Friday, August 30, 2013

Summarizing Webroot's Threat Blog Posts for August


The following is a brief summary of all of my posts at Webroot's Threat Blog for August, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. ‘Malware-infected hosts as stepping stones’ service offers access to hundreds of compromised U.S based hosts
02. New ‘Hacked shells as a service’ empowers cybercriminals with access to high page rank-ed Web sites
03. Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware
04. Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to client-side exploits and malware
05. Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware
06. One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers
07. Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware
08. Newly launched managed ‘malware dropping’ service spotted in the wild
09. Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity
10. From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools
11. DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses
12. Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009
13. DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the wild
14. Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase
15. Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, August 29, 2013

Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme

Over the years, I've been actively researching the money mule recruitment epidemic: providing actionable (real-time/historical) intelligence on the recruiters' activities, exposing their DNS infrastructure, offering an exclusive peek inside the administration panels used by money mules, and emphasizing the current and emerging tactics applied by the individuals orchestrating the final stage of a fraudulent operation - the cash-out process, through basic risk-forwarding.

Catch up with previous research on the money mule recruitment problem:
In this post, I'll profile a novel money mule recruitment scheme that involves high profit margins -- of course for the ones organizing the scheme -- achieved through a direct and, most importantly, (pseudo) legal brand-jacking of a gullible business owner's brand name, enticing him/her into opening a merchant account for processing E-commerce transactions that originate from other, equally gullible and socially engineered mules.

It all begins with an email coming from a non-existent "environmental enterprise", that in this particular case is abusing Google's brand in an attempt to increase the probability of a successful interaction with the socially engineered business owners:

Sample email:
Environmental enterprise searching for representation internationally
5% commission on 200K cash flow originated from promotion and sales of proprietary research articles

Necessary conditions:
- Own a company
- Be reachable on daily basis through E-mail, phone or Skype
- Proper execution of all planned undertakings

In case if being interested, please provide:
- Name and Surname
- Age
- Telephone number (including country code)
- City and Country
- Email

Please answer to: NAME@googleapp-consult.com

Faithfully yours,
HR dept


Those who reply are kindly asked to open a merchant bank account using their own company data, and are assured that, despite the fact that the Web site selling the bogus 'research articles' will be using their (legitimate) business brand's name and contact details, they will still receive their 5% commission on the 200,000/250,000 EUR in anticipated revenue, which would naturally be coming directly from other mules participating in the fraudulent scheme. Moreover, even though the business owner will have his company brand, logo and contact information listed on the Web site, he/she will have zero visibility into the non-existent purchasing process for this research, as "all customer service, sales, technical logistics, etc. are to be handled by us."

Why would a potential cybercrime syndicate want a socially engineered business owner to open a merchant bank account using his/her own data? Pretty simple. In my previous research on the standardization of the money mule recruitment process, I emphasized how money mules are often vetted through online-based surveys, which always ask questions that are important from a mule recruiter's perspective, such as: when did you first open your bank account, and do you have any limitations on incoming/outgoing monetary transactions on it?

An established company, however, benefits from the trust it has already built with its financial institution/service of choice, meaning that it will not only get its merchant account opened, but will also successfully pass the majority of the verification and protection mechanisms for high-volume transactions put in place by that financial institution/service.

Sample reply email:
Thank you for your reply.

We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).

We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.

We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us. The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.

Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).
These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6% every month. The commission proposed to you stands at 5% of the mentioned volume.

All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.
 

Yours sincerely,

Michael Torti
General Manager
ECOFIN Projects (Gibraltar)
Tel/Fax: +350 2006 1287


Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106)? Nothing more than a cybercrime-friendly "marketing agency" at its best.

Sample About Us description:
Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.

We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.

The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.


Contact details:
+350 200 67911 (Gibraltar)
+852 5808 2461 (Hong Kong)
+54 11 5984 1154 (Buenos Aires)
+44 20 3051 6249 (London)
Skype: ecofin2013
Suite 4, 209 Main Street
Gibraltar GBZ 1AA


A potentially socially engineered business owner would then be contacted with a similar email:
Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.

Please review the showcase website:

This site will be copied into a new domain reflecting your company name and your company data.
As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).

The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.


Sample Web site template offered as an example of how a socially engineered business owner's company-branded Web site would look (greentechidea.com - 50.63.39.1):

Sample copy of the Contract:


Sample domains from the mule recruitment campaigns spamvertised over email:
googleapp-consult.com
googleapps-euro.com
worlds-trade.com
trades-consult.com
worlds-diploms.com


Sample name servers involved in the campaign:
NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiherald32@yahoo.com
NS2.ELCACAREO.NET - 6.87.78.121

The same email (shanghaiherald32@yahoo.com) is also known to have been used to register the following fraudulent/malicious domains:
badstylecorps.com
tvblips.net
viperlair.net
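The pivot just described (shared name servers and a shared registrant e-mail tying new domains to the campaign) and the domain list above are the kind of indicators a mail administrator would want to act on. The following Python script is an added example, not code from the original post; it turns the post's indicators into two defensive checks. The WHOIS-style records and the mail log lines it uses are constructed for illustration (the `example-legit.com` and `newly-seen.net` entries and the registrant e-mail `other@example.org` are hypothetical), and the Postfix-style log format is an assumption about the reader's environment.

```python
import re
from collections import defaultdict

# Indicators quoted in the post: spamvertised domains, the two name servers
# and the registrant e-mail shared across them.
CAMPAIGN_DOMAINS = {
    "googleapp-consult.com", "googleapps-euro.com", "worlds-trade.com",
    "trades-consult.com", "worlds-diploms.com", "ecofinservices.net",
    "greentechidea.com",
}
CAMPAIGN_NAMESERVERS = {"ns1.elcacareo.net", "ns2.elcacareo.net"}
CAMPAIGN_REGISTRANT = "shanghaiherald32@yahoo.com"

# Constructed WHOIS-style records: domain -> (name server, registrant e-mail).
# The first three mirror the post; the last two are hypothetical and show a
# clean domain and one that only shares infrastructure.
SAMPLE_WHOIS = {
    "googleapp-consult.com": ("NS1.ELCACAREO.NET", "shanghaiherald32@yahoo.com"),
    "badstylecorps.com": ("ns2.elcacareo.net", "shanghaiherald32@yahoo.com"),
    "tvblips.net": ("ns1.elcacareo.net", "ShanghaiHerald32@yahoo.com"),
    "example-legit.com": ("ns1.example-dns.net", "hostmaster@example-legit.com"),
    "newly-seen.net": ("ns2.elcacareo.net", "other@example.org"),
}


def pivot_related_domains(whois, registrant, nameservers):
    """Return {domain: [reasons]} for every record that shares the campaign
    registrant e-mail and/or one of the campaign name servers."""
    linked = defaultdict(list)
    for domain, (ns, email) in whois.items():
        if email.lower() == registrant.lower():
            linked[domain].append("registrant")
        if ns.lower() in nameservers:
            linked[domain].append("nameserver")
    return dict(linked)


def expanded_blocklist(whois):
    """Known campaign domains plus everything the pivot links to them."""
    related = pivot_related_domains(whois, CAMPAIGN_REGISTRANT, CAMPAIGN_NAMESERVERS)
    return sorted(CAMPAIGN_DOMAINS | set(related))


# Envelope sender as logged by Postfix: "from=<user@domain>".
SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def flag_mail_log(lines, bad_domains):
    """Return (line_number, sender_domain) for lines whose envelope sender
    domain is a listed domain or a subdomain of one."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SENDER_RE.search(line)
        if not m:
            continue
        domain = m.group(1).lower()
        if any(domain == b or domain.endswith("." + b) for b in bad_domains):
            hits.append((n, domain))
    return hits


# Constructed mail log lines (Postfix-style); line 3 uses a subdomain.
SAMPLE_LOG = [
    "Aug 29 10:01:02 mx postfix/smtpd[1234]: 1A2B3C: from=<hr@googleapp-consult.com>, size=2048",
    "Aug 29 10:03:44 mx postfix/smtpd[1234]: 4D5E6F: from=<billing@example-legit.com>, size=1024",
    "Aug 29 10:05:10 mx postfix/smtpd[1234]: 7G8H9I: from=<info@mail.trades-consult.com>, size=1800",
    "Aug 29 10:07:00 mx postfix/smtpd[1234]: 0J1K2L: client=unknown[203.0.113.5]",
]

if __name__ == "__main__":
    for d, why in pivot_related_domains(SAMPLE_WHOIS, CAMPAIGN_REGISTRANT,
                                        CAMPAIGN_NAMESERVERS).items():
        print(f"{d}: linked via {', '.join(why)}")
    for n, d in flag_mail_log(SAMPLE_LOG, expanded_blocklist(SAMPLE_WHOIS)):
        print(f"log line {n}: sender domain {d} matches campaign indicators")
```

The two checks are deliberately separate: the pivot is an analyst step that widens the indicator set from passive DNS/WHOIS data, while the log matcher is the operational step that consumes whatever the analyst approved. Matching on subdomains matters because recruiters commonly send from hosts such as `mail.` under a spamvertised domain.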


"The only green is money".

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards

Continuing the series of blog posts profiling the most recent underground market propositions for high quality fake passports/IDs/documents, in this post I'll focus on a cybercrime-friendly vendor that exclusively targets the U.S market.

Go through previous research into the market for fake passports/IDs/documents:
Offering fake plastic driving licenses for 25+ U.S states, as well as student IDs for major U.S universities, at a flat price of $150, the vendor not only currently outperforms competing vendors in terms of quality in this particular market segment -- within the cybercrime-friendly community in question -- but is also already receiving recommendations from other cybercriminals to raise the price of his underground market 'asset', indicating penetration pricing in action.

Payment methods accepted? Bitcoin, Western Union and Moneygram.

Sample underground market ad:
[VENDOR's NAME REDACTED] has over 25+ states on tap, along with 'secondaries' to offer, all of which are high quality, meaning in-state without issue, in most cases. All IDs contain UV (where applicable, as some states don't), multispec-hologram, 1D/2D barcode and/or magstripe that will scan/swipe to read DMV/AAMVA license standard.

The vendor is requiring the following data from his potential customers:
Name - First, MI, Last
Address
DOB
Sex
Hair Color
Height
Weight
Eye color
Driver License number - if a number isn't provided one will be randomly generated
Endorsements and/or Restrictions - if not included these will be left blank
Scanned signature - if not provided you will receive a generic font signature


*****More\Less info may be required depending on the state requested

Scanned passport picture - no webcam pictures can be accepted.

If you cannot get a real passport picture and have a decent camera, please take a pic from the chest up against a white background/drywall with the flash 'ON'. I will handle the cropping aspect. Also try to have good lighting and when scanning use high resolution. You may also upload a signature. I ask that this be written using a black sharpie style pen to achieve the best results.

You may upload this info to sendspace.com or the file-sharing site of your choosing and forward me the download link. I will confirm reception via email and your order will begin processing. All IDs are 150USD with incentive to group buys. Payment can be made via BTC, WU, Moneygram. Payment will be collected upon completion and approval of your order.


Sample screenshots of the service's current 'inventory':

The market for fake passports/IDs/documents is poised to flourish, as more cybercriminals demand both scanned and plastic fake IDs to be later abused in related fraudulent schemes. Naturally, the market is quick to supply, and those vendors who excel in their operational security and in the quality of their underground market 'assets' will begin occupying a decent share of this underground market segment.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.