SMS Ransomware Source Code Now Offered for Sale

Remember the ransomware variant that was locking down user's PCs and demanding a premium SMS in order for them to receive the unlocking code?

In an attempt to further monetize the "innovative" practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.

Here are some of its features:
- When executed presents the uset with a Blue Screen of Death style error message
- A simple auto-loading feature ensuring it will load every time the host is rebooted, completely disables the startup shell in order to become the first application to appear upon reboot
- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program

The vendor would also like to remind its customers that "the application is for educational purposes only", next to a comment on how all of their current customers are fully satisfied with the money they're making by locking infected user's PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it's only a matter of time before the error messages get localized to multiple languages courtesy of localization on demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.

However, from an operational security (OPSEC) perspective which I often emphasize on in order to demonstrate how efficient cybercrime facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much easily due to its reliance on a mobile operator, compared to GPCode's virtual money exchange approach (Who's behind the GPcode ransomware?) which given they put enought efforts, the process can be virtually untraceable.

Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiqitous revenue generator in the form of scareware (Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not going away anytime soon.

Related posts:
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild

Dating Spam Campaign Promotes Bogus Dating Agency

From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, Irina, Hot Julia, Ane4ka, Nastya, and Yulia, to the Lonely Polina and the malware and exploits serving girls, Russian/Ukrainian dating scams are still pretty active these days.

A recently spammed dating campaign exposes the fraudulent practices of a well known such agency (Confidential Connections) that has been changing its name, typosquatting new domains in order to remain beneath the radar, a bit of an awkward practice given their noisy spamming approach of attracting visitors.

The spam's message:

"Good day, my gentleman!

All love is probationary, a fact which frightens women and exhilarates men. I believe that unarmed truth and unconditional love will have the final word in reality. I was born in a friendly, cultured family and would like to have the same family in my own life. I love nature, flowers, music, dancing. I like to receive guests at home and spend time with friends. I always try to use opportunity to travel and see new places in the world. I have a good, quite and merry character, don't like argues and rows. I hope to meet a white man, Christian, clever. Besides I would like to meet a good person with a good sense of humor, who wants to create a good strong family. If you would be loved, love and be lovable. I am waiting for you http://iam-waiting4love .com/infinity/

Waiting for your mail
Sveetlana B."

The user is then asked to register at hifor-you .com/register.php followed by an email confirmation explaining how the agency/scam at ualadys .com (76.74.250.239 Email: Tyom13@aol.com) works:

"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort to meet each Lady referred to us in person, interview her at length, checkout her credentials to make sure her intentions are proper, before she gets hosted as our client. It is this knowledge of the Ladies that allows us to select the right persons to introduce to each man.

 
Compatibility is the KEY. Our formula is simple, yet highly productive:
1. You fill out our profile, same as the Ladies
2. Select the Ladies you would like to meet
3. Until you have a predetermined amount of Ladies reply with a yes
4. During your trip meetings are scheduled on a private, one-on-one setting, with an interpreter to assist you (if you require one) We know that your time is limited when you go on trip. This is a very efficient selections process that saves your time and, in fact, allows you the extra time to really get to know the Ladies. 

All meetings are one-on-one. We do not organize socials that do not work. Our service is usually based upon a male clients access to time and his available budget. The normal procedure is for a client to look through our gallery of Ladies, select the Ladies for pre-qualification, and correspond with them by e-mail or phone, than arrange a one-on-one visit. Still others, after viewing the Ladies, decide that the best overall approach would be to simply go there and meet as many women as we can arrange for them to meet, and spend time with them before making a decision.
 

Also experiencing first-hand their environment and culture gives the man a future understanding of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING A 95% SUCCESS RATE! Again, the reason for this is the growing frustration among the Ladies about the lack of follow through the men, Consequently, many Ladies do not respond to letters, knowing that few ever follow through. They simply wait to meet the men who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE SERIOUS.

During our Special Photoshoot Trips (e-mail for dates); you will get an opportunity to watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh and no one has ever met them before. We have quite a few Ladies who have never made it to the gallery because they got engaged immediately to the men who went no trips."

The agency is also reserving the right to forward the responsibility for any fraudulent activities to the girls, the majority of which do not exist at the first place in the following way:

All scam patterns have similarities that are very easy to spot if you know what to watch out for:

• Usually the contact originates from a personals site where anyone can place his/her ad for free. Most often it was not you who initiated the acquaintance; you received a letter from a lovely Russian female who was interested in you. *Her* description of the partner is always very broad that will fit anybody - "kind intelligent man, age and race don't matter".

• Sometimes *she* places a real nice discription and lovely, INNOCENT pictures, with honest eyes and kind smile. You will initiate the acquaintance.

• It is always email correspondence; and letters are sent regularly, often every day; a new picture is sent with almost every letter.

This is very entertaining since the agency is driving traffic to its domains through spamming. The full list of spammed domains part of the campaign :
love-f-emale .com - 62.90.136.207
i-amsingle .com
for-you-from-me .com
destinycombine .com
with-hope-for-love .com
iam-waiting4love .com
allisloveandlove .com
amourwedding .com
adorelovewon .com
andiloveyoutoo .com
attractive-ladies .com
luckyheatrs .com
sunwants .com
myloving-heart .com
touchmy-heart .com
dreams-about-lady .com
fillinglove .net
createyourlove .net
buildyour-happylove .net
tender-woman .net
make-family .net

There's something "ingenious" about this type of dating scams, since the bogus dating agency can forward the scam responsibility to the non-existent girls at the first place. Moreover, despite the countless number of email credits, flowers and photos that you've purchased by using the agency's commercial services, the non-existent girl can always reserve the right not to meet or interact with you in any way. And even if there are actual girls working for the ad agency on a revenue-sharing basis, the agency silently makes money by reserving its right to ruin your return on investment no matter how much and what you spend on their site.

Now, that's a business model scamming the gullible and the lonely, which from a legal perspective -- excluding the spamming -- can in fact be legal in the country of operation due to the eventual mis-matching of characters.

UPDATE:
The people from "Confidential Connections" have a long history of spamming/scamming activities. Here are more related resources:

A first-person account:

"..ualadies... I work as a guide and translator for guys seeking a wife in Ukraine, and a client just came to me who was due to meet a girl from this agency. Im so wound up by the actions of this agency that i am going to post this thread in every scam forum i know about. Here is a short list of what they did:

1) Put him in a taxi to pick up the girl and take her to the restaurant, then charged him $80 for what should have been a $10 journey
2) Charged him $60 for a one hour translation, saying that they take a minimum charge of 4 hours ($15 an hour)..this they told him only after the meeting
3) After my client had payed (a very steep $50) to meet the girl, he got her address and decided to send her some flowers (at the local rate of 2 dollars for 1 rose, as apposed to 10 dollars a rose at the agency). The agency, upon finding out about this, called him up and shouted at him for daring to send her roses not through them (!)
 

4) It turned out that the girl hadn't written most of the letters the client had shared with her over a period of a year, and in fact that the agency themselves had written them, earning good money in the proccess!
5) The agency lied about the upper age limit for a guy the girl was willing to meet - they put down 60 when she had indicated 40.
6) There is more!...but i think ive written enough for you to get the idea.

Be aware of this agency! In all my time as a guide/translator i have never seen an agency that works so shambolicaly. Agencies like this ruin the reputation of the business, in which there are number of hard working honest agencies that suffer as a result."

More comments from the same person, presumably working there:
"Beware of ualadys. I live in Ukraine and know someone who works in one of the branches. Word has it that they churn out letters factory-style and often write themselves. They do not allow their girls to turn down a man who has requested to communicate with them, even if they dont want to. They did not allow me to go to their office to check them out and ask them questions. They scare the girls so that they dont get in personal contact with a guy or go to another agency. Beware!"

Exclusive photo gallery from what appears to be a scammed customer -- wedding rings are in place. The guy was initially spammed:

"On June 23rd of 2008 (that was 5 months after I gave up my relationship with my ex girlfriend),  I received one email from UAladys which stated it was translated for a lady in Ukraine. Her name is Anastasia R. (ID 5008) Her introduction letter went as follows"

Thankfully, he's preserved the achive of the correspondence, exposing their practices.

Spamvertised Swine Flu Domains - Part Two

Dissecting a Swine Flu Black SEO Campaign

Remember the Ukrainian group of cyber criminals that was responsible for last week's massive blackhat SEO campaign that was serving scareware, followed by the timely hijacking of Mickeyy worm keywords a week earlier to once again serve rogue security software?

They are back with new blackhat SEO farms which they continue monetizing through rogue security software. Time to dissect their latest campaign and expose their malicious practices.

Once having most of their previous domains blacklisted/shut down, the group naturally introduced new ones, and changed the search engine optimization theme to swine flu, in between a variation of their previous one relying on catchy titles such as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site.

Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 .ru/admin/red/en.php (74.54.176.50; Email: rebsdtis@land.ru). Are you noticing the directory structure similarities? Appreciate my rhetoric, it's last month's blackhat SEO gang with a new portfolio of domains.

What follows is the usual referrer check : "var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.");" from where the user is redirected to liveavantbrowser2 .cn/go.php?id=2022&key=4c69e59ac&p=1 (83.133.123.140) acting as central redirection point to the typosquatted portfolio of rogue security software domains.

The original scareware domain vrusstatuscheck .com/1/?id=2022&smersh=a9fd94859&back=%3DjQ51TT1MUQMMI%3DN - (69.4.230.204; 38.99.170.209; 78.47.172.66; 78.47.91.153; 94.76.212.239; 94.102.48.28) is exposing the rest of the scareware (detection rate) portfolio with the following domains parked at these IPs:

antivirusbestscannerv1 .com
antivirus-powerful-scanv2 .com
antivirus-powerful-scannerv2 .com
virusinfocheck .com
vrusstatuscheck .com
adware-removal-tool .com
1quickpcscanner .com
1spywareonlinescanner .com
1computeronlinescanner .com
1bestprotectionscanner .com
securityhelpcenter .com
antivirus-online-pro-scan .com
securedonlinecomputerscan .com
antispywarepcscanner .com
securedvirusscanner .com
virusinfocheck .com
antivirusbestscannerv1 .com
antispywareupdateservice .com
platinumsecurityupdate .com
antispywareupdatesystem .com
onlineupdatessystem .com
softwareupdatessystem .com
securedpaymentsystem .com
infosecuritycenter .com
antispywareproupdates .com
securedsoftwareupdate .cn
securedupdateslive .cn
thankyouforinstall .cn
securityupdatessystem .cn
securedsystemresources .cn
securedosupdates .cn
windowssecurityupdates .cn

Once executed it downloads Microsoft's original thank you note (update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads .com/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1

Related phone-back locations:
liveavantbrowser2 .cn - (83.133.123.140)
securedliveuploads .com
liveavantbrowser2 .cn
awardspacelooksbig .us
crytheriver .biz
softwareupdatessystem .com
securedsoftwareupdate .cn
securedupdateslive .cn
securedosupdates .cn

Blackhat SEO subdomains at the free web site hosting services:
2qnews.07x .net
2rnews.07x .net
1news.07x .net
1knews.07x .net
1xnews.07x .net
gerandong.07x .net
kort.07x .net
30newsx.07x .net
4dnews.07x .net
4dnews.07x .net
laptop.07x .net
30newsf.07x .net

Blackhat SEO domains participating in the second multi-theme campaign:
01may2009 .us
m1m18test .us
m1m17test .us
m1m21test .us
m1m11test .us
m1m16test .us
m1m20test .us
m1m15test .us
m1m14test .us
m1m13test .us
m1m11test .us
m1m15test .us
m1m19test .us
f9o852test .us
f9o851test .us
f9o87test .us
f9o86test .us
f9o5test .us
f9o8test .us
ff7test5 .us
g2g1test .us

Blackhat SEO domains participating in the third campaign:
greg-page-boxing.6may2009 .com - 212.95.58.156
dualsaw.06may2009 .com
craigslist-killer.5may2009 .com
 
Upon clicking, the user is redirected to berusimcom .com/t.php?s=18&pk=, then to the SEO keyword logger at berusimcom .com/in.cgi?18&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=nfl-draft.5may2009 .com&ppckey=, and then exposed to another portfolio of rogue security software (detection rate) at hot-porn-tubes.com/promo3/?aid=1361&vname=antivirus - 78.129.166.166; 91.212.132.12, with the following domains parked at the same IPs:

xxxtube-for-xxxtube .com
youporn-for-free .com
xtube-xmovie .com
free-xxx-central .com
xtube-downloads .com
porn-tube-movies .com
my-fuck-movies .com
niche-tube-videos-here .net
free-tube-video-central .net
tubezzz-boobezzz .net
hot-tube-tuberzzz .net

Persistence must be met with persistence.

Summarizing Zero Day's Posts for April

The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can also go through previous summaries for March, February, January, December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles include: Google's CAPTCHA experiment and the human factor; Conficker's estimated economic cost? $9.1 billion and Twitter hit by multiple variants of XSS worm.

01. Conficker worm's copycat Neeris spreading over IM
02. Paul McCartney's official site serving malware
03. Fake "Conficker Infection Alert" spam campaign circulating
04. Twitter hit by multiple variants of XSS worm
05. Scareware pops-up at FoxNews
06. Waledac botnet spamming fake SMS spying tool
07. Twitter worm author gets a job at exqSoft Solutions
08. Google's CAPTCHA experiment and the human factor
09. Hackers hijack DNS records of high profile New Zealand sites
10. New ransomware locks PCs, demands premium SMS for removal
11. Conficker's estimated economic cost? $9.1 billion
12. Swine flu email scams circulating
13. Online broker CommSec criticised for weak passwords, lack of SSL
14. Survey: 37% of employees would become insiders given the right incentive
15. French hacker gains access to Twitter's admin panel

419 Scam Artists Using NYTimes.com 'Email this' Feature

In times when more and more scammers/spammers are getting DomainKeys verified, others are finding adaptive ways to increase the probability of bypassing antispam filters.

Take for instance this 419s scam artist, that's been pretty active in his scamming attempts as of recently.

Basically, he's exploiting the fact that he's allowed to enter a message within NYTimes.com's 'Email this" feature, whereas it will successfully reach the potential victim based on clean IP reputation of NYTimes - and sadly, he's right since he's already sending scam messages through the following accounts registered at the site:

douglas_999@live.fr
douglas77@live.fr
mamadou_sanou@live.fr
markkabore0@yahoo.fr
abdelk11@hotmail.fr
sulem_musa@live.fr
davidbchirot@hotmail.com

His excuse for using NYTimes.com? - "Based on the bank high sensitiveness and security i have decided to contact you outside the bank's sever IP for a beneficial transaction."

Another scam that I've been tracking for a while is using a new "Hand bag stolen at Barcelona air port" social engineering attempt, and is attaching scanned copies of real baggage loss documents in order to improve the truthfulness of the scam. Pretty catchy if you don't know what advance fee fraud is.