Monday, November 26, 2012

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

On January 09, 2012, I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened next? With the botnet masters still at large and the Koobface botnet currently offline, a logical question emerges: what are these cybercriminals up to now that they're no longer managing Koobface?

Cybercrime as usual!

Continuing to squeeze the cybercrime ecosystem and keep known bad actors on a short leash, in this intelligence brief I'll expose Anton Nikolaevich Korotchenko a.k.a. KrotReal's latest activities, which indicate that he's currently busy experimenting with two projects:
  • A Black Hat SEO (Search Engine Optimization) related service/product
  • An underground traffic exchange/pay-per-install network currently distributing localized Ransomware
Just as KrotReal's real-life identity was revealed through a single mistake he made over a period of several years, namely registering a Koobface command and control server using his personal Gmail account, in this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the domains he most recently registered, once again with that same personal Gmail account.

Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On: 28-Jul-2011 12:37:45 UTC
Last Updated On: 28-Jun-2012 08:11:43 UTC
Expiration Date: 28-Jul-2013 12:37:45 UTC

The service/product apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and WordPress, next to Yoom CMS. KrotReal himself might be using the tool, or might sell/offer access to it as a managed service. Does this mean he isn't also using it himself to monetize the hijacked legitimate traffic he obtains through his Black Hat SEO campaigns? Not at all.

More domains presumably to be used for Black Hat SEO purposes registered with KrotReal's personal email account (krotreal@gmail.com):
superstarfind.com
celeb-search.com
myown-search.com
myfindstuff.com
network-find.com
coolfind200309.com
experimentsearch.com
fashion-overview.com
krotpong.com
adultpartypics.com
findhunt.com


How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang primarily distributed scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged about the fact that they weren't damaging infected users' PCs.

What's particularly interesting about this campaign is that it's a great example of double-layer monetization: KrotReal earns revenue through the Traffic Holder Adult Affiliate Program, while the same redirection chain goes on to serve client-side exploits and ultimately drop Ransomware on the affected host.


Sample malicious domain name reconnaissance:
traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On: 22-Nov-2011 13:42:53 UTC
Last Updated On: 22-Nov-2012 22:33:25 UTC
Expiration Date: 22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):
allcelebrity.ru
easypereezd.ru


Sample malicious activity redirection chain:
hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 ->
hxxp://celeb-search.com/in.php?source=th&q=nude+girls ->
hxxp://celeb-search.com/in3.php?source=th&q=nude+girls ->
hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic ->
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= ->
hxxp://gravityexp.com/go.php?sid=12 ->
hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) ->
hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 ->
hxxp://nosnowfevere.com/ZqRqk ->
hxxp://nosnowfevere.com/EHSvFc ->
hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.


Malicious domain names reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
Second screenshot of a sample page displayed to affected U.K. users:
Additional malicious payload obtained from the campaign:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626); on 2012-07-01 it moved to 46.163.113.79 (AS20773); on 2012-11-14 it changed to 176.28.14.42 (AS20773); and on 2012-11-24 it made one last change, to 176.28.22.32 (AS20773).

One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works. 

Sample screenshot of the administration panel:
Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):
bussinesmail.org - Email: belov28@gmail.com
elitesecuritynet.com - Email: pescifabio83@yahoo.fi
ideasdeunion.com - Email: esbornikk@aol.com
ineverworrynet.com - Email: pescifabio83@yahoo.fi
testcitycheckers.com - Email: pescifabio83@yahoo.fi
uneugroup.com - Email: anders_christensen@yahoo.com
winntegroups.eu - Email: robertobona69@yahoo.com
sexchatvideo.org - Email: daddario.maria@virgilio.it
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it
bestconsultingoffice.com
apaineal.ru
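The whole brief rests on one OSINT technique: pivoting from a known-bad registrant e-mail or hosting IP to the rest of the infrastructure, and then checking which hops of an observed redirection chain land on that infrastructure. The script below is an added example written for this page, not code from the original post. The record set is constructed from the indicators quoted above (domain, resolving IP, registrant e-mail, with None where the post gives no value); the two-hop cap on the pivot and the decision to treat a shared IP as a link of the same weight as a shared e-mail are assumptions made here for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed record set: (domain, resolving IP, registrant e-mail), reduced to the three
# fields the pivot needs and populated from the indicators quoted in the post. None means
# the post gives no value for that field.
RECORDS = [
    ("trafficconverter.in", "176.9.146.78", "krotreal@gmail.com"),
    ("traffictracker.in", "176.9.146.78", "krotreal@gmail.com"),
    ("celeb-search.com", None, "krotreal@gmail.com"),
    ("allcelebrity.ru", "176.9.146.78", None),
    ("easypereezd.ru", "176.9.146.78", None),
    ("gravityexp.com", "46.163.117.144", "francesca.muglia.130@istruzione.it"),
    ("nosnowfevere.com", "91.211.119.32", "djbroning@definefm.com"),
    ("sarscowoy.com", "176.28.22.32", "rmasela@ymail.com"),
    ("elitesecuritynet.com", "176.28.22.32", "pescifabio83@yahoo.fi"),
    ("ineverworrynet.com", "176.28.22.32", "pescifabio83@yahoo.fi"),
    ("testcitycheckers.com", "176.28.14.42", "pescifabio83@yahoo.fi"),
]

# Redirection chain as quoted in the post. The hxxp defanging is left in place: urlsplit
# accepts any alphabetic scheme, so the hostnames parse without refanging.
CHAIN = (
    "hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 -> "
    "hxxp://celeb-search.com/in.php?source=th&q=nude+girls -> "
    "hxxp://celeb-search.com/in3.php?source=th&q=nude+girls -> "
    "hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic -> "
    "hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= -> "
    "hxxp://gravityexp.com/go.php?sid=12 -> "
    "hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) -> "
    "hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> hxxp://nosnowfevere.com/ZqRqk -> "
    "hxxp://nosnowfevere.com/EHSvFc -> hxxp://nosnowfevere.com/XMDrkH"
)


def parse_chain(chain):
    """Split 'a -> b -> c' into (host, path, query) per hop, dropping '(...)' annotations."""
    hops = []
    for raw in chain.split("->"):
        url = re.sub(r"\s*\([^)]*\)", "", raw).strip()
        if url:
            parts = urlsplit(url)
            hops.append((parts.hostname, parts.path, parts.query))
    return hops


def pivot(records, seed_domains, max_hops=2):
    """Expand seed domains through shared registrant e-mail or IP.

    Returns {domain: hop}: 0 = seed, 1 = shares an attribute with a seed, 2 = shares one
    with a hop-1 domain. Hops are capped (assumption) because a shared hosting IP pulls
    in unrelated tenants after a step or two, which is exactly how a pivot goes wrong.
    """
    by_attr = defaultdict(set)   # ("ip", x) / ("email", y) -> domains carrying it
    attrs_of = defaultdict(set)  # domain -> its attributes
    for domain, ip, email in records:
        for attr in (("ip", ip), ("email", email)):
            if attr[1]:
                by_attr[attr].add(domain)
                attrs_of[domain].add(attr)
    hops = {d: 0 for d in seed_domains}
    frontier = set(seed_domains)
    for hop in range(1, max_hops + 1):
        reached = set()
        for domain in frontier:
            for attr in attrs_of[domain]:
                reached |= by_attr[attr]
        frontier = {d for d in reached if d not in hops}
        for domain in frontier:
            hops[domain] = hop
    return hops


def link_of(records, a, b):
    """Name the attribute(s) two domains share, for writing up why they were linked."""
    def attrs(dom):
        return {("ip", ip) for d, ip, _ in records if d == dom and ip} | \
               {("email", em) for d, _, em in records if d == dom and em}
    return sorted(attrs(a) & attrs(b))


def attribute_chain(chain, records, seed_domains):
    """Tag each hop of the chain with its pivot distance from the seeds (None = unlinked)."""
    distance = pivot(records, seed_domains)
    return [(host, distance.get(host)) for host, _, _ in parse_chain(chain)]


if __name__ == "__main__":
    for host, dist in attribute_chain(CHAIN, RECORDS, {"trafficconverter.in"}):
        print(f"{host:28s} pivot distance: {dist}")
    print(link_of(RECORDS, "trafficconverter.in", "allcelebrity.ru"))
```

Seeded with trafficconverter.in, the pivot reaches the first three hops of the chain (shared e-mail and shared IP) but never the Traffic Holder affiliate hosts, gravityexp.com or nosnowfevere.com, which is the point: the affiliate network and the exploit host belong to other parties in the chain, and a write-up should say so rather than fold them into the same actor. Seeded with sarscowoy.com instead, the Ransomware C&C reaches the pescifabio83@yahoo.fi domains in two hops, one via IP and one via e-mail, the kind of link worth stating with its evidence.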

What we've got here is a great example of the following: when you don't fear legal prosecution for fraudulent activities carried out over a period of several years, potentially earning you hundreds of thousands of dollars, you simply launch new projects, continuing to cause more harm and to fraudulently obtain funds from infected victims.
 
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.

Hat tip to Steven Adair from Shadowserver for the additional input.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Friday, October 26, 2012

Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two

With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions.

As you may remember, in Part One of the OSINT analysis of "Operation Ababil" I focused on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, which led to the successful DDoS attacks against these institutions. It appears that this was just one of the many stages of the campaign.

According to security researchers from Prolexic, the attackers also relied on a PHP-based DDoS attack script known as "itsoknoproblembro", installed on servers that were exploitable through the Bluestork Joomla template. By combining crowdsourced bandwidth with bandwidth from the compromised servers, the attackers managed to achieve their objectives.

The DDoS script in question, "itsoknoproblembro", had been publicly available as a download for months before the attacks started, indicating that it was not purpose-built for the campaign against major U.S. financial institutions.


Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A

Next to Prolexic's claims, th3j35t3r also published an analysis of the situation, one that relies primarily on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.

Sample screenshots of Multiboot.me's GUI:

With "Operation Ababil" continuing to fuel political tensions between the U.S. and Iran, which is blamed for organizing and launching these attacks, it's worth emphasizing the basics of 'false-flag' cyber operations and "aggregate-and-forget" botnets.

When was the first time you heard of Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters? A rhetorical question: right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily lay the foundations for what is now perceived as an Iranian cyber operation.

Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations: they chose to acquire bandwidth without outsourcing their needs to the ubiquitous and sophisticated Russian DDoS-on-demand services, which could have led to the easy identification of the service in question, and of the cybercriminals behind it.

Updates will be posted as soon as new intel becomes available.


Friday, September 28, 2012

Dissecting 'Operation Ababil' - an OSINT Analysis

Provoked by a questionable online video posted on YouTube, Muslims from around the world united in an apparent opt-in botnet crowdsourcing campaign aiming to launch DDoS (distributed denial of service) attacks against YouTube for keeping the video online, and against several major U.S. banks and financial institutions.

Dubbed "Operation Ababil" and operated by Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, the campaign appears to have had a limited but highly visible impact on the targeted web sites. Just as in every other crowdsourced opt-in botnet campaign, such as the "Coordinated Russia vs Georgia cyber attack in progress", the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign and "The DDoS Attack Against CNN.com" campaign, political sentiment over the attribution element has orbited around the notion that it was state-sponsored by the Iranian government.

What's so special about this attack? Did the individuals behind it possess sophisticated hacking or coding abilities? Was it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals who is part of the group that organized the campaign, spread its propaganda message to as many Muslim Facebook groups as possible, and claimed responsibility for the attacks once they took place.

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":


The original message left is as follows:
"Operation Ababil, The second week
In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers.
Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions.
The officials claimed that certain countries have taken these measures to solve their internal problems.
We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks.
Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him).
So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.
Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack.
We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day.
We repeat again the attacks will continue for sure till the removal of that sacrilegious movie.
We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.
Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com
Wednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com
Thursday 9/27/2012 : attack to PNC site, www.pnc.com
Weekends: planning for the next week' attacks.
Mrt. Izz ad-Din al-Qassam Cyber Fighters"

Periodically, the group also released update notes for the campaigns currently taking place:


The original message published is as follows:
"Operation Ababil" started over BoA :
http://pastebin.com/mCHia4W5
http://pastebin.com/wMma9zyG
In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue until the Erasing of that nasty movie from the Internet.
The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !
Down with modern infidels.
### Cyber fighters of Izz ad-din Al qassam ###"

Second statement released by the group:


The original message published is as follows:
"Dear Muslim youths, Muslims Nations and are noblemen
When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.
All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie.
We will attack them for this insult with all we have.
All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.
We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type.
Down with modern infidels."

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet-connected users, who would later be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool used in the campaign.

Sample screenshot of the DDoS script in Arabic:


Inside the .html file, we can see that only three web addresses are targeted by the script:


Detection rate for the DDoS script:
youtube.html - MD5: c3fd7601b4aefe70e4a8f6d73bf5c997
Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924

Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script hosted on 4shared.com and Mediafire.com. What's particularly interesting is that the files were uploaded by a user going under the handle "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.
Thanks to this, we could easily identify the user's Facebook account and spot the original message seeking participation in the upcoming attacks.

Marzi Mahdavi II's Facebook account:


Sample shared Wall post seeking participation in the upcoming DDoS campaign:


Sample blog post enticing users to participate:


Marzi Mahdavi II once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:

Second blog post enticing users to participate in the DDoS campaign:


This very latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me to one of two conclusions: either Iran's hacktivist community is lagging years behind sophisticated Eastern European hacking teams and cybercrime-friendly communities, or Iran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in "catch-up mode" with the rest of the world when it comes to offensive cyber operations.

Did these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data from Host-Tracker, they seem to have achieved limited but visible results, a rather surprising fact given the low-profile DDoS script released by the campaigners.

Sample Host-Tracker report for a targeted web site during the campaign:
Second Host-Tracker report for a targeted web site during the campaign:
Third Host-Tracker report for a targeted web site during the campaign:
Fourth Host-Tracker report for a targeted web site during the campaign:
Fifth Host-Tracker report for a targeted web site during the campaign:

Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the previous DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations, especially given the centralized nature of the group's chain of command.

What's also worth pointing out is that this is the first public appearance of the group claiming responsibility for these attacks. Considering this, and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet could engineer cyber warfare tensions between Iran and the U.S. simply by impersonating what's believed to be an Iranian group.


Tuesday, May 08, 2012

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

The gang behind the Lizamoon mass SQL injection attacks is continuing to efficiently inject malicious code into hundreds of thousands of legitimate sites, for the purpose of serving fake security software -- also known as scareware -- and client-side exploits.

The latest round of the campaign serves client-side exploits through multiple redirections that take place once the end user loads the malicious script embedded on a legitimate site. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.

What are the currently SQL-injected malicious domains? How does the redirection take place? Did the gang put basic QA (quality assurance) tactics in place? Let's find out.


Currently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE Hosting), with the following domains currently responding to that IP:
skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com
njukol.com/r.php - Email: jamesnorthone@hotmailbox.com
hnjhkm.com/r.php - Email: jamesnorthone@hotmailbox.com
nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com
hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com
uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com
uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com
werlontally.net/r.php - Email: jamesnorthone@hotmailbox.com

March's round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”).

The redirection takes us to two domains: www3.topcumaster.com - 75.102.21.120 (AS23352, SERVERCENTRAL) and www1.safe-wnmaster.it.cx - 217.23.8.123 (AS49981, WorldStream).

Parked at 75.102.21.120 are also the following domains:
www3.personal-scanera.com - Email: benji.rubes@yahoo.com
www3.personalvoguard.com - Email: benji.rubes@yahoo.com
www3.hard-zdsentinel.com - Email: benji.rubes@yahoo.com
www3.bestbxcleaner.com - Email: benji.rubes@yahoo.com
www3.topcumaster.com - Email: benji.rubes@yahoo.com
www3.safe-defensefu.com - Email: benji.rubes@yahoo.com

Parked on 217.23.8.123 are also the following client-side exploits serving domains part of the Lizamoon mass SQL injection attacks:
www1.thebestscannerdc.it.cx/i.html
www1.safebh-defense.it.cx/i.html
www1.strongdkdefense.it.cx/i.html
www2.best-czsuite.it.cx/i.html
www1.smartmasterf.it.cx/i.html
www1.simplescanerei.it.cx/i.html
www1.bestic-network.it.cx/i.html
www1.topqonetwork.it.cx/i.html
www2.topasnetwork.it.cx/i.html
www1.powerynetwork.it.cx/i.html
www1.simplemasterzk.it.cx/i.html
www1.powerneholder.it.cx/i.html
www1.personalkochecker.it.cx/i.html
www1.smarthdschecker.it.cx/i.html
www1.safebacleaner.it.cx/i.html
www1.strongzkcleaner.it.cx/i.html
www1.topumcleaner.it.cx/i.html
www1.topgdscanner.it.cx/i.html
www1.smartwoscanner.it.cx/i.html
www1.safe-wnmaster.it.cx/i.html
www1.powervmaster.it.cx/i.html
www1.top-armyvs.it.cx/i.html
www2.saveocsoft.it.cx/i.html
www1.top-zjsoft.it.cx/i.html
www1.powerdefensekt.it.cx/i.html
www1.best-scanersw.it.cx/i.html
www1.powermb-security.it.cx/i.html
www1.strongxd-security.it.cx/i.html
www1.strongbtsecurity.it.cx/i.html

Client-side exploits, CVE-2010-0188 and CVE-2012-0507 in particular, are served through the i.html file located on these hosts. For client-side exploitation to take place, the redirection chain must be followed correctly; if not, the server returns a "404 Error Message" when a specific file that is part of the campaign is requested. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign is that for certain periods of time it will purposely serve a "404 Error Message" no matter what.
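The two-stage shape described above (an r.php redirector on one of the injected domains, then an i.html landing page on a www<N>.<name>.it.cx host, with a 404 whenever the chain is broken or during the gang's deliberate 404 periods) is what a defender would look for in proxy logs. The detector below is an added example written for this page, not the post's own tooling. The stage-one hosts are the ones listed above; matching stage-two hosts on their hostname shape rather than on the exact list, the 60-second pairing window, and the log format are all assumptions made here, and the log lines are constructed for the example, not captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Stage-one redirectors listed in the post (the r.php hosts parked at 31.210.100.242).
STAGE1_HOSTS = {
    "skdjui.com", "njukol.com", "hnjhkm.com", "nikjju.com",
    "hgbyju.com", "uhjiku.com", "uhijku.com", "werlontally.net",
}
# Stage-two landing hosts follow the www<digit>.<name>.it.cx shape seen in the post;
# matching on shape rather than on the exact list is an assumption made here so that
# hosts rotated in after the list was taken are still caught.
STAGE2_HOST_RE = re.compile(r"^www\d\.[a-z0-9-]+\.it\.cx$")

# Constructed proxy log, one request per line: timestamp client method url status.
# This is invented sample data for the example, not captured traffic.
SAMPLE_LOG = """\
2012-05-08T10:01:02 10.0.0.5 GET http://www.example-legit-site.com/page.asp 200
2012-05-08T10:01:03 10.0.0.5 GET http://nikjju.com/r.php 302
2012-05-08T10:01:04 10.0.0.5 GET http://www3.topcumaster.com/ 302
2012-05-08T10:01:05 10.0.0.5 GET http://www1.safe-wnmaster.it.cx/i.html 200
2012-05-08T10:01:06 10.0.0.5 GET http://www1.safe-wnmaster.it.cx/x.pdf 200
2012-05-08T10:05:00 10.0.0.9 GET http://hgbyju.com/r.php 302
2012-05-08T10:05:01 10.0.0.9 GET http://www1.topgdscanner.it.cx/i.html 404
2012-05-08T10:30:00 10.0.0.7 GET http://www1.simplemasterzk.it.cx/i.html 200
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and a split URL."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client, "method": method,
        "host": parts.hostname or "", "path": parts.path, "status": int(status),
    }


def stage_of(entry):
    """'stage1' for an r.php redirector hit, 'stage2' for an i.html landing hit, else None."""
    if entry["host"] in STAGE1_HOSTS and entry["path"] == "/r.php":
        return "stage1"
    if STAGE2_HOST_RE.match(entry["host"]) and entry["path"] == "/i.html":
        return "stage2"
    return None


def correlate(log_text, window=timedelta(seconds=60)):
    """Pair each client's r.php hit with the i.html request that follows it.

    Returns (client, verdict, host) triples:
      landing-served              r.php then i.html with HTTP 200 inside the window
      landing-<status>            r.php then i.html but a non-200 answer (the campaign's
                                  own 404 for a broken chain, or its deliberate 404 period)
      landing-without-redirector  i.html fetched with no preceding r.php: a scanner,
                                  a manual check, or a chain we did not see
      redirector-only             r.php hit that never reached a landing page
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            entry["stage"] = stage_of(entry)
            if entry["stage"]:
                by_client[entry["client"]].append(entry)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        pending = None  # the most recent unmatched stage-one hit for this client
        for e in events:
            if e["stage"] == "stage1":
                if pending is not None:
                    findings.append((client, "redirector-only", pending["host"]))
                pending = e
                continue
            if pending is not None and e["ts"] - pending["ts"] <= window:
                verdict = "landing-served" if e["status"] == 200 else f"landing-{e['status']}"
                pending = None
            else:
                verdict = "landing-without-redirector"
            findings.append((client, verdict, e["host"]))
        if pending is not None:
            findings.append((client, "redirector-only", pending["host"]))
    return findings


if __name__ == "__main__":
    for client, verdict, host in correlate(SAMPLE_LOG):
        print(f"{client:10s} {verdict:28s} {host}")
```

A "landing-served" client is the one to pull off the network first; a "landing-404" client was in the chain but, for that request at least, got the campaign's 404 rather than the exploit, which is worth recording but not the same priority. Because the campaign does not check the referrer, the "landing-without-redirector" verdict usually means someone fetched i.html by hand (an analyst or a scanner) rather than a victim, and the 404 that such a direct fetch often receives is the broken-chain behaviour described above, not proof the host is clean.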

Updates will be posted, as soon as new developments emerge.


Monday, January 09, 2012

Who's Behind the Koobface Botnet? - An OSINT Analysis

In this post, I will perform an OSINT analysis exposing one of the key botnet masters behind the infamous Koobface botnet, which I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses and the license plate of a BMW, and directly connect him with the infrastructure -- now offline or migrated elsewhere -- of Koobface 1.0.
The analysis is based on a single mistake the botnet master made: using his personal email to register a domain parked within Koobface's command and control infrastructure, which at a particular moment in time was directly redirecting to the ubiquitous fake YouTube page pushed by the Koobface botnet.

Let's start from the basics. Here's an excerpt from previous research conducted on the Koobface botnet:

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand by mode at least for the time being.

The Koobface botnet master's biggest mistake was using the Koobface infrastructure to host a domain registered with his personal email address, in this case zaebalinax.com and krotreal@gmail.com. zaebalinax.com literally translates to "Gave up on Linux". UPDATED: Multiple readers have contacted me to point out that zaebalinax actually translates to "f*ck you all" or "you all are p*ssing me off".

The same email, krotreal@gmail.com, was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007:

The following telephone number belonging to Anton was provided: +79219910190. The interesting part is that the same number was also used in another advertisement, this time for the sale of a BMW:


Photos of the BMW offered for sale by the same Anton who was using the Koobface infrastructure to host zaebalinax.com (Email: krotreal@gmail.com):


Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of his online activities:

Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:
+79219910190
+380505450601
050-545-06-01
ICQ - 444374
Emails: krotreal@yahoo.com
krotreal@gmail.com
krotreal@mail.ru
krotreal@livejournal.com
newfider@rambler.ru
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal
Vkontakte.ru Account: KrotReal; tonystarx 
Foursquare Account: KrotReal

Also, a chat log from 2003 identifies KrotReal while he's connecting from the following host: krotreal@ip-534.dialup.cl.spb.ru

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.

Go through previous research conducted on the Koobface botnet:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
10 things you didn't know about the Koobface gang
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign


Tuesday, January 03, 2012

Profiling a Vendor of Visa/Mastercard Plastics and Holograms

What is it that cybercriminals need once they have obtained access to stolen financial data? Next to money mules, it's empty plastic cards onto which they will later embed the stolen financial data.

Let's profile a vendor of empty Visa/Mastercard plastic cards and holograms in order to gain a better picture of just how easy it is to obtain such plastic cards.

Associated nickname: pizzA
Associated ICQ: 496-872-531
Associated email: plastics@safe-mail.net

Translated vendor's proposition:
Below you have prices and samples of my products.

Plastics - Blanks:
1-50 = 15 each
51-100 = 14 each
101+ = 13 each
201+ = 12 each

Plastics - Embossed
1 and up = 20 each
101+ = 18 each
201+ = 17 each

Minimum order: 200USD
Shipping to: USA, International orders (min $800 + shipping)
Plastics have UV Security print on Front and Back.

Holograms Stickers and Heatpress:
VISA - Silver/Gold
VISA mini - Silver/Gold 
MasterCard - Silver/Gold
Minimum order on stickers: 500pcs
Minimum order on Heatpress: 1000pcs

$0.8 per hologram

PAYMENT:
Liberty Reserve (Preferred)
Western Union (500 USD minimum + 8% WU fee)

RULES: 
- Any order, question feel free to ask in ICQ.
- Shipping time 24-48 after the money is picked up.
- PLEASE USE THIS TOPIC ONLY FOR FEEDBACK, ANY QUESTION AND ORDERS in ICQ.
- If you buy from me it means you agreed to my rules.

Screenshots of his inventory of Visa and Mastercard plastics and holograms:
