It's a fact. However, in less than a minute the money mule recruitment gang moved the domains from the now blackholed 85.12.46.241; 85.12.46.242; 85.12.46.243; 85.12.46.244; 85.12.46.245 to 85.12.46.95 and 85.12.46.96.
These, including the crimeware and the scareware IPs, are now also blackholed. Let's see what the gang will do next.
The cybercriminals you know are better than the cybercriminals you don't know. They can be typosquatting or changing their hosting providers, but they can't escape.
The money mule recruiters profiled in "Keeping Money Mule Recruiters on a Short Leash" and in "Keeping Money Mule Recruiters on a Short Leash - Part Two" are now switching hosting to AS34305, EUROACCESS Global Autonomous System -- the Koobface gang was also using their services during the Christmas season.
The gang appears to have also purchased new templates using new but, naturally, bogus descriptions of the money mule recruitment companies. It gets even more interesting when one of the domains (greatuk.org) participating in a Zeus crimeware campaign within AS34305 turns out to have been registered to [email protected] (The Kneber botnet - FAQ).
An excerpt from The Kneber botnet - FAQ on the Koobface gang connection:
- The name servers used in December, 2009's DocStoc scareware campaign were registered using the same email used to register the client-side exploit serving domains part of the Koobface gang's experiment conducted in November, 2009. Parked on the same IP hosting the domain which was serving the malware in the campaign was also a domain registered to [email protected] (search-results .cn). Even more interesting is the fact that the emails used to register the rest of the domains parked at this IP are also known to have been used in registering money mule recruitment domains (Standardizing the Money Mule Recruitment Process; Keeping Money Mule Recruiters on a Short Leash).
"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past.
There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions".
Let's expose the domain portfolio and its supporting name servers, and emphasize the scareware and crimeware activity currently taking place at AS34305, EUROACCESS Global Autonomous System.
Active money mule recruitment domains:
augment-group.com - 85.12.46.245 - Email: [email protected]
augmentgroup.net - 85.12.46.245 - Email: [email protected]
augment-groupmain.tw - 85.12.46.245 - Email: [email protected]
amplitude-groupmain.net - 85.12.46.245 - Email: [email protected]
asperitygroup.net - 85.12.46.241 - Email: [email protected]
asperity-group.com - 85.12.46.244 - Email: [email protected]
alwyn-groupllc.com - Email: [email protected]
altitude-groupli.com - 85.12.46.244 - Email: [email protected]
celeritygroupmain.tw - 85.12.46.242 - Email: [email protected]
celerity-groupmain.net - 85.12.46.243 - Email: [email protected]
celerity-groupmain.tw - 85.12.46.241 - Email: [email protected]
impact-groupinc.net - 85.12.46.242 - Email: [email protected]
impact-groupnet.com - 85.12.46.243 - Email: [email protected]
excel-groupsvc.com - 85.12.46.241 - Email: [email protected]
fecunda-group.com - 85.12.46.241 - Email: [email protected]
fecunda-groupmain.net - 85.12.46.243 - Email: [email protected]
fecunda-groupmain.tw - 85.12.46.245 - Email: [email protected]
foreaim-group.com - 85.12.46.245 - Email: [email protected]
foreaimgroup.net - 85.12.46.241 - Email: [email protected]
golden-gateinc.com - 85.12.46.242 - Email: [email protected]
golden-gateco.net - 85.12.46.242 - Email: [email protected]
luxor-groupco.tw - 85.12.46.244 - Email: [email protected]
luxor-groupinc.tw - 85.12.46.244 - Email: [email protected]
synapse-groupinc.tw - 85.12.46.241 - Email: omega@fastermail.ru
synapse-groupfine.net - 85.12.46.245 - Email: [email protected]
synapsegroupli.com - 85.12.46.243 - Email: [email protected]
spark-groupsvc.com - Email: [email protected]
tnmgroupsvc.net - 85.12.46.245 - Email: [email protected]
tnmgroupinc.com - 85.12.46.241 - Email: [email protected]
westendgroupsvc.net - 85.12.46.241 - Email: [email protected]
Name servers:
ns1.maninwhite.cc - 89.248.166.45 - Email: [email protected]
ns1.trythisok.cn - 89.248.166.45 - Email: [email protected]
ns1.translatasheep.net - 92.63.111.127 - Email: [email protected]
ns1.alwaysexit.com - 92.63.111.146 - Email: [email protected]
ns1.chinegrowth.cc - 89.248.166.59 - Email: [email protected]
ns2.cnnandpizza.cc - 205.234.195.188 - Email: [email protected]
ns1.benjenkinss.cn - 89.248.166.59 - Email: [email protected]
ns1.worldslava.cc - 64.85.174.145 - Email: [email protected]
ns2.uleaveit.com - 204.12.217.253 - Email: [email protected]
ns3.pesenlife.net - 74.118.194.86 - Email: [email protected]
ns1.basilkey.ws - 98.158.171.87
Next to the money mule recruitment domains, there are several active Zeus crimeware campaigns using the following domains/IPs. In fact, one of them is using a domain registered to Hilary Kneber (The Kneber botnet - FAQ):
greatuk.org - 193.104.22.100 - Email: [email protected]
greatan.cn - 193.104.22.100 - Email: [email protected]
193.104.22.71
193.104.22.90
What are we missing? Naturally, that's the scareware monetization element. Let's expose one of the currently active scareware domain portfolios there.
Domains responding to 193.104.22.50 - AS34305, EUROACCESS Global Autonomous System:
2009antispyware.net - Email: [email protected]
againstspyware.com - Email: [email protected]
antispycenterprof.com - Email: [email protected]
anti-spyware-2010.net - Email: [email protected]
antispyware24x7.com - Email: [email protected]
antispywareglobal.com - Email: [email protected]
antispywareonline.net - Email: [email protected]
antispywaresnet.com - Email: [email protected]
antispywarets.com - Email: [email protected]
antispywareweb.net - Email: [email protected]
antispyworldwideint.com - Email: [email protected]
antiviruscenter.net - Email: [email protected]
antivirusexpert.net - Email: [email protected]
antivirus-live.net - Email: [email protected]
antiviruslivepro.com - Email: [email protected]
antiviruslive-pro.com - Email: [email protected]
antivirus-service.net - Email: [email protected]
antivirustop.net - Email: [email protected]
bestantispysoft2010.com - Email: [email protected]
itsafetyonline.com - Email: [email protected]
ivirusidentify.com - Email: [email protected]
myprivatesoft2009.com - Email: [email protected]
netantivirus.net - Email: [email protected]
onlineantispysoft.com - Email: [email protected]
pcdoctorz2010.com - Email: [email protected]
pcprotect2010.com - Email: [email protected]
pcsafety2009pro.com - Email: [email protected]
protection2010.com - Email: [email protected]
protectorservice.com - Email: [email protected]
superantivirus.net - Email: [email protected]
systemprotector.net - Email: [email protected]
total-defender.com - Email: [email protected]
virusdetect24.com - Email: [email protected]
virusremoveonline.com - Email: [email protected]
worldantispyware1.com - Email: [email protected]
worldprotection.net - Email: [email protected]
EUROACCESS has been notified, the post will be updated once/if they take care of the "customers" violating their Terms of Service.
Related coverage of money laundering in the context of cybercrime:
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.