In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Wednesday, April 10, 2013
Historical OSINT - The "BadB International" Cybercrime Enterprise
BadB is the nickname of Vladislav Anatolievich Horohorin, a high-profile carder who eventually got busted in France in 2010. This month, he was sentenced to serve 88 months in prison, ordered to pay $125,739 in restitution, and given two years of supervised release.
In the wake of these events, I decided to release some raw OSINT data regarding BadB's official Web site, hxxp://badb.biz.
Related URLs: hxxp://badb.biz; hxxp://badb.org; hxxp://dumps.name
Emails: badb4cc@yahoo.com; metaksa_s@yahoo.com; support@agava.com; admin@agava.com; admin@carderplanet.biz
ICQ: 49162552
Phone number: +19522325532 (working, according to BadB, in 2009)
IP hosting history for badb.biz from 2005 to 2010 in the format (initial hosting IP -> IP change detected to a new IP):
Sample About Us section description from badb.biz:
We are an independent e-commerce security investigation group. We help e-commerce organisations such as Visa, Mastercard, regional processings and other e-commerce structures to understand how vulnerable they are. We are not connected to any criminal structures, not performing any outlaw actions by ourselves, not selling drugs, not sending any spam, not connected to any child porno, not supporting terrorists themselves nor terrorist organisations. If you received any spam from us - this is a fake of our enemies; we never use spam to promote our site. All information you can read here is provided "As Is" and only for educational purposes. All articles are copyrighted. If you wish to take any part of information from here - please refer to the origination site. All we do - is we have for sale some dumps, cvvs and cobs - just for experimental purposes of our customers ;-) We listen and effectively respond to your needs and those of your clients. We are experts at translating those needs into marketing solutions that work, look great and communicate well. Each day brings increased opportunity to increase business in current as well as new.
This case is a great example of a simple fact: with or without BadB, the market for stolen credit card data continued growing throughout 2011. Then in 2012, we witnessed two law enforcement operations, courtesy of SOCA and the FBI. However, despite these efforts, the market for stolen credit card data remains as vibrant as ever.
Thanks to the standardization taking place in the money mule recruitment process, as well as the nearly identical online shops for stolen credit card data, those who cannot "cash out" the balances of the cards will choose to risk-forward the selling process to the buyers of the stolen data. The rest will basically continue looking for more efficient, automatic and anonymous ways to get access to the stolen money, continuing to rely on money mules or virtual currencies.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tags:
BadB,
Credit Cards,
Cybercrime,
Hacking,
Information Security,
Money Laundering,
Money Mule,
Money Mule Recruitment,
Security,
Stolen Credit Card
Monday, April 01, 2013
Summarizing Webroot's Threat Blog Posts for March
The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. New DIY IRC-based DDoS bot spotted in the wild
02. Cybercriminals release new Java exploits centered exploit kit
03. Segmented Russian “spam leads” offered for sale
04. New DIY hacked email account content grabbing tool facilitates cyber espionage on a mass scale
05. New DIY unsigned malicious Java applet generating tool spotted in the wild
06. Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns
07. Fake BofA ‘Online Digital Certificate’ themed emails lead to malware
08. Spamvertised BBB ‘Your Accreditation Terminated’ themed emails lead to Black Hole Exploit Kit
09. New ZeuS source code based rootkit available for purchase on the underground market
10. Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware
11. Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the wild
12. Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004
13. Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit
14. Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
15. Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit
16. ‘ADP Payroll Invoice’ themed emails lead to malware
17. ‘Terminated Wire Transfer Notification/ACH File ID’ themed malicious campaigns lead to Black Hole Exploit Kit
18. New DIY RDP-based botnet generating tool leaks in the wild
19. A peek inside the EgyPack Web malware exploitation kit
Wednesday, March 06, 2013
Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise
Oops, they did it again!
The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site is also known to have affected 15 more domains.
Let's dissect the campaign, expose the complete domain portfolio used in it, reproduce the malicious payload, and establish a direct connection between this campaign and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.
Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 144.135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php
Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains currently parked at the same IP and responding, allowing us to obtain the malicious payload used in the campaign affecting NBC's Web site. Upon further examination, the obtained malicious PDF used in the campaign also attempts to connect to the initial iFrame domain (20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang of cybercriminals.
Sample exploitation chain for a currently active malicious domain responding to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php
Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188
Sample detection rates for the reproduced malicious payload:
test.pdf - MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar - MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar - MD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen
test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB; it then attempts to obtain the malicious payload from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182)
Responding to 192.154.103.66 are also the following malicious domains:
snova-vdel-e.com
mimemimikat.info
Malicious domain names reconnaissance:
20-monkeys-b.com - Email: haneslyndsey@yahoo.com
poople-huelytics.com - Email: brianmyhalyk@yahoo.com
snova-vdel-e.com - Email: guerin_k@yahoo.com
mimemimikat.info - Email: xbroshost@live.com
More domains share the same exploitation directory structure (agencept.php?vialjack=), including hosts under pes2020.com.ar, typescript.com.ar and several dyndns.info subdomains:
The same email (xbroshost@live.com) is also known to have registered the following phishing domains in the past:
hxxp://www.realtorviewproperties.info/realtorjj/index.htm
hxxp://www.usaindependentmerchids.com
hxxp://www.usamerchandiseinc.com/
hxxp://www.blogconsciente.com/~secadmin/eLogin.php
Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices, the fact that the C&C/malicious payload acquisition strategy is largely centralized (thankfully) indicates a critical flaw in their mode of thinking.
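The shared landing-page pattern, the /exp/ payload paths, the campaign domains and the two hosting IPs named above are enough to sweep a proxy log for victims. The following is an added example, not code from the post; the four-field log format and the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators taken from the post above: the landing-page pattern shared across the
# campaign's domains, the two exploit-serving IPs, and the domains seen on them.
LANDING_RE = re.compile(r"/agencept\.php\?vialjack=\d+$")
EXPLOIT_PATH_RE = re.compile(r"/exp/(?:addajapa/\w+\.jar|\w+\.php)$")
KNOWN_IPS = {"192.154.103.66", "144.135.8.182"}
KNOWN_DOMAINS = {"20-monkeys-b.com", "poople-huelytics.com",
                 "snova-vdel-e.com", "mimemimikat.info"}


def classify_url(url):
    """Return the list of campaign traits a URL exhibits ([] when it looks benign)."""
    parts = urlsplit(url.replace("hxxp://", "http://"))
    # The campaign's URLs appear both raw and with '=' percent-encoded (%3D),
    # so decode before matching; otherwise the encoded variants slip through.
    path_q = unquote(parts.path)
    if parts.query:
        path_q += "?" + unquote(parts.query)
    reasons = []
    if LANDING_RE.search(path_q):
        reasons.append("landing page agencept.php?vialjack=<id>")
    if EXPLOIT_PATH_RE.search(unquote(parts.path)):
        reasons.append("exploit/payload path under /exp/")
    if (parts.hostname or "") in KNOWN_DOMAINS:
        reasons.append("known campaign domain")
    return reasons


def scan_proxy_log(lines):
    """Each line (constructed format): '<epoch> <client_ip> <dest_ip> <url>'.

    Returns one dict per suspicious line with the traits that fired.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, client, dest_ip, url = fields
        reasons = classify_url(url)
        if dest_ip in KNOWN_IPS:
            reasons.append("destination IP hosted the campaign's domains")
        if reasons:
            hits.append({"line": number, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample proxy log: three lines modelled on the chains in the post,
# one benign request and one truncated line.
SAMPLE_LOG = [
    "1362589355 10.0.0.12 192.154.103.66 http://poople-huelytics.com/exp/agencept.php?vialjack=694842",
    "1362589356 10.0.0.12 192.154.103.66 http://poople-huelytics.com/exp/addajapa/jurylamp.jar",
    "1362589400 10.0.0.7 203.0.113.5 http://upd.typescript.com.ar/up/agencept.php?vialjack%3D219215",
    "1362589401 10.0.0.9 198.51.100.20 http://example.com/index.php?page=1",
    "1362589402 10.0.0.9",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The third sample line only fires on the decoded landing-page pattern, which is why the percent-encoded variants in the post matter for a signature.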
Tags:
Client-Side Exploits,
Client-Side Vulnerabilities,
Cybercrime,
Exploits,
Hacking,
Information Security,
NBC,
Security,
Vulnerabilities
Monday, March 04, 2013
Summarizing Webroot's Threat Blog Posts for February
The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
02. Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
03. ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
04. New DIY HTTP-based botnet tool spotted in the wild
05. Mobile spammers release DIY phone number harvesting tool
06. New underground service offers access to thousands of malware-infected hosts
07. Targeted ‘phone ring flooding’ attacks as a service going mainstream
08. Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
09. Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit
10. Malware propagates through localized Facebook Wall posts
11. Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware
12. New underground E-shop offers access to hundreds of hacked PayPal accounts
13. Fake ‘Verizon Wireless Statement’ themed emails lead to Black Hole Exploit Kit
14. DIY malware cryptor as a Web service spotted in the wild
15. Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware
16. How mobile spammers verify the validity of harvested phone numbers
17. How much does it cost to buy 10,000 U.S.-based malware-infected hosts?