bradsuresh1406@gmail.com
defender-wtln.co.cc
defender-xcre.in - Email: pavelmayer4891@gmail.com
defender-xnnx.in - Email: pavelmayer4891@gmail.com
defender-ykym.co.cc
movie-iirg.in - Email: misslynn8546@gmail.com
movie-pblv.in - Email: judgewright4021@gmail.com
movies-live-tube-jeyq.co.cc
movie-tkhk.in - Email: terrymeally1288@gmail.com
movie-tube-beym.co.cc
movie-tube-juie.co.cc

movie-ueep.in - Email: celinekevin6179@gmail.com
movieway2011.com - Email: contact@privacyprotect.org
movie-xbtb.in - Email: sanfordross9242@gmail.com
movie-xxnl.in - Email: ianbalitsaris3201@gmail.com
softway2011.com - Email: contact@privacyprotect.org
system-scanner-boep.co.cc
system-scanner-eill.co.cc
system-scanner-eopa.co.cc
system-scanner-ewqq.co.cc
system-scanner-iaap.co.cc
system-scanner-ieyx.co.cc
system-scanner-lcyo.co.cc
system-scanner-ouny.co.cc
system-scanner-oypx.co.cc
system-scanner-qeap.co.cc
system-scanner-racv.co.cc
system-scanner-ryes.co.cc
system-scanner-tzii.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
system-scanner-uyxt.co.cc
system-scanner-vpoo.co.cc
system-scanner-xtoi.co.cc
system-scanner-yoyx.co.cc
system-scanner-ytut.co.cc


Rotated scareware domains involved in the campaign, responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO):
defender-thga.in - Email: youngantonio6055@gmail.com
defender-wqga.in - Email: christodoulosglidden8856@gmail.com
defender-gnva.in - Email: ananddaher7294@gmail.com
defender-rlob.in - Email: vasikaranfreudenburg2690@gmail.com
defender-abcc.in - Email: rubysmart5057@gmail.com
defender-pakc.in - Email: sabrinawheelock7642@gmail.com
defender-keod.in - Email: khashayarbirss4814@gmail.com
defender-xcre.in - Email: pavelmayer4891@gmail.com
defender-qumf.in - Email: rachelalba1891@gmail.com
defender-fmof.in - Email: kamillamartin1237@gmail.com
defender-uvag.in - Email: espenkeck7682@gmail.com
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com
defender-vxgh.in - Email: griseldavelez5369@gmail.com
defender-lcoh.in - Email: timothythomas6924@gmail.com
defender-kwwh.in - Email: tobyboisseau6505@gmail.com
defender-osbi.in - Email: fidelslattum2159@gmail.com
defender-wbui.in - Email: carlosbuntschu1238@gmail.com
defender-vlmj.in - Email: lauriefreeman9930@gmail.com
defender-hjlk.in - Email: lauriefreeman9930@gmail.com
defender-endl.in - Email: adamgaylard1113@gmail.com
defender-jgnl.in - Email: caseyalzen3316@gmail.com
defender-iksl.in - Email: marasanders9974@gmail.com
defender-labm.in - Email: gregorybradford1520@gmail.com
defender-rrin.in - Email: kevincharoenset5321@gmail.com
defender-sxin.in - Email: taloupavlinovich7166@gmail.com
defender-cron.in - Email: lisasuresh9147@gmail.com
defender-vqqn.in - Email: chrisjames4421@gmail.com
defender-dteo.in - Email: giovannaraggio5417@gmail.com
defender-uqko.in - Email: christinakaaikati5574@gmail.com
defender-qpwo.in - Email: carlaadams@gmail.com
defender-atxo.in - Email: celineiebba9266@gmail.com
defender-rlfp.in - Email: latanyamuscatell9507@gmail.com
defender-vflq.in - Email: terriacuna2081@gmail.com
defender-eklq.in - Email: sebastiensheppard8680@gmail.com
defender-ddbr.in - Email: selenajohansson9195@gmail.com
defender-ojbr.in - Email: fucknielsen8675@gmail.com
defender-drnr.in - Email: sumanvcasquez2008@gmail.com
defender-nrpr.in - Email: burtonalba8156@gmail.com
defender-kuts.in - Email: rogerfrancis3322@gmail.com
defender-bcvs.in - Email: martinefinklea5375@gmail.com
defender-grlt.in - Email: anthonygaylard9887@gmail.com
defender-hmfu.in - Email: lynnbone8026@gmail.com
defender-htlu.in - Email: jerihamann4163@gmail.com
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-ppdw.in - Email: divinakempton5670@gmail.com
defender-wrhw.in - Email: bradsuresh1406@gmail.com
defender-wkiw.in - Email: otisvaladez7778@gmail.com
defender-hipw.in - Email: angiejohansen9730@gmail.com
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com
defender-xnnx.in - Email: sylviawulff2140@gmail.com
defender-xkox.in - Email: ryanmartin7607@gmail.com

The scareware domains have been registered using automatically registered email accounts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by using a single email only.

Monitoring of the campaign is ongoing.

Related posts:
This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Keeping Money Mule Recruiters on a Short Leash - Part Six


Following my previous post on "Keeping Money Mule Recruiters on a Short Leash - Part Five", in this post we're once again going to expose a portfolio of money mule recruitment domains, their related ASs and name servers of notice, including some additional SpyEye activity within one of the ASs.

What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents aiming to boost the visitor's confidence in the mule recruitment company. Sample "certified by" documents include:

Money mule recruitment web sites:
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - seen here 
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info
art-marketllc.cc - Email: hear@ppmail.ru
ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc
artsolveltd.cc - Email: admin@artsolveltd.cc
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc
artsolveltdco.at - Email: admin@artsolveltd.cc
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc
atlant-groupinc.cc - Email: bombay@yourisp.ru - seen here
Atlant-usainc.net - Email: admin@atlant-usainc.net
BREDGARCORP-ANT.BE
CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru
DEVAS-LLC.CO - Email: gate@ppmail.ru
DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
FINTEC-UKLTD.WS
fintec-ukltd.ws
fourthgroup-ltd.cc - Email: rots@cheapbox.ru
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net
generation-groupltd.cc - Email: jz@ppmail.ru
I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at
katemdutkins.co.cc
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
LILACGROUP-LLC.CO - Email: baggy@bz3.ru
MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info
moneyvisual-ukllc.com - Email: admin@moneyvisual-ukllc.com
nimrodltd-uk.net - Email: admin@nimrodltd-uk.net
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net
qead-groupllc.net - Email: admin@qead-groupllc.net
RENAISSANCELLC.BE
renaissancellc.be
renaissance-llc.cc - Email: admin@renaissance-llc.cc
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru
ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com
STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
THRONEGROUP-LLC.CO - Email: floyd@ca4.ru
THRONE-UK.AT - Email: admin@throne-uk.at
TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net
TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru
westerntrust.co.uk
westview-art.net - Email: admin@westview-art.net


Domains responding to:
78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC.
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC.
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc.
193.105.134.230 - AS42708, PORTLANE Network
193.105.134.231 - AS42708, PORTLANE Network
193.105.134.232 - AS42708, PORTLANE Network
193.105.134.233 - AS42708, PORTLANE Network
193.105.134.234 - AS42708, PORTLANE Network
195.182.57.84 - AS47311, Cerannics-AS Cerannics llp
195.182.57.91 - AS47311, Cerannics-AS Cerannics llp
204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC

More malicious activity within AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:
188.40.198.185
188.40.87.88
www.privathosting.eu
spl.privathosting.eu
46.4.194.162
188.40.87.91
88.198.36.61


Name servers of notice:
ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns3.uknamo.com - 66.199.236.116
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
ns2.ukansnami.com - 178.162.181.11
ns3.ukansnami.com - 66.199.236.117
ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - seen here 
NS2.LIBUNITAU.CC - 66.199.236.115
NS3.LIBUNITAU.CC - 178.162.181.11
NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - seen here
NS2.AUSTDEC.CC - 66.199.236.114
NS3.AUSTDEC.CC - 178.162.181.11
NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - seen here 
NS2.SURPLUSUSA.CC - 76.73.47.26
NS3.SURPLUSUSA.CC - 69.50.192.97
NS1.USABONDS.CC - Email: bart@cheapbox.ru - seen here 
NS2.USABONDS.CC
NS3.USABONDS.CC

The cybercriminals have also switched from using unique emails for registrations to default admin@money-mule-recruitment domain type of structure. Monitoring of their money mule recruitment activities is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS

Keeping Money Mule Recruiters on a Short Leash - Part Five


With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distribution fraudulently obtained funds, part five of the "Keeping Money Mule Recruiters on a Short Leash" series are here to stay.

What's particularly interesting about the money mule recruitment domain portfolio that I'll expose, is the logical progression from bogus companies offering financial services, to a diverse set of companies occupying multiple markets/covering different market segments.

-Current trends - Localization and standardization/template-tization
A great example of this trend -- largely driven by the standardization and template-zation of money mule recruitment sites as a service- is Schwartz & Brothers LLC (schwartz-brothers.cc).

"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & Brothers LLC is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Schwartz & Brothers LLC is the premier art site for those seeking to buy or sell original art online."


From financial services to an entirely new market segment, whereas the entire recruitment process remains pretty static, excluding several time quality assurance oriented details. For instance, every potential mule is required to download a entry level job psychological test, which surprisingly asks directly whether the mule is from Australia, next to automatically choosing Australia as a country of origin at a later stage throughout the registration process.

Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are you/were you convicted?" in an attempt to combine the survey results with other details such the opening date of the bank account, as well as the average daily/weekly/monthly amount transferred.

- The Terms of Service
"DUTIES:
The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to process payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.

CONFIDENTIALITY:
The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures.

The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company.

The Contractor shall not retain any copies of the foregoing without the Company's prior written permission. The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder.

If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, such could be considered grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.

TERMS OF ENGAGEMENT:
The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to AUD 2300 per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills them not in good faith.The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.

COMPENSATION:
The Company undertakes to pay taxes accrued in connection with money transfer.The Company shall also reimburse part of expenses which are incurred in connection with money transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3%, i.e. commission for payment processing operation).The above difference will be automatically added to the base salary of the Contractor and paid once per month together with the base salary.

The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor. Should the Contractor delays re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by the Force Majeur circumstances and to apply to the arbitration and claim for the reimburse of the amount transferred to his account or for compensation for other damage if any, evicted due to the delay.

The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing or three (3) working days advance notice via e-mail or fax to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary.
"

- OSINT data for money mule recruitment sites
The following portfolio of money mule recruitment domains appears to have been registered using automated email registration tools, with the potential for CAPTCHA outsourcing clearly considered by the malicious parties, taking into consideration the even decreasing price for solving CAPTCHA challenges.

4STAR-SOLUTIONS.CC - Email: urge@bz3.ru
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru
ACOONGROUP-LLC.CO - Email: jx@ppmail.ru
AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: aryan@ppmail.ru
AMINA-GROUPCO.CO - Email: beige@ca4.ru
AMINA-GROUPINC.CC - Email: zowie@yourisp.ru
AMINAORG.CC - Email: range@ppmail.ru
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru
ARPHISGOLDGROUP-INC.CO - Email: ira@bz3.ru
AUS-FINANCE.CC - Email: ours@ca4.ru
BREDGAR-GROUPLLC.CC - Email: zoe@ca4.ru
BREDGARGROUP-LLC.CO - Email: judo@free-id.ru
CESIS-GROUPLLC.CC - Email: el@cheapbox.ru
CESISGROUP-LLC.CC - Email: flip@free-id.ru
CESIS-GROUPLLC.CO - Email: our@ca4.ru
COCOONGROUP-LLC.HK - Email: most@cheapbox.ru
CORES-GROUP.CC - Email: jaunt@cheapbox.ru
CORESGROUP-INC.CO - Email: yule@cheapbox.ru
CORES-GROUPLTD.CO - Email: liszt@bz3.ru
CRAFT-GROUPNET.CC - Email: room@yourisp.ru
DILIGENCE-GROUP.CO - Email: twig@ppmail.ru
DILIGENCE-GROUPINC.CC - Email: till@cheapbox.ru
DUNCROFT-GROUP-INC.CC - Email: swiss@ca4.ru
DUNCROFTGROUP-INC.CO - Email: shoot@ppmail.ru
ELSDEN-GROUPINC.HK - Email: lost@ppmail.ru
FARLINE-FIN.CO - Email: pecks@free-id.ru
FARLINE-FININC.CC - Email: cynic@free-id.ru
FILEGROUP-LLC.CO - Email: knelt@ca4.ru
FINTEC-LTD.CC - Email: w@yourisp.ru
FINTEC-UK.CO - Email: sons@bz3.ru


GLEICHFALLS-GROUPINC.CO - Email: tents@ppmail.ru
I-COMPASS-GROUP.CO - Email: wolf@ca4.ru
IM-SYSGROUP.CO - Email: truce@free-id.ru
IMSYSTEMS-GROUP.CC - Email: agate@bz3.ru
INCOGROUP-USA.CO - Email: beams@free-id.ru
JOURNEY-FINANCIAL.CC - Email: lulu@ca4.ru
LBMGROUPCO.CC - Email: dreamy@ppmail.ru
LBM-GROUPINC.CO - Email: coma@ca4.ru
LCD-FIN.CO - Email: salt@free-id.ru
LCD-FINANCE.CC - Email: fritz@bz3.ru
MACROTECHINC.CC - Email: cv@yourisp.ru
MACROTECH-UK.CO - Email: curl@cheapbox.ru
MALLOW-GROUP.CC - Email: cues@ppmail.ru
MALLOW-GROUPINC.CO - Email: hn@bz3.ru
MONEY-VISUALUK.CC - Email: hn@bz3.ru
MONEYVISUAL-LLC.CO - Email: yam@free-id.ru
MARFYGROUP.CC - Email: thorny@cheapbox.ru
MICHAELESGROUP-USA.CO - Email: knelt@ca4.ru
OLIVER-SONSINC.CC - Email: drub@cheapbox.ru
ONLINE-SOLUTIONSLLC.CC - Email: coma@ca4.ru
PEGASLTDUNION.cc - Email: prim@bz3.ru
PHYSIS-GROUPLLC.CC - Email: tt@ca4.ru
PHYSISGROUP-LLC.CO - Email: opals@free-id.ru
PINFOLD-GROUPINC.CO - Email: beams@free-id.ru
RADIUM-GROUP.CC - Email: spy@yourisp.ru
RADIUMUK-LTD.CC - Email: socks@cheapbox.ru
REDISCO-GROUPINC.HK - Email: wimp@ca4.ru
SANTORINI-FIN.CC - Email: gill@cheapbox.ru
SANTORINI-FINANCE.CO - Email: foul@yourisp.ru
SCHNELLER-GROUPINC.CO - Email: foul@yourisp.ru
SCHWARTZ-BROTHERS.cc - Email: oozed@bz3.ru
SILVERSUNGROUP-INC.CC - Email: cp@ca4.ru
SILVERSUN-GROUPUK.CO - Email: cheer@ca4.ru
SOLUTIONSLTD.CC - Email: h2o@ca4.ru
STILE-GROUPLLC.CC - Email: ma@free-id.ru
SUNRISEPR-GROUPLTD.CC - Email: cough@ppmail.ru
TECHADVINC.CC - Email: chance@cheapbox.ru
TECHADV-INC.CC - Email: chance@cheapbox.ru
TECHOUSE-GROUP.CC - Email: scale@yourisp.ru
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru
USGROUP-AMINA.CO - Email: cap@ca4.ru
USGROUP-REIGN.CO - Email: w@ppmail.ru
YESGROUP-LLC.CO - Email: twig@ppmail.ru

Name servers of notice:
NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: ached@yourisp.ru
NS1.NNSQUE.CC - Email: amok@cheapbox.ru
NS1.OLIVAU.CC - Email: bop@cheapbox.ru
NS1.PAGEREDNS.CC - 178.162.152.77 (AS28753) - Email: freer@free-id.ru
NS1.SURPLUSUSA.CC - 209.159.156.162 (AS19318) - Email: skulk@ppmail.ru
NS1.TVSILVAU.CC - Email: fact@ppmail.ru
NS1.UKNSSPACE.CC - 69.10.44.190 (AS19318) - Email: gravy@ca4.ru
ns1.uksource.cc - 69.10.44.189 (AS19318) - Email: liver@cheapbox.ru
NS1.USABONDS.CC - Email: bart@cheapbox.ru
NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: bold@yourisp.ru
NS2.COUKSNS.CC - 122.70.148.179 (AS55462) - Email: preen@ppmail.ru
ns2.gbtrade.cc - 66.199.236.114 (AS15149) - Email: ct@yourisp.ru
NS2.OLIVAU.CC - Email: bop@cheapbox.ru
NS2.RINGTONS.CC - 66.199.236.115 (AS15149) - Email: aaron@cheapbox.ru
NS2.TVSILVAU.CC - Email: fact@ppmail.ru
NS2.USAFUNDS.CC - 76.73.47.28 (AS30058) - Email: tile@yourisp.ru
NS2.ZONENSUK.CC - 178.162.181.11 (AS28753) - Email: rooms@ppmail.ru
NS3.AUSTDEC.CC - 178.162.181.11 (AS28753) - Email: bold@yourisp.ru
NS3.FOLOWDNS.CC - 178.162.181.11 (AS28753) - Email: dyed@bz3.ru
NS3.SDNSAU.CC - Email: level@cheapbox.ru
NS3.SURPLUSUSA.CC - 69.50.192.97 (AS18866) - Email: skulk@ppmail.ru
NS3.TVSILVAU.CC - Email: fact@ppmail.ru
NS3.UKCCONS.CC - 178.162.181.11 (AS28753) - Email: ted@cheapbox.ru
NS3.UKDNS.CC - 66.199.236.116 (AS15149) - Email: append@free-id.ru
ns3.ukearnings.cc - 178.162.181.11 (AS28753) - Email: bf@free-id.ru

ASs of notice using standart ns1;ns2; ns3 structure:
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE
AS19318 - NJIIX-1 NJIIX.net 110B Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE
AS15149 - EZZI-101-BGP EZZI

- Long term trends - "from mule inventory to transactions inventory"
With the localization and standardization/template-tization of the entire money mule recruitment process an every day's reality, quality assurance and diversification of the markets/market segments in order to increase the probability of successful social engineering attack, will start taking place. Moreover, the current template driven recruitment ecosystem will inevitably start taking advantage of basic concepts such as geolocation and content cloaking, in order to once again increase the probability for converting a web site visitor into a mule.

At an invite-only conference that I attended in September, 2010, someone from the audience asked me a rather interesting question. Does it really matter how many mules are recruited by a particular syndicate, and most importantly, can we talk about average number of days/weeks/hours by the time the mule gets busted, and can no longer offer his/her services?

In the long term, we're inevitably going to witness the migration from building inventories of mules to transaction-driven mule recruitment model where the capability-driven mentality surpasses the mule inventory building one. The number of possible transactions with success rates based on historical performance, combined with an infinite loop of recruitment is what will drive the entire mule recruitment ecosystem.

Related posts:
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

  • Digg
  • Del.icio.us
  • StumbleUpon
  • Reddit
  • RSS