Ten Years of Cybercrime & Doing Time

On October 10, 2006 while I was sitting in my office at Energen I decided to start a blog.  I had been an InfraGard member for five years at that time, and was realizing based on the feedback I was getting from other InfraGard members around the country that while many people knew about Cyber Security, very few knew about CyberCrime.  I was working on a daily basis with the FBI Cybercrime Squad in Birmingham, so I had a fairly good view on the topic, so I decided to try to share what I knew by starting this blog.  One year later I had taken things to a whole new level by quitting my job at the Oil & Gas company and moving to the University of Alabama at Birmingham to dedicate the next decade to training new cybercrime fighters!

While the blog has seen ups and downs in the regularity of the posts, even being named "Most Popular Security Blog" by SC Magazine back in 2010, overall we've averaged one post per week and have been visited by nearly 3 million readers.

As I tried to decide how to mark the 10th Anniversary of the blog, I thought one way to do it would be to share what has been our most popular stories each year.

One of the strengths of the blog has always been to document "big campaigns" that are attacking people and try to help them understand the nature of the scam so that they could avoid being a victim themselves.  The three most popular stories on the blog have all been of that nature:

1. "More ACH Spam from NACHA" (March 11, 2011) and "ACH Transaction Rejected payments lead to Zeus" (Feb 25, 2011) were both of that type.  Even years later, spikes in visitors to these stories were an indication that someone was imitating NACHA again.   In these spam campaigns, the spammers would claim to be sending email from the  "National Automated Clearing House Association" the organization that handles all electronic payments between American banks.  We later came to call these type of campaigns "Soft-Targeting" as most Americans have never heard of NACHA, but those who are involved in regularly moving money most certainly would have -- making them also the most likely to fall victim to such a spam message.  The first entry in this series, "Newest Zeus = NACHA: The Electronic Payments Association" (November 12, 2009) was also very popular.

2. Coming much later, November 7, 2014, was "Warrant for your Arrest phone scams." It was great to see the heavy traffic to that blog post and receive the emails letting me know that someone had just "proven" to them that they were about to be scammed by sending them a link to the article!

3. During 2014 one of the largest spamming botnets was the ASProx botnet.   This malware blasted out high volume spam campaigns that used a variety of social engineering ploys to make their campaigns convincing, leading to huge victimization rates.   The most popular, based on hits to the blog, was the E-Z Pass Spam.  "E-Z Pass Spam Leads to Location Aware Malware" (July 8, 2014) had tens of thousands of visitors.  A close second, also ASProx, was "Urgent Court Notice from GreenWinick Lawyers delivers malware."   ASProx had been dominate from the holiday season in 2013, when "package delivery failure" messages really hit a profound number of victims.  (See for example "Holiday Delivery Failures Deliver Kuluoz Malware" (December 26, 2013)

Rather than go through the top campaigns in order, I thought it might be more interesting to see the most popular posts for each of our ten years as a blog.

Top Cybercrime & Doing Time Blog Posts of 2016
Vovnenko / Fly / MUXACC1 pleads guilty	24JAN2016
Kelihos botnet delivering Dutch WildFire Ransomware	09JUL2016
Is the Bank of Bangladesh ready for the Global Economy?	23APR2016
Unlimited ATM Mastermind Ercan Findikoglu pleads guilty	06MAR2016

In 2016, two of our four top stories were about arrests of top cybercriminals, which is a trend that I love to say is growing and rising as we see a higher level of cooperation internationally, and a growing ability among our Law Enforcement partners. One of the highest volume spam botnets, Kelihos, is regularly in our blogs and is quite popular with the readers, indicating how often they also see the spam. The Bank of Bangladesh SWIFT theft was also a high interest story!

Top Cybercrime & Doing Time Blog Posts of 2015
Tech Support "pop-ups"	30MAR2015
Hillary"s Email Server and the New York City malware	03OCT2015
Passwords, Password Cracking, and Pass Phrases	29OCT2015
Darkode guilty pleas: Phastman, Loki, & Strife	24AUG2015

In 2015, the Darkode forum was a top story for us. Readers responded well to the Tech Support "pop-up" scams, indicating that they were also seeing it quite a bit! Hillary's email server gave us a chance to show the value of a long-term spam repository. And the story on password cracking seems to be regularly accessed from people teaching others about strong passwords.

Top Cybercrime & Doing Time Blog Posts of 2014
Warrant for Your Arrest phone scams	07NOV2014
E-ZPass Spam leads to Location Aware Malware	08JUL2014
Urgent Court Notice from GreenWinick Lawyers delivers malware	13JUL2014
GameOver Zeus now uses Encryption to bypass Perimeter Security	02FEB2014

The phone scams claiming that a warrant has been issued for your arrest have been popular on a daily basis for most of the two years since this story was first released. EZ Pass and Urgent Court Notice spoke to the popularity of the ASProx botnet. Gameover Zeus was also quite interesting as it changed the way spam-delivered malware defeated perimeter security.

Top Cybercrime & Doing Time Blog Posts of 2013
Holiday Delivery Failures lead to Kuluoz malware	26DEC2013
Vietnamese Carders arrested in MattFeuter.ru case	05JUN2013
When Parked Domains Still Infect - Internet.bs and ZeroPark	10AUG2013
New Spam Attack accounts for 62% of our spam!	10APR2013

Kuluoz, later called ASProx, had its first big Christmas in 2013. One of the first arrests of Vietnamese hackers spoke to internationally cooperation.

Top Cybercrime & Doing Time Blog Posts of 2012
Operation Open Market: The Vendors	25MAR2012
Paypal "You Just Sent a Payment" spam leads to malware	01MAY2012
DNS Changer: Countdown clock reset, but still ticking	28MAR2012
Operation Open Market: Jonathan Vergnetti	17MAR2012

In 2012, the DNS Changer malware was on everyone's minds (we later blogged about the successful prosecution of the leaders of that campaign, all now in prison in New York.) Operation Open Market was the big Forum take-down that year.

Top Cybercrime & Doing Time Blog Posts of 2011
More ACH Spam from NACHA	11MAR2011
ACH Transaction Rejected payments lead to Zeus	25FEB2011
Federal Reserve Spam	14MAR2011
The Epsilon Phishing Model	08APR2011

I've already mentioned the ACH/NACHA spam campaigns that delivered Zeus. The Epsilon Phishing model focused on hacking email delivery services and using validated accounts to deliver phishing and malware. (This is the group that Neil Schwartzman of CAUCE labeled "The Adobers" for the many times their malware claimed to be Adobe software.)

Top Cybercrime & Doing Time Blog Posts of 2010
New York FBI: 17 Wanted Zeus Criminals	30SEP2010
PakBugs Hackers arrested	12JUL2010
Lin Mun Poo: Hacker of the Federal Reserve and ...?	20NOV2010
Iranian Cyber Army returns - target: Baidu.com	12JAN2010

The Iranian Cyber Army, and a variety of international cyber criminals captured the headlines in 2010.

Top Cybercrime & Doing Time Blog Posts of 2009
Newest Zeus = NACHA: The Electronic Payments Association	12NOV2009
The FBI's Biggest Domestic Phishing Bust Ever	08OCT2009
Who is the "Iranian Cyber Army"? Twitter DNS Redirect	18DEC2009
Traveler Scams: Email Phishers Newest Scam	09FEB2009

Our 2009 "Traveler Scams" post was for years the most successful post on the blog, as many people shared the post with their friends to warn about the scam. NACHA was just becoming the leading scam-victim related to Zeus, and the FBI celebrated a huge phishing victory!

Top Cybercrime & Doing Time Blog Posts of 2008
The UAB Spam Data Mine: Looking at Malware Sites	09AUG2008
Anti-Virus Products Still Fail on Fresh Viruses	12AUG2008
ICE: Operation Predator - Solving Intertwined Child Porn cases	05NOV2008
Bank of America Demo Account - DO NOT CLICK	26NOV2008

In 2008, we were just getting seriously up to ability with the UAB Spam Data Mine, and found many interesting malware campaigns using these techniques, which eventually led to the creation of Malcovery Security, later acquired by PhishMe

Top Cybercrime & Doing Time Blog Posts of 2007
Is Your Fifth Grader Smarter Than a Laughing Cat?	15OCT2007
Google Referrer Only malware sites	13DEC2007
AffPower Indictments Scare Affiliates!	06AUG2007
TJX: From Florida to the Ukraine?	04SEP2007

In 2007, the Storm Worm was one of the top spreaders of malware. The Laughing Cat story pointed out that if you share your computer with younger family members, they may very well click on lures that any educated adult would reject. The AffPower case remains one of my favorite law enforcement actions against online pharmaceutical affiliate programs. The TJX story tracked some of the carders involved in the TJX data breach.

Top Cybercrime & Doing Time Blog Posts of 2006
Pump & Dump: SEC gives us a peek!	21DEC2006
Counterfeit Checks? Who cares!	12OCT2006
Birmingham InfraGard - October 2006	10OCT2006
FAL$E HOPE$ @ CHRI$TMA$	22DEC2006

In 2006, our inaugural year, we didn't have a lot of stories, honestly. Pump & Dump spam was interesting that year, and we blogged about some of the holiday scams we were seeing.

Unfortunately, several of the graphics in the older stories are unavailable due to changes in hosting. Hopefully we'll get those recovered eventually. Sorry for any loss of enjoyment that may cause while strolling down Cybercrime Memory Lane with me!

Looking forward to another Ten Years informing the public about Cybercrime & Doing Time!

Thanks to all of my friends and students who encouraged this blog along the way, and helped through their dedication to fighting Cybercrime and sharing in the analysis we did together. While there have been tons of great contributors in the lab, with regards to things that ended up in the blog I'd like to especially thank: Heather McCalley, Matthew Grant, Chun Wei, Brad Wardman, Brian Tanner, Tommy Stallings, Sarah Turner, Josh Larkins, Jui Sonwalker, JohnHenri Ewerth, Brendan Griffin, and Kyle Jones.

Thanks also to my inspirations in blogging, Brian Krebs, and Graham Cluley. This amateur blogger is truly grateful for what you guys do and share!

Urgent Court Notice from GreenWinick Lawyers delivers malware

I spent some time yesterday in the Malcovery Security Spam Data Mine looking at the E-Z Pass malware campaign. The ASProx spammers behind that campaign have moved on to Court Notice again . . .

Subjects like these:

• Hearing of your case in Court No#
• Notice of appearance
• Notice of appearance in court No#
• Notice to Appear
• Notice to Appear in Court
• Notice to appear in court No#
• Urgent court notice
• Urgent court Notice No#

(All of the subjects that have "No#" are followed by a four digit integer.)

(click to enlarge)

As normal, the spammers for these "Court Appearance" spam campaigns have just grabbed an innocent law firm to imitate. No indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going on!

These are the same criminals who have Previously imitated other law firms including Jones Day (jonesday.com), Latham Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermitt, Will & Emery (wme.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!

We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!

When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver unique URLs for every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, which is combined with rotating through hundreds of 'pre-compromised' websites to host their malicious content.

Four patterns in the path portion of the URL are better indicators as we believe there will be MANY more destination hosts.

• tmp/api/…STUFF…=/notice
• components/api/…STUFF…=/notice
• wp-content/api/…STUFF…=/notice
• capitulo/components/api/…STUFF...=/notice

where "...STUFF..." is an encoding that we believe is related to the original recipient's email address, but have been unable to confirm at this time.

http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice

(to protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on de-coding, let me know and I'm happy to provide a couple hundred non-altered strings.)

Just like with last week's E-Z Pass spam campaign, visiting the destination website results in a uniquely geo-coded drop .zip file that contains a .exe file.

As an example, when downloading from my home in Birmingham Alabama where my zip code is 35242, the copy I received was named:

Notice_Birmingham_35242.zip

which contained

Notice_Birmingham_35242.exe, which is icon'ed in such a way that it appears to be a Microsoft Word document.

The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4

The VirusTotal report for my .exe is here:

VirusTotal Report (7 of 53 detects)

Extra credit points to Kaspersky and Norman for useful and accurate naming !

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP

Each of the 88 destination websites that we observed was likely compromised to host the malware. We do not believe these are necessarily "Bad Websites" but they either have a vulnerability or have had the webmaster credentials stolen by criminals.

If these are YOUR website - look for one of those directories I mentioned ...

/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/

www.metcalfplumbing.com
www.mikevanhattum.nl
www.mieszkaniaradomsko.pl
www.millionairemakeovertour.com
www.mkefalas.com
www.moldovatourism.ro
www.mobitrove.com
www.modultyp.com
www.mommyabc.com
www.monsterscalper.com
www.myconcilium.de
www.nellalongari.com
www.northsidecardetailers.com.au
www.parasitose.de
www.paulruminski.eu
www.petitecoach.com
www.phasebooks.net
www.plr-content.com
www.profimercadeo.com
www.propertyumbrellablueprint.com
www.proviewhomeservices.com
www.puntanews.com.uy
www.qifc.ir
www.rado-adventures.com
www.rantandraveweddingplanning.com
www.registrosakasicos.es
www.rimaconsulting.com
www.romiko.pl
www.saffronelectronics.co.uk
www.sasregion.com
www.saxonthewall.com
www.sealscandinavia.se
www.stkatharinedrexel.org
www.tecza.org
www.theanimationacademy.com
www.thehitekgroup.com
www.tusoco.com
www.urmasphoto.com
www.vicmy.net
www.viscom-online.com
www.vtretailers.com
www.warp.org.pl
www.webelonghere.ca
www.weihnachten-total.de
www.wesele.eu
www.whistlereh.com
www.wicta.nl
www.widitec.com.br
www.wonderlandinteractive.dk
www.wpprophet.com
www.xin8.org
www.zabytkowe.net
www.zeitgeistportugal.org
www.zmianywpodatkach.pl
www.znamsiebie.pl
www.zuidoost-brabant.nl
www.zs1grodzisk.pl
yourmentoraffiliatemarketing.com
atenea.edu.ec
comopuedoblanquearmisdientes.com
arhiconigroup.com
chris-coupe.com
drnancycooper.com
ian-mcconnell.com
izkigolf.com
kalemaquil.com
kingdommessengernetwork.com

Malcovery Examines GameOver Zeus

What is this graphic about? Read on, Gentle Reader!

Malcovery: Email Based Threat Intelligence and GameOver Zeus

At Malcovery Security we have become EXTREMELY familiar with GameOver Zeus. Our malware analysts create multiple reports each day documenting the top Email-based threats, and as the FBI's news releases (covered earlier this week in this blog, see Is it GameOver for GameOver Zeus? document, the criminals behind GameOver Zeus have been devastatingly thorough in compromising computers. Unlike some sandboxes, when Malcovery reports on a piece of malware, we actually report on "the activity that would result on a computer compromised by this malware" in a holistic view that we call Contextual Analysis. The goal of Malware Contextual Analysis is to help answer questions like:

• How would one of my users likely be infected by this malware?
• What email subjects or messages may have sent this malware?
• Did that spam campaign deliver other malicious attachment or malicious URLs?
• If one of my users were compromised by this malware, what network activity may result?
• What additional malicious files might be downloaded by a computer compromised with this malware?
• . . . and other questions, depending on the nature of the malware

Malcovery's main Malware Threat Intelligence analyst, Brendan Griffin, has shared a special report called The Many Faces of GameOver Zeus that examines many of the ways the malware has been delivered via spam campaigns. In this blog post, I'll be focusing on the Prominent IP addresses associated with the "Encrypted Drop" version of GameOver Zeus distribution.

GameOver Zeus's Encrypted Drop Sites

Back in February, Malcovery reported that GameOver Zeus was being prominently loaded by means of UPATRE malware downloading an Encrypted file from the Internet, and then executing that file. (See our post: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security) With GameOver Zeus possibly taking a significant hit due to the coordinated law enforcement and researcher efforts, I wanted to look at the network infrastructure that we have been warning about in our T3 reports, and just illustrate how the T3 reports can be used to alert you to activity not just from the current day's malware, but for malware that touches any part of the extensive shared infrastructure of GameOver Zeus.

Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different internet locations, get decrypted by the Dropper malware, and execute themselves to begin communicating with the Peer to Peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binary were accessed, is available at the end of this article. Here is a sampling of some of the most recent ones for now to help understand the process...

2014-05-13	Xerox	url::moraza.com.my/images/1305UKdp.zip
2014-05-13	NatWest	url::luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip
2014-05-14	Microsoft	url::elpenterprisesinc.com/wp-content/uploads/2014/05/1405UKdw.enc
2014-05-14	Sage	url::ballroom-intergalactica.com/wp-content/themes/twentythirteen/css/1405UKdp.enc
2014-05-14	Intuit	url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-14	NatWest	url::jessicahann.co.uk/wp-content/uploads/2013/13/1405UKmp.enc
2014-05-14	ADP	url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-15	eFax	url::factoryrush.com/test/1505UKmp.zip
2014-05-15	UK Ministry of Justice	url::sugarlandrx.com/media/css/1505UKdp.zip
2014-05-15	eFax	url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15	Fidelity	url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15	Dun & Bradstreet	url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-16	Bank of America	url::kuukaarr01.com/wp-content/uploads/2014/05/Targ-1605USdp.tar
2014-05-19	Santander	url::paperonotel.com/Scripts/heap170id2.exe
2014-05-19	Wells Fargo	url::mersinprefabrik.com/Css/1905USmw.dct
2014-05-20	HSBC	url::task-team.com/css/2005UKmw.zip
2014-05-20	NYC Govt	url::lospomos.org/images/button/2005USmw.zip
2014-05-20	UPS	url::alamx.com/images/RCH2005.zip
2014-05-20	UPS	url::evedbonline.com/images/RCH2005.zip
2014-05-20	Royal Bank of Scotland	url::lospomos.org/images/button/2005UKmw.zip
2014-05-20	LexisNexis	url::evedbonline.com/images/RCH2005.zip
2014-05-21	Credit Agricole	url::eleanormcm.com/css/2105UKdp.rar
2014-05-21	HSBC	url::cedargrill.sg/css/2105UKdw.rar
2014-05-21	HSBC	url::chezalexye.com/css/2105UKdw.rar
2014-05-21	JP Morgan	url::footballmerch.com/media/css/Targ-2105USmw.tar
2014-05-27	Hewlett-Packard	url::lotwatch.net/images/2705UKdp.rar
2014-05-27	Xerox	url::auracinematics.com/acc/b02.exe
2014-05-29	Visa	url::qadindunyasi.az/images/Targ-2905USmp.tar
2014-05-30	Sky	url::3dparsian.com/images/banners/3005UKdp.rar
2014-05-30	HSBC	url::bag-t.com/css/3005UKmw.rar
2014-05-30	HSBC	url::seminarserver.com/html/3005UKmw.rar

For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and STIX version of the machine readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic, but whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.

T3: Protection for Today and Tomorrow

But how often did we see "re-use" of network infrastructure? We like to say that Malcovery's T3 report, which stands for Today's Top Threat, is really "T3: Protection for Today and Tomorrow". To illustrate this, I did some data mining in Malcovery's Threat Intelligence database.

First - I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...)

For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns.

I took those IP addresses, and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaign I started with, but 360 distinct spam campaigns!! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest. The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.

Brand Imitated in Spam	# of Campaigns Seen
Ring Central	30 campaigns
HMRC	15 campaigns
HSBC	13 campaigns
Royal Bank of Scotland	14 campaigns
NatWest	11 campaigns
eFax	11 campaigns
Sage	10 campaigns
Lloyds Bank	8 campaigns
UK Government Gateway	8 campaigns
Xerox	8 campaigns
ADP	6 campaigns
Companies House	6 campaigns
IRS	6 campaigns
New Fax	5 campaigns
Paypal	5 campaigns
Sky	5 campaigns
UPS	5 campaigns
Amazon	4 campaigns
Bank of America	4 campaigns
BT.com	4 campaigns
Microsoft	4 campaigns
QuickBooks	4 campaigns
Wells Fargo	4 campaigns
WhatsApp	4 campaigns

I threw the data into IBM's i2 Analyst Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:

On the left are IP addresses that are owned by Microsoft. They are arranged by Netblock, with the size of the Computer icon representing how many malware campaigns that IP was linked to. Top to bottom numerically by Netblock, these are from the 23.96 / 23.98 / 137.116, 137.135, 138.91, 168.61, 168.63, 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other Peer to Peer chatter for GameOver Zeus.

On the top are IP addresses in APNIC countries. Flag test: Japan, Hong Kong, China

On the right are IP addresses in ARIN countries. (Canada, USA)

In the bottom right corner is one LACNIC IP. (Venezuela)

And on the bottom are RIPE countries. (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria)

The IP addresses on the chart above are also included here in tabular form:

Prominent IP addresses Associated with GameOver Zeus and associated malware

Country	ASN#	ASN Organization	IP
CN	4837	CHINA169-BACKBONE CNCGROUP China169 Backbone,CN	221.193.254.122
HK	4515	ERX-STAR PCCW IMSBiz,HK	113.28.179.100
HK	9269	HKBN-AS-AP Hong Kong Broadband Network Ltd.,HK	61.244.150.9
HK	4760	HKTIMS-AP PCCW Limited,HK	218.103.240.27
JP	9365	ITSCOM its communications Inc.,JP	101.111.248.177
JP	45687	MCT-INTERNET Minamikyusyu CableTV Net Inc.,JP	27.54.110.77
JP	38628	WINK-NET HIMEJI CABLE TELEVISION CORPORATION,JP	115.126.143.176
JP	9617	ZAQ KANSAI MULTIMEDIA SERVICE COMPANY,JP	125.4.34.229
CA	577	BACOM - Bell Canada,CA	174.89.110.91
US	36352	AS-COLOCROSSING - ColoCrossing,US	172.245.217.122
US	22773	ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US	98.162.170.4
US	7018	ATT-INTERNET4 - AT&T Services, Inc.,US	75.1.220.146
US	7018	ATT-INTERNET4 - AT&T Services, Inc.,US	99.73.173.219
US	33588	BRESNAN-AS - Charter Communications,US	184.166.114.48
US	6128	CABLE-NET-1 - Cablevision Systems Corp.,US	68.197.193.98
US	6128	CABLE-NET-1 - Cablevision Systems Corp.,US	75.99.113.250
US	33490	COMCAST-33490 - Comcast Cable Communications, Inc.,US	67.168.254.65
US	7015	COMCAST-7015 - Comcast Cable Communications Holdings, Inc,US	73.182.194.83
US	6939	HURRICANE - Hurricane Electric, Inc.,US	50.116.4.71
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	137.116.225.57
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	137.116.229.40
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	137.117.197.214
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	137.117.72.241
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	137.135.218.230
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	138.91.18.14
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	138.91.187.61
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	138.91.49.30
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	168.61.80.142
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	168.61.87.1
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	168.63.154.114
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	168.63.211.182
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	168.63.62.72
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	23.96.34.43
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	23.97.133.13
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	23.98.41.229
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	23.98.42.224
US	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	23.98.64.182
BR	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	191.234.43.118
BR	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	191.234.52.206
BR	8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US	191.236.85.223
VE	8048	CANTV Servicios, Venezuela,VE	190.37.198.162
AT	8437	UTA-AS Tele2 Telecommunication GmbH,AT	81.189.6.76
BE	5432	BELGACOM-SKYNET-AS BELGACOM S.A.,BE	194.78.138.100
CH	15600	FINECOM Finecom Telecommunications AG,CH	77.239.59.243
FR	16276	OVH OVH SAS,FR	94.23.32.170
GB	2856	BT-UK-AS BTnet UK Regional network,GB	109.153.212.95
GB	2856	BT-UK-AS BTnet UK Regional network,GB	213.120.146.245
GB	2856	BT-UK-AS BTnet UK Regional network,GB	86.159.38.32
MD	31252	STARNET-AS StarNet Moldova,MD	89.28.59.166
NL	1103	SURFNET-NL SURFnet, The Netherlands,NL	130.37.198.100
NL	1103	SURFNET-NL SURFnet, The Netherlands,NL	130.37.198.90
SE	39287	FLATTR-AS Flattr AB,SE	95.215.16.10
UA	13188	BANKINFORM-AS TOV _Bank-Inform_,UA	37.57.41.161
UA	21219	DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA	195.114.152.188
UA	42471	FALSTAP-AS OOO TRK Falstap,UA	85.198.156.189
UA	29688	VOSTOKLTD VOSTOK Ltd.,UA	31.42.75.203

Encrypted GameOver Zeus URLs seen by Malcovery

2014-02-06	UK Govt Gateway	url::newz24x.com/wp-content/uploads/2014/02/pdf.enc
2014-02-06	UK Govt Gateway	url::oilwellme.com/images/banners/pdf.enc
2014-02-06	TNT UK	url::newz24x.com/wp-content/uploads/2014/02/pdf.enc
2014-02-06	TNT UK	url::oilwellme.com/images/banners/pdf.enc
2014-02-10	UK2fax	url::agrimarsystem.pe/images/10UKrh.enc
2014-02-10	UK2fax	url::pro-viewer.com/images/10UKrh.enc
2014-02-12	Royal Bank of Scotland	url::buzzers.in/media/catalog/category/12UKp.mp3
2014-02-12	Royal Bank of Scotland	url::erp.zebronics.com/images/12UKp.mp3
2014-02-18	RingCentral	url::iatablet.com/oc-content/uploads/HTML/al1402.pic
2014-02-18	RingCentral	url::vietdongatravel.com/image/data/logo/al1402.pic
2014-03-05	Standard Chartered Bank	url::broadproductz.zapto.org/ndu/guru/config.bin
2014-03-05	Standard Chartered Bank	url::broadproductz.zapto.org/ndu/guru/gate.php
2014-03-06	RingCentral	url::thebaymanbook.com/wp-content/uploads/2014/03/al2602.big
2014-03-06	RingCentral	url::dominionfoodie.com/images/al2602.big
2014-03-06	Adobe	url::cdn.cmatecdnfast.us/os/js/OfferScreen_240_EN.zip
2014-03-06	Adobe	url::cdn.cmatecdnfast.us/os/js/OfferScreen_260_EN.zip
2014-03-06	Adobe	url::cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip
2014-03-06	Adobe	url::cdn.eastwhitecoal.us/Advertisers/FlashPlayer_Installer.exe
2014-03-06	Adobe	url::downloadupdates.in/MB1/downloadupdate.in/style.css
2014-03-06	Adobe	url::downloadupdates.in/MB1/flash_thankyou.php
2014-03-06	French Government	url::adultagencyads.com/images/2010/0603UKp.big
2014-03-06	French Government	url::trudeausociety.com/images/flash/0603UKp.big
2014-03-18	Citi	url::jswcompounding-usa.com/images/TARGT.tp
2014-03-18	Citi	url::thesymptomatologynetwork.com/images/TARGT.tp
2014-03-20	BankofAmerica	url::lovestogarden.com/images/general/TARGT.tpl
2014-03-20	BankofAmerica	url::villaveronica.it/gallery/TARGT.tpl
2014-03-21	Companies House	url::fidaintel.com/images/2103UKp.qta
2014-03-21	Companies House	url::premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta
2014-03-21	New Fax	url::gulf-industrial.com/images/2103USa.qta
2014-03-21	QuickBooks	url::bodyfriend.co.uk/images/2103USp.qta
2014-03-21	QuickBooks	url::overtonsheepfair.co.uk/wp-content/uploads/2012/06/2103USp.qta
2014-03-27	Banque Populaire	url::myeapp.com/wp-content/uploads/2014/03/TARG1.git
2014-03-27	Banque Populaire	url::ramirezcr.com/images/TARG1.git
2014-03-27	HSBC	url::knockoutsecrets.com/wp-content/uploads/2014/03/2703UKc.git
2014-03-27	HSBC	url::vequi.com/images/2703UKc.git
2014-03-28	Sky	url::hardmoneylenderslosangeles.com/abc/2803UKd.wer
2014-03-28	Sky	url::igsoa.net/Book/2803UKd.wer
2014-03-28	Sage	url::hardmoneylenderslosangeles.com/abc/2803UKd.wer
2014-03-28	Sage	url::igsoa.net/Book/2803UKd.wer
2014-03-31	Voicemail Message	url::albergolarese.com/css/3103UKm.rih
2014-03-31	Voicemail Message	url::direttauto.com/scripts/3103UKm.rih
2014-03-31	Lloyds Bank	url::bormanns-wetter.de/scripts/3103UKd.rih
2014-03-31	Lloyds Bank	url::brucewhite.org/images/3103UKd.rih
2014-04-01	RingCentral	url::atlantafloorinstallation.com/wp-content/plugins/akismet/index.zpi
2014-04-01	RingCentral	url::ayat.onlinewebshop.net/img/index.zpi
2014-04-01	Royal Bank of Scotland	url::miss-loly.com/Scripts/0104UKd.bis
2014-04-01	Royal Bank of Scotland	url::photovolt.ro/script/0104UKd.bis
2014-04-01	eFax	url::apacsolutions.com/test/Targ-0104USr.bis
2014-04-01	eFax	url::cfklc.com/downloads/Targ-0104USr.bis
2014-04-01	Wells Fargo	url::all-products.biz/css/Targ-0104USd.bis
2014-04-01	Wells Fargo	url::smokeylegend.com/css/Targ-0104USd.bis
2014-04-01	Xerox	url::atifmalikmd.org/css/Targ-0104USm.bis
2014-04-01	Xerox	url::contactdbinc.com/css/Targ-0104USm.bis
2014-04-07	New Fax	url::abwidiyantoro.com/images/0804UKm.jpi
2014-04-07	New Fax	url::kworldgroup.com/css/0804UKc.jpi
2014-04-07	New Fax	url::rainda.com/css/0804UKc.jpi
2014-04-07	New Fax	url::robertcairns.co.uk/wp-content/uploads/2014/04/0804UKm.jpi
2014-04-07	NY Dept of Taxation and Finance	url::gisticinc.com/wp-content/uploads/2014/04/0804UKr.jpi
2014-04-07	NY Dept of Taxation and Finance	url::vtiger.gisticinc.com/test/logo/0804UKr.jpi
2014-04-08	Swiftpage, Inc	url::isapport.com/Images/n0804UKm.dim
2014-04-08	Swiftpage, Inc	url::metek-mkt.com/images/scripts/n0804UKm.dim
2014-04-09	HSBC	url::musicbanda.com/css/0904UKd.rar
2014-04-09	HSBC	url::sunsing.com.sg/images/0904UKd.rar
2014-04-09	New Fax	url::renaissancepmc.com/scripts/0904US.rar
2014-04-09	New Fax	url::thegrandbasant.com/img/icons/0904US.rar
2014-04-10	Xerox	url::ebazari.com/uploads/brands/Targ-1004USr.enc
2014-04-10	Xerox	url::rollonskips.com/images/banners/Targ-1004USr.enc
2014-04-14	Santander	url::vv-international.eu/food/1404UKd.rar
2014-04-17	PayPal	url::artncraftemporio.com/media/css/1704UKd.rar
2014-04-17	PayPal	url::hrprovider.com/img/img/1704UKd.rar
2014-04-17	PayPal	url::artncraftemporio.com/media/css/1704UKd.rar
2014-04-17	PayPal	url::hrprovider.com/img/img/1704UKd.rar
2014-04-17	IRS	url::fergieandco.org/wp-content/uploads/2014/03/Targ-1704USd.rar
2014-04-17	IRS	url::newsilike.in/wp-content/lbp-css/black/Targ-1704USd.rar
2014-04-23	Royal Bank of Scotland	url::aoneteleshop.com/images/payments/s2304UKd.rar
2014-04-23	Royal Bank of Scotland	url::czargroup.net/wp-content/uploads/2014/04/s2304UKd.rar
2014-04-23	Companies House	url::aoneteleshop.com/images/payments/s2304UKd.rar
2014-04-23	Companies House	url::www.czargroup.net/wp-content/uploads/2014/04/s2304UKd.rar
2014-04-24	Generic Voicemail	url::dotspiders.sg/test/clocks/2404UKs.tar
2014-04-24	Generic Voicemail	url::mc-saferentals.com/images/2404UKs.tar
2014-04-25	Unity Messaging System	url::altpowerpro.com/images/stories/highslide/Targ-2404USm.tar
2014-04-25	Unity Messaging System	url::tmupi.com/media/images/icons/team/Targ-2404USm.tar
2014-04-29	Citi	url::capsnregalia.com/download/2904UKpm.zip
2014-04-29	Citi	url::perfumeriaamalia.com/images/stories/2904UKpm.zip
2014-04-30	UK Gov't Gateway	url::factoryrush.com/boxbeat/uploads/3004UKdp.tar
2014-04-30	UK Gov't Gateway	url::vestury.com/js/fckeditor/editor/js/3004UKdp.tar
2014-04-30	Sky	url::factoryrush.com/boxbeat/uploads/3004UKdp.tar
2014-04-30	Sky	url::vestury.com/js/fckeditor/editor/js/3004UKdp.tar
2014-04-30	IRS	url::capsnregalia.com/download/scripts/Targ-3004USmp.tar
2014-04-30	IRS	url::worldbuy.biz/scripts/Targ-3004USmw.tar
2014-05-05	Microsoft	url::iknowstudio.com/scripts/0505USdw.dat
2014-05-05	Microsoft	url::luxesydiseno.com/images/stories/brands/0505USdw.dat
2014-05-06	BT.com	url::BIZ-VENTURES.NET/scripts/0605UKdp.rar
2014-05-06	BT.com	url::realtech-international.com/css/0605UKdp.rar
2014-05-06	HMRC	url::BIZ-VENTURES.NET/scripts/0605UKdp.rar
2014-05-06	HMRC	url::realtech-international.com/css/0605UKdp.rar
2014-05-06	Generic Voicemail	url::oligroupbd.com/images/Targ-0605USmw.enc
2014-05-06	Generic Voicemail	url::touchegolf.com/css/Targ-0605USmw.enc
2014-05-06	US Postal Service	url::eirtel.ci/images/0605USdw.enc
2014-05-06	US Postal Service	url::smartsolutions.ly/css/0605USdw.enc
2014-05-07	Bank of America	url::addcomputers.com/downloads/Targ-0705USmw.enc
2014-05-07	Bank of America	url::mindinstitute.ro/images/Targ-0705USmw.enc
2014-05-07	NYC Govt	url::addcomputers.com/downloads/Targ-0705USmw.enc
2014-05-07	NYC Govt	url::mindinstitute.ro/images/Targ-0705USmw.enc
2014-05-07	BT.com	url::k-m-a.org.uk/images/jquerytree/0705USmp.enc
2014-05-07	BT.com	url::tuckerspride.com/wp-content/uploads/2014/05/0705USmp.enc
2014-05-07	NatWest	url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip
2014-05-07	NatWest	url::generation.com.pk/flash/0705UKmp.zip
2014-05-07	Swiftpage	url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip
2014-05-07	Swiftpage	url::generation.com.pk/flash/0705UKmp.zip
2014-05-07	Swiftpage	url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip
2014-05-07	Swiftpage	url::generation.com.pk/flash/0705UKmp.zip
2014-05-07	QuickBooks	url::k-m-a.org.uk/images/jquerytree/0705USmp.enc
2014-05-07	QuickBooks	url::tuckerspride.com/wp-content/uploads/2014/05/0705USmp.enc
2014-05-08	Companies House	url::accessdi.com/wp-content/uploads/2014/05/0805UKdp.dat
2014-05-08	Companies House	url::mpharmhb.com/images/banners/0805UKdp.dat
2014-05-08	Paychex	url::localalarmbids.com/wp-content/uploads/2012/12/0805USmp.rar
2014-05-08	Paychex	url::pharmaholic.com/images/banners/0805USmp.rar
2014-05-12	NatWest	url::plvan.com/css/1205UKdm.tar
2014-05-12	NatWest	url::srhhealthfoods.com/test/1205UKdm.tar
2014-05-12	ADP	url::datanethosting.com/css/Targ-1205USmp.enc
2014-05-12	ADP	url::distrioficinas.com/fonts/Targ-1205USmp.enc
2014-05-12	Royal Bank of Scotland	url::plvan.com/css/1205UKdm.tar
2014-05-12	Royal Bank of Scotland	url::srhhealthfoods.com/test/1205UKdm.tar
2014-05-13	IRS	url::consumerfed.net/css/1305UKmw.zip
2014-05-13	IRS	url::irishtroutflies.ie/images/1305UKmw.zip
2014-05-13	NYC Govt	url::loquay.com/css/1305UKdp.zip
2014-05-13	NYC Govt	url::moraza.com.my/images/1305UKdp.zip
2014-05-13	Xerox	url::loquay.com/css/1305UKdp.zip
2014-05-13	Xerox	url::moraza.com.my/images/1305UKdp.zip
2014-05-13	NatWest	url::luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip
2014-05-13	NatWest	url::paulaggg.com/css/1305UKdw.zip
2014-05-14	Microsoft	url::djdawson.com/css/1405UKdw.enc
2014-05-14	Microsoft	url::elpenterprisesinc.com/wp-content/uploads/2014/05/1405UKdw.enc
2014-05-14	Sage	url::ballroom-intergalactica.com/wp-content/themes/twentythirteen/css/1405UKdp.enc
2014-05-14	Sage	url::indoorea.com/webfiles/css/1405UKdp.enc
2014-05-14	Intuit	url::martabrixton.com/css/Targ-rhc1405.dat
2014-05-14	Intuit	url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-14	NatWest	url::jessicahann.co.uk/wp-content/uploads/2013/13/1405UKmp.enc
2014-05-14	NatWest	url::mortgagebidders.ca/fonts/1405UKmp.enc
2014-05-14	ADP	url::martabrixton.com/css/Targ-rhc1405.dat
2014-05-14	ADP	url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-15	eFax	url::factoryrush.com/test/1505UKmp.zip
2014-05-15	eFax	url::techwin.com.pk/css/1505UKmp.zip
2014-05-15	UK Ministry of Justice	url::floworldonline.com/wp-content/uploads/2014/04/1505UKdp.zip
2014-05-15	UK Ministry of Justice	url::sugarlandrx.com/media/css/1505UKdp.zip
2014-05-15	eFax	url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15	eFax	url::entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15	eFax	url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15	Fidelity	url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15	Fidelity	url::entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15	Fidelity	url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15	Dun & Bradstreet	url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15	Dun & Bradstreet	url::entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15	Dun & Bradstreet	url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-16	Bank of America	url::gmdf.net/js/Targ-1605USdw.tar
2014-05-16	Bank of America	url::gmdf.net/js/Targ-1605USdw.tar
2014-05-16	Bank of America	url::kuukaarr01.com/wp-content/uploads/2014/05/Targ-1605USdp.tar
2014-05-16	Bank of America	url::kuukaarr02.com/wp-content/uploads/2014/05/Targ-1605USdw.tar
2014-05-16	Bank of America	url::kuukaarr02.com/wp-content/uploads/2014/05/Targ-1605USdw.tar
2014-05-16	Bank of America	url::malkanat.com/images/Targ-1605USdp.tar
2014-05-16	Bank of America	https://dl.dropboxusercontent.com/s/vfoim5op006sjdv/SecureMessage.zip
2014-05-16	Bank of America	https://dl.dropboxusercontent.com/s/xn26h1fppik5np6/BankofAmerica.scr
2014-05-19	Santander	url::aanchalgroup.com/wp-content/uploads/2013/09/1905UKdp.zip
2014-05-19	Santander	url::albus-capital.com/css/1905UKdp.zip
2014-05-19	Santander	url::paperonotel.com/Scripts/heap170id2.exe
2014-05-19	Wells Fargo	url::mersinprefabrik.com/Css/1905USmw.dct
2014-05-19	Wells Fargo	url::paperonotel.com/Scripts/heap170id2.exe
2014-05-19	Wells Fargo	url::seminarserver.com/css/1905USmw.dct
2014-05-20	HSBC	url::lospomos.org/images/button/2005UKmw.zip
2014-05-20	HSBC	url::task-team.com/css/2005UKmw.zip
2014-05-20	NYC Govt	url::lospomos.org/images/button/2005USmw.zip
2014-05-20	NYC Govt	url::task-team.com/css/2005USmw.zip
2014-05-20	UPS	url::auracinematics.com/christine/Christine/2005USdp.zip
2014-05-20	UPS	url::protecca.com/fonts/2005USdp.zip
2014-05-20	UPS	url::alamx.com/images/RCH2005.zip
2014-05-20	UPS	url::evedbonline.com/images/RCH2005.zip
2014-05-20	Royal Bank of Scotland	url::lospomos.org/images/button/2005UKmw.zip
2014-05-20	Royal Bank of Scotland	url::task-team.com/css/2005UKmw.zip
2014-05-20	LexisNexis	url::alamx.com/images/RCH2005.zip
2014-05-20	LexisNexis	url::evedbonline.com/images/RCH2005.zip
2014-05-21	Credit Agricole	url::eleanormcm.com/css/2105UKdp.rar
2014-05-21	Credit Agricole	url::frizou.org/06-images/2105UKdp.rar
2014-05-21	Credit Agricole	url::paperonotel.com/Scripts/heap170id2.exe
2014-05-21	HSBC	url::cedargrill.sg/css/2105UKdw.rar
2014-05-21	HSBC	url::chezalexye.com/css/2105UKdw.rar
2014-05-21	JP Morgan	url::footballmerch.com/media/css/Targ-2105USmw.tar
2014-05-21	JP Morgan	url::myacoub.com/wp-content/uploads/2014/05/Targ-2105USmw.tar
2014-05-27	Hewlett-Packard	url::flutterhost.com/demo/2705UKdp.rar
2014-05-27	Hewlett-Packard	url::lotwatch.net/images/2705UKdp.rar
2014-05-27	Xerox	url::auracinematics.com/acc/b02.exe
2014-05-27	Xerox	url::feelhomely.com/beta/eshopbox/2705USmp.opt
2014-05-27	Xerox	url::the-dunn.com/css/2705USmp.opt
2014-05-27	Xerox	url::auracinematics.com/acc/b02.exe
2014-05-27	Xerox	url::feelhomely.com/beta/eshopbox/2705USmp.opt
2014-05-27	Xerox	url::the-dunn.com/css/2705USmp.opt
2014-05-29	Visa	url::homerenov.org/wp-content/uploads/2014/05/Targ-2905USmp.tar
2014-05-29	Visa	url::qadindunyasi.az/images/Targ-2905USmp.tar
2014-05-30	Sky	url::3dparsian.com/images/banners/3005UKdp.rar
2014-05-30	Sky	url::kuukaarr01.com/wp-content/themes/twentytwelve/css/3005UKdp.rar
2014-05-30	Sky	url::utraconindia.com/images/social/heapid2.exe
2014-05-30	HSBC	url::bag-t.com/css/3005UKmw.rar
2014-05-30	HSBC	url::seminarserver.com/html/3005UKmw.rar

Interac Phishers try their hand at IRS

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of the (activate 1940 horror movie narrator voice) The POWER OF CROSS BRAND INTELLIGENCE (/activate). Here's what the website looked like:

Phish from: bursafotograf.com / profiles / interac / RP.do.htm

In this phish, the "big idea" is that you can escalate your IRS Tax Refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your Userid and Password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700.)

Things get quite fascinating though when we hide the graphics:

Why would an IRS phish have ALT TEXT including for four of the largest Canadian banks? By looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish: First, the website Title is "INTERAC e-Transfer" ...

INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else simply by using either their email address or cell phone text messaging service. A Transaction code is texted/emailed from the payer to the recipient, allowing the recipient to login to the Interac service and choose what account, and what bank, they would like to receive the funds into.

The phish has some Javascript at the top that includes variables like "var provinceList = new Array ("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");" and a pull down menu with options "Select Institution", "Select Province or Territory" and "Select Credit Union."

As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as:

href = chasecustomerprofile
img src = chasecustomerprofile/css/images/chaseNew.gif .... but with "alt=CIBC"

href = navy/index.htm
img src = imgs/nfculogo.png  .... but with "alt=President's Choice Financial"

href = suntrust
img src = imgs/suntrust.png  .... but iwth "alt = RBC Royal Bank"

etc . . . 

Phishing Cross-Brand Intelligence

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system.

Here is a phish that was seen on June 21, 2013 on the website freevalwritings.com / wp / interacsessions / RP.do.htm

And another first seen on May 28, 2013 on the website anglaisacote.com / interac / RP.do.htm (note the common path on both of these that matches the current IRS phish = "interac/RP.do.htm" RP.do.htm is used on the REAL Interac website.

Phishing & Spam Cross-Brand Intelligence

An interesting thing about phishing emails that differentiates them from standard spam. While normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal money from Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually "130.13.122.25 / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website "ernursusleme.com / Connections / irsonlinedeposit /" which then forwarded the visitors to "bursafotograf.com / profiles / interac / RP.do.htm" which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on 130.13.122.25.

We found two sets of spam messages that advertised URLs on that host in our spam collection. One batch from January 8, 2014 and the other batch from January 28th and January 29th, 2014.

The January 28th and January 29th emails claimed to be from "From: USAA (USAA.Web.Services@customer.usaa.com)" with an email subject of "New Insurance Document Online".

Two of the emails were sent from 122.3.92.116 (Philippines) and one email was sent from 70.166.118.54 (Cox). What other emails were sent from those IP addresses?

Here are the emails from 122.3.92.116

Date:	Subject:	From Name	From Email
Dec 13, 2013	Your account has been limited until we hear from you	service@ intl.paypal.com	survey.research-3086@ satisfactionsurvey.com
Dec 13, 2013	Your account has been limited until we hear from you	service@ intl.paypal.com	survey.research-3086@ satisfactionsurvey.com
Dec 14, 2013	Your account has been limited until we hear from you	service@ intl.paypal.com	survey.research-3086@ satisfactionsurvey.com
Dec 16, 2013	Confirmation - personal information update	USAA	USAA.Web.Services@ customermail.usaa.com
Dec 18, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 18, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 18, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 23, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 30, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 31, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 31, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Dec 31, 2013	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 5, 2014	Notification of Limited Account Access	PayPal	PayPal@ abuse.epayments.com
Jan 7, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 7, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 7, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014	View Your USAA Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 17, 2014	Canada Tax send you an INTERAC e-Transfer	notify@ payments.interac.ca	notify@ payments.interac.ca
Jan 19, 2014	Your dispute has been ended 01/20/2014: Get your money back	PayPal	paypal.feedback@ email.com
Jan 19, 2014	Your dispute has been ended 01/20/2014: Get your money back	PayPal	paypal.feedback@ email.com
Jan 20, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014	View and Sign Your USAA Insurance Policy	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014	Your dispute has been ended 01/20/2014: Get your money back	PayPal	paypal.feedback@ email.com
Jan 28, 2014	New Insurance Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Jan 28, 2014	New Insurance Document Online	USAA	USAA.Web.Services@ customermail.usaa.com
Feb 8, 2014	Canada Revenue send you an INTERAC e-Transfer	TD Canada Trust	notify@ payments.interac.ca

And here are the emails from 70.166.118.54

Date:	Subject:	From Name	From Email
Jan 29, 2014	New Insurance Document Online	USAA	USAA.Web.Services@customermail.usaa.com
Feb 3, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 3, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 3, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 3, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 3, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 3, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 4, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 4, 2014	INTERAC e-Transfer Received	notify@ payments.interac.ca	notify@ payments.interac.ca
Feb 8, 2014	Canada Revenue send you an INTERAC e-Transfer	RBC Royal Bank	notify@ payments.interac.ca
Feb 9, 2014	Canada Revenue send you an INTERAC e-Transfer	RBC Royal Bank	notify@ payments.interac.ca
Feb 11, 2014	Wells Fargo ATM/Debit Card Expires Soon	Wells Fargo Online	alerts@ notify.wellsfargo.com
Feb 11, 2014	Wells Fargo ATM/Debit Card Expires Soon	Wells Fargo Online	alerts@ notify.wellsfargo.com

The Power of Cross-Brand Intelligence

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!