Tuesday, October 27, 2009

Ongoing FDIC Spam Campaign Serves Zeus Crimeware

UPDATED - Wednesday, October 28, 2009: A "New Facebook Login System" spam campaign is in circulation, launched by the same botnet. Sampled updatetool.exe once again interacts with the Zeus command and control at 193.104.27.42.

Message sample 01: "In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below."

Message sample 02: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"


Participating fast-fluxed domains include:


New DNS servers of notice:
ns1.a-recruitmnt .com
ns1.applesilver .com
ns1.cheryks .com
ns1.barbaos .net
ns1.laktocountry .net


An ongoing spam campaign impersonating the Federal Deposit Insurance Corporation (FDIC) is attempting to drop Zeus samples by enticing users into installing pdf.exe and word.exe.

"Subject: FDIC has officially named your bank a failed bank

Body: You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage."

Sampled malware obtains Zeus crimeware from a known command and control location (193.104.27.42), already blacklisted by the Zeus Tracker. The campaign is related to the periodic "Microsoft Outlook Update" campaigns, since both have been sharing fast-flux infrastructure on the same infected hosts and using identical domains.

Fast-fluxed domains participating in the FDIC spam campaign:


DNS servers of notice:
ns1.doctor-tomb .com
ns1.sortyn .com
ns1.asthomes .com
ns1.sunriseliny .com
ns1.racing-space .net
ns1.cerezit .net


The phoneback location 193.104.27.42 at AS12604 maintained by Kamushnoy Vladimir Vasulyovich (info@ctgm.info; vla.kam@ctgm.info with ctgm.info responding to 91.213.72.1) is the second Zeus command and control IP within the netblock, followed by 193.104.27.90.

Related posts:
Fake Microsoft patches themed malware campaigns spreading
Fake Microsoft patch malware campaign makes a comeback
The Multitasking Fast-Flux Botnet that Wants to Bank With You
Money Mule Recruiters use ASProx's Fast Fluxing Services
Managed Fast Flux Provider - Part Two
Managed Fast Flux Provider
Storm Worm's Fast Flux Networks
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

This post has been reproduced from Dancho Danchev's blog.

Wednesday, October 21, 2009

Koobface Botnet Redirects Facebook's IP Space to my Blog



Love me, love me, say that you love me. You know you're cherished when the Koobface botnet redirects Facebook Inc's entire IP space to your blog using HTTP 302 Moved Temporarily responses, in an attempt to have Facebook's anti-malware crawlers hit my blog every time they visit a Koobface URL posted on the social networking site.


The result? Earlier this morning, I noticed over 7,000 unique visits coming from Facebook Inc's IP space, using active, automatically registered blogspot accounts that are part of the Koobface botnet as HTTP referrers (New Koobface campaign spoofs Adobe's Flash updater), a botnet which is now officially relying on already infected hosts for the CAPTCHA recognition process. At first, I thought the Koobface gang had embedded an iFrame in order to achieve the effect, but the requests were coming from Facebook's IP space only.

A representative from Facebook's Security Incident Response Team just confirmed the development, and commented that they've added an exception, which is now visible since IPs from Facebook's IP space are no longer visiting my blog:

"Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog."

The complete list of the automatically registered blogspot accounts, whose existence has already been reported to Google's security team, is as follows:



The Koobface gang's use of basic blackhat SEO principles such as content cloaking is identical to their previous attempts to cover up their malicious activities, relying on pre-defined sets of HTTP referrers from public search engines, or on particular redirectors, in order for their infections to take place.
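The traffic pattern described in this post (a flood of crawler visits whose referrers are machine-registered blogspot accounts) can be spotted in ordinary web-server logs. The following is an added example and not code from the original post: it assumes the Apache "combined" log format, a placeholder crawler prefix (203.0.113.0/24, since the page does not list the real address ranges) and constructed sample log lines.

```python
"""Flag link-preview crawler traffic funnelled to a site via redirector referrers.

Added example, not the blog's own tooling. Assumptions: Apache/nginx "combined"
log format; the crawler's address space is represented by the documentation
prefix 203.0.113.0/24 as a placeholder; the sample log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholder for the crawler's address space (assumption, not from the page).
CRAWLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; the blogspot hosts are two of those listed in the post,
# the user agent string is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Oct/2009:06:01:12 +0000] "GET / HTTP/1.1" 200 5120 "http://bjfzibzxpjwfsri.blogspot.com/" "LinkPreviewBot/1.0 (constructed)"
203.0.113.11 - - [21/Oct/2009:06:01:15 +0000] "GET / HTTP/1.1" 200 5120 "http://bjfzibzxpjwfsri.blogspot.com/" "LinkPreviewBot/1.0 (constructed)"
203.0.113.12 - - [21/Oct/2009:06:01:19 +0000] "GET / HTTP/1.1" 200 5120 "http://bjfzibzxpjwfsri.blogspot.com/" "LinkPreviewBot/1.0 (constructed)"
203.0.113.13 - - [21/Oct/2009:06:02:01 +0000] "GET / HTTP/1.1" 200 5120 "http://40-nrg.blogspot.com/" "LinkPreviewBot/1.0 (constructed)"
198.51.100.7 - - [21/Oct/2009:06:02:30 +0000] "GET / HTTP/1.1" 200 5120 "http://bjfzibzxpjwfsri.blogspot.com/" "Mozilla/5.0"
192.0.2.5 - - [21/Oct/2009:06:03:00 +0000] "GET /feed HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def from_crawler(ip):
    """True if the source address lies inside the (placeholder) crawler ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CRAWLER_NETS)


def referer_host(referer):
    """Hostname of the Referer header, or None when it is empty or "-"."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def looks_autogenerated(host):
    """Heuristic for machine-registered blog subdomains such as those in the post:
    a long first label that is poor in vowels. Short or word-like labels pass."""
    label = host.split(".")[0]
    if len(label) < 12:
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.35


def analyse(lines, min_unique=3):
    """Map each blogspot referrer host to the number of distinct crawler IPs that
    arrived through it, keeping only hosts seen from at least min_unique addresses."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not from_crawler(rec["ip"]):
            continue
        host = referer_host(rec["referer"])
        if host and host.endswith(".blogspot.com"):
            hits[host].add(rec["ip"])
    return {h: len(ips) for h, ips in hits.items() if len(ips) >= min_unique}


if __name__ == "__main__":
    for host, count in analyse(SAMPLE_LOG.splitlines()).items():
        tag = "autogenerated-looking" if looks_autogenerated(host) else "ordinary"
        print(f"{host}: {count} crawler IPs, label {tag}")
```

Only distinct source addresses are counted, so a single crawler node retrying the same redirect does not inflate the figure.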

Stay tuned for more developments on the Ali Baba and the 40 thieves LLC front, a.k.a. my Ukrainian "fan club". The circle is almost complete; a lot of recent events will be summarized shortly.

Related posts:
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog.

Tuesday, October 20, 2009

Scareware Serving Conficker.B Infection Alerts Spam Campaign

A fake "conficker.b infection alert" spam campaign first observed in April 2009 (which back then used the scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com) is once again circulating in an attempt to trick users into installing an "antispyware application", in this case the Antivirus Pro 2010 scareware.

This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware.

The following is an extensive list of the domains involved in the campaigns:

Despite the comprehensive portfolio of domains used, relying on spam to increase revenue from scareware sales is prone to fail, in this specific case due to the lack of an event-based social engineering theme, something that was present in the first campaign.

Related posts:
Conficker's Scareware/Fake Security Software Business Model
Koobface Botnet's Scareware Business Model

This post has been reproduced from Dancho Danchev's blog.

Wednesday, October 14, 2009

Koobface Botnet Dissected in a TrendMicro Report

I'd like to thank the folks at TrendMicro for mentioning the message inserted by the Koobface gang (more love on a first-name basis from them) within their command and control infrastructure for nine days, greeting me for systematically kicking them out of their ISPs, and suspending their command and control domains, in a new report entitled The Heart of Koobface - C&C and Social Network Propagation:

"This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown attempts initiated by Internet service providers (ISPs) and members of the security industry, the KOOBFACE gang realized the need for a more robust C&C infrastructure. 

Thus, on July 19, 2009, the KOOBFACE writers implemented a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of their C&C should another takedown be attempted. A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message (see below) for one of the security researchers tracking the malware’s domain activities.

This message run lasted nine days from July 22 to July 30, 2009. Based on this incident, we can safely assume that the KOOBFACE gang has been monitoring blogs, articles, write-ups, and analyses about their handiwork and was probably also keeping tabs on the various solutions deployed to counter the botnet’s attacks. Second, these people were thus quick to act and fix their creation’s weaknesses, as evidenced by its change in infrastructure. Finally, the botnet’s creators were bold enough to send taunting messages to security researchers."

Having the Koobface gang kicked out of their ISPs in 48 hours through close cooperation with China's CERT; BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web Solutions Llc; Telos-Solutions-AS/Telos Solutions LTD, resulted in a single command and control domain which was active and using the services of UKSERVERS-MNT (AS42831), 78.110.175.15 in particular. Simply put, the Koobface botnet and the hundreds of thousands of infected hosts were not just sitting ducks, but ducks who've fallen asleep in the middle of the hunting season.

It's important to point out that the company (UKSERVERS-MNT) purposely lied that the customer had been taken offline, allowed the Koobface gang to access the server since the gang claimed "it's a compromised customer and needs to clean up the mess", and then purposely stopped responding to the smoothly running data sharing process, thereby allowing the Koobface gang to put their contingency plan in place.

The bottom line - based on already published and to-be published assessments of this group's activities, the Koobface botnet appears to be only the tip of the iceberg for the Ali baba and the 40 thieves cybercrime enterprise -- a self-describing message included by the Koobface gang. Their activities also prove a point - a single cybercrime enterprise can efficiently and automatically dominate the entire Web 2.0 threatscape, if they want to.

Related posts:
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog.

Tuesday, October 06, 2009

Standardizing the Money Mule Recruitment Process


Ah, deja vu! How is it possible that the Scope Group money mule recruitment group, acting as the employer for the interviewed mule, was "set up in 1990 in New York, the USA by three enthusiasts who have financial education", just like AF-GROUP LLC and its portfolio of brands, whose 30k botnet operations I exposed and took down in May 2009, next to establishing a direct connection between the botnet and a Ukrainian dating scam agency known as "Confidential Connections"?

Pretty simple: just like the efficiency-centered mentality applied in the template-ization of malware, the ongoing standardization of the money mule recruitment business model is resulting in bogus brand portfolios using identical web site layouts and the same copywriting materials, offered by a single vendor working exclusively with money mule recruitment organizations. A couple of years ago, the money mule recruitment process was largely inefficient due to the operational security applied: not everyone could become a money mule unless certain criteria were met. A newly launched managed money mule recruitment design agency that I've been monitoring for a while is poised to help cybercriminals achieve faster recruitment rates based on the cybercriminal-tailored services it's offering.

Whereas it has been operating beneath the radar for several years, exclusively serving known and trusted cybercriminals, its recent mainstream business model is a great example of a timely underground market proposition: the current economic climate suits the money mule recruitment business model well, given its high commissions for processing fraudulently obtained money.

Do you infiltrate the entire assembly line, or do you assess the final product? Appreciate my rhetoric as usual, it's full disclosure time, hence infiltrating the assembly line.

In this post, we'll take a look at five templates offered by the managed money mule recruitment vendor, assess several of their customers currently using them to launch targeted spam campaigns localized to German and aiming to recruit new money mules, and expose their entire domain portfolio and the associated emails used for correspondence with prospective money mules.

Moreover, we'll actually attempt to become a money mule by interacting with their market proposition, obtain the financial agent agreements, and expose little known facts about how sophisticated and social-engineering oriented the entire money mule recruitment process really is.

For starters, here's how the service describes itself, and what type of packages it offers to prospective money mule recruiters. The less sophisticated package is offered for $900 and the corporate version goes for $1700.

The first one offers the following:
- fake company site in English
- template-based correspondence letters for the entire process
- the entire document required for the process, custom forms, contracts, invoice applications etc.
- a teach-yourself manual including advice and recommendations - available in English and Russian
- sample spam letters in TXT and HTML, in English only

The corporate version offers the following:
- fake company site in several languages, for instance, Dutch, German, Bulgarian, Italian etc.
- fake signatures representing the CEO, accounts manager etc.
- multiple spam letters in different languages
- managed domain hosting
- answering machine number as well as a paid Skype subscription as a bonus

The following are some of the templates, blurred by the vendor in order to protect the bogus brand portfolio, currently offered by the service. Three of the templates are already in circulation, meaning active spamming in Italian and German "offering the Moon" and asking for your identity and financial reputation:


Upon purchasing any of the packages offered, a custom and non-existent brand logo and related company information will be used on the top of the templates currently offered.

Let's expose some of the bogus brands using these templates, whose spam campaigns have been actively recruiting new money mules over the past couple of months. For instance, the last template (see the attached copy of the original) is currently being used by a company known as PanIn Real Estate - panestate .com - 194.0.200.15 - Email: disperswave@gmail.com. The site is currently localized to English; Italian (panestate .com/index_it.html); and Spanish (panestate .com/index_sp.html).

It gets even more interesting when we start analyzing their spam campaign, currently localized to German. For instance, it appears that this customer of the managed money mule recruitment service is using the basic package, since 99% of their spam emails use Gmail accounts; in fact, one of the spam campaigns relies on the very same email address with which the domain panestate .com was registered, disperswave@gmail.com.

A sample of the spammed recruitment email:
"Dear applicants! Are you already tired of such little letters offering you a job? I know that. That is why I would first like to ask your forgiveness. But I do have an open vacancy and would like to offer it to you.

If you have not found a job yet, please write to me at my e-mail address:  As confirmation I also need a CV and your telephone number, so that I can get in touch with you. Thank you very much for your time and your interest! You will receive all further information by e-mail. Kind regards"

Related Gmail accounts used in the PanIn Real Estate money mule recruitment campaign:
pancorporate @ gmail.com
paninwork @ gmail.com
paninde @ googlemail.com
panamajeld @ gmail.com
paninajob @ gmail.com
pananmakarriere @ gmail.com

The same spam template localized in German is also known to have been used with the following Gmail accounts, again operated by money-mule recruitment organizations:
trzzbuded @ gmail.com
robertojens @ gmail.com
gradtul @ gmail.com
hrmiket @ gmail.com
mike.torhr @ gmail.com
evkoreyds @ gmail.com
support @ oplusdevelopment.com -- the only exception

The second template in the wild is the Green Star Services website; the site currently returns a 404 error, with the customer apparently still in a testing phase.

This cannot be said for yet another customer of the same service, which is standardizing the money mule recruitment process by template-izing it. The fifth template is actually a bogus company called Brand Image Advertising Agency (internationalbrandimage .com - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com), describing itself as:

"Advertising agency “Brand Image” helps its clients to perform their products and services the right way. We never offer you anything additional that we didn’t discuss at the beginning. The motto of our work is honesty and we believe that this is a very important thing in advertising.

We were created to help you in selling products and services. “Brand Image” typically attempts to assist you in building your brand by persuading potential customers to purchase or to consume more of your brand of product or service. It is vivid from the name of our agency that we are doing a lot for your brand. Actually we are constantly working at brand management. It is known that the value of the brand is determined by the amount of profit it generates for the manufacturer. Advertising agency “Brand Image” clearly understands the main principles of brand name and will be glad to help you in choosing the right name for your company.

Advertising agency “Brand Image” proudly presents a great variety of services it provides. The main advantage of our work is that our management staff is always on-line and works 24/7 for your convenience. Moreover, our offices are located all over the Europe and in the USA that makes our work fast and comprehensive. First of all let us introduce you what exactly we offer our clients. However if you happen to have any questions in understanding what this or that service means, you can always find our contacts and use them in communicating with us concerning our advertising offers.
"

Sample spam message localized in Italian used to recruit for Brand Image Advertising Agency:
"Salary: 4,000 Euro; 10% of each payment operation - personal account 10%; 15% of each payment operation - corporate account 15%; Location: Italy. Accepting payments from customers in your area? Accepting payments from customers in your area? Helping to achieve the Company's financial objectives. Working conditions: the work is via internet - office, and also with banks and fast transfer systems. Interested candidates of either sex may send a CV with consent to the processing of personal data (art. 13, Legislative Decree 196/03) and contact details to the e-mail. If you are interested in this job, send your CV to our: judicialHathawayv?@gmail.com Cordially, Sincerely, David De Simone David De Simone"

A second template is known to have been used, this time offering a different commission:
"Financial representative. Job information. Post Date: 12/04/2009. Salary: 3,000 EUR/month + 5% of each bank transfer operation. Location: Italy. General Description: Accepting payments from customers in your area and helping to achieve the Company's financial objectives. Working conditions: the work is via internet - office, and also with banks and fast transfer systems. Contact Details / Apply for this Job: If you are interested in this job, send your CV to our individualpeoplecapitalgroup7@googlemail.com individualpeople .biz/go.php?sid=7 Awaiting your reply, regards, HR manager Robert J. Wilson"

What we have here is the same spam template, as offered by the managed money mule recruitment design vendor, advertising another bogus brand whose domain is registered with the same details as Brand Image Advertising Agency (internationalbrandimage .com - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com). In the case of the Italian-localized spam message, that brand is Individual People Capital Group (individualpeople .org - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com).

Individual People Capital Group describes itself as:
"The Individual People Capital Group Companies is one of the world's most experienced and successful investment management organizations. Our companies manage investments for millions of individuals and thousands of corporations and institutions.

The Individual People Capital Group's largest components are:
• Individual People Funds, which ranks among the three largest mutual fund families in the U.S. - managed by Individual People Capital Research and Management Company, with assets under management of more than $750 billion
• Individual People Capital Guardian Trust Company and the Individual People Capital International companies — providers of global investment management services for institutional clients, consultants and individuals, with assets under management of approximately $300 billion

For 75 years, we have followed a consistent philosophy and approach to generate consistent long-term investment results for our investors around the world. At the heart of our success is a commitment to a number of core beliefs: the importance of long-term investing, the value of in-depth global research, adherence to a disciplined investment management philosophy, and a code of ethics that emphasizes honesty and integrity.
"

Known Gmail accounts participating in the money mule recruitment and exploit serving process courtesy of Individual People Capital Group:
groupindividualpeople @ gmail.com
newindividualpeople24 @ gmail.com
newworkgroupindividualpeople @ gmail.com
individualpeoplecapitalgroup9 @ googlemail.com
individualpeoplecapitalgroup8 @ googlemail.com
individualpeoplecapitalgroup7 @ googlemail.com
individualpeoplecapitalgroup6 @ googlemail.com
individualpeoplecapitalgr @ googlemail.com

As well as the following emails, once again maintained by the same customer:
individualpeoplecapitalgroup12 @ gmail.com
individualpeoplecapitalgroup13 @ gmail.com
individualpeoplecapitalgroup14 @ gmail.com
individualpeoplecapitalgroup19 @ gmail.com
individualpeople.one @ gmail.com
people.individ @ gmail.com
individ.people @ gmail.com
individualpeople.too @ gmail.com
new.individualpeople @ gmail.com
individual.job.it @ gmail.com
info.individualpeople @ gmail.com
j.wilson.sup @ gmail.com
robert.jwn @ gogglemail.com
robert.wilson.r1 @ gmail.com
robert.wil.r @ gmail.com
rob.wilson.r @ googlemail.com
wilson.wrt @ gmail.com
workgroupindividualpeople @ gmail.com

There are also cases where money mule recruiters are interested in plain and simple botnet building. Case in point: a spammed money mule recruitment message advertising individualpeople .biz/go.php?sid=7 was actually serving a malicious PDF in addition to linking to the recruitment site itself (individualpeople .org).

In order to further demonstrate the ongoing standardization of the money mule recruitment process through template-ization, it's time to expose the bogus brand portfolio and associated domains of a money mule recruitment organization that has been relying on an identical template for the past couple of years. In fact, in May 2009, a botnet used by the Ukrainian dating scam agency Confidential Connections was not only found to be directly related to the money mule recruitment gang; the cybercriminals also used one of the recruitment domains as a command and control server for their botnet spamming operations, with that domain and one of the sampled dating scam domains registered under the same email.

Brand names for Money Mule Organizations using a standardized template offered by a single vendor, all known to have been "set up in 1990 in New York, the USA by three enthusiasts who have financial education" : Affina Group Inc; Alliance Group Inc; Annuity Group Inc; Archway Group Inc; Armor Group Inc; Assurity Group Co; Assurity Group Inc; BFS Group Inc; CDI Group Inc; Cosco Group Inc; Dove Group Inc; Eagle Group Inc; Entrust Group Inc; Extreme Group Inc; Flat Group Inc; Holding Group Inc; Integrity Group Inc; Invalda Group Inc; Key Group Inc; Liberty Group Inc; Lime Group Inc; Massive Group Inc; Melson Group Inc; MENA Group Inc; O Pm Group Main; OPM Group Inc; Premier Group Inc; Prime Group Inc; Prospera Group Inc; Puritan Group Inc; Reach Group Inc; Redeye Group Inc; Regency Group Inc; Rengo Group Inc; River Group Inc; Saturn Group; Scope Group Inc; Stock Group Inc; Strol Group Inc; Summit Group Inc; Total Group Inc; Trans Group Inc; United Group Inc; Wescom Group Inc

Parked on 222.35.137.237 are the following domains all using the "set up in 1990 in New York, the USA by three enthusiasts who have financial education" template:
affina-groupnet .cn - Email: abuseemaildhcp@gmail.com
affina-groupnet .com - Email: jelly@infotorrent.ru
affina-groupsvc .cc - Email: justin_dickerson@ymail.com
affina-groupsvc .cn - Email: abuseemaildhcp@gmail.com
alliance-groupmain .cc - Email: stiv2009@yahoo.com
annuity-groupnet .cc - Email: justin_dickerson@ymail.com
assurity-groupco .cn - Email: realsupporters@yahoo.com
bfs-groupinc .cc - Email: defrankpo@gmail.com
cdi-groupmain .cn - Email: garry_honn@yahoo.com
cosco-groupmain .com - Email: 20090811112700@antispam.alantron.com
diamond-dream .cc - Email: morgan.greg@yahoo.com
dove-groupli .cn - Email: abuseemaildhcp@gmail.com
dummykeath .cc - Email: morgan.greg@yahoo.com
eagle-groupmain .cn - Email: AntwanHarringtonJI@gmail.com
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com
extreme-groupinc .com - Email: hell@e2mail.ru
flatgroupfly .cc - Email: steven_lucas_2000@yahoo.com
geniouspartner .cn - Email: morgan.greg@yahoo.com
holding-group .cn - Email: ronny.greg@yahoo.com
integrity-groupinc .cc - Email: justin_dickerson@ymail.com
integrity-groupsvc .cn - Email: abuseemaildhcp@gmail.com
keygroupmain .cn - Email: ErichSullivanKF@gmail.com
libertygroup .cc - Email: LindseyKimSI@gmail.com
lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com
massive-groupsvc .cc - Email: chen.poon1732646@yahoo.com
massivegroupsvc .cn - Email: abuseemaildhcp@gmail.com
melson-groupmain .com - Email: enact@co5.ru
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com
opm-group .cn - Email: AbdulStaffordEP@gmail.com
opm-groupli .com - Email: entrap@namebanana.net
premier-groupinc .cn - Email: abuseemaildhcp@gmail.com
prime-groupco .com - Email: fuzz@ml3.ru
prime-groupinc .cc - Email: chen.poon1732646@yahoo.com
puritan-groupco .cc - Email: justin_dickerson@ymail.com
puritan-groupco .cn - Email: abuseemaildhcp@gmail.com
puritan-groupinc .cn - Email: abuseemaildhcp@gmail.com
reach-group .cc - Email: rick_morris@yahoo.com
redeye-groupinc .cc - Email: chen.poon1732646@yahoo.com
regency-groupco .cn - Email: abuseemaildhcp@gmail.com
regency-groupnet .cc - Email: justin_dickerson@ymail.com
regency-groupnet .cn - Email: abuseemaildhcp@gmail.com
rengo-groupli .com - Email: jaded@co5.ru
saturn-groupco .cn - Email: abuseemaildhcp@gmail.com
scope-group .cc - Email: don.ram@yahoo.com
scope-groupmain .cc - Email: don.ram@yahoo.com
strol-groupli .cn - Email: abuseemaildhcp@gmail.com
summit-groupinc .cc - Email: Gregory.Michell2009@yahoo.com
theblackend .cn - Email: morgan.greg@yahoo.com
vector-groupfine .cn - Email: abuseemaildhcp@gmail.com
vector-groupfly .cc - Email: mr.freeddyy@yahoo.com

Parked on 222.35.137.236:
affina-groupnet .cn - Email: abuseemaildhcp@gmail.com
affina-groupsvc .cc - Email: justin_dickerson@ymail.com
annuity-groupllc .cn - Email: abuseemaildhcp@gmail.com
annuity-groupllc .com - Email: jelly@infotorrent.ru
annuity-groupnet .cc - Email: justin_dickerson@ymail.com
annuity-groupnet .cn - Email: abuseemaildhcp@gmail.com
archway-groupinc .cn - Email: abuseemaildhcp@gmail.com
cosco-groupmain .com - Email: chug@freemailbox.ru
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com
integrity-groupinc .cc - Email: justin_dickerson@ymail.com
integrity-groupinc .cn - Email: abuseemaildhcp@gmail.com
integrity-groupsvc .com - Email: jelly@infotorrent.ru
invalda-groupmain .cn - Email: rocco_invalda@yahoo.com
lime-groupnet .cn - Email: abuseemaildhcp@gmail.com
massive-groupsvc .cc - Email: chen.poon1732646@yahoo.com
prime-groupco .cn - Email: abuseemaildhcp@gmail.com
prime-groupco .com - Email: fuzz@ml3.ru
prime-groupinc .cn - Email: abuseemaildhcp@gmail.com
puritan-groupinc .com - Email: gone@corporatemail.ru
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com
redeye-groupinc .cc - Email: chen.poon1732646@yahoo.com
regency-groupnet .cc - Email: justin_dickerson@ymail.com
regency-groupnet .cn - Email: abuseemaildhcp@gmail.com
saturn-groupsvc .cn - Email: abuseemaildhcp@gmail.com
saturn-groupsvc .com - Email: jelly@infotorrent.ru
vision-groupinc .cn - Email: abuseemaildhcp@gmail.com
vision-groupsvc .com - Email: abuseemaildhcp@gmail.com

Parked on 222.35.137.235, registered with emails already covered:
affina-groupsvc .cn
annuity-groupnet .cn
archway-groupinc .cn
archway-groupinc .com
cosco-groupmain .cn
extreme-groupinc .cn
extreme-groupinc .com
integrity-groupinc .cc
invalda-groupmain .cn
prime-groupco .com
prime-groupinc .cc
puritan-groupco .cn
puritan-groupinc .cn
redeye-groupco .cn
redeye-groupco .com
redeye-groupinc .cc
regency-groupco .com
regency-groupnet .cn
saturn-groupco .cn
scope-group .cn
scope-groupmain .cn
vision-groupinc .cn

Parked on 222.35.137.234, registered with emails already covered:
affina-groupnet .cn
annuity-groupllc .cn
archway-groupinc .cn
cosco-groupmain .com
integrity-groupinc .cn
integrity-groupsvc .cn
massive-groupsvc .cc
premier-groupinc .cn
premier-groupnet .cn
prime-groupco .cn
prime-groupinc .cn
puritan-groupinc .com
redeye-groupco .cn
redeye-groupinc .cn
regency-groupco .cn
regency-groupco .com
regency-groupnet .cn
saturn-groupsvc .cn
saturn-groupsvc .com
vision-groupinc .cn


Name servers of note:
ns2.dummykeath .cc
ns2.theblackend .cn
ns1.full-controll .cc
ns3.geniouspartner .cn
ns3.theblackend .cn
ns1.party-reunite .cc
ns2.bubble-preorder .info
ns1.windcontrol .cc
ns3.diamond-dream .cc
ns.partnergreatest8 .net
one.goldwonderful9 .info - the command and control server used by the botnet managed by the money mule organization was using this same name server in May 2009
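The domain lists above are what makes this portfolio enumerable: a handful of registrant emails, a single parking range, and a few name servers are reused across dozens of bogus brands. As an added example (not code from the original post), the following Python pivots that kind of observation into infrastructure clusters. RECORDS is a constructed subset of the (domain, parked IP, registrant email) triples listed in this post, kept in the post's defanged spelling; domains are linked when they share a registrant email or a hosting IP. Shared hosting IPs are a weaker pivot than registrant emails, since unrelated domains can sit on the same shared box, so IP linking can be switched off to see what the WHOIS emails alone support.

```python
"""Pivot WHOIS/hosting observations into infrastructure clusters.

Added example, not code from the original post. RECORDS is a constructed
subset of the (domain, parked IP, registrant email) triples listed in the
post, kept in the post's defanged form ("example .com").
"""
from collections import defaultdict

RECORDS = [
    ("affina-groupnet .cn",          "222.35.137.237", "abuseemaildhcp@gmail.com"),
    ("affina-groupnet .cn",          "222.35.137.234", "abuseemaildhcp@gmail.com"),
    ("affina-groupsvc .cc",          "222.35.137.237", "justin_dickerson@ymail.com"),
    ("annuity-groupnet .cc",         "222.35.137.237", "justin_dickerson@ymail.com"),
    ("massive-groupsvc .cc",         "222.35.137.237", "chen.poon1732646@yahoo.com"),
    ("prime-groupinc .cc",           "222.35.137.237", "chen.poon1732646@yahoo.com"),
    ("diamond-dream .cc",            "222.35.137.237", "morgan.greg@yahoo.com"),
    ("theblackend .cn",              "222.35.137.237", "morgan.greg@yahoo.com"),
    ("annuity-groupllc .cn",         "222.35.137.236", "abuseemaildhcp@gmail.com"),
    ("invalda-groupmain .cn",        "222.35.137.236", "rocco_invalda@yahoo.com"),
    ("internationalbrandimage .com", "91.213.72.142",  "userovsky@gmail.com"),
    ("individualpeople .org",        "91.213.72.142",  "userovsky@gmail.com"),
    ("panestate .com",               "194.0.200.15",   "disperswave@gmail.com"),
]


def pivot(records):
    """Index every indicator to the set of domains seen with it.

    Keys are ("email", value) or ("ip", value), so the caller can tell a
    strong pivot (a registrant email) from a weaker one (a hosting IP).
    """
    index = defaultdict(set)
    for domain, ip, email in records:
        index[("ip", ip)].add(domain)
        index[("email", email)].add(domain)
    return index


def cluster(records, use_ip=True):
    """Union-find over domains: two domains land in the same cluster when
    they share a registrant email or, if use_ip is set, a hosting IP.
    Returns clusters largest first, each as a sorted list of domains."""
    parent = {domain: domain for domain, _, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for (kind, _value), domains in pivot(records).items():
        if kind == "ip" and not use_ip:
            continue
        first, *rest = sorted(domains)
        for other in rest:
            union(first, other)

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


def shared_indicators(records, a, b):
    """Explain a link: the (kind, value) indicators domains a and b share."""
    return sorted(key for key, doms in pivot(records).items()
                  if a in doms and b in doms)


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), group)
    print(shared_indicators(RECORDS, "internationalbrandimage .com",
                            "individualpeople .org"))
```

With IP linking on, the 222.35.137.x parking range and the reused abuseemaildhcp@gmail.com registrant pull nine of the sample domains into one cluster, Brand Image and Individual People Capital Group form a second (same host, same registrant), and panestate .com stands alone; with IP linking off, only the email-sharing pairs survive, which is the conservative view to start from when the hosting provider is not known to be dedicated.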

Once the end user falls victim to the recruitment scam, the entire process of registration and communication with the bogus organization takes place through a web-based interface where the potential money mule has to provide not only detailed personal data, but also as much information as possible that would help the cybercriminals achieve their objectives. For instance, the template for the money mule registration process includes a self-answered question which even the average user might get suspicious about: "Why are you gathering so much information about applicants? Such attention especially to bank account details puts me on guard."

The money mule recruitment organization sticks to its professional tone, as usual, and explains that:
"In fact that modern financial system is a complex instrument, which controls financial streams. The problem is that any transfer may be delayed (from 1 to 5 days) but it is unacceptable for our business. Transaction should be completed by a financial manager the same day money is deposited into the bank account. Otherwise, we risk to lose money, clients, reputation. Analyzing all the details below we'll be able to prepare tasks for every agent individually. Please fill in all the fields carefully to avoid delays while working with your bank. The success of our cooperation depends on the accuracy of entered details! Please be serious."

It gets even more interesting when the recruitment organization starts exposing itself as a cybercrime-facilitating enterprise, asking questions that only such an organization needs to know the answers to, both for operational security (OPSEC) and because of its clear understanding of the time value of money (Microsoft study debunks profitability of the underground economy), or rather of stolen money in particular. Each of these maps to a constraint on cashing out quickly: new or prepaid accounts draw extra scrutiny and carry lower limits, and the daily branch withdrawal cap bounds how fast a deposit can be turned into a Western Union transfer. The built-in registration checks speak for themselves:

- We don't work with recently opened accounts. For safety reasons your bank account must be 90+ days
- Average number of operations per week required
- Unfortunately we don't work with prepaid bank accounts
- Maximum amount you can withdraw in branch daily

The recruitment organization is clearly aware of basic quality assurance concepts, judging by the surprising tactic it uses to monitor the transaction process for each and every money mule working with it. How do they achieve this? By offering a $100 bonus to each money mule who provides the bogus company with access to their online banking account, so that the organization can monitor the transaction process remotely. It doesn't take a rocket scientist to conclude that even with a two-factor authentication requirement there are ways in which the organization can hijack the entire financial identity of the money mule without his/her knowledge.

Again, they answer a common question that even the most gullible end user would have: "I'm feeling uncomfortable giving you my online banking details. Why do you need it? I'm worrying about unauthorized access to my bank account." A question they answer by citing an increased bonus rating within their system, and by promising that your supervisor will be checking your account, thereby improving your trust relationship with the organization:

"We require online banking access to monitor deposits coming from our clients. It saves you much time and increases your rating in our system:
- There is no need to check your bank account every hour during transactions, your personal supervisor will do it instead of you! You'll be informed the same minute funds arrive.
- No need to send us your bank account statement every week (maybe 2-3 times a week).
- We trust you much more, you'll receive money bonuses and more transactions!

It is absolutely safe and legal. We guarantee that all personal details will stay safe. Please read our Privacy Policy. NOTE: IT'S IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE ACCESS. If you have no online access to your bank account, you should contact your bank and activate this service. It will take less than 10 minutes.
"

The very idea that a money mule has reached such a tipping point of gullibility as to provide the organization with access to their bank account is surreal, but clearly possible, since anyone who has reached this point of the registration process has absolutely no idea what they're doing.

The following are sample screenshots from the web interface used by the organization and the money mules themselves:

[Screenshots: the organization's web-based registration interface]

Moreover, here is a sample agreement that each and every money mule has to accept before becoming part of the money mule recruitment network. A second contract, carrying a unique (Photoshopped) signing seal for each of the bogus brands, also has to be signed, scanned and uploaded through their interface. Both of these agreements, including localized copies in several languages, can be purchased from the managed money mule recruitment vendor for $30 to $70. Here's a sample of the agreement, along with tag clouds for the company description, the agreement itself and the FAQ:

"DUTIES:
The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to effect payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.

CONFIDENTIALITY:
The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures. The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company.


The Contractor shall not retain any copies of the foregoing without the Company's prior written permission. The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder. If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, it could be grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.

TERMS OF ENGAGEMENT
The Contractor is engaged by the Company on terms of thirty days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to 2300 USD per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary up to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuses to fulfill his/her obligations under this Agreement or fulfills them not in good faith. The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.

COMPENSATION: 

The Company undertakes to pay taxes accrued in connection with money transfer. The Company shall  also reimburse part of expenses which are incurred in connection with money transfer by  Western Union or MoneyGram  systems (should money transfer charges  exceed 3%,  i.e. commission for payment processing operation). The above difference will be automatically added to the basic salary of the Contractor and paid once per month together with the basic salary. All reasonable and approved out-of-pocket expenses which are incurred in connection with the performance of the duties hereunder shall be reimbursed by the Company during the term of this Agreement, against the bill presented by the Contractor. The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor. 

Should the Contractor delays re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by the Force Majeure circumstances and to apply to the arbitration and claim for the reimburse of the amount transferred to his account or for compensation for other damage if any, evicted due to the delay. The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary."
 
Sample agreement that each and every potential money mule has to upload through the web interface; interestingly, each of the bogus brands has a custom-made seal, part of the services offered by the managed vendor:

[Scans: signed agreement pages carrying the bogus brands' custom seals]

With such a professional attitude towards their work, now a process easily outsourced to vendors specializing in quality design and bogus company creation, their recruitment process is bound to reach new levels of efficiency, which is why standardization was applied in the first place. However, just as with malware and scareware, template-ization undermines their operational security (OPSEC): the same site template, signing seal and registration wording reappear across every bogus brand, and the same registrant emails and name servers are reused across dozens of domains, which is exactly what makes the portfolio above enumerable. They are clearly aware of this trade-off but do not act on it, since money mule recruitment is currently in efficiency mode.

Knowing the transaction pattern of a money mule, one which is clearly visible in their agreements (a third-party deposit to a personal account, a cash withdrawal, and an outgoing Western Union or MoneyGram transfer within a single day, with the mule keeping an 8% commission), can in fact make it easier for financial institutions to protect their customers from themselves before it gets too late and they unknowingly dive deep into the money mule business model.
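To make that concrete, here is an added example, not from the original post and not any bank's actual rule, that scores account activity against the pattern the agreement spells out: an incoming credit to a personal account, followed within one day by cash withdrawals or Western Union / MoneyGram remittances that add up to the deposit minus the mule's cut. The transaction lines and their "account|timestamp|type|amount|memo" layout are constructed for the example; the 80-97% forwarded-fraction band is an assumption derived from the 8% commission and the up-to-3% transfer fees the agreement mentions.

```python
"""Flag the money mule transaction pattern described in the agreement.

Added example, not from the original post. LOG holds constructed
transaction lines in a hypothetical "account|timestamp|type|amount|memo"
format; the thresholds are assumptions, not any bank's real rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The agreement: receive a payment, withdraw cash, and re-send it via
# Western Union or MoneyGram "within one (1) day", keeping 8% commission.
FORWARD_WINDOW = timedelta(days=1)
OUTFLOW_TYPES = {"cash_withdrawal", "remittance"}   # remittance = WU / MoneyGram
MIN_FRACTION, MAX_FRACTION = 0.80, 0.97             # assumption: 8% cut + up to 3% fees

# Constructed sample: account A behaves like a mule, B is ordinary payroll
# activity, C withdraws cash but days after the deposit.
LOG = """\
A|2009-10-26 10:02|credit|2500.00|ACH CREDIT J SMITH
A|2009-10-26 14:31|cash_withdrawal|2300.00|BRANCH WITHDRAWAL
A|2009-10-27 09:15|credit|4100.00|ACH CREDIT M BROWN
A|2009-10-27 13:05|remittance|3700.00|WESTERN UNION
B|2009-10-01 00:00|credit|3000.00|PAYROLL ACME LTD
B|2009-10-01 12:40|card|45.20|GROCERY
B|2009-10-03 09:00|transfer|1200.00|RENT
C|2009-10-20 11:00|credit|1800.00|ACH CREDIT K LEE
C|2009-10-23 16:00|cash_withdrawal|1700.00|ATM
""".splitlines()


def parse(lines):
    """Parse the constructed log into (account, time, type, amount, memo)."""
    rows = []
    for line in lines:
        acct, ts, kind, amount, memo = line.split("|")
        rows.append((acct, datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                     kind, float(amount), memo))
    return rows


def find_mule_pattern(rows):
    """For every incoming credit, sum the cash/remittance outflows on the
    same account within the following FORWARD_WINDOW.  A credit is flagged
    when those outflows forward most, but not all, of the deposit: the gap
    is the mule's commission.  Payroll followed by rent and card spending,
    or a withdrawal days later, does not match."""
    by_acct = defaultdict(list)
    for row in rows:
        by_acct[row[0]].append(row)
    alerts = []
    for acct, txns in by_acct.items():
        txns.sort(key=lambda r: r[1])
        for _, ts, kind, amount, memo in txns:
            if kind != "credit":
                continue
            outflows = [r for r in txns
                        if r[2] in OUTFLOW_TYPES and ts <= r[1] <= ts + FORWARD_WINDOW]
            forwarded = sum(r[3] for r in outflows)
            fraction = forwarded / amount
            if MIN_FRACTION <= fraction <= MAX_FRACTION:
                hours = (max(r[1] for r in outflows) - ts).total_seconds() / 3600
                alerts.append({"account": acct, "credit": memo, "amount": amount,
                               "forwarded": forwarded, "fraction": round(fraction, 3),
                               "hours_to_forward": round(hours, 1)})
    return alerts


if __name__ == "__main__":
    for alert in find_mule_pattern(parse(LOG)):
        print(alert)
```

On the constructed data only account A is flagged, twice, with 92% and 90% of each deposit leaving the account within a few hours. A production rule would also weigh the account's age (the recruiters themselves insist on accounts older than 90 days), whether the depositor is a first-time counterparty, and whether the remittance destination is new for the customer; the point here is that the agreement hands the bank both the timing and the ratio to look for.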

Related posts:
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from Dancho Danchev's blog.