Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines

July 15, 2010

UPDATED, Friday, July 16, 2010 - Directi has suspended the domains portfolio of the cybercrime-friendly search engines. 

Cybercrime-friendly search engines are bogus search engines which, in between visually social-engineering their users, serve fake results leading to client-side exploits, bogus video players dropping more malware, and scareware, next to pharmaceutical scams and domain farms neatly embedded with Google AdSense scripts for monetization.

In the majority of cases, whenever blackhat SEO is not an option, end users are exposed to their maliciousness once they get infected with malware that redirects each and every request to popular search engines such as Google, Yahoo and Bing to the malicious IPs/domains operated by the cybercriminals.

As far as their monetization tactics are concerned, fellow cybercriminals are free to purchase any keyword they want, for instance "spyware", and make it look as though the end user is clicking on security-vendor.com's site, whereas upon clicking, a particular type of malicious activity takes place based on the user's physical location.

Remember the HOSTS file modification performed by the malware hosted at AS6851, BKCNET, Sagade Ltd., and in particular the Koobface gang-related IP 89.149.210.109? Sampling the malicious activity within the search engines parked at/forwarded (via DNS recursion) from this IP turns up client-side exploits, bogus video players dropping malware, and scareware, all in less than 5 minutes of testing.


The cybercrime-friendly domains in question:

Internal redirections leading to malicious content take place through the following domains:


Internal pharmaceutical redirections take place through the following domains:
medsbrands.com - 74.52.216.46 - Email: tech@add-manager.com
thepillsdiscounts.info - 74.52.216.46 - Email: tech@add-manager.com
yourcatalogonline.biz - 74.52.216.46
bestderden.org - 74.52.216.46

Internal redirections leading to malicious content take place through the following IPs:



Sample malicious activity consists of scareware campaigns, client-side exploits, and bogus video players dropping malware.

Upon visiting the bogus PornTube at vogel-tube.com/xfreeporn.php?id= - 66.197.187.118 (the-real-tube-best.com and great-celebs-tube.net are parked there) - Email: admin@thenweb.com, the user is tricked into manually installing basemultimedia.com/video-plugin.45309.exe - 66.197.154.21 (visualbasismedia.com) - Email: joe@silentringer.com.

- Detection rate:
video-plugin.45309.exe - Downloader-CEW.b, Result: 6/42 (14.29%)
File size: 113152 bytes
MD5...: 25e644171bf9ee2a052b5fa71f8284e5
SHA1..: e4ac01534c7c1b71d2a38cf480339d31db187ecb

Upon execution, the sample phones back to:
best-arts-2010.com - 216.240.146.119 - Email:
hello-arts.com - 64.191.44.73 - Email:
youngfinearts.com - 64.20.35.3 - Email:
newchannelarts.com - 64.191.64.105 - Email:
vrera.com/oms.php - 208.43.125.180 - Email:
allxt.com/borders.php - 64.191.82.25

Parked at 216.240.146.119, AS7796 are also:


Parked at 64.191.44.73, AS21788 are also:

Parked at 64.20.35.3, AS19318 are also:


Related malicious domains sharing the same DNS infrastructure:

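The domain lists above are built by pivoting on shared registrant e-mails and shared hosting IPs. The following is an added example, not code from the original post: it parses the post's own record format ("domain - Email: addr - IP - ASxxxx", with optional fields, several domains per line and URL paths) and computes those pivots; the sample records are constructed from values quoted on this page.

```python
"""Pivot on shared registrant e-mail and hosting IP across indicator records.

Added example (not the original post's code). Parses lines of the form
"domain(s) - Email: addr - IP - ASxxxx" and derives two pivots the post relies
on: domains sharing a registrant e-mail and domains sharing a hosting IP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ASN_RE = re.compile(r"^AS\d+$", re.IGNORECASE)


@dataclass
class Record:
    domains: List[str]
    email: str = ""
    ip: str = ""
    asn: str = ""


def parse_record(line: str) -> Record:
    """Split one 'domain(s) - Email: x - IP - ASN' line into its fields.

    Fields after the first may appear in any order and any of them may be
    absent; the first field may hold several domains separated by ',' or ';'
    and may carry a URL path (host/in.php), of which only the host is kept.
    """
    parts = [p.strip() for p in line.split(" - ")]
    domains = [d.strip().lower() for d in re.split(r"[;,]", parts[0]) if d.strip()]
    domains = [d.split("/", 1)[0] for d in domains]
    rec = Record(domains=domains)
    for part in parts[1:]:
        if part.lower().startswith("email:"):
            rec.email = part.split(":", 1)[1].strip().lower()
        elif IP_RE.match(part):
            rec.ip = part
        elif ASN_RE.match(part):
            rec.asn = part.upper()
    return rec


def parse_records(text: str) -> List[Record]:
    """Parse every indicator line (lines without ' - ' are skipped)."""
    return [parse_record(l) for l in text.splitlines() if " - " in l]


def pivot(records: List[Record]) -> Dict[str, Dict[str, Set[str]]]:
    """Return {'email': {addr: domains}, 'ip': {addr: domains}} pivots."""
    by_email: Dict[str, Set[str]] = {}
    by_ip: Dict[str, Set[str]] = {}
    for r in records:
        if r.email:
            by_email.setdefault(r.email, set()).update(r.domains)
        if r.ip:
            by_ip.setdefault(r.ip, set()).update(r.domains)
    return {"email": by_email, "ip": by_ip}


def linked_domains(records: List[Record], seed: str) -> Set[str]:
    """Domains reachable from `seed` by repeatedly pivoting on e-mail or IP."""
    piv = pivot(records)
    seen: Set[str] = {seed.lower()}
    frontier = [seed.lower()]
    while frontier:
        current = frontier.pop()
        for r in records:
            if current not in r.domains:
                continue
            for key, value in (("email", r.email), ("ip", r.ip)):
                if not value:
                    continue
                for other in piv[key][value]:
                    if other not in seen:
                        seen.add(other)
                        frontier.append(other)
    return seen


# Constructed sample records, using values quoted in the post.
SAMPLE = """\
searchclick1.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753
websafeclicks.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753
searchmeup4.com - 78.159.112.46 - AS28753
greatseeking.com, superfindmea.info - 213.174.154.9 - Email: serdukov.art@gmail.com
sunday-traffic.com/in.php - 74.52.216.46 - Email: tech@add-manager.com
medsbrands.com - 74.52.216.46 - Email: tech@add-manager.com
yourcatalogonline.biz - 74.52.216.46
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for kind, table in pivot(recs).items():
        for key, doms in sorted(table.items()):
            print(f"{kind} {key}: {', '.join(sorted(doms))}")
    print("linked to medsbrands.com:", sorted(linked_domains(recs, "medsbrands.com")))
```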
Following the bogus dropper, the cybercriminals are also directly serving client-side exploits to users searching for security-related content. In this case, the exploits/malware are served from xoxipemej.cn/gr/s1/ - 178.63.170.185 - Email: shiwei_fang77@126.com.

- Detection rate:
.exe - Rootkit.Agent.AJDR, Result: 20/42 (47.62%)
File size: 53760 bytes
MD5...: 23244c5b5b02fab65b3a7ab51005fd51
SHA1..: a5f1a10344378f2c8f13c266dce39247ba3bae5f


Parked on the same IP 178.63.170.185, AS24940 are also:

Last but not least is the scareware infection taking place through www1.warezforyou24.co.cc/?p=p52 - 114.207.244.146; 114.207.244.143; 114.207.244.144; 114.207.244.145. An extensive portfolio of related scareware domains is also parked on these IPs.

- Detection rate:
packupdate107_231.exe - Suspicious:W32/Malware!Gemini, Result: 3/42 (7.15%)
File size: 238080 bytes
MD5...: 93517875c59ac33dab655bc8432b0724
SHA1..: 774af049406baeef3427b91a2d67ee0250b2b51b

Upon execution the sample phones back to:

The cybercrime-friendly domain portfolio is in the process of being suspended.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd.

July 14, 2010

Never trust an AS whose abuse mailbox is a Gmail account (piotrek89@gmail.com), and in particular one that you've come across during several malware campaigns over the past couple of months. It's AS6851, BKCNET "SIA" IZZI, also known as Sagade Ltd., that I'm referring to.

Let's dissect the currently ongoing malicious activity at that Latvian-based AS, expose the exploit/malware/crimeware/scareware-serving domain portfolios, sample some of the currently active binaries, emphasize the hijacking of the Google, Yahoo and Bing search engines, and take a brief retrospective look at AS6851's activities profiled over the past couple of months.

What's so special about AS6851 anyway? It's the numerous times the AS popped up in previously profiled campaigns (see the related posts at the bottom of this post), next to a pretty interesting Koobface gang connection. An excerpt from a previous post:

"What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:
Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php

The same michaeltycoon@gmail.com used to register 1zabslwvn538n4i5tcjl.com, was also profiled in the "Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment."

Related data on AS6851, BKCNET/Sagade Ltd.:
netname:         ATECH-SAGADE
descr:           Sagade Ltd.
descr:           Latvia, Rezekne, Darzu 21
descr:           +371 20034981
remarks:         abuse-mailbox: piotrek89@gmail.com
country:         LV
admin-c:         JS1449-RIPE
tech-c:          JS1449-RIPE
status:          ASSIGNED PA
mnt-by:          AS6851-MNT
source:          RIPE # Filtered
person:          Juris Sahurovs
remarks:         Sagade Ltd.
address:         Latvia, Rezekne, Darzu 21
phone:           +371 20034981
abuse-mailbox:   piotrek89@gmail.com
nic-hdl:         JS1449-RIPE
mnt-by:          ATECH-MNT
source:          RIPE # Filtered


AS6851 advertises 15 prefixes:


Uplink courtesy of:
AS6747, LATTELEKOM Lattelekom
AS5518, TELIALATVIJA Telia Latvija SIA

Currently active exploits/malware/scareware serving domain portfolios within AS6851:
Parked at/responding to 85.234.190.15 are:


Parked at/responding to 85.234.190.4 are:


Parked at/responding to 91.188.60.225 are:


Parked at/responding to 91.188.60.3 are:


Parked at/responding to 91.188.59.74 are:


Parked at/responding to 85.234.190.16 are:

Detection rates for the currently active malware samples follow, including the HOSTS file modifications made on infected hosts for the purpose of redirecting users to cybercrime-friendly search engines, which are monetized through traffic-trading affiliate programs.

- 78490.jar - Result: 0/42 (0%)
File size: 209 bytes
MD5...: 64a19d9b7f0e81c7a5f6d63853a3ed49
SHA1..: 9f8f208c8cdb854cdc342d43a75a3d8672e87822

- ad3.exe - Result: 41/42 (97.62%)
File size: 2560 bytes
MD5...: 9362a3aee38102dde68211ccb63c3e07
SHA1..: 8758679540f48feba82d2b022b8d71756eb935e7

- a-fast.exe - Result: 36/42 (85.72%)
File size: 979968 bytes
MD5...: 69f3949141073679b77aa4d34e41a3e7
SHA1..: e074de46e4760eef522ab85737790058cc3f2fad

- dm.exe - Result: 37/42 (88.1%)
File size: 83968 bytes
MD5...: b658d9b812454e99b2915ab2e9594b94
SHA1..: 134bfb643ae2f161c99db14c448485e261e96c91

- iv.exe - Result: 8/42 (19.05%)
File size: 86016 bytes
MD5...: f94ed2f9d7a672fe3ff8bf077289b2d5
SHA1..: 2f78a296e1267ae1cf9ebd5c18de5b8d241c1306

- j2_t895.jar - Result: 0/42 (0%)
File size: 211 bytes
MD5...: 4b34618a0499a99e9c98e03aa79d53cf
SHA1..: d109babf78ec48ba8d7798bce784097ed26757db

- movie.exe - Result: 40/42 (95.24%)
File size: 64866 bytes
MD5...: 801f9fa958192b6714a5a4c2e2f92f07
SHA1..: 241bc9d7540d9d53cc1578e3d57c44be9931e418

- tst.exe - Result: 35/42 (83.34%)
File size: 356352 bytes
MD5...: b0ed4701af13f11089de850a1273d24f
SHA1..: 5e98000b60d0ca0b2adbd837feaf05f439f95c87

- wsc.exe - Result: 37/42 (88.1%)
File size: 24576 bytes
MD5...: 80427b754b11de653758dd5e1ba3de1c
SHA1..: 554e1331fdc050bd603f6f3628285008a91cba37
HOSTS file modification:
AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE


- rc.exe - Result: 41/42 (97.62%)
File size: 2560 bytes
MD5...: 9362a3aee38102dde68211ccb63c3e07
SHA1..: 8758679540f48feba82d2b022b8d71756eb935e7
HOSTS file modification:
AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE


- installer.0028.exe - Result: 9/42 (21.43%)
File size: 43735 bytes
MD5...: a6d7073b8b9bc0dc539605914c853da2
SHA1..: 1940b6a6b2f93b44633ef04eab900e0a9dc6fa64
HOSTS file modification:
AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE


- installer.0022.exe - Result: 9/42 (21.43%)
File size: 43731 bytes
MD5...: 62464b9e367a9edb06541a2a90931157
SHA1..: 425c859a883900ccf5cf7b8a6a5f6bc9279d763c
HOSTS file modification:
AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE
84.16.244.15 www.google.com
84.16.244.15 us.search.yahoo.com
84.16.244.15 uk.search.yahoo.com
84.16.244.15 search.yahoo.com
84.16.244.15 www.google.com.br
84.16.244.15 www.google.it
84.16.244.15 www.google.es
84.16.244.15 www.google.co.jp
84.16.244.15 www.google.com.mx
84.16.244.15 www.google.ca
84.16.244.15 www.google.com.au
84.16.244.15 www.google.nl
84.16.244.15 www.google.co.za
84.16.244.15 www.google.be
84.16.244.15 www.google.gr
84.16.244.15 www.google.at
84.16.244.15 www.google.se
84.16.244.15 www.google.ch
84.16.244.15 www.google.pt
84.16.244.15 www.google.dk
84.16.244.15 www.google.fi
84.16.244.15 www.google.ie
84.16.244.15 www.google.no
84.16.244.15 www.google.de
84.16.244.15 www.google.fr
84.16.244.15 www.google.co.uk
84.16.244.15 www.bing.com


The payment gateway structure+related domains for the scareware campaigns:
- fast-payments.com/index.php?prodid=antus_02_01&afid= - 91.188.59.27 - Email: jclarke980@gmail.com
    - ns1.fastsecurebilling.com - 91.188.59.26 - Email: jclarke980@gmail.com
        - easypayments-online.com - 91.188.59.28 - Email: jclarke980@gmail.com
        - fast-payments.com - 91.188.59.27 - Email: jclarke980@gmail.com
        - billingonline.net - 91.188.59.29 - Email: kevbush@billingonline.net
        - billsolutions.net - 91.188.59.25

With respect to the IPs used in the HOSTS file modifications, one is of particular interest: 89.149.210.109. It was first profiled in November 2009's "Koobface Botnet's Scareware Business Model - Part Two", where a sample with MD5 0fbf1a9f8e6e305138151440da58b4f1 modified the HOSTS file using the same IP while also phoning back to the Koobface gang's 1.0 hardcore C&C, urodinam.net/8732489273.php.

When it comes to cybercrime, there's no such thing as a coincidence. What's static is the interaction between the usual suspects, systematically switching hosting providers, introducing new domains, and conveniently denying their monetization tactics.

You wish.

Profiled AS6851, BKCNET/Sagade Ltd. activity:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the Mass DreamHost Sites Compromise
Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign
Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Cybercriminals SQL Inject Cybercrime-friendly Proxies Service

July 13, 2010

Cybercrime ecosystem irony, at its best. Why the irony? Because the cybercrime-friendly proxies service TOS explicitly states that its users cannot launch XSS/SQL injection attacks through it.

A relatively low-profile cybercriminal has managed to exploit a remote SQL injection flaw within a popular proxies service, one offering access to compromised hosts across the globe for any kind of malicious activity. Based on the video released, he was able to obtain every user's password as an MD5 hash, and to impersonate the service's users, through a trivial flaw in the online.cgi script.

Although his intentions, based on the note left in a readme.txt file featured in the video, were to let others use the paid service for free, the potential for undermining the OPSEC of cybercriminals using the service is enormous: it not only logs their financial transactions and keeps records of their IPs, but, most interestingly, allows the "manual feeding" of proxy lists (compromised and freely accessible hosts) into the database.

The service itself has been in operation since 2004 under different brands, with monthly prices ranging from $20 for access to 150 hosts to $90 for 1500 hosts. Some interesting facts from a threat intel/social network analysis perspective, including screenshots of the service obtained from its help file (purposely blurred to avoid burning important OSINT sources):
  • The gang/hacking/script kiddies team operates different business operations online
  • They maintain a traffic purchasing program that monetizes traffic through cybercrime-friendly search engines
  • Whether they are lazy or just don't care, 4 currently active adult web sites share the same infrastructure as the service itself
  • Although the original owners are Russian, they appear to be franchising, since one of their brands offers its services in Indonesian, including a banner for what looks like an Indonesian security conference
  • One of the Indonesian franchisees is known to have offered root accounts and shells on compromised servers for sale back in 2007

For years, malware-infected hosts have been widely abused for everything from direct spamming to hosting spam/phishing and malware campaigns, but most importantly to engineer cyber warfare tensions by shifting responsibility for the malicious actions of the cybercriminal/cyber spy directly onto the host/network/country in question.

Not only do these tactics undermine the currently implemented data retention regulations -- how can you retain data from a compromised ecosystem that keeps no logs -- but they also offer a safe haven for the execution of each and every cybercriminal practice there is.

Related posts:
Should a targeted country strike back at the cyber attackers? 
Malware Infected Hosts as Stepping Stones 
The Cost of Anonymizing a Cybercriminal's Internet Activities 
The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two 


Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates

June 29, 2010
What is more flattering than Ukrainian blackhat SEO gangs using your name as redirectors, complete with offensive messages, the Koobface gang redirecting Facebook's IP space to your blog, or a plain simple danchodanchev admin panel within a Crime Pack kit?

It's the money mule recruiters who modify the HOSTS file of gullible mules to redirect ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that's flattering, considering that my public money mule ecosystem research represents a tiny percentage of the real profiling/activities taking place behind the curtains.
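Both HOSTS file abuses in this feed - the search engine redirects to 89.149.210.109, 89.149.249.196, 84.16.244.60 and 84.16.244.15 listed in the "Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines" post above, and the 127.0.0.1 sinkholing of ddanchev.blogspot.com and bobbear.co.uk described here - are the same one-file artifact, so a single audit routine covers both. The following Python is an added example, not code from the original posts: it parses a HOSTS file, flags search engine hostnames pinned to any non-loopback address, and flags any other hostname pinned to loopback or 0.0.0.0. The watched-hostname pattern, the loopback exemption list and the sample file are assumptions made for the example; the search engine and loopback lines in the sample reproduce entries from the two posts, the rest is filler.

```python
import ipaddress
import re

# Constructed sample HOSTS file. The search engine lines reproduce entries from
# the modifications listed in the search engine post, the two loopback lines
# reproduce the redirects described in the money mule post, the rest is filler.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
89.149.210.109 www.google.com
89.149.210.109 search.yahoo.com
84.16.244.60 www.bing.com      # trailing comment
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 bobbear.co.uk
192.168.1.20 intranet.example.test
not-an-ip some.host
"""

# Hostnames a legitimate HOSTS file has no reason to pin to any address.
# Assumption: extend this for the environment (update servers, AV vendors, ...).
WATCHED = re.compile(
    r"^(?:www\.google\.[a-z.]+|(?:[a-z]+\.)?search\.yahoo\.com|www\.bing\.com)$"
)
# Names that stock systems legitimately map to loopback (assumption).
LOOPBACK_EXEMPT = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; not a HOSTS entry
        for host in fields[1:]:
            yield ip, host.lower()


def classify(ip, host):
    """Return a finding category for one entry, or None if it looks benign."""
    sinkholed = ip.is_loopback or ip.is_unspecified  # 127.0.0.1, ::1, 0.0.0.0
    if WATCHED.match(host) and not sinkholed:
        return "search_engine_hijack"   # search traffic pinned to an external IP
    if sinkholed and host not in LOOPBACK_EXEMPT:
        return "loopback_sinkhole"      # a site silently made unreachable
    return None


def audit_hosts(text):
    """Return [(category, ip_string, hostname), ...] for every suspicious entry."""
    findings = []
    for ip, host in parse_hosts(text):
        category = classify(ip, host)
        if category:
            findings.append((category, str(ip), host))
    return findings


def hijack_ips(findings):
    """Distinct external IPs receiving hijacked search traffic, for blocklisting."""
    return sorted({ip for cat, ip, _ in findings if cat == "search_engine_hijack"})


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for category, ip, host in results:
        print(f"{category:22} {ip:16} {host}")
    print("hijack IPs:", hijack_ips(results))
```

Loopback pinning is also how ad-blocking HOSTS lists work, so the second category is a finding to review rather than an automatic alert; the first category, a public IP in front of www.google.com or search.yahoo.com, has no legitimate explanation on an end-user machine, and the IPs it yields are exactly the ones worth pivoting on, as the posts above do.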


Related coverage of money laundering/recruitment in the context of cybercrime:
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002


Sampling 419 Advance Fee Scams Activity

June 17, 2010
Lottery winning notifications, Western Union payment notifications, dead relatives, advance fee schemes impersonating law enforcement agencies - their arsenal of themes is endless. Their IPs, however, aren't, considering that the majority of 419 scams are sent not by botnets but manually, and in a targeted fashion.

In fact, some of their spamming techniques (419 scammers using Dilbert.com; 419 scammers using NYTimes.com's 'email this' feature) are so primitive compared to the long-term financial impact of a successful advance fee scam that their KISS (Keep It Simple, Stupid) mentality reflects the current situation within the cybercrime ecosystem - they all KISS it to a certain extent: "Report: Malicious PDF files comprised 80 percent of all exploits for 2009"; "Reports: SQL injection attacks and malware led to most data breaches".

For the purpose of an experiment, and for related reasons, here's a raw snapshot of some 419-ers that just keep popping up over and over again.

Persistent 419 advance fee scammers (over the last 7 days), the originating IPs, and the "reply to" email:
- a_chenchen@yahoo.cn - 218.17.239.18
- abdulkadera_maroofomar@hotmail.com - 41.138.180.86
- alfredmorris.m@btinternet.com - 211.101.13.230
- atmdept_serv001@yahoo.cn - 193.252.22.152
- austinalan@wanadoo.co.uk - 193.252.22.190
- avocat_doukoure@yahoo.fr - 78.229.212.4
- barpaulaffum@live.com - 41.210.31.214
- barr.rolandken1@gmail.com - 221.235.112.210
- barristerhenryivanlooconsult02@yahoo.co.jp - 60.48.104.88
- barteddywill01@googlemail.com - 200.13.249.119
- cocacolaofficialprize19@yahoo.com.hk - 194.79.134.37
- courfed@aim.com - 79.123.210.10
- crichardchambers@rediff.com - 212.242.42.50
- curiehenria@yahoo.com, barr09amorisq1@gmail.com - 123.176.96.137
- dr.austenobigwe008@gmail.com - 41.211.228.112
- drabejohn2009@aol.com - 217.72.192.242
- duncan.macdonald@9.cn, barr_duncan_macdonald@yahoo.co.uk - 86.43.60.104
- ecowascounsellordept@gmail.com - 115.242.97.173
- efccantigraft.nigeria077@gmail.com - 24.166.97.40
- Email.jmwilliams66@gmail.com, misteredwin22@gmail.com - 89.144.96.52
- fedex.courerservices1@hotmail.com, richardjohson@live.com - 87.194.255.145
- fedpeters07@aim.com - 81.31.115.2
- henryanthonyloanfirm@gmail.com - 200.40.197.69, 41.219.152.78
- icpcmistrynig@yahoo.com, fedeministrynig@gmail.com - 91.198.227.49
- janefugar2.u@hotmail.com - 82.196.5.120
- jimovia8787@gmail.com - 216.222.201.201
- john_chan3030@yahoo.com.hk - 200.171.215.2
- loannationwide2010@windowslive.com - 222.124.26.155
- mailesq.charlesstanley@gmail.com - 163.20.186.1
- maroofomar_abdulkader@yahoo.com - 62.193.229.238
- martha_ikobopayment@yahoo.com.hk - 41.138.172.81
- microwin2010@hotmail.co.uk - 200.105.120.151
- ministerdeliveryofficer@yahoo.cn - 193.252.22.190
- miss.kajat@googlemail.com - 67.15.16.31
- missblessing@sify.com - 196.28.250.53
- mr.parady700@hotmail.com - 80.200.242.17
- mrabdulhaleem@gmail.com - 66.11.225.183
- MRANNOLDSMITH2010@gmail.com - 82.128.17.211
- mrderekpaulatm405@gmail.com - 86.209.83.68
- Mrperentochaplain@rocketmail.com; Mrperentochalion@gmail.com - 112.110.186.25
- mrsabueke@cantv.net - 200.11.173.131
- niceme1970@yahoo.com - 80.12.242.27
- ntai_jerry7775@yahoo.com.hk - 125.141.17.158
- ochuko_baba1@hotmail.fr - 65.55.111.159
- ochukobaba1@gmail.com - 65.55.111.85
- officereplybackmaill@yahoo.com - 82.128.17.211
- organlotoint39l@yahoo.com.hk - 207.194.87.105
- promoskllotto@rocketmail.com - 90.183.38.130
- realexchanges@aim.com - 212.225.181.101
- rev.sistermaryx31@gmail.com - 41.211.228.112
- robinkelley1967@hotmail.com - 85.214.37.73
- rpatmcard@hotmail.com - 195.83.9.36
- s.leel@yahoo.com, westernunionoffice99@gmail.com - 41.191.85.45
- shopperconsultant@live.co.uk - 195.137.70.240
- talkdelata3@gmail.com, mdelataecobank@gala.net - 116.255.152.124
- thefordfoundation.award0010@yahoo.co.uk - 222.124.9.54
- ubanigeria.nig65@gmail.com - 202.132.123.106
- vex.pressd2009@gmail.com - 66.48.81.131
- waziriefccng@live.com - 193.252.22.191
- worldbpr@9.cn - 41.204.224.19
- www.cn_western_union@w.cn - 41.222.192.82
- zakiawilo101@yahoo.co.uk - 202.132.123.106
- zongo.ben177@gmail.com, mr_hiiu60@msn.com - 212.52.146.118
- bog_officemail@yahoo.co.jp - 82.128.2.78
- atmfinanceibc@web2mail.com - 41.218.237.202
- mrjohnsmith70@hotmail.com - 213.171.218.33
- junhuan9@yahoo.cn - 218.91.39.165

Nothing hurts a cybercriminal as much as decent historical OSINT regarding their activities. Moreover, such historical OSINT not only contributes to more efficient case building, but also helps to establish some pretty interesting connections within the cybercrime ecosystem. As practice and experience have shown, this very same ecosystem is not necessarily as big as originally assumed.
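Those connections can be pulled out of the list above mechanically. The following Python is an added example, not something from the original post: it parses the list's own "- email[, email] - ip[, ip]" format, pivots on the originating IP to find addresses reused by several personas, and then clusters personas that are linked through any shared IP (connected components of the persona/IP graph). The input is a subset of the entries above, copied verbatim; the regexes are assumptions and only handle IPv4.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the list above, copied verbatim in the
# list's own "- email[, email] - ip[, ip]" format.
SAMPLE_419 = """\
- austinalan@wanadoo.co.uk - 193.252.22.190
- ministerdeliveryofficer@yahoo.cn - 193.252.22.190
- dr.austenobigwe008@gmail.com - 41.211.228.112
- rev.sistermaryx31@gmail.com - 41.211.228.112
- henryanthonyloanfirm@gmail.com - 200.40.197.69, 41.219.152.78
- Mrperentochaplain@rocketmail.com; Mrperentochalion@gmail.com - 112.110.186.25
- MRANNOLDSMITH2010@gmail.com - 82.128.17.211
- officereplybackmaill@yahoo.com - 82.128.17.211
- ubanigeria.nig65@gmail.com - 202.132.123.106
- zakiawilo101@yahoo.co.uk - 202.132.123.106
- jimovia8787@gmail.com - 216.222.201.201
"""

# Assumption: the list only carries IPv4 addresses and plain mailbox addresses.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_entries(text):
    """Return one (emails, ips) pair of sets per non-empty line; emails are lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lstrip("- ").strip()
        if not line:
            continue
        ips = set(IPV4.findall(line))
        emails = {e.lower() for e in EMAIL.findall(line)}
        if emails and ips:
            entries.append((emails, ips))
    return entries


def pivot_by_ip(entries):
    """Map each originating IP to every persona seen sending from it."""
    by_ip = defaultdict(set)
    for emails, ips in entries:
        for ip in ips:
            by_ip[ip] |= emails
    return by_ip


def shared_infrastructure(entries, min_personas=2):
    """IPs reused by at least min_personas distinct personas: [(ip, [emails...]), ...]."""
    hits = [(ip, sorted(emails))
            for ip, emails in pivot_by_ip(entries).items()
            if len(emails) >= min_personas]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def persona_clusters(entries):
    """Connected components of the persona/IP graph: personas linked through any shared IP."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for emails, ips in entries:
        nodes = sorted(emails) + ["ip:" + ip for ip in ips]
        for node in nodes[1:]:
            union(nodes[0], node)

    groups = defaultdict(set)
    for node in list(parent):
        if not node.startswith("ip:"):
            groups[find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_419)
    for ip, personas in shared_infrastructure(entries):
        print(ip, "->", ", ".join(personas))
    for cluster in persona_clusters(entries):
        print("cluster:", ", ".join(cluster))
```

On the sample, 193.252.22.190, 41.211.228.112, 82.128.17.211 and 202.132.123.106 each surface two personas, which is the "same operator, different mailbox" pattern the post is getting at; the clustering step matters once an entry carries several IPs, since a single shared address is enough to chain otherwise unrelated personas together. Shared IPs on a large webmail or ISP range are weaker evidence than on a small one, so the hits are leads to corroborate, not attribution on their own.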

Consider going through the related fraudulent schemes/malicious campaigns currently taking advantage of FIFA's World Cup - Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns.


Dissecting the Exploits/Scareware Serving Twitter Spam Campaign

June 16, 2010

Yesterday's exploits-serving campaign spreading across Twitter, using automatically registered accounts to "ping" random Twitter users with links to the campaign, is worth profiling due to its degree of maliciousness: if the end user is exploitable, exploits are served, ultimately leading to scareware; if he isn't, the cybercriminals behind it attempt to monetize through the same network the Koobface gang uses on Mac OS X hosts - zml.com.

Let's dissect the campaign, and once again emphasize just how small the cybercrime ecosystem can be, given that enough historical data is gathered on who's who, who's what, and what's when.

Sample exploitation structure:
- qtoday.info /ttds/doit.php?ckey=12&schema=1&f=wF - 94.228.209.73 (AS47869), 75.125.222.242 (AS21844)
    - qtoday.info /ttds/jump.php
        - fqsmydkvsffz.com /tre/vena.html/RANDOM - 69.174.242.21 (AS13768); 75.125.222.242 (AS21844)


The scareware installed interacts with AS18866:
69.50.197.241 /up/e1.dat
69.50.197.241 /up/e2.dat
69.50.197.241 /data/upd6.dat
69.50.197.241 /data/upd7.dat
69.50.197.241 /data/upd1.dat
69.50.197.241 /data/upd2.dat


Responding to 69.50.197.241 (AS18866) are:
radarixo.com - Email: moldavimo@safe-mail.net - profiled here
cyberduck.ru - Email: samm_87@email.com - profiled here
livejasment.com - Email: moldavimo@safe-mail.net
linksandz.com - Email: moldavimo@safe-mail.net - profiled here

Detection rates:
- e1.dat - 11 on 17 (65%) - Trojan.MulDrop1.21645; Win32/Lukicsel.P
MD5 hash: 2566c11a9cd2226b59d226e76bae9f64
SHA1 hash: 6a1fd405f547ed33f7cfe3abad4f423a33c0e281

- e2.dat - 8 on 17 (47%) - W32/Witkinat.A.gen!Eldorado; Win32/Witkinat.R
MD5 hash: 8daaa96ba059e6b1d5108c314f160175
SHA1 hash: b43d26bb2583d9057cb343c10d5db79c846ed895

- upd1.dat - 11 on 17 (65%) - TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A
MD5 hash: 7b2534536cdf168f50d63845b13af8ba
SHA1 hash: 306f5199c3f91cd28c634914a6478bcbc5c4e9c0

- upd2.dat - 11 on 17 (65%) - TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A
MD5 hash: 323a1a2429467b3891cc20a26b82f851
SHA1 hash: ae3fe6b442521d95631703ab530213e897e4f8ea

- upd6.dat - 9 on 17 (53%) - Win32/Lukicsel.P; Trojan-Dropper.Win32.Delf.frm
MD5 hash: d05d89bdadd8a23c2ceb0b016d49550a
SHA1 hash: 366db3c2cd64a57587376b416c42960ad1f28ea3

- upd7.dat - 11 on 17 (65%) - SHeur3.AAEI; Trojan-Dropper.Win32.Delf.frq
MD5 hash: 1a582b50d82fb57bec036e1962e5da2e
SHA1 hash: 15a9540927f64dec23e625e140dfde7ce3d23df7


The rest of the exploits-serving domains portfolio parked at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):
danenskgela.com - Email: strohmeiera@yahoo.com
aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com
xfgswsoxoxk.com - Email: tavsadr5r5@yahoo.com
directinmixem.com - Email: strohmeiera@yahoo.com
carsmazda6.in - Email: valeriyku@gmail.com
danenskgela.com - Email: strohmeiera@yahoo.com
tfyxffnacsc.com - Email: edb.ri871@gmail.com
sfkemlymeywk.com - Email: admin@overseedomainmanagement.com
aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com
aghtdkpaoxk.com - Email: skdhdjfg7s@yahoo.com
aghtdqpaoxk.com - Email: njgf555dfdsa@yahoo.com
dhjftzbdoxk.com - Email: skdhdjfg7s@yahoo.com
dbcyjnudoxk.com - Email: njgf555dfdsa@yahoo.com
mcduimqmoxk.com - Email: fresadmsn7y@yahoo.com
piamlzjpoxk.com - Email: fresadmsn7y@yahoo.com
pfgswlopoxk.com - Email: 7uwy7letel@yahoo.com
qjigaicqoxk.com - Email: 7uwy7letel@yahoo.com
directinmixem.com - Email: strohmeiera@yahoo.com
etyet.com - Email: zubakova2@rambler.ru
grantgarant.com - Email: naumann_heikens@yahoo.it
carsmazda6.in - Email: valeriyku@gmail.com
civichonda.in - Email: valeriyku@gmail.com
drotalflow.in - Email: johns2249@googlemail.com
carsinfinity.in - Email: valeriyku@gmail.com


3m70.cn - Email: abuseemaildhcp@gmail.com - money mule registrations, rubbing shoulders with Koobface
mueypflglvlx.com
mbhcnjyyykpr.com
ozkifomzaaqd.com
dqcnefigaefg.com
vtmxgwnpjvib.com
jcfkprwasnaj.com
qgwyinsxlox.com
tsusiwpmzuqz.com
fqsmydkvsffz.com

qcell.info
q-fever.info
vmspl.in
keirun.in
iscobar.in
loncer.in
jcfkprwasnaj.com


The complete list of automatically registered bogus Twitter accounts, now suspended:
twitter.com/AbbottMarleneGY
twitter.com/AnsonJamesJs
twitter.com/BandaPaul51
twitter.com/BarkleyTracy52
twitter.com/BoserJames74
twitter.com/BradleySheilaTt
twitter.com/BravoMartinUT
twitter.com/BrownTammyaM
twitter.com/BurlingameStek2
twitter.com/BurtonPauliC
twitter.com/CallowayEileemb
twitter.com/CardilloLilli8I
twitter.com/CareyJocelynXY
twitter.com/CarpenterJameG1
twitter.com/CarterErnieBj
twitter.com/CarterNanGM
twitter.com/CharltonRober1Y
twitter.com/ClausenJillRC
twitter.com/CochranLindajB
twitter.com/CruzShawnjI
twitter.com/DanielClintonqO
twitter.com/DeanLuigi7B
twitter.com/DeleonChristiDb
twitter.com/DickensRitaS6
twitter.com/EllisonCortezCC
twitter.com/FernandezRobekc
twitter.com/FieldsRichardrx
twitter.com/FryePhilipAx
twitter.com/GarrisonMiltoP9
twitter.com/GilfordSarahqo
twitter.com/GilleyJennifeST
twitter.com/GiordanoHelenxy
twitter.com/GishCharlesCy
twitter.com/GreenDonaldbt
twitter.com/GriffinRay5v
twitter.com/GuzmanEloise5u
twitter.com/HakalaSteve9e
twitter.com/HammonsLeonarW3
twitter.com/HarmonRaymondMH
twitter.com/HartHeatherS0
twitter.com/HaynesCharlesxo
twitter.com/HendricksonKi6F
twitter.com/JonesAndrewUG
twitter.com/JonesNickolasYx
twitter.com/KendallNormaWS
twitter.com/KroegerAngeliu0
twitter.com/LeeJerroldRk
twitter.com/LevittKevin9e
twitter.com/LewisMaryL8
twitter.com/LimonMargaretgn
twitter.com/MarvelThomasaO
twitter.com/McbeeMelissabu
twitter.com/MillerFranceswe
twitter.com/MitchellDeborvl
twitter.com/MooreJoanut
twitter.com/MorrisMary2n
twitter.com/MorrisonJack0s
twitter.com/NealReginaldbH
twitter.com/NickellGloriad8
twitter.com/PhelpsRichardKL
twitter.com/PittsTommyyy
twitter.com/PlummerAthenawn
twitter.com/PowellMarie94
twitter.com/PradoDonaldG8
twitter.com/RealeBernicegR
twitter.com/ReeseVeronicaFx
twitter.com/RievesShirleyYv
twitter.com/RobinsonAprilrI
twitter.com/RobinsonLisa8e
twitter.com/RoblesRicardoWh
twitter.com/RubioLanaj9
twitter.com/SavardAnthonyoU
twitter.com/SayersWendellVc
twitter.com/SchmidtLynnk7
twitter.com/ShankleKathleor
twitter.com/SieversDarlee1D
twitter.com/SmithGeorgieMq
twitter.com/SteinAshleyuQ
twitter.com/StoughKelseyqt
twitter.com/TrejoLisaOO
twitter.com/TullosHowardGo
twitter.com/WeberSteven6r
twitter.com/WhiteMichellevj
twitter.com/WilkinsonPaulTd
twitter.com/WillettErnestCR
twitter.com/WilliamsMichaB1
twitter.com/WoodsThelmay0
twitter.com/WynnRichard4m
twitter.com/YoungMelanieSZ
twitter.com/CooleyFrancescG
twitter.com/SchneiderKim6h
twitter.com/DobsonElsiequ
twitter.com/PeelLouise9q
twitter.com/WhiteYolanda0P
twitter.com/FrostAngeloY2
twitter.com/MorrisMary2n
twitter.com/MillerMaryx1


PDF exploits, binaries streaming from the domain portfolio at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):
MD5: 5d42bb346601ba456b52edd3c3e59d1b
MD5: ba19c971edefffb22d44e43a91a7d9a9
MD5: e7a354f58bfe21c815ddb8faf00bd08c
MD5: 4a13b96dd056c0075c553588f0211c44
MD5: 29e71e291a31ea8f1cddbf7d96f7de86
MD5: 29e71e291a31ea8f1cddbf7d96f7de86
MD5: 3bb6bdaf8d4e2822da86ef9a614a04ea
MD5: f41470c7b9ad2260625d2a62b6db158f
MD5: 3987c92c20c3f17b5892f84069d816d1
MD5: 87a95ec041b2432727336f0cdeee123a
MD5: 5d497e1841f5627a1b77dbc336da1594
MD5: 5ba1aafcef9ea7516f1ae7082424e83d
MD5: 5268f85902c7064b393bbbb3dbc094f9
SHA1: 79526ca9579420cb46c15fe94b282868c1e7fbbd
SHA1: f70f6a9aa0aa092511894f7c89defc64637504a1
SHA1: 5175b38dfca3dc7dd6ad56bed34a543f14702bea
SHA1: 2f2c88e0b950cd91ad1e49be73e885b07f401f68
SHA1: b92d1268d06c8ba427beefc1ee7b064873694a47
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64e10
SHA1: 7ecb2679cd23e6c6973c57092b1cae46f60db97e
SHA1: 66ed858043d6d022823b16956f416e3080e618a1
SHA1: 0fdd1de26d5902d4a21b053a212a21c2760d8aee
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64e10
SHA1: 3a7daa60389f463df795b78f16030dcc6fc1ff23
SHA1: 3054b48186f5e0981c41f200b3492caa0941f889
SHA1: 0e49c7656bec1ed43efb19187541d20c3ecb293b

This isn't the first time Twitter's been abused for malicious purposes, and is definitely not the last. Quick community response and take down actions hit them where it hurts most - the monetization vector.

Related assessments of Twitter malware campaigns:
Twitter Malware Campaign Wants to Bank With You
Dissecting Koobface Worm's Twitter Campaign
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
Dissecting September's Twitter Scareware Campaign


Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

June 15, 2010

A Photo Album themed campaign spamvertised through Facebook personal messages, with the domain's IP also responding to ZeuS C&Cs; an indirect connection between this campaign and the "100,000+ Scareware Serving Fake YouTube Pages Campaign"; and a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the Facebook campaign itself.

What else is missing? The details of course.

DM spamvertised URL: online-photo-albums.org - 77.78.239.4, AS42560, BA-GLOBALNET-AS - Email: protect@privacy.com.ua

Detection rate: album.exe - Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Result: 12/41 (29.27%)
MD5: d24aa2c364d4b86f75a09362c952a838
SHA1: 3973c547b64d166ae807eec494c373efd53ac04c

Creates 1.exe; 2.exe and the self-destructing 3.exe. Detection rates:
- 1.exe - Result: 0/41 (0.00%)
MD5: fbd0a495d3409123d0e90a9a734cbbc1
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c

- 2.exe - Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39%)
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66

3.exe phones back to the following domain, which also responds to the original campaign's IP 77.78.239.4:
spmfb3309.com /ab/setup.php?act=filters&id=BWKJD0NWLt3pn2Vh6YIhhBe3&ver=2

inetnum:        77.78.239.0 - 77.78.240.255
netname:        MAXIMUS-NET-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com ###
descr:          Maximus hosting services
country:        MD
admin-c:        JB1004
tech-c:         JB1004
status:         ASSIGNED PA
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20100528
source:         RIPE

person:         Jerkovic Bosko
address:        Josipa Vancasa 10
address:        71000 Sarajevo
address:        Bosnia and Herzegovina
phone:          +387 33 221093
e-mail:         bosko@globalnet.ba
nic-hdl:        JB1004
mnt-by:         BA-GLOBALNET
changed:        bosko@globalnet.ba 20070309
source:         RIPE


Surprise, surprise, where do we know that godaccs@gmail.com abuse email from? From the previously profiled "Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign". In particular:

- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com

Responding to 77.78.239.4 (online-photo-albums.org) are also the following domains:
hyporesist.com - Email: Kyle.MoodyAl@yahoo.com - Used to register ever52592g.com; miror-counter.org; mnfrekjivr.com
newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - ZeuS crimeware C&C
online-photo-albums.org - Email: protect@privacy.com.ua
search-static.org - Email: Kyle.MoodyAl@yahoo.com
spmfb2299.com - Email: laycxpqguk@whoisservices.cn
spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn
vostokgear.org - Email: afgjvubuym@whoisservices.cn

Where's the mass SQL injection attack connection? Within AS42560, responding to 77.78.239.56 are also the following domains, part of the campaign:

google-server09.info - Email: kit00066@gmail.com
google-server10.info - Email: kit00066@gmail.com
google-server11.info - Email: kit00066@gmail.com
google-server12.info - Email: kit00066@gmail.com
google-server14.info - Email: kit00066@gmail.com
google-server29.info - Email: kit00066@gmail.com
google-server31.info - Email: kit00066@gmail.com
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
jhuiuhxfgxhtfkjhjth.info - Email: kit00066@gmail.com
jhuluhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
top-teen-porn.info - Email: kit00066@gmail.com

Sample mass injection URLs:
google-server09.info/ urchin.js
google-server10.info/ urchin.js
google-server11.info/ urchin.js
google-server12.info/ urchin.js
google-server14.info/ urchin.js
google-server29.info/ urchin.js
google-server31.info/ urchin.js
jhuiuhxfgxhlfkjhjth.info/ urchin.js
jhuiuhxfgxhtfkjhjth.info/ urchin.js
jhuluhxfgxhlfkjhjth.info/ urchin.js


Detection rate:
- urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)
MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5
SHA1: 66d6edef711516201f20fce676175ad16777e162

Sample exploitation structure from the mass SQL injection campaign:
- google-server31.info /urchin.js
        - Scanner-Album.com/?affid=382&subid=landing - 91.212.127.19, AS49087, Telos-Solutions-AS - Email: systemman_mk@gmail.com
            - websitecoolgo.com/cgi-bin /158 - 91.188.59.220 - AS6851, BKCNET "SIA" IZZI - Email: marcomarcian@hotmailbox.com
                - websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659
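A site owner's first question here is whether their own pages are carrying one of these injected script references. The following Python is an added example, not code from the original post: it scans text (rendered HTML, or a dump of database text columns, which is where a mass SQL injection payload actually lands) for script tags whose src points at one of the domains listed above, at a google-serverNN.info sibling of them, or at a file named urchin.js served from anything other than google-analytics.com, the filename the campaign borrows from the legitimate legacy Google Analytics tracker. The sample rows are constructed; google-server99.info in row 6 is a made-up lookalike rather than a domain from the post, and the legitimate host set is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains taken from the mass SQL injection portfolio listed above.
KNOWN_BAD_HOSTS = {
    "google-server09.info", "google-server10.info", "google-server11.info",
    "google-server12.info", "google-server14.info", "google-server29.info",
    "google-server31.info", "jhuiuhxfgxhlfkjhjth.info",
    "jhuiuhxfgxhtfkjhjth.info", "jhuluhxfgxhlfkjhjth.info",
}
# Assumption: hosts the legitimate legacy Google Analytics urchin.js is served from.
LEGIT_URCHIN_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
# Naming pattern of the campaign's google-serverNN.info domains, to catch new siblings.
LOOKALIKE = re.compile(r"^google-server\d+\.info$")

# Constructed sample rows (row id, stored text). Rows 2 and 3 carry injected
# references to domains from the list above; google-server99.info in row 6 is
# a made-up lookalike, not a domain from the post.
SAMPLE_ROWS = [
    (1, "<p>Welcome to our store</p>"),
    (2, '<p>Contact us</p></title><script src="http://google-server31.info/urchin.js"></script>'),
    (3, '<script src="//jhuiuhxfgxhlfkjhjth.info/urchin.js"></script>'),
    (4, '<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>'),
    (5, '<script src="http://cdn.example.test/js/urchin.js"></script>'),
    (6, '<script src="http://google-server99.info/x.js"></script>'),
]


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag, tolerating broken markup."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands tag and attribute names over lower-cased already.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def script_sources(text):
    parser = ScriptSrcCollector()
    parser.feed(text)
    parser.close()
    return parser.srcs


def classify_src(src):
    """Reason string if a script src looks like the injected redirector, else None."""
    url = urlsplit(src if "//" in src else "http://" + src)  # also handles scheme-relative src
    host = (url.hostname or "").lower()
    path = url.path.lower()
    if host in KNOWN_BAD_HOSTS:
        return "known injection domain"
    if LOOKALIKE.match(host):
        return "google-server lookalike domain"
    if path.endswith("/urchin.js") and host not in LEGIT_URCHIN_HOSTS:
        return "urchin.js served from non-Google host"
    return None


def scan_rows(rows):
    """Return [(row_id, src, reason), ...] for every injected script reference found."""
    findings = []
    for row_id, text in rows:
        if "<script" not in text.lower():
            continue  # cheap pre-filter before parsing
        for src in script_sources(text):
            reason = classify_src(src)
            if reason:
                findings.append((row_id, src, reason))
    return findings


if __name__ == "__main__":
    for row_id, src, reason in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}: {src} ({reason})")
```

Row 2 shows why the check belongs on stored content and not only on rendered pages: the payload closes whatever tag it landed inside and appends its own script element, so it survives in the database long after the page template is cleaned, and a text-column dump is the reliable place to find it. The third rule is deliberately broader than the domain list, since a redirector named urchin.js on any host other than Google's is the tell this campaign relies on.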


Parked on 91.212.127.19 (Scanner-Album.com), AS49087, Telos-Solutions-AS:
automaticsecurityscan.com - Email: robertwatkins@hotmailbox.com
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com
blacksecurityscan.com - Email: robertwatkins@hotmailbox.com
edscorpor.com - Email: leonschmura@hotmailbox.com
edsctrum.com - Email: admin@edsfiles.com
edsfiles.com - Email: leonschmura@hotmailbox.com
edsfilles.com - Email: leonschmura@hotmailbox.com
edsletter.com - Email: leonschmura@hotmailbox.com
edslgored.com - Email: leonschmura@hotmailbox.com
edsnewter.com - Email: leonschmura@hotmailbox.com
edsogos.com - Email: leonschmura@hotmailbox.com
edsspectr.com - Email: leonschmura@hotmailbox.com
edstoox.com - Email: leonschmura@hotmailbox.com
findsecurityscan.com - Email: robertwatkins@hotmailbox.com
memory-scanner.com - Email: systemman_mk@gmail.com
onefindup.org - Email: JamesHying@xhotmail.net
scanner-album.com - Email: systemman_mk@gmail.com
scanner-definition.com - Email: rutkowski_m3@gmail.com
scanner-hardware.com - Email: systemman_mk@gmail.com
scanner-master.com - Email: systemman_mk@gmail.com
scanner-models.com - Email: systemman_mk@gmail.com
scanner-profile.com - Email: systemman_mk@gmail.com
scanner-programming.com - Email: systemman_mk@gmail.com
scanner-supplies.com - Email: rutkowski_m3@gmail.com
scanner-tips.com - Email: systemman_mk@gmail.com
searchdubles.org - Email: MerleMeisin@xhotmail.net
searchmartiup.org - Email: MerleMeisin@xhotmail.net
searchprasup.org - Email: MerleMeisin@xhotmail.net
searchprodinc.org - Email: MerleMeisin@xhotmail.net
searchprodinc.org - Email: MerleMeisin@xhotmail.net
searchtanup.org - Email: MerleMeisin@xhotmail.net


Responding to 91.188.59.220 and 91.188.59.221 (websitecoolgo.com) within AS6851, BKCNET "SIA" IZZI are also the following domains, participating in different campaigns:
internetgotours.com - Email: marcomarcian@hotmailbox.com
mediaboomgo.com - Email: paulalameda@hotmailbox.com
mediagotech.com - Email: marcomarcian@hotmailbox.com
mediaracinggo.com - Email: paulalameda@hotmailbox.com
netgozero.com - Email: marcomarcian@hotmailbox.com
nethealthcarego.com - Email: marcomarcian@hotmailbox.com
networkget.com - Email: marcomarcian@hotmailbox.com
networksportsgo.com - Email: marcomarcian@hotmailbox.com
patricknetgo.com - Email: paulalameda@hotmailbox.com
webaliveget.com - Email: paulalameda@hotmailbox.com
webcoolgo.com - Email: paulalameda@hotmailbox.com
webgettraffic.com - Email: paulalameda@hotmailbox.com
webgetwisdom.com - Email: marcomarcian@hotmailbox.com
webgetwise.com - Email: marcomarcian@hotmailbox.com
webgoengine.com - Email: paulalameda@hotmailbox.com
webgosolutions.com - Email: paulalameda@hotmailbox.com
webmagicgo.com - Email: paulalameda@hotmailbox.com
websitecoolgo.com - Email: marcomarcian@hotmailbox.com
websiteget.com - Email: marcomarcian@hotmailbox.com


The rise of custom abuse emails, conveniently offered to cybercrime-friendly dedicated customers?

It's worth pointing out that godaccs@gmail.com, a.k.a. Complife, Ltd, is conveniently responsible for AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS-NET-SERVICES, followed by piotrek89@gmail.com, responsible for AS6851, BKCNET "SIA" IZZI (used by the Koobface gang, and also seen in the following campaigns: Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns; GoDaddy's Mass WordPress Blogs Compromise Serving Scareware).
