Posts Tagged: webmoney


29
Nov 12

Online Service Offers Bank Robbers for Hire

An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise.

The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York. These associates are not mere “money mules,” unwitting and inexperienced Americans tricked and cajoled into laundering money after being hired for bogus work-at-home jobs. Rather, as the title of the ad for this service makes clear, the “foreign agents” available through this network are aware that they will be assisting in illegal activity (the ad refers to them as неразводные “nerazvodni” or “not deceived”). Put simply: These are mules that can be counted on not to freak out or disappear with the cash.

These complicit “foreign agents” in the U.S. can be hired to launder funds stolen through cyberheists and tax fraud.

The rest of the ad reads:

“We provide convenient service to our partners:

  • Unique administrative interface – fast response
  • We will react momentarily to any new task
  • Adapt every action of a money mule to client’s requirements
  • Timely payments via WebMoney/Liberty Reserve/Western Union, cash conversion with WU/MG
  • Cashout of tax return, D + P (dump & PIN, cashout of debit cards stolen via skimming)
  • Receive over mail or expensive merchandise pick up in a store
  • Mules are available for other interesting transactions

We work only by reference.”

The proprietors of this service say it will take 40-45 percent of the value of the theft, depending on the amount stolen. In a follow-up Q&A with potential buyers, the vendors behind this service say it regularly moves $30,000 – $100,000 per day for clients. Specifically, it specializes in cashing out high-dollar bank accounts belonging to hacked businesses, hence the mention high up in the ad of fraudulent wire transfers and automated clearinghouse or ACH payments (ACH is typically how companies execute direct deposit of payroll for their employees).

Continue reading →


22
Oct 12

Service Sells Access to Fortune 500 Firms

An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks.

The service I examined for this post currently is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010. All of the machines for sale have been set up by their legitimate owners to accept incoming connections via the Internet, using the Remote Desktop Protocol (RDP), a service built into Microsoft Windows machines that gives the user graphical access to the host PC’s desktop. Businesses often turn on RDP for server and desktop systems that they wish to use remotely, but if they do so using a username and password that is easily guessed, those systems will soon wind up for sale on services like this one.

Pitching its wares with the slogan, “The whole world in one service,” Dedicatexpress.com advertises hacked RDP servers on several cybercrime forums. Access is granted to new customers who contact the service’s owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. The price of any hacked server is calculated based on several qualities, including the speed of its processor and the number of processor cores, the machine’s download and upload speeds, and the length of time that the hacked RDP server has been continuously available online (its “uptime”).

Though it is not marketed this way, the service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations. For instance, I relied on a list of the IP address ranges assigned to the companies in the current Fortune 500 listing (special thanks to online banking security vendor Greenway Solutions for their help on this front).

I made it about halfway through the list of companies in the Fortune 100 with names beginning in “C” when I found a hit: A hacked RDP server at Internet address space assigned to networking giant Cisco Systems Inc. The machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55 (see screenshot below). You’ll never guess the credentials assigned to this box: Username: “Cisco,”; password: “Cisco”. Small wonder that it was available for sale via this service. A contact at Cisco’s security team confirmed that the hacked RDP server was inside of Cisco’s network; the source said that it was a “bad lab machine,” but declined to offer more details.

A hacked Win 2003 Server installation at Cisco Systems was on sale for $4.55.

Continue reading →


10
Sep 12

Donkey Express: Mules Take Over the Mail

This blog has featured several stories on reshipping scams, which recruit willing or unwitting U.S. citizens (“mules”) to reship abroad pricey items that are paid for with stolen credit cards. Today’s post highlights a critical component of this scheme: the black-market sale of international shipping labels fraudulently purchased from the U.S. Postal Service.

A service that automates creation of carded USPS labels.

USPS labels that are purchased via card fraud, known in the Underweb as simply “cc labels,” are an integral part of any reshipping scheme. So it should be no surprise that the leading proprietors in this obscure market run Atlanta Alliance, one of the largest and most established criminal reshipping rackets in the underground.

The service, at fe-ccshop.com, makes it simple for any reshipping scam operator to purchase international shipping labels at a fraction of their actual cost. For example, USPS Express Mail International labels for items 20 pounds or less that are headed from the United States to Russia start at about $75, but this service sells them for just $14. The same label for an item that weighs 25 pounds would cost upwards of $150 at the Post Office, but can be had through this service for just $19.

Customers fund their accounts with a virtual currency such as Liberty Reserve, and then enter the reshipping mule’s address in the “from” section and the fraudster’s in the “to:” field. Clicking the “make label” button causes the label to be paid for with a stolen credit card, and lets the customer print or save digital images of usable and new USPS international shipping labels.

Continue reading →


6
Aug 12

Harvesting Data on the Xarvester Botmaster

In January of this year, I published the results of an investigation into the identity of the man behind the once-infamous Srizbi spam botnet. Today’s post looks at an individual likely involved in running the now-defunct Xarvester botnet, a spam machine that experts say appeared shortly after Srizbi went offline and shared remarkably similar traits.

In this screenshot from Spamdot.biz, Ronnie chats with “Tarelka” the Spamdot nickname used by the Rustock botmaster. The two are discussing an M86 report on the world’s top botnets.

Srizbi was also known in the underground as “Reactor Mailer,” and customers could register to spam from the crime machine by logging into accounts at reactormailer.com. That domain was registered to a mserver@mail.ru, an address that my reporting indicates was used by a Philipp Pogosov. More commonly known by his nickname SPM, Pogosov was a top moneymaker for SpamIt, a rogue online pharmacy affiliate program that was responsible for a huge percentage of junk email over the past half-decade.

When reactormailer.com was shuttered, Srizbi customers were instructed to log in at a new domain, reactor2.com. Historic WHOIS records show reactor2.com was registered by someone using the email address ronnich@gmail.com. As I wrote in January, leaked SpamIt affiliate records show that the ronnich@gmail.com address was used by a SpamIt affiliate named Ronnie who was referred to the program by SPM.

The Srizbi botnet would emerge as perhaps the most important casualty of the McColo takedown at the end of 2008. At the time, all of the servers used to control the giant botnet were hosted at McColo, a crime-friendly hosting facility in Northern California. When McColo’s upstream providers pulled the plug on it, that was the beginning of the end for Srizbi. SPM called it quits on spamming, and went off to focus on his online gaming company.

But according a report released in January 2009 by Trustwave’s M86 Security called Xarvester: The New Srizbi, Xarvester (pronounced “harvester”) was a pharmacy spam machine tied to SpamIt that emerged at about the same time that Srizbi disappeared, and was very similar in design and operation. It appears that SPM may have handed control over his botnet to Ronnie before leaving the spamming scene.

Continue reading →


23
Jul 12

DoItQuick: Fast Domains for Dirty Deeds

A new service offered in the cybercriminal underground is geared toward spammers, scammers and malware purveyors interested in mass-registering dozens of dodgy domains in one go.

DoItQuick offers mass registration of malware domains.

The service — doitquick.net — will auto-register up to 15 domains simultaneously, choosing randomly named domains unless the customer specifies otherwise. DoItQuick sells two classes of domains: “white” domains that are “guaranteed” to stay registered for at least a year; and “black” domains that customers can use for illicit purposes and expect to last between 2 and 30 days before they are canceled.

This service makes it quite clear why customers might prefer the “black” domain registration service: “Domains for black deeds – these domains are registered for limited terms, from 2 to 30 days (average duration is about a week). Such domains are used for black and gray deeds. Low prices, fast registration! It is ideal for redirects, exploit packs, traffic, flood, botnets and other similar stuff. Domain names are checked for getting into blacklists, trackers and Spamhaus.”

Continue reading →


21
Mar 12

Bredolab Botmaster ‘Birdie’ Still at Large

Employee and financial records leaked from some of the world’s largest sponsors of spam provide new clues about the identity of a previously unknown Russian man believed to have been closely tied to the development and maintenance of “Bredolab,” a massive collection of hacked machines that was disassembled in an international law enforcement sweep in late 2010.

Bredolab grew swiftly after Birdie introduced his load system.

In October 2010, Armenian authorities arrested and imprisoned 27-year-old Georg Avanesov on suspicion of running Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers that were used to direct the botnet’s activities.

Dutch and Armenian investigators have long suspected that Avanesov worked closely with an infamous Russian botmaster who used the nickname “Birdie,” but so far they have been unable to learn the Russian’s real identity or whereabouts.

“He was a close associate of Gregory A.,” Pim Takkenberg, team leader of the National High Tech Crime Unit in the Netherlands, said of the hacker known as Birdie. “Actually, we were never able to fully identify him.”

According to records leaked from SpamIt — a pharmacy affiliate program that was the victim of a data breach in 2010 — Birdie was an affiliate with SpamIt along with Avanesov. Neither affiliates earned much from SpamIt directly; they both made far more money selling other spammers access to Bredolab.

Birdie was also the nickname of a top member of Spamdot.biz, a now-defunct forum that once counted among its members nearly all of the big names in Spamit, as well as a dozen competing spam affiliate programs. Birdie’s core offering on Spamdot was the “Birdie Load System,” which allowed other members to buy “installs” of their own malware by loading it onto machines already infected with Bredolab.

So successful and popular was the Birdie Load System among Spamdot members that Birdie eventually had to create a customer queuing system, scheduling new loads days or weeks in advance for high volume customers. According to his own postings on Spamdot, Birdie routinely processed at least 50,000 new loads or installs for customers each day.

“Due to the fact that many of my clients very much hate waiting in line, we’ve begun selling access to weekly slots,” Birdie wrote. “If a ‘slot’ is purchased, independently from other customers, the person who purchased the slot is guaranteed service.”

Using Birdie’s Bredolab load system, spammers could easily re-seed their own spam botnets, and could rely upon load systems like this one to rebuild botnets that had been badly damaged from targeted takedowns by anti-spam activists and/or law enforcement. Bredolab also was commonly used to deploy new installations of the ZeuS Trojan, which has been used in countless online banking heists against consumers and businesses.

Below is a translated version of Birdie’s Dec. 2008 post to Spamdot describing the rules, prices and capabilities of his malware loading machine (click the image below twice for an enlarged version of the Spamdot discussion thread from which this translation was taken). Continue reading →


8
Mar 12

Banking on Badb in the Underweb

Underground Web sites can be a useful barometer for the daily volume of criminal trade in goods like stolen credit card numbers and hijacked PayPal or eBay accounts. And if the current low prices at one of Underweb’s newer and more brazen card shops are indicative of a trend, the market for these commodities has never been more cutthroat.

Visa, Amex cards for sale at Badb.su

Badb.su is distinguishable from dozens of underground carding shops chiefly by its slick interface and tiny domain name, which borrows on the pseudonym and notoriety of the Underweb’s most recognizable carder. It’s difficult to say whether “Badb” himself would have endorsed the use of his brand for this particular venture, but it seems unlikely: The man alleged by U.S. authorities to be Badb — 29-year-old Vladislav Anatolievich Horohorin — has been in a French prison since his arrest there in 2010. Authorities believe Horohorin is one of the founding members of CarderPlanet, a site that helped move millions of stolen accounts. He remains jailed in France, fighting extradition to the United States (more about his case in an upcoming story).

Badb.su’s price list shows that purloined American Express and Discover accounts issued to Americans cost between $2.50 and $3 apiece, with MasterCard and Visa accounts commanding slightly lower prices ($2-$3). Cards of any type issued by banks in the United Kingdom or European Union fetch between $4-$7 each, while accounts from Canadian financial institutions cost between $3 to $5 a pop.

The site also sells verified PayPal and eBay accounts. Verified PayPal accounts with credit cards and bank accounts attached to them go for between 2-3$, while the same combination + access to the account holder’s email inbox increases the price by $2. PayPal accounts that are associated with bank and/or credit accounts and include a balance are sold for between 2 and 10 percent of the available balance. That rate is considerably lower than the last PayPal underground shop I reviewed, which charged 8 to 12 percent of the total compromised account balance.

Verified PayPal accounts with positive balances sell for between 2-10% of the available balance.

Ebay auction accounts are priced according to the number of positive “feedback” points that each victim account possesses (feedback is the core of eBay’s reputation system, whereby members evaluate their buying and selling experiences with other members). eBay accounts with fewer than 75 feedback history sell for $2 each, while those with higher levels of feedback command prices of $5 and higher apiece, because these accounts are more likely to be perceived as trustworthy by other eBay members.

But don’t count on paying for any of these goods with a credit card; Badb.su accepts payment only through virtual currencies such as Liberty Reserve and WebMoney.

Badb.su, like many other card shops, offers an a-la-carte, card-checking service that allows buyers to gauge the validity of stolen cards before or after purchasing them. Typically, these services will test stolen card numbers using a hijacked merchant account that initiates tiny charges or so-called pre-authorization checks against the card; if the charge or pre-auth clears, the card-checking service issues a “valid” response for the checked card number.

Continue reading →


1
Feb 12

Who’s Behind the World’s Largest Spam Botnet?

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released –  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!” Continue reading →


26
Jan 12

Mr. Waledac: The Peter North of Spamming

Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.

Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.

On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.

“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.

Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.

WHO IS SEVERA?

A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.

It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.

In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.

Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.

Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.

Continue reading →


11
Jan 12

Flying the Fraudster Skies

Given the heightened security surrounding air travel these days, it may be hard to believe that fraudsters would try to board a plane using stolen tickets. But incredibly, there are a number of criminal travel agencies doing business in the underground, and judging from the positive feedback left by patrons, business appears to be booming.

Ad above says: Maldives Turkey Goa Bora-Bora, Carribes, Any country, any hotels and resorts of the world.

The tickets often are purchased at the last minute and placed under the criminal buyer’s real name. The reservations are made using either stolen credit cards or hijacked accounts belonging to independent contractors in the travel industry.  Customers are charged a fraction of the cost of the tickets and/or reservations, typically between 25 and 35 percent of the actual cost.

Criminal travel services are contributing to a recent spike in airline ticket fraud. In December, the Airlines Reporting Corporation, an industry clearinghouse, said it was seeing a marked increase in unauthorized tickets issued. Between August and November of last year, 113 incidents of fraudulently booked tickets were reported to ARC, up from just 18 such incidents reported in all of 2010. The aggregate face value of the unauthorized tickets in 2011 was more than $1 million. The ARC believes the increase in fraud is mainly due to an surge in phishing emails targeting travel agency employees and contractors.

Some of the travel agencies in the criminal underground are full-service, pitching package deals that  include airfare, car rentals and even hotel stays. A hacker using the nickname “Yoshimo” on one prominent fraudster forum offers “80-95 percent working flight tickets in most countries (some restrictions apply),” for 25 percent of the original price, and 40 percent of the price for carded hotel stays and car rentals. He has been offering this service for more than two years, and has at least 275 positive reviews from current and former customers.

Continue reading →