Thursday, August 26, 2010

Major Fraud Ring Busted in Largest Chinese Cybercrime Operation

Yesterday Taiwanese Criminal Investigation Bureau Commissioner Lin Teh-hua announced the largest cybercrime operation in the history of his organization. (The Criminal Investigation Bureau's report, in Chinese, is here.) 548 Taiwanese police officers and 2,720 Chinese police officers took part in the operation, which resulted in 450 fraudsters being arrested throughout Taiwan and in the Chinese provinces of Fujian, Hunan, Hubei, Anhui, Guangdong and Guangxi. Since a joint operations agreement was signed between Chinese and Taiwanese authorities, more than 16 joint raids have been conducted, leading to more than 1,000 arrests.

In this case, the activity particularly focused on telephone fraud and internet auction fraud. The arrests come close on the heels of the break-up of a similar fraud ring in Ho Chi Minh City, where 99 fraudsters from Taiwan and China were arrested. In the Vietnamese fraud, where 76 Taiwanese and 23 Chinese citizens were arrested, fraudsters would take over entire hotels, booking as many as 30 to 40 hotel rooms for their operation. They would place random phone calls, posing as telecom officials, police officers, or prosecutors, and urge people to wire money to specified accounts. Some individuals lost millions of dollars in that fraud. The Ho Chi Minh case made note that on July 1st there had been a related raid where 32 Taiwanese and 14 Chinese were arrested. Major General Huynh Huu Chien of the Ministry of Public Security called it the largest foreign hacker ring ever in Vietnam, saying that they had also been doing ATM fraud, hacking into foreign banks and using ATM card readers to steal from more than 200 foreign bank accounts and financial institutions.

The Vietnam case continued on August 13th, when police arrested eleven Taiwanese men and two women in Can Tho. In that case, the police seized laptops, phones, walkie-talkies, and most intriguingly more than 50 "fraud scripts" that guided the fraudsters through the "play" of imitating a police officer or state agency official in order to further their fraud.

The Taiwanese-Chinese arrests this week seem to be more of the same, as police explain that the groups formed temporary "Telephone Fraud Centers" where the scammers placed calls following elaborate scripts that helped them to perpetrate their frauds. In Taiwan, in addition to the seizure of laptops, cell phones, and fraud manuals, fake courier uniforms were found.

This raid took shape after a large meeting in China's Fujian Province, where police from across China came together in Ningde to address illegal telecom operations, money laundering, impersonation of public agencies for fraud, and online shopping scams. The case actually originated with the arrest of "Rong Yu" back in April, when police discovered he had been operating a fraud from the Taizhong Emperor Hotel, pretending to be a Shen Fuwen law clerk. By tracing the criminal contacts of this phony law clerk, more than seven other similar groups were identified, including the group's headquarters in Hunan Province.

The group was also found to be related to a fake online auction group, the Wuhan Pride network (www.dey100.com). This group, which claimed to be an online trading company, was involved not only in the sale of goods that were never actually delivered, but also in ATM fraud conducted after stealing banking information from the buyers of those fake goods! Some of the victims report getting very strange deliveries, such as ordering goods online and receiving an empty CD box or a package of soap instead of what they ordered. When they called to complain, the fraudsters used the call to gather additional personal information about them, which allowed further fraud to occur.

I hope more details of this fraud will be revealed in the next few days, but for now, I want to offer congratulations to the investigators who are helping to clean up online crime throughout China and Taiwan!

Saturday, August 21, 2010

"(Famous person) died" spam

According to my spam inbox, today was a horrible day to be a celebrity:

Alicia Keys died
Angelina Jolie died
Beyonce Knowles died
Bon Jovi died
Brad Pitt died
Cameron Diaz died
David Beckham died
Gwen Stefani died
J.K. Rowling died
Jay-Z died
Jennifer Aniston died
Jennifer Lopez died
Johnny Depp died
Justin Timberlake died
Kanye West died
Madonna died
Miley Cyrus died
Nicole Kidman died
Oprah Winfrey died
Ronaldinho died
Tiger Woods died
Tom Cruise died

In the UAB Spam Data Mine we received between 450 and 539 copies of each of these spam messages.

The body of the email has the same text for each, with only the name varying. The name used in the body of the email doesn't necessarily match the name in the subject line. Here's an example:


Cameron Diaz died along with 34 other people when the Air Force CT-43 "Bobcat" passenger plane carrying the group on a trip crashed into a mountainside while approaching the Dubrovnik airport in Croatia during heavy rain and poor visibility.

Please see attachment


The attachment, called "News.html", is base64 encoded, but if you click on it, it will launch in a web browser.

The HTML is composed of JavaScript that takes substrings of scattered string literals and concatenates them to build a URL:


new String("hre3y9b".substr(0,3)+"hv5f5hv".substr(3,1))]=
new String("http:P5v".substr(0,5)+ "//panHSOY".substr(0,5)+
"3aPiplusP3a".substr(3,5) + ".com.V4Hq".substr(0,5)+
"mx/1.0Xq".substr(0,5) + "HFkhtmlFHk".substr(3,4))


So "hre3y9b" becomes "hre", "hv5f5hv" becomes "f" (together, "href"), and so on . . .

It eventually turns into:

hxxp://paniplus.com.mx/1.html

(the "xx" instead of "tt" is to prevent this from being live)
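As an added illustration (not code from the original post), the following Python resolves the substr() chain statically, without running the JavaScript: it extracts each "literal".substr(start, length) term with a regular expression, emulates JavaScript's substr, concatenates the pieces in source order and defangs the result the way the post does.

```python
import re

# One "literal".substr(start, length) term, as used in the News.html snippet
# quoted above. Literals without embedded double quotes are assumed.
_TERM = re.compile(r'"([^"]*)"\s*\.\s*substr\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)')


def js_substr(s, start, length):
    """Python equivalent of JavaScript String.prototype.substr(start, length)
    for non-negative arguments: out-of-range start yields an empty string."""
    if start >= len(s) or length <= 0:
        return ""
    return s[start:start + length]


def decode_substr_chain(expr):
    """Statically evaluate a '+' chain of "literal".substr(a,b) terms.

    Nothing is executed: every term is resolved with js_substr and the
    results are joined in the order they appear in the expression.
    """
    pieces = [js_substr(lit, int(a), int(b)) for lit, a, b in _TERM.findall(expr)]
    return "".join(pieces)


def defang(url):
    """Neutralise a recovered URL for reporting (http -> hxxp), as the post does."""
    return re.sub(r"^(h)tt(ps?://)", r"\1xx\2", url, flags=re.I)


# Constructed sample: the property-name and value expressions copied from the
# obfuscated snippet quoted in the post.
KEY_EXPR = '"hre3y9b".substr(0,3)+"hv5f5hv".substr(3,1)'
VALUE_EXPR = ('"http:P5v".substr(0,5)+ "//panHSOY".substr(0,5)+'
              '"3aPiplusP3a".substr(3,5) + ".com.V4Hq".substr(0,5)+'
              '"mx/1.0Xq".substr(0,5) + "HFkhtmlFHk".substr(3,4)')


def decode_snippet(key_expr=KEY_EXPR, value_expr=VALUE_EXPR):
    """Return (property name, defanged URL) recovered from the two expressions."""
    return decode_substr_chain(key_expr), defang(decode_substr_chain(value_expr))


if __name__ == "__main__":
    prop, url = decode_snippet()
    print(f"{prop} = {url}")
```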

That page has two URLs on it, one pointing to the free domain website 'cz.cc':

cetogilco.cz.cc / scanner10 / ?afid=24

This page goes to a fake anti-virus site . . .

The second URL points to:

analyticspool.in / wiki / index.php ?sid=151 &search=ecard &refresh=on


From cetogilco.cz.cc the file "antivirus.exe" is downloaded.

A VirusTotal report for this malware, showing 18 of 41 detections, is available. The MD5 is cb38da67e9a96afb0b3674eddee26472.

Monday, August 09, 2010

Viagra Spammers as Hackers?

By now you're certainly well aware that the CAN-SPAM Act is basically ignored by law enforcement, with an occasional exception once or twice a year where someone actually goes to jail.

The question remains: how do we convince law enforcement, with its limited resources, that a spammer is more than "just another spammer" and is actually someone who should be pursued?

As we were looking through spam clusters on the UAB Spam Data Mine this weekend, one interesting pattern stood out, because it seemed to indicate that a particular viagra spammer may actually be breaking into websites (that is, committing violations of Title 18 Section 1030, "Computer Intrusion") in order to avoid being caught as a spammer.

This particular spammer sent us 359,205 spam messages between July 14, 2010 and July 30, 2010. While some were part of the group that uses the pattern:

drug-word first-name ## single-letter.ru

such as:

I was actually far more interested in another subgroup from this spammer.

The 498 websites listed below are each a pre-existing website which has been hacked in the same manner that a phisher might hack a website. In this case a single file has been placed on each server, and it is that file that is used in the spam messages. Although the spam that I used to generate this group was all from July 14 to July 30, 299 of the websites remain "hacked" as of this writing.

If you are a webmaster for one of the sites listed below, we would be very interested in three facts from you:

1) do you have any log or theory showing how your website was hacked?

2) do you have logs that we could review to count how many people "clicked through" your site?

3) have you experienced other forms of defacement since being hacked by the "viagra hacker"?

Please feel free to email me with this type of information at:

g a r @ c i s . u a b . e d u



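As an added example (not the author's tooling), a small Python classifier that buckets this spammer's URLs into the two patterns described above: the throwaway "drug-word first-name ## single-letter.ru" domains, and the single word##.html file dropped on a compromised site, optionally under a /~user/ home directory. The sample URLs are constructed from examples quoted in the post; the prefix word list and the digit range are assumptions read off those examples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Pattern 1: throwaway domains "drug-word first-name ## single-letter.ru".
# Prefix words are the ones the post lists; the number runs to 100 in the
# quoted samples (e.g. pharmdmitri100w.ru), so 1-3 digits are allowed.
DRUG_WORDS = ("drugs", "erect", "med", "online", "pharm", "pill", "refill", "tab")
RU_PATTERN = re.compile(
    r"^(?P<prefix>" + "|".join(DRUG_WORDS) + r")"
    r"(?P<name>[a-z]+?)(?P<num>\d{1,3})(?P<letter>[a-z])\.ru$"
)

# Pattern 2: one dictionary-word##.html file on a compromised site,
# either at the web root or under a user home directory (/~user/).
HACKED_PATTERN = re.compile(r"^(?:/~[^/]+)?/(?P<word>[a-z]+)(?P<num>\d{2})\.html$")


def classify(url):
    """Bucket one spam URL as 'ru-domain', 'hacked-site' or 'other',
    returning the bucket and the components the pattern extracted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    m = RU_PATTERN.match(host)
    if m:
        return "ru-domain", m.groupdict()
    m = HACKED_PATTERN.match(parts.path)
    if m:
        return "hacked-site", {"host": host, **m.groupdict()}
    return "other", {"host": host}


def summarize(urls):
    """Count URLs per bucket and tally the drug-word prefixes seen,
    as a quick cluster report over a batch of spam URLs."""
    buckets = Counter()
    prefixes = Counter()
    for url in urls:
        kind, info = classify(url)
        buckets[kind] += 1
        if kind == "ru-domain":
            prefixes[info["prefix"]] += 1
    return dict(buckets), dict(prefixes)


# Constructed sample drawn from examples quoted in the post.
SAMPLE_URLS = [
    "drugsearlie81n.ru",
    "pharmdmitri100w.ru",
    "tabtom34o.ru",
    "s2k.dyndns.org/~administrator/court48.html",
    "watt22.hu/accede98.html",
    "www.pctools.com/free-antivirus/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify(url))
    print(summarize(SAMPLE_URLS))
```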
The websites which remain in their "hacked" state redirect to one of the following 35 viagra-sales websites:


Friday, August 06, 2010

Spam Campaign: Zeus's Greatest Hits spreads malware

Yesterday I had the pleasure of speaking on the subject of phishing to the Association of Certified Fraud Examiners Alabama chapter conference, hosted at the UAB School of Business, where my friend Tommie Singleton teaches Forensic Accounting.

After talking about traditional phishing, and the statistics that we have about phishing through our UAB Phishing Operations and UAB Phishing Intelligence teams, I shared with the group that while phishing continues to rise, compromise of banking credentials through malware is an ever-growing threat.

To demonstrate the problem with malware, I opened one of my spam receiving email accounts as a user and clicked on several email messages.

I clicked on an email from July 30th that warned me that "FDIC has officially named your bank failed bank", clicked the attachment, and demonstrated my anti-virus product (on this machine I was using Microsoft Forefront) successfully protected me from the malware.

Then I clicked on an email from July 31st that claimed to have details on "Your order from Amazon.com". Again, my AV popped on the attachment.

Then I clicked on an email from August 2nd with the subject "DHL Tracking number 080231". Pop! Virus!

Then I clicked on an email from August 3rd with the subject "Notice of Underreported Incomeir" - "yeah, Incomeir" not Income. Those guys at IRS apparently don't have a spell-checker. Pop! Virus!

Then I clicked on an email that was about four hours old: "You have received a file from (email) via YouSendIt." No warning. So we unpacked the zip file and sent it to VirusTotal. 11 of 42 detections. Note that at VirusTotal, Microsoft was listed as a product that detected the malware, but VirusTotal was running a slightly newer (by a few hours) version of the AV than my laptop. Symantec and Trend and several other "big players" weren't detecting it yet, but I told my audience that this really didn't mean one was better than another; it was more or less a roll of the dice who would be the "first detector."

So, what's going on with all of these new malware attachments? I would describe it as a "Zeus's Greatest Hits" campaign. Some of the most successful "Zbot spreading" spam campaigns are all being re-issued, only as attached-malware spam instead of "sending to website" spam. I've linked previous blog posts about Zeus campaigns to some of the top spam subjects in the list below. If we just look at spam for this week in the UAB Spam Data Mine, we see things like:

515 copies - "An unauthorized transaction billed to your bank account"
16,606 copies - DHL Tracking number #######
353 copies - FDIC has officially named your bank failed bank
17,143 copies - Hello
553 copies - Notice of Underreported Incomeir
10,829 copies - report
2,089 copies - Review your annual Social Security statement
166 copies - SALE OF BUSINESS Document
6,256 copies - Scan from a Xerox WorkCentre Pro N #######
412 copies - Unauthorized ACH transaction
387 copies - Welcome to Friendster
10,852 copies - You have received a file from (email) via YouSendIt.
2,479 copies - You have received an Greeting eCard
1,224 copies - Your Flight Ticket #####
301 copies - Your internet access is going to get suspended
7,513 copies - Your Order with Amazon.com
4,736 copies - YOUR SALE TO CAN PTY LIMITED

How do we know that these emails might be related to one another? The primary reason is how I selected the list that you see above. In the UAB Spam Data Mine, I picked one of the common subjects that are being used to spread this malware, and said "Show me all the email subjects sent from the same IP address as emails which sent me the subject 'You have received an Greeting eCard' and limit myself to only consider emails from August 2010."

All of the subjects in the list above were part of the response. Now, there were also hundreds of thousands of other emails - mostly selling Viagra and watches, but ALL of the subjects above were sent from computers that also sent at least one email with the "You have received an Greeting eCard" email.
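The IP pivot described above, as an added Python example (not the UAB Spam Data Mine's own code): given (sender IP, subject, date) records, it collects the IPs that sent the seed subject in the chosen month and tallies every subject those same IPs sent in that month. The message records are constructed, using documentation-range IP addresses.

```python
from collections import defaultdict
from datetime import date


def pivot_subjects(messages, seed_subject, year, month):
    """Tally subjects sent from any IP that also sent seed_subject in the given month.

    messages: iterable of (sender_ip, subject, sent_date) tuples.
    Returns {subject: count}, counting only messages from that month and
    only from IPs that sent the seed subject at least once in that month.
    """
    by_ip = defaultdict(list)
    for ip, subject, when in messages:
        if when.year == year and when.month == month:
            by_ip[ip].append(subject)
    seed_ips = {ip for ip, subjects in by_ip.items() if seed_subject in subjects}
    counts = defaultdict(int)
    for ip in seed_ips:
        for subject in by_ip[ip]:
            counts[subject] += 1
    return dict(counts)


def related_subjects(messages, seed_subject, year, month):
    """Subjects other than the seed, most frequent first (ties alphabetical)."""
    counts = pivot_subjects(messages, seed_subject, year, month)
    pairs = [(s, n) for s, n in counts.items() if s != seed_subject]
    return sorted(pairs, key=lambda p: (-p[1], p[0]))


SEED_SUBJECT = "You have received an Greeting eCard"

# Constructed sample: two sending IPs that carry the seed subject in August,
# one that carried it only in July (out of window) and one that never did.
SAMPLE_MESSAGES = [
    ("192.0.2.10", SEED_SUBJECT, date(2010, 8, 2)),
    ("192.0.2.10", "DHL Tracking number 080231", date(2010, 8, 2)),
    ("192.0.2.10", "Your Order with Amazon.com", date(2010, 8, 3)),
    ("192.0.2.11", SEED_SUBJECT, date(2010, 8, 4)),
    ("192.0.2.11", "Cheap watches", date(2010, 8, 4)),
    ("192.0.2.11", "Notice of Underreported Incomeir", date(2010, 8, 3)),
    ("198.51.100.5", "FDIC has officially named your bank failed bank", date(2010, 7, 30)),
    ("198.51.100.5", SEED_SUBJECT, date(2010, 7, 30)),
    ("198.51.100.7", "Your Flight Ticket 12345", date(2010, 8, 5)),
]

if __name__ == "__main__":
    for subject, n in related_subjects(SAMPLE_MESSAGES, SEED_SUBJECT, 2010, 8):
        print(n, subject)
```

The unrelated "Cheap watches" subject surfaces too, mirroring the post's note that the pivot also returns the sender's ordinary pharmacy and watch spam.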

What is the malware? If you are "into" MD5s, you can check them out yourself. In the emails above, the technique is to send an executable file inside a ZIP file attached to the email. Here are the most popular '.zip' attachments so far in August, as "copies seen | MD5 of the .zip | attachment name", with the current VirusTotal detection count in parentheses after the name:

11075 | 21c4690e291dfa09cc2eef89501fd9b9 | dhl_viewer (35)
10415 | 3e11b5374aaf019fc091d51be43bfdfc | yousendit_reader (23)
7403 | a170953b22815478083d4853f7ebfe57 | report (33)
6018 | 3a88a7fdeac36395bd6b1f6185b13b2c | report.document.doc (33)
5332 | 57eaeb400b49774533c45099877911f8 | dhl_viewer (33)
4738 | bae1fff9774a4366ef73247fcf6cb394 | 08-05-2010(10).pdf (30)
3234 | d0c9552a39d20576f50bbcdc692a187c | amazon_invoice_viewer (30)
3212 | 8f025c1c63e1d11d3a5444eaba978ce7 | xerox workcentrereader (31)
2509 | ccf81bcb37af7cc0835904ec2a49c6ce | report (33)
1617 | 347d3c44ba6c3f6501406e697170192c | statement (32)
1099 | d8fbbf60aafaf400f008b3b8f2b32a41 | transaction report (28)
736 | 02154aba2c9ad2e2bcbe80b7a31246f3 | ecard (34)
576 | 4fa198977d4d3a10a7282a71cb315955 | invoice_viewer (30)
563 | 5cbcc4e1a1f1c2c37149e8db953213b0 | statement (29)
421 | 58d62a8c7fc5a690d4ff18c752a20eb6 | doc (27)
409 | 1c4031ae6c0e327f86dc4201a3532468 | facebook_passw_31.07.2010 (21)
393 | 7ce7bdbc4ce52261ba2f8773d2c196e7 | statement (27)
371 | 02857e7260d3e73811093c8826efe37e | tax report (28)
367 | 802871fdc77c47ff398de9bae8548635 | invoice_viewer (32)
362 | d410ba8345407ab17f2f3b0c98b225d0 | invoice_viewer (26)
361 | 8f0e7810523e1f9d715f951150e9c845 | tax statement (29)
341 | 5eab651ded4b0f9f949beac0dda62146 | report (28)
275 | 0acdecd08273284ce26cd99a0beed1fe | tax statement (33)
202 | 83234d04953e4b8e3f5688ec62567fe1 | changelog_30.07.2010 (35)
198 | 9a02b55cb88acf80b840504d672c21da | resume (23)
179 | d747c2928f1205c69e459b308a35fe1e | transaction report (14)
177 | 8b357aca247a729e07f0ee935c578c81 | transaction report (33)
175 | d5083f3dfefe3d6a9dc3ccd9c2fd622f | changelog_30.07.2010 (26)
138 | 3100bc960f80e8b078c3f8dd6d53de7b | dhl_tracking_ (24)
76 | 5e5b596bdf2f39b1fdfeb23821c75f41 | dhl_viewer (2)
73 | 68b13b6ecbb24322c9fe183b064eef9d | financial summary.xls (27)
51 | 5667dba64be7749c23148b564303fd11 | invoice (11)
37 | 5f2515a06e45acf9e3429ed78447e6a7 | core business advice notice ccc[1].doc (12)
33 | bbc7b06a0f0e6b09b8b7b07f3dab3b6b | statement (7)
31 | 489e4d09253414a8884fcf70326c81b9 | 090508 ccc equipment inventory v4.xls (11)
30 | 477a292406bfbbc474c35efdc92462a6 | business report.doc (12)
30 | 5bd1fb667558da6945518c28d485a37d | tax report (31)
28 | aaead684fe45133c628d3388451b7b6e | invoice_viewer (29)

The ones with low counts are mostly going to be either the very newest versions or ones that were mainly sent in July and tailed off early in August.

Some detection rates are pretty good ... for instance, that final "invoice_viewer" was first seen on August 5th (yesterday) and currently has 29 of 42 detections at VirusTotal. The number in parentheses after each attachment name is its VirusTotal detection count RIGHT NOW. See the 7 and the 11? Remember that detection is WORST when the email is FRESH, and some of these have been circulating since August 1st.
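If you want to build a tally like the one above from your own mail, the work is: pull each .zip attachment out of the message, hash its bytes, count by hash, and peek inside to see whether the archive carries an executable. This is an added example of mine, not the tooling behind the table; the "mailbox" is a few messages constructed in the block, and the executable is a fake that only has an MZ header. The VirusTotal column is left out because that is a lookup against a live service.

```python
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Member names that mean "this zip carries a program, not a document".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def zip_attachments(raw_message):
    """Yield (filename, raw bytes) for each .zip attachment of one RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            yield name, part.get_payload(decode=True)


def member_names(zip_bytes):
    """Names inside the archive, or [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def tally(raw_messages):
    """Group zip attachments by MD5: {md5: {"count", "name", "executable"}}."""
    seen = {}
    for raw in raw_messages:
        for name, data in zip_attachments(raw):
            entry = seen.setdefault(md5_hex(data), {"count": 0, "name": name, "executable": False})
            entry["count"] += 1
            entry["executable"] = any(
                m.lower().endswith(EXECUTABLE_SUFFIXES) for m in member_names(data))
    return seen


def report(seen):
    """Lines in the 'count | md5 | name' layout used in the table, busiest first."""
    rows = sorted(seen.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return [f'{v["count"]} | {md5} | {v["name"]}{" [exe inside]" if v["executable"] else ""}'
            for md5, v in rows]


# --- constructed sample mailbox (invented messages, not captured spam) -------
def _zip_with(member, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def _message(subject, attachment_name, zip_bytes):
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("Please open the attached file.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


# A fake "viewer" (an MZ header stands in for a Windows executable) and a
# harmless picture; each zip is built once so repeated sends hash identically.
DHL_ZIP = _zip_with("dhl_viewer.exe", b"MZ" + b"\x00" * 62 + b"not really a program")
PHOTO_ZIP = _zip_with("accosting.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)

SAMPLE_MAILBOX = [
    _message("DHL Tracking number 1234567", "dhl_viewer.zip", DHL_ZIP),
    _message("DHL Tracking number 7654321", "dhl_viewer.zip", DHL_ZIP),
    _message("DHL Tracking number 1112223", "dhl_viewer.zip", DHL_ZIP),
    _message("Your private photo attached", "accosting.zip", PHOTO_ZIP),
]

if __name__ == "__main__":
    for line in report(tally(SAMPLE_MAILBOX)):
        print(line)
```

Note that the hash is of the .zip itself, which is what the table above lists; if you want to match the executable inside against a vendor's signatures you would hash the extracted member instead, since the same .exe can be re-zipped into many different archives.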

What about RIGHT NOW?

I'm going to scan the next two email-attached zips that arrive and show you the detection rates for FRESH email-delivered malware.

Oh - since the three most recent ".zip" attached emails were in this category, I'll mention this here. Another current email-delivered .zip campaign is "Your private photo attached" and contains a zip named with a random word (my last one was "accosting.zip"). It had zero of 42 detections at VirusTotal as a zip file.

That's because it's not malware. It's the "randomly created image" telling me that I should buy pills from "yes82.ru".

Here are some of the emails from the campaign above:

Wednesday, August 04, 2010

PhacePhish: New Facebook Attack gives a One-Two Punch

Tonight I had a message from one of my Facebook friends who was concerned that someone may have hacked her Facebook account. She was worried that she might get a virus by looking at the links they had posted on her behalf. I assured her not to worry -- if her Facebook account was sending links to other people's walls, she probably already had a virus. After digging a bit deeper, I'm not so sure.

The "One-Two" punch of this current Facebook attack is similar to some of the spamming malware. Some of the messages it sends are to generate profit for the cybercriminal, and some of the messages are to infect more users to build the criminal's delivery network.

Here is the first type of message -- the "profit" message:



This reminds me of a current "work at home mom" trend that some of my other friends are engaging in. There really is a weight loss multi-level marketing scheme right now where the participants are encouraged to make a website telling about "the plan" and then are told that making money is as easy as following the plan yourself and posting your weight loss reports to all your Facebook friends. (Hope you're happy and skinny, DG; I wouldn't know, I blocked you on Facebook as soon as you started that crap!)

What happens if you follow the link? The link doesn't go to my friend's weight loss page. It goes to an Acai Berry affiliate sales "news" page that is supposed to look like a real "news" site that just happens to be featuring a story about the miracle of the Acai Berry.



Clicking anywhere on the "news" page takes you first to an affiliate tracker page:

tracker.cpaprosperity.net/affe?offer_id=500&aff_id=1161

and then to the sales page for their diet plan:

acaioptimum.com/?afil=az1007

The diet scam page is hosted by Black Rock Hosting on the IP address 64.38.201.205.

That was the "One" . . . here comes the "Two" of our One-Two Punch:



What's the other important purpose for Facebook besides getting your friends to join your Multi-Level Marketing Weightloss plan? Sending stupid videos to one another, right? Everyone knows that when one of your friends posts a link, you are required to immediately click on it, and then click the "Like" button. This is how people know that we are their friends. We "Like" all their stupid videos.

(Actually, I'm a big Facebook fan. My family communicates like crazy with it, and I enjoy sharing pictures with my friends and playing Bejeweled Blitz. But this is the part where I'm supposed to be all sarcastic...)

So, when my friend BG posted this message to all of her friends' walls, what would happen if they clicked on it?

The first thing is that it sends you to a website called "securitymeassures3.co.tv". That page calls some JavaScript to find out what country you are in:



If you are in the US, you then load the webpage "explororjones.com/deel/deeus/"

If you are anywhere else in the world, you then load the webpage "explororjones.com/deel/deeint/"

Either way, the page that loads looks like this:



WAIT! How did I get logged out of Facebook? (you are supposed to say to yourself...) and then you quickly type in your userid and password for Facebook on this other page, which is actually at "explororjones.com".

ExplororJones is hosted on that excellent Netherlands hosting company Worldstream. I don't recall Facebook moving their operations there. When a web page that isn't really the company you are trying to log in to tries to convince you to log in on its fake page, we call that phishing.
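The tell here is mechanical: a page dressed up as Facebook has a password form that posts somewhere that is not facebook.com. That is something you can check in a few lines, so here is an added example of mine (not anything from the post, the phishing kit, or Facebook): parse the HTML, find every form with a password field, resolve where it submits, and compare that host with the brand the page claims to be. The markup is an invented look-alike of the "logged out" page, and the domain comparison is a crude last-two-labels heuristic rather than a real public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Last two labels of a hostname.  A crude stand-in for a public-suffix
    lookup: wrong for names like example.co.uk, good enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def credential_sinks(page_url, html):
    """Hostnames that each password form on the page would send credentials to."""
    parser = _FormCollector()
    parser.feed(html)
    sinks = []
    for form in parser.forms:
        if form["password"]:
            target = urljoin(page_url, form["action"])  # empty action posts back to the page itself
            sinks.append(urlsplit(target).hostname or "")
    return sinks


def phishing_findings(page_url, html, brand_domain):
    """One finding per password form whose destination is not the brand the page
    claims to be.  An empty list means every login form posts to brand_domain."""
    findings = []
    for host in credential_sinks(page_url, html):
        if registrable_domain(host) != registrable_domain(brand_domain):
            findings.append(f"login form posts credentials to {host}, not {brand_domain}")
    return findings


# Constructed look-alike of the fake "you were logged out" page, served from a
# domain that is not facebook.com.  Invented markup, not captured from the site.
FAKE_LOGOUT_PAGE = """
<html><body>
<h1>Facebook</h1><p>You have been logged out. Please log in again.</p>
<form method="post" action="login.php">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed control: a login form that posts to the brand's own domain, plus a
# search form with no password field, which should be ignored.
GENUINE_STYLE_PAGE = """
<html><body>
<form method="post" action="https://login.facebook.com/login.php">
  <input type="text" name="email"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print(phishing_findings("http://explororjones.com/deel/deeus/", FAKE_LOGOUT_PAGE, "facebook.com"))
    print(phishing_findings("https://www.facebook.com/login.php", GENUINE_STYLE_PAGE, "facebook.com"))
```

The check only answers "where do the credentials go", which is the one thing a look-alike page cannot fake; it says nothing about whether the page looks like Facebook, and a kit that posts through JavaScript instead of a plain form action would need the script inspected as well.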

That's why I'm calling this particular attack "PhacePhish" - most phishing attacks start with a spam message that sends you a scary reason that you really need to log in to your bank RIGHT NOW. This one starts with a spammy Facebook message instead.

Sooo...does my friend have a virus?

No, it's very probable that my friend clicked on a "funny baby" or some other leading video in one of her friends' Facebook posts, believed she had been logged out of Facebook, and logged back in, giving her password to the criminals. The criminals can then log in as my friend and repost the message on all of her friends' Facebook pages. If they fall for it, then they'll tell their friends, and they'll tell their friends, and they'll tell their friends, and pretty soon we'll all be skinny and rich! Happy ending!

I'd call my friend and tell her all of this, but it's 3:00 AM. I'll let her sleep a bit more while the criminals spread their message through her Facebook account. Wonder if the Facebook guys are awake . . . hmmmmmmmm....