Cybercriminals who specialize in phishing — or tricking people into giving up usernames and passwords at fake bank and ecommerce sites — aren’t generally considered the most sophisticated crooks, but occasionally they do exhibit creativity and chutzpah. That’s most definitely the case with a phishing gang that calls itself the “Manipulaters Team”, whose Web site boasts that it specializes in brand research and development.
I first learned about the Manipulaters from a source at an Australian bank who clued me in to a phishing group that specializes in targeting Apple’s iCloud services and a whole mess of U.S., European and Asian banks. For whatever reason (probably because they’re proud of their work), these guys leave a calling card of sorts in the WHOIS Web site registration records for most of the phishing domains that they register: According to Domaintools.com, some 329 domains are registered to “admin@manipulaters[dot]com” (complete list of domains: in PDF and CSV).
Manipulaters[dot]com is a pretty amusing site all around. Their home page advises that Mainpulaters “is an institute that caters to brand research & development. We have studied computer related products immensely, and are confident that we can get the job done. The learning never stops for us though, as we are always looking for ways to improve.” Brand research. Yeah, right.
“Our goal is to help each business and brand reach their ultimate potential,” explains the “Our Members” section of the site. “We have contracts with our members that allows us to have guidelines for them to follow on their path to success. We have put these in place for a reason. This provides the stability and direction that companies/brands need to succeed.” Points for brazenness.
Their site advises that interested parties can “become a member” of the Manipulaters Team just by paying a one-time membership fee of $15, and providing a driver’s license/ID card plus a phone or electricity bill. Ah, there’s nothing quite like phishers phishing phishers.
The scary aspect of this fraud gang is that they appear to play in the Web hosting space as well. Most of their phishing pages are in fact hosted on Internet address space that is assigned to Manipulaters[dot]com: Incredibly, the group is listed as the current occupants of an entire Class C range of Internet addresses, from 220.127.116.11 to 18.104.22.168.
One common name across most of the online properties erected by the Manipulators Team is Madih-ullah Riaz, a resident of Pakistan who appears to manage this Manipulaters out of a high-rise apartment building in Karachi. Interestingly, Riaz’s email address — firstname.lastname@example.org — was among those listed as a user of BestRecovery, a phishing and malware deployment service whose user database was hacked last year. Mr. Riaz did not respond to requests for comment.
Mr. Riaz is listed as the founding member on the “About Us” page of the Manipulaters Team, along with a guy named Omer Fareed. Both men also are listed as founders of a software company called Posting Kit, which is a company included in the job history on Riaz’s LinkedIn profile.
The Manipulaters Team likes to use domain name service (DNS) settings from another blatantly fraudulent service called “FreshSpamTools[dot]eu”, a scammer-friendly service offered by a fellow Pakistani that also conveniently sells phishing toolkits targeting a number of popular brands. Manipulators indeed.