Wednesday, March 18, 2009

Carders do battle through spam - carder.su

We've seen several cases in the past where Law Enforcement action is triggered by one criminal actively and publicly spreading information (or mis-information) about another criminal's activities.

That seems to be the case in what is happening now, as a spammer is using an existing spam botnet to send messages about the Russian credit card trading site "carder.su".

Beginning on the afternoon of March 16th, the UAB Spam Data Mine began to receive copies of this email message:



So far we have 142 copies of this email, which came from 138 different email addresses, and were sent to 122 of our unique trap accounts. The emails had 13 different subject lines, but were otherwise the same:

Carders attack
Carders here
Carders online
Carders threat
Hazardous site
How is it possible?
Sale Data
Stolen bank accounts
Stolen credit cards
Stolen data
Terrible site
The threat of credit card
Where is the police?

There were also 132 unique IP addresses in the email headers, corresponding to the 132 bot machines which were used to send us this spam. It would be interesting to know what other spam is coming from these same bot machines. Fortunately, when you have a Spam Data Mine sitting around, that's a pretty simple query to make.

(Full list of IPs at the end of this article . . . if you recognize the botnet please let me know.)

Unfortunately, some IP addresses are less helpful than others . . . is it valid to say that these emails came from the same botnet, for example, when we haven't seen other email from them since October?

Emails from 213.25.157.1 (in Poland):

Date Email Subject
-----------+---------------------------------
2008AUG10 | debt consolidation calculator
2008AUG13 | loans for debt consolidation
2008AUG15 | debt consolidation loans
2008AUG21 | unsecured debt consolidation loans
2008AUG31 | credit check
2008SEP06 | a debt consolidation loan
2008SEP06 | debt busters
2008SEP06 | debt consolidation advice
2008SEP09 | profit debt consolidation
2008SEP25 | clear debt
2008SEP29 | help me get out of debt
2008OCT01 | credit cards debt
2008OCT15 | help to get out of debt
2008OCT26 | horses for loan
2008OCT29 | student loan debt

Or these from 212.26.246.161 (in Russia)

Date | Email Subject
-----------+----------------------------------------------------
2008APR30 | Greetings, I have learned an interesting thing
2008MAY06 | Merrill Lynch Business Centre - Changing a website


The next one is far more useful, because although it shows a long history of spam from the computer at 203.197.115.82 (in India), it also has spam from two weeks ago, which we know by the subject is a sign of a Waledac infected computer.


message_id | subject
------------+-------------------------------------------
2008OCT04 | Hi! I wanna chat with you!
2008DEC08 | Watches
2008DEC13 | Hi sweety
2008DEC26 | Swiss Branded Watches
2009JAN01 | Swiss Branded Watches
2009JAN04 | Don't settle for less
2009JAN03 | Swiss Branded Watches
2009JAN04 | Swiss Branded Watches
2009JAN05 | Swiss Branded Watches
2009JAN06 | Attention: Important Information!
2009JAN08 | Re: Miley loves it huge
2009JAN16 | Swiss Branded Watches
2009JAN24 | Pharmacy Discount for (email)
2009JAN21 | Russian queens are waiting.
2009JAN30 | Turn your bedroom life into a volcano of pleasure.
2009FEB05 | Add floors to your skyscraper special offer for (email)
2009FEB14 | Facing a love-making problem? We will solve all yout problems in few minutes.
2009FEB17 | Have you heard about Viagra for women?
2009FEB27 | Pharma Discount for
2009MAR02 | Regards The day of Love
2009MAR06 | Regards The day of Love


Unfortunately, that was the only machine in our pool which seemed to be a Waledac box. Another coincidence only.

While many of the 132 computers were to be found sending other spam in the UAB Spam Data Mine, there were not enough which sent recent spam to draw any definite conclusions on the botnet.


Limiting our interest only to the most recent spam from the pool of IP addresses, we find that recently spammed sites from the same criminal include:

http://2009-film.ru/ - an illegal movie download site listing this contact information:

Tel: +7 (495) 504-14-43
ICQ: 431409065

As well as the Viagra-selling site, US HealthCare Inc, hosted in Korea and using the domain names:
bumpfold.com
blotcare.com
dunknew.com
dealrise.com
wallsdeals.com

A second set of recent Viagra sites, Canadian Healthcare, used Chinese auto-forwarding URLs in their spam, such as:

aqeakteny.giwhohov.cn
yzmjnq.giwhohov.cn

which forwarded to the Israeli hosted website:

maxitiny.com

A third set of pills was available from this Canadian Pharmacy website:

caringflattering.com

What about Carder.su?



What do we actually know about Carder.su? Not a whole lot truthfully. We know its a popular site - at its max there were more than 14,000 members logged in at the same time.

The WHOIS information for the domain says it is registered to "Private Person", but does give a phone number and an email address:

phone: +79164541122
e-mail: cardersu@ya.ru

A peek back at the WHOIS history shows it was originally registered by:

Maria A Ageeva
886824@mail.ru
+79124427798

From at least November 20, 2009 until March 10, 2009, "Private Person" used a gmail account of: cardersu@gmail.com

Their servers are hosted in Moscow on the 2x4.ru network, owned by Pavel Ivanov.
Ivanov has many interesting customers on his network 92.241.168.0/23. Fine folks like:

cyberterrorist.biz
bl4ckc4rd.ws (black card?)
unlimitedhack.cn
drugspurchase.com
seobiz.org
heihachi.net
coderz.ws
abuse-crew.cc
nukeuploads.com
glavforum.ru

I have to say, the 2x4.ru folks have suspended some of the porn sites that drop malware, so maybe they only cater to certain types of criminals. "gigatube.net" and "eroticzzz.info" were suspended for dropping malware, as was "swiss-warez.biz"



Do you recognize this botnet?



41.248.155.122
58.8.172.135
58.9.203.10
59.182.251.171
61.14.3.165
62.140.238.1
62.57.137.76
67.204.146.123
77.236.6.91
77.30.51.182
77.31.4.53
77.31.64.86
78.106.36.221
78.160.216.232
78.162.210.118
78.162.73.40
78.163.200.222
78.165.108.153
78.166.191.79
78.167.164.42
78.167.58.60
78.169.14.70
78.93.197.72
78.93.82.106
78.96.182.134
79.189.49.202
81.214.156.70
83.29.230.20
84.10.79.200
84.139.136.5
84.47.93.42
85.101.110.99
85.103.13.223
85.103.251.189
85.104.58.189
85.105.209.23
85.108.245.33
85.108.253.26
85.110.153.77
85.110.157.133
85.110.171.230
85.198.177.13
85.99.185.187
86.122.165.34
87.0.54.121
87.109.14.12
87.109.14.174
87.109.159.178
87.120.109.249
87.205.244.153
88.224.151.137
88.224.251.96
88.224.44.225
88.224.75.134
88.226.69.100
88.227.248.11
88.228.97.232
88.230.74.81
88.232.153.116
88.234.163.254
88.237.221.48
88.238.89.111
88.242.123.170
88.243.107.145
88.243.217.210
88.245.107.7
88.245.228.14
88.246.96.61
88.252.78.129
88.254.234.140
89.136.79.96
89.228.156.6
89.252.9.126
89.46.136.175
89.76.97.16
90.148.146.140
91.124.23.200
91.201.112.2
92.112.23.168
92.37.151.127
92.44.194.243
92.47.222.107
92.61.238.120
92.82.172.41
93.94.178.187
93.98.37.210
94.44.29.200
94.96.11.241
94.99.184.93
94.99.74.20
95.134.200.103
95.58.142.176
95.78.138.40
113.53.170.179
116.71.2.192
117.197.96.124
118.43.204.82
121.159.184.91
121.242.55.42
124.121.38.204
124.121.85.111
125.136.199.83
188.48.200.177
189.112.85.88
189.114.152.233
189.12.187.224
189.24.135.57
189.27.243.210
189.46.152.128
189.78.253.59
189.82.74.79
189.93.0.162
190.120.140.118
190.135.146.135
190.19.69.90
196.218.55.234
200.121.245.19
200.163.33.130
201.19.24.84
201.24.126.235
201.67.135.232
201.67.186.108
201.76.71.9
203.197.115.82
211.107.153.132
211.247.31.154
212.26.246.161
213.181.170.167
213.25.157.1
217.147.25.250
218.152.226.159
220.253.192.12

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!