Tuesday, May 26, 2009

Inside a Money Laundering Group's Spamming Operations

UPDATE: The command and control domain has been taken care of courtesy of the brisk response of OC3 Networks Abuse Team.

Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated the outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self-serving groups of cybercriminals which engage in literally each and every aspect of cybercrime - money mule recruiters in this very specific case.


What do the known money laundering aliases such as Value Trans Financial Group, Inc. (valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Premium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. (eagle-group.net); DBS Group Inc. (dbs-group.cn); FB&B Group Inc. (fbb-groupli.cc); Advance Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common?

It's a 31,000 infected hosts botnet which they use exclusively for spamming.

The money laundering organization describes itself as:
"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial education. The head of the company was Karl Schick. At the very beginning of its business activity the company provided fairly narrow range of services at the investment market. Within 15 years of hard work the company has acquired international standing and managed to develop into a global financial holding with the staff of 3,000 people and headquarters in more than 100 countries of the world."

Interestingly, on the majority of occasions cybercriminals tend to undermine the level of operational security that they could have achieved at the first place, and this is one of those cases where their misconfigured botnet command and control allows other cybercriminals to hijack their botnet, and security researchers to shut it down effectively.

The people behind this money laundering organization are either lazy, or ignorant to the point where the botnet's command and control interface would be using the very same web server that they use for recruitment purposes.

Here are some screenshots of their command and control interface used exclusively for spam campaigns:







The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related and separate money laundering brand portfolios (the quality of the historical CYBERINT on behalf of Bobbear is the main reason why commissioned DDoS attacks were hitting the site last year).

Taking down the group's command and control domain is in progress.

Tuesday, May 19, 2009

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

"In gaz we trust"? I'd rather change GazTranzitStroyInfo's vision to HangUp Team's infamous - "in fraud we trust". It is somehow weird to what lengths would certain cybercriminals go to create a feeling of legitimacy of their enterprise.

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals are converging different hosting providers to increase the lifecycle of their campaigns.

The recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com serving softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of Conficker's Scareware Monetization strategy, and continues to do so for a great deal of exploits/malware serving domains, next to AS10929 NETELLIGENT Hosting Services Inc. where the infrastructure of the three hosting providers has converged.

Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits/zeus config files/scareware found within AS29371 and pushed through blackhat SEO and web site compromises:

peopleopera .cn - 91.212.41.96
forexsec .cn
vitamingood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
workfuse .cn
schoolh .cn
rainfinish .cn
housevisual .cn
worksean .cn
liteauction .cn
newtransfer .cn
oceandealer .cn
musicdomainer .cn
websiteflower .cn
designroots .cn
islandtravet .cn
litefront .cn
clubmillionswow .cn


softwaresupport-group .com - 91.212.41.91
bestfindahome .cn
dastrealworld .ru
elantrasantrope .ru
borishoffbibi .ru
sandiiegoexpo .ru
nightplayauto .ru
startdontstop .ru


nicdaheb .cn - 91.212.41.119
sehmadac .cn
vavgurac .cn
tixleloc .cn
xidsasuc .cn
cuzlumif .cn
teyrebuf .cn
hifgejig .cn
tukhemaj .cn
rogkadej .cn
wuhwasum .cn
sipcojeq .cn
tixwagoq .cn
silzefos .cn
popyodiw .cn
cakpapaz .cn


Rogue security software:
addedantivirusonline .com - 91.212.41.114
addedantivirusstore .com
addedantiviruslive.com
addedantiviruspro.com
countedantiviruspro.com
myplusantiviruspro.com
easyaddedantivirus.com
yourcountedantivirus.com
bestcountedantivirus.com
yourplusantivirus.com


For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083 which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc, which in case you remember popped-up in the Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com (209.44.126.22) we also have a portfolio of scareware domains:

thestabilityweb .com
securityonlineworld .com
websecuritypolice .com
wwwsafeexamine .com
dynamicstabilityexamine .com
networkstabilityexamine .com
safetyscansite .com
onlinesafetyscansite .com
securityscansite .com
stabilityonlineskim .com
socialsecurityscan .com
securityexamination .com
internetsecuritymetrics .com
onlinebrandsecuritys .com
securityonlinedirect .com
scanstabilityinternet .com
stabilityaudit .com
websecuritybureau .com
safewebsecurity .com
webbrowsersecurity .com
futureinternetsecurity .com
superiorinternetsecurity .com


The fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET) where more malicious activity is easily detected at:

downloadmax .org - 91.212.65.19
hd-codec .com
shotgol .com
kauitour .com
coecount .com
countbiz .com
videoaaa .net
7stepsmedia .net
ispartof .net
amoretour .net
browardcount .net


trucount3000 .com - 91.212.65.10; 91.212.65.29
trucount3001 .com
trucount3002 .com
antivirus-xppro-2009.com
onlinescanxppp .com
onlinescanxpp .com
onlinescanxp .com
free-webscaners .com


In cybercriminals I don't trust.

Related posts:
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Lazy Summer Days at UkrTeleGroup Ltd
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Massive Blackhat SEO Campaign Serving Scareware
EstDomains and Intercage VS Cybercrime
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
Malware campaign at YouTube uses social engineering tricks
Poisoned Search Queries at Google Video Serving Malware
Syndicating Google Trends Keywords for Blackhat SEO

Related Russian Business Network coverage:
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network