Channel: CyberCrime & Doing Time

GameOver Zeus now uses Encryption to bypass Perimeter Security

The criminals behind the malware delivery system for GameOver Zeus have a new trick: they encrypt their EXE file so that, as it passes through your firewall, web filters, network intrusion detection systems and any other defenses you may have in place, it does so as a non-executable ".ENC" file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Malcovery Security's malware analyst Brendan Griffin let me know about this new behavior on January 27, 2014, and has seen it consistently since that time.

On February 1st, I reviewed the reports that Malcovery's team produced and decided that this was a trend we needed to share more broadly than just to the subscribers of our "Today's Top Threat" reports. Subscribers would have been alerted to each of these campaigns, often within minutes of the beginning of the campaign. We sent copies of all the malware below to dozens of security researchers and to law enforcement. We also made sure that we had uploaded all of these files to VirusTotal which is a great way to let "the industry" know about new malware.

To review the process: Cutwail is a spamming botnet that since early fall 2013 has been primarily distributing UPATRE malware via social engineering. The spam message is designed to convince the recipient that it would be appropriate for them to open the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but which, because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation.

As our industry became better at detecting these downloads, the criminals have had a slightly more difficult time infecting people. With the change last week, the detection rate for the new Zeus downloads has consistently been ZERO of FIFTY at VirusTotal. (For example, here is the "Ring Central" .enc file from Friday on VirusTotal -- al3101.enc. Note the timestamp. That was a rescan MORE THAN TWENTY-FOUR HOURS AFTER INITIAL DISTRIBUTION, and it still says 0 of 50.) Why? Well, because technically, it isn't malware. It doesn't actually execute! All Windows EXE files start with the bytes "MZ". These files start with "ZZP". They aren't executable, so how could they be malware? Except they are.

In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future.

I am grateful to William MacArthur of GoDaddy, Brett Stone-Gross of Dell Secure Works, and Boldizsár Bencsáth from CrySys Lab in Hungary, three researchers who jumped in to help look at this with us. Hopefully others will share insights as well, so this will be an on-going conversation. (UPDATE: Boldizsár has published details of how the encoding works -- the file is first compressed and then XOR'ed with a 32-bit key. Upatre reverses the process to create the .exe file.)
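As an added illustration of the log check suggested above, here is example code written for this page (not Malcovery's tooling): it sweeps constructed proxy log lines for .enc downloads, counts completed fetches per internal client, and classifies a file's leading bytes the way the post describes, a normal Windows executable starting with "MZ" and these GameOver Zeus .enc files starting with "ZZP". The Squid-style log format, host names and client addresses are assumed sample values, not indicators from the campaigns listed below.

```python
import re
from collections import Counter

# Constructed sample proxy log lines in Squid's native format
# (timestamp elapsed client code/status bytes method URL rfc931 hierarchy type).
# Hosts and addresses are placeholders, not indicators from the post.
SAMPLE_LOG = """\
1391040001.123 412 10.0.0.15 TCP_MISS/200 287920 GET http://host-a.example/wp-content/uploads/2014/01/pdf.enc - DIRECT/203.0.113.7 application/octet-stream
1391040002.456 98 10.0.0.22 TCP_MISS/200 5123 GET http://host-b.example/images/logo.png - DIRECT/203.0.113.8 image/png
1391040003.789 390 10.0.0.15 TCP_MISS/200 282448 GET http://host-c.example/images/marquee/wav.enc - DIRECT/203.0.113.9 application/octet-stream
1391040004.000 77 10.0.0.31 TCP_MISS/404 0 GET http://host-d.example/up/al2701.enc - DIRECT/203.0.113.10 text/html
1391040005.250 61 10.0.0.31 TCP_MISS/200 1024 GET http://host-d.example/up/PDF.ENC?x=1 - DIRECT/203.0.113.10 application/octet-stream
"""

# Path ends in .enc (any case); a query string or fragment may follow.
ENC_PATH = re.compile(r"\.enc(?:[?#]|$)", re.IGNORECASE)


def find_enc_requests(log_text):
    """Return one record per request whose URL path ends in .enc, with the
    internal client, the URL, the HTTP status and the byte count."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line: skip it rather than abort the sweep
        url = fields[6]
        if ENC_PATH.search(url):
            hits.append({
                "client": fields[2],
                "url": url,
                "status": int(fields[3].rsplit("/", 1)[-1]),
                "bytes": int(fields[4]),
            })
    return hits


def successful_downloads(hits):
    """Only completed (HTTP 200) fetches are evidence that a payload reached a host."""
    return [h for h in hits if h["status"] == 200]


def downloads_per_client(hits):
    """Completed .enc fetches per internal client: the workstations to triage first."""
    return Counter(h["client"] for h in successful_downloads(hits))


def classify_header(data):
    """Classify a file by its leading bytes: 'pe' for a normal Windows executable
    (MZ header), 'zzp' for the marker the post reports on the .enc files."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:3] == b"ZZP":
        return "zzp"
    return "other"


if __name__ == "__main__":
    hits = find_enc_requests(SAMPLE_LOG)
    for client, n in downloads_per_client(hits).most_common():
        print(f"{client}: {n} completed .enc download(s)")
    print(classify_header(b"ZZP\x01\x02"))
```

The 404 in the sample is kept in the request list but excluded from the per-client count, since a failed fetch is worth a look but is not a payload on disk; `classify_header` is meant to be run over whatever the proxy cache or the endpoint still holds for those URLs.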

UPATRE campaigns that use Encryption to Bypass Security

Here are the campaigns we saw this week, with the hashes and sizes for the .zip, the UPATRE .exe, the .enc file, and the decrypted GameOver Zeus .exe file that came from that file. For each campaign, you will see some information about the spam message, including the .zip file that was attached and its size and hash, and the .exe file that was unpacked from that .zip file. Then you will see a screenshot of the email message, followed by the URL that the Encrypted GameOver Zeus file was downloaded from, and some statistics about the file AFTER it was decrypted.

ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.

(Columns: file | size | MD5; for each download URL: URL | .enc size | .enc MD5, followed by the size and MD5 of the decrypted GameOver Zeus .exe)

Campaign: 2014-01-27.ADP | Messages Seen: 2606 | Subject: Invoice #(RND)
From: ADP - Payroll Services <payroll.invoices@adp.com>
Invoice.zip | 9767 bytes | b624601794380b2bee0769e09056769c
Invoice.PDF.exe | 18944 bytes | 8d3bf40cfbcf03ed13f0a900726170b3

dcmsservices.com/images/stories/slides/pdf.enc | OFFLINE | OFFLINE
decrypted | - | -

electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc | 287920 bytes | 09ced08856101f86c02890f4373623a4
decrypted | 338432 bytes | b63415efcc70974269bd9d8da10b3ac1


Campaign: 2014-01-27.BBB | Messages Seen: 776 | Subject: FW: Complaint Case (RND)
From: Better Business Bureau <(Random)@newyork.bbb.org>
Case 463252349343.zip | 9762 bytes | 1ed259d9e7474cfe56df485be479ea97
Case 463252349343.exe | 18944 bytes | 809ae1af04ab921aa60efeb7083d21d7

sigmau.co.uk/templates/hot_spicy/images/glass/pdf.enc | OFFLINE | OFFLINE
decrypted | - | -

skipbagsdublin.com/wp-content/uploads/2014/01/pdf.enc | OFFLINE | OFFLINE
decrypted | - | -


Campaign: 2014-01-27.HMRC | Messages Seen: 302 | Subject: Important Information for Employers
From: HMRC Employer Alerts & Registrations <employers@alerts.hmrc.gov.uk>
Employer_Bulletin_Issue_46_79520EEE31.zip | 7218 bytes | 413cda07e774a5ed7f98279dd9e8a087
Employer_Bulletin_Issue_46_79520EEE31.exe | 17920 bytes | 2616babcdf0c5b9086ff63fa6682fe07

all-monitor.com/images/pdf.enc | 282449 bytes | 9d1b8f296b5bfb0f4817c2aacb8815a3
decrypted | 289280 bytes | fa4d35b63a8485bc7c0b167ca9358b76


Campaign: 2014-01-27.HSBC | Messages Seen: 404 | Subject: FW: Payment Advice - Advice Ref:[GB(RND)] / ACH credits / Customer Ref:[pay run 14/11/13]
From: HSBC Advising Service <advising.service.(RND).(RND).RND)@mail.hsbcnet.hsbc.com>
PaymentAdvice.zip | 7162 bytes | c17396cddadf201f83074615824240c0
PaymentAdvice.exe | 17920 bytes | e0595c4f17056e5599b89f1f9cf52d83

afrolatinotala.com/images/pdf.enc | 282448 bytes | 414755f65ebbaf52669aaab649b3f274
decrypted | 289280 bytes | 5a393b283f42edd17c7da2625b8e1045


Campaign: 2014-01-27.Skype | Messages Seen: 275 | Subject: Skype Missed voice message
From: Administrator <docs(#)@(many)>
Skype-message.zip | 10147 bytes | 79fb2e523fe515a6dac229b236f796ff
Voice_Mail_Message.exe | 18944 bytes | 6e4857c995699c58d9e7b97bff6e3ee6

rockthecasbah.eu/templates/beez/css/wav.enc | OFFLINE | OFFLINE
decrypted | - | -


Campaign: 2014-01-27.VoiceMessage | Messages Seen: 271 | Subject: Voice Message from Unknown
From: Administrator <docs(#)@(many)>
VoiceMessage.zip | 7273 bytes | d2070f6a15312dec7882ca0d9ec7f431
VoiceMessage.exe | 17920 bytes | 8a739776cf8316eba1bfae50e020c8f1

akhrisawal.com/images/marquee/wav.enc | 282448 bytes | 73c811d0794de15906225d7d936fc6b7
decrypted | 289280 bytes | 2b0db77ac980be10b9ef4562269d8db4

ayeshaomar.com/images/host/wav.enc | 282446 bytes | 1d30d5fe55585d24cd15ef97afb7322c
decrypted | 289280 bytes | b993b4cb332b979d6f8509f5765abfd4


Campaign: 2014-01-28.DeptTreasury | Messages Seen: 223 | Subject: Department of Treasury Notice of Outstanding Obligation - Case (RND)
From: support@salesforce.com
FMS-Case-(RND).zip | 9462 bytes | 067617d990a861f87304bb08b6628524
FMS-.exe | 18944 bytes | 40afe219c14a0a5f3a4ddd6c8e39bc23

almotawer.biz/img/pdf.enc | 328025 bytes | 41d57ca4b8705247186e2f30d911d811
decrypted | 387584 bytes | 7178a455ee9a0d6e42465ad9967a177a

imagevillage.co.uk/images/pdf.enc | 328025 bytes | 41d57ca4b8705247186e2f30d911d811
decrypted | 387584 bytes | 7178a455ee9a0d6e42465ad9967a177a


Campaign: 2014-01-28.IRS | Messages Seen: 192 | Subject: Complaint Case (RND)
From: IRS.gov <fraud.dep@irs.gov>
Complaint_RND.zip | 7240 bytes | f20768ed9f771a92950a5f5ab14bf57f
Complaint_.exe | 17408 bytes | 8163d272c4975b1d7ed578b4d24b3d2a

farmyarddog.co.uk/images/pdf.enc | 282486 bytes | 97b200826b7a526d91fda4c56dc438ae
decrypted | 289276 bytes | 542a5a6f04ddcad3effc72121c59e332

hamdanicoffee.com/up/pdf.enc | 282486 bytes | 97b200826b7a526d91fda4c56dc438ae
decrypted | 289276 bytes | 542a5a6f04ddcad3effc72121c59e332


Campaign: 2014-01-28.NewVoiceMessage | Messages Seen: 165 | Subject: New Voice Message
From: Voice Mail <(RND)@(reflective)>
VoiceMail.zip | 6502 bytes | 2a048dfb3429155d552cb0c37b499b51
VoiceMail.exe | 17920 bytes | dc2e2f04a01009f3193b0df4ba0f6e81

hailantrdg.com/scripts/wav.enc | 282489 bytes | 11a55dd1a756dbba6e7d404a7c22544a
decrypted | 289280 bytes | cae9c9614affac694320215228efcf27

morethanshelters.co.uk/images/banners/wav.enc | 282489 bytes | 11a55dd1a756dbba6e7d404a7c22544a
decrypted | 289280 bytes | cae9c9614affac694320215228efcf27


Campaign: 2014-01-28.RingCentral | Messages Seen: 7720 | Subject: New Fax Message on 1/22/2013
From: RND <RND@RND>
fax.zip | 9929 bytes | afa90762f6412173cf6e0e6d1d57531d
fax.doc.exe | 18944 bytes | 81e425646f68d3adaddca0cf398f595f

ren7oaks.co.uk/images/al2701.enc | 441073 bytes | f626ad2af056644ff4717e1cd80c6da3
decrypted | 484352 bytes | c7c4a875b90c86136e497af8ffc9a9e0

salahicorp.com/up/al2701.enc | 441073 bytes | f626ad2af056644ff4717e1cd80c6da3
decrypted | 484352 bytes | c7c4a875b90c86136e497af8ffc9a9e0


Campaign: 2014-01-28.WhatsApp | Messages Seen: 767 | Subject: Missed voice message, "(timestamp)"
From: WhatsApp Messenger <ctaylor@magma.net>
Missed-message.zip | 6492 bytes | 494d6095b540dbc9f570e22b717a32df
Missed-message.exe | 17920 bytes | a4c01917b7d48aa7c1c9a2619acb5453

inspireplus.org.uk/images/banners/wav.enc | 282491 bytes | 33070eda34ccea632c3b4007a1e2beee
decrypted | 289268 bytes | dc5b998fd7a6f29ebac6365654d57609

zubayen.com/up/wav.enc | 282491 bytes | 33070eda34ccea632c3b4007a1e2beee
decrypted | 289268 bytes | dc5b998fd7a6f29ebac6365654d57609


Campaign: 2014-01-28.Skype | Messages Seen: 574 | Subject: Skype Missed voice message
From: Administrator <docs(#)@(many)>
Skype-message.zip | 9163 bytes | dfa3db3c14ae1e369a4a9df6cb82832f
Skype-message.exe | 18944 bytes | ab703881cb4b3fbd5ee13df30b7bb8d7


Campaign: 2014-01-29.RingCentral1 | Messages Seen: 3811 | Subject: New Fax Message on 1/29/2013
From: RND <RND@*.ru>
fax.zip | 9473 bytes | 0842e4bcc8af1f0d54519a99834be218
fax.pdf.exe | 18432 bytes | d309df26dd91294dc4acd5fb78aa98f5

Campaign: 2014-01-29.RingCentral1 | Messages Seen: 2887 | Subject: New Fax Message on 1/22/2013
From: RND <RND@RND>
fax.zip | 9929 bytes | afa90762f6412173cf6e0e6d1d57531d
fax.pdf.exe | 19968 bytes | 5db38bd493ef2f9b35bb0015822b493d

Campaign: 2014-01-29.RingCentral1 | Messages Seen: 2353 | Subject: New Fax Message on 1/29/2013
From: RND <RND@*.ru>
fax.zip | 9994 bytes | 2d65747503e7b251ad597a650f352f4e
fax.doc.exe | 18944 bytes | 81e425646f68d3adaddca0cf398f595f

internetauctions.ca/img/apps/al2901.enc | OFFLINE | OFFLINE
decrypted | - | -


Campaign: 2014-01-29.eFax | Messages Seen: 1016 | Subject: Fax transmission: (RND-RND-RND-RND).zip
From: eFax Corporate <message@inbound.efax.com>
(RND-RND-RND-RND.zip) | 9628 bytes | 9f2613dabe2a89ac21e9b55b6df51ebc
{fax num123}.exe | 17920 bytes | 89f45f68a0568996a6a109a1d04b6670

amy-escort.com/amy/pdf.enc | 281970 bytes | 42dda6f13b2c8df96321570e1fa84fe8
decrypted | 289785 bytes | ee038bdd137f518614599275add5b9bb

pakmailbarrie.com/images/banners/pdf.enc | OFFLINE | OFFLINE
decrypted | - | -


Campaign: 2014-01-29.LloydsTSB | Messages Seen: 551 | Subject: January Spending
From: RND <RND@lloydstsb.com>
January.zip | 9586 bytes | ea42b883dab711810243e8f138438733
January.exe | 17920 bytes | c28d9a0b3b2643a01fd3f3250a39a511

airconexpress.com.au/images/deac/pdf.enc | 281971 bytes | 9c790bfd6def569362483192d6e1b9ba
decrypted | 289800 bytes | 82dd0f87007fc0149183e1de8f0913f2

numantis.com/images/banners/pdf.enc | OFFLINE | OFFLINE
decrypted | - | -


Campaign: | Messages Seen: 166 | Subject: Voice Message from Unknown
From: Administrator <docs(#)@(many)>
Message.zip | 8748 bytes | ff2c3e6b875803945b320e438304f506
VoiceMessage.exe | 17920 bytes | 13d6046c575abe9c3072067135a57996


Campaign: 2014-01-30.BanquePopulaire | Messages Seen: 259 | Subject: Numero de cas: RND
From: Banquepopulaire.fr <response-automatique@banquepopulaire.fr>
Cas_RND.zip | 9476 bytes | a21cd2697687ae6eb1b15175a8fb0ae2
Cas_01302014.exe | 17920 bytes | 968779b34f063af0492c50dd4b6c8f30

doradoresources.com/images/ie6/pdf.enc | 282033 bytes | 8cce7406f943daa81ef31411247491d3
decrypted | 300544 bytes | 092eb58dce516414908ecf6f3156372a

sportsstoreonline.in/wp-content/uploads/2013/03/pdf.enc | OFFLINE | OFFLINE
decrypted | - | -


Campaign: 2014-01-30.Remit | Messages Seen: 206 | Subject: FW: Last Month Remit
From: Administrator <docs(#)@reflective>
Remit.(domain).zip | 9465 bytes | 145d3da149cc8fa3bef38af648713fb6
Remit.exe | 17920 bytes | 84a6030c8265b33c3c4e68d29975bd76

excelbizsolutions.com/templates/pdf.enc | 282036 bytes | 5c7d5797e1f46c29dd9c7a9976d9d359
decrypted | 299008 bytes | aaf1097da1e50b7fd8d8c5e1a95acd80

poragdas.com/images/Porag/pdf.enc | 282036 bytes | 5c7d5797e1f46c29dd9c7a9976d9d359
decrypted | 299008 bytes | aaf1097da1e50b7fd8d8c5e1a95acd80


Campaign: 2014-01-30.Skype | Messages Seen: 42 | Subject: Skype Missed voice message
From: Administrator <docs(#)@reflective>
Missed voice message.zip | 9336 bytes | 40453639a6fbd58b1d30099666ad32a
Missed voice message.exe | 18944 bytes | 30e5d9d4d7da572fdef6f7253950a53c

aatextiles.com/images/gallery/wav.enc | 328784 bytes | 75a9d6fd9fe34a4ff737c987938a8f6c
decrypted | 386048 bytes | f2bef403482c4dd70bd4e1be1fd4af8f

profitera.com/img/newsletter/auto/wav.enc | 328784 bytes | 75a9d6fd9fe34a4ff737c987938a8f6c
decrypted | 386048 bytes | f2bef403482c4dd70bd4e1be1fd4af8f


Campaign: 2014-01-30.AssortedFax | Messages Seen: 2410 | Subject: Corporate eFax message from (RND) / jConnect fax from (RND) - (RND) pages, Caller_ID (RND)
From: eFax Corporate / jConnect / Dun & Bradstreet <message or case.alert @ inbound.j2.com, dnb.com, inbound.efax.com>
FAX_001_RND.zip | 10293 bytes | 18b72825aecde011bdc92c1526491571
FAX_001_20143001_814.exe | 18944 bytes | 915fdc8403b26bac79801fa1a341495d

(These three all use the same binaries)


Campaign: | Messages Seen: 1627 | Subject: New Fax Message on 01/29/2013
From: RND <RND@*.ru>
fax.zip | 10095 bytes | 8627ce01daaebc35610d05cdbdbde612
fax.pdf.exe | 18432 bytes | 465c2656c07ab05e9349920f53dd0deb


Campaign: 2014-01-30.LaPoste | Messages Seen: 101 | Subject: Scan de (RND)
From: LaPoste <reponse-automatique@laposte.net>
Scan_RND_RND_RND.zip | 9494 bytes | daaf11e91c3cc3506042d633373aabd3
Scan_301_30012014_001.exe | 17920 bytes | 968779b34f063af0492c50dd4b6c8f30


Campaign: 2014-01-30.Staples | Messages Seen: 245 | Subject: Your order is awaiting verification!
From: Staples Advantage Orders <Order@staplesadvantage.com>
Order_RND.zip | 9465 bytes | e669d0ff0238ed2f3601c01f1a532728
Order.exe | 17920 bytes | 84a6030c8265b33c3c4e68d29975bd76


Campaign: 2014-01-31.RingCentral1 | Messages Seen: 3488 | Subject: New Fax Message on 01/29/2014
From: RND <RND@*.ru>
fax.zip | 9815 bytes | d373a3e96519612896facb6f18e89785
fax.pdf.exe | 19968 bytes | 9a836550c9e74a46076a7292fb0d4ab1

aim2go.com/WEB-INF/al3101.enc | 329132 bytes | ded1b7f7ea934faf84a8dcc5011316cd
decrypted | 390144 bytes | f07d3afab1eb150e8a315596b5fb23f9

bandwagondesign.com/scripts/al3101.enc | 329132 bytes | ded1b7f7ea934faf84a8dcc5011316cd
decrypted | 390144 bytes | f07d3afab1eb150e8a315596b5fb23f9



Highest Malware Spam Rate since April 2013

Since 2006, my lab at UAB, part of The Center for Information Assurance and Joint Forensics Research, has been gathering spam and finding creative ways to analyze it to find new threats. Last December we licensed that technology to form Malcovery Security, which has picked up the reins on the work of finding and reporting on new malicious threats in spam. Between the groups, we've evaluated nearly a billion spam messages, so when one of my analysts says they are seeing something "new" I pretty much listen to them.

This week they said "spam-delivered Malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding!

The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/Mastercard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!

Date | Messages reviewed | Count | Email Subject
Feb 5 | 1,066,187 | 171,186 | Bank of America Alert: Online Banking Security Measures
Feb 6 | 1,176,667 | 303,646 | ATTN: Important notification for a Visa / MasterCard holder!
Feb 7 | 1,113,739 | 267,445 | Some important information is missing

Those numbers indicate that for the last three days this single malware distributor was accounting for 16%, 25.8%, and 24% of all the spam we reviewed! How does that compare to normal? The previous day, February 4th, we considered the "Photos" malware campaign to be heavily spammed when it reached 5% of total spam volume for the day.

Microsoft's Security Intelligence Report (volume 15) showed spam message breakdown for the first half of 2013 like this:

Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon Bombing, broke all the records for the heaviest spam campaign distributing malware, as we wrote about in Boston Marathon Explosion Spam Leads to Malware. Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution about "Breaking News" emails ...

Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event. When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link. It’s also much easier to prevent them from suspecting that something is wrong with the message.

Here are some more details about the spam messages that were seen in the past three days:


Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped: (http is changed to hYYp and spaces added to URLs for your protection)

hYYp://37.139.47.56   /srt/404.php
hYYp://37.139.47.56 /ssd/usa.exe
hYYp://37.139.47.56 /ssd/usa2.exe
hYYp://62.76.187.171 /srt/404.php
hYYp://62.76.187.171 /ssd/usa.exe
hYYp://62.76.187.171 /ssd/usa2.exe
hYYp://62.76.187.221 /ssd/usa.exe
hYYp://62.76.187.221 /ssd/usa2.exe
hYYp://62.76.187.221 /ssd/usa2.exe
hYYp://85.143.166.119 /srt/404.php
hYYp://85.143.166.119 /ssd/usa.exe

hYYp://37.139.47.56    /srt/404.php
hYYp://37.139.47.56 /ssd/usa.exe
hYYp://37.139.47.56 /ssd/usa2.exe
hYYp://37.139.47.56 /ssd/ust2.exe
hYYp://37.139.47.56 /ssd/ust21.exe
hYYp://62.76.179.171 /punta/gae.php
hYYp://62.76.187.171 /srt/404.php
hYYp://62.76.187.171 /ssd/usa.exe
hYYp://62.76.187.171 /ssd/usa2.exe
hYYp://62.76.187.171 /ssd/ust2.exe
hYYp://62.76.187.171 /ssd/ust21.exe
hYYp://62.76.187.221 /ssd/usa.exe
hYYp://62.76.187.221 /ssd/usa2.exe
hYYp://62.76.187.221 /ssd/ust2.exe
hYYp://62.76.187.221 /ssd/ust21.exe
hYYp://62.76.42.144 /punta/gae.php
hYYp://62.76.46.249 /punta/gae.php
hYYp://85.143.166.119 /srt/404.php
hYYp://85.143.166.119 /ssd/usa.exe
hYYp://85.143.166.119 /ssd/usa2.exe
hYYp://85.143.166.119 /ssd/ust2.exe

hYYp://37.139.47.56    /srt/404.php
hYYp://37.139.47.56 /ssd/ust12.exe
hYYp://62.76.187.171 /srt/404.php
hYYp://62.76.187.171 /ssd/ust12.exe
hYYp://85.143.166.119 /srt/404.php
hYYp://85.143.166.175 /ssd/ust12.exe

The IP addresses that would be most critical to block to protect your network are these. Most of them are on a Russian cloud hosting service, clodo.ru: some on AS48172 OVERSUN (St. Petersburg, Russia, clodo.ru) and others on AS56534 PIRIX-INET-AS PIRIX, ltd.

37.139.47.56
62.76.179.171
62.76.187.171
62.76.187.221
62.76.42.144
62.76.46.249
85.143.166.119
85.143.166.175

The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash = b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that URL as of this timestamp, which is showing greatly improved detection over my original run. ESET, Kaspersky, and Microsoft are all agreeing this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.

Spamming Computers analysis

How often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days. ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5. ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6. ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.

5 Intersection 6 = 22,500 shared IPs
6 Intersection 7 = 25,405 shared IPs
5 Intersection 7 = 18,261 shared IPs
16,255 IPs were seen in all three campaigns.

107,987 unique IPs were seen if we combine all three campaigns.

Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were 86.64.142.28 (France, 158 messages) and 200.123.8.123 (Peru, 142 messages).

I geo-coded those IP addresses that sent more than 10 emails to us, a total of 21,955 IP addresses from 141 countries. An unusually large share, more than 45%, are from Spanish-speaking countries. At some point this botnet probably enlarged itself through Spanish-language spam- or website-based malware.

ES 3052 - Spain
AR 2148 - Argentina
US 1841 - United States
CO 1387 - Colombia
MX 1374 - Mexico
IT 1263 - Italy
DE 1025 - Germany
PE 915 - Peru
RO 876 - Romania
BR 833 - Brazil
GB 666 - Great Britain
CL 634 - Chile
FR 537 - France
IL 489 - Israel
CA 379 - Canada
PL 342 - Poland
TR 325 - Turkey
BG 267 - Bulgaria
PT 259 - Portugal
GR 238 - Greece
VE 238 - Venezuela
AT 183 - Austria
RS 180 - Republic of Serbia
EC 131 - Ecuador
CH 118 - Switzerland
IN 116 - India
CZ 104 - Czech Republic
PA 104 - Panama
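The sender-overlap analysis above (per-day IP sets, their intersections and union, messages per sender, and the country breakdown) reduces to a few set and counter operations. Here is an added example, written for this page rather than taken from the post, that runs the same steps over constructed sample records; the `RECORDS` list, the `GEO` lookup table and the Spanish-speaking country set are assumed sample data standing in for the real sender lists and a GeoIP database.

```python
import statistics
from collections import Counter

# Constructed sample records (campaign_day, sender_ip): a tiny stand-in for the
# three days of sender addresses the post analyses. Addresses are from the
# documentation range 192.0.2.0/24, not real spam sources.
RECORDS = [
    ("feb5", "192.0.2.1"), ("feb5", "192.0.2.2"), ("feb5", "192.0.2.3"), ("feb5", "192.0.2.1"),
    ("feb6", "192.0.2.1"), ("feb6", "192.0.2.2"), ("feb6", "192.0.2.4"),
    ("feb7", "192.0.2.1"), ("feb7", "192.0.2.4"), ("feb7", "192.0.2.5"), ("feb7", "192.0.2.1"),
]

# Constructed GeoIP lookup; a real sweep would consult a GeoIP database.
GEO = {"192.0.2.1": "ES", "192.0.2.2": "US", "192.0.2.3": "AR",
       "192.0.2.4": "AR", "192.0.2.5": "DE"}
SPANISH_SPEAKING = {"ES", "AR", "CO", "MX", "PE", "CL", "VE", "EC", "PA"}


def ip_sets_by_day(records):
    """One set of sender IPs per campaign day (ss5ip, ss6ip, ss7ip in the post)."""
    sets = {}
    for day, ip in records:
        sets.setdefault(day, set()).add(ip)
    return sets


def overlap_report(sets):
    """Sizes of the pairwise intersections, the all-days intersection and the union."""
    days = sorted(sets)
    report = {}
    for i, a in enumerate(days):
        for b in days[i + 1:]:
            report[(a, b)] = len(sets[a] & sets[b])
    report["all"] = len(set.intersection(*sets.values()))
    report["union"] = len(set.union(*sets.values()))
    return report


def per_ip_stats(records, top_n=2):
    """Messages per sender across all days: mean, median and the busiest senders."""
    counts = Counter(ip for _, ip in records)
    values = list(counts.values())
    return {
        "mean": statistics.mean(values),
        "median": statistics.median(values),
        "top": counts.most_common(top_n),
    }


def country_breakdown(records, geo, min_messages=2):
    """Country counts for senders with at least min_messages, and the share of
    those senders located in Spanish-speaking countries."""
    counts = Counter(ip for _, ip in records)
    busy = [ip for ip, n in counts.items() if n >= min_messages]
    by_country = Counter(geo.get(ip, "??") for ip in busy)
    spanish = sum(n for cc, n in by_country.items() if cc in SPANISH_SPEAKING)
    share = spanish / len(busy) if busy else 0.0
    return by_country, share


if __name__ == "__main__":
    sets = ip_sets_by_day(RECORDS)
    print(overlap_report(sets))
    print(per_ip_stats(RECORDS))
    print(country_breakdown(RECORDS, GEO))
```

The `min_messages` threshold plays the role of the post's "more than 10 emails" cut-off, which keeps one-off senders (often mis-attributed or forwarded mail) from diluting the geographic picture.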

Interac Phishers try their hand at IRS

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of the (activate 1940 horror movie narrator voice) The POWER OF CROSS BRAND INTELLIGENCE (/activate). Here's what the website looked like:


Phish from: bursafotograf.com / profiles / interac / RP.do.htm

In this phish, the "big idea" is that you can escalate your IRS Tax Refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your Userid and Password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700.)

Things get quite fascinating though when we hide the graphics:

Why would an IRS phish have ALT TEXT for four of the largest Canadian banks? By looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish. First, the website Title is "INTERAC e-Transfer" ...

INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else simply by using either their email address or cell phone text messaging service. A Transaction code is texted/emailed from the payer to the recipient, allowing the recipient to login to the Interac service and choose what account, and what bank, they would like to receive the funds into.

The phish has some Javascript at the top that includes variables like "var provinceList = new Array ("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");" and a pull down menu with options "Select Institution", "Select Province or Territory" and "Select Credit Union."

As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as:


href = chasecustomerprofile
img src = chasecustomerprofile/css/images/chaseNew.gif .... but with alt="CIBC"

href = navy/index.htm
img src = imgs/nfculogo.png .... but with alt="President's Choice Financial"

href = suntrust
img src = imgs/suntrust.png .... but with alt="RBC Royal Bank"

etc . . .
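The mismatch between image paths and ALT text is easy to check mechanically when triaging a suspected phishing page. The following is an added example written for this page (not Malcovery's PhishIQ code): it parses a constructed page fragment modelled on the rebranded kit described above, extracts the page title and every image-inside-a-link, and reports those whose ALT text names a brand that neither the link target nor the image path mentions. The `BRAND_KEYWORDS` table and the `SAMPLE_PAGE` markup are assumptions for the example, not content from the original phish.

```python
from html.parser import HTMLParser

# Brand keywords mapped to a canonical brand name. Constructed list covering
# the brands named in the post; extend it for your own environment.
BRAND_KEYWORDS = {
    "chase": "Chase", "nfcu": "Navy Federal", "navy": "Navy Federal",
    "suntrust": "SunTrust", "regions": "Regions", "wellsfargo": "Wells Fargo",
    "wells fargo": "Wells Fargo", "usaa": "USAA", "citi": "Citi",
    "cibc": "CIBC", "rbc": "RBC", "president's choice": "PC Financial",
    "td canada": "TD",
}

# Constructed page fragment modelled on the rebranded kit the post describes.
SAMPLE_PAGE = """<html><head><title>INTERAC e-Transfer</title></head><body>
<a href="chasecustomerprofile"><img src="chasecustomerprofile/css/images/chaseNew.gif" alt="CIBC"></a>
<a href="navy/index.htm"><img src="imgs/nfculogo.png" alt="President's Choice Financial"></a>
<a href="suntrust"><img src="imgs/suntrust.png" alt="RBC Royal Bank"></a>
<a href="regions"><img src="imgs/regions.png" alt="Regions Bank"></a>
</body></html>"""


class LinkImageCollector(HTMLParser):
    """Collect (href, img src, alt) for every image inside a link, plus the <title>."""

    def __init__(self):
        super().__init__()
        self.current_href = None
        self.in_title = False
        self.title = ""
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.current_href = a.get("href") or ""
        elif tag == "img":
            self.images.append((self.current_href or "", a.get("src") or "", a.get("alt") or ""))
        elif tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None
        elif tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def brands_in(text):
    """Canonical brand names whose keyword occurs in the text (case-insensitive)."""
    lower = text.lower()
    return {brand for kw, brand in BRAND_KEYWORDS.items() if kw in lower}


def page_title(html):
    p = LinkImageCollector()
    p.feed(html)
    return p.title.strip()


def find_brand_mismatches(html):
    """Images whose ALT text names a brand that neither the link target nor the
    image path names: the fingerprint of a kit rebranded by editing src/href only."""
    p = LinkImageCollector()
    p.feed(html)
    findings = []
    for href, src, alt in p.images:
        path_brands = brands_in(href) | brands_in(src)
        alt_brands = brands_in(alt)
        if path_brands and alt_brands and not (path_brands & alt_brands):
            findings.append({"href": href, "src": src, "alt": alt,
                             "path_brands": path_brands, "alt_brands": alt_brands})
    return findings


if __name__ == "__main__":
    print("title:", page_title(SAMPLE_PAGE))
    for f in find_brand_mismatches(SAMPLE_PAGE):
        print(f"{f['src']} is labelled {f['alt']!r}: path says {f['path_brands']}, ALT says {f['alt_brands']}")
```

The title and the leftover ALT brands together give a cheap pivot: the same check run over other captured kits finds the ones sharing the original Interac template even when every visible logo has been swapped.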

Phishing Cross-Brand Intelligence

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system.

Here is a phish that was seen on June 21, 2013 on the website freevalwritings.com / wp / interacsessions / RP.do.htm

And another, first seen on May 28, 2013, on the website anglaisacote.com / interac / RP.do.htm (note the common path on both of these that matches the current IRS phish, "interac/RP.do.htm"; RP.do.htm is used on the REAL Interac website).

Phishing & Spam Cross-Brand Intelligence

One interesting thing differentiates phishing emails from standard spam: while normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal money from Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually "130.13.122.25 / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website "ernursusleme.com / Connections / irsonlinedeposit /" which then forwarded the visitors to "bursafotograf.com / profiles / interac / RP.do.htm" which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on 130.13.122.25.

We found two sets of spam messages that advertised URLs on that host in our spam collection. One batch from January 8, 2014 and the other batch from January 28th and January 29th, 2014.

The January 28th and January 29th emails claimed to be from "From: USAA (USAA.Web.Services@customer.usaa.com)" with an email subject of "New Insurance Document Online".

Two of the emails were sent from 122.3.92.116 (Philippines) and one email was sent from 70.166.118.54 (Cox). What other emails were sent from those IP addresses?

Here are the emails from 122.3.92.116

Date | Subject | From Name | From Email
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 14, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 16, 2013 | Confirmation - personal information update | USAA | USAA.Web.Services@ customermail.usaa.com
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 23, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 30, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 5, 2014 | Notification of Limited Account Access | PayPal | PayPal@ abuse.epayments.com
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | TD Canada Trust | notify@ payments.interac.ca

And here are the emails from 70.166.118.54

Date | Subject | From Name | From Email
Jan 29, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@customermail.usaa.com
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 9, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com

The Power of Cross-Brand Intelligence

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!

WhatsApp Spam: a malware distribution scam

On February 19, 2014, Facebook announced the purchase of WhatsApp for $4 billion in cash and 183,865,778 shares of Facebook stock ($12 billion at current value), plus an additional $3 billion in shares to the founders that will vest over four years, for a total purchase price of $19 billion. Within 24 hours, spammers were using WhatsApp lures to attract traffic to counterfeit pharmaceutical websites! Journalists in the United States were scurrying to figure out what WhatsApp even is, let alone why it should be worth $19 billion.

Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research, headlined Messenger Wars: How Facebook lost its lead, which covered the top social messaging apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still led in the US and WeChat clearly dominates China, WhatsApp was the leading app in Brazil (72%), South Africa (68%), and Indonesia (43%).

But those of us who keep track of spam and email-based threats have been hearing about WhatsApp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.

According to Malcovery Security's Brendan Griffin, WhatsApp was being used as a malware lure since at least September 19, 2013. I asked Brendan to give me a list of days when a WhatsApp spam/malware campaign made Malcovery's "Today's Top Threats" list. This campaign has been solidly in the top ten on:

SEPTEMBER 19, 23, 24, 25, 26
OCTOBER 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
NOVEMBER 14
JANUARY 9, 13, 15, 20, 28

As Steve Ragan mentioned in his ComputerWorld article on November 8, 2013, WhatsApp was one of our Top Five Imitated Brands for the delivery of malware via spam for the quarter. (See ComputerWorld - Senior executives blamed for a majority of undisclosed security incidents.) Curiously, when I asked Brendan about the email I saw THIS WEEK imitating WhatsApp he said that was an example of spammers using the WhatsApp notoriety to drive traffic to counterfeit pharmaceutical websites!

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware

We've seen tremendous variety in both the malware being delivered and in the method of delivery over the course of so many spam runs. The first day we made note of the WhatsApp malware, September 19, 2013, we observed 52 different websites being advertised in the emails. Each of these websites had a file called "info.php" that was being called with a very long unique "message" parameter, such as:

/info.php?message=47lvQ31P1Nip+SkTsbYeAVNH+2aJDFeJ9djfprCHGa4=
(a couple digits have been tweaked for privacy)

Websites used for malware delivery, September 19, 2013

aki-kowalstwo.pl | koshergiftsuk.com | samedaystationery.co.uk
amicidelcuore.info | lichtenauer-fv.de | schweitzers.com
arsenalyar.ru | locweld.com | sentabilisim.com
art52.ru | mbuhgalter.ru | sewretro.com
bhaktapurtravel.com.np | mdou321.ru | spentec.ca
bluereefwatersports.com | mikemetcalfe.ca | structuredsettlementsannuities.com
cateringjaipur.com | mirvshkatulke.ru | thaiecom.net
clockcards.ie | mrsergio.com | tiarahlds.com
dj220w.ru | muzikosfabrikas.lt | tk-galaktika.ru
djvakcina.com | mywebby.ru | towi69.de
easywebmexico.com | orbitmotion.com | trivenidigital.com
etarlo.ru | orderschering.com | veerbootkobus.nl
everyday24h.de | paternocalabro.it | venetamalaysia.com
globalpeat.com | paulhughestransport.com | verfassungsschutz-bw.de
gourmetschlitten.com | pax-sancta.de | vitapool.ru
idollighting.com | pennerimperium.de | zdrowieonly.ovh.org
juhatanninen.com | planeta-avtomat.ru
kasutin.ru | rkbtservice.ru

Visiting the link on any of those websites resulted in code on the server resolving your IP address and creating a custom malware file name based on your geographic location. For example, when we visited from Birmingham, Alabama IP addresses, we received a file called "VoiceMail_Birmingham_(205)4581400.zip". 205 is the area code for Birmingham, Alabama, so both the city name and the telephone number were intended to make it more believable that this was a "real" voicemail message that we should open and listen to!

At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)
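The two artifacts described above (a lure URL of the form /info.php?message=<long base64>, later seen as /app.php, and a geo-labelled "VoiceMail_<City>_(<area code>)<number>.zip" payload name) are easy to hunt for in proxy or mail-gateway logs. The following is an added example written for this page, not code from Malcovery or from the original post; the log records are constructed and the hosts (compromised-a.example and so on) are hypothetical. The base64 "message" value on the first record is the one quoted above.

```python
import re
from urllib.parse import urlsplit

# Lure URL shape from the post: /info.php?message=<long base64>, later /app.php
LURE_SCRIPTS = {"info.php", "app.php"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
# Payload names from the post: VoiceMail_<City>_(<area code>)<7 digits>.zip
GEO_VOICEMAIL_RE = re.compile(
    r"^VoiceMail_(?P<city>[A-Za-z][A-Za-z.' -]*)_\((?P<area_code>\d{3})\)(?P<number>\d{7})\.zip$"
)


def lure_message_param(url):
    """Return the base64 'message' value when url matches the ASProx lure shape, else None."""
    parts = urlsplit(url)
    if parts.path.rsplit("/", 1)[-1].lower() not in LURE_SCRIPTS:
        return None
    # Split the query by hand: urllib's parse_qs() would turn '+' into a space and corrupt base64.
    params = dict(p.partition("=")[::2] for p in parts.query.split("&") if p)
    value = params.get("message", "")
    return value if B64_RE.match(value) else None


def parse_geo_voicemail_name(filename):
    """Pull city, area code and number out of a geo-labelled VoiceMail zip name, or None."""
    m = GEO_VOICEMAIL_RE.match(filename)
    return m.groupdict() if m else None


# Constructed proxy records (hypothetical hosts; not taken from the post):
# (client IP, requested URL, filename from the Content-Disposition header)
SAMPLE_RECORDS = [
    ("10.1.2.3",
     "http://compromised-a.example/info.php?message=47lvQ31P1Nip+SkTsbYeAVNH+2aJDFeJ9djfprCHGa4=",
     "VoiceMail_Birmingham_(205)4581400.zip"),
    ("10.1.2.4",
     "http://compromised-b.example/app.php?message=Qm9ndXNCYXNlNjRQYXlsb2FkRm9yVGVzdGluZ09ubHk=",
     "VoiceMail_Atlanta_(404)5551234.zip"),
    ("10.1.2.5", "http://intranet.example/info.php?page=2", "report.pdf"),
    ("10.1.2.6", "http://cdn.example/app.php?message=hello", "app.js"),
]


def scan(records):
    """Flag records whose URL or downloaded filename matches the lure pattern."""
    hits = []
    for client, url, filename in records:
        message = lure_message_param(url)
        geo = parse_geo_voicemail_name(filename)
        if message or geo:
            hits.append({"client": client, "url": url, "message": message, "geo": geo})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["client"], hit["geo"] or "-", hit["url"])
```

The script name alone is a weak signal (plenty of legitimate sites have an info.php), so the check insists on a long base64 "message" parameter; the geo-labelled filename is the stronger indicator and is matched independently so that either one flags the record.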

This malware delivery mechanism, with the geographically labeled secondary malware, is a signature of the ASProx => Kuluoz malware. Kuluoz, which is also known as DoFoil, is delivered as the second phase of a malware delivery scheme that begins with computers that are part of the ASProx botnet sending spam. This is the same campaign that delivered Walmart/BestBuy/CostCo delivery messages around the Christmas holiday, and that delivered Courthouse, Eviction, and Energy bill spam. In the more recent VirusTotal report, AntiVir, DrWeb, and Microsoft label this sample as Kuluoz, while Agnitum, CAT-QuickHeal, Kaspersky, NANO-Antivirus, VBA32, and VIPRE call it DoFoil. Zortob is another popular label seen for this malware, Symantec calls it "FakeAVLock", and Ikarus and Sophos call it Weelsof. Weelsof is a ransomware family, and this label, as well as the FakeAV label, is likely due to tertiary malware. When secondary malware "drops" (a term that just means that ADDITIONAL malware is downloaded from the Internet after the initial infection), it is common for AntiVirus vendors to apply the label for the "ultimate intention" to all of the malware samples seen in that particular infection chain.

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz's role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis which was submitted as Mr. Bar's Dissertation for his Masters of Science in Computer Science.

At the time of Shaked Bar's paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar's paper is well worth reading as he explains how C&C traffic is XOR'ed with the byte 0x2B to test the ability of the bot to send spam as well as other potential uses. Mr. Bar documents more fully the possible tertiary malware including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.
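A single-byte XOR such as the 0x2B that Bar reports is trivial to undo once the key is known, and almost as easy to recover when it is not, because every candidate key can be tried in turn and scored on how text-like the result is. The following is an added example written for this page, not code from Bar's paper or from a Kuluoz sample: the beacon text is constructed and the cnc.example host is hypothetical, so only the key value comes from the page. The key recovery goes beyond what the paragraph states, since it also handles the case where the key has changed.

```python
KULUOZ_XOR_KEY = 0x2B  # single-byte key reported for Kuluoz C&C traffic in Bar's paper


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> int:
    """Heuristic used to rank candidate keys: reward printable ASCII, with a bonus for
    space and the most frequent English letters, and punish control bytes and anything
    above 0x7E. A wrong key turns digits, spaces or line breaks into control bytes."""
    score = 0
    for b in data:
        if b in b" etaoinshrdlu":
            score += 3
        elif 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 1
        else:
            score -= 8
    return score


def recover_single_byte_xor_key(ciphertext: bytes) -> int:
    """Try all 256 keys and return the one whose output looks most like text."""
    return max(range(256), key=lambda k: text_score(xor_bytes(ciphertext, k)))


def decode_cnc(ciphertext: bytes, key: int = KULUOZ_XOR_KEY) -> bytes:
    """Decode a captured C&C message with the known (or recovered) key."""
    return xor_bytes(ciphertext, key)


# Constructed stand-in for a beacon (not a real Kuluoz message; host is hypothetical)
SAMPLE_PLAINTEXT = b"id=7f3a9c01&ver=1.3&os=5.1&task=get http://cnc.example/index.php\r\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, KULUOZ_XOR_KEY)

if __name__ == "__main__":
    key = recover_single_byte_xor_key(SAMPLE_CIPHERTEXT)
    print(f"recovered key 0x{key:02X}: {decode_cnc(SAMPLE_CIPHERTEXT, key)!r}")
```

The scorer is deliberately crude; for binary or base64-heavy traffic a known-plaintext check (a field name you expect at a fixed offset) is more reliable than frequency scoring, but the brute-force loop stays the same.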

Malcovery Security analysts also called attention in our September 19, 2013 report to the fact that the WhatsApp spam, when visited from an Android device, detected the OS and dropped a file called "WhatsApp.apk". .apk files are Android "application package files", the format used to distribute and install Android apps. Examination of the .APK file confirmed that this was fake antivirus for your Android phone, containing descriptions of each supposedly detected malware in both English and Russian, as exhibited by this snip from the .APK file:

The URLs used to drop the infection shifted constantly. For example, these are the URLs from September 24th, each using "app.php" instead of "info.php":

abslmm.info | easychurchsoftware.com | psmagic.co.uk
animestyles.com | effectivewithpeople.com | reggiegallery.com
arcesubastas.com | europainthewilderness.com | scholarsbangladesh.com
azagom16.com | gigp01.com | tcfurniture.com
bluereefwatersports.com | killmanheatingandair.com | trivenidigital.com
bodfish.net | laduenails.com | wfbsusa.com
bptca.com | lisapetrilli.com | wpsverige.com
chester94.com | lunchesruslawncare.com | www.jigsawpuzzlesnow.com
claytonhistorysociety.org | lyallfamily.com | www.mindful-way.com
clearthoughtfarm.com | mypowerlines.com | www.minimesa.net
columbialivingmag.com | notedls.com | www.opalubka-spb.ru
crumptonplats.com | online-kent.co.uk | www.scholarsbangladesh.com
cvhi.ca | orbitmotion.com

And these were the sites for September 25th:

162.144.3.50 | gonzomarketing.us | tejedoresdearte.com
aandekleiput.be | indianhotpeppers.com | theconservativeactivist.com
abslmm.info | interbanc-me.com | uhlit.com
academicgames.org | intercom-group.net | urokshof.be
acomputertech.com | jsmengineering.co.nz | uwes-futterkiste.de
allworldhearing.com | kepsballs.com | velomotoban.ru
angelomasotti.it | maxmuscleraleigh.com | visibus.ru
animestyles.com | miketrig.com | whatshisface.org
arcesubastas.com | miwera.de | www.besttechmfg.com
asca-info.com | mosobladvokatura.ru | www.bonnevilledrivingschool.com
barkersofwindsor.co.uk | neonett.net | www.citadelyachts.com
belliottjr.com | night55.com | www.coaching-pattaya.com
bmitraining.co.id | notedls.com | www.dasluae.com
brothermartin.com | oysterbaytaxi.com | www.dmdservice.com
buntingarchitecturalmetals.com | peakkickboxing.com | www.doanevent.com
caseybarnett.com | personalcarephysio.ca | www.gestiondutemps.be
cityofmossyrock.com | peterscreekauto.net | www.horseamour.com
cvhi.ca | photo2canvasdirect.com | www.kyhydropower.com
dasluae.com | pts.kovrov.ru | www.mhbchurch.qwestoffice.net
debsownbusiness.com | revoltadvertising.ca | www.mtnhwybaptistchurch.com
demaravillamassage.com | rsme.co.uk | www.musango.ca
dnsprattcanada.com | scholarsbangladesh.com | www.rhinocerose.fr
earnquick.co | shahmaulik.com | www.wholepersonsoftware.com
ecuavantransportation.com | solardynamicsinc.com | www.zhelezno.ru
finlandiasf.org | sumedacellular.com | zhinengqigongworldwide.org

WhatsApp Spam Used by Cutwail Botnet to deliver Upatre => Zeus Malware

More recently, the WhatsApp malware has been used by an entirely different spam sending malware team. This group, which favors the Cutwail spam botnet, uses spam messages to deliver a malware family known as UPATRE. UPATRE is a tiny malware file that is repacked constantly to ensure deliverability and that has little malicious behavior itself. The only function of UPATRE is to drop additional malware. In this case, the malware is attached as a .zip file that, when executed by the recipient in order to "play their missed message" will cause Zeus to be downloaded as the secondary malware.

Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus to allow safe passage through any blocking and detecting methods. This model of downloading an undetectable version that is then decoded into a fully functional Zeus malware by the Upatre module was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security. In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

zubayen . com / up / wav.enc
or from inspireplus . org . uk / images / banners / wav.enc
(spaces added for your safety)

WhatsApp Spam Delivering Canadian Health & Care Mall links?

As WhatsApp reaches the pinnacle of awareness among American spam recipients, it is only natural that the pharmaceutical spammers would get in on the game. On February 20, 2014, the spammers sent out "Missed Voice Message" spam containing a huge number of random URLs on compromised webservers. The spammer has usually harvested the FTP credentials for these servers in earlier malware runs; each server now hosts a newly created .php or .pl file that contains an encoded redirector to a pharmaceutical website.

On February 20th, the advertised URLs all redirected to one of more than fifty compromised webservers, each of which then redirected to a Canada Health & Care Mall website. The advertised URLs use a simple JavaScript obfuscation to hide the true destination, such as this page:

gjhqv1="\x30";qnnt2="\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x64\x69\x65\x74\x70\x68\x61\x72\x6D\x61\x63\x79\x2E\x63\x6F\x6D";setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x71\x6E\x6E\x74\x32\x3B",gjhqv1);

When interpreted as JavaScript, the first statement sets gjhqv1 to the string "0", and the second sets qnnt2 to a hex-escaped string that decodes to "http://thedietpharmacy.com". The setTimeout call then evaluates another hex-escaped string, which decodes to "window.top.location.href=qnnt2;", after gjhqv1 (that is, 0) milliseconds. In other words: send the top-level window to thedietpharmacy.com immediately. The hex escapes exist only so that neither the destination nor the word "location" appears in the page in the clear.
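Redirectors of this shape can be resolved without ever executing the JavaScript, which matters when you are triaging hundreds of URLs from compromised hosts. The following is an added Python example written for this page (not code from the original post or from Malcovery): it decodes the \xNN escapes, collects the string assignments, locates the setTimeout call and reads off the URL and delay. The sample input is the redirector quoted above; the regexes assume that exact shape (quoted string assignments, a setTimeout whose first argument is a string) and return None for anything else.

```python
import re

# The obfuscated redirector quoted above, reproduced here as the sample input.
SAMPLE_REDIRECTOR = (
    r'gjhqv1="\x30";'
    r'qnnt2="\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x64\x69\x65\x74\x70\x68\x61\x72\x6D\x61\x63\x79\x2E\x63\x6F\x6D";'
    r'setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x71\x6E\x6E\x74\x32\x3B",gjhqv1);'
)

HEX_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# name = "string";   (the string may contain \x escapes)
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# setTimeout("code", delay)   where delay is a numeric literal or a variable name
SETTIMEOUT_RE = re.compile(r'setTimeout\s*\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(\w+)\s*\)')
# window.top.location.href = <variable or "literal">
HREF_RE = re.compile(r'(?:window\.)?(?:top\.)?location(?:\.href)?\s*=\s*(\w+|"[^"]*")')


def unescape_hex(s):
    """Turn JavaScript \\xNN escapes back into characters."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate_redirector(script):
    """Resolve the redirect target and delay statically, without running the JavaScript.
    Returns (url, delay_ms); either is None when the expected shape is not found."""
    variables = {name: unescape_hex(value) for name, value in ASSIGN_RE.findall(script)}
    call = SETTIMEOUT_RE.search(script)
    if not call:
        return None, None
    code = unescape_hex(call.group(1))  # the string setTimeout will eval()
    delay_text = variables.get(call.group(2), call.group(2))
    delay = int(delay_text) if delay_text.isdigit() else None
    href = HREF_RE.search(code)
    if not href:
        return None, delay
    target = href.group(1)
    url = target.strip('"') if target.startswith('"') else variables.get(target)
    return url, delay


if __name__ == "__main__":
    print(deobfuscate_redirector(SAMPLE_REDIRECTOR))
```

Because the decoder never evaluates the script, it is safe to run over a crawl of every advertised URL, and the resulting destination list is exactly the kind of cross-campaign pivot described in the next paragraph.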

Reviewing 50 URLs of this type, with names such as "reactivates.php", "bombarding.pl" or "gaelicizes.php", there were only four redirection targets:

canadavasomax.com
lossdietpharmacy.com
thedietpharmacy.com
wellnessasaletraining.com

each of which looked like this:

2013 FTC Consumer Sentinel Report - Identity Theft By U.S. City

Each year the Federal Trade Commission publishes a detailed report on the Fraud and Identity Theft complaints it received during the previous year, not just at the FTC, but throughout its Consumer Sentinel Network.

Some of the leading members of that network include the Better Business Bureau and the FBI's Internet Crime Complaint Center (IC3.gov).

You can review the entire 2013 Consumer Sentinel Network Data Book on your own if you want to look up more about your state.

Just like last year, fraud that began by telephone/telemarketing was the top category, but 33% of all Fraud complaints started with an email!

Complaints by category were:

14% - Identity Theft
10% - Debt Collection Fraud
7% - Banks and Lenders
6% - Imposter Scams
6% - Telephone and Mobile Service Scams
4% - Prizes, Sweepstakes and Lottery Scams
4% - Auto-related Fraud
3% - Shop-at-home and Catalog Sales fraud
3% - Television and Electronic Media fraud
2% - Advanced Payment for Credit Services fraud

In the Fraud categories, over 1 million complaints were filed including $1.6 billion in fraud, where the median reported amount paid was $400. (Only 61% of those alleging fraud stated a loss amount.)

Within the category of Identity Theft, the top categories were:

34% - government documents/benefits fraud
17% - Credit Card Fraud
14% - Phone/Utilities Fraud
8% - Bank Fraud
6% - Employment-related Fraud
4% - Loan Fraud

In 2012, there were 369,145 Identity Theft Complaints registered by Consumer Sentinel.
In 2013, there were 290,056 Identity Theft Complaints.

That's a 21.4% reduction in Identity Theft Complaints! Does this indicate that Identity Theft improved from 2012 to 2013? Or does it indicate that Identity Theft has become so commonplace that people don't get irate and call the Better Business Bureau or the FTC when it occurs?

Wire Transfer Tops the Fraud Losses List

American consumers are just DESPERATE to throw their money away in Wire Transfers. Even though every wire transfer place I've visited in the last two years has big warning signs about the various forms of fraud involving sending your money away in a wire transfer, it continues to be the top way in which fraudsters separate their victims from their money.

Year | Complaints | Money Wired Out
2011 | 115,901 | $438,343,577
2012 | 109,138 | $456,541,454
2013 | 104,984 | $507,713,984
Western Union and MoneyGram both have warning pages to help protect consumers! Follow their advice so you don't lose the average $4,836 that more than 100,000 victims complained about losing last year!

Western Union has Eight Tips at their Knowledge Center:

  1. Never send money to people you haven't met in-person
  2. Never send money to pay for taxes or fees on lottery or prize winnings
  3. Never use a test question as an additional security measure to protect your transaction
  4. Never provide your banking information to people you don't know
  5. Never send money in advance to obtain a loan or credit card
  6. Never send money for an emergency situation without verifying that it's a real emergency. (Gee - like a London Traveler Scam?)
  7. Never send funds from a check in your account until it officially clears - which can take weeks
  8. Never send a money transfer for an online purchase

MoneyGram has a great page called The 11 Most Common Wire Transfer Frauds that include:

  1. The Vehicle Purchase Scam
  2. The Fake Loan Scam
  3. The Lottery or Sweepstakes Scam
  4. The Internet Romance Scam
  5. The Mystery Shopper Scam
  6. The Charity Scam
  7. The Relative in Need Scam
  8. The Internet Purchase Scam
  9. The Newspaper Ads Scam
  10. The Check or Money Order Scam
  11. The Elder Abuse Scam
They even have a nice Dodge the Scams Game to help you get it down pat!

Green Dot MoneyPak

In the most significant change in fraud payment behavior, this year 28% of fraud losses occurred via prepaid cards, which were almost exclusively Green Dot MoneyPak cards. Two years ago this category of fraud losses didn't even exist! From 2012 to 2013 the number of victims went up fivefold and the amount of money lost went up sixfold!!

Year | Complaints | Prepaid Card Fraud Losses
2011 | 10 | $9,054
2012 | 16,914 | $6,946,619
2013 | 84,671 | $42,858,396

(image from DotFab.com)

How much of this fraud was due to the CryptoLocker and PoliceLock Ransomware? We can't be sure, but this is a PROFOUND shift in fraud loss behavior and a great deal of it is certain to be based on those two malware campaigns. We blogged about CryptoLocker using Greendot late in the year in our story Tracking CryptoLocker with Malcovery and IID, but the FBI's Donna Gregory reported on the malware as far back as this August 2012 FBI Ransomware Story where she said "We’re getting inundated with complaints!" referring to the complaints coming in to the FBI's IC3.gov complaint form, which is one source of Consumer Sentinel Data.

2013 - Top Cities for Identity Theft

Last year, 16 of the top 25 Identity Theft metropolitan areas were in Florida. This year it has fallen to 13.

13 of top 25 in Florida (16 in 2012)
4 of top 25 in California (0 in 2012)
3 of top 25 in Georgia (6 in 2012)
1 each in Alabama, Arkansas, Michigan, Tennessee, and West Virginia

Rank | Metro/Micropolitan Area | Per 100,000
1 | Miami-Fort Lauderdale-West Palm Beach, FL | 340.4
2 | Columbus, GA-AL | 214.7
3 | Naples-Immokalee-Marco Island, FL | 214
4 | Jonesboro, AR | 190.9
5 | Tallahassee, FL | 179.4
6 | Cape Coral-Fort Myers, FL | 174.9
7 | Atlanta-Sandy Springs-Roswell, GA | 170.7
8 | Port St. Lucie, FL | 163.9
9 | Beckley, WV | 160.9
10 | Tampa-St. Petersburg-Clearwater, FL | 155.5
11 | Orlando-Kissimmee-Sanford, FL | 149.6
12 | Detroit-Warren-Dearborn, MI | 142.9
13 | Lakeland-Winter Haven, FL | 140.2
14 | Stockton-Lodi, CA | 133.1
15 | Montgomery, AL | 132.2
16 | Vallejo-Fairfield, CA | 128.2
17 | Jacksonville, FL | 125.7
18 | Memphis, TN-MS-AR | 125.5
19 | Valdosta, GA | 125.4
20 | Ocala, FL | 125
21 | Gainesville, FL | 122.6
22 | Sebastian-Vero Beach, FL | 122.4
23 | Los Angeles-Long Beach-Anaheim, CA | 119.1
24 | Deltona-Daytona Beach-Ormond Beach, FL | 118.9
25 | Fresno, CA | 118.2
26 | Albany, GA | 117.6
27 | San Francisco-Oakland-Hayward, CA | 116.8
28 | North Port-Sarasota-Bradenton, FL | 116.6
29 | Bakersfield, CA | 116.5
30 | Macon, GA | 116.2
31 | Riverside-San Bernardino-Ontario, CA | 115.2
32 | Savannah, GA | 115.1
33 | Punta Gorda, FL | 115
34 | Dallas-Fort Worth-Arlington, TX | 114.8
35 | Crestview-Fort Walton Beach-Destin, FL | 112.4
36 | Palm Bay-Melbourne-Titusville, FL | 111.3
37 | Flint, MI | 109.7
38 | Lynchburg, VA | 108.1
39 | Jackson, MS | 107.4
40 | Washington-Arlington-Alexandria, DC-VA-MD-WV | 106.3
41 | Homosassa Springs, FL | 105.5
42 | Niles-Benton Harbor, MI | 105.2
43 | Houston-The Woodlands-Sugar Land, TX | 104.7
44 | Fayetteville, NC | 102.9
45 | Sacramento--Roseville--Arden-Arcade, CA | 101.3
46 | Modesto, CA | 101.1
47 | Phoenix-Mesa-Scottsdale, AZ | 101.1
48 | Las Vegas-Henderson-Paradise, NV | 100.8
49 | Chicago-Naperville-Elgin, IL-IN-WI | 100.4
50 | Killeen-Temple, TX | 99.4
51 | Auburn-Opelika, AL | 98.4
52 | New York-Newark-Jersey City, NY-NJ-PA | 97.7
53 | San Jose-Sunnyvale-Santa Clara, CA | 96.4
54 | Reno, NV | 96.1
55 | Philadelphia-Camden-Wilmington, PA-NJ-DE-MD | 95.5
56 | Chico, CA | 95.5
57 | Napa, CA | 94.5
58 | Pueblo, CO | 94.3
59 | Baltimore-Columbia-Towson, MD | 93.4
60 | San Diego-Carlsbad, CA | 93.4
61 | Milwaukee-Waukesha-West Allis, WI | 92.8
62 | Madera, CA | 92.8
63 | Rocky Mount, NC | 92.5
64 | Laredo, TX | 92.3
65 | Beaumont-Port Arthur, TX | 92
66 | Denver-Aurora-Lakewood, CO | 92
67 | Cleveland-Elyria, OH | 91.7
68 | Santa Cruz-Watsonville, CA | 89.6
69 | Brownsville-Harlingen, TX | 89.4
70 | Goldsboro, NC | 88.9
71 | Mobile, AL | 88.6
72 | Merced, CA | 88.4
73 | Santa Maria-Santa Barbara, CA | 88.2
74 | Ann Arbor, MI | 88.2
75 | Tucson, AZ | 87.9
76 | Augusta-Richmond County, GA-SC | 87.8
77 | Atlantic City-Hammonton, NJ | 87.4
78 | Redding, CA | 86.9
79 | Greenville-Anderson-Mauldin, SC | 86.6
80 | Athens-Clarke County, GA | 86.2
81 | McAllen-Edinburg-Mission, TX | 85.6
82 | Corpus Christi, TX | 85.5
83 | Baton Rouge, LA | 85.4
84 | Sierra Vista-Douglas, AZ | 85.3
85 | Austin-Round Rock, TX | 85.2
86 | Florence, SC | 85.1
87 | Albuquerque, NM | 85
88 | Boulder, CO | 84.9
89 | Pensacola-Ferry Pass-Brent, FL | 84.9
90 | Colorado Springs, CO | 84
91 | California-Lexington Park, MD | 83.7
92 | Dalton, GA | 83.7
93 | Hattiesburg, MS | 83.3
94 | San Antonio-New Braunfels, TX | 83.2
95 | Warner Robins, GA | 83
96 | Oxnard-Thousand Oaks-Ventura, CA | 82.8
97 | Trenton, NJ | 82.7
98 | Houma-Thibodaux, LA | 82.6
99 | Dover, DE | 82.6
100 | St. Louis, MO-IL | 82.1

Alabama Identity Theft: 2012 compared to 2013

Forgive me, dear reader, for focusing on my own state just this once . . .

In 2012, Alabama's top cities for Identity Theft, and their Per Capita complaints received, were:

#15 - Columbus, GA/AL (205.9 per 100,000)
#16 - Montgomery, AL (203.7 per 100,000)
#42 - Auburn-Opelika, AL (124.1 per 100,000)
#62 - Birmingham-Hoover, AL (111 per 100,000)
#91 - Enterprise-Ozark, AL (97.8 per 100,000)
#97 - Huntsville, AL (95.5 per 100,000)
#100 - Mobile, AL (93.5 per 100,000)
#118 - Anniston-Oxford, AL (90.2 per 100,000)
#125 - Tuscaloosa, AL (88.4 per 100,000)
#132 - Dothan, AL (87.2 per 100,000)
#145 - Gadsden, AL (84.3 per 100,000)
#195 - Decatur, AL (72.8 per 100,000)
#198 - Daphne-Fairhope-Foley, AL (72.4 per 100,000)
#303 - Florence-Muscle Shoals, AL (56.4 per 100,000)

How does that compare to 2013's numbers?

The Columbus, Georgia/Alabama Metro area rose 13 places in the national rank to be the second worst city in America for Identity Theft.
Montgomery, Alabama had a very slight rise in rank (from #16 to #15). Although its number of complaints per capita fell, it is still one of the worst cities in America for Identity Theft.
Mobile, Alabama rose in rank by 29 places, moving from #100 to #71.

All other cities in Alabama FELL in their national rank for Identity Theft -- but one must ask, as above, is that because crime is declining? or is apathy increasing? Have we become so desensitized to Identity Theft that we no longer feel the need to complain?

#2 +13 - Columbus, GA-AL (214.7 per 100,000) = +8.8 per 100,000
#15 +1 - Montgomery, AL (132.2) = -71.5 per 100,000
#51 -9 - Auburn-Opelika, AL (98.4) = -25.7 per 100,000
#71 +29 - Mobile, AL (88.6) = -4.9 per 100,000
#117 -55 - Birmingham-Hoover, AL (77.7) = -33.3 per 100,000
#131 +1 - Dothan, AL (74.8) = -12.4 per 100,000
#152 -55 - Huntsville, AL (68.5) = -27 per 100,000
#167 -42! - Tuscaloosa, AL (65.2) = -23.2 per 100,000
#226 -81! - Gadsden, AL (57.5)
#234 -116! - Anniston-Oxford-Jacksonville, AL(56.5)
#268 -70! - Daphne-Fairhope-Foley, AL (52.1)
#316 -121! - Decatur, AL (44.2)
#357 -54! - Florence-Muscle Shoals, AL (36.7)

Do YOU Know How to File an Identity Theft, Fraud, or Phishing Complaint?

If someone scammed you out of your money or stole your identity, that is a CRIME! What should you do? CALL THE POLICE!

But there are some other guidelines as well.

The Federal Trade Commission has two web pages that help you understand what to do if you have been the victim of identity theft:

FTC: What to do if you have been a victim of Identity Theft
FTC: How to file an Identity Theft Complaint with the FTC

FTC: March 2-8 is National Consumer Protection Week - tips and videos you can share with your friends are on this site!

You STILL want to call your local Police to let them know about the crimes against you. If someone stole YOUR identity or scammed you, they are likely targeting others as well! Besides your local law enforcement, it would be helpful if you could take the time to share what happened to you with the FBI Internet Crime Complaint Center (ic3.gov). This unique center in West Virginia gathers hundreds of thousands of cybercrime complaints per year into a database that can be accessed by law enforcement across the country. Perhaps you will only be another drop in the bucket, but you MAY provide the missing link that ties many smaller losses together into a major investigation!

For PHISHING EMAILS, be sure to report that phish to Malcovery's PhishIQ system! By sending us the address of that suspicious or fake bank website, our automated systems will preserve forensic evidence about the phishing website and work on linking it to other websites that may have been created by the same criminal!

Appendix: The rest of the list (Top Identity Theft Cities by Rank)

101 | New Orleans-Metairie, LA | 82
102 | Charlotte-Concord-Gastonia, NC-SC | 81.7
103 | Prescott, AZ | 81.5
104 | Santa Fe, NM | 81.2
105 | Tyler, TX | 80.6
106 | Virginia Beach-Norfolk-Newport News, VA-NC | 80.4
107 | Monroe, MI | 80.3
108 | Little Rock-North Little Rock-Conway, AR | 80.2
109 | Gainesville, GA | 80.1
110 | Hammond, LA | 80.1
111 | Bridgeport-Stamford-Norwalk, CT | 80.1
112 | Lake Havasu City-Kingman, AZ | 78.9
113 | Seattle-Tacoma-Bellevue, WA | 78.4
114 | Oklahoma City, OK | 77.9
115 | Columbia, SC | 77.8
116 | Vineland-Bridgeton, NJ | 77.8
117 | Birmingham-Hoover, AL | 77.7
118 | El Paso, TX | 77.4
119 | Muskegon, MI | 77.2
120 | New Haven-Milford, CT | 77.2
121 | Midland, TX | 76.9
122 | Burlington, NC | 76.8
123 | Spokane-Spokane Valley, WA | 76.7
124 | Odessa, TX | 76.6
125 | Hilton Head Island-Bluffton-Beaufort, SC | 75.9
126 | Indianapolis-Carmel-Anderson, IN | 75.3
127 | Yakima, WA | 75.2
128 | Concord, NH | 75.1
129 | San Luis Obispo-Paso Robles-Arroyo Grande, CA | 74.9
130 | Reading, PA | 74.9
131 | Dothan, AL | 74.8
132 | Brunswick, GA | 74.8
133 | Lumberton, NC | 74.5
134 | Allentown-Bethlehem-Easton, PA-NJ | 74.3
135 | Wichita, KS | 74.2
136 | Charleston-North Charleston, SC | 73.7
137 | Richmond, VA | 73.1
138 | Akron, OH | 72.4
139 | Kansas City, MO-KS | 71.9
140 | Racine, WI | 71.6
141 | Rockford, IL | 71.5
142 | Scranton--Wilkes-Barre--Hazleton, PA | 71.5
143 | Santa Rosa, CA | 70.9
144 | Topeka, KS | 70.6
145 | Dayton, OH | 70.4
146 | Spartanburg, SC | 69.9
147 | Salinas, CA | 69.9
148 | Shreveport-Bossier City, LA | 69.8
149 | Show Low, AZ | 69.8
150 | Yuba City, CA | 69.5
151 | Panama City, FL | 68.8
152 | Huntsville, AL | 68.5
153 | Fort Collins, CO | 68.4
154 | Raleigh, NC | 68.4
155 | Portland-Vancouver-Hillsboro, OR-WA | 68.1
156 | Durham-Chapel Hill, NC | 67.8
157 | Charleston, WV | 67.4
158 | Greeley, CO | 66.8
159 | Medford, OR | 66.4
160 | Yuma, AZ | 66.4
161 | Gulfport-Biloxi-Pascagoula, MS | 66.4
162 | Wilmington, NC | 66.3
163 | Springfield, MA | 65.8
164 | Columbus, OH | 65.7
165 | New Bern, NC | 65.5
166 | Boston-Cambridge-Newton, MA-NH | 65.4
167 | Tuscaloosa, AL | 65.2
168 | Flagstaff, AZ | 64.7
169 | Lawton, OK | 64.5
170 | Saginaw, MI | 64.4
171 | Hartford-West Hartford-East Hartford, CT | 64.4
172 | Minneapolis-St. Paul-Bloomington, MN-WI | 64.2
173 | Wausau, WI | 64.1
174 | Duluth, MN-WI | 64
175 | Amarillo, TX | 63.9
176 | Olympia-Tumwater, WA | 63.8
177 | Youngstown-Warren-Boardman, OH-PA | 63.8
178 | Asheville, NC | 63.8
179 | Toledo, OH | 63.8
180 | Bremerton-Silverdale, WA | 63.7
181 | Kankakee, IL | 63.5
182 | Chattanooga, TN-GA | 63.4
183 | Madison, WI | 63.4
184 | Bend-Redmond, OR | 63.4
185 | Greensboro-High Point, NC | 63.1
186 | Greenville, NC | 63
187 | Rochester, NY | 62.7
188 | Myrtle Beach-Conway-North Myrtle Beach, SC-NC | 62.6
189 | Pittsfield, MA | 62.5
190 | Battle Creek, MI | 62.4
191 | Visalia-Porterville, CA | 62.4
192 | East Stroudsburg, PA | 62.4
193 | Kingsport-Bristol-Bristol, TN-VA | 62.3
194 | Winston-Salem, NC | 62.3
195 | Sherman-Denison, TX | 62
196 | Nashville-Davidson--Murfreesboro--Franklin, TN | 61.9
197 | El Centro, CA | 61.9
198 | Jacksonville, NC | 61.9
199 | Alexandria, LA | 61.7
200 | Fort Wayne, IN | 61.3
201 | Kalamazoo-Portage, MI | 61.2
202 | South Bend-Mishawaka, IN-MI | 61.1
203 | Tulsa, OK | 60.8
204 | Sumter, SC | 60.5
205 | Las Cruces, NM | 60.2
206 | Ashtabula, OH | 60.1
207 | York-Hanover, PA | 60
208 | Albany, OR | 60
209 | Champaign-Urbana, IL | 59.9
210 | Cincinnati, OH-KY-IN | 59.6
211 | Boise City, ID | 59.5
212 | Missoula, MT | 59.5
213 | Wooster, OH | 59.4
214 | Dunn, NC | 59.3
215 | Salisbury, MD-DE | 59.1
216 | Omaha-Council Bluffs, NE-IA | 59.1
217 | Eureka-Arcata-Fortuna, CA | 58.7
218 | Elizabethtown-Fort Knox, KY | 58.6
219 | Anchorage, AK | 58.3
220 | Elkhart-Goshen, IN | 58.2
221 | Jackson, MI | 58
222 | Hagerstown-Martinsburg, MD-WV | 58
223 | Pittsburgh, PA | 58
224 | Pine Bluff, AR | 57.9
225 | Providence-Warwick, RI-MA | 57.8
226 | Gadsden, AL | 57.5
227 | Lafayette, LA | 57.4
228 | Iowa City, IA | 57
229 | Barnstable Town, MA | 57
230 | Waco, TX | 57
231 | Springfield, MO | 56.8
232 | Springfield, IL | 56.6
233 | Worcester, MA-CT | 56.6
234 | Anniston-Oxford-Jacksonville, AL | 56.5
235 | Kingston, NY | 56.4
236 | College Station-Bryan, TX | 56.4
237 | Lubbock, TX | 56.4
238 | Hanford-Corcoran, CA | 56.2
239 | Cleveland, TN | 56.1
240 | Monroe, LA | 56.1
241 | Longview, TX | 56
242 | Salt Lake City, UT | 55.9
243 | Canton-Massillon, OH | 55.9
244 | Louisville/Jefferson County, KY-IN | 55.8
245 | Lexington-Fayette, KY | 55.5
246 | Lima, OH | 55.5
247 | Lansing-East Lansing, MI | 55.4
248 | Peoria, IL | 55.1
249 | Decatur, IL | 55.1
250 | Erie, PA | 54.9
251 | Clarksville, TN-KY | 54.9
252 | Grand Rapids-Wyoming, MI | 54.8
253 | Bloomington, IL | 54.8
254 | Weirton-Steubenville, WV-OH | 54.6
255 | Kennewick-Richland, WA | 54.5
256 | Roanoke, VA | 54.1
257 | Buffalo-Cheektowaga-Niagara Falls, NY | 54.1
258 | Des Moines-West Des Moines, IA | 54.1
259 | Lebanon, PA | 53.9
260 | Williamsport, PA | 53.4
261 | Harrisburg-Carlisle, PA | 53.3
262 | Bellingham, WA | 53.2
263 | Fort Smith, AR-OK | 53.1
264 | Norwich-New London, CT | 52.9
265 | Albany-Schenectady-Troy, NY | 52.8
266 | Morristown, TN | 52.7
267 | Winchester, VA-WV | 52.2
268 | Daphne-Fairhope-Foley, AL | 52.1
269 | Bay City, MI | 52
270 | Longview, WA | 51.8
271 | Salem, OR | 51.4
272 | Lawrence, KS | 51.4
273 | Meridian, MS | 51.2
274 | St. Joseph, MO-KS | 51
275 | Texarkana, TX-AR | 50.9
276 | Wichita Falls, TX | 50.9
277 | London, KY | 50.6
278 | Ogden-Clearfield, UT | 50.1
279 | Hickory-Lenoir-Morganton, NC | 50.1
280 | Billings, MT | 49.7
281 | Lincoln, NE | 49.6
282 | Manchester-Nashua, NH | 49.4
283 | Coeur d'Alene, ID | 49.1
284 | Charlottesville, VA | 48.9
285 | Mount Vernon-Anacortes, WA | 48.8
286 | Jefferson City, MO | 48.7
287 | Jackson, TN | 48.5
288 | Michigan City-La Porte, IN | 48.4
289 | Syracuse, NY | 48.3
290 | Chambersburg-Waynesboro, PA | 48.1
291 | Cookeville, TN (Micropolitan) | 48.1
292 | Lafayette-West Lafayette, IN | 48.1
293 | Janesville-Beloit, WI | 48
294 | Logan, UT-ID | 47.8
295 | Evansville, IN-KY | 47.8
296 | Bluefield, WV-VA | 47.5
297 | Knoxville, TN | 47.3
298 | Whitewater-Elkhorn, WI | 47
299 | Rochester, MN | 46.9
300 | Torrington, CT | 46.9
301 | Sheboygan, WI | 46.8
302 | Claremont-Lebanon, NH-VT | 46.7
303 | Davenport-Moline-Rock Island, IA-IL | 46.6
304 | Lake Charles, LA | 46.6
305 | Lancaster, PA | 46.6
306 | Pottsville, PA (Micropolitan) | 46.5
307 | Johnson City, TN | 46.3
308 | Danville, VA | 46
309 | Carbondale-Marion, IL | 45.8
310 | Tupelo, MS | 45.5
311 | Springfield, OH | 44.8
312 | Provo-Orem, UT | 44.8
313 | Roseburg, OR | 44.6
314 | Joplin, MO | 44.4
315 | Fayetteville-Springdale-Rogers, AR-MO | 44.3
316 | Decatur, AL | 44.2
317 | Abilene, TX | 44.2
318 | Huntington-Ashland, WV-KY-OH | 44.1
319 | Morgantown, WV | 43.9
320 | Sioux City, IA-NE-SD | 43.9
321 | Johnstown, PA | 43.8
322 | Cedar Rapids, IA | 43.8
323 | Eugene, OR | 43.8
324 | Grand Junction, CO | 43.6
325 | Salem, OH | 43.6
326 | Mansfield, OH | 43.4
327 | Blacksburg-Christiansburg-Radford, VA | 43.2
328 | Jamestown-Dunkirk-Fredonia, NY | 43
329 | Portland-South Portland, ME | 42.8
330 | Idaho Falls, ID | 42.8
331 | Kahului-Wailuku-Lahaina, HI | 42.6
332 | Cumberland, MD-WV | 42.6
333 | Fond du Lac, WI | 42.3
334 | Wheeling, WV-OH | 41.9
335 | Glens Falls, NY | 41.9
336 | Wenatchee, WA | 41.5
337 | Gettysburg, PA | 41.4
338 | Traverse City, MI | 41.2
339 | La Crosse-Onalaska, WI-MN | 41.1
340 | Sioux Falls, SD | 40.7
341 | Columbia, MO | 40.6
342 | Watertown-Fort Drum, NY | 40.4
343 | San Angelo, TX | 40.2
344 | Rapid City, SD | 40.1
345 | Owensboro, KY | 40.1
346 | St. George, UT | 39.1
347 | Binghamton, NY | 38.9
348 | Tullahoma-Manchester, TN | 38.9
349 | Bloomington, IN | 38.9
350 | Green Bay, WI | 38.9
351 | Terre Haute, IN | 38.9
352 | Urban Honolulu, HI | 38.8
353 | Utica-Rome, NY | 38.7
354 | Ithaca, NY | 38.4
355 | Muncie, IN | 38.2
356 | Burlington-South Burlington, VT | 37.9
357 | Florence-Muscle Shoals, AL | 36.7
358 | Eau Claire, WI | 36.6
359 | Ottawa-Peru, IL | 36.2
360 | Bowling Green, KY | 35.9
361 | Holland, MI | 35.9
362 | Appleton, WI | 35.9
363 | Hilo, HI | 35.7
364 | Lewiston-Auburn, ME | 34.4
365 | Oshkosh-Neenah, WI | 33.5
366 | Staunton-Waynesboro, VA | 32.9
367 | Waterloo-Cedar Falls, IA | 32.8
368 | Ogdensburg-Massena, NY | 32.2
369 | Fargo, ND-MN | 32.1
370 | St. Cloud, MN | 31.7
371 | Bangor, ME | 31.2
372 | Farmington, NM | 30.8
373 | Altoona, PA | 30.7
374 | Harrisonburg, VA | 29.5
375 | State College, PA | 29.2
376 | Augusta-Waterville, ME | 28.7
377 | Bismarck, ND | 27.9

American Express's new Phishing Criminal Brings Game!

Every time I start to think that I've seen everything with regards to phishing, the criminals shake things up and get me excited again. Today I have to say the American Express phishers are bringing their A Game to the table again. While there are several different groups of phishers attacking most financial institutions, the criminals behind this particular attack are at least showing some creativity. Let's take a look at the spam message first.

We had two primary spam subject lines for this campaign. On March 17, 2014 the Malcovery Spam Data Mine gathered:

468 copies = Subject: Important: Personal Security Key
290 copies = Irregular card activity

The messages were BEAUTIFUL! Here's one:

Isn't that gorgeous? Every single link in that email is actually just another copy of the phishing URL. No matter what you click on, the phishing process starts. And what a process it is! Just in the samples that we had at Malcovery Security, we saw 574 distinct URLs on 77 different web hosts! (The full list is available as amex.urls.txt.)

The AmEx Phishing Payload

Why am I writing about this three days later? BECAUSE THE PHISH IS STILL LIVE!

Just a few minutes ago, I revisited one URL per webhost and found that 40 of the 77 servers were still delivering payload.

What was the payload?

Here's a sample from one of those 40 sites:

A small box containing the words "Connecting to server..." appears, but in the background, the machine is trying to pull content from these scripts (defanged below):


(script) src equals http://theblazingfiddles.com/responsive/rhone.js
(script) src equals http://haus-an-der-treene.de/irrigated/bewaring.js
(script) src equals http://qualifyformedi-cal.com/mortician/amicably.js
(script) src equals http://ufofurniture.com.au/curries/searchlights.js

But actually between the 40 sites I was able to access this morning (March 20, 2014) there were a total of 38 redirectors!


Each of those actually does a "document location" to forward you to the actual phishing page, which was hosted on five different URLs:

hxxp: (slash) (slash) e4business.net (slash) americanexpress (slash)
hxxp: (slash) (slash) paitoanderson.com:8080 (slash) americanexpress (slash)
hxxp: (slash) (slash) advisorbuysell.com (slash) americanexpress (slash)
hxxp: (slash) (slash) advisor-connect.info (slash) americanexpress (slash)
hxxp: (slash) (slash) 173.246.103.84 (slash) americanexpress (slash)

The Phish Itself

Here's a walk-through of the five-page phish.

(Each of those three pages actually had this footer on the bottom! Good to see they included a link to the Fraud page at AmEx!)

When you were finished, you got a friendly thank you . . . letting you know your certificate was all set up . . .

and then got forwarded to the real AmEx page:

The Carder.su indictment: United States v. Kilobit et al.

Today the U.S. government unsealed its indictment against fifty-five members of the Carder.su carding forum. We wrote about Carder.su before on this blog, back in March 2009, when a rival gang was trying to call attention to Carder.su by sending out spam advertising the site. (See: Carders do battle through spam - carder.su.) No wonder they were jealous! Today's indictment shows the Carder.su guys performed over $50 Million in fraudulent charges!

Named in the indictment were 39 individuals, all charged with "General Allegations" called:

Count One (Participate in a Racketeer Influenced Corrupt Organization [RICO])
and
Count Two (Conspiracy to Engage in a Racketeer Influenced Corrupt Organization).

The whole group is described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of counterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere."

Here's the list:

NAME | AKA List | Counts Charged
Roman Zolotarev | Admin, Support | 1-2, 19
Konstantin Lopatin | Graf | 1-2, 33, 44, 47
Alexander Kostyukov * | Temp, KLBS | 1-2, 3-17
Maceo Boozer III | XXXSimone, G4, El Padrino, Mr. Right, MRDC87 | 1-2, 3-17
Tin-Yueng Wong | Ray Wong, Ray | 1-2, 3-17
Edward Montecalvo * | N1ghtmare, Tenure44 | 1-2, 3-17, 22-55
Yu Feng Wang | Ibatistuta | 1-2
Mohamed Amr Mahmoud | Amr Mahmoud, CC--Trader, Kengza | 1-2, 20, 22-55
Jermaine Smith | SirCharlie57, FairBusinessman | 1-2, 61-62
Makyl Haggerty | Wave | 1-2
Aladelola Teslim Ajayi | Bank Manager, Document Manager, Corey | 1-2, 61-62
Alexandru Ion | AbagnaleFrank | 1-2
Jordan Georgievski | Devica | 1-2
Roman Seleznev | Track2, Bulba, NCUX | 1-2, 22-55
Qasir Mukhtar | Caliber | 1-2, 56-60
Roy Ayad | Rabie Ayad, Patistota | 1-2, 22-55
Mina Morris | Source | 1-2, 22-55
Rachid Idaali | C4rd3r | 1-2, 22-55
Liridon Musliu | Bowl | 1-2, 22-55
Sergei Litvinenko | Dorbik, Matad0r | 2
Michael Lofton | Killit, Lofeazy | 1-2, 3-17
Shiyang Gou | CDER | 1-2, 3-17
David Ray Camez | Badman, DoctorSex | 1-2, 3-17
Cameron Harrison | Kilobit | 1-2, 3-17
Aleksandar Besarovic | Qiller | 1-2, 3-17
Duvaughn Butler | Mackmann | 1-2, 21, 61-62
Fredrick Thomas | 1Stunna | 1-2
John Doe 1 | Senna071 | 1-2, 3-17
John Doe 2 | Morfiy | 1-2, 3-17
John Doe 3 | Gruber | 1-2, 18
John Doe 4 | Maxxtro | 1-2
John Doe 5 | Elit3 | 1-2
John Doe 6 | Fozzy | 1-2, 22-55
John Doe 7 | Vitrum, Lermentov | 1-2, 22-55
Andrei Bolovan | Panther, Euphoric, Darkmth | 1-2, 22-55
John Doe 8 | TM | 1-2, 22-55
John Doe 9 | Zo0mer, Deputat | 1-2, 22-55
John Doe 10 | Centurion | 1-2, 22-55
John Doe 11 | Consigliori | 1-2, 61-62

While it is true that many carders are Russian, several folks on this list reside in the United States. This case, which DHS ICE calls "Operation: Open Market", has already seen 19 arrested in the United States, primarily in Las Vegas, where LOFTON, CAMEZ, BUTLER, LAMB, and VERGNETTI were arrested. (Some of those arrested are indicted separately and do not appear above.)

KOSTYUKOV was arrested in Miami from his home at 1100 Washington Avenue, Miami Beach. (He sent a letter to the judge asking for his property back, including his Hookah pipe and his Dr. Dre Beats headphones.)

KOSTYUKOV, 27, was arrested in Miami, Florida.
Boozer, 23, was arrested in Detroit, Michigan.
Montecalvo, 20, was arrested in Morgantown, WV.
Jermaine Smith, 31, was arrested in Newark, NJ.
Makyl Haggerty, 22, lived in San Francisco.
Qasir Mukhtar, 27, in New York.
Shiyang Gou, 27, in New York.
Cameron Harrison, 25, in Augusta, GA.
Fredrick Thomas, 31, in Orlando, FL.
Omar Butt, 28, in New York.
Bill Steffey, 33, in Sacramento.
Jason Maclaskey, 32, (at large?).
Derek Carder, 38, Sacramento.
Robert Kephart, 38, Sacramento.
Heather Dale, 21, Springfield, Orlando.
Herbert Morrell, 50, Orlando.
Roger Grodesky, 49, Warren, Ohio.
John Holsheimer, 53, San Diego.

David Ray Camez, a Nevada resident, for example, was convicted and was due to be sentenced today. (You may enjoy reading his Forfeiture document, which includes ATM machines, PVC card embossers, dozens of phones and computers, as well as printers, cameras, and video games.) Camez was already serving a seven-year sentence in the State of Arizona for fraud charges he was convicted of there.

Back in 2012, ICE agents announced that they had arrested 19 in the US in an operation called "Operation: Open Market."


The full fifty-one-page indictment, originally introduced in court on January 10, 2012, and finally unsealed April 10, 2014, goes on to describe additional charges and activities, sometimes in great detail. The case against "Defendant 24, Cameron Harrison, AKA Kilobit" is being tried in Las Vegas, Nevada as CASE #: 2:12-cr-00004-APG-GWF-24.

The event that triggered the unsealing of the indictment was that Cameron Harrison pleaded guilty, WITHOUT BENEFIT OF A PLEA AGREEMENT! His guilty plea runs nineteen pages. In addition to Count One and Count Two above, Cameron pleaded guilty to:

Count Sixteen: Trafficking in and Production of False Identification Documents and Aiding and Abetting, in violation of 18 U.S.C. § 1028(a)(1), (b)(1)(A)(ii), and (c)(3) and 18 U.S.C. § 2.

The Sentencing Guidelines that the prosecution is asking for are HUGE because they are describing the "Total amount of actual loss involved in the offense as $50,893,166.35" which gives a +24 to the Sentencing guidelines just for the financial losses!

Base Offense Level = 7
+24 (offense involved more than $50 Million of actual loss)
+6 (offense involved more than 250 victims)
+2 (offense involved receiving stolen property and the defendant was a person in the business of receiving and selling stolen property)
+2 (fraud committed from outside the US, involving a sophisticated means)
+2 (fraud involving possession of device-making equipment and trafficking in unauthorized and counterfeit access devices)
-3 (Acceptance of Responsibility)

Total Offense Level = 40

Restitutions that are declared in the Plea include:

American Express = $3,299,210.90

Discover Financial Services = $2,202,429.00

Master Card = $15,496,221.00

Visa Inc. = $29,895,305.45

Total = $50,895,305.45

Because this is a RICO case, EACH member of the Conspiracy can be found responsible for the full restitution. The Indictment requests that each have $20 million of their assets seized to help cover the costs. (Most have nowhere near that amount, of course...).

Roles of the Defendants

Despite the news headlines being about Kilobit (Cameron Harrison) today, Harrison was only a "Member" of the board. Far more important members are listed below by their roles on the various Carder.su websites.

Administrator = Roman ZOLOTAREV, who was the head of Carder.su.

As the head of the governing council, the administrator handles day-to-day management decisions of the organization, as well as long-term strategic planning for its continued viability. Zolotarev was the leader of the enterprise, appointing moderators, and directing other members and associates of the enterprise in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. In addition, ZOLOTAREV:

  • determines which individuals can become and remain members of the Carder.su organization.
  • regulates the functions, responsibilities, and levels of access to information accorded to each member.
  • bestows the rewards accorded members for their loyalty to the Carder.su organization, and sets the punishments to be meted out to members evidencing disloyalty to the organization.
  • decides when, how, and under what circumstances to attack and to retaliate against members of rival criminal organizations and their associated Internet website forums.
  • has full access to, and privileges on, the computer servers hosting the Carder.su organization's websites.
  • has ultimate responsibility for the administration, maintenance, anonymity and security of the Carder.su organization's computer servers.

Moderators = Konstantin LOPATIN and MAXXTRO

These defendants act as leaders of the enterprise, directing other members and associates in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. Moderators are members of the Carder.su organization's governing council. They oversee and manage one or more subject-matter-specific areas on the Carder.su organization's websites. Their jobs included assisting Zolotarev by:

  • monitoring and policing websites by editing and deleting members' posts and mediating disputes among members.
  • serving as Reviewers for products or services offered through the enterprise in which they have expertise.
  • Both LOPATIN and MAXXTRO possessed at least 15 counterfeit or unauthorized access devices.

Reviewers

Members are allowed to sell contraband, including counterfeit documents, stolen bank accounts, and credit card information. Reviewers examine and test products and services that members wish to advertise and sell on the websites. A favorable review is a prerequisite to selling contraband. Any member can be appointed to do a review, although they are usually done by Moderators or the Administrator.

Vendors

Vendors advertise and sell products, services, and other contraband after receiving a favorable review.

Vendors among the defendants included:

Alexander KOSTYUKOV (Temp/Klbs) - a vendor of Cashout services. Cashout vendors remove funds from bank and credit card accounts and receive a fee between 45% and 62% of the funds received.

Maceo BOOZER (XXXSimone / G4 / El Padrino / Mr. Right / mrdc87) is a vendor of dumps. "Dumps" are stolen credit and debit card account data. They sold for between $15 and $150 per card, depending on the quantity purchased and the geographic location. United States cards are least expensive, and European cards are most expensive.

Ray WONG is a vendor of counterfeit plastic, a device-making implement used to produce counterfeit credit cards. WONG sold blank counterfeit plastic cards for $20 to $25 each, with a minimum order of 50 cards. Embossed counterfeit cards were $65 to $75 each with a minimum order of ten. Wong was also a vendor of dumps.

MONTECALVO (N1ghtmare / Tenure44) is a vendor of dumps, but also offered a dump-checking service. He had the ability to validate a card against a real financial institution.

Yu Feng WANG (Ibatistuta) is a vendor of counterfeit cards, counterfeit holograms, and signature panels used to manufacture counterfeit credit cards. He sold blanks for $10-$15 each.

Mohamed Amr Mahmoud (AMR Mahmoud / CC--Trader / Kengza) is a vendor of CVV. While dumps are magnetic card stripe reads, CVVs are all of the account holder information - such as Name, DOB, SSN, address, telephone number, mother's maiden name, and the CVV2 code from the back of the card. MAHMOUD also sold Paypal accounts, Fullz (all of the above plus expiration date and PIN), and Enroll/COBs. The latter included all of the previous data, as well as username and password for the account's online access. Depending on the online balance, he would charge $140 to $200 per account.

Jermaine SMITH (Sircharlie57 / Fairbusinessman) is a vendor of plastic and counterfeit cards.

Makyl HAGGERTY (Wave) is a vendor of counterfeit identification documents and counterfeit cards. He sold counterfeit drivers license for between $100 and $200 each, depending on state, including CA, TX, WI, OH, RI, NV, PA, IL, FL, LA, AZ, HA, SC, GA, NJ, as well as BC Canada. He also sold blank counterfeit plastics and embossed cards.

Aladelola Teslim AJAYI is a vendor of counterfeit identification documents, stolen corporate account information, dumps, and counterfeit credit cards.

Alexandru ION (Abagnalefrank) is a vendor of dumps. He sells 100 mixed Visa and Master Card accounts for $1,500 or 100 AmEx cards for $1,000.

Jordan GEORGIEVSKI is a vendor of counterfeit credit cards and blank plastic, as well as embossed cards for $75 each.

Roman SELEZNEV (Track2 / Bulba / Neux ) is a vendor of dumps. He sold very large volume product through an automated website where members could load their desired cards into a shopping cart. Accounts sold for $20 each.

Qasir MUKHTAR (Caliber) is a vendor of counterfeit plastics, holograms, and signature panels.

Roy AYAD (Rabie Ayad / Patistota) is a vendor of CVVs, selling through an automated website.

Mina MORRIS (Source) is a vendor of dumps. Morris had an automated website to sell dumps.

Rachid IDAALI (C4rd3r) is a vendor of Fullz.

Liridon MUSLIU (Bowl) is a vendor of CVVs.

Sergei Litvinenko (Dorbik / Matad0r ) is a vendor of Bullet Proof Hosting services and infrastructure for criminal websites. These are ISPs that allow criminals to run illegal websites used for phishing, carding forums, or dump sites.

GRUBER is a vendor of counterfeit identification documents including drivers licenses ranging from $150 to $200 each.

ELIT3 is a vendor of Fullz. He also sells Enroll/COBs.

FOZZY is a vendor of dumps ranging from $12 to $100 each, depending on quantity and location.

VITRUM (Lermentov) is a vendor of dumps.

Andrei BOLOVAN (Panther / Euphoric / Darkmth) is a vendor of dumps.

TM is a vendor of dumps and CVVs, which he sells to members through an automated website.

Zo0mer (Deputat) is a vendor of stolen PayPal accounts, Proxies, Fullz, Credit Card Checking and Information Lookups.

CENTURION is a vendor of dumps.

CONSIGLIORI is a vendor of dumps and blank plastic.

Members

Members must successfully complete a number of security features intended to keep out law enforcement and rival criminal organizations. Teams use a number of Carder.su websites as "virtual clubhouses" to gather with other members in order to share information, solicit and recruit other members and to achieve the common objectives of the enterprise.

Members charged in this conspiracy include:

Michael LOFTON (Killit / Lofeazy)

Shiyang GOU (Cder)

David Ray CAMEZ (Bad Man / DoctorSex )

Cameron HARRISON (Kilobit)

Aleksandar BESAROVIC (Qiller)

Duvaughn BUTLER (Mackmann)

Fredrick THOMAS (1STunna)

SENNa071

MORFIY


The Charges

Count One and Two given above deal with Racketeering:

COUNT ONE:

Acts 1 through 15 - Unlawful Trafficking In and Production of False Identification Documents

Acts 16, 17, 19 - Attempt to Unlawfully Produce False Identification Documents

Acts 18, 20, 21 - Conspiracy to Unlawfully Produce False Identification Documents

Act 22 - Conspiracy to Unlawfully Transfer False Identification Documents

Act 23 - Possession of Document-Making Implements

Act 24 - Conspiracy to Unlawfully Transfer, Possess, and Use a Means of Identification

RACKETEERING ACTS 25 through 36

Acts of Wire Fraud by MAXXTRO, MAHMOUD, HARRISON, ELIT3, LOFTON, THOMAS, MAHMOUD, ION, AYAD

RACKETEERING ACTS INVOLVING COUNTERFEIT AND UNAUTHORIZED ACCESS DEVICES

Act 37 - Using and Trafficking in Unauthorized Access Devices

Acts 38 through 97 - Possession of 15 or more Unauthorized Access Devices

Acts 98 through 103 - Trafficking In and Possessing Access Device-Making Equipment

Acts 104 through 109 - Conspiracy to Traffic In and Possess Access Device-Making Equipment

COUNT TWO

Dealing with General Allegations from November 22, 2005 through June 2011.

Counts Three Through Seventeen - Trafficking in and Production of False Identification Documents

Count Eighteen - Attempting to Unlawfully Produce False Identification Documents, Aiding and Abetting

Count Nineteen - Conspiracy to Unlawfully Transfer False Identification Documents

Count Twenty - Unlawful Transfer, Possession and Use of a Means of Identification, Aiding and Abetting

Count Twenty-One - Trafficking in and Use of Counterfeit and Unauthorized Access Devices, Aiding and Abetting

Counts Twenty-Two through Fifty-Five - Possession of Fifteen or More Counterfeit and Unauthorized Access Devices, Aiding and Abetting

Counts Fifty-Six through Sixty - Trafficking In and Possessing Access Device-Making Equipment; Aiding and Abetting

Counts Sixty-One and Sixty-Two - Conspiracy to Traffic In and Possess Access Device-Making Equipment


Phishers, Framesets, and Grocery Surveys

Like most criminals, or let's face it, most programmers, Phishers are lazy. They like to be able to create one website and have it live for an extended period of time. Unfortunately for them, victim companies either smash new phishing sites as fast as they can, or they hire companies to do it for them. At Malcovery Security we concentrate on INTELLIGENCE rather than takedown, so our focus is in understanding what the sites can teach us about the criminal behind the attack, and how the many attacks against your brand are related to each other and to attacks against other brands.

A friend of ours shared a link to a website today that was imitating Centra, a convenience and grocery chain throughout Ireland.

The accompanying spam message promises that they will pay us 150 Euros just for taking their survey!

For the convenience of the consumer, rather than having to wait for a check (cheque) in the mail, you can just enter all of your Credit Card information, and your Date of Birth and some other personal details, and they'll deposit the money right into your credit account!

As we looked at the log files, we found an interesting fact. NONE of the more than 900 visitors to the website had visited the site DIRECTLY. They were all being referred from other URLs. This is our indicator that the spam messages did NOT contain a link to the domain shown above. Instead, they were pointing at websites with Chinese domain names!


...
[10/Apr/2014:01:06:08 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:46 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:52 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:08:28 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:08:51 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:14 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:24 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:28 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:42 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:45 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:55 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:10:27 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:10:31 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html

...

[11/Apr/2014:00:46:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:58:02 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:06:46 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:16:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:18:38 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:18:48 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:23:23 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:25:27 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:25:49 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
...

When we look at the websites on "asp.sti.com.cn" and "www.jctz.cn" we see that both of them actually consist ONLY of a "FrameSet" that sends us to the location of the CENTRA phish:
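As an added example (this is not code from the original post), here is a small Python script that does the two checks described above: it parses access-log lines of the shape quoted in the post, tallies direct versus referred visits for each phishing path, and tests whether a referring page is nothing but a frameset wrapper around the phish. The log lines, the frameset HTML and the host phish.example.invalid are constructed placeholders.

```python
"""Added example, not from the original post: referrer analysis of phishing
access logs plus detection of bare frameset redirector pages.
All log lines, HTML and hostnames below are constructed for the example."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The post's log excerpt has the shape "[timestamp METHOD path referrer".
# Apache records a missing Referer header as "-", i.e. a direct visit.
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\s\]]+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<ref>\S+)"
)

# Constructed sample: the Centra and Tesco paths from the post, plus one
# direct hit so the "(direct)" bucket is exercised.
SAMPLE_LOG = """\
[10/Apr/2014:01:06:08 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:46 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:46:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:19:16 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:03 GET /texc/ -
"""

# Constructed frameset page of the kind found on the referring hosts;
# "phish.example.invalid" stands in for the real phishing host.
SAMPLE_FRAMESET = """<html><head><title>Survey</title></head>
<frameset rows="100%"><frame src="http://phish.example.invalid/Centra/centra/" frameborder="0">
<noframes>Your browser does not support frames.</noframes></frameset></html>"""


def parse_log(text):
    """Return one dict (ts, method, path, ref) per parseable log line."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def referrer_summary(records):
    """Map each requested path to a Counter of referring hosts.
    Direct visits (referrer "-") are counted under "(direct)"."""
    summary = {}
    for rec in records:
        host = None if rec["ref"] == "-" else urlsplit(rec["ref"]).hostname
        summary.setdefault(rec["path"], Counter())[host or "(direct)"] += 1
    return summary


def direct_share(summary, path):
    """Fraction of visits to `path` that carried no Referer at all."""
    counts = summary.get(path, Counter())
    total = sum(counts.values())
    return counts["(direct)"] / total if total else 0.0


class FrameScanner(HTMLParser):
    """Collect frame/iframe src values and any text the page renders itself."""
    _HIDDEN = ("script", "style", "title", "noframes")

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.visible_text = []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)
        elif tag in self._HIDDEN:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in self._HIDDEN and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth and data.strip():
            self.visible_text.append(data.strip())


def frameset_redirect_target(html, phish_host):
    """If the page shows no content of its own and merely frames a URL on
    phish_host, return that URL; otherwise return None."""
    scanner = FrameScanner()
    scanner.feed(html)
    scanner.close()
    if scanner.visible_text:
        return None
    for src in scanner.frame_srcs:
        if urlsplit(src).hostname == phish_host:
            return src
    return None


if __name__ == "__main__":
    summary = referrer_summary(parse_log(SAMPLE_LOG))
    for path, counts in summary.items():
        print(path, dict(counts), "direct share: %.0f%%" % (100 * direct_share(summary, path)))
    print("frameset target:", frameset_redirect_target(SAMPLE_FRAMESET, "phish.example.invalid"))
```

On the real logs the post describes, a direct share of 0% for the Centra path is exactly the signal that the spam pointed at the framing hosts rather than at the phishing domain itself.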

The logs ALSO reveal that another brand is being hosted on the same server!


...
[10/Apr/2014:05:19:16 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:03 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:09 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:28:47 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:30:31 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:37:56 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:48:45 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:50:27 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:53:44 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:57:39 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html

Since most of the time when I'm in the UK I am running dawn to dusk in meetings, Tesco is the only store I've actually ever shopped in, since there is one on every street corner in London. The phishers have correctly updated their currency to use Pounds instead of Euros: "TESCO Supermarkets will add £150 credit to your account just for taking part in our quick survey." but other than that, this is the same phish!

And, as with the other, the actual advertised URL from the spam campaign is hosted in China, and simply updates the content with a Frame SRC = .

Remnants in the logs make it seem likely that this phisher has also targeted Woolworths (many 404 messages in the very early part of the phish for paths with /wps/woolworths/ in the path). Very likely this is a throw-back to the Woolworths phish from 2012. (Woolworths is a food chain in Australia; they got so many of these scams that they did television news announcements warning about it, see for example: Scam Alert (A Current Affair, November 2012).) Those spam messages looked like this:

Subject: Customer Satisfaction Survey! Win 150$

Congratulations!

You have been selected by Woolworths Online Department to take part in our quick and easy reward survey. In return we will credit $150 to your account - Just for your time!

Helping us better understand how our members feel, benefits everyone.

With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous. No part of it is handed down to any third party groups. It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.

To access the form, please click on the link below:


Zeus Criminals charged in Omaha, Nebraska

Legal documents analyzed below are available at the bottom of this DOJ article: Nine Charged in Conspiracy to Steal Millions of Dollars using Zeus Malware

We've talked about Zeus in this blog for many years, including some good arrests, such as Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested. But we now have names for the ring leaders of the biggest Zeus case of all time, Operation Trident BreACH. We knew the aliases of the Ring Leaders publicly thanks to Microsoft's work back in 2012 (see Microsoft DCU, FS-ISAC and NACHA vs. Zeus) but who were these mystery men: tank and petr0vich?

Now we know ... more anyway ... Two Ukrainian members of the Jabber Zeus gang stood in federal court in Omaha, Nebraska last week to plead "Not Guilty" after being extradited from the UK. Yuriy Konovalenko and Yevhen Kulibaba are among the nine people listed in the indictments that have been sealed since August of 2012. The list of defendants is:

  • Vyacheslav Igorevich Penchukov, AKA tank, AKA father
  • Ivan Viktorvich Klepikov, AKA petr0vich, AKA nowhere
  • Alexey Dmitrievich Bron, AKA thehead
  • Alexey Tikonov, AKA kusanagi
  • Yevhen Kulibaba, AKA jonni
  • Yuriy Konovalenko, AKA jtk0
  • John Doe #1, AKA lucky12345
  • John Doe #2, AKA aqua
  • John Doe #3, AKA mricq

DOJ is still seeking four of the named criminals, and still has not publicly acknowledged the names of the three John Does. If you have information on these, please reach out to the FBI!

Tank == Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.

Petr0vich == Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.

TheHead == Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.

Kusanagi == Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.

Although jonni is only now coming to trial in the United States, the Metropolitan Police of London arrested Kulibaba and his wife Karina Kostromina back in October of 2011, as we learned from KrebsOnSecurity in his article ZeuS Trojan Gang Faces Justice. Yuriy Konovalenko, AKA Pavel Klikov, was also in custody in the UK and was "due to be sentenced" according to Krebs' article.

Many of the crimes covered in this indictment are well known to us already, largely due to the work of journalist Brian Krebs. While Krebs was still at the Washington Post writing his Security Fix column, he made Zeus a household name.

Selected Victims:

  • Bank of America
  • Bullitt County Kentucky - Security Fix, Brian Krebs, July 2009. -- Bullitt County had $415,000 stolen from their accounts after being infected by Zeus.
  • Doll Distributing of Des Moines, Iowa
  • First Federal Savings Bank of Elizabeth Town, Kentucky
  • Franciscan Sisters of Chicago, (Homewood, Illinois)
  • Husker AG, LLC of Plainview, Nebraska
  • Key Bank of Sylvania, Ohio
  • ODAT LLC, d/b/a Air Treatment Company
  • Parago, Inc of Lewisville, TX
  • Salisbury Bank & Trust of Salisbury, MA
  • Town of Egremont, Mass
  • Union Bank and Trust of Lincoln, Nebraska
  • Union Bankshares of Ruther Glen, VA
  • United Dairy, Inc of Martins Ferry, OH
The version of Zeus at the heart of this investigation communicated stolen credentials to a server located on the IP address 66.199.248.195 at Ezzi.net in Brooklyn, NY. An FBI Agent interviewed Mohammed Salim in September 2009, who confirmed that the server in question, called the Incomeet server, was custom built for a Russian company "IP-Server Ltd" in Moscow, whose POC was "Alexey S." Extensive chat logs were recovered from the server with four separate search warrants - September 28, 2009, December 9, 2009, March 17, 2010, and May 21, 2010. Those chat logs showed the criminals discussing their conspiracy, including many instances of the criminals trading login credentials for bank accounts.

Those chats also showed that the criminals closely follow Brian Krebs! Tank and Aqua are shown discussing his Bullitt County article linked above and saying "They laid out the entire scheme! I'm really pissed! They exposed the entire deal!"

Doll Distributing had $59,222 stolen from them in two occasions. One of those wire transfers went to "Pandora Service, LLC" and to "Kodash Consulting." FBI Agents interviewed Heidi Nelson and Renee Michelli, the proprietors of those organizations who had believed they were acting as "Financial agents" for a Russian software company. In other words, they were money mules.

All of the victims named above were discussed in the chat logs by the criminals charged in this case.

I especially enjoyed learning how TANK was identified by name. In the chat, on July 22, 2009, he announced that his daughter, Miloslava, had been born and gave her birth weight. A records search of Ukrainian birth records showed only one girl named Miloslava with that birth weight born on that day. Her father was Vyacheslav Igorevich Penchukov. This was enough to seize the computers from Tank's home, which confirmed it was the same person!

Petr0vich was discovered because of mentions of the email address "theklutch@gmail.com" in the chat logs. Gmail was subpoenaed to get records for this email account, which showed "92.242.127.198" had been used to log in to that email address at least 790 times. The secondary email for that account, "petr0vich@ua.fm", was given when the account was created November 24, 2004. Several other addresses were used to login to both the petr0vich jabber account on the Incomeet server and the Gmail address, including 209.160.22.135. Similar techniques were then used to find the computers located at those IP addresses. Ivan Viktorovich Klepikov was found to be living in Donetsk, Ukraine.

TheHead stated his real name in the chat, and gave his gmail account as "alexey.bron@gmail.com". He was telling the truth.

Kusunagi gave a phone number in the chat, and investigators found that phone number on a public webpage where Alexey Tikonov's real name and contact information were given. He lived in Tomsk, Russia. He also used his Kusanagi identity to post videos, and WHOIS information for the sites where those videos were hosted confirmed his location.

Jonni and Jtk0 were identified by Detective Sergeant Simon Williams of the Metropolitan Police of London.

We'll talk more about this case in another post soon . . .

Multi-Brand French Phisher uses EDF Group for ID Theft

At the end of January last year, French power company EDF advised the public that they were seeing a significant rise in the number of phishing complaints they were receiving from their customers. An example story in English from The Connexion, EDF customers hit in 'phishing' scam, quotes an EDF spokesperson saying that beginning in August of 2012 they were seeing 20,000 customers per month complaining about the phish and that by January 2013 it had risen to as many as 40,000 customers per month. As many as 200 to 300 new phishing sites per month were being created at that time.

This week Malcovery is noticing that the EDF phish are back, with a twist! The current EDF phish are asking for documents with an enormous value for identity theft and are targeting many different French banks with the information. Here's what a currently live phishing site looks like:

Zooming in on the data being requested, we see typical information.

Email, Password, Title, Name, Address, City, Postal Code, and Date of Birth.

While EDF has world-wide operations, a large number of their tens of millions of utility customers are in France.

The email they receive is likely to be the same one seen in France last year that advises:

Votre paîement a été refusée par votre établissement bancaire. […] Pour éviter la pénalités de retard, nous vous donnant la possibilité de payer en ligne en utilisant votre carte bancaire.

(or in English: "Your payment was declined by your bank ... To avoid late fees, we give you the option to pay online using your credit card.")

After providing the basic information, the victim is prompted to choose which bank issued the credit card they will be using to pay their bill:

Choices are:

Axa Banque
Banque populaire
BNP
Bred
Caisse d’epargne
Credit agricole
Credit mutual
Credit du nord
CIC
HSBC
Societe generale
La banque postale
LCL
Autres

and then enter their Credit Card information:

The most interesting part of the phish, however, is what comes next! The Phishers then tell them that in order to prove they are really in charge of this account, they must upload at least two forms of proof of identity!

  • Identity Card
  • Credit Card
  • A copy of a Bank statement
  • An invoice proving the address
Whichever documents I attempted to upload, it kept insisting that I needed to upload additional documents.

Although this case is most accurately described as an EDF phish, there are actually thirteen targeted banks, and an unlimited number of forms of identity theft that could occur if some victim were to provide all of the requested information. Just another example of how the phishers use FEAR (an unpaid Utility bill that could result in Termination of Service) to steal our credit card information!

Blackshades RAT leads to 97 Arrests in 16 countries

On May 19, 2014, the FBI announced a worldwide coordinated action against criminals who created, sold, and used a Remote Administration Trojan (RAT) known as BlackShades. In the FBI's BlackShades Press Release they shared that 40 participating FBI Field Offices had conducted 100 interviews, executed more than 100 e-mail and physical search warrants and seized more than 1,900 domains used by BlackShades to control victims' computers.


(image from FBI.gov)

The case actually was a spin-off from another major international operation called "Operation Card Shop" that we wrote about in April 2012 (see SOCA & FBI seize 36 Criminal Credit Card Stores). As Law Enforcement reviewed the seized websites from that case, they began to realize the extent of the role of the BlackShades RAT in the theft of credit card information, and also that the operation was much larger than they had at first believed. One of those arrested during Operation Card Shop was Michael Hogue, one of the co-authors of Blackshades, who agreed to cooperate in unveiling the rest of the BlackShades operation.

Blackshades and Miss Teen USA

For many Americans, the first time they heard of Blackshades was in the case of Miss Teen USA 2013, Cassidy Wolf. In that case, Blackshades customer Jared James Abrahams, a 20-year-old college student, used Blackshades to begin capturing video from Cassidy's webcam. The victim, unaware that their webcam is even recording, goes about their business, including dressing and undressing. Like most teens, having a laptop on in the bedroom is not unusual, and after capturing some nude images, Abrahams attempted to extort additional videos in exchange for not releasing the first images to Cassidy's friends on Facebook. But Blackshades is able to do so much more than capturing an occasional nude image! While most commonly used for good old fashioned credential and credit card theft, Blackshades has also been used to infiltrate Syrian rebel computers, as first reported by the EFF and with many more details shared by MalwareBytes.

Blackshades CoCreators HOGUE and YÜCEL

Michael Hogue, who used the hacker name xVisceral, was originally arrested in Tucson, Arizona as part of a group of arrests announced by Preet Bharara, the US Attorney in the Southern District of New York, on June 26, 2012 as part of the follow-up to Card Shop. In addition to xVisceral/Hogue, that sweep grabbed up 404myth (Christian Cangeopol of Lawrenceville, Georgia), Cubby (Mark Caparelli of San Diego, California), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, New York), JoshTheGod (Mir Islam of Manhattan, New York), IwearaMAGNUM (Peter Ketchum of Pittsfield, Massachusetts), theboner1 (Steven Hansen, who was already in jail in Wisconsin) as well as 13 others in the UK (6), Bosnia (2), Bulgaria (1), Norway (1), and Germany. (See: Manhattan U.S. Attorney and FBI Assistant Director in Charge Announce 24 Arrests in Eight Countries as Part of International Cyber Crime Takedown).

For a fascinating "how I became a hacker" biography interview, please see The Rise and Fall of xVisceral which details how as a 17 year old Halo player, xVisceral first was introduced to hacking as a way to cheat other Halo players, and a detailed history of how this led to ever-more-advanced hacking tools and ultimately the creation of Blackshades. (the original source is currently unavailable, this is an archived copy of an article from:

The Charges against Hogue (filed January 9, 2013) say that "Michael Hogue a/k/a xVisceral, the defendant, and others known and unknown, willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking in violation of Title 18, USC, Section 1030(a)(5)(A)." It was part of the conspiracy that Hogue and others "did cause the transmission of a program, information, code and command, and as a result of such conduct, would and did intentionally cause damage without authorization, to a protected computer, which would and did cause damage affecting 10 and more protected computers during a one-year period, in violation of Title 18, USC Sections 1030(a)(5)(A), 1030(c)(4)(B)(i), and (c)(4)(A)(i)(VI), to wit, HOGUE used malware to infect computers and sold that malware to others, enabling them to infect and remotely control victims' computers."

Like most RATs, once a victim has been tricked into clicking on the installer, the RAT is controlled by connecting to a server used for that purpose. The FBI was able to learn considerably more about the person being described as the "co-creator" of BlackShades, Alex YÜCEL, (also spelled Alex Yucel, Alex Yucle, Alex Yuecel), AKA marjinz, AKA Victor Soltan, by tracking one of his servers as they investigated the various domains used to host the servers for the malware. In one case, Alex contacted a company to lease certain computers for this purpose (November 8, 2012), paying for them on January 30, 2013. On March 18, 2013, he sent email requesting tech support due to a problem with his servers. Alex was the administrator of "www.blackshades.ru" and "www.bshades.eu". Alex is a 24 year old citizen of Sweden, arrested in Moldova and awaiting extradition to the United States.

Symantec actually has an interesting screenshot from 2011 where Hogue claims to be resigning from Blackshades and turning full control over to "marjinz" in a post shared in their article from June 2012 when Hogue was first arrested. The fact that so many "script kiddie" hackers use Hack Forum may be part of why Blackshades was so popular:


(Source: www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested )

A Sample Customer: kbello

A look at the Criminal Complaint against one of his customers may be revealing. Kyle Fedorek (aka kbello) was charged May 15, 2014 in the Southern District of New York. On September 12, 2012, kbello purchased a copy of Blackshades over the Internet. An undercover FBI agent in New York had also purchased the software on June 30, 2010 from the same source. The FBI used this criminal complaint to document the scope and abilities of Blackshades. Between September 12, 2012 and March 2014, kbello acquired "thousands" of credit card numbers and financial account numbers through hacking using the RAT. According to the Criminal Complaint, the FBI agent described Blackshades as giving the hacker "Free rein to, among other things, access and view documents, photographs and other files on the victim's computer, record all of the keystrokes entered on the victim's keyboard, steal the passwords to the victim's online accounts, and even activate the victim's web camera to spy on the victim -- all of which could be done without the victim's knowledge."

The FBI's investigation has shown that the RAT was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide.

After kbello purchased his copy of the RAT, it was used against at least 400 victims, and was also part of a suite of additional malware that he installed on the victims' computers. After a victim was infected, the hacker could activate the "Spreader" module on that victim's computer, which would use that victim's chat programs (AOL/AIM, ICQ, MSN) and any USB devices attached to the computer to attempt to infect others.

Other modules of the program allowed the hacker to encrypt any files on the system and display a Ransomware message, demanding that payment be sent to decrypt them. The message could be customized per victim, or the same message could be sent to many victims.

Many other modules were available, including password stealers, webcam capture tools, DDOS attack tools, and others.

Records from the primary Blackshades server indicate that the program, which often sold for as little as $40 per copy, had generated $350,000 in direct sales between September 2010 and April 2014. When a purchase was made, the purchasing hacker would establish a domain name that he or she would use as their main "controlling" domain. A custom version of the software was then generated which would only take infected users to that domain. The logs on the server indicate there were at least 6,000 Blackshades customer accounts for users in 100 countries, and that at least 1900 domain names had been registered by customers to control infected computers. All 1900 of these domains have been seized by the FBI, disabling the RAT from controlling the infected computers any more.

In February 2013, the FBI obtained a warrant to search the email account "blackshadessupport@hotmail.com" - which Yucel used to communicate with his employees who were offering technical support and administering his various infrastructure. The search revealed many email communications requesting customer support and also contained copies of receipts sent to customers for various products and services offered by the Blackshades organization.

This search warrant revealed a home address in Stony Point, New York for Kyle Fedorek when he purchased "Blackshades Remote Controller (R.A.T.) for 40.00 USD". The seized Blackshades Server also provided the information that KBello had registered the hostnames "kbella.zapto.org" and "kbello.zapto.org" as his controllers. The IP address to which these names resolved in April and May of 2013 was subscribed to at the Fedorek Residence.

In a subsequent search warrant, executed March 6, 2014, agents seized a laptop from the bedroom of Kyle Fedorek, where the username of the laptop was Kyle, and recovered a copy of the Blackshades RAT. The RAT was configured to run the "Form Grabber" (stealing any information victims typed into a webform, such as a userid and password prompt box on a banking website). At least 400 victims had unwittingly provided information to Fedorek through this form grabber. The laptop was also being used to run other malware schemes, including CARBERP, Andromeda, and Citadel, and had evidence of having been used to create Phishing sites as well. DDoS and SQL Injection tools were also present. More than 9,000 sets of userids and passwords and 50,000 sets of credit card information were found on the laptop.

The UK's National Crime Agency

The UK's National Crime Agency (NCA, formerly SOCA) issued their own press release (see Unprecedented UK Operation aids global strike against Blackshades malware) indicating that 17 Blackshades customers were apprehended in the UK and that their records suggested that at least 200,000 worldwide victims had their information harvested by Blackshades customers in the UK.

EuroJust

The European Union's Judicial Cooperation Unit in The Hague also issued a press release. (See International operation hits Blackshades users.) They indicated that at least 359 "house searches" were carried out worldwide and that 97 people had been arrested. 1100 data storage devices had been seized in those searches, including computers, mobile phones, external hard drives, and USB memory sticks, in addition to "substantial quantities" of cash, illegal firearms, and drugs.

Dutch High Tech Crime Team

The Dutch High Tech Crime Team was able to secure a server in Delft operated by an 18 year old Black Shades customer. One of their most high-profile Blackshades customers was a 19 year old man who was controlling more than 2,000 webcams being used to capture photos and videos of female victims. The Dutch police seized 96 computers and laptops, 18 mobile phones, and 87 USB sticks and hard drives during searches on 34 residences. (See: 34 Dutch homes raided in worldwide crackdown on hacking software.)

Dutch High Tech Crimes statement - www.om.nl/actueel/nieuwsberichten/@162701/wereldwijde-actie/

A Social Facebook Phish - is your friend acting strange?

I'm always proud when my students do a great write up on a new attack, and doubly so when that analysis comes from my nephew, Chris Warner!

Chris was logged in to Facebook today when one of his friends started chatting with him. It was pretty obvious to Chris that his friend had been the victim of an Account Takeover (ATO) and that he was really chatting with a criminal who was inviting him to visit a Facebook phishing site. Chris gathered up an evidence package and submitted it to IC3.gov with his analysis prior to contacting me. With his permission, I'm sharing what he saw (editing his friend's identity out for her privacy.)

Original URL user sees is of the format:

http://(USER FIRST NAME)-photos.uglyfacebookpeople,commm

URL is intentionally messed up, presumably to avoid detection by Facebook systems.

URL redirects to http://accounts.login.userid.266765.facebooclk.com/lp/fbn/?next=http%3A%2F%2F%2videos%2F%3AJ%4ID%1A

Action file is security.php

Following the action file results in visiting accounts.login.userid.497031.facebooclk.com/blam/

Which directs you to a "Flash Player Update" site that I assume is a virus. http://198.52.200.49/install_flashplayer13x32_mssd_aaa_aih.ex

There are other files that were on the site, but it is down now.

WHOIS INFO(SAME FOR FACEBOOCLK.COM AND UGLYFACEBOOKPEOPLE.COM):


Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: DI_36635864
Registrant Name: Dave Brider
Registrant Organization: none
Registrant Street: 505 45th st
Registrant City: new york
Registrant State/Province: New York
Registrant Postal Code: 10003
Registrant Country: US
Registrant Phone: +1.6463392283
Registrant Email: yogurtman7@mail.com
Registry Admin ID: DI_36635864
Admin Name: Dave Brider
Admin Organization: none
Admin Street: 505 45th st
Admin City: new york
Admin State/Province: New York
Admin Postal Code: 10003
Admin Country: US
Admin Phone: +1.6463392283
Admin Email: yogurtman7@mail.com
Happy hunting!

--Chris Warner


Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!

Is the Game Over for GameOver Zeus?

Several weeks ago law enforcement friends in Pittsburgh started asking people not to publish anything too public about GameOver Zeus. When we asked why, we got a teasing "You'll see!" Now our ISP friends that were participating in the effort are grinning ear to ear as we may actually have a chance to disrupt Zeus in a meaningful way. Being a legal geek, I was excited to have the documents published on the main Justice website today at www.justice.gov/opa/gameover-zeus.html.

The Complaint against Evgeniy Mikhailovich Bogachev aka Slavik, aka Pollingsoon was unsealed in court where the Pittsburgh FBI led the investigation into CryptoLocker and GameOver Zeus. In addition to Bogachev, charges are filed against several aliases of as-yet-unidentified hackers, "Temp Special", "Ded", Chingiz (aka Chingiz 911), and Mr.KyKyPyKy. The Complaint charges that "Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed $100 million."

Some of the specific cases mentioned in the complaint include:

  • A composite materials company in the Western District of Pennsylvania which lost more than $198,000 from its bank account using credentials stolen by the Defendants through the use of GOZ; (The Pittsburgh Indictment shares more details, telling us this was Haysite Reinforced Plastics, whose PNC Bank account was fraudulently accessed and used to send their money to a Mule account in the name of Lynch Enterprises, LLC, at SunTrust Bank in Atlanta, Georgia, after they clicked on a NACHA email informing them their ACH payment had failed, in October 2011. They also transferred $175,756.91 to an account belonging to R&R Jewelers, and ATTEMPTED six additional transfers, all on October 20, 2011. The money in the SunTrust account was quickly moved on ($99,822 of it, anyway) to an HSBC account in London.)
  • An Indian tribe in Washington - $277,000
  • A corporation managing assisted living facilities in Pennsylvania - $190,800
  • A regional bank in Northern Florida - $7 Million
CryptoLocker is described separately as having "first emerged in mid-to-late 2013" and infected "more than 230,000 computers, including more than $120,000 in the United States."

Just between October 15, 2013 and December 18, 2013, we know that $27 million in ransom payments were made, just by tracking the ransom payments made using Bitcoin!

The charges in the criminal complaint are:

Count I: Wire fraud: 18 USC Section 1343 "Having devised a scheme or artifice to defraud and for obtaining money by means of false or fraudulent pretenses and transmitting and causing to be transmitted by means of wire communications in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice."

Count II: Bank Fraud: 18 USC Section 1344 "knowingly executing a scheme or artifice to defraud financial institutions insured by the FDIC and to obtain moneys under the custody and control of these institutions by means of false and fraudulent pretenses and representations."

Count III: Unauthorized interception of electronic communications: 18 USC Section 2511 "intentionally intercepting electronic communications, and intentionally using and endeavoring to use the contents of the electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications."

All of which, according to 18 USC Section 1345(a) and (b), allows Injunctive Relief to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers.

The 28 page Application for Temporary Restraining Order, whose affiant was an FBI Pittsburgh cyber agent, recounts that while the largest known single wire transfer was a $6.9 million wire, fraudulent wires in the amount of $1 million dollars were "very common." A single bank experienced 11 fraudulent wires, with six being for more than $950,000 and the largest being 2 million dollars!

The GOZ affidavit mentions a few email addresses: Bogachev uses bollinger.evgeniy@yandex.ru as one email address, while Chingiz 911 uses charajiang16@gmail.com. Seeing the nickname "Ded" as one of the members of the gang, I can't help but recall "Ded Pixto", the nickname of Stanislav Avdeiko, the Koobface malware author.

So how will this "takedown" actually work? First, some hard work by a couple of genius malware reverse engineers at Dell Secure Works and CrowdStrike helped the Pittsburgh FBI agent to understand the current Command & Control infrastructure so it could be rendered harmless. The problem, though, is that both GOZ and Cryptolocker have a built-in backup plan in the form of a Domain Generation Algorithm. The job of a DGA is to allow the botmaster to IN THE FUTURE reconnect to his bots using infrastructure that neither the bots nor the botmaster have even created yet. A formula is used to calculate a domain name based on a timestamp. So, if NONE of the hard-coded IP addresses can be reached, the bot will look up the current date and begin "guessing" domains that the criminal may have registered for use to update the bot with new hard-coded addresses. As a few examples, on July 1, 2014, CryptoLocker will try to connect to 1,000 domains, including:

wncbbejfurrw.net
kbdnkmpgxlxh.biz
aevmpupnouqy.ru
nrwyydvorowj.org
bvgurlkgcwya.co.uk
ojhhbtqhfqfk.info
eqcoayuicfrp.com
fsdnbhyofoiv.net
fimwcppbphaq.biz
gknvdxthsqqw.ru
iygiqgvjjkys.org
jbhhroapmtpy.co.uk
jqqqswqcwmht.info
ksrptfuiavxa.com
klrmfgyihrch.net
xysyolodvgen.biz
mgcjywthscyu.ru
atdvicjchqbb.org
otvgvnajowjk.co.uk
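A defender-side check built on the DGA behaviour just described, added here as an example (not the FBI's, Malcovery's or the reverse engineers' code): it scans constructed BIND-style DNS query-log lines for lookups of the sample domains quoted above and for other names with the same shape (a 12-letter label directly under one of the seven suffixes the DGA cycles through), so a workstation cycling through the daily list stands out even for names not yet on a blocklist. The log format, client addresses, the harmless-looking names and the alert threshold are all assumptions.

```python
import re
from collections import defaultdict

# The seven suffixes seen in the CryptoLocker sample list above.
DGA_TLDS = ("com", "net", "biz", "ru", "org", "co.uk", "info")
LABEL_RE = re.compile(r"^[a-z]{12}$")          # DGA labels are 12 lowercase letters
QUERY_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (\S+) IN ")

# Constructed blocklist: a handful of the DGA domains quoted in the post,
# standing in for an Appendix-B style list from the TRO.
BLOCKLIST = {
    "wncbbejfurrw.net", "kbdnkmpgxlxh.biz", "aevmpupnouqy.ru",
    "nrwyydvorowj.org", "bvgurlkgcwya.co.uk", "ojhhbtqhfqfk.info",
    "eqcoayuicfrp.com",
}

# Constructed BIND query-log excerpt (format assumed). 10.0.0.5 behaves like a
# bot walking the daily list; the other two clients are ordinary lookups.
SAMPLE_LOG = """\
01-Jul-2014 09:12:01.101 client 10.0.0.5#51234: query: www.example.com IN A +
01-Jul-2014 09:12:02.250 client 10.0.0.5#51235: query: wncbbejfurrw.net IN A +
01-Jul-2014 09:12:02.300 client 10.0.0.5#51236: query: kbdnkmpgxlxh.biz IN A +
01-Jul-2014 09:12:02.350 client 10.0.0.5#51237: query: zzqrtpwlkmnb.ru IN A +
01-Jul-2014 09:12:02.400 client 10.0.0.5#51238: query: qwlmzpxkrtvb.org IN A +
01-Jul-2014 09:12:02.450 client 10.0.0.5#51239: query: plmkqzxwrtvy.co.uk IN A +
01-Jul-2014 09:12:03.010 client 10.0.0.7#40001: query: sportsresult.com IN A +
01-Jul-2014 09:12:03.020 client 10.0.0.9#40002: query: mail.google.com IN A +
01-Jul-2014 09:12:03.030 client 10.0.0.9#40003: query: ns1.kratosdns.net IN A +
"""


def registrable(fqdn):
    """Split a query name into (registrable label, suffix) for the suffixes
    the DGA uses; names under any other suffix return None."""
    name = fqdn.lower().rstrip(".")
    for tld in sorted(DGA_TLDS, key=len, reverse=True):   # try "co.uk" before "uk"-like tails
        if name.endswith("." + tld):
            labels = name[: -len(tld) - 1].split(".")
            return labels[-1], tld
    return None


def looks_like_dga(fqdn):
    """Structural match for the pattern in the sample list above:
    exactly 12 lowercase letters directly under one of the seven suffixes."""
    parts = registrable(fqdn)
    return parts is not None and bool(LABEL_RE.match(parts[0]))


def analyze(log_text, blocklist=BLOCKLIST, dga_threshold=3):
    """Per client IP, collect blocklisted and DGA-shaped domains it queried.
    A client is reported if it hit the blocklist at all, or queried at least
    dga_threshold distinct DGA-shaped names (one odd name is just noise)."""
    seen = defaultdict(lambda: {"blocklisted": set(), "dga_like": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2)
        parts = registrable(qname)
        if parts is None:
            continue
        domain = parts[0] + "." + parts[1]
        if domain in blocklist:
            seen[client]["blocklisted"].add(domain)
        elif looks_like_dga(domain):
            seen[client]["dga_like"].add(domain)
    return {c: v for c, v in seen.items()
            if v["blocklisted"] or len(v["dga_like"]) >= dga_threshold}


if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        print(client, "blocklisted:", sorted(hits["blocklisted"]),
              "dga-like:", sorted(hits["dga_like"]))
```

The structural rule is deliberately loose; in practice it is the combination of blocklist hits and a burst of same-shaped lookups from one host that is worth an alert, not any single 12-letter name.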
The Temporary Restraining Order (TRO) seeks an Order that:

1) directs four U.S. based internet domain Registries to block access to around 900 PAGES of domain names, seemingly the "future" list of DGA-generated domain names for CryptoLocker and GOZ. The GameOver Zeus domains are listed in Appendix A while the CryptoLocker domains are listed in Appendix B. Because ICANN only has jurisdiction over the Generic TLDs, this approach doesn't work for the ".ru" domains. CryptoLocker also uses ".co.uk" domains, so one would hope that the British government has asked for a similar favor from their counterpart registries. The four Registries in the US were VeriSign, Inc., representing .com and .net, Neustar, Inc., representing .biz, Afilias USA, Inc., representing .info, and Public Interest Registry, representing .org.

Appendix A actually contains 25,937 domains for Game Over Zeus, arranged in ten columns, with three columns of domains listed on pages 1-69, 70-138, and 139-207, and then a single column on pages 208 to 276. That works out to seven columns of 2,594 domains and three columns of 2,593 domains, or 25,937 domains for Game Over Zeus.

Appendix B has six columns on pp. 1-176, pp.177-352, and then six columns of various length from 353 to the end of the 704 page document, for a total of 130,421 domains for CryptoLocker.

Afilias, Neustar, Verisign, and Public Interest Registry are ordered to redirect all of those 156,000 or so domains to use the nameservers ns1.kratosdns.net and ns2.kratosdns.net, preventing the criminals from using those domains to re-establish control of their botnet.

2) directs the twenty largest ISPs in America to not allow access from their networks to the .RU domains that the DGA can make, as the .RU domains are not under ICANN control. The ISPs named here are:

Cablevision, AT&T, Cox, Comcast, Mediacom, AOL, Frontier, Sprint, Time Warner Cable, Verizon, Charter, CenturyLink, Suddenlink, Wide Open West, Windstream, Level 3, Armstrong Group of Companies, Bright House, Earthlink, and NTT America.

Those ISPs are forbidden to allow traffic to the .ru domains listed in Appendix C.

3) To redirect all traffic intended for one of those domains to .gov controlled servers

and

4) to seek a Pen Register/Trap and Trace Order that would gather information about the nodes directed to those replacement boxes, and to share that information back to the ISPs and victims to help them protect themselves. This "Dialing, Routing, Addressing, and Signaling" data (called DRAS in telephone-legalese) is to be turned over to the government so that attempts can be made to clean up these victims' computers.

In cooperation with these efforts, McAfee is providing their "Stinger" program to be used by any victims to clean and remove GameOver Zeus or CryptoLocker infections.

All of that is now in play ... it is too early to tell if the game is really over, but best of luck and congratulations to the fine agents and CCIPS lawyers who made this possible!

Malcovery Examines GameOver Zeus


What is this graphic about? Read on, Gentle Reader!

Malcovery: Email Based Threat Intelligence and GameOver Zeus

At Malcovery Security we have become EXTREMELY familiar with GameOver Zeus. Our malware analysts create multiple reports each day documenting the top Email-based threats, and as the FBI's news releases (covered earlier this week in this blog, see Is the Game Over for GameOver Zeus?) document, the criminals behind GameOver Zeus have been devastatingly thorough in compromising computers. Unlike some sandboxes, when Malcovery reports on a piece of malware, we actually report on "the activity that would result on a computer compromised by this malware" in a holistic view that we call Contextual Analysis. The goal of Malware Contextual Analysis is to help answer questions like:

  • How would one of my users likely be infected by this malware?
  • What email subjects or messages may have sent this malware?
  • Did that spam campaign deliver other malicious attachments or malicious URLs?
  • If one of my users were compromised by this malware, what network activity may result?
  • What additional malicious files might be downloaded by a computer compromised with this malware?
  • . . . and other questions, depending on the nature of the malware
Malcovery's main Malware Threat Intelligence analyst, Brendan Griffin, has shared a special report called The Many Faces of GameOver Zeus that examines many of the ways the malware has been delivered via spam campaigns. In this blog post, I'll be focusing on the Prominent IP addresses associated with the "Encrypted Drop" version of GameOver Zeus distribution.

GameOver Zeus's Encrypted Drop Sites

Back in February, Malcovery reported that GameOver Zeus was being prominently loaded by means of UPATRE malware downloading an Encrypted file from the Internet, and then executing that file. (See our post: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security) With GameOver Zeus possibly taking a significant hit due to the coordinated law enforcement and researcher efforts, I wanted to look at the network infrastructure that we have been warning about in our T3 reports, and just illustrate how the T3 reports can be used to alert you to activity not just from the current day's malware, but for malware that touches any part of the extensive shared infrastructure of GameOver Zeus.

Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different internet locations, get decrypted by the Dropper malware, and execute themselves to begin communicating with the Peer to Peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binary were accessed, is available at the end of this article. Here is a sampling of some of the most recent ones for now to help understand the process...


For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and STIX version of the machine readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic, but whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.

T3: Protection for Today and Tomorrow

But how often did we see "re-use" of network infrastructure? We like to say that Malcovery's T3 report, which stands for Today's Top Threat, is really "T3: Protection for Today and Tomorrow". To illustrate this, I did some data mining in Malcovery's Threat Intelligence database.

First - I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...)

For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns.

I took those IP addresses and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaigns I started with, but 360 distinct spam campaigns! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest. The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.

Brand Imitated in Spam       # of Campaigns Seen
Ring Central                 30 campaigns
HMRC                         15 campaigns
HSBC                         13 campaigns
Royal Bank of Scotland       14 campaigns
NatWest                      11 campaigns
eFax                         11 campaigns
Sage                         10 campaigns
Lloyds Bank                   8 campaigns
UK Government Gateway         8 campaigns
Xerox                         8 campaigns
ADP                           6 campaigns
Companies House               6 campaigns
IRS                           6 campaigns
New Fax                       5 campaigns
Paypal                        5 campaigns
Sky                           5 campaigns
UPS                           5 campaigns
Amazon                        4 campaigns
Bank of America               4 campaigns
BT.com                        4 campaigns
Microsoft                     4 campaigns
QuickBooks                    4 campaigns
Wells Fargo                   4 campaigns
WhatsApp                      4 campaigns
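The infrastructure pivot described above, as an added example rather than Malcovery's own tooling: it runs the same three steps (count how many seed campaigns each IP appeared in, keep the IPs above a threshold, then pivot back to every campaign that touched two or more of them and tally the imitated brands) over constructed sample records, using a threshold of 3 of 4 seed campaigns in place of the 10 of 92 used in the text. The campaign ids, dates, brands and IPs are all made up for the example.

```python
"""Infrastructure-reuse pivot over a campaign/indicator dataset.

Added example, not Malcovery's code or data.  It reproduces the three steps
described in the text on constructed sample records: count how many seed
campaigns each IP appeared in, keep the IPs seen in at least N of them, then
pivot back to every campaign that touched two or more of those IPs and tally
the brands those campaigns imitated.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample data (hypothetical).  IPs come from the RFC 5737
# documentation ranges; campaign ids, dates and brands are made up.
# "family" marks the seed set: campaigns of the encrypted-drop GOZ variety.
SAMPLE_RECORDS: List[Dict] = [
    {"campaign": "C01", "date": "2014-02-06", "brand": "UK Govt Gateway",
     "family": "goz-enc", "ips": {"192.0.2.10", "192.0.2.11", "198.51.100.5"}},
    {"campaign": "C02", "date": "2014-02-12", "brand": "Royal Bank of Scotland",
     "family": "goz-enc", "ips": {"192.0.2.10", "192.0.2.11", "203.0.113.7"}},
    {"campaign": "C03", "date": "2014-03-06", "brand": "RingCentral",
     "family": "goz-enc", "ips": {"192.0.2.10", "192.0.2.12", "198.51.100.5"}},
    {"campaign": "C04", "date": "2014-04-01", "brand": "eFax",
     "family": "goz-enc", "ips": {"192.0.2.11", "198.51.100.5", "203.0.113.9"}},
    # Campaigns outside the seed set; the pivot is what links them.
    {"campaign": "C05", "date": "2014-03-21", "brand": "RingCentral",
     "family": "other", "ips": {"192.0.2.10", "192.0.2.11"}},
    {"campaign": "C06", "date": "2014-04-17", "brand": "HMRC",
     "family": "other", "ips": {"192.0.2.10", "198.51.100.5", "203.0.113.50"}},
    # Touches only one high-interest IP: culled by the min_hits=2 rule.
    {"campaign": "C07", "date": "2014-05-07", "brand": "Amazon",
     "family": "other", "ips": {"198.51.100.5", "203.0.113.60"}},
    # Shares nothing with the seed infrastructure.
    {"campaign": "C08", "date": "2014-05-20", "brand": "Generic Voicemail",
     "family": "other", "ips": {"203.0.113.70", "203.0.113.71"}},
]


def high_interest_ips(records: Iterable[Dict], seed_ids: Set[str],
                      min_campaigns: int) -> Set[str]:
    """IPs contacted by at least `min_campaigns` distinct seed campaigns.

    Each record's `ips` is a set, so an IP counts once per campaign no
    matter how many times the sample talked to it.
    """
    counts: Counter = Counter()
    for rec in records:
        if rec["campaign"] in seed_ids:
            counts.update(rec["ips"])
    return {ip for ip, n in counts.items() if n >= min_campaigns}


def pivot_campaigns(records: Iterable[Dict], hot_ips: Set[str],
                    min_hits: int = 2) -> Set[str]:
    """Campaign ids whose traffic touched at least `min_hits` of `hot_ips`.

    min_hits=2 is the culling step: a campaign that touched only one
    high-interest IP is dropped as too weak a link.
    """
    return {rec["campaign"] for rec in records
            if len(rec["ips"] & hot_ips) >= min_hits}


def brand_breakdown(records: Iterable[Dict], campaign_ids: Set[str]) -> Counter:
    """How many of the linked campaigns imitated each brand."""
    return Counter(rec["brand"] for rec in records
                   if rec["campaign"] in campaign_ids)


def run_pivot(records: List[Dict], min_campaigns: int = 3,
              min_hits: int = 2) -> Dict:
    """Seed on the encrypted-drop campaigns and pivot out through shared IPs."""
    seed = {rec["campaign"] for rec in records if rec["family"] == "goz-enc"}
    hot = high_interest_ips(records, seed, min_campaigns)
    linked = pivot_campaigns(records, hot, min_hits)
    return {"seed": seed, "hot_ips": hot, "linked": linked,
            "brands": brand_breakdown(records, linked)}


if __name__ == "__main__":
    result = run_pivot(SAMPLE_RECORDS)
    print(f"seed campaigns:      {sorted(result['seed'])}")
    print(f"high-interest IPs:   {sorted(result['hot_ips'])}")
    print(f"linked campaigns:    {sorted(result['linked'])}")
    for brand, n in result["brands"].most_common():
        print(f"  {brand:<24}{n} campaigns")
```

On the sample data the pivot links two campaigns (C05, C06) that were never in the seed set, while C07 is culled for sharing only one IP and C08 is never touched; that is the "today and tomorrow" effect the text describes.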

I threw the data into IBM's i2 Analyst Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:

On the left are IP addresses that are owned by Microsoft. They are arranged by Netblock, with the size of the Computer icon representing how many malware campaigns that IP was linked to. Top to bottom numerically by Netblock, these are from the 23.96 / 23.98 / 137.116, 137.135, 138.91, 168.61, 168.63, 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other Peer to Peer chatter for GameOver Zeus.

On the top are IP addresses in APNIC countries. (Japan, Hong Kong, China)

On the right are IP addresses in ARIN countries. (Canada, USA)

In the bottom right corner is one LACNIC IP. (Venezuela)

And on the bottom are RIPE countries. (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria)

The IP addresses on the chart above are also included here in tabular form:

Prominent IP addresses Associated with GameOver Zeus and associated malware


Encrypted GameOver Zeus URLs seen by Malcovery


Microsoft, njRat, and No-IP

Microsoft's Digital Crimes Unit is claiming their 10th major botnet action, this time targeting the malware known as Bladabindi, or more popularly njRAT, and Jenxcus, better known as H-worm. To do so, Microsoft filed a lawsuit in Nevada against three parties:

Naser Al Mutairi, a Kuwait City resident known to be the author of njRAT through his various aliases, njq8, xnjq8x, njq8x, and njrat

Mohamed Benabdellah, an Algerian living in or near Mila, Algeria, who uses the aliases Houdini, houdinisc, and houdini-fx

and Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com, with offices at 5905 South Virginia Street, Suite 200, Reno, Nevada 89502.

The lawsuit is also filed against "John Does 1-500", who are supposedly the 500 principal operators of njRAT and H-Worm malware. (H-Worm is a closely related RAT, likely based on the same source code.) Because they do not yet know the identities of these RAT operators, they are assigned "John Doe" aliases, in the hope that the power of discovery granted by the lawsuit can help to reveal their true identities.

On the other side of this Internet battle is Vitalwerks and their literally millions of service users. Vitalwerks provides the capability to host an Internet service despite the fact that your computer may be using a DHCP-assigned IP address. Normally a webserver has to have a permanently assigned IP address which is listed by a DNS service so that computers on the Internet can find the service you are offering. With Dynamic DNS services, your computer can link to the service and constantly update its IP address so that even if your IP changes many times per day, your service users can find you. In Microsoft's lawsuit, they agree that "Dynamic DNS is a vital part of the Internet because it allows anyone to have a domain name even though they have a changing IP address." Their accusation is found in the next sentence, "However, if not properly managed, a Dynamic DNS service can be susceptible to abuse."

The lawsuit points out that in April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse. In that study, On the Trail of Malicious Dynamic DNS Domains by my friend Dhia Mahjoub, OpenDNS collected resolutions of various Dynamic DNS domains and concluded that during the study period some domains, such as "hopto.org", were used for malicious purposes as often as 56% of the time! Other highly malicious base domains included:

hopto.org - 56.71%
us.to - 49.45%
myftp.org - 37.50%
myvnc.com - 33.33%
myftp.biz - 20.20%
dlinkddns.com - 12.22%
no-ip.info - 10.70%
no-ip.org - 4.57%
The lawsuit also discusses Symantec's reporting about the malware being used on No-IP. One such Symantec report is: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. (Microsoft doesn't really mention that basically NOBODY calls the malware Bladabindi except Microsoft. Just call it njRAT like everyone else, please!) In that report, from March 2014, Symantec mentions one particular group that infects as many as 4500 computers per day using their C&C servers at njratmoony.no-ip.biz and nrj.no-ip.biz.

This blogger confirmed firsthand the complaint made by No-IP themselves. Although Microsoft was supposedly going to ensure that "legitimate" No-IP customers were not impacted, for a significant part of the day on June 30, 2014, large portions of the Internet (including three Linux servers that this blogger uses on three separate networks) had no idea how to find the No-IP domains. The nameservers were not propagated in such a way that the changes were seamless. No-IP's Formal Statement on Microsoft Takedown can be found on their website. In that statement, No-IP claims that "billions of queries" from "millions of innocent users" were dropped "because of Microsoft's attempt to remediate hostnames associated with a few bad actors" and implies that Microsoft did not dedicate enough resources to handle the traffic.

The primary purpose of the court orders was in fact to allow Microsoft to take matters into their own hands and filter the traffic for 130 pages' worth (more than 18,000 3LDs) of hostnames that were hosted by No-IP and were associated with criminal activity and malware, primarily related to the two RATs, njRAT and H-Worm.

Of course on the other side of that is the fact that Microsoft documents that in the past twelve months MORE THAN SEVEN MILLION WINDOWS USERS were impacted by malware hosted on No-IP domains! If someone's infrastructure is routinely abused to harm seven million of your customers, don't you have a right to do something about it? While No-IP can claim that they have an active abuse desk that deals with these complaints, dozens of criminal tutorials would not recommend hosting your malware on a No-IP address, and many such addresses would not have lived on consistent names for MANY MONTHS (as with the names mentioned in the Symantec link above), unless there was a clear pattern of NOT terminating offending 3LDs (third-level domains).

Cisco's fabulous cybercrime fighter, Levi Gundert, who I first worked with while he was working on the LA Electronic Crimes Task Force, as one of the most effective U.S. Secret Service cybercrime agents, and who later worked for Team Cymru, recently wrote a piece for Cisco's blog on Dynamic Detection of Malicious DDNS. Levi says that Free DDNS services "check all of the necessary attack boxes" that make the service desirable for criminals. As he explains:

Free DDNS services, by comparison, check all of the necessary attack boxes. Sub-domains can be quickly and easily generated and DNS records are trivially changed. For the remote access Trojan (RAT) crowd that are typically attempting to spy on female victims and running servers from home, DDNS is a natural fit. In fact, searching the web for tutorials on using freely available RATs like Black Shades, Dark Comet, or Poison Ivy returns results that all instruct RAT attackers to first create DDNS sub-domains in order to properly configure the RAT, specifically enabling a “back connect” to the attacker. Naturally, one segment of RAT users tend to be less technical, relying on tutorials and point and click interfaces to actually launch the RAT, which likely contributes significantly to the overall metrics of malicious DDNS use.

Levi provides the following graph showing how often Cisco's Cloud Web Security blocks Dynamic DNS third-level domains based on the reputation of that service:


(source: blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)

zapto.org, one of the No-IP domains, is blocked 100% of the time by users of Cisco's Cloud Web Security. no-ip.info, no-ip.org, and no-ip.biz are also all blocked between 50% and 100% of the time based on reputation. Levi next goes on to ask, across all the DDNS base domains, "what do the corresponding malware numbers look like for the DDNS domains most abused by threat actors?"


(source: blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)

Even after such widespread and published reports of No-IP being used for malware abuse, Microsoft observed no significant change in No-IP's abuse practices, based on the malware analysis they performed. Following the February 2014 Cisco report, Microsoft "continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP."

But that doesn't mean No-IP is not responsive. Brian Krebs reported on this conflict in his article today, Microsoft Darkens 4mm Sites in Malware Fight, where he quotes No-IP's Natalie Gogun as saying that of the 18,000 sites mentioned in the Temporary Restraining Order, only about 2,000 of them were actually still live. Krebs quotes Crowdstrike's Dmitri Alperovitch mentioning that No-IP has always been very responsive, and I've seen the same. In fact, immediately following the Cisco blog above, a member of the No-IP security team was observed by this blogger on a security researcher mailing list asking if anyone could help him get the full list so he could make sure they killed all of the domain names mentioned. (Hi, Kurt!)

The problem here may be the nature of the malware used on these sites. While the security community regularly sees and reports on financial crimes malware, such as Zeus, or malware that has significant and widespread distribution, in most cases njRAT No-IP domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams. In fact, in a review of more than 1800 recent URLs associated with delivering financial crimes malware observed by Malcovery Security's T3 product, NONE of the No-IP domains were seen to be used. Financial crime malware does not seem to be heavily associated with No-IP. While njRAT certainly has the capability to be used for more significant crimes (including installing any additional malware desired by the criminals, and famously being used by the Syrian government to spy on the rebels), its primary reputation is as a tool for online perverts. Their typical victims tend to lack the Internet savvy that allows corporate, industry, and government malware victims to report malware victimization to No-IP and receive a response. Sophisticated financial crimes malware criminals are very unlikely to link their malware back to dynamic DNS hosts that they personally control and are much more likely to use "more permanent" hosting in the form of hacked or leased servers.

The Microsoft complaint mentions YouTube, and we were able to quickly find many similar njRAT tutorials. There were also njRAT groups hosted on Facebook where botmasters were openly trading photographs of victims and offering to "trade slaves" (as they refer to the pretty girls whose webcams they control.) We reported three such groups to Facebook Security who took quick action to kill the groups which had a combined membership of more than 16,000 users!

Some examples of these creeps' work might help illustrate the type of crimes committed by the typical njRat botmaster:

Farid shows a screenshot boasting of 200 simultaneously online njRAT victims.

Farid frequently posts photos of his conquests:

Others do the same:

Here's the Before and After of Farid's njrat group . . .

and after we reported the group to Facebook Security . . .

Conclusions?

I can't really take sides on this one. Do we need to do something more to help the victims of this kind of malware? Absolutely. Was it necessary to seize 22 domains at No-IP? I can't argue with Microsoft wanting to prevent infections to more than 7 million Windows victims, but I certainly can understand the great frustration experienced by the No-IP folks.


Disk57.com, Cutwail, and Tearing Down Offending Infrastructure

Sometimes I am so impressed by the things my employees at Malcovery discover as they work through the various email-based threats we process and report about for our customers. Brendan, Wayne, and J evaluate and document hundreds of malware threats each week from our Spam Data Mine and because of their daily interactions with so much malware notice patterns that others miss. I've been asking them to be especially mindful of what the Cutwail spammers are moving to next as the GameOver Zeus era moves to a close, and Brendan did a great job of covering that over on the Malcovery Blog in the article How Spammers Are Filling the Gameover Zeus Void.

June 16 - Disk57.com first sighted

On June 16, 2014, Brendan and the team noticed three malware-distribution spam campaigns that were all pushing the same malware. The email subjects were:

Subject: USPS - Missed package delivery
Subject: You have received a new fax
Subject: Scanned Image from a Xerox WorkCentre

The files attached to those messages included:

USPS1758369.zip - (22,331 bytes) - MD5: 73c4758a84c4a0e24e4f34db69584d26
(VirusTotal results at report time: 3/54)

Scan.zip - (22,329 bytes) - MD5: cbfb3f1e40b30d01f4dda656d7f576e7
(VirusTotal results at report time: 3/54)

IncomingFax.zip - 22,329 bytes - MD5: 048dcc8c9639d2e8ccea362fdb5f7d3e
(VirusTotal results at report time: 3/54)

All three of those .zip files contained the same binary, with the varying names, USPS06162014.scr, Scan.scr, and IncomingFax.scr.

(40,960 bytes) - MD5: 36e264de2cb3321756a511f6c90510f5

(VirusTotal results at report time: 0/54)

By a week later, the detection rate was up to 38 of 46 AV products detecting this as malware, but at the time of the spam campaign, only Sophos and K7 had signature-based detection for the malware, though some vendors may have offered other types of protection.

Whichever of the three versions you downloaded, the SCR file was actually a PE-executable which would contact the site "disk57.com" in order to "check in" by hitting the file "gate.php" on that server. The Ukrainian server in question, 188.190.117.93, (AS197145, Kharkiv Infium LLC) had been seen previously communicating with malware on March 26 and March 27 using the domain name "malidini.com".

The registry was modified so that a copy of the .scr file (now named as an .exe) would be executed on the next start up due to a Policy statement located in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\818107311"

This resulted in the download of a 7200 byte ".mod" file.

More Disk57.com sightings

Disk57.com was also used as part of the malware infrastructure for malware samples distributed by the following spam campaigns:


June 16 - Wells Fargo
June 17 - USPS
June 18 - HSBC
June 18 - Xerox
June 18 - New Fax
June 30 - HSBC - Subject: Avis de Paiement
June 30 - New Fax - Subject: You have received a new fax message
June 30 - Scanned Document - Subject: Scan de
July 1 - BanquePopulaire
July 1 - French government
July 3 - Xerox
July 3 - UPS
July 3 - Wells Fargo
On June 30th, we saw the same technique used as in the June 16th campaigns. Three different .zip files, each containing a .scr file that was named differently, but where all samples had the same MD5 hash (MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43 - VirusTotal detection 11/54 at report time.)

As on June 16th, executing the .scr file resulted in an exchange with the "gate.php" file on disk57.com (188.190.117.93), after which a 7200 byte ".mod" file was downloaded.

On June 30th, however, this exchange resulted in a copy of the Cutwail binary, b02.exe, being downloaded from jasongraber.com on the path /css/b02.exe. (IP 192.64.181.14). b02.exe had a file size of 41,472 bytes - MD5: 84822121b11cce3c8a75f27c1493c6bb with a VirusTotal report of 2/54 at report time.

Upatre Updated

On July 3rd, spam campaigns imitating Xerox, UPS, and Wells Fargo used this same technique again with email subjects:

Subject: Scan from a Xerox WorkCentre - seen 1209 times by Malcovery
Subject: New Fax: # pages - seen 288 times by Malcovery
Subject: IMPORTANT - Confidential documents - seen 88 times by Malcovery
Subject: UPS - Credit Card Billing Adjustment. Ref#(random) - seen 178 times by Malcovery

1,941 messages were sent to our Spam Data Mine from 1,037 different sending IP addresses.

The .zip files still contained .scr files that were all the same file size (23,040 bytes) MD5: 870c63c4420b6f187066a94ef6c56dc6 - VirusTotal report: 1/53 at report time.

However this time there were three very different URLs downloaded as a result of the initial click. The downloaded malware behaved almost exactly like the UPATRE samples that were used to distribute the encrypted version of GameOver Zeus that we wrote about back in February. (See: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.)

UPATRE Update

The UPATRE malware that was signature-detected only by Sophos (under the useful name Mal/Generic-S) on July 3rd now has 43 detections at VirusTotal, although most are crap as usual with regard to the usefulness of the names chosen by the vendors: Zbot.LDQ and Trojan/Win32.Zbot (but it clearly isn't Zeus; it's just a tiny downloader, which is what several vendors call it: Trojan.Win32.Tiny.bNKP). Several other vendors call it Ransomware or Crypto-something-or-other (Trojan-Ransom.Win32.Cryptodef.oq, Win32/Ransom.ABOQAMB, TROJ_CRYPWALL.JER, Trojan.Win32.A.Cryptodef.23040). Only Microsoft called it Upatre (TrojanDownloader:Win32/Upatre.AA), although that is clearly the consensus of the AV analysts we have discussed the sample with. In this case the job of UPATRE is to download files that CLAIM to be PDF files, "convert/unpack/decrypt" them into .exe files, and then launch those .EXE files.

Three touches to the OVH (AS16276) IP address 94.23.247.202 resulted in three so-called PDF files being downloaded from repele.net on IP address 82.220.34.132, each with the name "css/agreement.pdf". UPATRE did its magic, converting each of these files into another binary executable:

agreement.pdf = 131,173 bytes - MD5: 354283b80cc9e63d872475175d20f14d

(became CryptoWall encryption ransomware; in our case, named 09acd07.exe and located in a directory 09acd07 - 183,296 bytes - MD5: 6238af3e78f3316ea5f0192cb8cf3167 - VirusTotal reports detection of 14/53 at report time)

This binary made connections to three C&C servers:
- vivatsaultppc.com - 194.58.101.96 in Russia (AS39134)
- bolizarsospos.com - 194.58.101.3 in Russia (AS39134)
- covermontislol.com - 31.31.204.59 in Russia (AS12695)

After encrypting files, the victim is shown the following text, with a timer counting down from 168 hours:

Your files are encrypted. To get the key to decrypt the files you have to pay 750 USD/EUR. If payment is not made before 10/07/14 - 15:37 the cost of decrypting files will increase 2 times and will be 1500 USD/EUR

(Other files found in that subdirectory included, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and DECRYPT_INSTRUCTION.URL.)

agreement-2.pdf = 51,266 bytes - MD5: 06a16a7701c748467a0b8bc79feb7f35

(became Cutwail spamming botnet malware, mshvsk.exe (random file name) - 39,936 bytes - MD5: c1cc8b5eaf7f25449cfda0c6cd98b553 - VirusTotal reports detection of 1/54 at report time)

This binary then began communications to seven separate C&C servers:
- 91.217.90.125 in Russia (AS48031)
- 93.171.172.129 in Russia (AS29182)
- 93.170.104.81 in Netherlands (AS50245)
- 148.251.94.182 in Germany (AS24940)
- 91.237.198.93 in Russia (AS198681)
- 91.234.33.125 in Ukraine (AS56485)
- 91.221.36.184 in Russia (AS51724 - FLYNET)

agreement-3.pdf = 27,811 bytes - MD5: 19a1986f6fd0f243b02bba6cb77e9522

(became Andromeda botnet malware: gqxse.exe (random file name) - 23,150 bytes - MD5: 8e6c9e794739e67969c6f81a5786d9e7 - VirusTotal reports detection of 0/54)

This binary then called out to disk57.com / gate.php.

What to do?

First and foremost, we need to get rid of Cutwail. This will be difficult as Russia continues to harbor their cyber criminals, allow them to bribe themselves out of prison and into government offices and contracts, and seems to treat their rampant theft of American and European wealth as a form of Economic Development.

In the meantime, we need to begin smashing their infrastructure at every chance we can get. Seize the hardware if we can, disable the routing of the traffic if we can't, and DEFINITELY block that infrastructure within our homes and companies!

Do yourself and your company a favor by sharing a link to this blog and recommending that your IT Security staff block the addresses shared above. If you live in a country where you can help, please do so!

E-ZPass Spam leads to Location Aware Malware

If you drive in a city with toll roads, you are familiar with the E-Z Pass System. If you are, you may have been tempted to click on an email that looked like this:
A quick search in the Malcovery Security Spam Data Mine revealed these related emails:


date | subject | sender_name
------------+---------------------------------------+---------------------------------
2014-07-08 | In arrears for driving on toll road | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road | E-ZPass Info
2014-07-08 | In arrears for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road | E-ZPass Info
2014-07-08 | Indebted for driving on toll road | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
2014-07-08 | Payment for driving on toll road | E-ZPass Info
But the destination websites are certainly not on E-Z Pass's domains!

When we visit one of the URLs, we are prompted to download a .zip file, containing a .exe file.

Both are conveniently named for the City and ZIP Code from which we are connected.

For example:

When we run this malware, it attempts to make contact with the following C&C locations:


76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080
At Malcovery Security, we've been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, CostCo, and BestBuy over the holidays and that sent the Court Related Malware through the early months of 2014.

Whatever it wants to do next, it must do very quietly. Perhaps I'm in the wrong ZIP code for the next steps?

Roman Seleznev (AKA Bulba, AKA Track2, AKA NCUX) appears in US Court in Guam

The media is buzzing about the arrest of hacker and stolen credit card vendor Roman Seleznev, who has appeared in court in the US territory of Guam after being arrested in the Maldives. The story is growing into an international diplomatic spat, as a Russian politician and member of the Duma, Valery Seleznev, is the father of the cyber criminal. In a statement from the Russian Foreign Ministry, the Russians accuse the Maldives of ignoring their Bilateral Treaty of 1999 on Mutual Assistance in Criminal Matters. The statement says this is the third recent case of a similar situation, citing the examples of Viktor Bout and K.V. Yaroshenko as other recent cases where the US has forcibly taken a Russian citizen from a third country to stand trial in the United States. I strongly agree with the statement at the close of their statement, where they "strongly encourage our countrymen to pay attention to the cautions posted by the Russian Foreign Ministry on their website about the risks associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can charge them with any crime."

Who are these others who are mentioned? Viktor Bout (Виктор Анатольевич Бут) was arrested in Thailand in 2008 and extradited in 2010 to stand trial on terrorism charges for delivering anti-aircraft missiles to FARC in Colombia. He was convicted by a jury in Manhattan. (More from The Guardian.) Konstantin Yaroshenko was arrested in May 2010 in Liberia as a cocaine-smuggling pilot when he landed his plane in Monrovia, Liberia, and was arrested by the DEA as he tried to negotiate a contract for $4.5 million to deliver 5 tons of cocaine from Colombia to West Africa. Yaroshenko was knowingly working with smugglers who were raising funds for the Colombian terror group FARC. (See Superseding Indictment.)

While I wouldn't put Seleznev on the same scale as Bout and Yaroshenko, he is definitely not small potatoes either. We wrote about Seleznev as part of the RICO racketeering case against the owners and operators of the Carder.su website. (See The Carder.su indictment: United States v. Kilobit et. al.) but that was only the first part of Seleznev's trouble.

In the Kilobit indictment, the charges are that Seleznev did "Participate in a Racketeer Influenced Corrupt Organization [RICO]" and "Participated in a Conspiracy to Engage in a Racketeer Influenced Corrupt Organization."

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of counterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere."

The important thing to understand about RICO is that as PART OF THE CORRUPT ORGANIZATION all of the charged members are sentenced as if the whole group did all of the crimes.

What does that mean to Seleznev? In Las Vegas, Nevada, Seleznev is being charged with being part of a RICO group that is credited with directly causing, in actual measured and aggregated fraudulent transaction losses, $50,893,166.35!!

But before Vegas gets their hands on him, Seleznev will face charges in the Western District of Washington for Case # 2:11-cr-0070-RAJ-1.

In that case, Roman Seleznev, AKA TRACK2, AKA Roman Ivanov, AKA Ruben Samvelich, AKA nCuX, AKA Bulba, AKA bandysli64, AKA smaus, AKA Zagreb, AKA shmak is charged with:


(Counts 1-5) Bank Fraud 18:1344 & 2
(6-13) Intentional Damage to a Protected Computer 18:1030(a)(5)(A) & 1030(c)(4)(B)(i) & 2
(14-21) Obtaining Information From a Protected Computer 18:1030(a)(2) & 1030(c)(2)(ii) & 2
(22) Possession of Fifteen or More Unauthorized Access Devices 18:1029(a)(3) & 1029(c)(1)(A)(i) & 2
(23-24) Trafficking in Unauthorized Access Devices 18:1029(a)(2) & 1029(c)(1)(A)(i) & 2
(25-29) Aggravated Identity Theft 18:1028(a)(1) & 2
This 27 page indictment, filed March 3, 2011, was just unsealed on July 6, 2014 when Seleznev appeared in court in Guam.

Washington charges that Seleznev "knowingly and willfully devised and executed and aided and abetted a scheme and artifice to defraud various financial institutions, including, but not limited to, Boeing Employees' Credit Union, Chase Bank, Capital One, Citibank, and Keybank, and to obtain moneys, funds, and credits under the custody and control of the banks by means of material false and fraudulent pretenses, representations and promises, as further described below."

Seleznev would:

  1. hack into retail businesses,
  2. install malicious computer code onto those hacked computers,
  3. and use the malware to steal credit card numbers from the victim businesses' customers
  4. market and sell the stolen credit card numbers on "criminally inspired" websites
  5. thus allowing these cards and the associated accounts to be used for fraudulent purposes by the customers of his service.
Seleznev's malware was primarily controlled from a server named shmak.fvds.ru or smaus.fvds.ru at the IP address 188.120.225.66. A collection of malware was found at the root of that website, including malware named shmak, shmak2, kameo, hameo, zameo, dtc, dtc2, dtc4, rsca, remcomsvc, and others.

Seleznev's websites for selling cards were primarily bulba.cc, secure.bulba.cc, Track2.name, and secure.Track2.name.

The targeted businesses usually had several "point of sale" terminals "up front" and a "back of the house computer" which may have been a server or perhaps even just the manager's computer.

Some of Seleznev's victims included:

The Broadway Grill - 32,000 unique credit card numbers from Dec 1, 2009 to Oct 22, 2010

Grand Central Baking Company in Seattle, WA

four Mad Pizza restaurants (three in Seattle, one in Tukwila, WA)

Village Pizza in Anacortes, WA

Casa Mia Italian in Yelm, WA.

Schlotsky's Deli in Coeur d'Alene, Idaho

Active Networks in Frostburg, MD

Days Jewelry in Waterville, Maine

Latitude Bar and Grill, NY, NY

Mary's Pizza Shack in Sonoma, CA

City News Stand in Chicago and Evanston, IL

Bulba would advertise when he had new cards for sale, claiming as many as 17,000 "Fresh Dumps" (newly stolen and never before used for fraud) cards and offering guarantees, including free card replacement for cards that were declined. Seleznev/Bulba had such high quality, that the owners of the popular crdsu.su and carder.biz allowed Seleznev and others to assume Monopoly status as the preferred card vendors for their boards, which were extremely prevalent in the underground.

According to the newly unsealed indictment, Seleznev personally stole (through his malware) more than 200,000 cards, and successfully sold over 140,000 of those cards through his websites bulba.cc and Track2.name between November 15, 2010 and February 22, 2011, generating direct illicit profits in excess of $2,000,000 USD.

Just the cards stolen by Seleznev at the Broadway Grill have been associated with $79,317 in fraudulent charges, and all of the cards stolen by Seleznev are responsible for actual fraud charges of at least $1,175,217.37.

November 15-16, 2010, $83,490 in charges were made against Boeing Employees Credit Union cards.

Jan 31-Feb 1, 2011, $30,716 in charges against BECU.

Seleznev will have a hearing in Guam on July 22, and then be transferred to the Seattle courts.

New GameOver Zeus Variant uses FastFlux C&C

Over on the Malcovery Security Blog yesterday we covered a new version of GameOver Zeus (see: GameOver Zeus Mutates, Launches Attack ) that was distributed in three spam campaigns on July 10, 2014. At the bottom of that blog post, we're sharing a detailed "T3 Report" by analysts Brendan Griffin and Wayne Snow that gives all the details. In our reporting yesterday we mentioned that the new bot is using a Fast Flux Command & Control structure and that it is using a Domain Generation Algorithm to allow the malware distributed in the spam to locate and connect to the Command & Control servers.

I wanted to geek that a bit deeper for those who want more details on both of those subjects. First, let's look at the Fast Flux.

Fast Flux Command & Controlled Botnet

Fast Flux is a technique that allows a criminal who controls many servers to obfuscate the true location of his server by building a tiered infrastructure.

Sometimes there are additional "tiers" or levels of misdirection. We don't yet know how many layers there are in this newGOZ botnet.



Here's the flow . . .

  1. the newGOZ criminal pays the Cutwail spammers to send out emails to infect new victims
  2. the Cutwail spammer sends out his emails. On July 10th, they were "Essentra Past Due" and emails imitating M&T Bank and NatWest Bank
  3. while many people delete the emails, ignore the emails, or have them blocked by spam, SOME people click on the emails
  4. the ".scr" email attachment infects their computer and starts generating "Domain Generation Algorithm" domains.
  5. each domain is queried for: the bot computers say "Hey, Internet! Does this domain exist?"
  6. on July 10th, cfs50p1je5ljdfs3p7n17odtuw.biz existed ... "the Internet" said "Yes, this exists and NS1.ZAEHROMFUY.IN is the Nameserver that can tell you where it is."
  7. When most nameservers tell the address of a computer, they give a "Time To Live" that says "The answer I'm giving you is probably good for 24 hours" or 2 days, or a week, or whatever. But the Nameserver used in a FastFlux Bot, like, NS1.ZAEHROMFUY.IN, usually gives a "Time To Live" answer that says "The answer I'm giving you is only good for about 5 minutes. After 5 minutes, you need to ask me again in case the address has changed."
  8. NS1.ZAEHROMFUY.IN receives constant updates from "newGOZ Criminal" of servers all over the world (but mostly in Ukraine) that have been hacked. Almost every time you ask the nameserver "Where is the newGOZ domain?" it will give you a different answer.
  9. the "FastFlux C&C" boxes are now running nginx proxy software that says "Whatever you ask me, I will ask the servers at the Evil Lair of newGOZ. Whatever the Evil Lair of newGOZ wants to say, I will pass back to you."
  10. Updates from the Evil Lair get passed back THROUGH the FastFlux Proxy and give the newGOZ bots new malware or commands
  11. All traffic to and from the newGOZ bot, whether it is the bot "checking in" or the criminal pushing an "update" goes through one of the proxies, which are constantly changing.
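The flow above gives a defender two measurable signals: the unusually short TTL in step 7 and the constantly changing, geographically scattered answers in step 8. The script below is an added example, not Malcovery's tooling or anything from the T3 report, showing how to score DNS resolutions for those signals; the DGA name is the one quoted in the post, while the log format, addresses, AS numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Resolution:
    """One DNS answer observed for a queried name (a hypothetical log format)."""
    seen: datetime
    qname: str
    ip: str
    ttl: int   # seconds the resolver was told to cache the answer
    asn: int   # origin AS of the answer IP, as a passive-DNS feed might add


def _t(hhmm: str) -> datetime:
    hh, mm = hhmm.split(":")
    return datetime(2014, 7, 10, int(hh), int(mm))


FLUX_NAME = "cfs50p1je5ljdfs3p7n17odtuw.biz"   # DGA name quoted in the post
CDN_NAME = "static.cdn-example.test"           # constructed: short TTL, one AS
STABLE_NAME = "intranet.corp-example.test"     # constructed: long TTL

# Constructed sample log. Addresses are RFC 5737 documentation ranges and
# the AS numbers are private-use placeholders, not the post's real nodes.
SAMPLE = [
    Resolution(_t("20:37"), FLUX_NAME, "192.0.2.10", 300, 64501),
    Resolution(_t("20:42"), FLUX_NAME, "198.51.100.7", 300, 64502),
    Resolution(_t("20:47"), FLUX_NAME, "203.0.113.99", 300, 64503),
    Resolution(_t("20:52"), FLUX_NAME, "192.0.2.77", 300, 64501),
    Resolution(_t("20:57"), FLUX_NAME, "198.51.100.200", 240, 64504),
    Resolution(_t("21:02"), FLUX_NAME, "203.0.113.5", 300, 64505),
    Resolution(_t("21:07"), FLUX_NAME, "192.0.2.10", 300, 64501),
    # A CDN also hands out short TTLs and rotates addresses, but they all
    # sit in the CDN's own network: a low TTL alone must not raise an alert.
    Resolution(_t("20:37"), CDN_NAME, "203.0.113.40", 60, 64510),
    Resolution(_t("20:42"), CDN_NAME, "203.0.113.41", 60, 64510),
    Resolution(_t("20:47"), CDN_NAME, "203.0.113.42", 60, 64510),
    Resolution(_t("20:52"), CDN_NAME, "203.0.113.43", 60, 64510),
    Resolution(_t("20:57"), CDN_NAME, "203.0.113.44", 60, 64510),
    # A normal corporate name: day-long TTL, addresses rarely change.
    Resolution(_t("20:37"), STABLE_NAME, "192.0.2.1", 86400, 64500),
    Resolution(_t("21:07"), STABLE_NAME, "192.0.2.2", 86400, 64500),
]

# Thresholds modelled on the post: roughly 5 minute TTLs versus a day or
# more for ordinary names, and answers spread across many unrelated networks.
MAX_FLUX_TTL = 600
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_ASNS = 3
MIN_CHANGE_RATE = 0.5


def flux_metrics(records, window=timedelta(hours=1)):
    """Per name: answer count, distinct IPs/ASNs, median TTL and the share of
    consecutive answers whose IP changed, over the most recent `window`."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)
    metrics = {}
    for name, rs in by_name.items():
        rs.sort(key=lambda r: r.seen)
        cutoff = rs[-1].seen - window          # ignore stale answers
        rs = [r for r in rs if r.seen >= cutoff]
        changes = sum(1 for a, b in zip(rs, rs[1:]) if a.ip != b.ip)
        metrics[name] = {
            "answers": len(rs),
            "distinct_ips": len({r.ip for r in rs}),
            "distinct_asns": len({r.asn for r in rs}),
            "median_ttl": median(r.ttl for r in rs),
            "change_rate": changes / (len(rs) - 1) if len(rs) > 1 else 0.0,
        }
    return metrics


def is_fast_flux(m) -> bool:
    """All four signals must agree; any one alone has benign explanations."""
    return (m["median_ttl"] <= MAX_FLUX_TTL
            and m["distinct_ips"] >= MIN_DISTINCT_IPS
            and m["distinct_asns"] >= MIN_DISTINCT_ASNS
            and m["change_rate"] >= MIN_CHANGE_RATE)


def classify(records):
    """Map each queried name to 'fast-flux' or 'stable'."""
    return {name: ("fast-flux" if is_fast_flux(m) else "stable")
            for name, m in flux_metrics(records).items()}


if __name__ == "__main__":
    verdicts = classify(SAMPLE)
    for name, m in flux_metrics(SAMPLE).items():
        print(f"{name:35s} {verdicts[name]:9s} {m}")
```

On real passive-DNS data the ASN column has to be filled in from a routing table or a whois feed first; without it the CDN case cannot be told apart from flux.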

Fast Flux newGOZ resolutions

All of the servers (or workstations) in this table were used as Fast Flux C&C nodes last night by the newGOZ botnet. We'll keep tracking this with friends from ShadowServer, DissectCyber.com and others and sharing this information with our trusted partners, but I wanted to throw out this example. If you have the ability to look at "Net Flow" for any of these computers, you may be able to help us locate "The Evil Lair of the newGOZ Criminal." (Which sounds like a lot more fun than just looking at packet dumps, doesn't it? Sorry, this isn't my job, it is my passion. Geeks have to convince themselves they are Fighting Evil or we would get bored.) The first GOZ enabled the theft of $100 Million or so; for more, see as an example Crooks Seek Revival of GameOver Zeus Botnet, where Brian even shares the FBI Wanted Poster of the guy who is thought to be behind Zeus.

2014-07-10 23:09:00-05 78.109.46.210 78.109.46.0/24 SIBRON-AS Closed Joint Stock Company COMSTAR-Regiony,RU 13155 RU ripencc
2014-07-10 23:09:00-05 80.70.71.41 80.70.64.0/20 ENERGYTEL Energytel LLC,UA 51317 UA ripencc
2014-07-10 23:27:45-05 71.75.52.101 71.75.0.0/16 SCRR-11426 - Time Warner Cable Internet LLC,US 11426 US arin
2014-07-10 23:27:45-05 176.8.72.36 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:27:45-05 178.74.214.94 178.74.192.0/18 EVEREST-AS _Everest_ Broadcasting Company Ltd,UA 49223 UA ripencc
2014-07-10 23:27:45-05 178.141.9.72 178.141.0.0/16 MTS-KRV-AS MTS OJSC,RU 44677 RU ripencc
2014-07-10 23:27:45-05 188.230.87.17 188.230.80.0/21 ABUA-AS LLC AB Ukraine,UA 43266 UA ripencc
2014-07-10 23:27:45-05 37.229.79.59 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:27:45-05 62.16.38.131 62.16.32.0/19 FPIC-AS CJSC _COMSTAR-regions_,RU 15640 RU ripencc
2014-07-10 23:49:05-05 176.113.227.109 176.113.224.0/19 LUGANET-AS ARTA Ltd,UA 39728 UA ripencc
2014-07-10 23:49:05-05 193.106.184.92 193.106.184.0/22 BOSPOR-AS Bospor-Telecom LLC,UA 42238 UA ripencc
2014-07-10 23:49:05-05 46.172.231.154 46.172.224.0/19 TOPHOST-AS SPD Kurilov Sergiy Oleksandrovich,UA 45043 UA ripencc
2014-07-10 23:49:05-05 74.129.235.88 74.128.0.0/12 SCRR-10796 - Time Warner Cable Internet LLC,US 10796 US arin
2014-07-10 23:49:05-05 77.121.129.181 77.121.128.0/21 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-10 23:49:05-05 78.27.159.112 78.27.128.0/18 DOMASHKA-AS Domashnya Merezha LLC,UA 15683 UA ripencc
2014-07-10 23:49:05-05 91.196.55.7 91.196.52.0/22 KOMITEX-AS PP KOM i TEX,UA 30886 UA ripencc
2014-07-10 23:49:06-05 94.153.23.170 94.153.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-10 23:49:06-05 109.87.222.148 109.87.222.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:07:17-05 178.215.178.112 178.215.176.0/20 FENIXVT-AS Private Enterprise Firma Fenix VT,RU 39399 UA ripencc
2014-07-11 00:07:19-05 195.90.130.19 195.90.128.0/18 ROSNET-AS OJSC Rostelecom,RU 6863 RU ripencc
2014-07-11 00:07:19-05 37.25.118.55 37.25.96.0/19 WILDPARK-AS ISP WildPark, Ukraine, Nikolaev,UA 31272 UA ripencc
2014-07-11 00:07:19-05 37.229.215.18 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 00:07:19-05 87.244.34.238 87.244.32.0/21 SUNLINK-AS Sunlink Telecom ISP, Tula, Russia,RU 35401 RU ripencc
2014-07-11 00:07:19-05 91.219.233.40 91.219.232.0/22 REALWEB-AS Private Enterprise RealWeb,UA 41161 UA ripencc
2014-07-11 00:07:20-05 173.95.149.72 173.92.0.0/14 SCRR-11426 - Time Warner Cable Internet LLC,US 11426 US arin
2014-07-11 00:07:20-05 178.150.221.2 178.150.220.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:07:20-05 178.151.165.182 178.151.165.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:28:03-05 109.87.42.122 109.87.40.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 00:28:04-05 109.200.228.156 109.200.224.0/19 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 00:28:04-05 31.135.226.91 31.135.224.0/20 TRYTECH-AS Trytech Ltd.,RU 44056 RU ripencc
2014-07-11 00:28:04-05 46.172.145.109 46.172.128.0/19 UTEAM-AS Uteam LTD,UA 49125 UA ripencc
2014-07-11 00:49:18-05 109.229.198.37 109.229.192.0/19 PRONET_LV SIA _PRONETS_,LV 43075 LV ripencc
2014-07-11 00:49:20-05 178.165.98.17 178.165.64.0/18 CITYNET-AS Maxnet Autonomous System,UA 34700 UA ripencc
2014-07-11 00:49:20-05 195.114.145.69 195.114.144.0/20 DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA 21219 UA ripencc
2014-07-11 00:49:20-05 5.58.15.61 5.58.0.0/18 NOLAN-AS Lanet Network Ltd,UA 43120 UA ripencc
2014-07-11 00:49:20-05 46.147.186.225 46.147.184.0/22 NEOLINK CJSC _ER-Telecom Holding_,RU 34590 RU ripencc
2014-07-11 00:49:20-05 46.219.50.56 46.219.50.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 00:49:20-05 89.185.24.218 89.185.24.0/21 TVCOM-AS TVCOM Ltd.,UA 34092 UA ripencc
2014-07-11 00:49:20-05 94.158.73.89 94.158.64.0/20 BIGNET-AS PE Yuri Stanislavovich Demenin,UA 43668 UA ripencc
2014-07-11 00:49:20-05 95.47.151.247 95.47.148.0/22 TKS-AS Sumski Telecom Systems Ltd,UA 41967 CZ ripencc
2014-07-11 01:09:51-05 71.227.196.156 71.227.128.0/17 COMCAST-33650 - Comcast Cable Communications, Inc.,US 33650 US arin
2014-07-11 01:09:52-05 87.224.164.135 87.224.128.0/17 TELENET-AS OJSC Rostelecom,RU 35154 RU ripencc
2014-07-11 01:09:52-05 93.127.60.17 93.127.60.0/23 ALKAR-AS PRIVATE JOINT-STOCK COMPANY _FARLEP-INVEST_,RU 6703 UA ripencc
2014-07-11 01:09:52-05 109.227.127.25 109.227.96.0/19 MCLAUT-AS LLC _McLaut-Invest_,UA 25133 UA ripencc
2014-07-11 01:09:52-05 178.151.9.221 178.151.9.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:09:52-05 178.151.154.233 178.151.154.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:09:52-05 194.187.108.182 194.187.108.0/22 TERABIT TERABIT LLC,UA 29491 UA ripencc
2014-07-11 01:09:52-05 37.229.149.148 37.229.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:09:52-05 46.118.151.246 46.118.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:09:52-05 46.219.77.143 46.219.77.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 01:28:30-05 178.137.232.234 178.137.128.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:28:31-05 178.150.177.83 178.150.176.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:28:31-05 178.151.14.223 178.151.14.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:28:31-05 178.151.227.102 178.151.227.0/24 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:28:31-05 188.231.170.228 188.231.170.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 01:28:31-05 5.34.112.211 5.34.0.0/17 SATELCOM-AS SA-Telcom LLP,KZ 35566 KZ ripencc
2014-07-11 01:28:31-05 46.56.64.196 46.56.64.0/19 MTSBY-AS Mobile TeleSystems JLLC,BY 25106 BY ripencc
2014-07-11 01:28:31-05 46.173.171.188 46.173.168.0/22 BEREZHANY-AS Galitski Telekommunications Ltd,UA 49183 UA ripencc
2014-07-11 01:28:31-05 176.215.86.177 176.215.84.0/22 KRSK-AS CJSC _ER-Telecom Holding_,RU 50544 RU ripencc
2014-07-11 01:49:53-05 31.202.226.233 31.202.224.0/22 FORMAT-TV-AS MSP Format Ltd.,UA 6712 UA ripencc
2014-07-11 01:49:53-05 46.33.59.6 46.33.56.0/22 BLACKSEA TV Company _Black Sea_ Ltd,UA 31593 UA ripencc
2014-07-11 01:49:53-05 46.149.179.87 46.149.179.0/24 ISP-KIM-NET Kalush Information Network LTD,UA 197522 UA ripencc
2014-07-11 01:49:53-05 82.112.53.75 82.112.32.0/19 KTEL-AS K Telecom Ltd.,RU 48642 RU ripencc
2014-07-11 01:49:53-05 95.133.181.160 95.133.128.0/18 UKRTELNET JSC UKRTELECOM,UA 6849 UA ripencc
2014-07-11 01:49:53-05 109.86.112.170 109.86.112.0/22 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:49:53-05 124.197.73.68 124.197.64.0/18 MOBILEONELTD-AS-AP MobileOne Ltd. Mobile/Internet Service Provider Singapore,SG 4773 SG apnic
2014-07-11 01:49:54-05 178.137.97.155 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:49:54-05 217.112.220.202 217.112.208.0/20 TELEPORTSV PrivateJSC DataGroup,UA 15785 UA ripencc
2014-07-11 02:08:05-05 94.76.127.113 94.76.127.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 02:08:05-05 213.231.6.9 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 02:08:05-05 37.57.203.171 37.57.200.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 02:29:13-05 31.40.33.46 31.40.32.0/19 GORSET-AS Gorodskaya Set Ltd.,RU 49776 RU ripencc
2014-07-11 02:29:13-05 37.53.73.152 37.52.0.0/14 6849 6877 UA ripencc
2014-07-11 02:29:14-05 46.119.213.230 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 02:29:14-05 46.175.73.188 46.175.64.0/20 MEDIANA-AS Mediana ltd.,UA 56347 UA ripencc
2014-07-11 02:29:14-05 176.73.87.120 176.73.0.0/17 CAUCASUS-CABLE-SYSTEM Caucasus Online Ltd.,GE 20771 GE ripencc
2014-07-11 02:29:14-05 178.219.91.40 178.219.90.0/23 ASDNEPRONET Dnepronet Ltd.,UA 51069 UA ripencc
2014-07-11 02:29:14-05 185.14.102.108 185.14.102.0/24 ORBITA-PLUS-AS ORBITA-PLUS Autonomous System,KZ 21299 KZ ripencc
2014-07-11 02:29:14-05 195.225.147.101 195.225.144.0/22 UA-LINK-AS NPF LINK Ltd.,UA 34359 UA ripencc
2014-07-11 02:50:03-05 46.150.74.97 46.150.64.0/19 VIVANET-AS Vivanet Ltd,UA 44728 UA ripencc
2014-07-11 02:50:04-05 46.150.91.162 46.150.64.0/19 VIVANET-AS Vivanet Ltd,UA 44728 UA ripencc
2014-07-11 02:50:04-05 76.14.215.195 76.14.192.0/18 WAVE-CABLE - Wave Broadband,US 32107 US arin
2014-07-11 02:50:04-05 82.193.220.254 82.193.192.0/19 VODATEL-AS Metronet telekomunikacije d.d.,HR 25528 HR ripencc
2014-07-11 02:50:04-05 178.136.227.61 178.136.226.0/23 ALKAR-AS PRIVATE JOINT-STOCK COMPANY _FARLEP-INVEST_,RU 6703 UA ripencc
2014-07-11 02:50:04-05 178.137.69.209 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 02:50:04-05 194.28.176.201 194.28.176.0/22 KUZNETSOVSK-AS FOP Chaika Nadija Jakivna,UA 197073 UA ripencc
2014-07-11 02:50:04-05 212.87.183.197 212.87.160.0/19 EDN-AS Online Technologies LTD,UA 45025 UA ripencc
2014-07-11 02:50:04-05 213.231.12.80 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 02:50:04-05 46.119.175.13 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:09:01-05 46.33.50.175 46.33.48.0/21 LIS Telecompany LiS LTD,UA 35588 UA ripencc
2014-07-11 03:09:04-05 46.98.237.27 46.98.0.0/16 FREGAT-AS ISP _Fregat_ Ltd.,UA 15377 UA ripencc
2014-07-11 03:09:04-05 46.185.73.100 46.185.64.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:09:04-05 79.164.171.236 79.164.0.0/16 CNT-AS OJSC Central telegraph,RU 8615 RU ripencc
2014-07-11 03:09:04-05 91.244.137.151 91.244.128.0/20 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 03:09:05-05 109.86.234.51 109.86.232.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 03:09:05-05 109.207.121.193 109.207.112.0/20 TELELAN-AS Teleradiocompany TeleLan LLC,UA 196740 UA ripencc
2014-07-11 03:09:05-05 176.108.235.203 176.108.232.0/22 SKM-AS PE Yaremenko O.V.,UA 39422 UA ripencc
2014-07-11 03:09:05-05 193.106.82.45 193.106.80.0/22 DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA 21219 UA ripencc
2014-07-11 03:09:05-05 31.129.65.152 31.129.64.0/19 ASDNEPRONET Dnepronet Ltd.,UA 51069 UA ripencc
2014-07-11 03:09:05-05 37.232.181.13 37.232.160.0/19 INTERNET-CENTER-AS Net By Net Holding LLC,RU 42420 RU ripencc
2014-07-11 03:29:59-05 109.201.240.84 109.201.224.0/19 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 03:30:00-05 141.101.11.69 141.101.0.0/19 WILDPARK-AS ISP WildPark, Ukraine, Nikolaev,UA 31272 UA ripencc
2014-07-11 03:30:00-05 188.230.1.99 188.230.0.0/21 ABUA-AS LLC AB Ukraine,UA 43266 UA ripencc
2014-07-11 03:30:01-05 46.119.134.13 46.118.0.0/15 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:30:01-05 77.79.140.237 77.79.128.0/18 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-11 03:30:01-05 77.121.125.112 77.121.96.0/19 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 03:30:01-05 77.123.241.141 77.123.224.0/19 IVC IVC-Donbass Ltd,UA 48169 UA ripencc
2014-07-11 03:48:03-05 213.231.4.163 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 03:48:03-05 5.248.133.146 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:48:03-05 81.163.136.160 81.163.128.0/19 DIDAN-AS Didan Group LTD,UA 47694 UA ripencc
2014-07-11 03:48:03-05 91.244.232.200 91.244.232.0/22 VITA-AS Teleradiokompaniya Vizit-A Limited Liability Company,UA 197175 UA ripencc
2014-07-11 03:48:03-05 176.112.17.229 176.112.0.0/19 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-11 03:48:03-05 176.124.1.31 176.124.0.0/19 DIDAN-AS Didan Group LTD,UA 47694 UA ripencc
2014-07-11 03:48:03-05 193.93.238.13 193.93.236.0/22 STAVSET-AS Kvartal Plus Ltd,RU 49325 RU ripencc
2014-07-11 04:09:03-05 46.118.136.44 46.118.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 46.172.128.249 46.172.128.0/19 UTEAM-AS Uteam LTD,UA 49125 UA ripencc
2014-07-11 04:09:05-05 94.41.219.215 94.41.192.0/18 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-11 04:09:05-05 109.162.59.249 109.162.0.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 178.45.188.246 178.45.160.0/19 OJSC Rostelecom,RU 15500 RU ripencc
2014-07-11 04:09:05-05 178.88.215.41 178.88.0.0/16 KAZTELECOM-AS JSC Kazakhtelecom,KZ 9198 KZ ripencc
2014-07-11 04:09:05-05 188.163.29.68 188.163.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 5.14.25.76 5.12.0.0/14 RCS-RDS RCS & RDS SA,RO 8708 RO ripencc
2014-07-11 04:09:05-05 5.248.99.163 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:27:48-05 178.151.23.241 178.151.22.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 04:27:50-05 31.169.23.129 31.169.20.0/22 DTVKZ-AS JSC Kazakhtelecom,KZ 39725 KZ ripencc
2014-07-11 04:27:50-05 77.122.235.167 77.122.192.0/18 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:27:50-05 78.62.94.153 78.62.80.0/20 TEOLTAB TEO LT AB Autonomous System,LT 8764 LT ripencc
2014-07-11 04:27:50-05 89.209.96.231 89.209.0.0/16 MTS MTS OJSC,RU 8359 UA ripencc
2014-07-11 04:27:50-05 93.79.143.194 93.79.128.0/17 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:27:50-05 176.8.79.228 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:27:50-05 178.141.98.171 178.141.0.0/16 MTS-KRV-AS MTS OJSC,RU 44677 RU ripencc
2014-07-11 04:49:18-05 176.113.146.32 176.113.144.0/20 BELICOM-AS FOP Bilenkiy Olexander Naumovich,UA 44010 UA ripencc
2014-07-11 04:49:21-05 178.137.109.91 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:49:21-05 213.111.226.174 213.111.192.0/18 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-11 04:49:21-05 217.73.84.131 217.73.80.0/21 INFOMIR-NET Infomir JSC,UA 44291 UA ripencc
2014-07-11 04:49:21-05 5.20.162.237 5.20.160.0/19 CGATES-AS UAB _Cgates_,LT 21412 LT ripencc
2014-07-11 04:49:21-05 5.105.1.241 5.105.0.0/16 CDS-AS Cifrovye Dispetcherskie Sistemy,UA 43554 UA ripencc
2014-07-11 04:49:21-05 77.122.193.42 77.122.192.0/18 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:49:21-05 91.225.162.98 91.225.160.0/22 ASSPDCHERNEGA SPD Chernega Aleksandr Anatolevich,UA 56400 UA ripencc
2014-07-11 04:49:21-05 91.236.249.33 91.236.248.0/22 SNAK-AS IP-Connect LLC,UA 57944 UA ripencc
2014-07-11 04:49:21-05 91.244.139.49 91.244.128.0/20 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 04:49:21-05 109.86.76.58 109.86.64.0/20 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 04:49:21-05 176.36.67.204 176.36.0.0/14 LANETUA-AS Lanet Network Ltd.,UA 39608 UA ripencc
2014-07-11 05:08:15-05 46.46.96.199 46.46.64.0/18 FLAGMAN-AS TOV _Flagman Telecom_,UA 48045 UA ripencc
2014-07-11 05:08:16-05 46.149.178.203 46.149.176.0/20 ISP-KIM-NET Kalush Information Network LTD,UA 197522 UA ripencc
2014-07-11 05:08:16-05 95.37.213.26 95.37.128.0/17 NMTS-AS OJSC Rostelecom,RU 25405 RU ripencc
2014-07-11 05:08:16-05 178.251.109.168 178.251.104.0/21 DATALINE-AS Dataline LLC,UA 35297 UA ripencc
2014-07-11 05:08:17-05 31.41.128.57 31.41.128.0/21 ANOXIN FIZICHNA OSOBA-PIDPRIEMEC ANOHIN IGOR VALENTINOVICH,UA 39056 UA ripencc
2014-07-11 05:27:32-05 81.90.233.231 81.90.233.0/24 RADIOCOM-AS RadioCom ISP Autonomous System,UA 25071 UA ripencc
2014-07-11 05:27:32-05 81.162.70.217 81.162.64.0/20 GIGABYTE-AS Private Company Center for Development Information Technology _Gigabyte_,UA 198293 UA ripencc
2014-07-11 05:27:32-05 89.44.89.68 89.44.88.0/22 DNC-AS IM Data Network Communication SRL,MD 41053 RO ripencc
2014-07-11 05:27:32-05 91.244.148.241 91.244.144.0/21 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 05:27:32-05 188.168.94.122 188.168.0.0/16 TTK-RTL Closed Joint Stock Company TransTeleCom,RU 15774 RU ripencc
2014-07-11 05:27:32-05 62.80.161.77 62.80.160.0/19 INTERTELECOM-AS PJSC Inter-Telecom,UA 25386 UA ripencc
2014-07-11 05:30:03-05 198.105.254.240 198.105.254.0/24 SGINC - Search Guide Inc,US 36029 US arin
2014-07-11 05:30:03-05 198.105.244.240 198.105.244.0/24 SGINC - Search Guide Inc,US 36029 US arin

Urgent Court Notice from GreenWinick Lawyers delivers malware

I spent some time yesterday in the Malcovery Security Spam Data Mine looking at the E-Z Pass malware campaign. The ASProx spammers behind that campaign have moved on to Court Notice again . . .

Subjects like these:

  • Hearing of your case in Court No#
  • Notice of appearance
  • Notice of appearance in court No#
  • Notice to Appear
  • Notice to Appear in Court
  • Notice to appear in court No#
  • Urgent court notice
  • Urgent court Notice No#
(All of the subjects that have "No#" are followed by a four-digit integer.)



As usual, the spammers for these "Court Appearance" spam campaigns have just grabbed an innocent law firm to imitate. No indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going on!

These are the same criminals who have previously imitated other law firms including Jones Day (jonesday.com), Latham & Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermott Will & Emery (mwe.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!

We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!

When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver a unique URL to every recipient: a URL that is seen only once cannot be blocked by reputation lists built from earlier reports. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, combined with rotation through hundreds of 'pre-compromised' websites that host the malicious content.

Four patterns in the path portion of the URL are better indicators than the host list, because we believe there will be MANY more destination hosts:

  • tmp/api/…STUFF…=/notice
  • components/api/…STUFF…=/notice
  • wp-content/api/…STUFF…=/notice
  • capitulo/components/api/…STUFF...=/notice
where "...STUFF..." is an encoding that we believe is related to the original recipient's email address, but have been unable to confirm at this time.

http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice

(to protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on de-coding, let me know and I'm happy to provide a couple hundred non-altered strings.)
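The four path shapes above are a better hunting indicator than any host list, so here is a small proxy-log scanner built around them. This is an added example, not code from the original post or from Malcovery: the regular expression, the token alphabet and minimum length, the log format and the sample lines are all assumptions of this example (the first sample URL reuses the post's own altered token; the second token is made up), and `KNOWN_HOSTS` holds only a few of the hosts listed further down.

```python
import base64
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# The four path shapes called out in the post. The token alphabet and
# minimum length are this example's assumptions: the one sample in the
# post is a 44-character base64-looking string ending in "=".
COURT_NOTICE_PATH = re.compile(
    r"^/(?:tmp|components|wp-content|capitulo/components)/api/"
    r"(?P<token>[A-Za-z0-9+/_-]{16,}={0,2})/notice/?$"
)

# A few of the compromised hosts listed in the post; in practice load the
# whole list. Hosts that are NOT here but match the path shape are the
# "MANY more destination hosts" the post expects.
KNOWN_HOSTS: Set[str] = {"arhiconigroup.com", "www.metcalfplumbing.com", "www.xin8.org"}


def classify_url(url: str) -> Optional[Dict]:
    """Return indicator details if the URL fits the court-notice path shape, else None."""
    parts = urlsplit(url)
    m = COURT_NOTICE_PATH.match(parts.path)
    if not m or not parts.hostname:
        return None
    host = parts.hostname.lower()
    return {
        "host": host,
        "path": parts.path,
        "token": m.group("token"),
        "new_host": host not in KNOWN_HOSTS,
    }


def token_bytes(token: str) -> Optional[int]:
    """Length of the token after base64 decoding, or None if it is not base64.
    The post does not say what the token encodes; this only sizes it."""
    try:
        return len(base64.b64decode(token.replace("-", "+").replace("_", "/")))
    except (ValueError, TypeError):
        return None


def scan_log(text: str) -> List[Dict]:
    """Scan whitespace-separated proxy lines (ts client method url status) for hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, status = fields[:5]
        hit = classify_url(url)
        if hit:
            hit.update(ts=ts, client=client, status=status)
            hits.append(hit)
    return hits


def unique_tokens(hits: List[Dict]) -> Set[str]:
    """Distinct tokens seen; one per recipient if the post's per-recipient theory holds."""
    return {h["token"] for h in hits}


# Constructed proxy log lines for this example (not real traffic). The first URL
# reuses the post's own altered sample path; the third uses a made-up token.
SAMPLE_LOG = """\
1405000001.123 10.1.2.3 GET http://arhiconigroup.com/wp-content/api/pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk=/notice 200
1405000002.456 10.1.2.4 GET http://www.example.org/wp-content/themes/style.css 200
1405000003.789 10.1.2.5 GET http://www.example.net/tmp/api/QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=/notice 302
1405000004.012 10.1.2.6 GET http://www.example.com/components/com_content/index.php 200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "NEW HOST" if h["new_host"] else "listed host"
        print(f"{h['ts']} {h['client']} -> {h['host']}{h['path']} "
              f"[{flag}, token {token_bytes(h['token'])} bytes]")
```

Matching on the path shape rather than the host is the point: the second hit above is on a host that appears on no list, which is exactly the case a host blocklist misses. The token sizing is only a hint (the post's sample decodes to 32 bytes); the post leaves the encoding unconfirmed.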

Just like with last week's E-Z Pass spam campaign, visiting the destination website results in a drop .zip file whose name is geo-coded to the visitor's location and which contains a .exe file.

As an example, when downloading from my home in Birmingham Alabama where my zip code is 35242, the copy I received was named:

Notice_Birmingham_35242.zip

which contained

Notice_Birmingham_35242.exe, which carries an icon that makes it appear to be a Microsoft Word document.

The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4

The VirusTotal report for my .exe is here:

VirusTotal Report (7 of 53 detects)

Extra credit points to Kaspersky and Norman for useful and accurate naming!

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP
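Because the dropped file borrows a Word icon, the useful check is on the bytes, not the name or the icon. The following triage routine is an added example, not code from the post: it opens a downloaded archive in memory, reports whether each member starts with the PE "MZ" signature, parses the Notice_<City>_<ZIP> naming shape, and hashes the member. The `NOTICE_NAME` regex generalises the one filename in the post, and `FAKE_EXE` is a constructed stand-in (an MZ header plus filler) whose MD5 will not match the real sample's.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List

# Naming shape described in the post: Notice_<City>_<5-digit ZIP>.<ext>.
# The regex is this example's assumption, generalised from the one sample.
NOTICE_NAME = re.compile(r"^Notice_(?P<city>[A-Za-z]+)_(?P<zip>\d{5})\.(?P<ext>[A-Za-z0-9]+)$")

# Constructed stand-in for the dropped executable: an MZ header plus filler.
# It is NOT the real sample and its MD5 will not match the one in the post.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 64
FAKE_EXE_MD5 = hashlib.md5(FAKE_EXE).hexdigest()


def triage_zip(data: bytes) -> List[Dict]:
    """Describe every member of a zip: name shape, whether the bytes are a PE, hash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            m = NOTICE_NAME.match(info.filename)
            findings.append({
                "name": info.filename,
                # Judge by content: the icon and the extension are attacker-controlled.
                "is_pe": content[:2] == b"MZ",
                "geo_named": m is not None,
                "city": m.group("city") if m else None,
                "zip": m.group("zip") if m else None,
                "ext": m.group("ext").lower() if m else None,
                "size": len(content),
                "md5": hashlib.md5(content).hexdigest(),
            })
    return findings


def is_suspicious(findings: List[Dict]) -> bool:
    """Flag an archive that carries a PE under a geo-coded 'Notice_' name."""
    return any(f["is_pe"] and f["geo_named"] for f in findings)


def _zip_with(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed lookalike of Notice_Birmingham_35242.zip from the post."""
    return _zip_with("Notice_Birmingham_35242.exe", FAKE_EXE)


def build_benign_sample() -> bytes:
    """Same naming shape, but the member is plain text, so it must not be flagged."""
    return _zip_with("Notice_Birmingham_35242.txt", b"constructed benign text\n")


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f"{f['name']}: pe={f['is_pe']} geo={f['city']}/{f['zip']} md5={f['md5']}")
    print("suspicious:", is_suspicious(triage_zip(build_sample())))
```

The MD5 the routine prints is what you would submit to VirusTotal or compare against the hash in the post; the benign-sample case shows that the naming pattern alone is not enough to flag a file.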

Each of the 88 destination websites that we observed was likely compromised to host the malware. We do not believe these are necessarily "Bad Websites" but they either have a vulnerability or have had the webmaster credentials stolen by criminals.

If one of these is YOUR website, look for one of the directories I mentioned:

/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/


www.metcalfplumbing.com
www.mikevanhattum.nl
www.mieszkaniaradomsko.pl
www.millionairemakeovertour.com
www.mkefalas.com
www.moldovatourism.ro
www.mobitrove.com
www.modultyp.com
www.mommyabc.com
www.monsterscalper.com
www.myconcilium.de
www.nellalongari.com
www.northsidecardetailers.com.au
www.parasitose.de
www.paulruminski.eu
www.petitecoach.com
www.phasebooks.net
www.plr-content.com
www.profimercadeo.com
www.propertyumbrellablueprint.com
www.proviewhomeservices.com
www.puntanews.com.uy
www.qifc.ir
www.rado-adventures.com
www.rantandraveweddingplanning.com
www.registrosakasicos.es
www.rimaconsulting.com
www.romiko.pl
www.saffronelectronics.co.uk
www.sasregion.com
www.saxonthewall.com
www.sealscandinavia.se
www.stkatharinedrexel.org
www.tecza.org
www.theanimationacademy.com
www.thehitekgroup.com
www.tusoco.com
www.urmasphoto.com
www.vicmy.net
www.viscom-online.com
www.vtretailers.com
www.warp.org.pl
www.webelonghere.ca
www.weihnachten-total.de
www.wesele.eu
www.whistlereh.com
www.wicta.nl
www.widitec.com.br
www.wonderlandinteractive.dk
www.wpprophet.com
www.xin8.org
www.zabytkowe.net
www.zeitgeistportugal.org
www.zmianywpodatkach.pl
www.znamsiebie.pl
www.zuidoost-brabant.nl
www.zs1grodzisk.pl
yourmentoraffiliatemarketing.com
atenea.edu.ec
comopuedoblanquearmisdientes.com
arhiconigroup.com
chris-coupe.com
drnancycooper.com
ian-mcconnell.com
izkigolf.com
kalemaquil.com
kingdommessengernetwork.com