Thank You For Following Me!

October 29, 2022

Dear blog readers,

I wanted to take the time and effort and say big thanks to everyone who's been following my work throughout the years and continues to do so. Full video here. My RSS feed here.


Stay tuned!

Exposing an E-Shop for Selling Access to Compromised PCs - An Analysis

October 29, 2022

NOTE:

I took these screenshots in 2009.

Dear blog readers,

I've decided to share with everyone some screenshots of an E-Shop for selling access to compromised PCs.

Largely thanks to a variety of built-in botnet management and control features, today's botnet masters are fully capable of renting out or offering access to malware-infected hosts. These hosts can be used for a variety of purposes, including hosting rogue and malicious content and further spreading malicious software, largely thanks to the segmentation features currently available in a variety of high-profile malware and botnet releases.

Sample screenshots include:

Stay tuned!

Exposing a Compilation of Stolen Credit Cards Selling Domains - An Analysis

October 29, 2022

Dear blog readers,

I've decided to share with everyone a currently active portfolio of E-Shops selling access to stolen credit cards, including the necessary technical information to assist everyone in their cyber attack and cyber campaign attribution efforts.
Sample screenshot includes:

Sample domains known to have been involved in the campaign include:

hxxp://ccgetmoney.com
hxxp://cvvshop.in
hxxp://cvvshop39.com
hxxp://evilshop.org
hxxp://shopccdumps.com
hxxp://trackgenerator.com
hxxp://validforver.com
hxxp://zunostores.com
hxxp://novlops.com
hxxp://pawnsh0p.com
hxxp://privatecvv.com
hxxp://privateshop1.com
hxxp://privateshop2.com
hxxp://selldumpsshop.com
hxxp://allmybins.com
hxxp://anyccard.com
hxxp://bases-valid.com
hxxp://batch-conf.com
hxxp://yalelodge.com
hxxp://vietnamworm.com
hxxp://freshcvv.com
hxxp://good-cvv.com
hxxp://dumpschecker.com
hxxp://jshop-pro.com
hxxp://dumpscvv2.com
hxxp://trdbz.com
hxxp://cyberxsh0p.net
hxxp://validmarket.biz
hxxp://cvvhack.com
hxxp://bulkcvv.com

Sample personally identifiable email address accounts known to have been involved in the campaign include:
greg2022@mail.ru
philmahre1989@gmail.com

Sample screenshots include:

Sample responding IPs known to have been involved in the campaign include:
hxxp://92.53.77.40
hxxp://92.223.105.218
hxxp://47.254.213.246
hxxp://49.51.135.48
hxxp://78.155.206.161
hxxp://149.129.136.245
hxxp://47.74.235.179
hxxp://92.38.135.246
hxxp://149.129.136.150
hxxp://149.129.225.92
hxxp://37.60.177.31
hxxp://194.87.103.196
hxxp://185.162.131.59
hxxp://149.129.223.249
hxxp://161.117.7.46
hxxp://46.21.248.49
hxxp://47.91.72.137
hxxp://185.185.69.33
hxxp://119.28.41.158
hxxp://85.193.85.119
hxxp://92.53.66.13
hxxp://47.74.176.216
hxxp://95.163.250.153
hxxp://47.74.236.158
hxxp://95.213.252.108
hxxp://49.51.192.130
hxxp://178.154.240.197
hxxp://172.67.144.190
hxxp://27.102.118.142
hxxp://80.87.97.201
hxxp://149.129.219.23
hxxp://185.158.152.31
hxxp://49.51.35.225
hxxp://35.198.119.28
hxxp://108.177.235.227
hxxp://193.187.128.60
hxxp://47.74.186.197
hxxp://92.53.77.90
hxxp://149.129.215.190
hxxp://47.74.137.231
hxxp://45.149.222.144
hxxp://185.167.98.134
hxxp://104.165.20.149
hxxp://47.52.233.0
hxxp://45.34.127.236
hxxp://95.213.252.3
hxxp://143.110.176.81
hxxp://47.88.156.38
hxxp://46.21.249.114
hxxp://159.65.94.111
hxxp://185.223.163.129
hxxp://185.224.212.24
hxxp://185.162.131.61
hxxp://119.28.137.123
hxxp://49.51.85.205
hxxp://194.116.216.254
hxxp://5.188.89.114
hxxp://5.188.89.22
hxxp://194.87.235.166
hxxp://92.38.135.251
hxxp://172.104.104.241
hxxp://95.213.203.64
hxxp://45.63.40.156
hxxp://149.129.216.197
hxxp://47.88.231.35
hxxp://78.155.207.76
hxxp://138.68.70.125
hxxp://185.142.239.239
hxxp://85.119.150.130

Related domains known to have been involved in the campaign include:

hxxp://stdumps.com
hxxp://shopcvvonline.ru
hxxp://golddumps.net
hxxp://hitbtctrading.com
hxxp://try2swipe.shop
hxxp://dumps-cvv.ru
hxxp://dumps-market-cvv.ru
hxxp://carderunion.ru
hxxp://cvv-carder-shop.ru
hxxp://greatdumps.net
hxxp://cvvunion.su
hxxp://dumps55.com
hxxp://okcoin-exchange.com
hxxp://dumpsmall.com
hxxp://vaildcc.su
hxxp://dumpsmall.name
hxxp://cardingmafia.su
hxxp://freshtools.ru
hxxp://http-mshop-metro-cc-ru-shop-authloading.ru
hxxp://cvv-shop.online
hxxp://dumps4free.ru
hxxp://cvvbuyonline.ru
hxxp://n1shop.net
hxxp://cardersvilla.com
hxxp://stdumps.net
hxxp://validcvv.club
hxxp://sellcvv.shop
hxxp://vaultmarket.name
hxxp://swiped1.ru
hxxp://store-best-dump.ru
hxxp://shop-forum-carder.ru
hxxp://carder007.shop
hxxp://crimenetwork.club
hxxp://cvvonlineshops.com
hxxp://verifiedshop.su
hxxp://onlinecvv.ru
hxxp://shalom.pro
hxxp://dump99.com
hxxp://bestcardersforum.ru
hxxp://smartstripe.ru
hxxp://dumps-cvv-market.ru
hxxp://zzxqsc.cn
hxxp://cardingmaestro.com
hxxp://cykkk.com
hxxp://c4rdforallove.com
hxxp://center-vinyl.ru
hxxp://cvvonlineshop.ru
hxxp://cvvshop39.com
hxxp://pack-relocation.com
hxxp://evilshop.org
hxxp://shopccdumps.com
hxxp://trackgenerator.com
hxxp://validforver.com
hxxp://xakerforum.ru
hxxp://legitvendors.su
hxxp://e-obmen.su
hxxp://cardersvilla.ru
hxxp://kimoyo.net
hxxp://prtship-forum.ru
hxxp://ccguru.su
hxxp://dpscc.ru
hxxp://ccgetmoney.com
hxxp://bulkcvv.com
hxxp://cvvshop.in
hxxp://carders-place.com
hxxp://vault-dumps.com
hxxp://cvv2shop.su
hxxp://cproforum.com
hxxp://vppspy.com
hxxp://binswork.biz
hxxp://valid4you.com
hxxp://realjabba.com
hxxp://cardstorm.ru
hxxp://globalccsource.ru
hxxp://ccshoponline.com
hxxp://rafanji.com
hxxp://tonyblack.ru
hxxp://market-dumps-cvv.ru
hxxp://allcarders.info
hxxp://mgmt.niii.in
hxxp://cvvshop39.ru
hxxp://pp24.su
hxxp://approvedcc.com
hxxp://infraud.ws
hxxp://ios.z6xg.cn
hxxp://fraudsmarket.com
hxxp://verifiedcarder.com
hxxp://validfullz.info
hxxp://store-carder-cvv.ru
hxxp://promarket.ws
hxxp://blackamex.ru
hxxp://shopadmin.ru
hxxp://feshop-one.su
hxxp://dumpscheck.ru
hxxp://card-room.cc
hxxp://ccfullz.su
hxxp://dumpschecker.com
hxxp://swipers.ru
hxxp://101blackcard.com
hxxp://stardumps24.ru
hxxp://dumpscvv2.com
hxxp://hackerimpossible.su
hxxp://verifieddumpsshop.ru
hxxp://track2.su
hxxp://worldcvv.com
hxxp://mafiastore.su
hxxp://trdbz.com
hxxp://jnpsgo.bar
hxxp://cyberxsh0p.net
hxxp://vt-professional.com
hxxp://batch-conf.com
hxxp://brocard1.com
hxxp://yalelodge.com
hxxp://verifiedshop.biz
hxxp://vietnamworm.com
hxxp://mymarket.su
hxxp://cc-best.top
hxxp://verifed-cardershop.top
hxxp://fercoamildhubti.cf
hxxp://onlineq-track.top
hxxp://goldplastic.store
hxxp://infraud.name
hxxp://geobiniri.tk
hxxp://kingscard.su
hxxp://validmarket.biz
hxxp://cvvhack.com
hxxp://sellccvs.ru
hxxp://dumpscvvmarket.ru
hxxp://thugcarders.com
hxxp://valid-shop.com
hxxp://shopvl.net
hxxp://ccplaza.club
hxxp://diamonddumps.com
hxxp://lswjsdcf358.com
hxxp://sellz-market.ru
hxxp://approved1.net
hxxp://legitcarders.com
hxxp://darknetw0rk.ru
hxxp://oroboros.su
hxxp://freshstuff.cc
hxxp://bitkonan.net
hxxp://sellz-market.org
hxxp://crimemarket.su
hxxp://myccroom.ru
hxxp://cvv1.me
hxxp://sounic.cc
hxxp://codesellz.com
hxxp://dcshop.su
hxxp://free-cc-dumps.ru
hxxp://brocard2.com
hxxp://zhilem.com
hxxp://pawnsh0p.com
hxxp://kairui999.com
hxxp://privateshop1.com
hxxp://privatecvv.com
hxxp://just-valid.com
hxxp://selldumpsshop.com
hxxp://allmybins.com
hxxp://anyccard.com
hxxp://zunostores.com
hxxp://novlops.com
hxxp://good-cvv.com
hxxp://jshop-pro.com
hxxp://storecardercvv.ru
hxxp://fe-dumps.ru
hxxp://banalitybiz.com
hxxp://privateshop2.com
hxxp://moneyteam24.ru
hxxp://buyvalidcvv.ru
hxxp://bases-valid.com
hxxp://freshcvv.com
hxxp://greatdump.com
hxxp://www.2bcd.su
hxxp://shop-buying-cvv-online.com
hxxp://cvvshopvalid.info
hxxp://realcvvshop.ru
hxxp://wucshop.com

Stay tuned!

Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware Serving Domains - An Analysis

October 28, 2022

NOTE:

I took these screenshots in 2009.

There was a moment in time when scareware and pay-per-install, affiliate-based revenue sharing fraudulent and malicious networks dominated the threat landscape as the bad guys' primary monetization vector, with them successfully stealing basically tens of thousands in fraudulent revenue by enticing users into installing and interacting with rogue and fake security software.

In this post I'll take a deeper look inside the YaBucks rogue, affiliate-network-based scareware serving network, which managed to affect thousands of users globally judging by the number of affiliates that participated in it, and also provide technical details on its Internet-connected infrastructure with the idea of assisting everyone in their cyber attack and cyber campaign attribution efforts.
 
Sample screenshots include:

Sample domains known to have been involved in the campaign include:

hxxp://pontesmedia.com - 74.54.241.100
hxxp://matelab.com
hxxp://legochild.com
hxxp://imzee.com
hxxp://mustmake.com
hxxp://ovobundle.com
hxxp://emulehome.com
hxxp://skyaffiliate.com
hxxp://vivosearch.com
hxxp://ovocash.com
hxxp://p2passion.com
hxxp://datingnoon.com
hxxp://profilissimo.com
hxxp://flipero.com
hxxp://adware-help.com
hxxp://spacextender.com
hxxp://mybuckler.com
hxxp://iframr.com
hxxp://glintgames.com
hxxp://justares.com
hxxp://ppitalks.com
hxxp://theinstalls.com
hxxp://adwaredollars.com
hxxp://funtarget.com
hxxp://theimageoutlet.com
hxxp://petduet.com
hxxp://tivisoft.com
hxxp://softpont.com
hxxp://blogency.com
hxxp://wiiactivity.com
hxxp://bnetworks.us
hxxp://gorasoft.us
hxxp://camerabid.net
hxxp://freemediashare.net
hxxp://germek.net
hxxp://imupdates.net
hxxp://allworldstars.net
hxxp://gorasoft.net

Sample responding IPs known to have been involved in the campaign include:
hxxp://54.208.174.161
hxxp://154.72.193.28
hxxp://54.165.156.210
hxxp://54.200.75.96
hxxp://52.72.89.116
hxxp://199.184.144.27
hxxp://74.208.236.241
hxxp://74.208.21.90
hxxp://207.148.248.143
hxxp://50.63.202.104
hxxp://184.168.221.39
hxxp://52.202.22.6
hxxp://54.209.32.212
hxxp://54.208.74.215
hxxp://45.40.140.6
hxxp://68.178.213.203
hxxp://213.186.33.18
hxxp://3.223.115.185
hxxp://52.71.210.200
hxxp://23.20.239.12
hxxp://54.80.72.81
hxxp://34.102.136.180
hxxp://146.112.61.107
hxxp://204.11.56.48
hxxp://23.202.231.167
hxxp://23.217.138.108
hxxp://107.23.198.240
hxxp://35.171.109.224
hxxp://52.7.6.73
hxxp://52.71.185.125
hxxp://54.174.212.152
hxxp://52.6.224.208
hxxp://54.209.58.131
hxxp://3.224.108.191
hxxp://34.206.145.143
hxxp://18.119.154.66
hxxp://217.160.0.202
hxxp://72.32.183.55
hxxp://13.70.194.134
hxxp://52.50.218.98
hxxp://52.19.184.19
hxxp://156.245.122.96
hxxp://154.38.221.164
hxxp://180.215.252.181
hxxp://52.16.207.139
hxxp://192.163.249.115
hxxp://54.183.99.63
hxxp://46.249.46.67
hxxp://146.112.61.106
hxxp://23.202.231.168
hxxp://23.195.69.108
hxxp://185.230.63.171
hxxp://185.230.63.186
hxxp://109.234.109.84
hxxp://192.232.231.38
hxxp://50.63.202.47
hxxp://50.63.202.49
hxxp://50.63.202.59
hxxp://198.105.244.11
hxxp://184.168.221.57
hxxp://185.230.61.173
hxxp://184.168.221.36
hxxp://104.239.213.7
hxxp://34.117.168.233
hxxp://85.13.164.142
hxxp://185.230.60.173
hxxp://199.34.228.59
hxxp://103.224.182.244
hxxp://36.86.63.182
hxxp://184.168.221.65
hxxp://185.205.210.23
hxxp://204.16.144.135
hxxp://172.93.51.245
hxxp://76.223.65.111
hxxp://184.168.221.53
hxxp://218.93.250.18
hxxp://184.168.221.40
hxxp://93.89.226.17
hxxp://54.72.11.253
hxxp://198.105.254.11
hxxp://18.211.9.206
hxxp://185.53.179.7
hxxp://91.237.88.232
hxxp://52.15.160.167
hxxp://3.140.179.210
hxxp://3.141.79.17
hxxp://198.61.166.153
hxxp://69.56.252.44
hxxp://143.95.87.47
hxxp://104.24.126.199
hxxp://50.63.202.43
hxxp://23.246.252.106
hxxp://141.8.226.19
hxxp://3.143.123.90
hxxp://3.138.54.87

Sample malicious MD5s known to have been involved in the campaign include:
MD5: d3081abe4e1c1808e5e8a83a3bc1eaa2
MD5: 1aadbc70670bc05875c04c9e86c0356e
MD5: f18c7a4fed30371a0eba7eef3051234f
MD5: b492493154482d9bb6e24340d8866dec
MD5: 72e5a2dadc0711f36e84f636b7267b1b
MD5: eab74844a9b34edc1b7b3d4e84aab5ec
MD5: 322367ea2f686916a44181bf72c49726
MD5: d9f6bf40003d44ecf7b2fa697a9e73dd

Sample malicious and fraudulent C&C server domains known to have been involved in the campaign include:
hxxp://skyaffiliate.com/count.php
hxxp://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9

Stay tuned!

CAPTCHA is Dead! - Here's the Proof

October 28, 2022

Dear blog readers,

It's an open secret that the majority of today's modern Web sites rely on CAPTCHA to tell users apart from bots or automated software, which in reality is a flawed and outdated approach to protecting a Web site and its visitors: in 2022 we continue to live in a world where CAPTCHA-solving as a service, including reCAPTCHA solving as a service, continues to proliferate, with possibly thousands of users across the globe processing hundreds of thousands of CAPTCHAs from popular CAPTCHA services for the purpose of empowering Russian and international cybercriminals to automatically register new accounts on major Web properties and social networks internationally.

In this post I'll detail the activities of several known CAPTCHA-solving services and discuss their functionality in depth, with the idea of raising awareness of the concept, including the systematic and automatic solving of CAPTCHAs by humans and their affiliate-based networks.

Sample URLs known to have been involved in the campaign include:

hxxp://captchasolver.com - 69.172.201.208; 52.73.71.92; 52.73.115.80; 172.64.138.13; 172.67.184.21

hxxp://captchaocr.com - 172.93.194.59; 172.93.194.58; 3.130.204.160; 103.224.212.221; 3.19.116.195

hxxp://typethat.biz - once executed the sample phones back to hxxp://5fc.info - 184.168.192.116; 45.40.164.140; 209.99.40.222; 208.91.199.225; 50.62.160.53

Sample MD5 known to have been involved in the campaign include:

MD5: eb1ef93dcf2e9fd747ea2b80dd0c2619

Related URLs known to have been involved in similar campaigns include:

hxxp://captchasolver.com/

hxxp://216.55.132.15/captchas

hxxp://64.34.161.26:8888/type/typer.html

hxxp://panel.6ew.pl/index.php

hxxp://www.geocities.com/workcaptcha/magic.bolobomb.htm

hxxp://magic.bolobomb.com/lepricon/index.php

hxxp://www.geocities.com/workcaptcha/destination.work.htm

hxxp://nagic.bolobomb.com/lepricon/index.php?A=STATS

hxxp://www.destination-server.com/bulletinpics/entry.cgi

hxxp://www.destination-server.com/bulletinpics/server-slow.cgi

hxxp://74.55.167.90:8546/entry/type.php?

hxxp://www.lovecolony.com/captchasetup.exe

hxxp://www.captchaocr.com/human/index.php

hxxp://bpoworld.awardspace.com/
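The indicator lists in this post and the others on this page mix several shapes: a defanged URL on its own, a "domain - IP; IP" line, a bare "hxxp://IP" line, a URL with a port and path, and "MD5:" lines. As an added example (my own code, not part of this post or of any service it names), the following Python turns lines in those formats into a deduplicated indicator set and checks a few log lines against it. The sample indicator lines are copied from the lists on this page; the log lines and their field layout are constructed for the demonstration, and the `find_hits` matching logic is my own, not something the post describes.

```python
import re
from dataclasses import dataclass, field


# Sample indicator lines in the formats used on this page (copied from the
# page's own lists; a handful of lines, not a complete feed).
SAMPLE_INDICATORS = """\
hxxp://captchasolver.com - 69.172.201.208; 52.73.71.92
hxxp://typethat.biz - once executed the sample phones back to hxxp://5fc.info - 184.168.192.116; 45.40.164.140
hxxp://92.53.77.40
hxxp://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9
hxxp://64.34.161.26:8888/type/typer.html
MD5: eb1ef93dcf2e9fd747ea2b80dd0c2619
hxxp://pontesmedia.com - 74.54.241.100
"""

# Constructed log lines in a hypothetical DNS/proxy format, used only to
# demonstrate matching; the third one must NOT match (substring trap).
SAMPLE_LOG = [
    "2022-10-28T10:00:01Z dns client=10.0.0.5 qname=captchasolver.com type=A",
    "2022-10-28T10:00:02Z proxy client=10.0.0.7 dst=92.53.77.40:443 method=CONNECT",
    "2022-10-28T10:00:03Z dns client=10.0.0.9 qname=notcaptchasolver.com type=A",
]

IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
MD5_RE = re.compile(r"\bMD5:\s*([0-9a-fA-F]{32})\b")
# Defanged URL: hxxp(s)://host[:port][/path]; host stops at whitespace, '/' or ':'.
URL_RE = re.compile(r"hxxps?://([^\s/:]+)(?::\d+)?(/\S*)?", re.IGNORECASE)


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)   # full URLs that carry a path
    md5s: set = field(default_factory=set)


def refang(url: str) -> str:
    """Turn the defanged hxxp:// scheme back into http:// (scheme only)."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_iocs(text: str) -> IocSet:
    """Extract domains, IPs, pathed URLs and MD5s from free-form indicator lines."""
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for digest in MD5_RE.findall(line):
            iocs.md5s.add(digest.lower())
        for m in URL_RE.finditer(line):
            host, path = m.group(1), m.group(2)
            if IPV4_RE.fullmatch(host):
                iocs.ips.add(host)
            else:
                iocs.domains.add(host.lower())
            if path:  # keep only URLs that say more than the bare host
                iocs.urls.add(refang(m.group(0)))
        # Bare IPs after " - " or "; " separators (IP hosts repeat here; sets dedup).
        for ip in IPV4_RE.findall(line):
            iocs.ips.add(ip)
    return iocs


def find_hits(iocs: IocSet, log_line: str) -> set:
    """Return the indicators from `iocs` that appear in one log line.

    Domains are matched on label boundaries: a subdomain of a listed domain
    counts as a hit, but 'notcaptchasolver.com' is not a hit for
    'captchasolver.com'.
    """
    hits = set()
    lowered = log_line.lower()
    for domain in iocs.domains:
        if re.search(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", lowered):
            hits.add(domain)
    for ip in IPV4_RE.findall(log_line):
        if ip in iocs.ips:
            hits.add(ip)
    return hits


def summarize(iocs: IocSet) -> dict:
    """Counts per indicator type, handy as a sanity check before loading a feed."""
    return {"domains": len(iocs.domains), "ips": len(iocs.ips),
            "urls": len(iocs.urls), "md5s": len(iocs.md5s)}


if __name__ == "__main__":
    feed = parse_iocs(SAMPLE_INDICATORS)
    print(summarize(feed))
    for entry in SAMPLE_LOG:
        print(find_hits(feed, entry) or "-", entry)
```

Two design choices worth noting: only the `hxxp` scheme is refanged, so a hostname that happens to contain those letters is left alone, and domain matching uses boundary lookarounds rather than a plain substring test, which is the usual source of false positives when a blocklist built from a post like this is applied to DNS or proxy logs.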

Stay tuned!

Mobile Malware - Hype or Threat? - An Analysis

October 28, 2022

NOTE:

I wrote this article in 2006.

You've probably witnessed the ongoing speculation on whether or not mobile malware represents the kind of threat some vendors have been accused of hyping. Malware authors are in a unique position to follow the trend, recognize when an approach has matured enough to think about resetting it, and then suddenly shift their techniques entirely -- which is what produces the weekly media articles declaring P2P, IM, email, and yes, Skype the "next big thing" on the malware scene.

It's all cyclical, and it isn't rocket science that needs a reverse engineer to explain it while dazzling you with advanced assembly experience.

There are incentives for malware authors to write mobile malware, namely the commercialization of mobile malware itself, which happened in the middle of 2006 with the release of RedBrowser. This was among the key points I indicated in my "Malware - Future Trends" research, released at the beginning of 2006. As always, the ugliest things are the easiest to emerge.

The very nature of a mobile phone's voting and purchasing power, not to mention the rest, could literally provoke your imagination on the possible abuses.

Why would an end user start asking a mobile operator's representative about the availability of mobile anti virus scanners? Because he or she would have been a victim of the art of market development, viral

The industry's main points:

- more people have mobile phones than own a personal computer -- which doesn't mean they're all smart phones running Symbian or Windows Mobile

- over 300 generically detected malware samples, which is reminiscent of the concept of a malware family in the PC malware world. These are all the Cabir family; its code spread on the Internet, and hordes of script kiddies are fueling the FUD while watching Takedown and inspiring themselves to eavesdrop on someone's mobile communications while "commuting" in the park

The reality

- Anti virus vendors suffer from marketing myopia: they've simply fallen in love with their products, and we all know that once you fall in love it's hard to remain as pragmatic as you used to be -- sweet pain

- the majority of known mobile malware comes out of the publicly available Cabir Proof of Concept (PoC) code, namely the spreading routine within it. In other words, the current threat represents nothing more than a mobile malware family, and there's no such thing as a perfect family

- Malware authors are too busy taking advantage of the soon-to-reach 1B worldwide Internet population to efficiently play the cat and mouse game.

- the end user MUST confirm the unknown Bluetooth connection if she's in discoverable mode, and must confirm the execution of an executable from an unknown source

- given that Symbian and Windows Mobile dominate the mobile OS space, a vulnerability in these systems is crucial

- Anti virus signatures are basically a reactive security protection

I once argued about the myth of anti virus vendors sharing every malware sample they come across, and about the "usefulness" of virus signatures in today's open source malware and malware-on-demand world

How to protect yourself?

- be aware of the basics of mobile malware

- don't install applications from untrusted on-the-go sources

Do you need a personal anti-virus scanner for your mobile phone? No, you don't, but mobile operators need them at the gateway level; the rest is just your mobile operator differentiating its offering, positioning itself as a conscientious one, and further fueling growth in the market -- whether the revenue gets spent on further R&D on mobile malware or on market development with other products is up to the vendors themselves.

It's your network operator who should be responsible for limiting the spread of potential epidemics, and charging a buck for a slight modification of Cabir's PoC spreading module brings us back to the same old issue of open source malware, or malware on demand, versus the usefulness and recency of anti virus signature updates. My point: the responsibility for dealing with the general, family-based mobile malware we're seeing today should go to my mobile operator, not to me, getting infected and spreading the disease even further.

The average mobile phone user would enjoy a provider's brand even more if he's been talked into the huge dangers posed by mobile malware -- from a marketing point of view he would even spread the word further while trying to get others to perceive him/her as a tech savvy individual with a fancy AV scanner on his couple hundred.

Targeted attacks have huge potential though, while a mass sending of mobile malware would result in the mobile operator directly blocking it, and merely relying on the end user to take care of their responsibilities. All you need is a widespread mobile malware dissemination attempt, and then you'll witness your operator using its ownership powers to shock and awe you with its know-how.

Wise investments are not always those that seem the most proactive, but the ones taking advantage of the momentum.

Remember, the best marketers don't just respond profitably to the consumer's needs, they create new markets. It's the unspoken rule of the game.

What's next? Anti virus software for your gaming device and music player, as well as for your IPv6 compatible fridge? For sure, but in the very, very long run. Meanwhile, be aware, don't panic, and try to base your concerns on objective and unbiased sources only.

Stay tuned!

Exposing a Compilation of Botnets-in-the-Wild Screenshots - An Analysis

October 27, 2022

Dear blog readers,

I've decided to share a compilation of botnets-in-the-wild screenshots coming straight from the source, namely various cybercrime-friendly forums internationally, with the idea of raising everyone's situational awareness of the current state of the botnet ecosystem globally, in a context where hundreds of folks out there are building and generating these, potentially earning tens of thousands in fraudulent revenue in the process.

An image is worth a thousand words.

Sample screenshots of various botnets-in-the-wild obtained using public sources include:

Stay tuned!