GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC

Following the GazTransitStroy/GazTranZitStroy (gaztranzitstroyinfo.ru; 67.15.253.241) coverage, the gang behind the bogus gas company drilling for insecure PCs across the Web has returned to its roots - St. Petersburg, Russia, with routing services courtesy of PIN-AS Petersburg Internet Network LLC (AS44050) (internet-spb.ru) :

"descr: Petersburg Internet Network LLC
address: Sedova 80
address: St.-Petersburg, Russia
e-mail:         support@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 4483863
person:         Metluk Nikolay Valeryevich
address:        korp. 1a 40 Slavy ave.,
address:        St.-Petersburg, Russia
e-mail:         nm@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 2683113
PIN LLC
Sedova 80
+7 812 4483863
support@internet-spb.ru
 

Metluk Nikolay Valeryevich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
nm@internet-spb.ru

Ladoha Anton Vladimirovich
korp. 1a 40 Slavy ave.,
St. Petersburg, Russia
+7 812 4483863
admin@internet-spb.ru

Strukov Evgeny Olegovich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
admin2@internet-spb.ru
e.strukov@pinspb.ru

Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 194.11.20.0/23; 195.2.240.0/23"

What's also worth pointing out that is a huge number of of domains operated by GazTransitStroy's customers, and, of course, GazTranzitStroy themselves not only traceroute back to Petersburg Internet Network LLC's network, but also, there's an evident migration to the legitimate NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well as to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255.

Combined with the fact that EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841 remain an inseparable part of GazTransitStroy's info, clearly indicates the presence of a well known cybercrime powerhouse - the RBN itself.

The following domains (crimeware, live exploits, scareware, you name it they engage in it) maintained by GazTranzitStroy have migrated as follows. From 91.212.41.96 to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255:

loshadinet .com
roselambda .cn
use-sena .cn
peopleopera .cn
forexsec .cn
symphonygold .cn
dreamlitediamond .cn
vilihood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
roomsme .cn
vilasse .cn
workfuse .cn
stakeshouse .cn
financeimprove .cn
lifenaming .cn
travetbeach .cn
schoolh .cn
rainfinish .cn
housevisual .cn
kvk.housevisual .cn
xfln.housevisual .cn
worksean .cn
blogtransaction .cn
liteauction .cn
seamodern .cn
smilecasino .cn
newtransfer .cn
oceandealer .cn
pub.oceandealer .cn
musicdomainer .cn
wowregister .cn
websiteflower .cn
travets .cn
designroots .cn
teamwows .cn
startgetaways .cn
moulitehat .cn
caxf.moulitehat .cn
islandtravet .cn
weekendtravet .cn
resorttravet .cn
litefront .cn
palaceyou .cn
youbonusnew .cn
clubmillionswow .cn
rainjukebox .cn
xuyxuyxuy .cn

From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS28753, interestingly, the DNS servers for the following domains ns1.pubilcnameserver7.com/ns1.pubilcnameserver7.com are diversifying at 89.149.207.56 and 91.212.41.114:

freeantivirusplus09 .com
realantivirusplus09 .com
getantivirusplus09 .com
smartantivirusplus09 .com
addedantivirusonline .com
addedantivirusstore .com
addedantiviruslive .com
addedantiviruspro .com
countedantiviruspro .com
plusantiviruspro .com
myplusantiviruspro .com
addedantivirus .com
youraddedantivirus .com
bestaddedantivirus .com
easyaddedantivirus .com
yourcountedantivirus .com
bestcountedantivirus .com
yourplusantivirus .com
easyplusantivirus .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
freecoveronline .cn
atioqe .cn
yourguardstore .cn
mycheckdiseasestore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
easyfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
examineillnesslive .cn
exodih .cn
suxpymi .cn
aciazi .cn
yourfriskinfection .cn
easyserviceprotection .cn
easyincomeprotection .cn
easypersonalprotection .cn
easybestprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
ascertaindiseasepro .cn
yourcheckpoisonpro .cn
easycheckpoisonpro .cn
yourfriskviruspro .cn
myascertainviruspro .cn
fegbywo .cn
feptuaq .cn
myexamineillness .cn
exousyt .cn
newguard2u .cn
freedefense2u .cn
bigdefense2u .cn
bestcover2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn
newguard4you .cn
mydefense4you .cn
bestcover4you .cn
yourguardforyou .cn
newguardforyou .cn
myguardforyou .cn
freedefenseforyou .cn
mydefenseforyou .cn
bestcoverforyou .cn

The ongoing affiliation with EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841, and the migration of domains (scareware, live exploits, crimeware etc.) as follows. From 91.212.41.119 to 91.212.65.7 EUROHOST-NET/Eurohost LLC:

nicdaheb .cn
sehmadac .cn
ralcofic .cn
bikpakoc .cn
xidsasuc .cn
koqsuyod .cn
tozxiqud .cn
bowselaf .cn
cuzlumif .cn
porgacig .cn
hifgejig .cn
rogkadej .cn
sipcojeq .cn
silzefos .cn
popyodiw .cn
hayboxiw .cn
peskufex .cn
ridmoyey .cn
cakpapaz .cn

What kind of an ISP be maintaining a permanent Under Construction page and engage in Zeus and live exploit serving activities on the same IP as its web server? EUROHOST-NET/Eurohost LLC is one of them:

"person: Mikhail Ignatyev
address: off. 1, 81 Frunze str.,
phone: +38 093 079 00 32
address: Evpatoria, Crimea, Ukraine
e-mail: ipadmin@eurohost.biz.ua"

At eurohost.biz.ua (91.212.65.5) we also have parked 123-service.ru, serving a deja-vu account suspended message - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." as well as ramshanabc.ru, with another account suspended message despite its previous involvement in Zeus crimeware campaigns in January, 2009 (ramshanabc .ru/ferrari/main.bin; ramshanabc .ru/ferrari/main.bin).

Besides these domains, several others, again registered to kirilboltovnet@yandex.ru are known to have been maintaining running Zeus crimeware campaigns as well:

grafjasqq .ru/kiew/kiew.cfg
heliskamm .ru/kiew5.cfg
mamaloki .ru/dir2.cfg489
mamaloki .ru/kiew3.cfg
nionalku .ru/dir5.cfg
nionalku .ru/kiew6.cfg

Still not convinced in how malicious their intentions really are? The phone number (+7 928 7867612) used in the registrations of these domains was most recently used in a spammed Zeus crimeware campaign impersonating Western Union. Continue reading →

Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

Just like GazTranzitStroyInfo's case, what we've got here is failure to understand that the efforts put into building legitimacy of front-ends to cybercrime, is prone to get undermined upon closer examination of the particular web hosting provider.

Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Dennis Linkor Email: admin@dirsite.com)?

"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We currently offer one plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! Unfortunately we have hit our quota for ad free accounts. Every new signup is now required to display a 460x60 banner ad on their content pages. We will be running another ad free promotion soon, so be sure to check back! We are currently experiencing some technical issues that are out of our control. We are suffering some server problems and as a result, slight delays in processing signups. We are working on it, and will have everything resolved as soon as possible. Thank you for your patience."

What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February, 2009.

With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:

goto.dirsite .com/go.php?sid=2&tds-key=erotic+bikini+babes
goto.dirsite .com/go.php?sid=2&tds-key=sexe+amateur+on+my+space
goto.dirsite .com/go.php?sid=2&tds-key=aunt+judy+older+women
goto.dirsite .com/go.php?sid=2&tds-key=view+private+profiles+on+myspace
goto.dirsite .com/go.php?sid=2&tds-key=fullmetal+alchemist+porn
goto.dirsite .com/go.php?sid=2&tds-key=Asian+style+bed+throws
goto.dirsite .com/go.php?sid=2&tds-key=cheerleader+candid+pictures
goto.dirsite .com/go.php?sid=2&tds-key=desisexstories
goto.dirsite .com/go.php?sid=2&tds-key=Hey+Arnold+porno
goto.dirsite .com/go.php?sid=2&tds-key=warcraft+henrai

Upon clicking the users are redirected to tdncgo2009 .com/?uid=68&pid=3 (trdatasft .com; fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware domains are randomly loaded:

virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
virussweeper-scan .net - 206.53.61.76
virusalarm-scanvirus .net - 206.53.61.76
viruscatcher .net - 64.213.140.71 Email: jeannemcpeters@gmail.com
fast-antivirus .com - 64.213.140.68

The scareware attempts to phone back to update1.virusshieldpro .com/ReleaseXP.exe - 206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybecriminal -

pay-virusshield .cn - 64.213.140.70; Email: unitedisystems@gmail.com; Returning the following message: "Sorry, the operation is currently unavailable, please email our support team from product's site (Error Code #150)"
updvmfnow .cn - 64.86.17.9
updvmfnow .cn/reports/install-report.php (64.86.17.9)
updvmfnow .cn/reports/soft-report.php
updvmfnow .cn/reports/minstalls.php

The phone back location is also hosting more active scarewaredomains:
ultraantivirus2009 .com - 64.86.17.9
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com

Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason. Continue reading →

A Diverse Portfolio of Fake Security Software - Part Twenty One

The ongoing abuse of AS10929; NETELLIGENT Hosting Services Inc. for scareware distribution purposes is peaking once again, which combined with the well-proven traffic acquisition tactics the campaigners take advantage of, prompts me to proactively undermine the effectiveness of the campaigns by ruining the monetization factor.

Next to listing the scareware domains currently in circulation, in part twenty one of the Diverse Portfolio of Fake Security Software series, it's time we put the spotlight on the so called payment processors mainted by phony in-house operations.

The following scareware domains are parked exclusively within AS10929; NETELLIGENT Hosting Services Inc's network, 209.44.126.102  in particular :

fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com

rayscan4 .com Email: brmargul@gmail.com
scantop4 .com Email: ansouthe@gmail.com
scanlist6 .com Email: metamant@gmail.com
goscanfine .com Email: chirelqas@gmail.com
goscanone .com Email: canrcnad@gmail.com
scan4note .com Email: ansouthe@gmail.com
in4ck .com Email: taboussybr@gmail.com
goscanwork .com Email: govemati@gmail.com
in4tk .com Email: skeltonrw@gmail.com
goscanatom .com Email: gleyersth@gmail.com
top4scan .com  Email: ansouthe@gmail.com
slot6scan .com  Email: metamant@gmail.com
gometascan .com  Email: ricboin@gmail.com
gopagescan .com Email: tanehen@gmail.com
gofinescan .com Email: alcnafuch@gmail.com
goelitescan .com Email: funully@gmail.com
gorankscan .com Email: canrcnad@gmail.com
goworkscan .com Email: govemati@gmail.com
gogoalscan .com Email: chinrfi@gmail.com
gogenscan .com  Email: tanehen@gmail.com
goautoscan .com Email: tanehen@gmail.com
goflexscan .com Email: alcnafuch@gmail.com
goscanauto .com Email: canrcnad@gmail.com
scan6slot .com  Emaik: telerdomb@gmail.com
in4st .com Email: skeltonrw@gmail.com
scan6list .com Email: telerdomb@gmail.com
goscanflex .com Email: chirelqas@gmail.com

goscankey .com Email: ricboin@gmail.com
scanmeta4 .info Email: sitintu@gmail.com
scannote4 .info Email: sitintu@gmail.com
metascan4 .info Email: finewnrk@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
notescan4 .info Email: finewnrk@gmail.com
miniscan4 .info Email: finewnrk@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
atomscan4 .info Email: finewnrk@gmail.com
fanscan4 .info Email: finewnrk@gmail.com
genscan4 .info Email: finewnrk@gmail.com
autoscan4 .info Email: sitintu@gmail.com
topscan4 .info Email: finewnrk@gmail.com
starscan4 .info Email: finewnrk@gmail.com
fixscan4 .info Email: sitintu@gmail.com
mixscan4 .info Email: finewnrk@gmail.com
luxscan4 .info Email: finewnrk@gmail.com
rayscan4 .info Email: finewnrk@gmail.com
keyscan4 .info Email: sitintu@gmail.com
scangen4 .info Email: sitintu@gmail.com
scanauto4 .info Email: mexnacc@gmail.com

scantop4 .info Email: finewnrk@gmail.com
scanflex4 .info Email: mexnacc@gmail.com
scan4meta .info Email: finewnrk@gmail.com
scan6meta .info Email: donboset@gmail.com
scan4fine .info Email: mexnacc@gmail.com
meta4scan .info Email: finewnrk@gmail.com
note4scan .info Email: finewnrk@gmail.com
gen4scan .info Email: finewnrk@gmail.com
flex4scan .info Email: mexnacc@gmail.com
fix4scan .info Email: sitintu@gmail.com
key4scan .info Email: mexnacc@gmail.com
meta6scan .info Email: donboset@gmail.com
note6scan .info Email: donboset@gmail.com
scan4gen .info Email: finewnrk@gmail.com
scan6gen .info Email: donboset@gmail.com
scan4auto .info Email: sitintu@gmail.com
scan4top .info Email: finewnrk@gmail.com
scan4fix .info Email: sitintu@gmail.com
scan4key .info Email: sitintu@gmail.com
fine4scan .info Email: beelriel@gmail.com
scanmega4 .info Email: bnntnkmn@gmail.com
zonescan4 .info Email: mexnacc@gmail.com
rankscan4 .info Email: mexnacc@gmail.com
scanauto4 .info Email: mexnacc@gmail.com
scan4fine .info Email: mexnacc@gmail.com
way4scan .info Email: bnntnkmn@gmail.com
key4scan .info Email: mexnacc@gmail.com
scan4fan .info Email: myscarbe@gmail.com

Exceptions out of  AS10929; NETELLIGENT Hosting Services Inc.:

ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104; 200.63.45.224 Email: abuse@domaincp.net.cn
generalantivirus .com Email: compalso@gmail.com
genpayment .com Email: seeingrud@gmail.com
livestopbadware .com Email: producergrom@gmail.com
av-payment .com Email: abuse@domaincp.net.cn
antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52;91.212.65.125; Email: immigration.beijing@footer.cn
antivirus-scanner-v1 .com Email: tareen@yahoo.com
proantivirusscannerv2 .com Email: ecindia@hotmail.com

Who's processing the payments made by the scammed customers? These are the major payment processors of scareware software that have been changing aliases for a while now, with Pandora Software being the most persistent one:

easybillhere .com - 200.63.45.221; Email: myerysin@gmail.com
secure.softwaresecuredbilling .com - 209.8.45.122; Viktor Temchenko Email: TemchenkoViktor@googlemail.com
secure.propayments .org - 78.46.152.8; Oleg Bajenov Email: oleg.bajenov@gmail.com
secure.soft-transaction .com - 77.91.228.155; Riabokon, Igor; rw6rr69n7z2@networksolutionsprivateregistration.com
secure-plus-payments .com - 209.8.25.204; John Sparck; Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124; Live Internet Marketing Limited; pnm-software.com@liveinternetmarketingltd.com
secure.thepaymentonline .com Email: Sergey Ryabov director@climbing-games.com

What is Pandoware Software, and who's behind Pandora Software (pandora-software .com; pandora-software .info; pandoraxxl .com - 209.8.45.121; Live Internet Marketing Limited; Email: pandoraxxl.com@liveinternetmarketingltd.com)?

The payment processor describes itself as :

"PandoraXXL is a company which provides the best adult entertainment online and is the managing company of the adult websites of the group. The concept itself is the carefull creation of websites which are different from the average vanilla adult production. We create them, we run them and we provide customer care to our customers!If You are a customer and would like to know more about our websites please click on Our Websites above. PandoraXXL.com and all sites which listed on PandoraXXL.com owned by Oleg Dvoretskiy Varzinerstr. 127, 44369 Dortmund, Germany"

Upon "doing business" with them they include their very latest domain within the the credit card statement:

"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM If so , than You have made a purchase on one of our websites! This form on the right will help You to locate these transactions! Absolutely sure You have never ever purchased anything with us? Contact us immediately then! Due to our knowledge we are one of a VERY few adult paysites companies out there providing INHOUSE live support along with telephone support. Please call only when You are sure that this site was not ab to help You with Your transactions. You may call with technical questions as well but You must read all our site's FAQs first."

Going through the terms of service for several scareware domains, there's a contact support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image and not a text? Cybercriminals sometimes ensure that sensitive info potentially undermining their OPSEC doesn't get crawled by public search engines. It's gets even more interesting as Oleg Dvorezky, whose activities as payment processor for scareware go beyond the support desk has also included his address - Varzinerstr. 127. 44369 Dortmund, Germany and another phone, again as an image +1(636)549-8103, followed by two more numbers +18669997851 (USA) +33179972633 (France) listed as contact details.

Moreover, despite the fact that they've active affiliates distribution scareware and earning money in the process, next to managing the processing of payments, one should not exclude the possibility that they may also be engaging in customer relationship management for other scareware affiliate partners. For instance, the following support emails are all managed by them :

support@supportdeska.com
support@msantispyware2009.com
support@pandora-software.com
support@pandoraxl.com
support@data-saver.org
support@generalantivirus.com

Fo the time being, scareware remains the single most efficient, managed and high liquidity asset used for monetization cybercrime campaigns. Continue reading →

From Ukrainian Blackhat SEO Gang With Love

UPDATE: My name is now an integral part of the scareware business model.

Yet another redirector used in the ongoing blackhat SEO campaign is using it, this time saying just "hi" - hidancho.mine .nu/login.js redirects to privateaolemail .cn/go.php?id=2010-10&key=b8c7c33ca&p=1 and then to antimalwareliveproscanv3 .com where the scareware is served -- catch up with the Diverse Portfolio of Fake Security Software series.

What's next? The release of Advanced Pro-Danchev Premium Live Mega Professional Anti-Spyware Online Cleaning Scanner 2010?

You know you have a fan club, as well as positive ROI out of your research, when one of the most active blackhat SEO groups for the time being starts cursing you in its multiple redirectors, in this particular case that's seo.hostia .ru/ddanchev-sock-my-dick.php.

Back in 2007, it used to be the polite form of get lost or "ai siktir vee" courtesy of the New Media Malware Gang, a customer of the Russian Business Network.

Upon hijacking legitimate traffic and verifying that the visitor is coming from var se = new Array("google.","msn.","yahoo.","comcast.","aol", the redirector then takes us to macrosoftwarego .com; live-payment-system .com - 83.133.123.140 Email: fabian@ingenovate.com, and to antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 89.47.237.52; 91.212.65.125 Email: immigration.beijing@footer.cn where the scareware is served.

Scareware domains (delegated) part of their campaigns which as of recently diversity to Lycos owned is-the-boss.com:
anti-spyware-scan-v1 .com - ns1.futureselfdeeds .com (78.47.88.217)
malware-live-pro-scanv1 .com
premiumlivescanv1 .com
malwareliveproscanv1 .com
antiviruspcscannerv1 .com
malwareliveproscannerv1 .com
freeantispywarescan2 .com
antiviruspremiumscanv2 .com
proantivirusscanv2 .com
antiviruspaymentsystem .com
macrosoftwarego .com
advanedmalwarescanner .com
advanedpromalwarescanner .com
futureselfdeeds .com
allinternetfreebies .com
liveinternetupdates .com
momentstohaveyou .cn

Rephrasing the Cardigans Love Fool song - Common sense tells me I shouldn't bother, and I ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely deserves me, but I think you folks do.

Thanks to Sean-Paul Correll from PandaLabs for the tip. Continue reading →

Summarizing Zero Day's Posts for May

The following is a brief summary of all of my posts at ZDNet's Zero Day for May.

You can also go through previous summaries for April, March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Inside the botnets that never make the news - a gallery; China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities? and The Web's most dangerous keywords to search for.

01. Cybercriminals promoting malware-friendly search engines
02. New Mac OS X email worm discovered
03. China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities?
04. Spammers harvesting emails from Twitter - in real time
05. 56th variant of the Koobface worm detected
06. Study: password resetting 'security questions' easily guessed
07. D-Link router's CAPTCHA flawed, WPA passphrase retrieved
08. Inside the botnets that never make the news - a gallery
09. The Web's most dangerous keywords to search for Continue reading →

Dating Spam Campaign Promotes Bogus Dating Agency - Part Two

Your future template-based wife is here, waiting not only for you, but also, for the hundreds of thousands of spammed gullible future husbands.

Our "dear friends" at Confidential Connections are at it again - spamming out bogus dating profiles, introducing new domains and inevitably exposing the phony company's connections with managed spam services operated by money mules, and sharing DNS servers with more cybercrime-facilitating parties.

As in their previous campaigns, they're spamming from LRouen-152-82-6-202.w80-13.abo.wanadoo.fr [80.13.101.202], and here's the most recent portfolio of domains used in the spam campaigns parked at 62.90.136.207:

dating-forin-loved .com - Email: deolserdo@safe-mail.net
matchwithworld .com - Email: esheodin@safe-mail.net
love-f-emale .com - Email: lo3664570460504@absolutee.com
i-amsingle .com - Email: i-3685838623704@absolutee.com
for-you-from-me .com - Email: PabloStantonXW@gmail.com
love-me-long-time .com - Email: lo3685839114104@absolutee.com
destinycombine .com - Email: esheodin@safe-mail.net
you-isnot-alone .com - Email: SamNilsenson@gmail.com
find-some-love .com - Email: SamNilsenson@gmail.com
find-thereal-love .com - Email: deolserdo@safe-mail.net
 

all-hot-love .com - Email: sup3portne3west@safe-mail.net
find-the-reallove .com - Email: fi3653005547304@absolutee.com
sweet-hearts-dating .com - Email: SamNilsenson@gmail.com
my-great-dating .com - Email: SamNilsenson@gmail.com
yourmatchwith .com - Email: esheodin@safe-mail.net
loking-for-aman .com - Email: lo3653004406804@absolutee.com
myloving-heart .com - Email: my3685835605504@absolutee.com
beautiful-prettywoman .com - Email: JosiahMillerTP@gmail.com
buildyour-happylove .net - Email: bu3664569267104@absolutee.com
adorelovewon .com - Email: supportnewest@safe-mail.net
andiloveyoutoo .com - Email: enorst10@yahoo.com
 

myloveamour .com - Email: supportnewest@safe-mail.net
luckyheatrs .com - Email: neujelivsamomdeli@gmail.com
just-waiting-foryou .com - Email: SamNilsenson@gmail.com
dreams-about-lady .com - Email: JosiahMillerTP@gmail.com
inspiredlove .net - Email: antonkovalchukk@gmail.com
make-family .net - Email: JosiahMillerTP@gmail.com
createyourlove .net
fillinglove .net

Let's connect the dots, shall we? Notice some of the registrant's emails, namely supportnewest@safe-mail.net and sup3portne3west@safe-mail.net. It gets even more interesting taking into consideration the fact that the money laundering group's botnet command and control domain was registered to supp3ortnewest@safe-mail.net. Moreover, among the unique usernames used exclusively by this botnet, was in fact the one used in Confidential Connections spam campaigns, confirming their connection.

Naturally, Confidential Connections are also rubbing shoulders with more cybercrime facilitating domains sharing the same DNS infrastructure (ns1.srv .com).

For instance, superfuturebiz .com/maingovermnfer5 .com (Trojan-Spy.Win32.Zbot.uyn) where a Trojan-Spy.Win32.Zbot.uyn is hosted at maingovermnfer5 .com/anyfldr/demo.exe which once executed attempts to download Zeus crimeware from maingovermnfer5 .com/anyfldr/cfg.bin.

Moreover, carder-shop .com which is an ex-Atrivo darling, yourmagicpills .com which is a typical pharmaceutical scam, zaikib .in a malware command and control, and eefs .info which is a phony "East Europe Financial System" and looks like a typical money mule recruitment operation. Continue reading →

3rd SMS Ransomware Variant Offered for Sale

The concept of ransomware is clearly making a comeback. During the past two months, scareware met the ransomware business model in the face of File Fix Professional 2009 and FakeAlert-CO or System Security, followed by two separate SMS-based ransomware variants Trj/SMSlock.A and a modified version of it.

The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user that as of 1st of May Microsoft is launching a new anti-pirates initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.

Key features:
Support for Windows 98/Vista
- Blocks the entire desktop
- Locks system key combinations attempting to remove it
- Copied to the system folder (the file is almost impossible to find)
- Can be put in the startup
- Launches the blocking system before the desktop appears upon reboot 
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun

The price for a custom-made version with the customer's own SMS data is $10, with $5 per new (undetected) copy, as well as the complete source code available for $50 again from the same vendor.

From a "visual social engineering" perspective, the one that make scareware what it is as product -- a product which would have scaled so fast if it wasn't the distribution channel in the form of web site compromises and blackhat SEO at the first place -- the latest SMS ransomware variant lacks any significant key visual features which can compete with for instance, the DIY fake Windows XP activation trojan and its 2.0 version.

With the emerging localization on demand services offering translations for phishing, spam and malware campaigns into popular international languages, it wouldn't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian speaking ones for the time being. Continue reading →

Inside a Money Laundering Group's Spamming Operations

UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.

What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a 31,000 infected hosts botnet which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved at the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:

The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress. Continue reading →

Inside a Money Laundering Group's Spamming Operations

UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.

What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a 31,000 infected hosts botnet which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved at the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:

The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress. Continue reading →