Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 24 February 2011

Money mules, downloads and Portlane

As if money mules didn't have enough to worry about, what with the risk of not only upsetting those "using" them but also being prosecuted for fraud, they now also risk being rejected for not answering a questionnaire correctly (the thought of being rejected as a money mule for getting the quiz wrong is, simply, hilarious).

An MDL user pointed me to a few sites running the ever so popular money mule scams. These sites are used purely to recruit the mules, and to manage them (there's a members' area once accepted, where the mule is permitted to upload files such as ID scans and whatnot).



There is, however, a little difference - the presence of a download;

Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position.

After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later time.

To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions.

Download test

*If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu.


The "download" runs the potential mule through a set of questions, to which they must provide the "correct" answers to be accepted. Once accepted, they're sent to an acceptance page on the scammers' website.



You're also sent an e-mail telling you your registration request has been received;

Dear Jack Anory,
We have accepted your application for the PAYMENT PROCESSING AGENT position.
To complete the registration procedure please execute two remaining steps:
• Download the contract: http://fourthgroup-ltd.cc/agreement.pdf
Familiarize yourself with all points of agreement. Pay much attention to the following clauses: Termination of the Agreement (11), EXHIBIT A. Fill all of the required information in the contract in the highlighted areas (your name must be filled in on the first page, Part 20 must be filled out and you must sign the agreement) and upload a scanned copy of it into your Task Manager account (use your login and password). Should any problems arise please contact our Job Department at job@fourthgroup-ltd.cc. The agreement becomes valid from the moment of your Task Manager account activation. You should be aware that the validity of the contract in electronic form is completely identical to a contract signed in the personal presence of both parties.
• To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to upload a scanned copy of your ID or utility bill into your Task Manager account (use your login and password). In case of any problems please contact our Job Department at job@fourthgroup-ltd.cc.
*We guarantee full confidentiality of your personal information, more details on this matter are available in our Privacy Policy
NOTE: If you're unable to scan the documents please use fax. Here is our number: +44 0208 099 7381
Your TM account will be activated in 2-48 hours after the receipt of necessary information.
Sincerely,

Support Team
Fourth Group Ltd
support@fourthgroup-ltd.cc


This particular e-mail had the following headers;

Return-Path: <scissors@jalpa.websitewelcome.com>
Delivered-To: [REMOVED]
X-Quarantine-ID: <JgUv8YSIJW4B>
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
X-Spam-Flag: NO
X-Spam-Score: -0.81
X-Spam-Level:
X-Spam-Status: No, score=-0.81 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
    MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001,
    T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [69.93.106.23])
    by mail4.emailconfig.com (Postfix) with SMTP id B65F6398110
    for <[REMOVED]>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: (qmail 20212 invoked from network); 25 Feb 2011 03:19:32 -0000
Received: from jalpa.websitewelcome.com (174.132.147.98)
    by gateway08.websitewelcome.com with SMTP; 25 Feb 2011 03:19:32 -0000
Received: from scissors by jalpa.websitewelcome.com with local (Exim 4.69)
    (envelope-from <scissors@jalpa.websitewelcome.com>)
    id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
To: [REMOVED]
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: 174.132.147.125/~scissors/images.php for 174.132.147.125
Received: from [193.105.134.230] (helo=localhost) by s62 with esmtpa (Exim
    4.73) (envelope-from <WUMG_QUEUE@s62>) id 1PsoCd-0007HD-SK for
    [REMOVED]; Thu, 24 Feb 2011 22:18:47 -0500
To: [REMOVED]
From: noreply@fourthgroup-ltd.cc
Subject: Fourth Group Ltd: Your registration request received
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 24 Feb 2011 22:20:17 -0500
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Message-ID: <945151.20110224221848@fourthgroup-ltd.cc>
Message-ID: <945151.20110224221848@fourthgroup-ltd.cc>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - jalpa.websitewelcome.com
X-AntiAbuse: Original Domain - it-mate.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [1825 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - jalpa.websitewelcome.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php
X-Source-Dir: sherunswithscissors.com:/public_html
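As an added example (not code from the original post), the following Python walks the header dump above: it unfolds the continuation lines, lists header fields that occur more than once (Amavis flagged the doubled "To"; Message-ID and Subject are doubled as well, which is consistent with a script prepending its own headers to a message it was handed), and reads the Received chain from the bottom up so the hop nearest the sender comes first. That bottom hop, the Received line sitting among the headers the PHP script supplied rather than those the relaying MTAs stamped on, names 193.105.134.230, which the code checks against the two /24s the post attributes to Portlane and Voxility further down. The header text is a trimmed copy of the dump above with folding restored; the range list and the decision to exclude Received from the duplicate check are my assumptions.

```python
import re
import ipaddress
from collections import Counter

# Trimmed copy of the post's header dump, re-folded: continuation lines are
# indented so they can be unfolded per RFC 5322. Recipient redacted as in the post.
RAW_HEADERS = """\
Return-Path: <scissors@jalpa.websitewelcome.com>
Delivered-To: [REMOVED]
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [69.93.106.23])
    by mail4.emailconfig.com (Postfix) with SMTP id B65F6398110
    for <[REMOVED]>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: (qmail 20212 invoked from network); 25 Feb 2011 03:19:32 -0000
Received: from jalpa.websitewelcome.com (174.132.147.98)
    by gateway08.websitewelcome.com with SMTP; 25 Feb 2011 03:19:32 -0000
Received: from scissors by jalpa.websitewelcome.com with local (Exim 4.69)
    (envelope-from <scissors@jalpa.websitewelcome.com>)
    id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
To: [REMOVED]
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: 174.132.147.125/~scissors/images.php for 174.132.147.125
Received: from [193.105.134.230] (helo=localhost) by s62 with esmtpa (Exim
    4.73) (envelope-from <WUMG_QUEUE@s62>) id 1PsoCd-0007HD-SK for
    [REMOVED]; Thu, 24 Feb 2011 22:18:47 -0500
To: [REMOVED]
From: noreply@fourthgroup-ltd.cc
Subject: Fourth Group Ltd: Your registration request received
Message-ID: <945151.20110224221848@fourthgroup-ltd.cc>
Message-ID: <945151.20110224221848@fourthgroup-ltd.cc>
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php
"""

# Assumption: the two ranges the post names (Portlane, Voxility).
BAD_RANGES = [ipaddress.ip_network("193.105.134.0/24"),
              ipaddress.ip_network("93.114.40.0/24")]

# Received is legitimately repeated once per hop, so it is not a "duplicate" finding.
NORMALLY_REPEATED = {"received"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Return (name, value) pairs; a line starting with whitespace continues the previous field."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def duplicate_fields(fields):
    """Header names that occur more than once, ignoring ones that are repeated by design."""
    counts = Counter(name.lower() for name, _ in fields)
    return sorted(n for n, c in counts.items() if c > 1 and n not in NORMALLY_REPEATED)


def received_chain(fields):
    """Received hops in delivery order: the lowest Received header is the hop nearest the sender."""
    hops = [v for n, v in fields if n.lower() == "received"]
    return list(reversed(hops))


def first_hop_ip(fields):
    """First IPv4 literal in the Received line nearest the sender, or None."""
    chain = received_chain(fields)
    m = IPV4.search(chain[0]) if chain else None
    return m.group(1) if m else None


def in_bad_ranges(ip):
    """Which of BAD_RANGES contain ip (as strings)."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in BAD_RANGES if addr in n]


def analyse(raw=RAW_HEADERS):
    fields = unfold(raw)
    origin = first_hop_ip(fields)
    return {
        "duplicates": duplicate_fields(fields),
        "hops": len(received_chain(fields)),
        "origin_ip": origin,
        "origin_ranges": in_bad_ranges(origin) if origin else [],
        "script": next((v for n, v in fields if n.lower() == "x-php-script"), None),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The only hop that is neither HostGator (websitewelcome.com) nor the recipient's own server is the one the script itself carried, and it lands in the Portlane /24; that is the link between a hijacked shared-hosting account doing the sending and the hosting the post complains about.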


However, this download also has a little sting in its tail - it modifies the mule's HOSTS file (which lives under %SystemRoot%\System32\drivers\etc and, on Vista and later, needs elevation to write, hence the "Run As Administrator" coaching on the download page) to include;

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

127.0.0.1 www.complaintsboard.com
127.0.0.1 complaintsboard.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 www.bobbear.com
127.0.0.1 bobbear.com
127.0.0.1 www.419legal.org
127.0.0.1 419legal.org
127.0.0.1 www.scam.com
127.0.0.1 scam.com
127.0.0.1 www.anti-scam.org
127.0.0.1 anti-scam.org
127.0.0.1 www.consumerfraudreporting.org
127.0.0.1 consumerfraudreporting.org
127.0.0.1 www.ripoffreport.com
127.0.0.1 ripoffreport.com
127.0.0.1 www.tjshome.com
127.0.0.1 tjshome.com
127.0.0.1 www.scamfraudalert.wordpress.com
127.0.0.1 scamfraudalert.wordpress.com
127.0.0.1 www.fraudwatchers.org
127.0.0.1 fraudwatchers.org
127.0.0.1 www.scamfraudalert.com
127.0.0.1 scamfraudalert.com
127.0.0.1 www.emailscammers.com
127.0.0.1 emailscammers.com
127.0.0.1 www.phishbucket.org
127.0.0.1 phishbucket.org
127.0.0.1 www.delphifaq.com
127.0.0.1 delphifaq.com
127.0.0.1 www.flakelist.org
127.0.0.1 flakelist.org
127.0.0.1 www.scamwarners.com
127.0.0.1 scamwarners.com
127.0.0.1 www.harvardbenefits.biz
127.0.0.1 harvardbenefits.biz
127.0.0.1 www.joewein.net
127.0.0.1 joewein.net
127.0.0.1 www.workathometruth.com
127.0.0.1 workathometruth.com
127.0.0.1 www.brainhandles.com
127.0.0.1 www.siteadvisor.com
127.0.0.1 www.fbi.gov
127.0.0.1 fbi.gov
127.0.0.1 forums.careerbuilder.com
127.0.0.1 krebsonsecurity.com
127.0.0.1 whois.domaintools.com
127.0.0.1 domaintools.com
127.0.0.1 www.domaintools.com
127.0.0.1 db.aa419.org
127.0.0.1 www.cybercrimeops.com
127.0.0.1 cybercrimeops.com
127.0.0.1 www.fraud-news.com
127.0.0.1 fraud-news.com
127.0.0.1 forums.moneysavingexpert.com


The sites they've chosen to block aren't particularly surprising (sorry Brian, they really don't like you); the intent is plainly to stop the recruit from looking the "employer" up on the very sites that would warn them off. There are a few exceptions though - why, for example, block DomainTools when there's a plethora of alternatives? Why block delphifaq.com? Why block SiteAdvisor when there are alternatives such as Web of Trust, and alternatives from security vendors such as Norton? Indeed, why aren't they blocking any security vendors? (That in itself is surprising.)
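An added example, not from the post or from hpHosts: a small HOSTS-file audit in Python that parses the file the way the resolver does (comments stripped, several names per line, tabs or spaces), skips the legitimate loopback aliases, and reports every other name pointed at 127.0.0.1 or 0.0.0.0, tagging those that match a watchlist of anti-fraud and security domains (a subset of the list above), plus any name pointed somewhere other than loopback, which is the phishing variant of the same trick. The sample file and the watchlist are constructed for the example. The real file lives at %SystemRoot%\System32\drivers\etc\hosts unless the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters has been changed, so read that value first.

```python
import ipaddress

# Addresses a HOSTS hijack uses to blackhole a name.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback on a stock Windows box.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watchlist: a subset of the anti-fraud / security domains the post shows
# being blocked. Matching is by domain suffix, so db.aa419.org hits on aa419.org.
WATCHLIST = {"bobbear.co.uk", "419legal.org", "scamwarners.com", "fbi.gov",
             "krebsonsecurity.com", "domaintools.com", "aa419.org", "siteadvisor.com",
             "complaintsboard.com", "moneysavingexpert.com"}

# Constructed sample: the stock Microsoft header left intact (as the campaign does),
# the legitimate localhost line, some of the hijack entries from the post, one
# non-watchlist sinkhole, and one entry pointing a bank at a non-loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 www.bobbear.co.uk
127.0.0.1\tbobbear.co.uk
127.0.0.1 krebsonsecurity.com
127.0.0.1 db.aa419.org
127.0.0.1 forums.moneysavingexpert.com   # comment after the entry
0.0.0.0 www.fbi.gov
127.0.0.1 www.delphifaq.com
192.0.2.10 www.example-bank.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; strips comments and tolerates tabs, extra spaces
    and several hostnames on one line, as the Windows resolver does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a mapping line
        for name in parts[1:]:
            yield parts[0], name.lower()


def parent_domains(name):
    """'db.aa419.org' -> ['db.aa419.org', 'aa419.org', 'org'] for suffix matching."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def audit_hosts(text, watchlist=WATCHLIST):
    """Return one finding per suspicious mapping. Kinds:
    watchlist-blocked: a watchlist domain sent to a sink address;
    sinkholed: any other non-localhost name sent to a sink address;
    redirected: a name pointed at a real address (phishing-style redirect)."""
    findings = []
    for ip, name in parse_hosts(text):
        on_watchlist = any(d in watchlist for d in parent_domains(name))
        if ip in SINK_ADDRESSES:
            if name in LEGIT_LOOPBACK:
                continue
            kind = "watchlist-blocked" if on_watchlist else "sinkholed"
        else:
            kind = "redirected"
        findings.append({"ip": ip, "host": name, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:18} {f['ip']:15} {f['host']}")
```

Note that the campaign leaves the stock Microsoft header comment untouched, so a check that only looks at the top of the file, or at its size, sees nothing; every mapping line has to be inspected, and anything other than the localhost aliases mapped to loopback on an end-user machine deserves a question.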

Some of the sites identified thus far include;

fourth-ukltd.net/registration/need_quiz/?reg
fourthgroup-ltd.cc/registration/need_quiz/?reg
squitgroup-llc.net/registration/need_quiz/?reg
westview-art.net/registration/need_quiz/?reg
west-view-art.cc/registration/need_quiz/?reg
qead-groupllc.net/registration/need_quiz/?reg
artmarket-llc.net/registration/need_quiz/?reg
art-marketllc.cc/registration/need_quiz/?reg
helby-groupltd.biz/registration/need_quiz/?reg
qead-llc.biz/registration/need_quiz/?reg
generationgroup-ltd.net/registration/need_quiz/?reg


And the malicious files housed there;

fourth-ukltd.net/files/fourthukltd.exe
fourthgroup-ltd.cc/files/fourthukltd.exe
squitgroup-llc.net/files/squitgroupllc.exe
westview-art.net/files/westviewart.exe
west-view-art.cc/files/westviewart.exe
qead-groupllc.net/files/qeadgroupllc.exe
artmarket-llc.net/files/artmarketllc.exe
art-marketllc.cc/files/artmarketllc.exe
generationgroup-ltd.net/files/qeadgroupllc.exe
helby-groupltd.biz/files/qeadgroupllc.exe
qead-llc.biz/files/qeadgroupllc.exe


The IP ranges they're hosted at seem to be focused on two particularly well-known players in the criminal world (the Romanian /24 sits inside the /21 announced by Voxility);

193.105.134.0/24 (Sweden)
AS42708 193.105.134.0/24 PORTLANE Portlane Network

93.114.40.0/24 (Romania)
AS39743 93.114.40.0/21 VOXILITY-AS Voxility SRL

Quite why Portlane still haven't been shut down is beyond me, especially given there isn't a single legit website housed over there, and to my knowledge, there never has been. Needless to say, Portlane are also heavily involved in the fake AV arena, having housed malicious goodness on virtually every single IP on the aforementioned /24, so feel free to blackhole their entire AS.

As for those of you considering a new job as a mule - is it really worth the risk of being imprisoned away from your family for money laundering, etc.?

/edit 07:40

Few more for you ;o)

acoon-groupllc.cc/files/acoongroupllc.exe
aimic-groupllc.asia/files/aimicgroupllc.exe
aimic-groupllc.at/files/aimicgroupllc.exe
aimic-groupllc.cc/files/aimicgroupllc.exe
aimicgroup-main.asia/files/aimicgroupllc.exe
aramategroup-first.cc/files/aramategroupfirst.exe
artsolveltd.cc/files/artsolveltd.exe
artsolveltdco.at/files/artsolveltd.exe
astech-groupde.cc/files/astechdeltd.exe
atlant-groupinc.cc/files/atlantgroupmain.exe
atlant-usainc.net/files/atlantgroupmain.exe
bredgarcorp-ant.be/files/bredgargroupllc.exe
bredgar-groupllc.cc/files/bredgargroupllc.exe
creatence-groupllc.asia/files/createncegroupllc.exe
creatence-groupllc.at/files/createncegroupllc.exe
creatence-groupllc.cc/files/createncegroupllc.exe
devasteam-ant.ws/files/devasllc.exe
dogo-group.cc/files/dogogroup.exe
dogo-group.net/files/dogogroup.exe
drysdale-antcorp.at/files/drysdalegroupinc.exe
drysdale-group-inc.cc/files/drysdalegroupinc.exe
duncroft-group-inc.cc/files/duncroftgroupinc.exe
fintec-ltd.cc/files/fintecltd.exe
fintec-ukltd.ws/files/fintecltd.exe
gogo-group-inc.cc/files/gogogroupinc.exe
gogo-teamant.com/files/gogogroupinc.exe
lilac-groupllc.cc/files/lilacantique.exe
millennial-artco.biz/files/millennialartco.exe
millennial-maingrop.net/files/millennialartco.exe
mimosa-groupus.cc/files/mimosagroupus.exe
nimrodltd-uk.net/files/nimrodinc.exe
online-solutionsllc.cc/files/onlinesolutionsllc.exe
paultonsgroup-ltd.info/files/paultonsgroupltd.exe
renaissancellc.be/files/renaissancellc.exe
renaissance-llc.cc/files/renaissancellc.exe
royalthelmas-group-llc.cc/files/royalthelmasgroupllc.exe
royalthelmas-teamant.asia/files/royalthelmasgroupllc.exe
stile-groupllc.net/files/stilegroupllc.exe
stilegroup-llc.ws/files/stilegroupllc.exe
techadv-inc.cc/files/techsoftadvinc.exe
techouse-group.cc/files/ukhousegroupnet.exe
throne-groupllc.cc/files/thronegroupllc.exe
throne-uk.at/files/thronegroupllc.exe
tinassanserviceant-antteam.net/files/tinassanservicegroupllc.exe
tinassanservice-groupllc.cc/files/tinassanservicegroupllc.exe
vintage-groupco.biz/files/vintagegroupinc.exe
vintagegroup-inc.com/files/vintagegroupinc.exe
worldofart-ltd.info/files/worldofartltd.exe

acoon-groupllc.cc/registration/need_quiz/?reg
aimic-groupllc.asia/registration/need_quiz/?reg
aimic-groupllc.at/registration/need_quiz/?reg
aimic-groupllc.cc/registration/need_quiz/?reg
aimicgroup-main.asia/registration/need_quiz/?reg
aramategroup-first.cc/registration/need_quiz/?reg
artsolve-ltd.at/registration/need_quiz/?reg
artsolveltd.cc/registration/need_quiz/?reg
artsolveltdco.at/registration/need_quiz/?reg
astech-groupde.cc/registration/need_quiz/?reg
atlant-groupinc.cc/registration/need_quiz/?reg
atlant-usainc.net/registration/need_quiz/?reg
bredgarcorp-ant.be/registration/need_quiz/?reg
bredgar-groupllc.cc/registration/need_quiz/?reg
creatence-groupllc.asia/registration/need_quiz/?reg
creatence-groupllc.at/registration/need_quiz/?reg
creatence-groupllc.cc/registration/need_quiz/?reg
devasteam-ant.ws/registration/need_quiz/?reg
dogo-group.cc/registration/need_quiz/?reg
dogo-group.net/registration/need_quiz/?reg
drysdale-antcorp.at/registration/need_quiz/?reg
drysdale-antcorp.biz/registration/need_quiz/?reg
drysdale-group-inc.cc/registration/need_quiz/?reg
duncroft-group-inc.cc/registration/need_quiz/?reg
fintec-ltd.cc/registration/need_quiz/?reg
fintec-ukltd.ws/registration/need_quiz/?reg
gogo-group-inc.cc/registration/need_quiz/?reg
gogo-teamant.com/registration/need_quiz/?reg
lilac-groupllc.cc/registration/need_quiz/?reg
millennial-artco.biz/registration/need_quiz/?reg
millennial-maingrop.net/registration/need_quiz/?reg
mimosa-groupus.cc/registration/need_quiz/?reg
nimrodltd-uk.net/registration/need_quiz/?reg
oliver-sonsinc.cc/registration/need_quiz/?reg
online-solutionsllc.cc/registration/need_quiz/?reg
paultonsgroup-ltd.info/registration/need_quiz/?reg
pegasltdunion.cc/registration/need_quiz/?reg
renaissancellc.be/registration/need_quiz/?reg
renaissance-llc.cc/registration/need_quiz/?reg
royalthelmas-group-llc.cc/registration/need_quiz/?reg
royalthelmas-teamant.asia/registration/need_quiz/?reg
stile-groupllc.net/registration/need_quiz/?reg
stilegroup-llc.ws/registration/need_quiz/?reg
techadvinc.cc/registration/need_quiz/?reg
techadv-inc.cc/registration/need_quiz/?reg
techouse-group.cc/registration/need_quiz/?reg
throne-groupllc.cc/registration/need_quiz/?reg
throne-uk.at/registration/need_quiz/?reg
tinassanserviceant-antteam.net/registration/need_quiz/?reg
tinassanservice-groupllc.cc/registration/need_quiz/?reg
us-acoongroup.net/registration/need_quiz/?reg
vintage-groupco.biz/registration/need_quiz/?reg
vintagegroup-inc.com/registration/need_quiz/?reg
worldofart-ltd.info/registration/need_quiz/?reg


/edit 26-02-2011 19:44

The servers are extremely slow at present, so I'm struggling to grab samples, but I've been advised of 3 more of these. The URLs are in the same format as previously;

schwartz-brothers-llc.net/registration/need_quiz/?reg
schwartz-brothers-llc.net/files/schwartzbrothersllc.exe

generalabbrialgroup-ltd.net/registration/need_quiz/?reg
generalabbrialgroup-ltd.net/files/generalabbrialgroupltd.exe

generalabbrial-group-ltd.cc/registration/need_quiz/?reg
generalabbrial-group-ltd.cc/files/generalabbrialgroupltd.exe

1 comment:

Conrad Longmore said...

Nice work.. blocked those two /24s. VirusTotal shows only 1/43 detections too.