Wednesday, November 16, 2011

ACH / WireTransfer Failed spam goes crazy!

Yesterday we saw two HUGE spam campaigns, continuing into this morning, that use variations on "your wire transfer failed" as their subject lines.

We saw at least 86,197 copies of this spam on November 15th, that I am mentally dividing into "Named Institution / zfin" spam and "random intermediary" spam.

The "zfin" spam was far more prevalent, with 62,331 copies of the 86,197 copies pointing to a URL that contained "zfin.php" in the path.

The "zfin" spam has a mail message that reads something like this:

Dear Account Holder,

Money Transfer sent by you or on your behalf was hold by our bank.

Transaction ID: 17019302204565051
Current status of transaction: on hold

Please review transaction details as soon as possible.

N. B. Abel
Treasury Management

The "non-zfin" email has a message that reads something like this:

Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction: 238006864683285
Current transaction status: Pending

Please review transaction details as soon as possible.

In both versions a very large number of "intermediary" spam domains are used. These are "page forwarders" that have been placed on compromised web servers. The hackers have gathered a very large list of website userids and passwords where they can place new content at will, without the knowledge of the webmaster. They log in as the webmaster, upload their "forwarder" page, and then use that newly created page as the destination in spam messages.

More than 15% of the spam that we saw at the UAB Spam Data Mine yesterday belonged to this pair of campaigns, and the volume is still extremely high this morning.

Many of the emails used faked "from" domains.

Forty-seven destinations were listed by the "zfin" spam, where a Financial Institution was included in the subject line. These destinations heavily favored Argentinian domain names.

By mixing a "prefix" with an "institution name" more than 10,000 unique subject lines were created. 702 Financial Institutions have been named so far . . .

The prefix for the subject is selected from this list:

ACH debit transfer was hold by
ACH debit transfer was not accepted by
ACH payroll payment was hold by
ACH payroll payment was not accepted by
ACH Transfer was hold by
ACH Transfer was not accepted by
Bill Payment was hold by
Bill Payment was not accepted by
Domestic Wire Transfer was hold by
Domestic Wire Transfer was not accepted by
Funds transfer was hold by
Funds transfer was not accepted by
Money Transfer was hold by
Money Transfer was not accepted by
Payment was hold by
Payment was not accepted by
Wire Transfer was hold by
Wire Transfer was not accepted by

and then suffixed with a financial institution name from the list found at the end of this post.

The "non-zfin" form uses one of these subjects (a random number is notated by #RND#):

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected
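The two subject-line generators described above can be turned around into a classifier for a mail feed. This is an added example, not code from the original post or from the UAB Spam Data Mine: it compiles the post's 18 "zfin" prefixes and 30 "non-zfin" templates into anchored regexes (#RND# becomes a run of digits), recovers the institution name from a "zfin" subject, and tallies a feed by variant. The sample subjects are constructed.

```python
import re
from collections import Counter

# The 18 "zfin" subject prefixes listed in the post; an institution name follows each.
ZFIN_PREFIXES = (
    "ACH debit transfer was hold by", "ACH debit transfer was not accepted by",
    "ACH payroll payment was hold by", "ACH payroll payment was not accepted by",
    "ACH Transfer was hold by", "ACH Transfer was not accepted by",
    "Bill Payment was hold by", "Bill Payment was not accepted by",
    "Domestic Wire Transfer was hold by", "Domestic Wire Transfer was not accepted by",
    "Funds transfer was hold by", "Funds transfer was not accepted by",
    "Money Transfer was hold by", "Money Transfer was not accepted by",
    "Payment was hold by", "Payment was not accepted by",
    "Wire Transfer was hold by", "Wire Transfer was not accepted by",
)

# The "non-zfin" subject templates listed in the post; #RND# marks a random number.
NON_ZFIN_TEMPLATES = (
    "ACH payment canceled", "ACH payment rejected", "ACH transaction canceled",
    "ACH Transfer canceled", "ACH transfer rejected", "ACH transfer was hold by our bank",
    "Declined Direct Deposit payment", "Direct Deposit payment ID #RND# rejected",
    "Direct Deposit payment was cancelled", "Direct Deposit payment was declined",
    "Direct Deposit payment was rejected", "Disallowed Direct Deposit payment",
    "Fwd: Wire Transfer (#RND#)", "Fwd: Wire Transfer Confirmation",
    "Fwd: Wire Transfer Confirmation (FED #RND#)", "Fwd: Your Wire Transfer",
    "Notification about the rejected Direct Deposit payment", "Payment ID #RND# rejected",
    "Re: your Direct Deposit payment ID #RND#", "Regarding your Direct Deposit via ACH",
    "Rejected ACH payment", "Rejected ACH transaction", "Rejected ACH transfer",
    "Urgent notice about your electronic payments", "Your ACH transaction", "Your ACH transfer",
    "Your Direct Deposit payment ID #RND# was declined",
    "Your Direct Deposit payment via ACH was declined",
    "Your Direct Deposit payments were disallowed", "Your Direct Deposit payments were rejected",
)


def _template_regex(template):
    """Turn a subject template into an anchored regex; #RND# matches any run of digits."""
    escaped = re.escape(template).replace(re.escape("#RND#"), r"\d+")
    return re.compile(r"^" + escaped + r"$", re.IGNORECASE)


_NON_ZFIN = [(t, _template_regex(t)) for t in NON_ZFIN_TEMPLATES]

# Longest prefix first, then capture whatever follows as the institution name.
_ZFIN = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in sorted(ZFIN_PREFIXES, key=len, reverse=True))
    + r")\s+(?P<institution>\S.*)$",
    re.IGNORECASE,
)


def classify_subject(subject):
    """Return ("zfin", institution), ("non-zfin", template) or (None, None).

    Exact templates are tried first: "ACH transfer was hold by our bank" is a
    non-zfin subject, but the zfin pattern would also accept it with the
    institution "our bank".
    """
    subject = " ".join(subject.split())  # collapse stray whitespace
    for template, rx in _NON_ZFIN:
        if rx.match(subject):
            return "non-zfin", template
    m = _ZFIN.match(subject)
    if m:
        return "zfin", m.group("institution")
    return None, None


def campaign_counts(subjects):
    """Tally subjects per campaign variant, as the post does for its daily feed."""
    counts = Counter()
    for s in subjects:
        kind, _ = classify_subject(s)
        counts[kind or "other"] += 1
    return dict(counts)


# Constructed sample subjects (not real mail), one per outcome worth checking.
SAMPLE_SUBJECTS = [
    "ACH Transfer was not accepted by Bank of the West",
    "Wire Transfer was hold by First National Bank of Waterloo",
    "ACH transfer was hold by our bank",
    "Fwd: Wire Transfer Confirmation (FED 9982312)",
    "Your Direct Deposit payment ID 44819 was declined",
    "Re: lunch on Thursday?",
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        print(f"{s!r:60} -> {classify_subject(s)}")
    print(campaign_counts(SAMPLE_SUBJECTS))
```

Run against a day's subject lines, the "zfin" institution names it extracts can be checked against the institution list at the end of the post to spot new additions.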

These spam messages directed users to one of 1962 unique URLs that all SEEM to be compromised websites, with the exception of some "free hosting" sites, and a handful of URL shortening services. Reduced to a single example URL per host computer, the list came to 671 instances.

List of Financial Institutions used by the "zfin" spam . . .

1st Bank Yuma
1st Capital Bank
1st Centennial Bank
1st Enterprise Bank
1st National Bank of Scotia
1st Pacific Bank of California
1st Source Bank
Abacus Federal SAvings Bank
ABC International Bank
Abrams Centre National Bank
Affinity Bank
Agriland FCS
Aig Federal SAvings Bank
Alamerica Bank
Aliant Bank
Allegiance Community Bank
Alliance Bank
Alliance Bank of Arizona
Allied Irish Bank
Alta Alliance Bank
Amalgamated Bank of Chicago
Amarillo National Bank
Amcore Bank
Amegy Bank of Texas
Ameriana Bank and Trust
America California Bank
American Bank
American Bank of Commerce
American Bank of Texas
American Business Bank
American Express Bank Limited
American National Bank
American National Bank of Texas
American River Bank
American Riviera Bank
American Savings Bank
American State ABnk
American State Bank
Americas United Bank
Amsouth Bank
Amsterdam Savings Bank
ANZ Bank
Applied Card Systems
Archer Bank
Artisans Bank
Atlantic Bank of New York
Atlantic Pacific Bank
Atlas Savings Bank
Austin Bank
Austin County State Bank
Austin Telco Federal Creit Union
Balboa Thrift and Loan Association
Balcones Bank
Ballston Spa National Bank
Bank Atlantic
Bank Calumet
Bank Independent
Bank of Agriculture and Commerce
Bank of Akron
Bank of Amador
Bank of Baroda
Bank of Castile
Bank of Evergreen
Bank Of Illinois
Bank of India
Bank of Los Altos
Bank of Marin
Bank of Marion
Bank of New York
Bank of Orange County
Bank of Pensacola
Bank of Petaluma
Bank of Pine Hill
Bank of Prattville
Bank of Quincy
Bank of Rantoul
Bank of Rio Vista
Bank of Sacramento
Bank of Santa Barbara
Bank of Santa Clarita
Bank of Springfield
Bank of Stockton
Bank of Tampa
Bank of the Orient
Bank of the Sierra
Bank of the Southwest
Bank of the West
Bank of Tidewater
Bank of Tuscaloosa
Bank of Vernon
Bank of Walnut Creek
Bank of Waukegan
Bank One
Bank United
Bankers Trust Company
BankUnited Express
Barclays Bank
Barrington Bank and Trust
Bay Area Bank
Bay Cities National Bank
Bay Commercial Bank
Beal Bank
Belvidere Bank
Benchmark Bank
Beverly Bank
Bluestem National Bank
Borel Bank
Borrego Springs Bank
Brady National Bank
Brenham National Bank
Brickyard Bank
Bridgehampton National Bank
Broadway Bank
Broadway Federal Bank
Broadway Federal Bank FSB
Broadway National Bank
Brooklyn Federal Savings Bank
Brown Brothers Harriman
Busey Bank
Business Bank of California
Business First National Bank
Butte Community Bank
Caledonian Fund Services
California Bank and Trust
California Community Bank
California Federal Bank
California National Bank
California Oaks State Bank
California State Bank
Canadaigua National Bank and Trust Company
Canyon Community Bank
Canyon National Bank
Capital City Bank
Capital Farm Credit
Cardinal Services Corp
Carlinville National Bank
Carver Federal SAvings Bank
Cathay Bank
Cattaraugus County Bank
Centier Bank
Central California Bank
Central Illinois Bank
Central National Bank of Waco
Central Trust and Savings Bank
Central Valley Community Bank
Century Bank
CFS Bank
Champlain National Bank
Chang Hwa Commercial Bank Ltd
Charlotte State Bank
Charter National Bank
Charter Oak Bank
Chase Manhattan Bank
Chicago Community Bank
Chino Commercial Bank NA
Circle Bank
Citizens Bank
Citizens Bank Baytown
Citizens Bank of Northern California
Citizens Business Bank
Citizens Community Bank
Citizen's Federal Savings Bank
Citizens First Bank
Citizens National Bank
Citizens National Bank of Macomb
Citizens State Bank
Citrus Bank NA
City Bank Lubbock
City National Bank
City National Bank of Florida
City State Bank of Palacios
CivicBank of Commerce
Clarendon Hills Bank
Clay County Bank
Clear Lake National Bank
Coast Commercial Bank
Coast National Bank
Cohen Financial
Cohoes SAvings Bank
Coldwell Banker Commercial PR
Columbia Bank
Commerce Bank of Folsom
Commerce National Bank
Commercial Bank of California
Commercial National Bank
Commonwealth Business Bank
Commonwealth Trust Company
Community 1st Bank
Community Bank
Community Bank and Trust
Community Bank of Elmhurst
Community Bank of Florida
Community Bank of Naples
Community Bank of San Joaquin
Community Bank of Santa Maria
Community Bank of the Bay
Community Bank Texas
Community Banks of Northern California
Community Business Bank
Community Commerce Bank
Community First Bank of Howard County
Community Savings
Community West Bank
Compass Bank
Coppermark Bank
Cornerstone Community Bank
Coronado First Bank
Corus Bank
County Bank
Credit Suisse First Boston
Cross County Federal Savings Bank
Crown Bank
Crystal Lake Bank
DeAnza National Bank
Delaware National Bank
Delta Bank
Delta National Bank
Delta National Bank And Trust Company
Demotte State Bank
Desert Commercial Bank
Deutsche Asset Management
Deutsche Bank
Devon Bank Online
Downers Grove National Bank
Downey Savings
Eagle Bank
East West Bank
Edens Bank
Edgar County Bank and Trust
Effingham State Bank
EFG Capital International Corp
Eisenhower National Bank
El Dorado Savings Bank
El Paseo Bank
Eldorado Bank
Elgin Financial Savings Bank
Elmira Savings Bank FSB
Emerald Coast Bank
Englewood Bank
Esse Hypothekenbank
Eureka Bank
Eurohypo Aktiengesellschaft
European American Bank
Evans National Bank
Evertrust Bank
Excel National Bank
Exchange Bank
Fairport Saving Bank
Falcon International Bank
Far East National Bank
Farm Credit Bank of Texas
Farmers and Merchants Bank
Farmers National Bank
Farmers State Bank of Hoffman
Federal Home Loan Bank
Federal Home Loan Bank of Dallas
Federal Land Bank
Federal Reserve Bank of Chicago
Federal Reserve Bank of Dallas
Federal Reserve Bank of New York
Federal Reserve Bank of San Francisco
Federal Trust Bank
Fidelity Federal Bank
Fidelity Federal Savings Bank
Fifth Third Bank
Fireside Bank
First American Bank
First Bank
First Bank and Trust
First Bank and Trust Company
First Bank of Clewiston
First Bank of San Luis Obispo
First California Bank
First Chicago Capital
First Choice Bank
First Citrus Bank
First City Bank
First Commerce Bank
First Commercial Bank
First Commercial Bank of Florida
First Community Bank
First Convenience Bank
First Federal Bank
First Franklin Bank
First General Bank
First Gulf Bank
First Home Bank
First Indiana Bank
First Internet Bank of Indiana
First Mercantile Bank
First Metro Bank
First Mountain Bank
First National Bank
First National Bank and Trust
First National Bank of Abilene
First National Bank of Ashford
First National Bank of Bellville
First National Bank of Brookfield
First National Bank of Central California
First National Bank of Chillicothe
First National Bank of Danville
First National Bank of Dryden
First National Bank of Eagle Lake
First National Bank of Jasper
First National Bank of Marengo
First National Bank of Mineola Texas
First National Bank of North County
First National Bank of Northern California
First National Bank of Northern New York
First National Bank of Paris
First National Bank of San Benito
First National Bank of Scottsboro
First National Bank of Steeleville
First National Bank of Trenton
First National Bank of Valparaiso
First National Bank of Waterloo
First Navy Bank
First Niagara Bank
First Northern Bank
First of America
First Priority Bank
First Regional Bank
First Savings Bank FSB
First SAvings Bank of Hegewisch
First Southern National Bank
First Standard Bank
First State Bank
First State Bank Frankston
First State Bank of Eldorado
First State Bank of Shallowater
First State Bank of the Florida Keys
First State Bank of Western Illinois
First United Bank
First USA Bank
First Victoria National Bank
FirstBank of Palm Desert
Five Star Bank
Flatbush Federal Savings
FLBA of Texas
Florida Choice Bank
Florida First Bank
Folsom Lake Bank
Foothill Independent Bank
Fort Hood National Bank
Founders Bank
Founders Community Bank
Franklin Bank
Fremont Bank
Frontier Bank
Frost Bank
Frost National Bank
Fullerton Community Bank
Gateway National Bank
Geddes Federal Savings
General Bank
Genesee Regional Bank
Gerard Klauer Mattison
Gibraltar Bank
Global Resource Bank
Golden Security Bank
Goleta National Bank
Grabill Bank
Grand Bank of Florida
Grand National Bank
Grapeland State Bank
Guaranty Bank
Guaranty Bond Bank
Guaranty Federal Bank
Gulf State Community Bank
Habib American Bank
Hanmi Bank
Hardware State Bank
Harris Trust and savings Bank
Hendricks County Bank and Trust
Heritage Bank East Bay
Heritage Bank of Central Illinois
Heritage Bank of Commerce
Heritage Bank South Valley
Heritage Commerce Corp
Heritage Land Bank
Heritage National Bank
Hickory Point Bank and Trust
Highwood Bank
Hinsdale Bank and Trust
Hinsdale Bank Trust Co
Home National Bank
Honda Bank
Horizon Bank
Hudson Valley Bank
Humboldt Bank Merchant Services
Hypo Real Estate Bank International
Illini State Bank
Imperial Bank
Imperial Capital LLC
Independent National Bank
Independent Online
ING Capital LLC
Intercredit Bank
International Bancshares
Interstate Bank of Oak Forest
Invex Grupo Financiero
Irwin Financial Corporation
Israel Discount Bank of New York
Itasca Bank and Trust Co
Jackson County Bank
Jacksonville Savings Bank
Jefferson Heritage Bank
Jefferson State Bank
Jourdanton State Bank
JP Morgan Chase Bank
Key West Bank
Kookmin Bank
Lafayette Bank And Trust
Lafayette Savings Bank
Lake Forest Bank and Trust
Lake Shore SAvings And Loan
Lamar National Bank
Landmark Bank
LaSalle State Bank
Lavine Financial Capital
Legacy Bank of Texas
Lehman Brothers
Liberty Bank
Liberty Federal Bank
Liberty Federal Savings Bank
Libertyville Bank
Lone Star Federal Land Bank Association
Long Island Commercial Bank
Long Island Savings Bank
Los Angeles National Bank
Lubbock National Bank
Luther Burbank Savings
Madison Bank
Malaga Bank
Mansfield Bank
Manufacturers Bank
Marathon National Bank
Marina Bank
Marketplace Bank
Mazon State Bank
Mellon 1st Business Bank
Melon Bank by
Mercantile Bank
Mercantile Trust and Savings Bank
Merchants and Southern Bank
Merchants Bank of California
Merchants Bank of Jackson
Merchants National Bank of Aurora
Meridian Bank
Merrill Lynch
Metropolitan Bank
MFB Financial
Mission Community Bank
Mission Oaks National Bank
Modern Bank
Mohave Community
Mohave State Bank
Monroe County Bank
Montecito Bank and Trust
Moody National Bank
Morgan Stanley
Morton Community Bank
Murphy Wall State Bank
Mutual Federal Savings Bank
Mutual of Omaha Bank
Nara Bank National Association
National Bank
National Bank of California
National City Bank
New Century Bank
New South Federal Savings Bank
Nexity Bank
North Coast Bank
North Community Bank
North County Bank
North County Savings Bank
North Houston Bank
North Valley Bank
Northern Trust Bank
Northern Trust Company
Northfield Savings Bank
NorthShore Trust Saving
NorthStar Bank
Oak Brook Bank
Oak Lawn Bank
Oak Valley Community Bank
Oceanic Bank
Oceanmark Bank
Oceanside Bank of Jacksonville
Old Florida Bank
Old National Bank
Old Second Bancorp
Old Second Bank of Aurora
Ossian State Bank
Oswego Community Bank
our bank
Overton Bank and Trust
Owen County State Bank
Pacesetter Bank
Pacific Crest Bank
Pacific National Bank
Pacific Trust Bank
Palm Desert National Bank
Palmer Bank
Park Avenue Capital
Park National Bank
Partners Bank
PathFinder Bank
Peoples Bank of Graceville
Peoples Bank of Lubbock
Peoples Bank of North Alabama
Peoples National Bank
People's Trust Company
Permanent Federal Savings Bank
Perryton National Bank
Pff Bank Trust
Phillipine National Bank
Pilgrim Bank
Pinnacle Bank
Pioneer Savings Bank
Plains National Bank Financial
Plaza Bank
Plumas Bank
Pna Bank
Pointe Bank
Ponce de Leon Federal Savings Bank
Popular Bank of Florida
Power Project Financing
Premier Valley Bank
Prosperity Bank
Provident Bank
Queens County Savings Bank
Raiffeisen Zentralbank AG
Randolf County Bank
Redding Bank of Commerce
Regents Bank
Reliance Bank
Ridgewood Bank
Ripley County Bank
River City Bank
Riverside National Bank
Robertson Stephens
Rondout Savings Bank
Roseville Banking Center
Roslyn Savings Bank
Royal Oaks Bank
RZB Finance LLC
Salin Bank and Trust Company
San Diego National Bank
San Jose National Bank
Sand Ridge Bank
Santa Barbara Bank and Trust
Santa Monica Bank
Saratoga National Bank
Scott State Bank
Seacoast National Bank
Second Federal Savings
Security Federal Savings Bank
Seneca Federal Savings and Loan
Sierra Vista Bank
Silicon Valley Bank
Silverado Bank
Six Rivers National Bank
Sonoma Valley Bank
South Alabama Bank
South County Bank
South Pointe Bank
Southern California Funding
Southern Security Bank
Southwest Bank
Southwest Bank of Texas
Sovereign Bank
Spencer County Bank
Star Bank
Star Bank of Texas
Star Financial Bank
State Bank of Ashland
State Bank of Countryside
State Bank of India
State Bank of Lizton
State Bank of Long Island
State Bank of Texas
State Bank of The Lakes
State Bank of Waterloo
State Farm
State National Bank of West Texas
Staten Island Savings Bank
Sterling Bank
Sterling National Bank
Stone City Bank
Strategic Partners
Success National Bank
Suffolk County National Bank
Sumitomo Bank of California
Summit Bank
Surety Bank
Synergy Bank
Tallahassee State Bank
TCB Bank
TCF National Bank
Tempo Bank
Terre Haute Savings Bank
Texas Bank
Texas Capital Bank
Texas Champion Bank
Texas First Banks
Texas Independent Bank
Texas Land Bank
Texas State Bank
The Astoria Federal Savings Bank
The Bank
The Bank and Trust
The Carson Medlin Company
The Dime Savings Bank of New York
The First American Investment Banking Corporation
The First National Bank of Hico
The First National Bank of Long Island
The First State Bank of North Dakota
The Foothills Bank
The Gifford State Bank
The Independent Bankers Bank
The Laredo National Bank
The Mechanics Bank
The SAvings Bank of Utica
The South Holland Bank
The State National Bank
The Warwick Savings Bank
TIB Bank of the Keys
Tokai Bank of California
Tompkins County Trust Company
Town North Bank
Tremont SAvings Bank
Troy Bank and Trust
Troy Savings Bank
Ulster Savings Bank
Unicredito Italiano
Union Bank of Arizona
Union Bank of California
Union Federal
Union Federal Savings Bank
Union Planters Bank
Union State Bank
United Bank
United California Bank
United Commercial Bank
United Community Bank
United Fidelity Bank
United Security Bank
United Southern Bank
Universal Bank
Upstate Niagara Cooperative
Valley Business Bank
Valley Commerce Bank
Valley Independent Bank
Valrico State Bank
Vantage Bank of Alabama
Ventura County Business Bank
Viewpoint Bank
Village Banc of Naples
Vineyard Bank
Vintage Bank
Visalia Community Bank
Vista Bank
Walden Savings Bank
Warrington Bank
Washington Federal Bank
Washington Savings and Loan
Wells Fargo Bank
West Coast Bank
West Suburban Bank
Western Financial Bank
Western Security Bank
Western Springs Bank
Western Springs National Bank
Whisperwood National Bank
Wilber National Bank
Wilmington Trust
Wilshire State Bank
Wintrust Financial Corporation
Woodforest National Bank
Worth National Bank
WSFS bank
Yolo Community Bank


Wednesday, November 09, 2011

Operation Ghost Click: DNSChanger Malware Ring Dismantled

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).

The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business:
Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as, into an IP address, such as For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud

If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link that they are returned shows the destination "" which is the real Apple website where someone can download the iTunes software.

(source: Tsastsin Indictment)

When an infected computer clicks the link, the user's computer would go to the criminal's nameserver, which would send them to the wrong computer. In this case, instead of going to "" the user is sent to "" which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to one of these fake websites.

In other examples, the company where the traffic is sent is a legitimate company. For example, H&R Block, the tax preparation company, has an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R Block website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit So, because you were using the criminal's nameserver, if you typed or clicked on "" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement

The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.

In an example from the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminal's nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States, were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 million!

Blocking Antivirus

In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus vendor's website, it would simply get an error saying the server was unavailable.

The Charges

All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?

The Protective Order associated with this case lists the IP address ranges involved in the fake nameserver business.

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
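The check the FBI document describes, as an added example that is not part of the original post: pull the configured DNS servers out of either `ipconfig /all` output (Windows) or `/etc/resolv.conf` (Unix) and test them against the Protective Order's ranges. The ranges in the script are placeholders (the real ones did not survive in this copy of the post); the sample `ipconfig` text is constructed.

```python
"""Added example: flag configured DNS servers that fall inside the rogue ranges.
ROGUE_RANGES holds PLACEHOLDER (first, last) pairs; substitute the ranges from
the FBI's DNSChanger document before using this for real."""
import ipaddress
import re

ROGUE_RANGES = [                      # placeholders, not the real rogue ranges
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.0", "198.51.100.127"),
]

def build_networks(ranges):
    """Turn (first, last) address pairs into ip_network objects."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

ROGUE_NETS = build_networks(ROGUE_RANGES)

def extract_dns_servers(text):
    """Resolver addresses from 'ipconfig /all' output or a resolv.conf file."""
    servers = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*nameserver\s+(\S+)", line)   # resolv.conf style
        if m:
            servers.append(m.group(1))
            continue
        if "DNS Servers" in line:                       # ipconfig style
            # first server on this line; extra servers on following lines
            servers.append(line.split(":")[-1].strip())
            for follow in lines[i + 1:]:
                follow = follow.strip()
                if re.fullmatch(r"[0-9.]+", follow):
                    servers.append(follow)
                else:
                    break
    return [s for s in servers if s]

def rogue_servers(text, nets=ROGUE_NETS):
    """Configured DNS servers that sit inside one of the rogue ranges."""
    hits = []
    for s in extract_dns_servers(text):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:            # e.g. IPv6 with a '%1' zone suffix
            continue
        if any(ip in n for n in nets):
            hits.append(s)
    return hits

SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:    (constructed)
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       8.8.8.8
"""
```

Paste the real output of `ipconfig /all` (or the contents of `/etc/resolv.conf`) into `rogue_servers()`; a non-empty result means the machine is resolving through a listed range.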

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City, known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge

The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to use some other nameserver, your computer just stops being able to look up names! If that had happened, when you typed in "" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauley III on November 3rd in the Southern District of New York.

The Criminal Companies

The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (, Onwa Limited (, Lintor Limited ( and others were used to create and broker advertising deals which would be used in the Replacement Ad schemes.

Other Things You Must Read

TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.

TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really led the way on this case!

Brian Krebs' authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"

SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital

Newsweek calls Rove Digital one of the "Top Ten Spammers" -(December 2009).

Friday, November 04, 2011

Duqu: You're safe unless you use TrueType Fonts?

Two of the malware analysts in my lab have been complaining to me that the malware they see everyday is getting boring - the primary attacks that we see in the largest volume are the same thing over and over and over again.

Let's be thankful for that! The big news in the malware world yesterday came when Microsoft announced a work around for Duqu, named by researchers in the CrySyS Lab (the Laboratory for Cryptography and System Security at Budapest University of Technology and Economics) because it prefixes some created filenames with the letters "~DQ".

On October 14, 2011, CrySyS contacted Symantec to get some help analyzing the malware, and Symantec released an extremely informative 67 page PDF report called W32.Duqu: The Precursor to the next Stuxnet. (The link is to version 1.3 of the report, updated on November 1, 2011).

There have been two IP addresses confirmed to be associated with Duqu and serving as Command & Control. The first IP was in India - The second was in Hungary - Traffic flow to either of these IP addresses would be a strong positive indicator of a Duqu infection! Both sites are down now.

The first server was announced to be down on October 31st in stories such as this one -- India Shuts Server Linked to Duqu Computer Virus -- which shares some details of a server located at Web Werks, a 200-employee data center.

The second server was at Combell in Belgium -- as described in stories such as this one -- Duqu Hackers Shift to Belgium After India Raid.

Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we've seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Here's a VirusTotal report of the better detected of those pieces of code, which had the MD5 value e1e00c2d5815e4129d8ac503f6fac095. This file is not "Duqu" but is rather "an .exe file related to Duqu" which is a much larger program (this one is only 9k in size).

(Click for VirusTotal Report)

Non "generic" definitions for this malware included:

Avast: Win32:Duqu-F
Emsisoft: Trojan.Win32.Stuxnet!IK
Ikarus: Trojan.Win32.Stuxnet
Microsoft: Trojan:Win32/Duqu.E
NOD32: probably a variant of Win32/Duqu.A
TrendMicro: TROJ_DUQU.AJ

Symantec mentioned these MD5s (compile timestamp and purpose of each file):

Wed Jun 01 03:25:18 2011 - Stealing information
Mon Oct 17 17:07:47 2011 - Reconnaissance module
Mon Oct 17 16:26:09 2011 - Lifespan extender
Tue Aug 09 21:37:39 2011 - Stealing information

In each of those above, the link on the MD5 will show you the VirusTotal report. I find it interesting that TrendMicro consistently names these files "TROJ_SHADOW.AG" which makes me wonder if they had independently discovered this malware family prior to the naming as Duqu by the CrySyS team.

Symantec calls attention to the fact that several of these files show compile dates AFTER the public disclosure of the existence of Duqu.

Delivery Mechanism

Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

We now know from Microsoft more about this exploit. On November 3, 2011, Microsoft released Microsoft Security Advisory (2639658), Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

Microsoft has released a workaround. The exploit takes advantage of a problem in one of the DLLs used by the TrueType font parsing engine in certain circumstances. If a system denies access to that DLL, T2EMBED.DLL, then the exploit fails to work.

The workaround can be executed like this, but Microsoft cautions that applications that rely on EMBEDDED TrueType fonts could then fail to display properly:

(For older Windows versions, such as Windows XP and Server 2003: deny Everyone access to the DLL)
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

(For newer Windows versions, such as Vista, Windows 7 and Server 2008: take ownership of the DLL, then deny access; the advisory lists both steps, and it is the second one that actually blocks the DLL)
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

For more details on the workaround, please see Microsoft Security Advisory: Vulnerability in TrueType font parsing could allow elevation of privileges which offers a "Fix It For Me" button to apply the work around for you.

Duqu Compared to Stuxnet

The Symantec report has 22 or so pages of original Symantec content, and then has as the majority of its body the report by the CrySyS Lab, which has a section that compares the Duqu and Stuxnet code. In particular, the decryption function seems to be nearly identical.