Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 24 February 2011

Money mules, downloads and Portlane

As if money mules didn't have enough to worry about, what with the risk not only of upsetting those "using" them, but of being prosecuted for fraud - they've now got to risk failing a questionnaire and being rejected (the thought of being rejected as a money mule for not answering correctly is simply hilarious).

An MDL user pointed me to a few sites running the ever so popular money mule scams. These sites are used purely to recruit the mules, and to manage them (there's a members area once accepted, where the mule is permitted to upload files such as ID scans and whatnot).

There is, however, a little difference - the presence of a download;

Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position.

After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later time.

To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions.

Download test

*If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu.

The "download" runs the potential mule through a set of questions, to which they must give the "correct" answers to be accepted. Once accepted, they're then sent to an acceptance page on the scammers' website.

You're also sent an e-mail telling you your registration request has been received;

Dear Jack Anory,
We have accepted your application for PAYMENT PROCESSING AGENT position.
To complete the registration procedure please execute two remaining steps:
• Download the contract:
Familiarize yourself with all points of agreement. Pay much attention to the following clauses: Termination of the Agreement (11), EXHIBIT A. Fill all of the required information in the contract in the highlighted areas (your name must be filled in on the first page, Part 20 must be filled out and you must sign the agreement) and upload a scanned copy of it into your Task Manager account (use your login and password). Should any problems arise please contact our Job Department at Agreement becomes valid since the moment of your Task Manager account activation. You should be familiar with that the validity of the contract in the electronic form is completely identical to the contract signed at personal presence of both parties.
• To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to upload a scanned copy of your ID or utility bill into your Task Manager account (use your login and password). In case of any problems please contact our Job Department at
*We guarantee full confidentiality of your personal information, more details on this matter are available in our Privacy Policy
NOTE: If you're unable to scan the documents please use fax. Here is our number: +44 0208 099 7381
Your TM account will be activated in 2-48 hours after the receipt of necessary information.

Support Team
Fourth Group Ltd

This particular e-mail had the following headers;

Return-Path: <>
Delivered-To: [REMOVED]
X-Quarantine-ID: <JgUv8YSIJW4B>
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
X-Spam-Flag: NO
X-Spam-Score: -0.81
X-Spam-Status: No, score=-0.81 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ( [])
by (Postfix) with SMTP id B65F6398110
for <[REMOVED]>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: (qmail 20212 invoked from network); 25 Feb 2011 03:19:32 -0000
Received: from (
by with SMTP; 25 Feb 2011 03:19:32 -0000
Received: from scissors by with local (Exim 4.69)
(envelope-from <>)
id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: for
Received: from [] (helo=localhost) by s62 with esmtpa (Exim
4.73) (envelope-from <WUMG_QUEUE@s62>) id 1PsoCd-0007HD-SK for
[REMOVED]; Thu, 24 Feb 2011 22:18:47 -0500
Subject: Fourth Group Ltd: Your registration request received
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 24 Feb 2011 22:20:17 -0500
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Message-ID: <>
Message-ID: <>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [1825 32003] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php
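The headers above carry three tells that a mail filter can check for mechanically: Amavis already flagged the duplicated "To", the Subject and Message-ID fields also appear twice, and the X-PHP-Script / X-Source headers show the mail was generated by a PHP script on a shared host rather than by a mail client. The following is an added example (not code from the original post) that pulls those checks out of a raw header block; the sample headers are constructed, modelled on the ones in the post, with placeholder hosts (example.invalid, 192.0.2.x) standing in for the removed ones.

```python
import email

# RFC 5322 section 3.6 allows at most one of each of these fields per message;
# a second copy (as Amavis flagged for "To") usually means the sending script
# emitted its own header on top of what the mail library or MTA added.
SINGLETON_FIELDS = ("From", "Sender", "Reply-To", "To", "Cc", "Bcc",
                    "Date", "Message-ID", "In-Reply-To", "References", "Subject")

# Non-standard headers that cPanel/Exim-style shared hosts add when mail is
# sent from a web script rather than a mail client.
SCRIPT_ORIGIN_FIELDS = ("x-php-script", "x-php-originating-script",
                        "x-source", "x-source-args")

# Constructed sample modelled on the headers in the post; hostnames and
# addresses are placeholders, not the real ones.
RAW_HEADERS = """\
Return-Path: <>
Delivered-To: recipient@example.invalid
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
X-Spam-Status: No, score=-0.81 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
    T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
    by mail.example.invalid (Postfix) with SMTP id B65F6398110
    for <recipient@example.invalid>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: from scissors by s62.example.invalid with local (Exim 4.69)
    (envelope-from <>)
    id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
To: recipient@example.invalid
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: s62.example.invalid/images.php for 192.0.2.55
To: recipient@example.invalid
Subject: Fourth Group Ltd: Your registration request received
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 24 Feb 2011 22:20:17 -0500
Message-ID: <>
Message-ID: <>
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php

"""


def audit_headers(raw):
    """Return the header anomalies worth a second look in a raw message."""
    msg = email.message_from_string(raw)     # compat32 policy keeps every field
    duplicates = {}
    for name in SINGLETON_FIELDS:
        values = msg.get_all(name) or []      # lookup is case-insensitive
        if len(values) > 1:
            duplicates[name] = len(values)
    message_ids = [v.strip() for v in (msg.get_all("Message-ID") or [])]
    script_origin = {k.lower(): v for k, v in msg.items()
                     if k.lower() in SCRIPT_ORIGIN_FIELDS}
    return {
        "duplicates": duplicates,
        "empty_message_id": any(v in ("", "<>") for v in message_ids),
        # A null return path is normal for bounces, so it is reported, not scored.
        "null_return_path": (msg.get("Return-Path") or "").strip() == "<>",
        "script_origin": script_origin,
    }


def is_suspicious(report):
    """Duplicate singleton fields, an empty Message-ID or a web-script origin
    are each enough to hold a "job offer" mail for review."""
    return bool(report["duplicates"] or report["empty_message_id"]
                or report["script_origin"])


if __name__ == "__main__":
    result = audit_headers(RAW_HEADERS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

Run against the sample it reports To, Subject and Message-ID as duplicated, an empty Message-ID, and the PHP origin headers; a normal client-sent message with single headers and a real Message-ID comes back clean.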

However, this download also has a little sting in its tail - it modifies the mule's HOSTS file to include;

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# # source server
# # x client host localhost

The sites they've chosen to block aren't particularly surprising (sorry Brian, they really don't like you), with a few exceptions - why, for example, block DomainTools when there's a plethora of alternatives? Why block Why block SiteAdvisor when there are alternatives such as Web of Trust, and alternatives from security vendors such as Norton? Indeed, why aren't they blocking any security vendors? (That in itself is surprising.)
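A HOSTS file that sinkholes research and reputation sites is easy to spot once you look: every mapping other than the stock loopback entries is a finding, and those that point a public hostname at 127.0.0.1 or 0.0.0.0 are exactly what this download leaves behind. The following is an added example (not code from the original post) that audits a Windows HOSTS file on that basis. The sample file contents are constructed for the demonstration, since the post does not reproduce the entries the download added, and the watchlist hostnames (domaintools.com, siteadvisor.com, mywot.com, virustotal.com) are my assumption of what such a list should hold, based on the services the post names.

```python
import ipaddress
from dataclasses import dataclass
from pathlib import Path

# Default location on Windows, which is where the download in the post writes.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Names that legitimately map to loopback or the unspecified address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Watchlist of security / research sites (assumed; the post names DomainTools,
# SiteAdvisor and Web of Trust but not the exact hostnames it blocks).
WATCHLIST = ("domaintools.com", "siteadvisor.com", "mywot.com", "virustotal.com")

# Constructed sample of a tampered HOSTS file: the stock Microsoft comment block
# followed by invented sinkhole and redirect entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
127.0.0.1       www.domaintools.com
127.0.0.1       www.siteadvisor.com   # added by the "test" download
0.0.0.0         www.mywot.com
198.51.100.7    online.example-bank.test
"""


@dataclass
class Finding:
    lineno: int
    address: str
    hostname: str
    verdict: str       # "sinkholed" (loopback / 0.0.0.0) or "redirected" (any other address)
    watchlisted: bool  # hostname is on the security-site watchlist


def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each active line, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        yield lineno, fields[0], fields[1:]


def audit_hosts(text):
    """Return every mapping that is not a stock loopback entry."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue   # a line that does not start with an address is not a mapping
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            host = name.lower()
            if sinkhole and host in LOCAL_NAMES:
                continue   # expected "127.0.0.1 localhost" style entry
            findings.append(Finding(lineno, address, host,
                                    "sinkholed" if sinkhole else "redirected",
                                    on_watchlist(host)))
    return findings


def audit_hosts_file(path=WINDOWS_HOSTS):
    return audit_hosts(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    findings = audit_hosts_file() if WINDOWS_HOSTS.exists() else audit_hosts(SAMPLE_HOSTS)
    for f in findings:
        tag = " [WATCHLIST]" if f.watchlisted else ""
        print(f"line {f.lineno}: {f.hostname} -> {f.address} ({f.verdict}){tag}")
```

A "redirected" verdict (a public hostname pointed at a routable address, as with the bank entry in the sample) is the more dangerous of the two, since it silently sends the user to a server of the attacker's choosing rather than just blocking a site; either way the remedy is to restore the stock file and treat the machine as compromised.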

Some of the sites identified thus far include;

And the malicious files housed there;

The IP ranges they're hosted at seem to be focused on two particularly well-known players in the criminal world;

(Sweden) AS42708 PORTLANE Portlane Network
(Romania) AS39743 VOXILITY-AS Voxility SRL

Quite why Portlane still haven't been shut down is beyond me, especially given there isn't a single legit website housed over there, and to my knowledge, there never has been. Needless to say, Portlane are also heavily involved in the fake AV arena, having housed malicious goodness on virtually every single IP on the aforementioned /24, so feel free to blackhole their entire AS.

As for those of you considering a new job as a mule - is it really worth the risk of being imprisoned away from your family for money laundering, etc.?

/edit 07:40

Few more for you ;o)

/edit 26-02-2011 19:44

The servers are extremely slow at present, so I'm struggling to grab samples, but I've been advised of 3 more of these. The URLs are in the same format as previously;

1 comment:

Conrad Longmore said...

Nice work. Blocked those two /24s. VirusTotal shows only 1/43 detections too.