Wednesday, January 09, 2013

Summarizing Webroot's Threat Blog Posts for December

The following is a brief summary of all of my posts at Webroot's Threat Blog for December, 2012. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. DIY malicious domain name registering service spotted in the wild
02. Fake ‘FedEx Tracking Number’ themed emails lead to malware
03. Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
04. Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit
05. A peek inside a boutique cybercrime-friendly E-shop – part five
06. Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit
07. Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
08. Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware
09. Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data
10. Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
11. Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
12. Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild
13. Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs
14. Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware
15. Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit
16. Webroot’s Threat Blog Most Popular Posts for 2012

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, January 07, 2013

Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve

In the following (historical) intelligence brief, I'll provide you with some raw domain data of fake companies that are known to have attempted to recruit money mules over the past 2 years.

The domains listed here were registered by the same gang of cybercriminals that I've been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" posts.

Money mule recruitment domains:
compassllc-usa.com
linkllc-uk.com
very-compllc.com
click-n-art.com
infotechgroup-inc.com
amplitude-groupmain.tw
magnet-groupinc.cc
allston-groupsec.cc
DEVELOP-INC.COM
MERCYGROUPNET.NET
MERCY-INC.COM
SOLARISGROUPINC.COM
SOLARISGROUPNET.NET
JVC-INC.COM
JVCGROUPNET.NET
EVOLVINGSYSINC.NET
ATCANETWORKS.NET
ATCA-INC.COM
GALLEOGROUPNET.NET
GALLEO-INC.COM
EVOLVINGSYSINC.NET
EVOLVING-INC.COM
NETMARKET-INC.COM
NETMARKETTECH.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
INFOTECHGROUP-INC.COM
BANDS-GROUPSVC.COM
BANDS-INC.COM
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
ICT-GROUPCO.COM
ICT-GROUPSVC.NET
ICTGROUPINC.COM
ICTGROUPNET.CC
GIANT-GROUPCO.NET
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
GIANTGROUPINC.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
IMPERIALGROUPCO.COM
HOSTGROUP-INC.COM
HOSTGROUPINC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
bands-groupsvc.com
bands-inc.com
bandsgroup-inc.net
bandsgroupnet.cc
cnl-groupsvc.com
cnl-inc.com
cnlgroup-inc.cc
cnlgroupnet.net
giant-groupco.net
giant-groupinc.com
giant-groupnet.cc
giantgroupinc.com
host-groupsvc.net
hostgroup-inc.com
hostgroupinc.com
hostgroupnet.cc
ict-groupco.com
ict-groupsvc.net
ictgroupinc.com
ictgroupnet.cc
imperial-groupinc.com
imperial-groupsvc.net
imperialgroupco.com
infotech-groupco.net
infotech-groupinc.com
infotechgroup-inc.com
itcom-groupco.net
itcom-groupfine.cc
itcom-groupsvc.com
itcomgroup-inc.com
mgm-groupsvc.com
mgmgroup-inc.net
mgmgroupinc.com
mgmgroupnet.cc
usi-groupinc.net
usigroup-inc.com
usigroupinc.com
usigroupnet.cc
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC


Consider going through my previous research into one of the most popular 'risk-forwarding' tactic used by cybercriminals, namely, money mule recruitment.

Related posts on money mule recruitment:
Keeping Money Mule Recruiters on a Short Leash - Part Eleven
Keeping Money Mule Recruiters on a Short Leash - Part Ten
Keeping Money Mule Recruiters on a Short Leash - Part Nine
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve

In the following (historical) intelligence brief, I'll provide you with some raw domain data of fake companies that are known to have attempted to recruit money mules over the past 2 years.

The domains listed here were registered by the same gang of cybercriminals that I've been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" posts.

Money mule recruitment domains:
compassllc-usa.com
linkllc-uk.com
very-compllc.com
click-n-art.com
infotechgroup-inc.com
amplitude-groupmain.tw
magnet-groupinc.cc
allston-groupsec.cc
DEVELOP-INC.COM
MERCYGROUPNET.NET
MERCY-INC.COM
SOLARISGROUPINC.COM
SOLARISGROUPNET.NET
JVC-INC.COM
JVCGROUPNET.NET
EVOLVINGSYSINC.NET
ATCANETWORKS.NET
ATCA-INC.COM
GALLEOGROUPNET.NET
GALLEO-INC.COM
EVOLVINGSYSINC.NET
EVOLVING-INC.COM
NETMARKET-INC.COM
NETMARKETTECH.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
INFOTECHGROUP-INC.COM
BANDS-GROUPSVC.COM
BANDS-INC.COM
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
ICT-GROUPCO.COM
ICT-GROUPSVC.NET
ICTGROUPINC.COM
ICTGROUPNET.CC
GIANT-GROUPCO.NET
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
GIANTGROUPINC.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
IMPERIALGROUPCO.COM
HOSTGROUP-INC.COM
HOSTGROUPINC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
bands-groupsvc.com
bands-inc.com
bandsgroup-inc.net
bandsgroupnet.cc
cnl-groupsvc.com
cnl-inc.com
cnlgroup-inc.cc
cnlgroupnet.net
giant-groupco.net
giant-groupinc.com
giant-groupnet.cc
giantgroupinc.com
host-groupsvc.net
hostgroup-inc.com
hostgroupinc.com
hostgroupnet.cc
ict-groupco.com
ict-groupsvc.net
ictgroupinc.com
ictgroupnet.cc
imperial-groupinc.com
imperial-groupsvc.net
imperialgroupco.com
infotech-groupco.net
infotech-groupinc.com
infotechgroup-inc.com
itcom-groupco.net
itcom-groupfine.cc
itcom-groupsvc.com
itcomgroup-inc.com
mgm-groupsvc.com
mgmgroup-inc.net
mgmgroupinc.com
mgmgroupnet.cc
usi-groupinc.net
usigroup-inc.com
usigroupinc.com
usigroupnet.cc
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC


Consider going through my previous research into one of the most popular 'risk-forwarding' tactic used by cybercriminals, namely, money mule recruitment.

Related posts on money mule recruitment:
Keeping Money Mule Recruiters on a Short Leash - Part Eleven
Keeping Money Mule Recruiters on a Short Leash - Part Ten
Keeping Money Mule Recruiters on a Short Leash - Part Nine
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

Saturday, January 05, 2013

Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skimmers and Pinpads


On daily basis, I profile over a dozen of newly advertised (verified) vendors of ATM skimmers, indicating that this market segment is still quite successful, thanks to the overall demand for these 'tools-of-the-trade', allowing potential cybercriminals to enter the world of ATM skimming.

In this post part of the "Historical OSINT" series, I'll profile the underground market proposition of a vendor of GSM/USB ATM Skimmers and Pinpads, that appeared on my radar back in 2008, with an emphasis on the lack of OPSEC (Operational Security) applied by them, and the IP hosting changes of their main domain that took place throughout 2008, in particular, offer evidence of active multi-tasking on behalf of the same gang of cybercriminals.

What's particularly interesting about this vendor is the fact that, instead of advertising across popular and well known cybercrime-friendly Web communities, they themselves created a community around the market proposition, and started pitching their offer across the public Web, a clear indication for a lack of OPSEC (Operational Security) awareness.

On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) was registered using the alsaleh@gawab.com email. On 2009-01-07, the registration email changed to blanerds@hushmail.com. These emails are not known to have been used in previous cybercrime-friendly campaigns.

Throughout 2008, the darkforum.net domain constantly changed IPs. The following is a complete list of the IP changes:
64.74.96.241
69.64.145.229 -
IP already profiled in a previously published analysis
63.251.92.197
216.8.177.23
69.25.142.57
208.73.212.12
87.242.73.96 -
known C&C server
64.208.225.139

The advertised brochure of the vendor:
Overview of the technology involved: Here is how it all works.
Full operating instructions are included with the entire package, this page is here for informative purposes. The Card Reader reads ATM & credit cards and sends the data tracks through SMS to a phone. The pin-pad catches the pushing of the pin number through the keypad and also sends the data through SMS.

SMS data comes to a programmable mobile phone number, which you will set to a safe number of yours. It is advised to connect your phone to a computer, and download the track data to your computer as it arrives. After every 2 message track+pin combo, an SMS is sent from each GSM device with a status update. From your computer, you can keep track of the whole operation.



The GSM Kit comes with an MSR206 device and track writing software. From your computer, you retrieve the track data and pin numbers from SMS messages, and then write the tracks to swipe cards with the cloned ATM/Credit cards, you simply use the pin to cash them out at ATM machines.

Receiving:
Received Data on the computer is encrypted. For the decryption, there is a separate program, which is included on the software DVD. Decrypted data is then ready to be written on cards.

Thus we have a secure working environment. None of your cashiers or crew can get the unencrypted data. Only the user of the software, who controls the operation. This kit is built on brand new technology. We have put a lot of time and money into the development and design. As a result, this is currently the most efficient method of retrieving dumps and pins.

for example the first skimmers were used with a camera, and on the given moment of skimmer it works with the transmission of data on network GSM, with the sending SMS or with the subtraction of data after calling it. In this case the complete reliability of the work of equipment, checked by time and experience of many people. For example now we use the multilayer printed-circuit boards, similar, as are used in the laptop computers or mob telephones, with the silver contacts and the working from the oxidation although previously they were altogether only old boards. Now for the size decrease is necessary to proceed with decent expenditures in order to decrease the sizes and in this case to increase reliability.

Our skimmers were actually originally developed for personal use, not for sale. They were designed with the most robust, smallest and most efficient parts at each stage of the building process.



Why small? Well, it is better to have a small unit, that fits discretely onto the ATM machine. Why GSM? Because it is possible to receive SMS at from a remote location. Nobody has ever been caught by police with a GSM skimmer, to the best of our knowledge. Each day our team is working on the development of newer and newer technologies. From time to time we apply our improvements to our range of products. Thus we from time to time change to new designs of housings; we improve the capability of batteries, or the switching system. For example, the new version of our software has some improvements over previous versions and is regularly updated. Usually clients send on their feature requests and we are frequently building them into our newest kits.

Our skimmers can read a change in the rate of card conduction. For example, if we insert the card slowly, and then accelerate it, our magnetic strip reader will read and correct this. We read both tracks info from both sides of the strip. We read reliably, with a 99.9% correct rate of reading. Sending of SMS occurs from the internal components of two Sony Ericsson 850i units. The batteries, visible in some of the pictures are from Motorola phones. The internal circuitry of the phones is connected to a digital circuit and chip which receive the information from the pinpad and magnetic reader, respectfully. You will need 3 sim cards, pre-paid is recommended. Each reading sends 4 SMS messages, 1 with the track information, 1 with the pin, and 1 from each unit with a status update.

On each sim card, you will have to save the phone number of your home mobile phone's sim card under the name "home". The internal circuitry and interface with the SE850i unit will look to this number to send both the track data and the pin numbers.

The internal processing chip encrypts the data before sending sms to the computer. In the kit, the decoding program in included which with one click will transfer the crypted dump into plain text. On opening this program, it is necessary to enter password. But if password is incorrect that program will close with a system error message, rather than responding with an incorrect password message. This is an obvious security feature. Each unit has an individual serial number and password. The password is included in the full package. It is possible to request that the password be communicated online, rather than be included with the software and package.



I will give couple of working examples of scenarios. If someone attempts to open the program and types an incorrect password, an error message is displayed and the software will "crash". It gives the impression that the software is simply not working. But if the correct password is entered, then it will start. If necessary, it is possible to simple say that the software is just something downloaded from the Internet, but it does not work, and you forgot to remove it. And no specialist will be able to prove what kind of program it is.

The exterior appearance and feel of our devices is built based on the original appearance of the ATM machine. In other words, if in one instrument incorporates smooth lines, and sleek curves, then our device will appear very similar on its exterior housing. It is virtually unnoticeable that there has been a modification to the ATM. The paint, with which we spray our housings is matched to the paint on the original ATMs. Our method of colouring accurately reproduces the originals, while maintaining all the characteristics of colouring, including varying temperature conditions, the angle of incidence of the paint, pressure, time of polymerization, etc.

As such we attained a perfect match of paint, tone of paint, reflection, and nuances with the different angles of incidence of light, feeling of the surface and so forth. On the job, this looks and feels exactly the same as an un-modified ATM. All instruments are powered from Li-on batteries. A charger is included in the complete set. Each battery is sufficient for 2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests to find the maximum quantity of SMS which can be sent from one battery. Tests showed that we could send 1400 SMS from one battery without a recharge. The majority of the time, the instrument stands in standby mode. Very little power is used until the card is inserted or the pinpad is pressed, when track data is collected, and pins are collected.

The complete set comes with everything you need to run a full operation. However, the batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 complete cycles of charging and discharging. This makes possible for battery to work longer. As a rule by this "warming-up" of the batteries an increase of the length of time they will operate will increase by 30-40%.


Again we stress that we are moving ahead, and developing more advanced devices. The current range for sale has been extensively tested and proven as a reliable kit.

USB Flash memory skimmers: 
We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new users, as experienced, wealthy crews will be using the more modern GSM skimmers.

Our range starts with a basic skimmer & hidden camera, pre installed inside a discrete case, with flash storage and timestamps. Our basic skimmers are just as discrete and physically sound as our expensive GSM kit. They contain a 512 mb flash card, and a ROM chip with tiny card writer to record the info to the micro sd card. These kits come with an MSR206 and a multi card reader to retrieve the dumps + pins from both devices.

If you already own an MSR206, it can be removed from the package and a small discount can be given.


Pinpad info
Basic features of our pinpads are:
1. Ultra thin, around 3mm and it looks slimmer because of some design tricks
2. Real Stainless-Steel Material Frame and the keys
3. Exact same size as the actual ATM’s pinpad
4. Special plated Frame and Keys that does not hold any
Fingerprints well
5. Ultra low power consumption
6. Various languages supported


Technical Information on Charging and Communicating:
As usual, you may charge your pinpad through the USB communication cable. Charging is automatic, when you plug the cable into the pinpad, it will start charging. You can communicate with the pinpad while charging. You should charge your pinpad for a minimum 2 hours before operation. Try to use a USB Port on a Desktop Computer instead of a Laptop or USB hub. If u need to use a laptop then make sure you are using laptop with its power adapter connected, otherwise you will try to charge pinpads Battery with laptop’s battery and this will result in poor charging. Remember, you have to check date and time of your pinpad and adjust it if needed before operation. Setting the date/time is very easy using the software provided.

There are some limits on USB Charging. USB Charging is good if your skimming operation last 12-16 hours. If you require your pinpad to last longer then you have to buy Lithium-Polymer(Li-Po) 3.7v Generic charger for charging the battery of your pinpad. We can include this with the full kit for an extra cost. You may contact to us if you bought a Li-Po charger and want to use it with your pinpad.

You must be extremely careful when plugging the cable into the pinpad! There was not enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes when plugging in the cable. We used plain socket that allows user to plug cable in any direction/position. If you plug the cable in the wrong direction/position then your pinpad electronics may be damaged. There also a risk to your battery. So pay special attention when plugging the cable into your pinpad for data transfer and/or charging. Check the picture below for concise instructions on how to plug the cable into your pinpad.

Follow these steps for easy plugging:
1. Identify the Red Wire on the cable’s socket
2. Identify the Red Wire on pinpads Socket
3. Red wire of pinpads socket should always be near the Crystal, and should join with the other red wire.
4. Then plug it like this:

Information on Installing and Removing to/from ATM:

You should use transparent fast glues for glue your Pinpad. You have to be very careful on NOT TO GLUE the Membrane of your Pinpad. You only need to glue the back of the frame of the Pinpad, only places where it touches the ATM. Again, no membrane or keys!!! You should use 2 holes designed for removing Pinpad from the ATM. You may use a small screwdriver or knife or similar.

You have to be very careful when removing the pinpad from the ATM. You should not damage membrane of the pinpad when using screwdriver or knife to remove it. Several practice attempts, on a flat surface are recommended.

You should try with very small amount of glue for your tests to see and understand how it sticks. Then you should decide what amount of glue will be used when you are on the job. Your tests are the key to your success. Test your skimmer on the ATM with no Glue/Less Glue etc. for experience. Never start to skimming before feeling you understand all the logic.



Our Software Description 
To work with a skimmer, a computer is necessary of course. You need to save your dumps (card data tracks) there! We will provide you with software, which can completely control your skimmer. Using this software, you can download dumps from skimmer/input them from SMS, remove them from skimmer unit, etc.

The program saves everything in crypted form. So that you don't have to worry about being ripped off. No one will be able to retrieve your data without the password. The password is included in the complete package, or can be sent separately online for security purposes. Each skimmer is basically a small computer, with a processor, flash storage, the internals of a SE850i mobile(cellular/GSM) phone, through which it sends info, and it has an EEPROM chip which boots up and operates the unit. So that takes care of software and passwords. Software is supplied in the complete set with the equipment directly to the buyer, even if transaction is done through some mediator, and passwords are given only to the buyer. We make so that the mediator cannot obtain both the software and the passwords.



The program does not show dumps on the screen. Also it does not preserve dumps in the open form. With the retention they are ciphered by a serious key. At the start of program it will request your password. But if password is introduced incorrect that it simply closes down and prints a system error on the screen. This creates the impression that the program is simply nonworking. And if you will not input the correct password, there's no way to even know what kind of program it is. This was created so that non-critical people with an attempt at the start would not attempt to select password. Let’s just say suddenly, the police get the laptop, on which the program is installed. Naturally, they will ask you about the password. If you are creative, you will give them a fake password, which they enter it, and the program will simply shut down and writes that an error occurred. This will give the impression that the program is nonworking. And you can boldly tell that the "program never worked, and I just forgot to delete it". The dumps are stored in an encrypted file, which it is not possible to decrypt. There will be no evidence left on your computer, once the police do not get a hold of the password.

The software itself is easy to use. There is no extra options or excess instructions. It is self explanatory, but full instructions are included with the full kit. If you have any other questions we will try our best to answer them from our administration team or our software developers.



Safety:
We are often asked questions about safety when we are working with skimmers. On this page, I will try to give some good safety advice for cashing out and operating a successful skimming operation.

Observation:
It is recommended to observe the target ATM, unobtrusively for 1-2 days before hand. Record at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money is put into the machine, if it is a free standing unit.

Equipment preparation:
It is recommended to check all your equipment before the installation. Make sure that you have practised with some dummy ATM cards before hand and have transferred your own ATM card, or similar into track data, SMS, decrypt, and write to a "white card" with your MSR206 card writer.



Work for the fitter/installer:
The installer must be good with their hands. They must accurately and rapidly carry out his work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or other users of the ATM. The whole process can take less than 30 seconds.

Operation of the device:
Place, and the time of the installation should be selected beforehand. An observation point might be necessary. There should be somewhere to safely park your car from which to observe the operation of the skimmer and pinpad. If you are waiting in a car, it is not recommended that you have a laptop + msr + phone receiving and writing the data. If the operation is busted in this manner, you lose everything. However, if you are at home, you will have at least several hours in which to write the cards and cash them out. Your observation person should have enough food, water, etc to last in the car for the complete duration of the operation if possible. One plan that some crews use now is observation from an apartment or hotel close to the ATM. With this, you can cut down on the number of your crew. But be careful use fake identification if you can.



Full details of the installation are described with pictures in a series of PDF files included on the software and instructions DVD. The fitter/installer should put a card into the machine and reject it quickly when fitting. The receiver, working on the "home" computer, will receive the track, and confirm that it stuck on properly. 99% of the time, it sticks no problem. This is also useful to find that the card is ejecting properly.


When removing equipment, your crew should be trained and ready. Some crews do not risk withdrawing equipment as the average 1-day run will net $20,000-$50,000 USD depending on where you are. However if you are confident about removing it, you should take it to run the operation again. If apprehended while removing the equipment, the remover should protest innocence. They should say that they saw something suspicious, and were trying to take it off the ATM to being to police/bank. The crew member should look and act like a respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy removing the kit is a good idea, and walkie-talkies are useful. If the observer sees someone approaching the removal guy, he should "squak" his walkie-talkie, and the remover can disappear quickly.



Cashing out the money:
On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor should you ever cash out your cards on the ATM that you skimmed them on.



Many crews will have several people working on cashing out, and they work 10 cards per person per time, all returning the money to the controller periodically. If you are cashing out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing you.That’s just about everything you need to know to operate a safe, extremely lucrative ATM skimming business.


The Kit includes a software dvd (with full instructions), MSR206, Skimmer + Pinpad, and encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed tracks are encrypted, pins are not encrypted. Rental Schemes are available, where we keep the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits.


My initial discovery of this cybercrime-friendly market proposition, coincides with the publication of a related post back in 2008, for the first time ever publicly disclosing important details regarding the emergence of ATM Skimmers with built-in GSM modules.

Nowadays, these are everyday reality.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skimmers and Pinpads


On daily basis, I profile over a dozen of newly advertised (verified) vendors of ATM skimmers, indicating that this market segment is still quite successful, thanks to the overall demand for these 'tools-of-the-trade', allowing potential cybercriminals to enter the world of ATM skimming.

In this post part of the "Historical OSINT" series, I'll profile the underground market proposition of a vendor of GSM/USB ATM Skimmers and Pinpads, that appeared on my radar back in 2008, with an emphasis on the lack of OPSEC (Operational Security) applied by them, and the IP hosting changes of their main domain that took place throughout 2008, in particular, offer evidence of active multi-tasking on behalf of the same gang of cybercriminals.

What's particularly interesting about this vendor is the fact that, instead of advertising across popular and well known cybercrime-friendly Web communities, they themselves created a community around the market proposition, and started pitching their offer across the public Web, a clear indication for a lack of OPSEC (Operational Security) awareness.

On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) was registered using the alsaleh@gawab.com email. On 2009-01-07, the registration email changed to blanerds@hushmail.com. These emails are not known to have been used in previous cybercrime-friendly campaigns.

Throughout 2008, the darkforum.net domain constantly changed IPs. The following is a complete list of the IP changes:
64.74.96.241
69.64.145.229 -
IP already profiled in a previously published analysis
63.251.92.197
216.8.177.23
69.25.142.57
208.73.212.12
87.242.73.96 -
known C&C server
64.208.225.139

The advertised brochure of the vendor:
Overview of the technology involved: Here is how it all works.
Full operating instructions are included with the entire package, this page is here for informative purposes. The Card Reader reads ATM & credit cards and sends the data tracks through SMS to a phone. The pin-pad catches the pushing of the pin number through the keypad and also sends the data through SMS.

SMS data comes to a programmable mobile phone number, which you will set to a safe number of yours. It is advised to connect your phone to a computer, and download the track data to your computer as it arrives. After every 2 message track+pin combo, an SMS is sent from each GSM device with a status update. From your computer, you can keep track of the whole operation.



The GSM Kit comes with an MSR206 device and track writing software. From your computer, you retrieve the track data and pin numbers from SMS messages, and then write the tracks to swipe cards with the cloned ATM/Credit cards, you simply use the pin to cash them out at ATM machines.

Receiving:
Received Data on the computer is encrypted. For the decryption, there is a separate program, which is included on the software DVD. Decrypted data is then ready to be written on cards.

Thus we have a secure working environment. None of your cashiers or crew can get the unencrypted data. Only the user of the software, who controls the operation. This kit is built on brand new technology. We have put a lot of time and money into the development and design. As a result, this is currently the most efficient method of retrieving dumps and pins.

for example the first skimmers were used with a camera, and on the given moment of skimmer it works with the transmission of data on network GSM, with the sending SMS or with the subtraction of data after calling it. In this case the complete reliability of the work of equipment, checked by time and experience of many people. For example now we use the multilayer printed-circuit boards, similar, as are used in the laptop computers or mob telephones, with the silver contacts and the working from the oxidation although previously they were altogether only old boards. Now for the size decrease is necessary to proceed with decent expenditures in order to decrease the sizes and in this case to increase reliability.

Our skimmers were actually originally developed for personal use, not for sale. They were designed with the most robust, smallest and most efficient parts at each stage of the building process.



Why small? Well, it is better to have a small unit, that fits discretely onto the ATM machine. Why GSM? Because it is possible to receive SMS at from a remote location. Nobody has ever been caught by police with a GSM skimmer, to the best of our knowledge. Each day our team is working on the development of newer and newer technologies. From time to time we apply our improvements to our range of products. Thus we from time to time change to new designs of housings; we improve the capability of batteries, or the switching system. For example, the new version of our software has some improvements over previous versions and is regularly updated. Usually clients send on their feature requests and we are frequently building them into our newest kits.

Our skimmers can read a change in the rate of card conduction. For example, if we insert the card slowly, and then accelerate it, our magnetic strip reader will read and correct this. We read both tracks info from both sides of the strip. We read reliably, with a 99.9% correct rate of reading. Sending of SMS occurs from the internal components of two Sony Ericsson 850i units. The batteries, visible in some of the pictures are from Motorola phones. The internal circuitry of the phones is connected to a digital circuit and chip which receive the information from the pinpad and magnetic reader, respectfully. You will need 3 sim cards, pre-paid is recommended. Each reading sends 4 SMS messages, 1 with the track information, 1 with the pin, and 1 from each unit with a status update.

On each sim card, you will have to save the phone number of your home mobile phone's sim card under the name "home". The internal circuitry and interface with the SE850i unit will look to this number to send both the track data and the pin numbers.

The internal processing chip encrypts the data before sending sms to the computer. In the kit, the decoding program in included which with one click will transfer the crypted dump into plain text. On opening this program, it is necessary to enter password. But if password is incorrect that program will close with a system error message, rather than responding with an incorrect password message. This is an obvious security feature. Each unit has an individual serial number and password. The password is included in the full package. It is possible to request that the password be communicated online, rather than be included with the software and package.



I will give couple of working examples of scenarios. If someone attempts to open the program and types an incorrect password, an error message is displayed and the software will "crash". It gives the impression that the software is simply not working. But if the correct password is entered, then it will start. If necessary, it is possible to simple say that the software is just something downloaded from the Internet, but it does not work, and you forgot to remove it. And no specialist will be able to prove what kind of program it is.

The exterior appearance and feel of our devices is built based on the original appearance of the ATM machine. In other words, if in one instrument incorporates smooth lines, and sleek curves, then our device will appear very similar on its exterior housing. It is virtually unnoticeable that there has been a modification to the ATM. The paint, with which we spray our housings is matched to the paint on the original ATMs. Our method of colouring accurately reproduces the originals, while maintaining all the characteristics of colouring, including varying temperature conditions, the angle of incidence of the paint, pressure, time of polymerization, etc.

As such we attained a perfect match of paint, tone of paint, reflection, and nuances with the different angles of incidence of light, feeling of the surface and so forth. On the job, this looks and feels exactly the same as an un-modified ATM. All instruments are powered from Li-on batteries. A charger is included in the complete set. Each battery is sufficient for 2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests to find the maximum quantity of SMS which can be sent from one battery. Tests showed that we could send 1400 SMS from one battery without a recharge. The majority of the time, the instrument stands in standby mode. Very little power is used until the card is inserted or the pinpad is pressed, when track data is collected, and pins are collected.

The complete set comes with everything you need to run a full operation. However, the batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 complete cycles of charging and discharging. This makes possible for battery to work longer. As a rule by this "warming-up" of the batteries an increase of the length of time they will operate will increase by 30-40%.


Again we stress that we are moving ahead, and developing more advanced devices. The current range for sale has been extensively tested and proven as a reliable kit.

USB Flash memory skimmers: 
We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new users, as experienced, wealthy crews will be using the more modern GSM skimmers.

Our range starts with a basic skimmer & hidden camera, pre installed inside a discrete case, with flash storage and timestamps. Our basic skimmers are just as discrete and physically sound as our expensive GSM kit. They contain a 512 mb flash card, and a ROM chip with tiny card writer to record the info to the micro sd card. These kits come with an MSR206 and a multi card reader to retrieve the dumps + pins from both devices.

If you already own an MSR206, it can be removed from the package and a small discount can be given.


Pinpad info
Basic features of our pinpads are:
1. Ultra thin, around 3mm and it looks slimmer because of some design tricks
2. Real Stainless-Steel Material Frame and the keys
3. Exact same size as the actual ATM’s pinpad
4. Special plated Frame and Keys that does not hold any
Fingerprints well
5. Ultra low power consumption
6. Various languages supported


Technical Information on Charging and Communicating:
As usual, you may charge your pinpad through the USB communication cable. Charging is automatic, when you plug the cable into the pinpad, it will start charging. You can communicate with the pinpad while charging. You should charge your pinpad for a minimum 2 hours before operation. Try to use a USB Port on a Desktop Computer instead of a Laptop or USB hub. If u need to use a laptop then make sure you are using laptop with its power adapter connected, otherwise you will try to charge pinpads Battery with laptop’s battery and this will result in poor charging. Remember, you have to check date and time of your pinpad and adjust it if needed before operation. Setting the date/time is very easy using the software provided.

There are some limits on USB Charging. USB Charging is good if your skimming operation last 12-16 hours. If you require your pinpad to last longer then you have to buy Lithium-Polymer(Li-Po) 3.7v Generic charger for charging the battery of your pinpad. We can include this with the full kit for an extra cost. You may contact to us if you bought a Li-Po charger and want to use it with your pinpad.

You must be extremely careful when plugging the cable into the pinpad! There was not enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes when plugging in the cable. We used plain socket that allows user to plug cable in any direction/position. If you plug the cable in the wrong direction/position then your pinpad electronics may be damaged. There also a risk to your battery. So pay special attention when plugging the cable into your pinpad for data transfer and/or charging. Check the picture below for concise instructions on how to plug the cable into your pinpad.

Follow these steps for easy plugging:
1. Identify the Red Wire on the cable’s socket
2. Identify the Red Wire on pinpads Socket
3. Red wire of pinpads socket should always be near the Crystal, and should join with the other red wire.
4. Then plug it like this:

Information on Installing and Removing to/from ATM:

You should use transparent fast glues for glue your Pinpad. You have to be very careful on NOT TO GLUE the Membrane of your Pinpad. You only need to glue the back of the frame of the Pinpad, only places where it touches the ATM. Again, no membrane or keys!!! You should use 2 holes designed for removing Pinpad from the ATM. You may use a small screwdriver or knife or similar.

You have to be very careful when removing the pinpad from the ATM. You should not damage membrane of the pinpad when using screwdriver or knife to remove it. Several practice attempts, on a flat surface are recommended.

You should try with very small amount of glue for your tests to see and understand how it sticks. Then you should decide what amount of glue will be used when you are on the job. Your tests are the key to your success. Test your skimmer on the ATM with no Glue/Less Glue etc. for experience. Never start to skimming before feeling you understand all the logic.



Our Software Description 
To work with a skimmer, a computer is necessary of course. You need to save your dumps (card data tracks) there! We will provide you with software, which can completely control your skimmer. Using this software, you can download dumps from skimmer/input them from SMS, remove them from skimmer unit, etc.

The program saves everything in crypted form. So that you don't have to worry about being ripped off. No one will be able to retrieve your data without the password. The password is included in the complete package, or can be sent separately online for security purposes. Each skimmer is basically a small computer, with a processor, flash storage, the internals of a SE850i mobile(cellular/GSM) phone, through which it sends info, and it has an EEPROM chip which boots up and operates the unit. So that takes care of software and passwords. Software is supplied in the complete set with the equipment directly to the buyer, even if transaction is done through some mediator, and passwords are given only to the buyer. We make so that the mediator cannot obtain both the software and the passwords.



The program does not show dumps on the screen. Also it does not preserve dumps in the open form. With the retention they are ciphered by a serious key. At the start of program it will request your password. But if password is introduced incorrect that it simply closes down and prints a system error on the screen. This creates the impression that the program is simply nonworking. And if you will not input the correct password, there's no way to even know what kind of program it is. This was created so that non-critical people with an attempt at the start would not attempt to select password. Let’s just say suddenly, the police get the laptop, on which the program is installed. Naturally, they will ask you about the password. If you are creative, you will give them a fake password, which they enter it, and the program will simply shut down and writes that an error occurred. This will give the impression that the program is nonworking. And you can boldly tell that the "program never worked, and I just forgot to delete it". The dumps are stored in an encrypted file, which it is not possible to decrypt. There will be no evidence left on your computer, once the police do not get a hold of the password.

The software itself is easy to use. There is no extra options or excess instructions. It is self explanatory, but full instructions are included with the full kit. If you have any other questions we will try our best to answer them from our administration team or our software developers.



Safety:
We are often asked questions about safety when we are working with skimmers. On this page, I will try to give some good safety advice for cashing out and operating a successful skimming operation.

Observation:
It is recommended to observe the target ATM, unobtrusively for 1-2 days before hand. Record at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money is put into the machine, if it is a free standing unit.

Equipment preparation:
It is recommended to check all your equipment before the installation. Make sure that you have practised with some dummy ATM cards before hand and have transferred your own ATM card, or similar into track data, SMS, decrypt, and write to a "white card" with your MSR206 card writer.



Work for the fitter/installer:
The installer must be good with their hands. They must accurately and rapidly carry out his work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or other users of the ATM. The whole process can take less than 30 seconds.

Operation of the device:
Place, and the time of the installation should be selected beforehand. An observation point might be necessary. There should be somewhere to safely park your car from which to observe the operation of the skimmer and pinpad. If you are waiting in a car, it is not recommended that you have a laptop + msr + phone receiving and writing the data. If the operation is busted in this manner, you lose everything. However, if you are at home, you will have at least several hours in which to write the cards and cash them out. Your observation person should have enough food, water, etc to last in the car for the complete duration of the operation if possible. One plan that some crews use now is observation from an apartment or hotel close to the ATM. With this, you can cut down on the number of your crew. But be careful use fake identification if you can.



Full details of the installation are described with pictures in a series of PDF files included on the software and instructions DVD. The fitter/installer should put a card into the machine and reject it quickly when fitting. The receiver, working on the "home" computer, will receive the track, and confirm that it stuck on properly. 99% of the time, it sticks no problem. This is also useful to find that the card is ejecting properly.


When removing equipment, your crew should be trained and ready. Some crews do not risk withdrawing equipment as the average 1-day run will net $20,000-$50,000 USD depending on where you are. However if you are confident about removing it, you should take it to run the operation again. If apprehended while removing the equipment, the remover should protest innocence. They should say that they saw something suspicious, and were trying to take it off the ATM to being to police/bank. The crew member should look and act like a respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy removing the kit is a good idea, and walkie-talkies are useful. If the observer sees someone approaching the removal guy, he should "squak" his walkie-talkie, and the remover can disappear quickly.



Cashing out the money:
On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor should you ever cash out your cards on the ATM that you skimmed them on.



Many crews will have several people working on cashing out, and they work 10 cards per person per time, all returning the money to the controller periodically. If you are cashing out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing you.That’s just about everything you need to know to operate a safe, extremely lucrative ATM skimming business.


The Kit includes a software dvd (with full instructions), MSR206, Skimmer + Pinpad, and encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed tracks are encrypted, pins are not encrypted. Rental Schemes are available, where we keep the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits.


My initial discovery of this cybercrime-friendly market proposition, coincides with the publication of a related post back in 2008, for the first time ever publicly disclosing important details regarding the emergence of ATM Skimmers with built-in GSM modules.

Nowadays, these are everyday reality.

Updates will be posted as soon as new developments take place.

Historical OSINT: OPSEC-Aware Money Mule Recruiters Hire, Host Crimeware and Malvertisements

In the following intelligence brief, I will perform an analysis of the cybercriminal operations involving a group of individuals that operated successfully though 2009/2010, recruiting money mules, hosting ZeuS crimeware, and participating in a malvertising campaign.

Compared to a previous analysis where I profiled the offensive client-side exploitation campaigns launched by money mule recruiters, in this analysis I'll emphasize on yet another OPSEC-aware (Operational Security) gang of cybercriminals, this time blocking access to Google and anti-money laundering Web sites/research, in an attempt to trick the newly recruited mules into thinking that they're working for a legitimate company, preventing them from obtaining info on their new "employer".

Key summary points:
  • The group originally launched its operations in 2009, primary focusing on highly targeted money mule recruitment campaigns
  • Only two of the malicious domains involved in the 2009/2010's campaigns are still active, with the first serving adult content, and the second offering name server services to pharmaceutical scams, indicating they're didn't quite left the cybercrime ecosystem just yet
  • The cybercriminals behind the campaign impersonated the legitimate Sprott Asset Management company, and blocked access to its official site on mule's PCs that executed the malicious SSL Certificate supplied to them as a requirement for joining the fake company
  • Upon execution, the bogus SSL Certificate executable modified the HOSTS file on the affected hosts, blocking access to ddanchev.blogspot.com and to bobbear.co.uk to prevent potential money mules from reaching my "Keeping Money Mule Recruiters on a Short Leash" series, and bobbear's vast archive of collected intelligence on money mule recruitment campaigns
  • The group hosted multiple ZeuS crimeware variants using the same infrastructure as the money mule recruitment campaigns, and also participated in a malvertising campaign
  • Although their initial 2009 operations were launched from (AS39134), they later on migrated to a Kazakhstan-based bulletproof hosting provider (AS50793) that's no longer in operation, although there's a high probability that the Kazakhstan hosting service was part of a franchise, and is currently operating in another part of the world. The Web site of the bulletproof hosting provider was hosted in Ukraine (AS6714), an AS also known to have participated in numerous crimeware campaigns
  • The malicious activity (besides their operation) was found for (AS39134) indicating that they probably got kicked out of the hosting provider for their attempts to recruit money mules
  • The domain name of the Kazakhstan-based bulletproof hosting provider (AS50793) was registered using a GMail account in 2010
  • The Kazakhstan-based bulletproof ISP's domain name is currently registered to an Iranian citizen, two years after the malicious activities took place, with no signs of malicious activity currently taking place there
a

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.