Tuesday, November 11, 2014

TorrentLocker (CryptoLocker) Ransomware Campaign - Oct/Nov 2014


Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

In mid-October 2014, a ransomware campaign using a new variant of CryptoLocker was launched. At the time of this post, the campaign is still active.

Once a user has unknowingly downloaded and run the malware, all files on their local disk and network drives are encrypted. The user is then presented with the screen below, which demands that the victim visit a hidden server to purchase the decryption key using Bitcoin.

This new CryptoLocker variant appears to be offered as a service to any criminal individual or gang who wants to get involved in the ransomware extortion business.

The malware appears to be delivered via spam e-mail.


WARNING
We have encrypted your files with CryptoLocker

"Buy decryption software and get all your files back"

Victim landing page demanding ransom payment in Bitcoin to decrypt files.


There are at least 10 active campaigns (ransomware 'botnets') utilizing this particular command and control server. From the structure and contents of the directories, it appears to be provided to other criminal individuals or gangs, as a "Ransomware-As-A-Service". The creators of the service provide the server and the malware to criminal clients so they can then run their own ransomware campaigns utilizing the infrastructure and software provided.

Each criminal customer of this ransomware extortion service has its own numbered 'botnets' folder, which contains email lists to spam, SMTP servers to spam from, and logs of payments, feedback, etc. from the victims of the operation.

Every individual campaign would be responsible for distributing the ransom malware (spam) and managing user complaints, payments, etc.




Inside one of the individual botnet containers: the directories of campaign #11.


Lists of email addresses to spam and attempt to infect new victims.


Some of the more "successful" campaigns have a feedback directory. This is where the victims can send messages to the crooks, asking for more time before the ransom for their files increases, or asking when they will get their files back.




The 'feedback' directory contains log files for payments and questions. 



Feedback from victims:


Feedback from ransomware victims asking for more time before the ransom increases on their files. 




More "feedback" from victims (campaign #13):

[2014-10-15 09:45:52] [6475, petvandam@x.com] 
I payed, but when I enter the transaction detail, tyour page says it already has been used for a payment! How is that possible? 
[2014-10-15 11:35:33] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,

We made a payment of 1364 bitcoins with transaction nr. 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2
If I enter this on your webpage, it tells me that this has already been used, which is not.
Can you please send me the instruction to quickly solve this problem?
With kind regards,
Dennis Huisman
[2014-10-15 11:44:02] [6393, dennis.huis@**REDACTED**.nl] 
Dear Sirs,
We have paid 1.364 bitcoins with transaction id 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2.
If I enter this id, the site tells me this has already been used, which is not!
Please tell me what I can do to fix this.
With kind regards, 
Dennis Huisman
[2014-10-15 13:32:22] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,
We made a payment of 1.364 with tranaction ID 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2. When I fill this in on your webpage, it gives a warning that this has already been used, which isn't.

Can you please tell me what to do?

Thanks in advance for your answer.
Dennis Huisman
[2014-10-17 21:07:34] [8679, muratkazan55@**REDACTED**.com] 
I'm studying at the university. I have homeworks in my pc. Please help me to save them. I need them too much to complete my education. Thank you for your understanding. 
[2014-10-18 14:35:45] [8916, gokhan@**REDACTED**.tc] 
dosyalarımın şifresini çözmek istiyorum. Ağdan 3 adet makinama bulaştı 1200 tl den daha aşağı olmaz mı? 
[2014-10-18 16:43:03] [8749, mbeykozlu@**REDACTED**.com] 
bitcoin için limit veriyor
ödemeyi yapamıyorum
zaten durumum iyi değil işim gücüm sıkıntıya girdi bittim
bana bi yol söyleyin 1200 tl borç harç göndericem

[2014-10-20 05:32:00] [8371, kelly@**REDACTED**.com.au] 
Hello,
We have deposited the money just waiting for the transfer.
Payment received
Your deposit has been received, your coin transfer will be carried out shortly.
Reference Number 12008
Amount in AUD 752.60
Amount in Bitcons 1.45200000
Email kelly@**REDACTED**.com.au
Wallet Address 1K3Z8tEDyo5FHtsGmxTZ4tbeuJdMMjEE72
We will keep you updated with the progress of the order.


[2014-10-20 09:04:23] [8544, erdogankeklik_88@**REDACTED**.com] 
Öncelikle merhaba benim bilgisayarımda dosyalar şifrelendi. Yedeklerimin hepsi var. Sadece 1 2 günlük belgeler lazım. Fiyatınız çok yüksek. Yardımcı olur musunuz? 
[2014-10-20 13:38:09] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
bu kodu sonradan öğrendim giriyorum ancak ilkini yanlış girmişiz bu konuda yardım bekliyorum 
[2014-10-20 13:38:10] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
bu kodu sonradan öğrendim giriyorum ancak ilkini yanlış girmişiz bu konuda yardım bekliyorum 
[2014-10-20 17:05:12] [8557, adorelguvenlik@**REDACTED**.com] 
aşağıdaki ıd numarası ile ilgili işlem yaptık lütfen sizde gerekeni yaparmısınız lütfen
Id
ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659 
[2014-10-21 08:03:42] [6207, practicombit@**REDACTED**.com] 
Hi,

Last week i paid you for the decrypter software $ 500,- when i have run the software i see that only a few files where decrypted. I paid it whith url: http://3v6e2oe5y5ruimpe.tor4u.net/buy.php?a9q1vi but when i look into my files and folders and click another decrypted_instuctions.html i see that it have another url: http://3v6e2oe5y5ruimpe.tor4u.net/buy.php?a9jme9 maybe thats why not al my files could decrypted. When i click buy i see that you want me to pay $ 1000. Could you send me a file to decrypt my other files because i already have made a payment for it. I hope you can help. I'm not happy to have not al my files back. Hope i get a reply very soon.

The bitcointransaction id is 230dfaa00246c04ca528fb29003542d0eef47c6f5399292f1ed2fffef8b853fa

Hope so you can help.

Yesterday you send me a mail to wait 1-2 hours but did not hear anything from you.
Greetings Mark 
[2014-10-22 07:17:20] [9540, coin.accont@**REDACTED**.com] 
I have made the payment but it keeps coming up with transaction ID already used.

74c5b0d6641baaaf233c80ee72b6cabb57c15a669490adbc9855ca0a4b34bcf4

What can we do now? 
[2014-10-22 09:59:19] [9089, ozansevimligul@**REDACTED**.com] 
merhaba bu yazılım 2 bilgisayarimi etkiledi ve bu kadar param yok odeme yapicak lütfen bana daha uygun bir tutar cikarin ödeyebilmeye gucumun yeticegi bir tutar ve işlemler bir bilgisayar için diyor benim diğer bilgisayarimda Windows xp yuklu onda nasil sifreleri acicam?
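
The feedback entries above all follow one layout: a header line `[timestamp] [victim id, email]`, sometimes with text on the same line, then free-form message lines until the next header. When a C&C server like this is seized or imaged, the first incident-response task is usually to turn these logs into a per-victim list (who contacted the operators, how often, and which Bitcoin transaction ids they claim) so that victims can be notified and payments traced. The following Python is an added example written for that triage step; it is not code from the post. The sample log, the victim ids, the example.com addresses and the transaction ids in it are constructed; only the line layout follows the post.

```python
"""Parser for the victim 'feedback' log layout shown in the post.

Added example for incident-response triage of a seized C&C log; not code from
the post. The sample log and the transaction ids below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Entry header: "[2014-10-15 09:45:52] [6393, victim@example.com]" optionally
# followed by text on the same line (one entry in the post carries a txid there).
HEADER_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] \[(\d+), ([^\]]+)\]\s*(.*)$"
)
# A Bitcoin transaction id is a 32-byte hash written as 64 hex characters.
TXID_RE = re.compile(r"\b[0-9a-f]{64}\b")


@dataclass
class FeedbackEntry:
    timestamp: datetime
    victim_id: int          # the campaign's numeric victim/infection id
    email: str
    lines: list = field(default_factory=list)

    @property
    def text(self) -> str:
        return "\n".join(self.lines).strip()

    @property
    def txids(self) -> list:
        # Victims paste ids in either case; normalise before matching.
        return TXID_RE.findall(self.text.lower())


def parse_feedback(log: str) -> list:
    """Split the log into entries; a message may span several lines until the next header."""
    entries, current = [], None
    for raw in log.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            ts, vid, email, rest = m.groups()
            current = FeedbackEntry(
                datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(vid), email.strip()
            )
            entries.append(current)
            if rest:
                current.lines.append(rest)
        elif current is not None:
            current.lines.append(raw)
    return entries


def summarize(entries: list) -> dict:
    """Per-victim rollup: contact addresses, message count, distinct txids, time span."""
    by_victim = {}
    for e in entries:
        s = by_victim.setdefault(
            e.victim_id,
            {"emails": set(), "messages": 0, "txids": set(),
             "first": e.timestamp, "last": e.timestamp},
        )
        s["emails"].add(e.email)
        s["messages"] += 1
        s["txids"].update(e.txids)
        s["first"] = min(s["first"], e.timestamp)
        s["last"] = max(s["last"], e.timestamp)
    return by_victim


# Constructed sample in the post's layout (fake victims, fake transaction ids).
TX1 = "0123456789abcdef" * 4
TX2 = "fedcba9876543210" * 4
SAMPLE_LOG = "\n".join([
    "[2014-10-15 09:45:52] [6475, victim1@example.com] ",
    "I paid, but your page says the transaction id was already used.",
    "[2014-10-15 11:35:33] [6393, victim2@example.com] ",
    "Dear Sirs,",
    "",
    f"We made a payment with transaction nr. {TX1}",
    "Please send instructions.",
    "[2014-10-15 13:32:22] [6393, victim2-alt@example.com] ",
    f"Still the same warning for {TX1.upper()}.",
    f"[2014-10-20 13:38:09] [8557, victim3@example.com] {TX2}",
    "I entered the wrong code the first time.",
])

if __name__ == "__main__":
    for vid, s in sorted(summarize(parse_feedback(SAMPLE_LOG)).items()):
        print(vid, sorted(s["emails"]), s["messages"], len(s["txids"]),
              s["first"], s["last"])
```

The rollup is keyed on the numeric victim id rather than the e-mail address, because (as in the post) the same victim often writes from several addresses while the id stays constant; collecting the distinct addresses per id is what makes later notification possible.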




Admin Templates:

Templates for criminal admins to manage their campaign. 




Template payments page that victims will be directed to:





Custom ransom pages template uploader:


Settings template:



 Statistics template:



Technical Details:

Sample:

(This particular sample belongs to campaign #14)

508136766c7ea2f26ef44ffd81a63bcb

https://www.virustotal.com/en/file/cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d/analysis/

https://malwr.com/analysis/MjE5MWRhMzczODdkNDk1YjhkNDE3ZDU0NmNkMTcwODg/

hxxp://lebanonwarrior.ru:8080/data/botnets/14/


C&C Server:

lebanonwarrior.ru
46.161.30.19 
inetnum: 46.161.30.0 - 46.161.30.255
netname: KolosokIvan-net
descr: Net for customer ID 12510
country: RU




someone left a note

Monday, November 3, 2014

Perpetrator Profile - Parwez Jabarkhil (Kabul, Afghanistan)

Names/Aliases:
Parwez Jabarkhil
freshfor@yahoo.com
assass

Notes:
One of the first 20 members of RDP-Shop.RU, a shop selling access to hacked servers (he joined in 2013 and, according to the logs, never used the account). He is, however, a prolific customer of SuperDED.org, another shop selling illegal access to hacked servers for customers to use for shady activities; see below.

,('assass', 'c7296bcf3fcb2aa4f37c89561fd37633', '123456', 'freshfor@yahoo.com', '175.106.52.173', '2013-03-09 16:10:42', '2013-03-09 16:10:51', '0', '0.00', '0', '175.106.52.173', '0', '0', '0', '0')

Location:
Kabul, Afghanistan
(Home DSL connectivity)
inetnum:        175.106.48.0 - 175.106.55.255
netname:        INSTA-KBL-AF
descr:             DSL
country:         AF


Facebook:

An ugly car


Selfies



SuperDED.org Account:
Username: assass


SuperDED.org - A shop selling access to hacked servers, aka "dedicated" or "dedikov" or "dedy"



Purchased access to hacked servers. 



Also he was a registered member of the defunct 'sh0p4you.com' - which used to sell, you guessed it...hacked server access.

http://archive.today/VRVZy
http://pastebin.com/raw.php?i=61VzdHCW

Friday, October 24, 2014

Perpetrator Profile (aceboogie145)

This post is a peek into the private operations of an active carder.

He was found in the database of RDP-Shop.RU, where he had been purchasing access to hacked servers. He would then log in to the servers and use them as a proxy to conceal his true location while he committed the fraud detailed here. He works with a group of fraudsters to manage 'mules' and 'drops', who are used to withdraw money transfers and to reship goods purchased with stolen credit cards.

Names/Aliases:
Aceboogie145
frank_lucas1017@aol.com
lamborghini_dreams@aol.com

Notes:
Purchased access to hacked RDP servers to use for:
  • Payment card fraud (purchases with stolen credit cards)
  • Income tax fraud
  • Wire fraud
  • Identity theft

Location:
South Florida, USA
Port Saint Lucie, FL
Hollywood, FL
Miami, FL
(emails from dating websites he had signed up for show him in South Florida in May 2014) 

highest balance on RDP-Shop.RU

select * from `users` order by `balance` desc

username:          aceboogie145
password:          59b6309e95043752b675f4a86c89158d
icq:               null
email:             frank_lucas1017@aol.com
ips:               xxx
regdate:           2014-03-16 10:10:35
lastlogin:         2014-09-21 09:21:54
failedlogin:       0
balance:           53.00
checkercredits:    0
lastip:            xxx
amount_purchased:  0
amount_refunds:    0
admin:             0
banned:            0

just4valid.ru
aceboogie6 sage2323

toolstore.cc
aceboogie145 sage2323


64 hacked RDPs purchased



frank_lucas1017@aol.com
59b6309e95043752b675f4a86c89158d:fs978:sage2323


Inbox


Colorado Department of Revenue - Tax Return Fraud



LexisNexis Corporate Account


Mules. $1900 per week. 
"the others you can do the $2500 a week, 5k a month."


Attachments from emails:

IRS Tax Refund Fraud - $9,190











2x Apple iMac 21.5 inch Desktop
(one for the drop mule to keep, one reship to carder)



Package drop address from above shipment. Miami FL






Other email:
lamborghini_dreams@aol.com
sage2323


Email contact list:

http://pastebin.com/FDUNeJvD


Sunday, October 19, 2014

Hacked: RDP-Shop.RU

RDP-Shop.RU 
"the black online shop"

This shop was selling login credentials to hacked Windows servers (TS/RDP).

Criminals usually purchase access to these hacked servers and use them for shady activities such as spamming or making online shopping purchases with stolen credit cards. Only after gaining administrative access to this particular black market and closely researching some of its prolific users does it become clear that 'traditional' internet fraud is being supplemented by more lucrative schemes.

The crooked customers of this website have been observed committing identity theft, wire/bank transfer fraud, and federal and state income tax fraud by filing an income tax return online and depositing the refund to an account the thieves control. Some prefer to get their stolen refund in the form of VISA debit cards mailed to 'drops' inside the U.S. 

To the fraudsters, the value of using hacked servers in this manner is that it provides a proxy layer for the perpetrator, making it more difficult to attribute activities back to their original source. The true location of the criminal could be somewhere in Lagos or Los Angeles, but they are remotely accessing a computer in another country and using it to disguise their location. The servers are cheap and practically disposable. Access to a hacked server is volatile, however, because the real owner of the server could (and usually does) discover the illegal activity.

There are a handful of shops that sell hacked or stolen digital goods like this one, and they are becoming a more popular venture for enterprising mongers. This trend is likely related to the recent major data breaches, which have provided the criminal underground with a wealth of personal information and pave the way for a cascade of fraud and theft.

[ More developments on this research will be posted soon ] 


main login screen 



rdp-shop.ru index page



Users of Lampeduza looking for RDP shops.



'Wino' an admin of rdp-shop.ru



Lulz:



Ok, so after some work we now have administrative access.

Let's look around.


Bitcoin config:
// config Blockchain account
$system = "bitcoin";
$btc = 600;
$guid = 'b6b013ef-62ca-4561-811d-1aa6b2736d43';  // Blockchain account
$main_password = 'Drilonial123.'; // Blockchain pass
$second_password = 'Winoal123..'; // Blockchain pass
$rate = 600;

transactions



MySQL:

The back end of the shop was a MySQL database (salted password hashes; salt = fs978).
The database contained the login credentials and IP address for the hacked RDP servers being sold, and user information.
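
A single site-wide salt, as used here, is barely better than no salt at all: every user shares it, so two accounts with the same password get the same hash, and one precomputed table for that salt covers the entire user table. The Python below is an added example (not code from the post or from the shop) that puts that storage style next to a per-user, slow-KDF scheme. The post gives the salt but not how it was combined with the password, so md5(password + salt) is an assumption used only to illustrate the shared-salt weakness; the sample accounts and passwords are constructed.

```python
"""Global-salt MD5 storage (the style the post describes) beside per-user PBKDF2.

Added example, not code from the post or from the shop. The post gives the
site-wide salt but not how it was combined with the password; md5(password + salt)
below is an assumption used only to illustrate the weakness of a shared salt.
"""
import hashlib
import hmac
import os
from typing import Optional

GLOBAL_SALT = "fs978"  # the single site-wide salt reported in the post


def weak_hash(password: str, salt: str = GLOBAL_SALT) -> str:
    """Fast MD5 with one salt for every user: equal passwords give equal hashes,
    and a single precomputed table for this salt covers the whole dump."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def duplicate_password_groups(rows) -> dict:
    """From a dump of (username, weak_hash) rows, list accounts that share a
    password. Nothing is cracked here; the shared salt alone leaks equality."""
    by_hash = {}
    for username, digest in rows:
        by_hash.setdefault(digest, []).append(username)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF; stored as algo$iterations$salt$dk."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample user table in the shop's style (fake accounts and passwords).
SAMPLE_USERS = [
    ("alice", weak_hash("123456")),
    ("bob", weak_hash("letmein")),
    ("carol", weak_hash("123456")),
]

if __name__ == "__main__":
    print("accounts sharing a password:", duplicate_password_groups(SAMPLE_USERS))
    record = strong_hash("123456")
    print(record)
    print(verify_strong("123456", record), verify_strong("654321", record))
```

Because the per-user record carries its own salt and iteration count, `verify_strong` can check old records after the site raises `PBKDF2_ITERATIONS`, and two users with the same password never share a stored value, which is exactly the property the shop's table lacked.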

The picture below is a sorted list of the users with the highest balance on the shop. (Users of the shop deposit bitcoin to their shop account, allowing purchases to be made.)

select * from `users` order by `balance` desc


RDP-Shop.RU High Roller:

aceboogie145

Read more about this perpetrator here.


Admins:

('drilon', '925a55978b473420d3d07e40bf102941', '123456', 'splet-pasoja@live.com', '41.155.20.61', '2011-10-01 23:03:49', '2014-09-11 06:15:40', '0', '0.00', '0', '178.175.44.127', '5', '0', '1', '0')
,('Wino', '83275c8093a8e9ca03434bc590d2c151', '123456', 'wino@pentagon.al', '178.175.4.95', '2013-03-06 14:48:07', '2014-09-24 19:27:15', '0', '0.00', '0', '46.99.224.7', '0', '0', '1', '0')




Admin Area: 
(update 3/29/15 - forgot to post these admin screenshots)



Admins:




Main Database dump:
if you have a legit need for this, email me.

Support database dump:
if you have a legit need for this, email me.


Plain text user:password list:
sorry, not sharing this data.  
ProTip: Add some code to the login form processor so that it writes the form input to a file before the hashing and voila ..no need to crack hashed passwords ;-)

250+ email addresses from user table:

splet-pasoja@live.com
wino@pentagon.al
gjani.jaha-xx@live.com
aa@hoc.om
richardscott1969@yahoo.com
davtym1@yahoo.com
secsion@yahoo.com
kobbylivingston@yahoo.com
kay_kuku001@yahoo.co.uk
hoodhenry14@yahoo.com
mickfuture001@gmail.com
info@low2.com
aldo_parker@ymail.com
gardarus@gmail.com
tester@live.com
dr_uploader@yahoo.com
tyga@hotmail.com
darahvieh@gmail.com
slimkuta@juno.com
knightrider8620@gmail.com
vavavum88@yahoo.com
m00n81@yahoo.com
vhpoop@gmail.com
freshfor@yahoo.com
shit@shit.com
mirchee14@gmail.com
good_buyers123@yahoo.fr
maartenwydogen@yahoo.com
amine_azri@live.fr
haruncyrbagi@gmail.com
iron.myke@yahoo.com
verycaringangel@yahoo.com
headlimit@hotmail.fr
ianwicks4@gmail.com
paa_kwesi44@yahoo.com
dismalgod@gmail.com
pommediz@hotmail.fr
gameover353@rocketmail.com
zon3@live.com
enohekun@gmail.com
pajsor2k@hotmail.fr
toniduncan56@yahoo.com
nexusabh@yahoo.com
com02444@yahoo.com
comfort.power@yahoo.com
cwcwcw@live.com
rdpshop@ymail.com
alexmiettaux@live.fr
andreev@msn.com
hhl505@hotmail.com
asfdsf@web.de
jimicola@ok.de
odaikakador@yahoo.com
jackice@hotmail.de
eyeyeyeyeye@eyeyeyeyeye.de
elvisglah@gmail.com
entropyideas@gmail.com
alapugacionka@gmail.com
amar175@yahoo.com
cvv_pmrkumo@yahoo.com
delux@live.com
david4garry@yahoo.com
davidlame8@gmail.com
b4ti@gmail.com
monymonylover@yahoo.com
crespim@live.com
donnelwalter00100@gmail.com
k_emergency2012@yahoo.com
getoar.e@gmail.com
ellkops@yahoo.com
singlechrisseeking@yahoo.com
noma.noma1987@hotmail.com
AMISTRAL7@GMAIL.COM
selasiewan@yahoo.com
ug.l0v3@gmail.com
smoothe_hacker@yahoo.com
lolcreelol@gmail.com
kes@msn.com
sniojam@gmail.com
devil_cvv@yahoo.com
cartshop60@hotmail.com
recharge_ve@yahoo.com
tristanb12345@hotmail.com
ayamga@gmail.com
User101@User101.com
wray.harrison@yahoo.com
lckaal@yahoo.com
xplora2007@gmail.com
roer.2@live.com
best1234@yahoo.com
razzmuss312@hotmail.com
khariemshaw@ymail.com
smillinggeorge@yahoo.com
qazbam@yahoo.com
grasstol@hotmail.fr
joeniel56@yahoo.com
ycezayir@yahoo.com
shit@shit.shit
sdffd@yahoo.com
spammtoolssws1@yahoo.com
pauls.kings@yahoo.com
lopac_1@yahoo.com
tomas250519@gmail.com
dcbsod@gmail.com
andini_z@hotmail.com
wubugbanklogins@yahoo.com
lol@live.com
d.harrinson@gmail.com
vcC_sel@hotmail.com
tombui9110@gmail.com
toilaai1806@gmail.com
rocking@live.com
username@gmail.com
oscardevelopments@gmail.com
geshep100@yahoo.com
itr0nic@hushmail.com
needualas3script@yahoo.com
scorpioserver@gmail.com
gouser09@fastmail.fm
viet.phong5@yahoo.com
volfymac@gmail.com
ratibeeh@yahoo.com
jamesbdd4@gmail.com
bgaskin61@hotmail.com
sprayman1@ymail.com
hatgroup2@yahoo.com
ripper.rubber@gmail.com
teodorov666@hotmail.com
greg63042@gmail.com
fcuda@ymail.com
humphreyhumphreydman@yahoo.com
hotbarcaguy19@yahoo.com
cat@liveuks.com
ishipcon11@gmail.com
stepheniewill@yahoo.com
trimii.cool@gmail.com
wendyadams1012@gmail.com
marcelo2kk9@yahoo.com
micheal.sam25@yahoo.com
cambell@yahoo.com
musa@fbi.al
drilonnpajazitii@gmail.com
jaknco@yahoo.com
wm197171@yahoo.com
ilesanmiayo@yahoo.com
felizmoni@yahoo.com
shadowwalker2@ymail.com
sdksk@aol.com
tevo0o@hotmail.com
taner.barila@yahoo.com
mcolbum100@yahoo.com
unlockhack@live.com
see.me144@yahoo.com
kanesangels@yahoo.co.uk
burnstom100@hushmail.com
x2@live.com
sammyjohnson125@yahoo.co.uk
sammyjohnson125@yahoo.com
happymn@yahoo.com
dasharkfan@yahoo.com
benken112@yahoo.com
johnbarracksg@yahoo.com
abcd19886@hotmail.com
agboolasamuellove@yahoo.com
skimmerdoe@gmail.com
phong252@yahoo.com
softdogmedia@gmail.com
andi-.cs@msn.com
Bigbosscity@hotmail.com
netphone86@yahoo.com
anithingbetter@hotmail.com
zoro_spain@hotmail.com
willams9@yahoo.com
mark9gader1966@gmail.com
lanzberis@inbox.com
lana2k@yahoo.com
debbiecaresforyou@rocketmail.c
crlm3@ymail.com
zakink@gmail.com
jnsadasjdn@live.com
janidilda37@yahoo.fr
jose3111@gmail.com
ratyeseng@yahoo.es
hrita117@yahoo.com
madmani@live.com
antoniaff@live.com
hotfile1231@hotmail.com
shittu0147@yahoo.com
johnstak_233fg@yahoo.com
bob4mi@googlemail.com
drakewil101@yahoo.com
azri@live.fr
Shopliker@live.com
ovatimez@yahoo.com
donny.eric@yahoo.com
adms746@aol.com
nguyenquoctien463@gmail.com
manookoro@yahoo.com
rev.jusyicewayne1@yahoo.com
dismalgod@me.com
buomden.sellcvv@yahoo.com
daddyslovelives@gmail.com
comunit@live.com
humancan@yahoo.com
souljah7@live.com
Kosy0090@gmail.com
kenney_reyes@yahoo.com
superdelegate54@yahoo.com
celedonbhz@yahoo.com
farri909@gmail.com
adepop10@gmail.com
p.3n@hotmail.com
leoslovecourt1@yahoo.com
sambranolr@yahoo.com
hi.world.tech@gmail.com
rita.buysth@gmail.com
mayorsworldx1@yahoo.com
drbryn@live.com
dec28728@yahoo.com
big.cc39@yahoo.com
trade_pride@yahoo.com
iksddd@gmail.com
yamazago2@gmail.com
badblack56@gmail.com
asge@yahoo.com
trustmankind@yahoo.com
ocelia_25@hotmail.com
johnnymark90@yahoo.com
ms6al@hotmail.com
tranlonghk@yahoo.com.vn
n33dle_pro@yahoo.com
zq2012@gail.com
it.kurdish@gmail.com
asds@aol.com
magret.canard@free.fr
sada@gmail.com
ajibade12@yahoo.com
akuffo@live.com
woodseric1234@gmail.com
zebi44204@zebi44204.fr
vietkal@yahoo.com
h4k4zworld@yahoo.com
ggggghh6@gmail.com
asasa@as.vn
senxyhrdp@shop.ru
nokiatl79@gmail.com
baget@tormail.org
toine_df@yahoo.com
techsupport025@gmail.com
oluuman@gmail.com
test1@yopmail.com
ivy004@rocketmail.com
dhristo@dr.com
alcane98@yopmail.com
tayson@mail.ru
ht-_-k@hotmail.com
identitydavid@gmail.com
gizobouy@yahoo.com
blessedfellow@msn.com
cvv.lord@yahoo.com
wyzzoo@yahoo.com
m.2g900@yahoo.com
ansahgyimah@yahoo.com
crazycanada@tormail.org
esfahanlove@aol.com
paypal@sdfsd.de
nega@live.com
boss.h43ker@yahoo.com
minch1982@gmail.com
karragerj@yahoo.com
elgenero_55@yahoo.com
drilon-al@live.com
rudethugist@yahoo.com
gimwd@hotmail.com
nagato_ad@hotmail.fr
one-dz@hotmail.com
are@jefw.com
asdasd@yahoo.com
davan.cecile@gmail.com
beulaeq8503@hotmail.com
denis.soto50@yahoo.com
jone4788@yahoo.com
lovegreentea89@gmail.com
paulkaka27@gmail.com
rich_jah@yahoo.com
marciosantos277@yahoo.com.br
cccandy75@yahoo.com
samuelsm79@gmail.com
digit_spamer@yahoo.com
jimmy_brown12345@yahoo.co.uk
iparadise31@yahoo.com
ikwere_baruki001@yahoo.com
sifangerke1@gmail.com
anthonio_debrasky@yahoo.com
mr.cute@talktalk.net
a.matt@live.dk
john.mark654@yahoo.com
fiona1978hk@gmail.com


Drilon (admin) 

Monday, September 15, 2014

ZeuS Botnet - aticiinsaat.org

ZeuS 2.0.8.9 banking trojan botnet hosted on aticiinsaat.org - 159.253.36.219 (Turkey)

aticiinsaat.org. 8878 IN A 159.253.36.219
Domain Name:ATICIINSAAT.ORG
Domain ID: D171358345-LROR
Creation Date: 2014-03-11T11:26:47Z
Updated Date: 2014-05-11T03:46:02Z
Registry Expiry Date: 2015-03-11T11:26:47Z
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
inetnum:        159.253.36.0 - 159.253.36.255
remarks:        INFRA-AW
netname:        NETINTERNET

Admin login:  

Home:
70 bots (many CN, mixed world installs)
13k reports
OS Stats:
We still see WinXP as the top OS; however, Win7 and Win7 64-bit are catching up.



This machine had another ZeuS/Citadel install on it as well; you can see it calling home to gate.php.
(This botnet is offline now too)



Example of banking credentials being stolen from a victim. Note the HTTPS in the URL.
TLS/SSL does not help here: the ZeuS malware has hooked the browser process and steals the credentials before they reach the TLS/SSL layer.






Saturday, July 26, 2014

NBCEI Fraud



Bargaining councils 
Bargaining councils are formed by registered trade unions and employers’ organisations. They deal with collective agreements, attempt to solve labour disputes, and make proposals on labour policies and laws. As well, they may administer pension funds, sick pay, unemployment and training schemes, and other such benefits for their members. The Amended Labour Relations Act also notes that these councils are to "extend the services and functions of the bargaining council to workers in the informal sector and home workers."
Source: Wikipedia 



Some enterprising little fucker is administrating instead of the NBCEI


Hosted on 209.148.85.106 (Texas, USA)




Firms:


Payments


Levies




Other links
hxxp://209.148.85.106/bcas//downloads/extract/risk_extract.csv
hxxp://209.148.85.106/bcas//downloads/extract/metro_extract.csv
hxxp://209.148.85.106/bcas//downloads/extract/funeral_disability_extract.csv



I didn't get to spend too much time looking into this, but when I checked back to get more screenshots it was closed.

Database Error