Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 03/10/11

Thursday, March 10, 2011

Compromised University Leads to Fraudulent Pharmaceutical Ads

Continuing the Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads series, yet another university has been compromised by pharmaceutical scammers, part of an affiliate network.

In this very latest example of this tactic, seeking to abuse the high pagerank of the web site in question, the web site of the Department of Mathematics at Rutgers University (math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scammers.

Included URLs:
math.rutgers.edu/mdnews/levitraline.html
math.rutgers.edu/mdnews/levitrastory.html
math.rutgers.edu/mdnews/cialis-pills.html
math.rutgers.edu/mdnews/levitradosage.html
math.rutgers.edu/mdnews/viagra-buy-online.html

Redirects to:
worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com

The same affiliate ID is also active at:
usadrugstorenow.com/products/diflucan.htm?id=abamos - 212.117.185.19 - Email: usadrugstorenow.com@protecteddomainservices.com

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Spamvertised DHL Notification Malware Campaign

A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.

Sample filename: document.zip => DHL_notification.exe
Sample message: Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd - notice the typo.

DHL_notification.exe - Trojan-Spy.Win32.SpyEyes - Result: 27 /43 (62.8%)
MD5   : bda72e57d263241d52b1fe2ef014cba9
SHA1 : fa9dc14b100f1bf5124cd23c322c109b38a70675
SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70

Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
    - erherg34gsafwe.com/ftp/base.bin
    - erherg34gsafwe.com/ftp/ftpplug2.dll
    -     erherg34gsafwe.com/ftp/base.bin

Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

This post has been reproduced from Dancho Danchev's blog.

Dancho Danchev

Keeping Money Mule Recruiters on a Short Leash - Part Six

Following my previous post on "Keeping Money Mule Recruiters on a Short Leash - Part Five", in this post we're once again going to expose a portfolio of money mule recruitment domains, their related ASs and name servers of notice, including some additional SpyEye activity within one of the ASs.

What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents aiming to boost the visitor's confidence in the mule recruitment company. Sample "certified by" documents include:

Money mule recruitment web sites:
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - seen here
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info
art-marketllc.cc - Email: hear@ppmail.ru
ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc
artsolveltd.cc - Email: admin@artsolveltd.cc
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc
artsolveltdco.at - Email: admin@artsolveltd.cc
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc
atlant-groupinc.cc - Email: bombay@yourisp.ru - seen here
Atlant-usainc.net - Email: admin@atlant-usainc.net
BREDGARCORP-ANT.BE
CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru
DEVAS-LLC.CO - Email: gate@ppmail.ru
DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
FINTEC-UKLTD.WS
fintec-ukltd.ws
fourthgroup-ltd.cc - Email: rots@cheapbox.ru
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net
generation-groupltd.cc - Email: jz@ppmail.ru
I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at
katemdutkins.co.cc
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
LILACGROUP-LLC.CO - Email: baggy@bz3.ru
MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info
moneyvisual-ukllc.com - Email: admin@moneyvisual-ukllc.com
nimrodltd-uk.net - Email: admin@nimrodltd-uk.net
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net
qead-groupllc.net - Email: admin@qead-groupllc.net
RENAISSANCELLC.BE
renaissancellc.be
renaissance-llc.cc - Email: admin@renaissance-llc.cc
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru
ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com
STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
THRONEGROUP-LLC.CO - Email: floyd@ca4.ru
THRONE-UK.AT - Email: admin@throne-uk.at
TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net
TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru
westerntrust.co.uk
westview-art.net - Email: admin@westview-art.net

Domains responding to:
78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC.
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC.
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc.
193.105.134.230 - AS42708, PORTLANE Network
193.105.134.231 - AS42708, PORTLANE Network
193.105.134.232 - AS42708, PORTLANE Network
193.105.134.233 - AS42708, PORTLANE Network
193.105.134.234 - AS42708, PORTLANE Network
195.182.57.84 - AS47311, Cerannics-AS Cerannics llp
195.182.57.91 - AS47311, Cerannics-AS Cerannics llp
204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC

More malicious activity within AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:
188.40.198.185
188.40.87.88
www.privathosting.eu
spl.privathosting.eu
46.4.194.162
188.40.87.91
88.198.36.61