Monday, May 18, 2020

College Students Beware

by Robin Pugh
President, DarkTower

Fraudsters are always quick to leverage a crisis for the purposes of cybercrime, and COVID19 has created a new target demographic of 14 million college students.  As over 1,100 colleges and universities across the United States have closed their doors, forcing students to leave their college housing, many have been actively pursuing a sub-lease of their off-campus housing to try to alleviate the financial burden of a semester now forced to go virtual.

Anatomy of a Rental Fraud
Most campuses have official or unofficial online bulletin boards where students can look for roommates, apartments, sub-lessors, etc., and these places are target-rich environments for fraudsters.  Take the case of my friend whose son, like millions of others, is now living at home, finishing out his semester online.  There’s no refund for his fees, tuition, or meal plan, and to continue to pay for his off-campus housing is yet another financial burden.  So, like millions of others, he and his parents have been looking for someone to sub-lease his apartment.  When they finally got a bite, it was from someone in a Facebook Group where he had posted his apartment for rent.  The person who contacted him was “Anthony S Felix” who did so on behalf of his ‘friend’ Liang—a nice, quiet, single woman with no kids and no pets – who was very interested in his place.  We’re going to call my friend’s son “Austin.”

Figure 1: hxxps://www.facebook[.]com/groups/NCSUOffCampusHousing/

Exactly as “Anthony” promised, his friend Liang texted Austin with her interest in sub-leasing his apartment.

Figure 2:  Initial contact from Anthony introducing "Liang"

Liang built rapport and trust, sharing details of her job, the timeline of her move, and both her phone number and email address.  Since she is a traveling nurse, she wouldn’t be able to come see the apartment in person, which worked well, since the property managers weren’t allowing in-person showings anyway.  It seemed like a match made in heaven!

Figure 3: First communication from Liang

Liang’s move was being funded by her employer; so, she told Austin she was going to get them to approve her relocation costs and get back to him.  And she did – she committed to sub-leasing the apartment and promised to send her first partial-month’s rent right away.

Very soon, Liang texted Austin with the tracking number for the rent check, but there was just one little problem.  The check was actually for quite a bit more than just her first partial-month’s rent of $386.  Her employer had mistakenly issued the check for all of her relocation costs, but she trusted Austin completely; so, she just asked that he keep the rent payment, and transfer the rest to her via Zelle.  As a matter of fact, she was so flexible that she didn’t even mind if he broke it into two payments of $1,000 each.

Figure 4: Communication with Liang, continued
          
Figure 5: Liang constructs the fraud


As Liang promised, the check arrived via USPS, and Austin’s parents deposited it into their Bank of America Wealth Management account.  Because they are long-time customers of Bank of America, the funds were available quickly, giving Austin’s parents confidence because a) it was a Cashier’s check, and b) since the funds were available, the check must have cleared.  They kept their end of the bargain, retaining $386 for the partial month’s rent and sending $2,249 via Zelle to the recipient Liang had directed.

A few days later, the bank notified Austin’s parents that the check had NOT, in fact, cleared, and they were now left with no renter, no first month’s rent, and a bank account balance $2,249 less than it should have been.  Because Zelle transfers happen within minutes, there was no recourse to retrieve the funds that were now in the scammers’ hands.

Figure 6: Cashier's Check from Liang

Will the Real Anthony S. Felix Please Stand Up?
A review of Anthony’s Facebook profile shows no public posts since 2017; however, his Facebook URL reveals the name “Osunday Adekunle,” and a Facebook search reveals many profiles under the name Sunday Adekunle.  The “O” could possibly refer to the title “Oba” which, in West Africa, means “Ruler.”  Additionally, there are a few “friendversary” Facebook videos showing Adekunle and his Nigerian friends.  Regardless, his Facebook profile says that he is an employee at Oklahoma State University, living in Seattle, Washington.  That’s quite a commute!  His profile photo is a quote attributed to Bill Gates about his wish to become involved in Network Marketing.  

Figure 7: hxxps://www.facebook[.]com/osundayadekunle

His Likes include sketchy financial investment firms and Nigerian companies.

Figure 8: hxxps://www.facebook[.]com/osundayadekunle/likes

Austin is not alone
From reviewing the interactions between the scammers and Austin, I knew that this wasn’t the scammers’ first rodeo.  They had a well-crafted script that was designed to build trust with the victim until the very last minute when they realized their money had been stolen.  I reached out to the administrator of the Facebook Group “NCSU Off Campus Housing” to see if she’d be willing to speak with us.  While she declined to be interviewed, she allowed me to post in the Group, asking others who had been victimized to reach out to me with details. Within a day of posting, I received another story identical to Austin’s.  Same actors (“Anthony Felix” and “Liang Quain”) and the same story – traveling nurse, won’t be able to see the apartment first, but it’s PERFECT!  And whoops – my company accidentally sent all of my relocation funds to you, so I need you to keep $375 and send the rest to me via Zelle.

Figure 9: Liang texts to Victim 2


From Victim #2 – let’s call her Gabby – we learned a couple of additional things.  She had saved a copy of the shipping label from the envelope containing the counterfeit check.  We knew from Austin’s tracking number that the check had been mailed from Newington, Connecticut, but with Gabby’s mailing label, we learned that the shipping label was from a legitimate company located in Hartford.  Fraudsters commonly use stolen shipping labels – it further covers their tracks and keeps their costs down!

Figure 10: Stolen Mailing Label addressed to Victim 2

Further, Gabby had a hard time sending the total amount via Zelle; so, she ended up sending part of the payment through Zelle and then was provided a CashApp ID to send the remainder.  She was given the name Christopher Brown and the associated ID to process the payment.

Because DarkTower has a good working relationship with the team at Early Warning, the owners of Zelle, we immediately reached out with the Zelle ID that the fraudsters were using to move money, and the team was able to notify the associated bank (Citizens Bank) and shut down the account.


Recommendations
Let’s talk briefly about the Facebook Group where these apartment sub-leases were shared.  The Administrator had actually done a very good job of trying to raise awareness in the Group about the fact that fraudsters and scammers would potentially target individuals posting there.  She has an ongoing list of names that she shares with the Group and updates regularly.  She also posted tips about identifying scams, not sending money to someone you don’t know, etc.  The Group requires approval to become a member, and you had to be a member to post.  However, you don’t have to be a member to SEE the posts and the names of the posters.  So, in this case, Anthony Felix could peruse the postings, identify a situation that was ripe for their scam, send a direct message to the poster, and then direct them off-platform to the next step of the scam.

Instant payment platforms are a wonderful thing for transactions with PEOPLE YOU KNOW and trust.  Many of them, including Zelle, even post warnings in their apps about not sending funds to people you don’t know.  Nevertheless, the scammers are really good at building trust with their victims and creating plausible scenarios that give a false comfort level to ignore those warnings and send out funds that can never be recovered.

Sunday, May 03, 2020

More Covid Charity Scammers (hosted by Shinjiru Technologies AS45839)

Last week we shared information about a particularly interesting cluster of scams that focus on their shared use of a set of nameservers where all of the related content seems to be criminal in nature.  Working with CAUCE (The Coalition Against Unsolicited Commercial Email) and the ZETAlytics "Massive Passive DNS" we have continued to monitor the hostnames associated with these DNS servers for additional Covid-19 related fraud.  The criminals certainly did not disappoint!

A Fraudulent GiveDirectly Donations site

The first website that we chose to look at claims to be a 501(c)3 Non-Profit called "GiveDirectly, Inc."  We certainly agree that GiveDirectly is a 501(c)3.  According to their publicly available information, they gave out $59 Million USD in support to those in need during calendar year 2018.  The problem is that THIS website has nothing to do with the actual charity.  The real charity is supported by organizations including NBA Cares, Google.org, The Late Show, and the Schusterman Family Foundation, and they have provided financial support to 65,600 American families, as well as families in Kenya, Rwanda, Malawi, Morocco, DRC, and Uganda.  Again - the REAL charity is rated 100/100 by Charity Navigator and others.  But this website is NOT the real charity.

The real site: GiveDirectly.org

givedirectly[.]org's Real website - a real charity doing good work!

The FAKE website: givedirectly-covid19-emergency-fund[.]ibonline[.]digital

FAKE website: givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Hitting the "Give Now" button on the fake website transfers the user to a PayPal Donate page - a real PayPal page, but falsely claiming to be funding GiveDirectly.

The Scammer's Paypal page 

eMedia COVID-19 Relief Fund targeted by Scammers

The second fraudulent charity website we see is stealing a campaign from eMedia.  eMedia got a great deal of media attention in South Africa, where many websites, such as "ibusiness.co.za", ran stories like this one:
https://www.ibusiness[.]co[.]za/community/coronavirus/donate-to-the-emedia-covid-19-relief-fund/

The eMedia group's websites all provided a prominent link to the donation page, such as this one found on the homepage of eNCA.com:

Valid website: eNCA[.]com asks for donations ...

When the Donate page is visited, we find information about donating to the HCI Foundation Trust's covid fund at ABSA Bank.

Directions for donating to the REAL Charity Fund - via ABSA Bank in South Africa - donate.enca[.]com

The scammers' version of the same page offers both a Bitcoin and a Paypal donation capability, but doesn't mention the real Foundation Bank account.  The URL of the fake website is "emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital", which is the same domain (ibonline[.]digital) as the other scam above.

Fake Website: www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
The Bitcoin address has thankfully received no payments thus far: 

185M9pKN3wPy86YiAiY5LsMpsfLnEv4XH5

Nameserver MetalDNS and SteelDNS used in more scams

The nameservers in question here, which we continue to monitor, are tied to thousands of suspicious domains.  Here is our evidence that they are being used in the two scams above.  Anyone can replicate our query from a Windows CMD prompt or a Mac/Linux terminal window.  (We've added square brackets around dots for safety; you would remove them to make your own query.)

In the query below, we first set our query type to "ns" to show the authoritative Nameservers for the domain the fraudster is using - ibonline[.]digital.  We then change our query type to show "A Records" (the resolution of a hostname to the IP address where that machine can be found on the Internet.)

nslookup 
set type=ns
> server ns1.metaldns[.]com
Default Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

> ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

ibonline[.]digital        nameserver = ns2.steeldns[.]com
ibonline[.]digital        nameserver = ns1.steeldns[.]com
ibonline[.]digital        nameserver = ns2.metaldns[.]com
ibonline[.]digital        nameserver = ns1.metaldns[.]com
ns1.steeldns[.]com        internet address = 101.99.72[.]47
ns2.steeldns[.]com        internet address = 111.90.144[.]253
ns1.metaldns[.]com        internet address = 111.90.144[.]251
ns2.metaldns[.]com        internet address = 185.70.107[.]110

> set type=A
> www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

Name:    www.emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
Address:  111.90.156[.]73

> givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Server:  ns1.metaldns[.]com
Address:  111.90.144[.]251

Name:    givedirectly-covid19-emergency-fund[.]ibonline[.]digital
Address:  111.90.156[.]73

Readers will recall that "111.90.156.0/24" was the scammy host block where we found the UK Government fake tax refund website in our previous post, "Scam Everything - Opioids, Netflix, Phish, Covid Charities, and Government Refunds in one network neighborhood." 

When we posted the previous article, the Covid-19 charity hostnames resolved, but they did not have any web content yet at that time.  Through the power of Passive DNS, we had found the scammer's sites before he finished building them!  As you can see, the sites are complete now, and beginning to be used to scam victims who believe they are helping a person in need during Covid-19!

The webserver at 111.90.144[.]251 is also hosting a fake loan services site (zocaloans[.]co[.]com).

That Class C subnet (111.90.144.0/24) is also a mess.  Yesterday Zetalytics saw the first resolution of the webserver "usaid-who[.]org" -- shall we go ahead and take bets on whether that will be a full blown charity fraud website by tomorrow?

Based on recent resolutions, we can also expect to see some HP Fraud here ... new resolutions to 111.90.144[.]67 include hp.support-numberireland[.]com and hp.supportnumbercanada[.]ca and hp.supportnumber[.]com[.]au.  

There are also some interesting websites providing information for completing Wire Transfers, such as "onlinebanking[.]su" (su = Soviet Union) with directions for how to do wire transfers to many common American, Canadian, Australian, and European banks!  Again, early DNS is helpful!  One of the other websites that is still being built to help with Wire Fraud holds only a single file - a 40 MB zip file called "onlinebanks.cc.zip" containing all of the web content for creating the website!

A Reverse Lookup of the Google Analytics code found on that page shows that three other websites using "metalDNS" as their nameserver are using the same Google Analytics code (ua-157551747):

hackertools[.]su 
onlinebanks[.]cc 
wuhancoronavirus[.]me 

What an interesting combination of websites to be created by the same webmaster!
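Pivoting on a shared analytics id is a common way to tie sites to one webmaster.  The script below is an added example, not the post's own tooling or Zetalytics' reverse lookup: it extracts Google Analytics property ids from fetched page source and builds an inverted index from account id to hosts, so that any account seen on two or more sites stands out.  The HTML fragments are constructed for the example; the account number ua-157551747 comes from the post, while the property suffixes (-1, -2, -3), the unrelated fourth site and the function names are assumptions.

```python
import re
from collections import defaultdict

# Google Analytics ids look like UA-<account>-<property>.  Sites run by the
# same operator usually share the account part, so we key on that.
GA_RE = re.compile(r"\b(UA-\d{4,10})-\d{1,4}\b", re.IGNORECASE)

# Constructed page-source fragments standing in for fetched pages.  The
# account number is the one in the post; property suffixes and the fourth,
# unrelated site are assumptions for the example.
PAGES = {
    "hackertools.su": '<script>ga("create", "UA-157551747-1", "auto");</script>',
    "onlinebanks.cc": "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-157551747-2'></script>",
    "wuhancoronavirus.me": "gtag('config', 'ua-157551747-3');",
    "unrelated-example.test": 'ga("create", "UA-11111111-1", "auto");',
}

def extract_ga_accounts(html):
    """Set of account ids (upper-cased, without the property suffix) in a page."""
    return {m.group(1).upper() for m in GA_RE.finditer(html)}

def pivot_by_ga_account(pages):
    """Inverted index: account id -> sorted list of hosts carrying it."""
    index = defaultdict(set)
    for host, html in pages.items():
        for acct in extract_ga_accounts(html):
            index[acct].add(host)
    return {acct: sorted(hosts) for acct, hosts in index.items()}

def linked_sites(pages, min_sites=2):
    """Only the accounts that tie at least min_sites hosts together."""
    return {acct: hosts for acct, hosts in pivot_by_ga_account(pages).items()
            if len(hosts) >= min_sites}

if __name__ == "__main__":
    for acct, hosts in linked_sites(PAGES).items():
        print(acct, "links:", ", ".join(hosts))
```

In practice the PAGES dictionary would be filled from archived or passively collected page source rather than live fetches, and the same index works for other embedded identifiers (AdSense publisher ids, site verification tokens) by swapping the regular expression.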

Hackertools[.]su makes this claim about their services:


The website claims that they will wire transfer you funds from one of the thousands of accounts for roughly a 10% commission on the money stolen.  Of course, like most of the scam sites run by these guys, they're just going to pocket the commission and you receive nothing.  Other interesting recent scam sites:
  • anaairlinesfirstclass[.]com - promises 50% discount on first class air from Japan's ANA.
    • related: anacustomerservicecenter[.]com 
    • related: anaairlinesreservationnumber[.]com 
  • expresscards[.]net - claims to sell pre-paid VISA cards purchased with Bitcoin.
  • glosscommercialbk[.]com - phishing site for Gloss Commercial Bank 
  • zabitpharmaceutical[.]com - claims to sell FDA-cleared "rapid platelet analyzers" 
  • and so many many more ...

Thursday, April 23, 2020

Scam Everything - Opioids, NetFlix, Phish, Covid Charities, and Government Refunds in one network neighborhood

There's a famous line in the movie Jerry Maguire where Tom Cruise's character says "Show me the Money!"  In online investigations, I prefer the line "Show me the Data!"  This morning I was doing just that and found an interesting cluster of badness.

Dr. Elizabeth Gardner at UAB leads our Forensic Sciences program in the Department of Criminal Justice.  She and I have partnered on many projects in the past by mixing our expertise.  She's a forensic drug chemist, and I chase bad guys on the Internet.  8-).  Our current project follows up on some of the work we shared with the BBC Click episode "Can Technology Solve the Opioid Crisis?"

Last night we threw 586 Opioid and Fentanyl selling websites into our clustering-by-location program that Zack Knight (one of my student malware analysts) had developed for another project.  Our goal was to find clusters of drug-selling websites "in the same place" and then use other tools to explore what else is hosted in the same location.  The tool sorts first by country, then by ASN, and then by NetBlock.  There was a nice cluster that revealed itself, consisting of six websites all on the same Class C NetBlock:

Company: VERDINA Ltd., Autonomous System Number AS201133
  111.90.156.117
    thepleasantproducts[.]com
  111.90.156.170
    pharm-rx[.]to
  111.90.156.173
    globalheadshop[.]com
    nembutalonlineshops[.]com
  111.90.156.61
    richmed-pharma[.]com
  111.90.156.64
    researchkem[.]com
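The clustering step described above (sort by country, then ASN, then netblock, and look for places where several of our domains land together) is simple enough to show in full.  The script below is an added example, not Zack Knight's tool: it groups (domain, IP, country, ASN) records into a country/ASN/netblock tree using the standard ipaddress module and reports the netblocks dense enough to be worth pivoting on.  The six domains, their IPs and AS201133 come from the post; the country code, the two out-of-cluster records (documentation addresses and ASNs) and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the shape such a tool consumes:
# (domain, resolved IP, country code, ASN).  IPs and AS201133 are from the
# post; the country code and the last two records are assumptions.
RECORDS = [
    ("thepleasantproducts.com", "111.90.156.117", "MY", "AS201133"),
    ("pharm-rx.to", "111.90.156.170", "MY", "AS201133"),
    ("globalheadshop.com", "111.90.156.173", "MY", "AS201133"),
    ("nembutalonlineshops.com", "111.90.156.173", "MY", "AS201133"),
    ("richmed-pharma.com", "111.90.156.61", "MY", "AS201133"),
    ("researchkem.com", "111.90.156.64", "MY", "AS201133"),
    ("lonely-example.test", "198.51.100.7", "US", "AS64496"),
    ("other-example.test", "203.0.113.9", "NL", "AS64497"),
]

def cluster_by_location(records, prefixlen=24):
    """Nest domains as country -> ASN -> netblock -> set of domains.

    prefixlen=24 reproduces the 'Class C' grouping used in the post; any
    other prefix length works the same way.
    """
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for domain, ip, country, asn in records:
        block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        tree[country][asn][str(block)].add(domain)
    return tree

def dense_netblocks(records, min_domains=3, prefixlen=24):
    """Netblocks hosting at least min_domains of our domains: the places a
    passive DNS neighbourhood query (ZoneCruncher in the post) should be
    pointed at next."""
    found = {}
    for country, asns in cluster_by_location(records, prefixlen).items():
        for asn, blocks in asns.items():
            for block, domains in blocks.items():
                if len(domains) >= min_domains:
                    found[block] = {"country": country, "asn": asn,
                                    "domains": sorted(domains)}
    return found

def in_netblock(ip, block):
    """True if a newly seen resolution lands inside a flagged block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(block)

if __name__ == "__main__":
    for block, info in dense_netblocks(RECORDS).items():
        print(f"{block} ({info['country']}, {info['asn']}): "
              f"{len(info['domains'])} domains")
        for d in info["domains"]:
            print("   ", d)
```

Once a block is flagged, in_netblock() is the check to run against each new passive DNS resolution so that additional sites appearing in the same neighbourhood are caught as they are stood up, which is how the charity sites in the next post were found before they had content.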

Why were these sites in our database?  Well, they offer some overtly bad stuff for sale.  Here's an example:
thepleasantproducts[.]com
pharm-rx[.]to

nembutalonlineshops[.]com
You can clearly see why our Opioids project is interested in these sites!  But what we wanted to know was, given that there were six very clearly objectionable sites on the same Class C Subnet, might there be other sites there as well?  That's where the Zetalytics "ZoneCruncher" tool came into play.  We asked ZoneCruncher what other sites were recently resolved to this Netblock, fully expecting it to give us back a list of additional drug sales websites!  What we got back was much more interesting!

111.90.156.0/24 via ZoneCruncher from Zetalytics 
As soon as I saw the results, I knew exactly what scammers were behind these sites, as we were well familiar with the group from the work I've done with the excellent Business Email Compromise researchers at Artists Against 419 (AA419)!  The "signature" of this group is their reliance on a set of nameservers running on the domains "steeldns[.]com", "metaldns[.]com" and "argondns[.]com", hosted at the Malaysian hosting company Shinjiru MSC.  Verdina Ltd. is the owner of this particular netblock, which uses the Autonomous System Number AS201133.

Verdina has a few other Netblocks that we'll be exploring later, but this one has plenty of badness on its own!  Some of the most recent sites we have on this same Netblock include:

A fake Bank of Ireland site, indicating they would like to refund a suspicious transaction to your Visa card:

boi365refunds[.]com 

of course, first you have to login . . . 
An alert that your NETFLIX payment has been declined, which of course also requires a bit more information to "RESTART MEMBERSHIP" ...
netflx9-msg101[.]com 
netflx9-msg101[.]com / alldetails.html 

Many of the sites identified by ZoneCruncher have either already been remediated by security researchers working with registrars, or have not yet been deployed by the scammers.  The domain names themselves indicate the range of their creative scamming:

Covid Charity Scams 
=============================
e-media-covid19-relief[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations[.]ibonline[.]digital
e-media-covid-19-relief-fund-donations-for-food-parcel[.]ibonline[.]digital
emedia-givedirectly-covid-19-reliefprogram[.]ibonline[.]digital
givedirectly-covid19-emergency-fund[.]ibonline[.]digital
www.1covid-19-d[.]com
www.1covid9-cerb[.]com


Netflix Phish
=============================
n3tflix-billupdate1[.]com
netfl1x-accupdate3[.]com
netfloux474[.]com
netflx1-sms98[.]com
netflx9-msg101[.]com

Paypal phish, Scotia Bank phish, RBC phish, ANZ phish
============================
paypai[.]restringido[.]org
paypal[.]restringido[.]org
rbcsecu1ces32[.]com
scotia1ban2k1-info[.]com

"Secure" Messaging portals
====================
msg-integrity[.]com
report-payments[.]net
threessl[.]com

and so many more ... 112 different "scammy" domains were hosted on this single Class C just in the past ten days!

UK Government Refund Scam 

The most interesting of the current batch, however, was this one which was a means to update payment details in order to receive a refund from the UK Government via the website www[.]govuk-proceed-application[.]com, pictured below:

shall we begin the process?  


Give us all your personal data . . . 
Don't worry!  Everything is "secured with 256-BIT SSL Layer!" 

Give us all of your Banking Details!
 
And at the conclusion, you'll get a nice confirmation number!
(before a bit.ly link forwards you to the real UK Government)


Other Examples of Live Badness



Just a few more examples . . . all live as of this writing . . . 
volksign[.]bausp[.]com 

Gold Investing anyone? 

Paypal Phish

Bottom line?  Exploring the Network Neighborhood of a cluster of bad sites can lead to some very interesting findings!  I'm looking forward to learning more from Zetalytics!  They show 19,000+ more domains that were served by "ns1.metaldns.com" and so very many of them look scammy!