[SecurityRatty] tag: fraudulent

Romanian pleads guilty to phishing-related charges

Thu, 09 Oct 2008 20:00:00 +0000

A Romanian man pleaded guilty earlier this week to charges related to possession of stolen credit card information obtained from fraudulent Web sites.

A Diverse Portfolio of Fake Security Software - Part Seven

Tue, 30 Sep 2008 12:35:15 +0000

In case you haven't heard - Microsoft and the Washington state are suing a U.S based -- naturally -- "scareware" vendor Branch Software :

"We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist," Washington Attorney General Rob McKenna said. "We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach."

Sadly, Branch Software is the tip of the iceberg on the top of the affiliates participating in different affiliation based programs, which similar to IBSOFTWARE CYPRUS and Interactivebrands, which I've been tracking down for a while, are the aggregators of scareware that popped up on the radars due to their extensive portfolios. These three companies offering software bundles or plain simple fake software, are somewhere in between the food chain of this ecosystem, with the real vendors paying out the commissions on a per installation basis slowly starting to issue invitation codes that they've distributed only across invite-only forums/sections of particular forums.

Behind these brands is everyone that is participating in the franchise and is putting personal efforts into monetizing the high payout rates that the fake security software vendor is paying for successful installation. These high payout rates -- with the financing naturally coming straight from other criminal activities online -- are in fact so high, that I can easily say that the last two quarters we've witnesses the largest increase of such domains ever, and they're only heating up since the typosquatting possibilities are countless and they seem to know that as well.

It's important to point out that their business model of acquiring traffic is outsourced to all the affiliates that do the blackhat SEO, SQL injections, web sessions hijacking of malware infected hosts in order to monetize, so basically, you have an affiliates network whose actions are directly driving the growth into all these areas. Throwing money into the underground marketplace as a "financial injection", is proving itself as a growth factor, and incentive for innovation on behalf of all the participants.

Here are some of the most recent fake security software domains, a "deja vu" moment with a known RBN domain from a "previous life" that is also parked at one of the servers, and evidence that typosquatting for fraudulent purposes is still pretty active with a dozen of Norton Antivirus related domains, some of which have already started issuing "fake security notices" by brandjacking the vendor for traffic acquisition purposes.

Antivirus-Alert .com (203.117.111.47) where pepato .org a domain that was used in the Wired.com and History.com IFRAME injections, which back in March was also hosted at Hostfresh (58.65.238.59).

softload2008name .com (78.157.143.250)
softload2008nm .com
softload2008n .com
softload2008jq .com

microantivir-2009 .com (91.208.0.223)
scanner.microantivir-2009 .com
microantivir2009 .com
microantivirus-2009 .com
microantivirus2009 .com

ms-scan .com (91.208.0.228)
msscanner .com
ms-scanner .com

Personalantispy .com (93.190.139.197)
freepcsecure .com
quickinstallpack .com
quickdownloadpro .com
advancedcleaner .com
performanceoptimizer .com
internetanonymizer .com

ieprogramming .com (92.62.101.83)
uptodatepage .com
fileliveupdate .com
qwertypages .com
sharedupdates .com
ierenewals .com

norton-antivirus-alert .com
norton-anti-virus-2007 .com
norton-antivirus-2007 .com
norton-antivirus2007 .com
nortonantivirus2007 .com
norton-antivirus-2008 .com
nortonantivirus2008 .com
nortonantivirus2008freedownload .com
norton-antivirus-2009 .com
nortonantivirus2009 .com
norton-antivirus-2010 .com
nortonantivirus2010 .com
nortonantivirus360 .com
nortonantivirus8 .com
nortonantivirusa .com
nortonantivirusactivation .com
norton-antivirus-alert .com
nortonantivirusalerts .com
norton--anti-virus .com
norton-anti-virus .com
norton-antivirus .com
nortonanti-virus .com
nortonantivirus.com
nortonantiviruscom .com
nortonantiviruscorporate .com
nortonantiviruscorporateedition .com
nortonantiviruscoupon .com
nortonantivirusdefinition .com
nortonantivirusdefinitions .com
nortonantivirusdirect .com

Fake Antivirus Inc. is not going away as long as the affiliate based model remains active. If the real vendors were greedy enough not to share the revenues with others, they would have been the one popping up on the radar, compared to the situation where it's the affiliate network's participations greed that's increasing their visibility online.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Cybersquatting Symantec's Norton AntiVirus
Cybersquatting Security Vendors for Fraudulent Purposes
Fake Porn Sites Serving Malware - Part Three
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
EstDomains and Intercage VS Cybercrime
Fake Security Software Domains Serving Exploits
Localized Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

For Some, Stealing IDs Means More Than Fast Cash

Thu, 18 Sep 2008 07:54:49 +0000

Over a hundred people in the last few years have been charged with stealing IDs of dead people, in order to evade the law for various reasons — something that could probably be avoided with better computerized ID systems. Granted a hundred out of how many billion in the States is not that many people, however other reasons for ID theft are sometimes overlooked when we talk about scams. Here are some of the details:

Several of the defendants have been convicted of stealing dead people’s identities to cover up their status as illegal immigrants, military deserters or convicted drunken drivers, federal officials said.

Between July 2005 and August of this year, 112 people were charged in federal court as part of the investigation, which federal officials called “Operation Deathmatch.” Authorities seized $650,000 in cash, a Mercedes-Benz, three guns and more than 80 of the fraudulent passports.

For more case studies, read the article in the SF Gate (online version of the Chronicle).

Adult Network of 1448 Domains Compromised

Mon, 15 Sep 2008 03:54:19 +0000

With millions of malware infected PCs participating in a botnet, the probability that a high profile end user whose domain portfolio consisting of over 1,400 high trafficked adult web sites, would end up having his accounting data stolen, is gradually increasing.

That seems to be the case with the CPanel of the Bang Bros network of adult web sites, the accounting data for which was obtained through a botnet in which the administrator seems to have been unknowingly participating in. None of the sites have been embedded with malware so far, however, taking into consideration the high traffic this adult network attracts as well as the fact that he person managing the domains portfolio is part of a botnet, that may change pretty fast.

A single malware infection always triggers the entire malicious effect, from the malware automatically SQL injection vulnerable sites, and providing infrastructure for scams and fraudulent activities, to allowing the botnet master to parse the huge log of stolen accounting data and look for Cpanels and anything allowing him to efficiently compromise a network of sites he wouldn't have been able to compromise if it wasn't the "weakest link" centralizing the entire portfolio in a single location.

And whereas for the time being, propositions for selling compromised CPanel accounts are mostly random, in the long term, fueled by the demand for compromised domains, we may witness the emergence of yet another market segment in the underground economy, with price ranges based on the pagerank of the domain in question, the type of browsers and the traffic sources visiting it. Until then, SQL injections through search engines reconnaissance executed through a botnet, will remain the efficient tactic of choice for abusing legitimate domains as redirectors to malicious ones.

Links List 9.5.08

Fri, 05 Sep 2008 14:52:47 +0000

Sanjay Kumar is singing like a canary from federal prison. Just when you thought it was over, the CA accounting scandal is back and even more juicy. Ex-CEO Kumar is about a year into his 12-year prison term but still busy pointing the finger at everyone else who he says knew about the company’s fraudulent accounting practices that lead to $2.2 billion in misstated revenue. From a former Salomon Brothers vice chairman to a former US senator to company founder Charles Wang, it looks like open season on CA board directors.

Ten days before VMworld and VMware still can’t get good press. First their CEO, Diane Greene, gets ousted, then a high-profile licensing bug is found and now the Director of R&D, Richard Sarwal, leaves his $1.25 million salary after just 7 months. (Note to self: get into R&D) It will be interesting to take the pulse of the VMware community at the show and in person. And in the meantime, Microsoft Hyper-V comes out of the gate with customers already touting its benefits.

The hypervisor is the “new” operating system. If you didn’t think that before, take a look at Red Hat’s purchase of Qumranet for $107 million. With Qumranet, Red Hat gets KVM, described by CTO Brian Stevens as an extension to the Linux kernel that allows it to be used as a bare-metal hypervisor, running directly on the underlying hardware and hosting guest operating systems. But according to Brian Madden, the “press” around the purchase is all focusing on the not-so-interesting part. Along with KVM, the SolidICE product includes Spice, a remote display protocol for VDI.

I wonder if this will be like Symantec buying Altiris or Microsoft buying Softricity, where the portion that we care about sort of loses focus as The Borg concentrates on the parts of the acquired technology that are more relevant to them?

(I’m a sucker for quotes that reference The Borg)

Network World publishes “10 open source companies to watch”. On the list, Qumranet!

Also on the list: Kickfire, Marketcetera, Vyatta, Sonatype, Untangle, XAware, SnapLogic, Acquia and Openmoko. What’s best about the list: Matt Asay gives it a thumbs up.

Amazon's Mechanical Turk Used for Fraudulent Activities

Sat, 30 Aug 2008 11:50:18 +0000

Although these HITs may stop short of being "fraud" in the legal sense of the word, they are certainly dishonest and unsavory. In addition to these spam bookmarking requests, we're also seeing HITs for Diggs, Stumbles, Slashdots, etc. of spammers' web pages and web sites.

Facebook Malware Campaigns Rotating Tactics

Wed, 27 Aug 2008 06:04:51 +0000

Trust is vital, and coming up with ways to multiply the trust factor is crucial for a successful malware campaign spreading across social networks. Excluding the publicly available malware modules for spreading across popular social networking sites, using the presumably, already phished accounts for the foundation of the trust factor, the recent malware campaigns spreading across Facebook and Myspace are all about plain simple social engineering and a combination of tactics.

However, in between combining typosquatting and on purposely introducing longer subdomains impersonating a web application's directory structure, there are certain exceptions. Like this flash file hosted at ImageShack and spammed across Facebook profiles, which at a particular moment in the past few days used to redirect to client-side exploits served on behalf of a shady affiliate network that's apparently geolocating the campaigns based on where the visitors are coming from.

img228.imageshack .us/img228/3238/gameonit4.swf redirects to ermacysoffer .info - (216.52.184.243) and to tracking.profitsource .net (67.208.131.124) that's also responding to p223in.linktrust .com (67.208.131.124). Just for the record, we also have halifax-cnline.co.uk parked at 216.52.184.243, 69.64.145.229 and 69.64.145.229, known badware IPs related to previous fraudulent activity.

Moreover, cross-checking this campaign with another Facebook malware campaign enticing users to visit whitneyganykus.blogspot .com where a javascript obfuscation redirects to absvdfd87 .com and from there to the already known tracking.profitsource .net/redir.aspx?CID=9725&AFID=28836&DID=44292, and given that absvdfd87.com is parked at the now known 69.64.145.229, we have a decent smoking gun connecting the two campaigns.

Facebook is often advising that users stay away from weird URLs, does this mean ignoring ImageShack and Blogspot altogether? The next malware campaign could be taking advantage of DoubleClick and AdSense redirectors - for starters.

Technology Tales from Thailand: KBank Fraud Management

Wed, 20 Aug 2008 03:16:51 +0000

In The Magical ATM Card and SMS Message in Thailand we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in Keyloggers: Why Banks Need Two-Factor Authentication I described how KBank uses SMS-based one-time-passwords (OTP) to authenticate transactions.

In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card. I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction. The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature. (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).

As the story goes, I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit dard. Why?

My US-based VISA debit card was cloned sometime on or before August 8th. I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant. The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.

This would not have happened with KBank SMS-based transaction notification services.

The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water”). If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai. I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.

In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc). You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.

I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US. I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.

Malicious Adobe Flash Ads Hit High-Profile Websites

Mon, 18 Aug 2008 19:17:04 +0000

According to a post on the Bluetack Internet Security Solutions site, Newsweek.com is suspected of running rogue banner advertisements that try to trick visitors into installing fraudulent anti-malware programs. Newsweek.com is one of several high-profile websites accused of exposing its readers to dangerous ads. The malicious ads have been appearing on Newsweek’s website via feeds that [...]

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.