MGD Premium,MVM join:2002-07-31 kudos:9 1 edit |

said by Mr Fel: ..... That's one machine down, insanely high number left to go. Still curious as to what the vector is in accumulating a diverse group of machines into a nefarious proxy bot. I also wanted to see if your college's IP or other ones from Louisville.edu were still on the list. I initially suspected that the proxy server may be embedded in some app that targets students to willingly download it, though that is pure speculation. Other than the obvious, I have no information as to how Truesocks operates.
I went looking for "muieflooderu" in an attempt to follow up and recheck the status of that Louisville.edu IP. However, there have been no signs of our Phishtrack cyber criminal in the past week or so. No new phish submits could be attributed to his profile. Trolling the virtual cyber streets of Bucharest and Constanta soon picked up the trail of his known profile. His pc "HOME-030E0A73B7" was in global cyber crime mode originating from his usual IP, 79.117.95.47 [79-117-95-47.rdsnet.ro]. His absence on Phishtrack appears to be from the fact that he was for now apparently focusing on Asia and Australia via the US. Though originating from the relative safety and immunity of 79.117.95.47 he was double proxying his outbound connection. First to an IP in North America, then he had selected a Truesocks proxied machine in Las Vegas which he would appear to be originating from:

A sample of the cyber crime activities that he was found to be engaged in. Of particular note to those who detect intrusion attempts and scanning: you can see how difficult it is to know where the attacks are actually originating from. These few observation examples of the cyber criminal's ongoing activities demonstrate the futility of identifying the inbound source data as the probable location of the culprit. In these examples, our prolific cyber criminal is originating in Romania, then via a proxy in North America, then a second proxy in a compromised machine in Las Vegas, Nevada. From there he is accessing compromised machines in Korea, China, and Singapore. At those three sites he is then generating mass scanning of IPs in Taiwan for open port 22 availability.

Once the scanning results at APNIC are complete he will then utilize the list for an automated brute force SSH attack in order to gain entry.
As displayed above, on initial compromise he downloads root.tgz and mig.tgz from his long-term stash on another hijacked machine:

His stash contains a host of exploit tools, including for SQL and XSS exploits, SMTP, FTP, RTS / RDC. If you run a mail server, have open ports for FTP, SSH, RTS or RDC, then this cyber criminal, or the thousands of others like him, will scan your range in short order. If you are using user ids / passwords that are common, you will be owned in no time.
As is typical with most cyber criminals, while his automated scanning and hacking activities are underway, he is involved in multiple cyber crimes. In this case our Phishtrack phisher was tending to victim data retrieval on one of his operating bank phishing sites, Commonwealth Bank in Australia:

The lookalike Australian bank fraud domain COMMONVVEALTH.COM »whois.domaintools.com/commonvvealth.com (Note the two letters "v" to imitate a "w") was just registered via his usual NAMEBAY.com service to a carded prior phish victim in Kapaau, Hawaii. The fake bank COMMONVVEALTH.COM phishing website is hosted on another of his compromised machines in Korea.
To round out "a day in the life of a prolific cyber criminal" he also prepared the following:
quote: Re: 50" plasma tv
Hi, I've put the package to be ready for shipping at your shipping address. You can verify online, the status of the shipping here:
>http://www.air-c-exp.com/ TRACKING NUMBER: P1199720854
I've forgot to announce you that I am not in Australia, I am in UK working here. All the documents for the Plasma TV are in the box, instructions, warranty. I can not receive the money thru bank account, you will have to send them to me thru Western Union at the following details:
Name: BENJAMIN BRADY Address: 23 IBIS CCT City: LONDON Country: UNITED KINGDOM Zip: SW113BZ
Note: You will have to write the reason you are sending that money to me. Write the simple word: PAYMENT Do not forget to specify that the receiver (meaning me) will pickup the money with ID
Please take the amount of money AU 650.00$ and send it with Western Union Money Transfer at the details I mentioned before. The tax of the transfer will cost you around $20-30, pay the tax from the amount of money of AU 650.00$ . Please make the payment as soon as you have done to read this e-mail because I have to give those money to the company where I work. You can find the Western Union almost in any bank. Take a form and write on it my details. After you send the money you will receive a code (10 numbers) called Money Transfer Control Number and give it to me so I can pick up the money you've send. You only give the MTCN to me by replying at e-mail, don't send it to the shipping company,ebay or other companies/persons.
To send money, you will have to take with you your ID. I am waiting for reply. Thanks.
air-c-exp.com is from the criminal's toolchest of bogus escrow and shipping websites.
That message in preparation was destined for the winner of an EBAY.AU auction that he had just held for a non-existent 50" Plasma TV:

Ref:»cgi.ebay.com.au/ws/eBayISAPI.dll···:AU:1123
The fresh Ebay.AU account was opened in the name and with the banking data of a recent phish victim. Again, with the fraud auction being in Australia and the money drop in the UK, one would have no idea as to the true location of the scammer.
His current list of available Truesocks proxies sorted by name and containing .edu:

That Louisville.edu IP was not on it anymore, nor any from there, for that matter. His available list of nefarious proxy machines above showed over 900 available machines in the US at that time. While all the home providers, Comcast, AT&T, Verizon, etc. were well represented on there, I again looked for how .edu was represented. There still appears to be a heavy concentration, which might offer some speculation as to what the modus operandi is for turning them into proxy machines. Sorting the cyber criminal's available Truesocks proxy lists by name and pulling the pages with .edu entries yields the following:

I do not believe there is any way to make a reasonable judgement as to how these machines are ending up as proxies for international cyber crime activities. They could solely be just minimally invaded for proxy functions, or could be leased from an existing pool of botted machines. Difficult to tell without hearing back from an analysis done on the inside.
MGD |
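The post describes mass scanning for open port 22 followed by automated SSH password brute forcing, and warns that common user ids and passwords get a machine owned in short order. As an added example (not part of the post above, and not any tool of the criminal or of Truesocks), the script below shows the defender's side of that pattern: it parses sshd auth-log lines, counts failed logins per source address inside a sliding time window, and flags a source that crosses a threshold, noting whether a successful login followed the spray. The log lines are constructed for illustration with documentation-range addresses; the threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not from the post).
# 203.0.113.7 sprays several accounts and then lands "root";
# 198.51.100.22 is a legitimate user who mistyped once and then used a key.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 host sshd[4121]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar  3 02:14:03 host sshd[4121]: Failed password for root from 203.0.113.7 port 51035 ssh2
Mar  3 02:14:05 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51036 ssh2
Mar  3 02:14:07 host sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51037 ssh2
Mar  3 02:14:09 host sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51038 ssh2
Mar  3 02:14:12 host sshd[4121]: Accepted password for root from 203.0.113.7 port 51039 ssh2
Mar  3 02:20:44 host sshd[4190]: Failed password for alice from 198.51.100.22 port 40011 ssh2
Mar  3 02:20:51 host sshd[4190]: Accepted publickey for alice from 198.51.100.22 port 40012 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>",
# as well as "Accepted password|publickey for <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text):
    """Turn raw sshd log text into a list of login events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; that is fine for short-window correlation
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag any source IP with at least `threshold` failed logins inside a
    `window_seconds` sliding window (assumed values; tune per site).  For each
    flagged source, also report accounts that logged in successfully after
    the failures, which is the spray-then-hit pattern worth paging on."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]

        # sliding window over the sorted failure timestamps
        flagged = False
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged = True
                break
        if not flagged:
            continue

        last_fail = fails[-1]["ts"]
        success_after = [e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] > last_fail]
        alerts[ip] = {
            "failed_attempts": len(fails),
            "distinct_users": sorted({e["user"] for e in fails}),
            "success_after_failures": success_after,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

In practice the same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output and feeds a block list or an alert; the "success after failures" field is the one that separates background scanning noise from an actual compromise of the kind the post describes.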