Wednesday, May 25, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT


With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices in particular a very well segmented group of mule recruiters using identical templates which they've purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offine:
allston-groupsec.cc
atca-inc.com
atcanetworks.net
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
BANDS-GROUPSVC.COM
BANDS-INC.COM
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
evolving-inc.com
evolvingsysinc.net
galleogroupnet.net
galleo-inc.com
GIANT-GROUPCO.NET
GIANTGROUPINC.COM
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
HOSTGROUPINC.COM
HOSTGROUP-INC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
ICT-GROUPCO.COM
ICTGROUPINC.COM
ICTGROUPNET.CC
ICT-GROUPSVC.NET
IMPERIALGROUPCO.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
infotechgroup-inc.com
jvc-inc.com
magnet-groupinc.cc
netmarket-inc.com
netmarkettech.net
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC
USIGROUPINC.COM
USIGROUP-INC.COM
USI-GROUPINC.NET
USIGROUPNET.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW

developgroupinc.net - 69.50.199.209 - Email: slows@5mx.ru
develop-inc.com - 69.50.199.209 - Email: etude@qx8.ru
mercygroupnet.net - 69.50.198.218 - Email: bowie@bigmailbox.ru
mercy-inc.com - 69.50.198.221 - Email: spout@freenetbox.ru
solarisgroupinc.com - 69.50.199.209 - Email: slows@5mx.ru
solarisgroupnet.net - 69.50.198.197 - Email: sharp@maillife.ru
jvc-inc.com - 69.50.198.210 - Email: etude@qx8.ru
jvcgroupnet.net - 69.50.198.221 - Email: spout@freenetbox.ru

Name servers of notice, historical OSINT for the responding IPs provided:
ns1.kalipso19.cc - 208.110.80.34 - Email: tarts@freenetbox.ru
ns2.kalipso19.cc - 64.85.169.70
ns3.kalipso19.cc - 173.208.132.42

ns1.mamacholi.net - 208.110.80.35 - Email: excess@bigmailbox.ru
ns2.mamacholi.net - 64.85.169.71
ns3.mamacholi.net - 173.208.132.43

ns1.rjevski.com - 208.110.80.34 - Email: low@bigmailbox.ru
ns2.rjevski.com - 64.85.169.70
ns3.rjevski.com - 173.208.132.42

ns1.runlesrun.cc - 208.110.80.37 - Email: frost@bigmailbox.ru
ns2.runlesrun.cc - 64.85.169.73
ns3.runlesrun.cc - 173.208.132.45

ns1.skotinko.net - 208.110.80.38 - Email: info@dnregistrar.ru
ns2.skotinko.net - 64.85.169.74
ns3.skotinko.net - 173.208.132.46

ns1.solojumper.com - 208.110.80.36 - Email: crime@bigmailbox.ru
ns2.solojumper.com - 64.85.169.72
ns3.solojumper.com - 173.208.132.44

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

No comments:

Post a Comment