Thursday, March 26, 2020

Following Putin Order, FSB Cracks Down on Russian Credit Card Marketplaces

Earlier this week I was chatting with one of the top experts on Russian Cybercrime (who has asked to remain anonymous here).  We were discussing the news that was released on 24MAR2020 that the FSB had raided 62 addresses in 11 regions of Russia arresting cybercriminals for their involvement in the online sales of stolen credit cards.

There are some GREAT videos of the FSB in action ... this first one from Gazeta.ru





According to the Gazeta articles, the FSB arrested 30 members of an online hacking group, including programmers from Ukraine and Lithuania.  Twenty-five were charged with "Illegal circulation of a means of payment," which in Russia is a violation of Section 2 of Article 187.  Region15.ru adds that the raids were conducted at 62 different addresses, including operations in Crimea, North Ossetia, Kaluga, Leningrad, Moscow, Pskov, Samara and Tambov, Moscow, St. Petersburg, and Sevastopol.

An embeddable image (same video) from Kuban.kp.ru shows image after image of those being arrested in the raids ..



More than $1 million USD and 3 million Rubles were seized, as well as computer equipment, firearms, drugs, gold bullion and precious coins.  Many fake identity documents were also seized, including Russian Federation passports and counterfeit law enforcement officer IDs.  Several of those arrested had been previously prosecuted for similar crimes. Russia Today's coverage of the story cites a December 2019 report by Sberbank saying that criminals frequently convince victims to give up their card details through social engineering by telephone.  They also mention that in October at least 60 million Sberbank credit cards were being traded on the black market.  The FSB arrested a criminal who used the name "Anton 2131" and lived in Volgograd in connection with some of that data.

Other coverage by Scandaly.ru indicated that at least 15 men and 1 woman among the arrested were held without bail in a Moscow court, being accused of serious crimes that would have sentences of at least 7 years.  That article also mentioned that most of the 90 criminal marketplaces run by these criminals were taken offline on March 18th and March 19th.  FSB investigators are now going through these servers to identify "wholesalers." They say they are interested in any customers who purchased more than 500 credit cards from the shops.

A CyberCrime Crackdown in Russia?  What Happened?

When I asked my Russian Cybercrime Expert friend what was behind the large volume of raids, his reply was direct:  President Putin.  He shared with me this article from duma.gov.ru:

Вячеслав Володин принял участие в расширенном заседании коллегии Генеральной прокуратуры РФ  (Vyacheslav Volodin took part in an expanded meeting of the board of the Prosecutor General of the Russian Federation)


As President Putin addressed the board of the Ministry of Internal Affairs, he charged them strictly that they needed to pay "constant attention to the Internet" and "work to identify the organizers and instigators who should be deservedly punished" for their crimes.  The Duma article said it like this:

"[President Putin] demanded that law enforcement agencies develop a system to combat cybercrime. Speaking at an enlarged meeting of the board of the Prosecutor General’s Office of the Russian Federation, he noted that in recent years “extremely negative dynamics have been recorded in crimes related to the use of information technology”.

“I’m asking the Prosecutor General’s Office, together with the Ministry of Internal Affairs and other relevant structures, to analyze how efficiently the work in this area has been built, how the available procedural capabilities are being used, and in general I’m asking for a system, a set of measures to reduce the number of such crimes,” the head of state said.

Guess what happens when President Putin orders the Prosecutor General to do something to reduce the number of cybercrimes in Russia?  The FSB gets to work arresting people!

Russian Credit Card Criminals Detained

While the names of those arrested were not listed in any article, it was fairly simple to pull them together, once my Russian colleague showed me the ropes of the "mos-gorsud" site where federal charges are tracked.  By searching for "Article 187 Section 2" and limiting my scope to people arrested in March 2020, I came up with this list of likely players:

  • Шувалов А.В - Shuvalov A.V. -  in court 20MAR2020 - 77RS0027-01-2020-004928-65
  • Светличный Л.И. - Svetlichny L.I. - in court 21MAR2020 - 77RS0027-01-2020-004942-23
  • Малинин М.А. - Malinin M.A. - 20MAR2020 - 77RS0027-01-2020-004935-44
  • Строганов А.Т. -  Stroganov A.T.  - 20MAR2020 - 77RS0027-01-2020-004934-47
  • Ахметов В.А. - Akhmetov V.A. - 21MAR2020 - 77RS0027-01-2020-004946-11
  • Селиванов Г.В. - Selivanov G.V. - 20MAR2020 - 77RS0027-01-2020-004924-77 
  • Карпунин С.В. - Karpunin S.V. - 20MAR2020 - 77RS0027-01-2020-004936-41
  • Федотов И.О. - Fedotov I.O. - 20MAR2020 - 77RS0027-01-2020-004933-50 
  • Галкин А.В. - Galkin A.V. - 20MAR2020 - 77RS0027-01-2020-004929-62 
  • Синицын А.В. - Sinitsyn A.V. - 21MAR2020 - 77RS0027-01-2020-004944-17 
  • Смирнов А.М. - Smirnov A.M. - 21MAR2020 - 77RS0027-01-2020-004937-38 
  • Бобин А.С. - Bobin A.S. - 20MAR2020 - 77RS0027-01-2020-004926-71 
  • Мерлин Э.А. - Merlin E.A. - 21MAR2020 - 77RS0027-01-2020-004925-74 
  • Белай В.В.  - Belay V.V.  - 21MAR2020 - 77RS0027-01-2020-004945-14 
  • Васильев Р.Р.  - Vasiliev R.R. - 21MAR2020 - 77RS0027-01-2020-004943-20
  • Юшковский А.А. - Yushkovsky A.A. - 20MAR2020 - 77RS0027-01-2020-004897-61

Now my challenge, gentle reader, what were the hacker names of these individuals, and what shops did they run?  Please comment below or message me if you have more details!

Updates As We Find Them



Строганов is Alexey Stroganov aka Flint24 according to this post by Brian Krebs - Russians Shut Down Huge Card Fraud Ring

Селиванов is Gerasim Selivanov aka Gabrik according to the same post.

Some of the sites known to be offline now are MrWhite[.]biz, BingoDumps, DumpsKingdom, GoldenDumps, HoneyMoney, and HustleBank. 

Krebs also had the link to the FSB announcement from 24MAR2020


CyberScoop.com's piece, Rare cybercrime enforcement in Russia yields 25 arrests, shutters 'BuyBest' marketplace, mentions Flint24 as well and suggests that wuzzup[.]com, dumpsmania24[.]com were also part of the takedown. BuyBestCC and BuyBestBiz were two of the many mirror sites.

GeminiAdvisory's story "FSB Takes Down Top-Tier Marketplace, Arrests Admins" mentions that Flint24 was a character in Sergey Pavlovich's book, "How to Steal a Million." They also list a couple of additional BuyBest mirrors, BinGo and Yohoho.

Sunday, March 22, 2020

CAUCE Spamfighters Rally Against Corona Health Fraud Affiliate programs

My email box is full of Coronavirus / COVID-19 frauds and scams.  I have Corona malware disguised as product catalogs.  I have fake World Health Organization emails asking me to donate my Bitcoin to them.  I have more than 30 fake breathing mask selling websites that my friends at ScamSurvivors and AA419 are helping to track.  But you know what makes me REALLY MAD?

The monsters who are using the same fake news websites to drive their affiliate-marketing program scams to sell Immunity Oil to people who are desperate to protect their families and loved ones.  As a member of the CAUCE Board (the Coalition Against Unsolicited Commercial Email) I immediately reached out to Neil Schwartzman, my personal spam fighting hero and the founder of CAUCE.  Even though we both know these are the same snake oil charlatans who have been in the spam business for a decade, perhaps now that they are putting people's lives in true danger someone will finally do something to shut these scammers and spammers down.  (Note, I'm not speaking for CAUCE here, I'm just mentioning that I'm proud to fight spammers with them.)

The first claim we'll face, of course, is that "we don't claim that our product fights the Corona Virus."

My first refutation would be the email subjects being used to spam their products.  The first email I got yesterday was this one, with the subject "Protection From Corona Virus With Immunity Oil"

Delivery-date: Sat, 21 Mar 2020 17:06:42 -0500
Received: from [49.12.47.247] (port=47288 helo=urrmwipzqlpakl.xyz)
From:Miracle Virus Oil 
Subject:Protection From Corona Virus With Immunity Oil
https://malkommal.ams3.digitaloceanspaces.com/immcoronfgdf.htm

Here's the screenshot of the email message I received this afternoon.
Please note the email subject:
"Fight back against the coronavirus outbreak! Pure Herval Total Defense Immunity Blend"



Visiting many of the spammed URLs directly will result in 404 pages, because they have to be reached through the correct chain of referring URLs; that is one defensive measure on the spammers' part that Spamfighter Schwartzman and I are well accustomed to.

The latter email contains the URL: 

which in turn forwards to 

The "CID", "AFID" and "SID" parameters are the Campaign ID, the Affiliate ID and a sub-ID. Affiliate 428186 is the one who will get paid for this sale, if I were stupid enough to buy it.  The Campaign ID is necessary, because the company is marketing the product with many different labels and "look and feel" packaging.  For example, some of the Immunity Blend claims to be a "CBD Oil" that protects you from Corona Virus because CBD has anti-inflammatory properties ... like this ad, which claims it is a "Corona Mom Advertorial."


No matter which of the fake Immunity Blend appeals you start with, you'll end up (currently anyway) on the website Apusserum.com ... one of my click-throughs had this targeting label set:



Notice the little pop-ups in the bottom left ... messages popping up non-stop about all of the other customers buying this stuff non-stop!

Clicking through from a different affiliate, I end on a different looking sales page, but clearly the same product being sold in a different bottle.





The claims made on the "orange cap" version are shown here; the short version: you can clean your counters, purify the air, and "boost your immunity" by using it as a skin cream. The Essential Oil Mommies will love this stuff; it has Cinnamon Leaf, Lemon, Clove Bud, Lime, Eucalyptus Globulus, Rosemary, Peppermint, Spearmint, and Oregano.  None of which, last I checked, is an alcohol-based disinfectant or an anti-viral.

Of course they are carefully saying NOTHING about it treating viruses of any sort on the actual product page.  We'll just put a huge coronavirus image on the page as a pretty medical picture without making any claim about that.

The stuff that sounds like science there is from the same source that was used to sell essential oil / snake oil during the H1N1 flu scare in 2010 (one such product was called "On Guard").  If you'd like to read the article, it's here:  Protective essential oil attenuates influenza virus infection: An in vitro study in MDCK cells.

Fake Fox News?

No matter which entry point you use to get started, whether a link in one of the many spam messages or a link from social media (we've found sellers on both Twitter and Facebook, and reported them for removal), the first site you visit will be a pseudo-news site that SEEMS to be somehow related to Fox News, without EXACTLY saying that.  While it isn't saying you are on Fox News, it gives the byline for this story to "Janine Puhak | Fox News"; at the bottom of the page it repeats this by providing Janine's Twitter handle, @JaninePuhak; and beneath the first main photo it says "Fox News Flash Top Headlines for March 23, 2020" and "Check out what's clicking on FoxNews.com."

Examples: www.mynutritionalnews.com/fox_virusout/ or dailyxhealth.com/us-cv-1/
(Note that you may need to be "referred" from the right URL for this content to load.)
While some of the sites have hidden the Fox News logo, others have not.  This one still has it, for example:
https://www.outbreakliveupdates.com/foxnews_outbreak/ (with affid=428139&subid=6606)
Others had gone even further to "De-Fox" themselves:

https://www.healthy-tips.life/healthytips_cor/
Healthy-Tips.life changed the logo and byline to be "World Break News" without changing a single word of the article.
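Tying the differently-branded "news" pages back to the affiliate who gets paid is the practical use of the CID/AFID/SID parameters described above. As an added example (my code, not from the post and not from any affiliate network), here is a small Python routine that pulls those tracking parameters out of spammed landing-page URLs and groups the links by affiliate ID and by campaign ID. The sample spam text and the parameter-name aliases are assumptions; only the affid/subid values 428186, 428139 and 6606 are quoted in the post.

```python
"""Pull affiliate-tracking parameters out of spammed landing-page URLs and
group the links by who gets paid (added example, not from the post).  The
parameter-name aliases and the sample spam text are assumptions; only the
affid/subid values 428186, 428139 and 6606 are quoted in the post."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Networks spell the three IDs from the post differently; fold them into one
# canonical name each (the alias list is an assumption, extend as you see more).
PARAM_ALIASES = {
    "cid": "campaign_id", "campaign": "campaign_id",
    "affid": "affiliate_id", "aff_id": "affiliate_id", "afid": "affiliate_id",
    "sid": "sub_id", "subid": "sub_id", "sub_id": "sub_id",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def harvest_urls(text):
    """Every http(s) URL in a blob of text such as a spam body."""
    return URL_RE.findall(text)


def extract_tracking(url):
    """Return (host, {canonical_name: value}) for the tracking params in url."""
    parsed = urlparse(url)
    found = {}
    for name, values in parse_qs(parsed.query).items():
        canon = PARAM_ALIASES.get(name.lower())
        if canon and values[0]:
            found[canon] = values[0]
    return parsed.hostname or "", found


def group_by_param(urls, canonical_name):
    """Map one tracking ID (e.g. 'affiliate_id') to the sorted hosts carrying it."""
    groups = defaultdict(set)
    for url in urls:
        host, params = extract_tracking(url)
        if canonical_name in params:
            groups[params[canonical_name]].add(host)
    return {value: sorted(hosts) for value, hosts in groups.items()}


# Constructed sample: three spam bodies pointing at differently-branded "news"
# pages.  Hosts ending in .test are reserved example names, not real sites.
SAMPLE_SPAM = """\
Subject: Protection From Corona Virus With Immunity Oil
https://www.outbreakliveupdates.com/foxnews_outbreak/?affid=428139&subid=6606
Subject: Fight back against the coronavirus outbreak!
https://mom-advertorial.test/cv/?CID=71&AFID=428186&SID=12
Subject: Protect your family today
https://world-break.test/story/?cid=71&affid=428186&sid=13
"""


if __name__ == "__main__":
    urls = harvest_urls(SAMPLE_SPAM)
    print("by affiliate:", group_by_param(urls, "affiliate_id"))
    print("by campaign:", group_by_param(urls, "campaign_id"))
```

Grouping by campaign_id is what exposes the "many labels, one product" structure: two hosts with different branding collapse onto campaign 71, while the affiliate grouping tells you which spammer to report to the network.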

The Second Scam 

The first scam is that you are buying a fake product that you think will help you with Corona Virus.  The second scam is that they are going to bill you more, and more often, than you expect; based on the Better Business Bureau complaints against many other companies run by the same outfit at the same address, this will probably happen to you as well.

The product Terms and Services says that if you don't cancel your order within the allotted time, you'll start being billed $89.95 per month on the credit card you provided at the time of the order.  The company named in the Terms and Services is:

Finest Herbalist
PO Box 534
Pleasant Grove, UT 84062

The "Contact Us" page gives this information:

Contact Us
You can contact Finest Herbalist Customer Service for any questions, comments, or testimonials.

Phone: 1 (844) 899-2977
Email: help@finestherbalist.com
Hours of Operation: 8am to 8pm EST daily


A company named "Herbalist Oils" that coincidentally is also at PO Box 534 in Pleasant Grove, Utah, has an "F" grade from the Better Business Bureau with complaints such as these:


07/20/2019
Herbalist Oils, also known as First Class Herbalist CBD, of 4Bush Holdings, LLC is a scam. They offer a free bottle of CBD oil and later I found out my bank account to be charged over 200.00 plus 89.99 thereafter for a subscription that I was unaware of for "Deep sleep" roll on. I contacted them via email many times and they did not answer. There is nowhere on their website page that states this is a monthly subscription or that one will be charged more than the shipping fee for a free bottle of CBD oil. They ended up sending me 6 bottles of CBD oil. The oil is substandard and does not live up to its claims, however, I thought like some medications one might need to wait a few weeks for it to work....it never did. I then ended up receiving a bottle of deep sleep again and thought that this was another mistake on their behalf. I wrote them an email regarding this but I heard nothing back. After a few more months of this bottle being sent to me and not being able to get a return email from them, I finally called customer service. On the first phone call, I was told the subscription was canceled and my bank was never charged. Subscription? This is the first I heard of any subscription. I then reviewed my bank statements and found indeed I was charged monthly as well as being charged over 200.00 initially. I called their customer service again and after some discussion, I was able to get two months of the 89.00 charges refunded. They stated since it's over the 30 day refund time no other refund will be allowed. The refunds never showed up in my bank account.

Curiously, there are even more businesses at PO Box 534 in Pleasant Grove, Utah.  In fact, there are at least 45 Better Business Bureau complaints in the past 3 years for businesses at that address, including:

  • Keto Ultra Diet
  • Manifest Health Plan
  • Primal Pro Wellness
  • Sunshine Heath and Wellness
  • Plant Pure Diet and Beauty
  • Tru Slim Living
A summary of the 45 complaints against them is available from the Better Business Bureau website.  But they all say basically the same thing.  "I thought I was getting a free trial product for $4.95 shipping, but then they charged me $89.95 (or other numbers, up to $200) and I couldn't get them to stop!"


Other businesses at the same address include: 

Keto Trim Diet
Keto Melt & Trim 800 
Keto Pro Diet 
Forskolin Trim Diet 
Body Performa Keto 
Healthy Rapid 
Ansa Naturals Online 

So how does the Affiliate program work?  First, you need to sign up for a slimy affiliate program.  Most of the CoronaVirus spam that you are getting right now probably comes from affiliaXe, an affiliate program that clearly doesn't care whether its affiliates are selling real products or snake oil, and doesn't mind paying people a commission to get others caught in credit card no-refund scams.  Take a look at your CoronaVirus spam ... then look at the products AffiliaXe is marketing.


That's some of my Corona Virus spam for the past day ... big spammers: Breathing masks, Germidin, and Thermosense "touchless" thermometers. Everybody has an affiliate program. H8M8.  Konex. 






Masks, Wipes, Germidin, SafeMasks, UV Cleaners, Smart Sanitizer Pro, Immunity Blend (as above) and the Survival CoronaVirus Pandemic Guide are the top programs looking for spammers (oops! I mean Affiliates!) at AffiliaXe right now ... 

Why are so many people pushing Immunity Blend right now?  Well, of all the products at AffiliaXe, it's the only one offering a $90 Commission for your first sale!   Compare below:


If you visit the live AffPlus site, each of those lines has a "link" icon appear when you hover over it.  So, yes, we can confirm that clicking the "preview link" on the Immunity Oil affiliate program from AffiliaXe really does take you to the Apus Serum website as above ( https://apusserum.com/os-immune ).   And since every AffiliaXe affiliate has to upload a photo of their driver's license to join the program, it should be pretty easy for someone who cares about these scammers to shut them down.

Some of those other sites in this affiliate program are:

https://buywowx.com/
https://www.getlifeprotectx.com/
https://www.getsafemask.com/
https://www.getlifeprotectx.com/
https://hyperstech.com/intl_5/order.php?prod=uvcleanizerzoom
https://hyperstech.com/intl_5/order.php?prod=smartsanitizerpro
https://apusserum.com/os-immune
https://shopsafemask.com/
https://hyperstech.com/intl_5/order.php?prod=oxybreathpro
https://offer.premiumslimdiet.com/khs-beach-mcc/



Thursday, March 05, 2020

What sites is Trickbot targeting?

It's been a while since we decoded Trickbot configs to see what banks and organizations were being actively targeted.  While recently most of the news about Trickbot has been how it drops the Ryuk Ransomware, and that is certainly important, we can't forget that Trickbot is first and foremost a Banking Trojan / Infostealer that is designed to steal website credentials from infected users.  While there are many fascinating add-on modules that perform other actions, such as inventorying the network on which an infected machine resides, attempting to dump Windows Domain credentials, and launching remote control backdoors, THE DEFAULT BEHAVIOR IS TO STEAL WEBSITE CREDENTIALS.  Every website where the user types data has that data captured and sent to the Trickbot operators, but certain websites are specified for more nuanced interactions, which could be to only steal data from particular sub-pages, or could be to alter the appearance of the website to request additional data not being asked for by the website.  This latter behavior is called a "Web Inject" and on Trickbot, they are listed in an encrypted file named "dinj" for "Dynamic Injections."

Like many malware researchers, I use the fantastic tools developed by @hasherezade to help decode the configuration files of Trickbot to see what the current collection of URLs in the DINJ file is targeting.

DINJ file breakdown (04MAR2020 by @GarWarner)
The DINJ file for Trickbot contains lists of URL patterns labeled with markup tags.
In the file I used for this analysis, updated from the Command & Control on 04MAR2020, there were 84 "igroups" containing 329 URL patterns, targeting 131 named domains.

In the current DINJ file, the most common target is Japanese banks and financial institutions.  Each of the 41 URLs below was for a Japanese organization:

82bank.co.jp, aeon.co.jp, aeonbank.co.jp, amazon.co.jp, anser.ne.jp, awabank.co.jp, bk.mufg.jp, chibabank.co.jp, chugin.co.jp, chushin.co.jp, daishi-bank.co.jp, eposcard.co.jp, fukuokabank.co.jp, gogin.co.jp, gunmabank.co.jp, higobank.co.jp, hirogin.co.jp, hokkokubank.co.jp, hokuyobank.co.jp, jaccs.co.jp, juroku.co.jp, keiyobank.co.jp, lifecard.co.jp, michinokubank.co.jp, miyagin.co.jp, mizuhobank.co.jp, mufg.jp, ncbank.co.jp, orico.co.jp, pocketcard.co.jp, rakuten.co.jp, ryugin.co.jp, saisoncard.co.jp, shinkin-ib.jp, shinwabank.co.jp, shizugin.net, shizuokabank.co.jp, shokochukin.co.jp, tominbank.co.jp, tsukubabank.co.jp, vpass.ne.jp, yamagatabank.co.jp

US Banks were second in popularity:

53.com, ally.com, amegybank.com, americanexpress.com, bankofamerica.com, bmo.com, capitalone.com, ccservicing.com, chase.com, citizensbankonline.com, cu1.org, discover.com, ebanking-services.com, efirstbank.com, firelandsfcu.org, huntington.com, ibanking-services.com, iccu.com, iconnectdata.com, key.com, mtb.com, navyfederal.org, nbarizona.com, onlinebank.com, paypal.com, pnc.com, regions.com, secureinternetbank.com, suntrust.com, usaa.com, usbank.com, vancity.com, vectrabank.com, zionsbank.com


Followed by German Banks:

bawagpsk.com, berliner-bank.de, comdirect.de, commerzbank.de, consorsbank.de, deutsche-bank.de, haspa.de, ing-diba.de, ing.de, lzo.com, norisbank.de, postbank.de, raiffeisen.at, santander.de, sparda.de, targobank.de

Some of the other targets were especially interesting to me.

The Brokerages:
Ameritrade.com, eTrade.com, Schwab.com

The Big Retails:
Amazon.com, BestBuy.com, CostCo.com, eBay.com, Grainger.com, SamsClub.com

The CryptoCurrency Exchanges/Companies:
Binance.com, BitFinex.com, BitStamp.com, Blockchain.com, CoinBase.com, CoinMarketCap.com, CryptoCompare.com, DogeChain.info, Kraken.com, Paxful.com

And two Payroll companies, which may be especially interesting as we are in Tax Season in the USA.  Curiously these two are both part of the same "igroup":
ADP.com and Paychex.com

Especially since they are targeting ADMINISTRATORS of those Payroll systems, based on the strings I'm seeing:
*runpayroll.adp.com/*
myapps.paychex.com/*_remote/*

If you are curious to see more of the current DINJ file, I've shared it as a PasteBin file here:

GarWarner's Trickbot DINJ file 04MAR2020
(updated URL: Pastebin removed the first one, trying again.)

URL Patterns in Trickbot DINJ

Some patterns do not identify a domain, such as the pattern "https://.*.de/privatkunden/*" (which says "we don't care which German bank we're looking for, but if they have a URL that includes 'private customers', go ahead and grab stuff from there").  The pie chart above only maps organizations where a full domain was identified.

Remember that the default is GRAB EVERYTHING, but URLs with specific strings on a site will be sent back to the criminals "tagged for action" making it easier for them to harvest and take action on those pages.  Here's an example of URLs related to NavyFederal:

So, while there may be many other places on the NavyFederal website that request user interaction, three particular URL patterns are targeted for prioritized collection.  The "s=" number tells which iGroup the URL belongs to (all of the URLs in 1535723065134935 belong to Navy Federal), and the "id=" tells what sub-URL the visitor was on when they submitted this particular data.

The "Ignore-Mask" flag can be used to tell Trickbot not to gather particular data (for example, in the NavyFederal block above, it says to ignore everything related to Javascript and Stylesheet pages), or to say "don't gather this data as part of the current LM, because we already got it elsewhere," as seen in this NorisBank block:

In this iGroup for NorisBank, there are three specific patterns that each extract data to a particular location, so when the generic pattern "*norisbank.de*" is used, it instructs the bot not to include those subURLs that have already been captured separately.
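To make those matching semantics concrete, the following Python is an added example (mine, not Trickbot code and not from the post) that classifies URLs against igroup-style pattern lists with an ignore mask, preferring the most specific pattern the way the NorisBank block above implies, and that extracts the named domain from each pattern so patterns like the ".de/privatkunden" one drop out of a domain count, as in the pie chart. Assumptions: "*" is the only wildcard and everything else is literal, patterns are compared against the URL with its scheme removed, and the igroup ids and masks other than the ones quoted in the post are constructed.

```python
"""Classify URLs against Trickbot-style DINJ URL masks (added example).
Assumptions (not from the post): '*' matches any run of characters and every
other character is literal; masks are compared against the URL with its
scheme removed; ignore-mask entries use the same syntax.  Group ids other
than the Navy Federal one quoted in the post are constructed."""
import re


def strip_scheme(url):
    """Drop 'https://' (or any scheme) so masks without a scheme still apply."""
    return re.sub(r"^[a-z][a-z0-9+.\-]*://", "", url, flags=re.IGNORECASE)


def mask_to_regex(mask):
    """Turn a '*' wildcard mask into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in strip_scheme(mask).split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def literal_length(mask):
    """Specificity score: the more literal text a mask carries, the more specific."""
    return len(mask.replace("*", ""))


def named_domain(mask):
    """Host named by a mask, or None when the host part itself contains a wildcard."""
    host = strip_scheme(mask).lstrip("*").split("/", 1)[0].lower()
    if not host or "*" in host:
        return None
    return host


# Constructed config in the shape the post describes: each igroup has its
# targeted masks and an ignore mask.  The ADP, Paychex and NorisBank masks and
# the Navy Federal igroup id are the ones quoted in the post; the rest is made up.
DINJ = [
    {"igroup": "1535723065134935",  # Navy Federal
     "patterns": ["*navyfederal.org/*", "*navyfederal.org/*signin*",
                  "*navyfederal.org/*transfer*"],
     "ignore": ["*.js*", "*.css*"]},
    {"igroup": "payroll-demo",       # ADP and Paychex share one igroup
     "patterns": ["*runpayroll.adp.com/*", "myapps.paychex.com/*_remote/*"],
     "ignore": []},
    {"igroup": "noris-demo",         # specific sub-URLs plus a generic catch-all
     "patterns": ["*norisbank.de/login*", "*norisbank.de/transfer*",
                  "*norisbank.de*"],
     "ignore": ["*.js*", "*.css*"]},
]


def classify(url, config=DINJ):
    """Return (igroup, mask) for the most specific matching mask, ("IGNORED",
    igroup) when the group's ignore mask hits, or ("GENERIC", None) when no
    igroup claims the URL and only the default grab-everything applies."""
    target = strip_scheme(url)
    best = None
    for group in config:
        hits = [m for m in group["patterns"] if mask_to_regex(m).match(target)]
        if not hits:
            continue
        if any(mask_to_regex(m).match(target) for m in group["ignore"]):
            return ("IGNORED", group["igroup"])
        top = max(hits, key=literal_length)
        if best is None or literal_length(top) > literal_length(best[1]):
            best = (group["igroup"], top)
    return best if best else ("GENERIC", None)


def summarize(config=DINJ):
    """(number of masks, number of distinct named domains) for a config."""
    masks = [m for g in config for m in g["patterns"]]
    domains = {named_domain(m) for m in masks} - {None}
    return len(masks), len(domains)


if __name__ == "__main__":
    for u in ["https://runpayroll.adp.com/login",
              "https://www.navyfederal.org/static/app.js",
              "https://www.norisbank.de/home"]:
        print(u, "->", classify(u))
    print("masks, named domains:", summarize())
```

Running a decoded config through summarize() is how you get the "patterns versus named domains" figures quoted above, and feeding your own organization's login and admin URLs through classify() tells you whether a given DINJ release singles them out for prioritized collection or only catches them under the default grab.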

A Bit of Spam Context

As everyone probably knows by now, the top spamming botnet since the death of Kelihos has been Emotet.  Emotet is involved in the distribution of several banking trojans, including TrickBot which is known to be the main source of Ryuk ransomware infections, and Qbot, which often leads to MegaCortex ransomware, and even Dridex, which sometimes leads to BitPaymer ransomware.

There are many great Emotet/Trickbot researchers out there, especially the @Cryptolaemus research group, which shares Emotet Indicators of Compromise regularly, and @pollo290987, who shared this graphic on his Twitter feed:



Trickbot is ALSO distributed by other sources, which Crowdstrike does a great job of illustrating in this diagram that maps out the relationships between spambots and malware payloads:

CrowdStrike Actor Labels for Emotet => Trickbot => Ryuk etc.
In the CrowdStrike worldview, "Mummy Spider" is the actor(s) behind Emotet, who serves his customer "Wizard Spider" by delivering Trickbot for him/them.  Post infection with Trickbot, Wizard Spider may choose to infect with Ryuk Ransomware.  Per CrowdStrike, Lunar Spider (the operator of BokBot AKA IcedID) and Scully Spider (the operator of DanaBot) are also occasionally used to distribute Trickbot.  But mostly, it's Emotet.