Historical OSINT - The "BadB International" Cybercrime Enterprise

April 10, 2013

BadB is the nickname of Vladislav Anatolievich Horohorin, a high-profile carder who eventually got busted in France in 2010. This month, he was sentenced to serve 88 months in prison, ordered to pay $125,739 in restitution, and given two years of supervised release.

In the wake of these events, I decided to release some raw OSINT data regarding BadB's official Web site, hxxp://badb.biz.


Related URLs: hxxp://badb.biz; hxxp://badb.org; hxxp://dumps.name
Emails: badb4cc@yahoo.com; metaksa_s@yahoo.com; support@agava.com; admin@agava.com; admin@carderplanet.biz
ICQ: 49162552
Phone number: +19522325532 (Working according to BadB in 2009)

IP hosting history for badb.biz from 2005 to 2010 was recorded in the format (initial hosting IP -> IP change detected to a new IP).



Sample About Us section description from badb.biz:
We are an independent e-commerce security investigation group. We help e-commerce organisations such as Visa, Mastercard, regional processors and other e-commerce structures to understand how vulnerable they are. We are not connected to any criminal structures, not performing any outlaw actions ourselves, not selling drugs, not sending any spam, not connected to any child porn, not supporting terrorists themselves nor terrorist organisations. If you received any spam from us - this is a fake by our enemies; we never use spam to promote our site. All information you can read here is provided "As Is" and only for educational purposes. All articles are copyrighted. If you wish to take any part of the information from here - please refer to the originating site. All we do - is we have for sale some dumps, cvvs and cobs - just for experimental purposes of our customers ;-) We listen and effectively respond to your needs and those of your clients. We are experts at translating those needs into marketing solutions that work, look great and communicate well. Each day brings increased opportunity to increase business in current as well as new.

This case is a great example of a simple fact: with or without BadB, the market for stolen credit card data continued growing throughout the entire 2011. Then, in 2012, we witnessed two law enforcement operations, courtesy of SOCA and the FBI. However, despite these efforts, the market for stolen credit card data remains as vibrant as ever.

Thanks to the standardization taking place in the money mule recruitment process, as well as the nearly identical online shops for stolen credit card data, those who cannot "cash out" the balances of the credit cards will choose to forward the risk of the selling process to the buyers of the stolen data. The rest will basically continue looking for more efficient, automatic and anonymous ways to get access to the stolen money, continuing to rely on money mules of virtual currencies.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for March

April 01, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. New DIY IRC-based DDoS bot spotted in the wild
02. Cybercriminals release new Java exploits centered exploit kit
03. Segmented Russian “spam leads” offered for sale
04. New DIY hacked email account content grabbing tool facilitates cyber espionage on a mass scale
05. New DIY unsigned malicious Java applet generating tool spotted in the wild
06. Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns
07. Fake BofA ‘Online Digital Certificate’ themed emails lead to malware
08. Spamvertised BBB ‘Your Accreditation Terminated’ themed emails lead to Black Hole Exploit Kit
09. New ZeuS source code based rootkit available for purchase on the underground market
10. Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware
11. Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the wild
12. Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004
13. Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit
14. Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
15. Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit
16. ‘ADP Payroll Invoice’ themed emails lead to malware
17. ‘Terminated Wire Transfer Notification/ACH File ID’ themed malicious campaigns lead to Black Hole Exploit Kit
18. New DIY RDP-based botnet generating tool leaks in the wild
19. A peek inside the EgyPack Web malware exploitation kit


Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise

March 06, 2013

Oops, they did it again!

The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site is also known to have affected 15 more domains.

Let's dissect the campaign, expose the complete domain portfolio used in it, reproduce the malicious payload, and establish a direct connection between this campaign and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.

Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 144.135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php

Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains currently parked at the same IP and responding, allowing us to obtain the malicious payload used in the campaign affecting NBC's Web site. Upon further examination, the obtained malicious PDF used in the campaign also attempts to connect to the initial iFrame domain (20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang of cybercriminals.

Sample exploitation chain for a currently active malicious domain responding to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php

Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188

Sample detection rates for the reproduced malicious payload:
test.pdf - MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar - MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar - MD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB; it then attempts to obtain the malicious payload from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182).

Responding to 192.154.103.66 are also the following malicious domains:
snova-vdel-e.com
mimemimikat.info


Malicious domain names reconnaissance:
20-monkeys-b.com - Email: haneslyndsey@yahoo.com
poople-huelytics.com - Email: brianmyhalyk@yahoo.com
snova-vdel-e.com - Email: guerin_k@yahoo.com
mimemimikat.info - Email: xbroshost@live.com

More domains share the same exploitation directory structure (agencept.php?vialjack=).


The same email (xbroshost@live.com) is also known to have registered the following phishing domains in the past:
hxxp://www.realtorviewproperties.info/realtorjj/index.htm
hxxp://www.usaindependentmerchids.com
hxxp://www.usamerchandiseinc.com/
hxxp://www.blogconsciente.com/~secadmin/eLogin.php


Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices to it, the fact that the C&C/malicious payload acquisition strategy is largely centralized, (thankfully) indicates a critical flaw in their mode of thinking.
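The shared landing-page structure (agencept.php?vialjack=) and the landing page -> .jar chain described above can be turned into a proxy-log check. The following is an added example, not code from the original post: it runs over constructed log lines in an assumed "timestamp client method url" format, percent-decodes the query so an encoded "vialjack%3D..." is matched like "vialjack=...", and rates a landing hit followed by .jar fetches from the same host higher than a lone landing hit. The hostnames landing.example.net, shop.example.org and cdn.example.org are made up.

```python
"""Detector for the agencept.php?vialjack= landing-page structure and the
landing -> .jar exploitation chain. Added example, not the post's own code."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed proxy log in an assumed "<timestamp> <client> <method> <url>" format.
# Lines 1-3 reuse the domain named in the post; the hosts in lines 4-6 are made up.
SAMPLE_LOG = """\
2013-03-06T17:02:35 10.0.0.5 GET hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842
2013-03-06T17:02:36 10.0.0.5 GET hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar
2013-03-06T17:02:37 10.0.0.5 GET hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar
2013-03-06T17:03:10 10.0.0.9 GET http://landing.example.net/up/agencept.php?vialjack%3D219215
2013-03-06T17:04:00 10.0.0.7 GET http://shop.example.org/catalog/agencept.php?page=2
2013-03-06T17:04:01 10.0.0.7 GET http://cdn.example.org/static/viewer.jar
"""

# The landing script name is the stable part of the structure; the directory varies.
LANDING_PATH = re.compile(r"/agencept\.php$", re.IGNORECASE)


def classify_url(url):
    """Return ("landing", host, token), ("jar", host, None) or None.

    A defanged hxxp:// URL parses like any other scheme, so IoC lists can be
    fed in unchanged.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path)
    if LANDING_PATH.search(path):
        # Decode before parsing: "vialjack%3D219215" must become "vialjack=219215".
        params = parse_qs(unquote(parts.query))
        token = params.get("vialjack", [""])[0]
        if token.isdigit():
            return ("landing", host, token)
        return None  # same script name but no campaign token: not a match
    if path.lower().endswith(".jar"):
        return ("jar", host, None)
    return None


def scan(log_text):
    """Correlate hits per (client, host).

    landing + .jar fetches from the same host  -> severity "high"
    landing hit alone                          -> severity "medium"
    .jar fetch alone                           -> ignored (applets are common)
    """
    seen = defaultdict(lambda: {"landing": None, "jars": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; a real parser would log it
        _ts, client, _method, url = fields
        hit = classify_url(url)
        if hit is None:
            continue
        kind, host, token = hit
        entry = seen[(client, host)]
        if kind == "landing":
            entry["landing"] = token
        else:
            entry["jars"].append(url)

    findings = []
    for (client, host), entry in seen.items():
        if entry["landing"] is None:
            continue
        findings.append({
            "client": client,
            "host": host,
            "vialjack": entry["landing"],
            "jars": len(entry["jars"]),
            "severity": "high" if entry["jars"] else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```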


Summarizing Webroot's Threat Blog Posts for February

March 04, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

 
01. Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
02. Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
03. ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
04. New DIY HTTP-based botnet tool spotted in the wild
05. Mobile spammers release DIY phone number harvesting tool
06. New underground service offers access to thousands of malware-infected hosts
07. Targeted ‘phone ring flooding’ attacks as a service going mainstream
08. Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
09. Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit
10. Malware propagates through localized Facebook Wall posts
11. Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware
12. New underground E-shop offers access to hundreds of hacked PayPal accounts
13. Fake ‘Verizon Wireless Statement’ themed emails lead to Black Hole Exploit Kit
14. DIY malware cryptor as a Web service spotted in the wild
15. Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware
16. How mobile spammers verify the validity of harvested phone numbers
17. How much does it cost to buy 10,000 U.S.-based malware-infected hosts?


Dissecting NBC's Exploits and Malware Serving Web Site Compromise

February 21, 2013

The web site of the National Broadcasting Company (NBC), NBC.com, is currently compromised and is redirecting tens of thousands of legitimate users to multiple exploit-serving and malware-dropping malicious URLs. The campaign appears to have been launched by the same gang of cybercriminals that has also recently been involved in impersonating Facebook Inc. and Verizon Wireless, in an attempt to trick their users/customers into clicking on links found in hundreds of thousands of spamvertised emails pretending to come from those companies.

Let's dissect the campaign, expose its structure, the dropped malware, and connect the dots on who's behind it.

Observed iFrames in rotation:
hxxp://umaiskhan.com/znzd.html
hxxp://umaiskhan.com/ztuj.html
hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php
hxxp://nikweinstein.com/cl/google.php


Observed redirections leading to:
hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php



Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk.html -> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne.info/987.pdf

Upon successful client-side exploitation, the campaign drops MD5: 4e48ddc2a2481f9ff27113e6395160e1 - detected by 7 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfgj.


Once executed, the sample creates the "Xi3FVneIx" mutex and phones back to:
hxxp://eastsidetennisassociation.com/i.htm?jzd63F1JyFUfMyyf1Q8U9 - 74.220.215.229
hxxp://envirsoft.com/n.htm?xWasESNrgozQ13QNR1PNCGTGhPAW16QJ67Bnj - 174.120.29.2 - Email: louis.bouchard@envirsoft.com
hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBzTL8TrY7btwJDVszO - 66.96.145.104 - Email: eddom@yahoo.com
hxxp://magasin-shop.com/v.htm?ZPlkcqLyyHFRxHmhVxQN8HdfszymBrXxuy - 66.96.160.143
hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96

Second redirection chain for a sampled iFrame: hxxp://moi-npovye-sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/aflybing.php?esusvity=785280, where it attempts to exploit CVE-2010-0188.

Malicious domains reconnaissance:
umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be a compromised site belonging to someone named "Azhar Mahmood", unless of course you want to believe that Pakistan's cyber warfare unit is behind the campaign, since this is the second time that I have come across this IP. Keep reading!
priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com
gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com
erabisnis.net - 74.220.207.161
moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com
jaylenosgarage.com - 80.239.148.217
nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com

mdkline65@yahoo.com is also known to have registered a number of other domains.



Who's behind this campaign, and can we connect these malicious activities to previously analyzed malicious campaigns? But, of course.

umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know that another domain used in a Facebook Inc. themed campaign was also responding to the same IP, namely hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. The compromised legitimate host back then used to serve client-side exploits through hxxp://gotina.net/detects/sign_on_to_resume.php – 222.238.109.66 – Email: lockwr@rocketmail.com.

Deja vu! We've already seen and profiled this malicious domain in the following assessment, "Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware", indicating that both of these campaigns have been launched by the same cybercriminal/gang of cybercriminals. What's also worth emphasizing is that the same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the following assessment, "Fake ‘Verizon Wireless Statement’ themed emails lead to Black Hole Exploit Kit", where it was used to register the Name Servers used in the campaign.

Someone's multi-tasking. That's for sure.
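The "connect the dots" pivot used above, linking umaiskhan.com to shutterstars.com through a shared IP and gotina.net to the Verizon-themed campaign through a shared registrant email, is implemented below as an added example, not code from the original post. The observations are constructed from values quoted in the post; verizon-campaign-ns.example stands in for the unnamed Name Server domain and unrelated.example is a control. Because a shared hosting IP can tie unrelated sites on the same server together (the post itself treats umaiskhan.com as a compromised legitimate site), the pivot_types parameter lets the analyst restrict clustering to registrant emails.

```python
"""Infrastructure pivoting over domain -> {ip, registrant email} observations.
Added example, not the post's own code. Two domains land in one cluster when
they share an observed IP or registrant email, directly or through a chain
of such links (union-find over domain and attribute nodes)."""
from collections import defaultdict

# Constructed (domain, attribute_type, attribute_value) observations.
# Real values are quoted from the post; ".example" names are placeholders.
OBSERVATIONS = [
    ("umaiskhan.com", "ip", "173.254.28.49"),
    ("umaiskhan.com", "email", "chfaisal009@gmail.com"),
    ("shutterstars.com", "ip", "173.254.28.49"),        # Facebook-themed campaign host
    ("gotina.net", "ip", "222.238.109.66"),
    ("gotina.net", "email", "lockwr@rocketmail.com"),
    ("verizon-campaign-ns.example", "email", "lockwr@rocketmail.com"),  # placeholder NS domain
    ("electricianfortwayne.info", "ip", "173.201.92.1"),
    ("electricianfortwayne.info", "email", "mdkline65@yahoo.com"),
    ("unrelated.example", "ip", "192.0.2.10"),           # control: shares nothing
]


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster(observations, pivot_types=("ip", "email")):
    """Map each domain to the sorted list of domains linked to it.

    Only attribute types listed in pivot_types create links, so a weak pivot
    such as a shared-hosting IP can be switched off.
    """
    ds = DisjointSet()
    for domain, kind, value in observations:
        ds.find(("domain", domain))  # register even if nothing links to it
        if kind in pivot_types:
            ds.union(("domain", domain), (kind, value))
    groups = defaultdict(set)
    for node in list(ds.parent):
        if node[0] == "domain":
            groups[ds.find(node)].add(node[1])
    return {d: sorted(members) for members in groups.values() for d in members}


def shared_pivots(observations, a, b, pivot_types=("ip", "email")):
    """Direct attribute overlap that explains a link between two domains."""
    attrs = defaultdict(set)
    for domain, kind, value in observations:
        if kind in pivot_types:
            attrs[domain].add((kind, value))
    return sorted(attrs[a] & attrs[b])


if __name__ == "__main__":
    for domain, members in sorted(cluster(OBSERVATIONS).items()):
        print(f"{domain}: {members}")
    print(shared_pivots(OBSERVATIONS, "umaiskhan.com", "shutterstars.com"))
    print(cluster(OBSERVATIONS, pivot_types=("email",))["umaiskhan.com"])
```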


Historical OSINT - Hacked Databases Offered for Sale

February 06, 2013

In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, compared to (supposedly) Chinese spies, with the idea to provide factual evidence that these breaches are just the tip of the iceberg.

In this intelligence brief, I'll profile a service that operated throughout the entire 2009, selling access to the compromised databases of multiple high-traffic Web sites, obtained through the direct compromise of their databases, hence the name of the service: GiveMeDB.

Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru
Secondary URL: hxxp://shopdb.blogspot.com
ICQ: 9348793; 5190451

During 2009, the domain used to respond to 83.133.123.228 (LAMBDANET-AS, European Backbone of LambdaNet); it then changed IPs to 74.54.82.209 (THEPLANET-AS, ThePlanet.com Internet Services, Inc.). The following domains used to respond to the same IP (83.133.123.228): pornofotki.com.ua, mail.vipnkvd.ru. What are the chances that these IPs are known to have been involved in related malicious/cybercrime-friendly activities? Appreciate my rhetoric.

We've also got the following MD5: 6a9b128545bd095dbbb697756f5586a9 spamming links to the same IP (hxxp://83.133.123.228/uksus/?t=3 in particular). Cross-checking the second IP (74.54.82.209) across multiple proprietary and public databases reveals a diversified criminal enterprise that's been using it for years.

The following MD5s are known to have phoned back to the same IP (74.54.82.209):
MD5: d48a7ae9934745964951a704bcc70fe9
MD5: 4626de911152ae7618c9936d8d258577
MD5: ca4b79a33ea6e311eafa59a6c3fffee2
MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4

The same IP is also tied to recent (2011) Palevo C&C activity. Clearly, they've been multi-tasking on multiple fronts.

Each offer has the following structure: partial URL of the hacked Web site, country of the Web site, quantity of records per database, first-time price, exclusive price. The affected Web sites fall into job/CV, dating, financial and other databases.

Purchasing these hacked databases immediately improves the competitiveness of a potential cybercriminal, who now has everything needed to launch spam, spear phishing and money mule recruitment campaigns at their disposal.

For years, novice cybercriminals or unethical competitors have been purposely joining closed cybercrime-friendly communities, seeking help, in exchange for a financial incentive, in obtaining access to a particular database or in the "defacement" of a specific Web site. What this service proves is that the model can actually scale to disturbing proportions, offering access to millions of compromised database records to virtually anyone who pays for them.


Historical OSINT - Hacked Databases Offered for Sale

February 06, 2013
In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, compared to (supposedly) Chinese spies, with the idea to provide factual evidence that these breaches are just the tip of the iceberg.

In this intelligence brief, I'll profile a service that operated throughout 2009, selling access to the compromised databases of multiple high-traffic Web sites, obtained through direct compromise of those databases; hence the name of the service, GiveMeDB.


Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru
Secondary URL: hxxp://shopdb.blogspot.com
ICQ: 9348793; 5190451

During 2009, the domain resolved to 83.133.123.228 (LAMBDANET-AS, European Backbone of LambdaNet) and later moved to 74.54.82.209 (THEPLANET-AS, ThePlanet.com Internet Services, Inc.). Two other domains resolved to the first IP (83.133.123.228) at the time: pornofotki.com.ua and mail.vipnkvd.ru. What are the chances that these IPs are also known for related malicious, cybercrime-friendly activity? Consider the following.

A sample with MD5 6a9b128545bd095dbbb697756f5586a9 is known to have spammed links pointing to the same IP, hxxp://83.133.123.228/uksus/?t=3 in particular. Cross-checking the second IP (74.54.82.209) across multiple proprietary and public databases reveals a diversified criminal enterprise that has been using it for years.

The following MD5s are known to have phoned back to the same IP (74.54.82.209):
MD5: d48a7ae9934745964951a704bcc70fe9
MD5: 4626de911152ae7618c9936d8d258577
MD5: ca4b79a33ea6e311eafa59a6c3fffee2
MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4

The same IP also hosted Palevo C&C activity as recently as 2011. Clearly, its operators have been multi-tasking on multiple fronts.
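
The pivot the paragraphs above walk through (domain to hosting IPs, IPs to co-hosted domains and to samples that contacted them), as an added example that is not part of the original post. The rows marked REAL are the IPs, domains and hashes stated above; seed.example, the tenant*.example rows and the address 198.51.100.7 are constructed to exercise the one check the rhetorical question above glosses over: co-residence on a busy shared host is weak evidence, so the pivot reports such an IP but does not expand it.

```python
"""Infrastructure pivot: seed domain -> hosting IPs -> co-hosted domains and
malware samples tied to those IPs.

Added example, not code from the original post. Rows marked REAL are the
facts the post states; rows marked CONSTRUCTED exist only to exercise the
shared-hosting cut-off (198.51.100.7 is a TEST-NET-2 address).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    ip: str


@dataclass(frozen=True)
class SampleRecord:
    md5: str
    ip: str
    relation: str   # "c2": phoned back to the IP; "spamvertised": spammed a URL on it
    note: str = ""


PDNS = [
    DnsRecord("givemedb.com", "83.133.123.228"),        # REAL
    DnsRecord("givemedb.com", "74.54.82.209"),          # REAL (later IP)
    DnsRecord("pornofotki.com.ua", "83.133.123.228"),   # REAL
    DnsRecord("mail.vipnkvd.ru", "83.133.123.228"),     # REAL
    DnsRecord("seed.example", "198.51.100.7"),          # CONSTRUCTED
] + [DnsRecord(f"tenant{i}.example", "198.51.100.7") for i in range(120)]  # CONSTRUCTED

SAMPLES = [  # all REAL
    SampleRecord("6a9b128545bd095dbbb697756f5586a9", "83.133.123.228",
                 "spamvertised", "hxxp://83.133.123.228/uksus/?t=3"),
    SampleRecord("d48a7ae9934745964951a704bcc70fe9", "74.54.82.209", "c2"),
    SampleRecord("4626de911152ae7618c9936d8d258577", "74.54.82.209", "c2"),
    SampleRecord("ca4b79a33ea6e311eafa59a6c3fffee2", "74.54.82.209", "c2"),
    SampleRecord("eb3b44cee34ec09ec6c5917c5bd7cfb4", "74.54.82.209", "c2"),
]

IP_NOTES = {"74.54.82.209": "Palevo C&C activity reported in 2011"}  # REAL


def pivot(seed, pdns=PDNS, samples=SAMPLES, max_cohosted=50):
    """One-hop pivot from `seed`.

    For every IP the seed resolved to, report the other domains on that IP
    and the samples tied to it. An IP with more than `max_cohosted` other
    domains is flagged as noisy and its tenants are not listed: on shared
    hosting or a CDN, co-residence says nothing about shared ownership, and
    expanding it would pull hundreds of unrelated domains into the case.
    """
    ip_to_domains = defaultdict(set)
    seed_ips = set()
    for r in pdns:
        ip_to_domains[r.ip].add(r.domain)
        if r.domain == seed:
            seed_ips.add(r.ip)

    ip_to_samples = defaultdict(list)
    for s in samples:
        ip_to_samples[s.ip].append(s)

    report = {}
    for ip in sorted(seed_ips):
        others = ip_to_domains[ip] - {seed}
        noisy = len(others) > max_cohosted
        report[ip] = {
            "cohosted": set() if noisy else others,
            "cohosted_count": len(others),
            "noisy": noisy,
            "c2_samples": sorted(s.md5 for s in ip_to_samples[ip] if s.relation == "c2"),
            "spamvertised": sorted(s.md5 for s in ip_to_samples[ip] if s.relation == "spamvertised"),
            "note": IP_NOTES.get(ip, ""),
        }
    return report


if __name__ == "__main__":
    for ip, info in pivot("givemedb.com").items():
        print(ip, info)
    print("198.51.100.7 noisy:", pivot("seed.example")["198.51.100.7"]["noisy"])
```

The report for givemedb.com reproduces the post's findings (two co-hosted domains and one spamvertised sample on the first IP, four call-back samples and the Palevo note on the second), while the constructed seed.example shows the cut-off firing on an IP with 120 tenants. The threshold is a judgement call; a real pivot would also check that the seed and the co-hosted domains overlapped in time, which the post's year-level data does not allow.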

Each proposition in the shop follows the same structure: partial URL of the hacked Web site, country of the Web site, number of records in the database, first-time price, and exclusive price. The list of affected Web sites is as follows:
 
Job/CV Databases:
jobsbazaar.*
availablejobs.*
ecarers.*
fecareers.*
healthmeet.*
youths.*
jobpilot.*
thecareerengineer.*
iauk.*
jobboerse.*
creativepool.*
jobsinkent.*
jobsinthemoney.*
jobup.*
rxcareercenter.*
 

Dating Databases:
freedating.*
singles-bar.*
muenchner-singles.*
dateclub.*
websingles.*
find-you.*
fitness-singles.*
houstonconnect.*
datingz.*
loveandfriends.*
lovebyrd.*
mydatingplacephx.*
cozydating.*
singletreffen.*
datearea.*
endless-fantasy.*
 

Financial Databases:
importers.*
money.*
pcquote.*
investorvillage.*
gurufocus.*
individual.*
arabianbusiness.*
ecademy.*
 
 
Other Databases:
pokersourceonline.*
wickedcolors.*
salespider.*
busytrade.*
funky.*


Purchasing these hacked databases immediately improves the competitiveness of a potential cybercriminal, who now has everything needed to launch spam, spear phishing, and money mule recruitment campaigns.

For years, novice cybercriminals and unethical competitors have purposely joined closed cybercrime-friendly communities, seeking help, in exchange for a financial incentive, in obtaining access to a particular database or in "defacing" a specific Web site. What this service proves is that the model can scale to disturbing proportions, offering access to millions of compromised database records to virtually anyone willing to pay for them.

Updates will be posted as soon as new developments take place.

Summarizing Webroot's Threat Blog Posts for January

February 04, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware
02. Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit
03. ‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit
04. Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware
05. A peek inside a boutique cybercrime-friendly E-shop – part six
06. Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity
07. Spamvertised AICPA themed emails serve client-side exploits and malware
08. ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
09. Malicious DIY Java applet distribution platforms going mainstream
10. Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware
11. Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool
12. ‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit
13. Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message’ themed emails, serve malware
14. Leaked DIY malware generating tool spotted in the wild
15. Email hacking for hire going mainstream – part three
16. Android malware spreads through compromised legitimate Web sites
17. Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
18. Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
19. Novice cybercriminals experiment with DIY ransomware tools
20. Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit
21. Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
22. A peek inside a DIY password stealing malware
23. Malicious ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for December

January 09, 2013
The following is a brief summary of all of my posts at Webroot's Threat Blog for December, 2012. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. DIY malicious domain name registering service spotted in the wild
02. Fake ‘FedEx Tracking Number’ themed emails lead to malware
03. Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware
04. Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit
05. A peek inside a boutique cybercrime-friendly E-shop – part five
06. Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit
07. Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
08. Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware
09. Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data
10. Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions
11. Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
12. Spamvertised ‘Work at Home’ scams impersonating CNBC spotted in the wild
13. Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs
14. Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware
15. Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit
16. Webroot’s Threat Blog Most Popular Posts for 2012

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve

January 07, 2013
In the following (historical) intelligence brief, I'll provide some raw domain data on fake companies that are known to have attempted to recruit money mules over the past two years.

The domains listed here were registered by the same gang of cybercriminals that I've been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" posts.

Money mule recruitment domains:
compassllc-usa.com
linkllc-uk.com
very-compllc.com
click-n-art.com
infotechgroup-inc.com
amplitude-groupmain.tw
magnet-groupinc.cc
allston-groupsec.cc
develop-inc.com
mercygroupnet.net
mercy-inc.com
solarisgroupinc.com
solarisgroupnet.net
jvc-inc.com
jvcgroupnet.net
evolvingsysinc.net
atcanetworks.net
atca-inc.com
galleogroupnet.net
galleo-inc.com
evolving-inc.com
netmarket-inc.com
netmarkettech.net
infotech-groupco.net
infotech-groupinc.com
bands-groupsvc.com
bands-inc.com
bandsgroup-inc.net
bandsgroupnet.cc
ict-groupco.com
ict-groupsvc.net
ictgroupinc.com
ictgroupnet.cc
giant-groupco.net
giant-groupinc.com
giant-groupnet.cc
giantgroupinc.com
imperial-groupinc.com
imperial-groupsvc.net
imperialgroupco.com
hostgroup-inc.com
hostgroupinc.com
hostgroupnet.cc
host-groupsvc.net
cnlgroup-inc.cc
cnlgroupnet.net
cnl-groupsvc.com
cnl-inc.com
itcom-groupco.net
itcom-groupfine.cc
itcom-groupsvc.com
itcomgroup-inc.com
mgm-groupsvc.com
mgmgroup-inc.net
mgmgroupinc.com
mgmgroupnet.cc
usi-groupinc.net
usigroup-inc.com
usigroupinc.com
usigroupnet.cc
novaris-groupllc.tw
novarisgroupmain.tw
novaris-grouporg.cc
vital-groupco.cc
vital-groupco.tw
vital-groupinc.tw
perseus-groupfine.tw
perseus-groupinc.tw
perseusgroupllc.cc
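
The naming pattern visible in the list above, as an added example that is not part of the original post. DOMAINS is the post's list lowercased with duplicates dropped; the template regex, the brand/shape split and the three verdicts are this example's own construction fitted to that list, not a rule the post states; giant-groupllc.tw, acme-groupsvc.cc and example.org are made-up test inputs.

```python
"""Naming-template analysis of the recruiter domains listed above.

Added example, not code from the original post. DOMAINS is the post's list
normalised to lowercase with exact duplicates dropped; the regex, the
brand/shape split and the three verdicts are this example's own
construction, fitted to that list, not a rule the post states.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

DOMAINS = sorted(set("""
compassllc-usa.com linkllc-uk.com very-compllc.com click-n-art.com
infotechgroup-inc.com amplitude-groupmain.tw magnet-groupinc.cc allston-groupsec.cc
develop-inc.com mercygroupnet.net mercy-inc.com solarisgroupinc.com solarisgroupnet.net
jvc-inc.com jvcgroupnet.net evolvingsysinc.net atcanetworks.net atca-inc.com
galleogroupnet.net galleo-inc.com evolving-inc.com netmarket-inc.com netmarkettech.net
infotech-groupco.net infotech-groupinc.com bands-groupsvc.com bands-inc.com
bandsgroup-inc.net bandsgroupnet.cc ict-groupco.com ict-groupsvc.net ictgroupinc.com
ictgroupnet.cc giant-groupco.net giant-groupinc.com giant-groupnet.cc giantgroupinc.com
imperial-groupinc.com imperial-groupsvc.net imperialgroupco.com hostgroup-inc.com
hostgroupinc.com hostgroupnet.cc host-groupsvc.net cnlgroup-inc.cc cnlgroupnet.net
cnl-groupsvc.com cnl-inc.com itcom-groupco.net itcom-groupfine.cc itcom-groupsvc.com
itcomgroup-inc.com mgm-groupsvc.com mgmgroup-inc.net mgmgroupinc.com mgmgroupnet.cc
usi-groupinc.net usigroup-inc.com usigroupinc.com usigroupnet.cc novaris-groupllc.tw
novarisgroupmain.tw novaris-grouporg.cc vital-groupco.cc vital-groupco.tw vital-groupinc.tw
perseus-groupfine.tw perseus-groupinc.tw perseusgroupllc.cc
""".split()))

# <brand>[-]<shape>.<tld>, where shape is "group" plus a corporate-sounding
# qualifier, a bare "inc", or "llc" with an optional country tag. The brand
# part is matched lazily so "giantgroupinc" splits as giant + groupinc, not
# giantgroup + inc.
SHAPE = r"group-?(?:co|inc|net|svc|llc|main|fine|org|sec)|inc|llc(?:-[a-z]{2,3})?"
TEMPLATE = re.compile(
    r"^(?P<brand>[a-z0-9]+?(?:-[a-z0-9]+)*?)-?(?P<shape>" + SHAPE + r")\.(?P<tld>com|net|cc|tw)$"
)


class Parsed(NamedTuple):
    brand: str
    shape: str
    tld: str


def parse(domain: str) -> Optional[Parsed]:
    """Split a domain into (brand, shape, tld) if it fits the template."""
    m = TEMPLATE.match(domain.lower().strip("."))
    return Parsed(m["brand"], m["shape"], m["tld"]) if m else None


def brand_families(domains):
    """Group template-matching domains by brand. The same brand registered
    under several shape/TLD combinations is the fingerprint of a generator."""
    families = defaultdict(set)
    for d in domains:
        p = parse(d)
        if p:
            families[p.brand].add(d)
    return dict(families)


def classify(domain: str, known_brands) -> str:
    """Verdict for a domain seen in a new "job offer":
    known_family   - template match on a brand already in the list
    template_match - fits the generator's template, brand not yet seen
    no_match       - does not fit; judge it on other evidence"""
    p = parse(domain)
    if p is None:
        return "no_match"
    return "known_family" if p.brand in known_brands else "template_match"


if __name__ == "__main__":
    fams = brand_families(DOMAINS)
    for brand, members in sorted(fams.items(), key=lambda kv: -len(kv[1]))[:8]:
        print(brand, sorted(members))
    for d in ("giant-groupllc.tw", "acme-groupsvc.cc", "example.org"):
        print(d, classify(d, fams))
```

Sixty-six of the 69 domains fit the template; the three that do not (click-n-art.com, atcanetworks.net, netmarkettech.net) are the hand-registered outliers. Eight brands (bands, cnl, giant, host, ict, itcom, mgm, usi) carry four registrations each, which is the generator at work. Treat a template_match as a triage signal rather than proof: plenty of legitimate small firms register "<name>-inc.com", so the bare "inc" shape deserves less weight than the "group" forms, and a known_family hit on a new TLD is the one worth blocking at the mail gateway.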


Consider going through my previous research into one of the most popular 'risk-forwarding' tactics used by cybercriminals, namely money mule recruitment.

Related posts on money mule recruitment:
Keeping Money Mule Recruiters on a Short Leash - Part Eleven
Keeping Money Mule Recruiters on a Short Leash - Part Ten
Keeping Money Mule Recruiters on a Short Leash - Part Nine
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.
