In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude.
Monday, March 07, 2011
Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads
An exploited web application vulnerability within the Cochise County Online University CMS (moodle.cochise.az.gov/user) is currently resulting in a blackhat SEO campaign (1,890 pages) leading to fraudulent Google brand-jacked pharmaceutical pages.
Naturally, once the compromise took place, the cybercriminals started treating the blackhat SEO content farm, themed for pharmaceutical scams, as part of their infrastructure and spamvertised links to it across multiple web forums.
The redirection chain is as follows:
- moodle.cochise.az.gov/user - random pharmaceutical content
- goodmedk.com
- gooqpilly.com
- 50.22.28.50
goodmedk.com/whftltyixallwke6hoqstgzsiq.html - 77.67.80.48, AS3257 - Email: jognbroownn@usa.com
Redirectors used:
gooqpilly.com - 77.67.80.42, AS3257 - Email: jognbroownn@usa.com
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com
Redirects to the following currently active fraudulent online pharmacies:
The hijacking of a trusted brand such as Google shouldn't be surprising, as it's an inseparable part of social-engineering-driven abuse of the trust chain. From Google's name to the visual impersonation of Google Search, this campaign demonstrates exactly that.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, February 28, 2011
Summarizing Zero Day's Posts for February
The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
Recommended reading:
- 500,000 stolen email passwords discovered in Waledac's cache
- Report: AV users still get infected with malware
- Report: Patched vulnerabilities remain prime exploitation vector
01. Researcher demos SMS-based smartphone botnet
02. 500,000 stolen email passwords discovered in Waledac's cache
03. Study: US tops ZeuS hosting infrastructure chart
04. Spamvertised Xerox document themed malware campaign spreading
05. New report details the prices within the cybercrime market
06. Report: AV users still get infected with malware
07. Microsoft disables AutoRun on Windows XP/Vista to prevent malware infections
08. Google intros advanced sign-in feature
09. Malware Watch: UPS/FDIC; Mobile app; Infected ambulance dispatch
10. Report: Patched vulnerabilities remain prime exploitation vector
11. Bogus Android apps lead to malware
12. ZeuS crimeware variant targets Symbian and BlackBerry users
13. Researchers spot new Mac OS X malware
Monday, February 21, 2011
Sampling 419 Advance Fee Scams Activity - Part Two
Part two of the Sampling 419 Advance Fee Scams Activity series once again aims to provide actionable real-time threat intelligence on a fraudulent segment that continues tricking hundreds of thousands of average Internet users into thinking that they have pending payments, have won the lottery, or that someone is interested in doing multi-million dollar business with them.
The format of the data obtained over the past 24 hours is the return email plus the original IP of the sender, most of which can be geolocated to African countries.
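As an added example that is not part of the original post, the following Python pulls the two fields this data set consists of, the return (Reply-To) address and the originating sender IP taken from the earliest Received hop, out of a raw message, and flags the Reply-To/From domain mismatch that is typical of the segment. The message, addresses and hop IPs are constructed from documentation ranges.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample in the shape of a 419 advance-fee mail; the addresses
# and the hop IPs are documentation/test ranges, not real indicators.
SAMPLE_419 = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id k3f9s2; Mon, 21 Feb 2011 09:12:44 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example.net with ESMTPA; Mon, 21 Feb 2011 09:12:40 +0000
From: "Barrister John Doe" <barrister.doe@example.com>
Reply-To: claims.dept.2011@example.net
To: victim@example.org
Subject: URGENT: release of your pending payment
Message-ID: <20110221091240.k3f9s2@example.com>

Dear Sir/Madam, your payment file has been approved...
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hops inside the receiving mail path are not the sender's origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def originating_ip(msg):
    """Return the first routable IPv4 address from the earliest Received hop.
    Each MTA prepends its own Received header, so the last header in the list
    is the hop closest to the sender. Anything the sender forged below that hop
    is invisible here, which is why the value is a lead, not proof."""
    for header in reversed(msg.get_all("Received", [])):
        for ip in IPV4_RE.findall(str(header)):
            if not is_internal(ip):
                return ip
    return None


def triage_419(raw_bytes):
    """Extract the two fields the post's data set is built from (reply address,
    originating IP) and whether Reply-To points away from the From domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower() or from_addr
    from_dom = from_addr.rsplit("@", 1)[-1]
    reply_dom = reply_to.rsplit("@", 1)[-1]
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "reply_domain_mismatch": from_dom != reply_dom,
        "origin_ip": originating_ip(msg),
    }


if __name__ == "__main__":
    print(triage_419(SAMPLE_419))
```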
See also:
- 419 scammers using Dilbert.com
- 419 scammers using NYTimes.com's 'email this' feature
- Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns
Historical OSINT remains an inseparable part of CYBERINT gathering practices, hence the continuation of the Sampling 419 Advance Fee Scams Activity series.
Wednesday, February 16, 2011
Bogus Adult Content SPIM-ed Over ICQ
Tuesday, February 15, 2011
A Diverse Portfolio of Fake Security Software - Part Twenty Five
Scareware continues to occupy the top spots among the malicious monetization tactics of the cybercrime ecosystem. Disruption of this monetization chain can take place through multiple processes. For instance:
- Share data with the affected ISP whose customers participate in the black hat SEO campaign
- Target the payment processing gateways, or inform the legitimate ones
- Target the redirector URLs of the campaign
- Target the affiliate network itself
- Target the "final output" in the form of scareware domains
- Detection rate for systemwrecksavertingsystem.com /scan1/92/freesystemscan.exe
freesystemscan.exe - Trojan.Win32.FakeAV
Result: 17/43 (39.5%)
MD5: a69a7f1992ed4607ac0a163d66984f56
SHA1: ef089f92881ff6835b76562febdcbc3328340adb
SHA256: 993026853e2bbc8846dbda5a90c4f06a9a18b83c9f97fe7b1557b03975ebeaff
- Detection rate for pornhugevideo.com /video3/88/freevideoplugin.exe
freevideoplugin.exe - Rogue:Win32/FakePAV
Result: 4/42 (9.5%)
MD5: 8a688d6ebb838f66f16720f4066cf6c6
SHA1: 845e43ad946048346b3d9150ae41fd8f7766ac53
SHA256: db6e3e7a72305d8b36861ed90753555d519bdca5a36aa0581ed363ac264cfbce
Responding to 94.23.105.248 (AS16276), with one active ZeuS C&C within the same AS: monasteriodeboltana.es
Responding to 76.76.117.101 (AS21793); 78.46.105.205 (AS24940); 207.58.177.96 (AS25847) and 64.64.3.125 (AS25847)
Related posts on scareware and blackhat SEO monetization:
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two
Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign
The ultimate guide to scareware protection
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
A Peek Inside the Managed Blackhat SEO Ecosystem
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
A Diverse Portfolio of Fake Security Software - Part Twenty Four
A Diverse Portfolio of Fake Security Software - Part Twenty Three
A Diverse Portfolio of Fake Security Software - Part Twenty Two
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Monday, February 14, 2011
Spamvertised Portfolio of Fraudulent/Pharmaceutical Domains
Just in time for Saint Valentine's Day, pharmaceutical scammers have switched their localized templates to a more romantic theme.
The domains have been registered using three separate Yahoo! Mail accounts and are all responding to a single IP, 115.239.229.196 (AS4134, CHINA-TELECOM China Telecom), with four currently active ZeuS C&Cs within the same AS: aiyanxinxi.com; wawnet.net; www.zuihouyi.com; nascetur.com.
See also:
- Inside an affiliate spam program for pharmaceuticals
- Survey: Millions of users open spam emails, click on links
- Microsoft's Bing invaded by pharmaceutical scammers
Name servers of notice, responding to 115.239.229.196 (AS4134); 113.23.142.119 (AS38182) and 78.46.105.205 (AS24940, with active SpyEye C&Cs at www.privathosting.eu and spl.privathosting.eu):
Wednesday, February 09, 2011
Monday, January 31, 2011
Keeping Money Mule Recruiters on a Short Leash - Part Five
With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distributing fraudulently obtained funds, part five of the "Keeping Money Mule Recruiters on a Short Leash" series is here to stay.
What's particularly interesting about the money mule recruitment domain portfolio that I'll expose is the logical progression from bogus companies offering financial services to a diverse set of companies occupying multiple markets and covering different market segments.
- Current trends: localization and standardization/template-ization
A great example of this trend, largely driven by the standardization and template-ization of money mule recruitment sites as a service, is Schwartz & Brothers LLC (schwartz-brothers.cc).
"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & Brothers LLC is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Schwartz & Brothers LLC is the premier art site for those seeking to buy or sell original art online."
From financial services to an entirely new market segment, the recruitment process itself remains pretty static, excluding a few quality-assurance-oriented details. For instance, every potential mule is required to download an entry-level job psychological test, which surprisingly asks directly whether the mule is from Australia, next to automatically selecting Australia as the country of origin at a later stage of the registration process.
Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are you/were you convicted?" in an attempt to combine the survey results with other details, such as the opening date of the bank account as well as the average daily/weekly/monthly amount transferred.
- The Terms of Service
"DUTIES:
The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to process payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.
CONFIDENTIALITY:
The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures.
The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company.
The Contractor shall not retain any copies of the foregoing without the Company's prior written permission. The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder.
If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, such could be considered grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.
TERMS OF ENGAGEMENT:
The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to AUD 2300 per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills them not in good faith. The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.
COMPENSATION:
The Company undertakes to pay taxes accrued in connection with money transfer. The Company shall also reimburse part of expenses which are incurred in connection with money transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3%, i.e. commission for payment processing operation). The above difference will be automatically added to the base salary of the Contractor and paid once per month together with the base salary.
The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor. Should the Contractor delay re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by the Force Majeure circumstances and to apply to the arbitration and claim for the reimbursement of the amount transferred to his account or for compensation for other damage if any, evicted due to the delay.
The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing or three (3) working days advance notice via e-mail or fax to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary."
- OSINT data for money mule recruitment sites
The following portfolio of money mule recruitment domains appears to have been registered using automated email registration tools, with CAPTCHA outsourcing clearly considered by the malicious parties, given the ever-decreasing price of solving CAPTCHA challenges.
Name servers of notice:
ASs of notice using the standard ns1/ns2/ns3 structure:
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE
AS19318 - NJIIX-1 NJIIX.net 110B Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425
AS15149 - EZZI-101-BGP EZZI
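To show how the registrant-email and name-server pivots used in this section are applied in practice, here is an added example (not code from the original post): it parses records in the post's "HOST - IP (ASN) - Email: address" layout and groups them by mail provider, reused registrant address and shared name-server IP, then scores how much the portfolio looks like bulk registration. All record lines and provider names below are constructed sample data, not indicators from the post.

```python
"""Pivot on registrant e-mail and name-server infrastructure to spot a
bulk-registered domain portfolio.  Added example, not from the original post;
the record lines below are constructed to match the post's
"HOST - IP (ASN) - Email: address" layout and are not the post's data."""
import re
from collections import Counter, defaultdict

# Constructed sample records (RFC 5737 addresses, .example mail hosts).
DOMAIN_RECORDS = """\
EXAMPLE-GROUPLLC.CC - Email: quilt@mailhost-a.example
EXAMPLEGROUP-LLC.CO - Email: bw@mailhost-b.example
SAMPLE-FINANCE.CC - 192.0.2.10 - Email: vivid@mailhost-a.example
SAMPLE-FIN.CO - Email: john.smith1984@mailhost-c.example
DEMO-GROUPINC.HK - Email: moss@mailhost-b.example
DEMO-GROUP.CC - Email: moss@mailhost-b.example
"""

NS_RECORDS = """\
NS1.EXAMPLEDNS.CC - 198.51.100.5 (AS64500) - Email: ached@mailhost-a.example
NS2.DEMONS.CC - 198.51.100.5 (AS64500) - Email: bold@mailhost-b.example
NS3.SAMPLEDNS.CC - 198.51.100.5 (AS64500) - Email: dyed@mailhost-c.example
NS1.OTHERNS.CC - 203.0.113.9 (AS64501) - Email: skulk@mailhost-b.example
NS2.LONE.CC - Email: bop@mailhost-a.example
"""

# HOST, then an optional " - IP" with an optional " (ASnnn)", then " - Email: addr".
LINE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+\((?P<asn>AS\d+)\))?)?"
    r"\s+-\s+Email:\s+(?P<email>\S+@\S+)\s*$"
)


def parse_records(text):
    """Parse the record layout; IP and ASN are optional and come back as None."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not follow the layout
        rec = m.groupdict()
        rec["host"] = rec["host"].lower()
        rec["email"] = rec["email"].lower()
        rec["provider"] = rec["email"].split("@", 1)[1]
        records.append(rec)
    return records


def provider_histogram(records):
    """How many records sit behind each registrant mail provider."""
    return Counter(r["provider"] for r in records)


def reused_registrant_emails(records):
    """Registrant addresses attached to more than one host."""
    by_email = defaultdict(set)
    for r in records:
        by_email[r["email"]].add(r["host"])
    return {e: sorted(h) for e, h in by_email.items() if len(h) > 1}


def shared_ns_ips(records, min_hosts=2):
    """Name-server IPs reused by several differently named NS hosts."""
    by_ip = defaultdict(set)
    for r in records:
        if r["ip"]:
            by_ip[r["ip"]].add(r["host"])
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}


def bulk_registration_score(records, max_local_len=6):
    """Fraction of registrant addresses whose local part is a short all-letter
    token, the pattern left by automated free-mail account creation (0.0..1.0)."""
    locals_ = [r["email"].split("@", 1)[0] for r in records]
    short = [l for l in locals_ if l.isalpha() and len(l) <= max_local_len]
    return len(short) / len(locals_) if locals_ else 0.0


if __name__ == "__main__":
    doms = parse_records(DOMAIN_RECORDS)
    nss = parse_records(NS_RECORDS)
    print("registrant providers:", dict(provider_histogram(doms)))
    print("reused registrant emails:", reused_registrant_emails(doms))
    print("shared name-server IPs:", shared_ns_ips(nss))
    print("bulk-registration score: %.2f" % bulk_registration_score(doms))
```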
- Long term trends - "from mule inventory to transactions inventory"
With localization and standardization (template-ization) of the entire money mule recruitment process now an everyday reality, quality assurance and diversification across markets and market segments, aimed at increasing the probability of a successful social engineering attack, will follow. Moreover, the current template-driven recruitment ecosystem will inevitably start taking advantage of basic concepts such as geolocation and content cloaking, once again to increase the probability of converting a web site visitor into a mule.
At an invite-only conference that I attended in September 2010, someone from the audience asked me a rather interesting question: does it really matter how many mules are recruited by a particular syndicate and, most importantly, can we talk about an average number of days/weeks/hours before the mule gets busted and can no longer offer his/her services?
In the long term, we're inevitably going to witness a migration from building inventories of mules to a transaction-driven mule recruitment model, in which a capability-driven mentality surpasses the inventory-building one. The number of possible transactions, with success rates based on historical performance, combined with an infinite loop of recruitment, is what will drive the entire mule recruitment ecosystem.
Related posts:
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, January 26, 2011
Spamvertised "Your password has been stolen!" Malware Campaign Circulating
A currently ongoing spamvertised campaign attempts to impersonate the most popular social networking site, Facebook. Using a well-proven "Your password has been stolen!" theme, the campaign entices the end user into downloading and executing the malware. Social engineering-driven campaigns targeting Facebook remain among the most popular malware-spreading techniques due to their ease of execution.
Subject: Facebook Support. Your password has been stolen! ID50888
Message: Good afternoon.
A Spam is sent from your FaceBook account.
Your password has been changed for safety. Information regarding your account and a new password is attached to the letter. Read this information thoroughly and change the password to complicated one. Please do not reply to this email, it's automatic mail notification! Thank you for your attention. Your Facebook!
Spamvertised filename: Facebook_details_ID76803.zip (32,458 bytes)
Detection rate:
Facebook_details.exe - Trojan-Downloader:W32/Koobface.HV - 12/ 43 (27.9%)
MD5 : f0e7a8c264fe14562ca8ac98abb35840
SHA1 : f68d15e66590c69ac75c46a09ae495be8bbf231f
SHA256: 3ca757bfdecbee20ec10d5af770700041f4bc1b17ee3123f4d85acfd19e1bb74
Upon execution, the sample phones back to:
interviewbuy.ru - 91.204.48.96 (AS24965); 124.217.248.229 (AS45839) Email: servman1976@yandex.ru
ZeuS crimeware activity, as well as SpyEye malicious activity, is also observed at AS24965 (SPOINT-AS S.Point LTD).
Saturday, January 22, 2011
Top Ten Must-Read Posts at ZDNet's Zero Day for 2010
01. Seven myths about zero day vulnerabilities debunked
02. Should a targeted country strike back at the cyber attackers?
03. 5 reasons why the proposed ID scheme for Internet users is a bad idea
04. Hotmail's new security features vs Gmail's old security features
05. Attack of the Opt-In Botnets
06. From Russia with (objective) spam stats
07. The current state of the crimeware threat - Q&A
08. Mac OS X SMS ransomware - hype or real threat?
09. 10 things you didn't know about the Koobface gang
10. Google-China cyber espionage saga - FAQ
Friday, January 21, 2011
Top Ten Must-Read DDanchev Posts For 2010
01. How the Koobface Gang Monetizes Mac OS X Traffic
02. AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
03. The DNS Infrastructure of the Money Mule Recruitment Ecosystem
04. The Avalanche Botnet and the TROYAK-AS Connection
05. Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
06. Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines
07. GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits
08. Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise
09. U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
10. TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad
Saturday, September 11, 2010
Summarizing 3 Years of Research Into Cyber Jihad
From the "been there, actively researched that" department.
- Tracking Down Internet Terrorist Propaganda
- Arabic Extremist Group Forum Messages' Characteristics
- Cyber Terrorism Communications and Propaganda
- A Cost-Benefit Analysis of Cyber Terrorism
- Current State of Internet Jihad
- Analysis of the Technical Mujahid - Issue One
- Full List of Hezbollah's Internet Sites
- Steganography and Cyber Terrorism Communications
- Hezbollah's DNS Service Providers from 1998 to 2006
- Mujahideen Secrets Encryption Tool
- Analyses of Cyber Jihadist Forums and Blogs
- Cyber Traps for Wannabe Jihadists
- Inshallahshaheed - Come Out, Come Out Wherever You Are
- GIMF Switching Blogs
- GIMF Now Permanently Shut Down
- GIMF - "We Will Remain"
- Wisdom of the Anti Cyber Jihadist Crowd
- Cyber Jihadist Blogs Switching Locations Again
- Electronic Jihad v3.0 - What Cyber Jihad Isn't
- Electronic Jihad's Targets List
- Teaching Cyber Jihadists How to Hack
- A Botnet of Infected Terrorists?
- Infecting Terrorist Suspects with Malware
- The Dark Web and Cyber Jihad
- Cyber Jihadist Hacking Teams
- Two Cyber Jihadist Blogs Now Offline
- Characteristics of Islamist Websites
- An Analysis of the Technical Mujahid - Issue Two
- Terrorist Groups' Brand Identities
- A List of Terrorists' Blogs
- Jihadists' Anonymous Internet Surfing Preferences
- Sampling Jihadists' IPs
- Cyber Jihadists' and TOR
- A Cyber Jihadist DoS Tool
- Mujahideen Secrets 2 Encryption Tool Released
- Terror on the Internet - Conflict of Interest