Sunday, May 31, 2009

Phishers Try MSN Worms to steal credentials

At the University of Alabama at Birmingham our Computer Forensics students are working on a large number of spam and phishing related projects. One of those includes tracking the Fast Flux nodes related to various botnets. As I was meeting with one of the students this week to talk about a particular phishing botnet we noticed that the hosts were doing something that seemed to be related to MSN.



In this particular botnet, computers take turns hosting the phishing websites for various banks. For instance at the end of this week, the botnet was hosting phishing sites like these:

www.mybank.alliance-leicester24.com
www.mybank.alliance-leicester39.com
www.mybank.alliance-leicester93.com
www.mybank.alliance-leicester01.cn
www.mybank.alliance-leicester98.cn

or these:

mibusinessonlinebanking.mibank.com.dir-27612.ffifjl1.com
mibusinessonlinebanking.mibank.com.dir-4712.fjfl1j.net
mibusinessonlinebanking.mibank.com.dir-7158.f1ifjl1.net

or these:

www.bankofscotlandbusiness.co.uk.session64016.sterrss.com
www.bankofscotlandbusiness.co.uk.session6297.vdsl1.com

or these:

www.bankofamerica.com.srv_28742.idfsre.com
www.bankofamerica.com.srv_1470.nfillil.com.sg
www.bankofamerica.com.srv_31682.fgtsssa.com
www.bankofamerica.com.srv_77000.nfillil.net.sg
www.bankofamerica.com.srv_67075.fjtiili.com
www.bankofamerica.com.srv_7688390.hftiili.be
www.bankofamerica.com.srv_07430.fgtsssa.co.uk
www.bankofamerica.com.srv_26497.nfillil.org.sg
www.bankofamerica.com.srv_92855.idfgtid.cz

The phishers are still doing that, of course, but as we were exploring the IP addresses being used by the botnet for hosting these phishing sites (more than 250 of them since Thursday afternoon), we found some domains that didn't fit this pattern.

my-secret-gallery-download.com



First we checked out the WHOIS information . . .

Registered May 15, 2009 at XIN NET Technologies . . .

Using the nameserver NS1.MY-CHEERFUL-DNS.COM

And oh, look! Our old friend Pan Wei Wei!

Registrant:
Organization : Pan Wei wei
Name : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Email: 127@126.com

Pan Wei Wei has been involved with this particular botnet since at least October, as others have noticed as well. For instance, see Dancho Danchev's blog entry from December. Dancho follows the popular trend of wrongly calling this the "Rock Phisher", but that's a common misperception, and he certainly ACTS like the Rock phisher. We prefer the term "Rock-Like", but that's not the point here. Dancho and many others have good evidence on this guy.

Pan Wei Wei used to prefer his gmail address - escap3@gmail.com or clu3less@gmail.com - but apparently he no longer uses those.

After Googling around a bit and checking the UAB Spam Data Mine, we find that this domain is not being used in spammed email, but is rather being used in an MSN message worm.

Messages are received such as:

damn, saw naked pics of yours or maybe the one in pic is similar to you .... crazy lol http://my-secret-gallery-download.com/pic_gallery.html

or

phewww +o( unbelivable, is that you??? who ever is it...is really similar to you lol ... http://my-secret-gallery-download.com/pic_gallery.html

The criminal needs to update his graphics on this one. What's supposed to happen here is that a graphic is displayed from one of several random ImageShack locations. Above the image are the words:

Click on the image to download the party pictures gallery...
(Click Open or Run when prompted.)

Clicking on the image will actually run this file:

http://my-secret-gallery-download.com/pic_gallery.php

Which causes you to download this file:

image_gallery.scr

File size: 31745 bytes
MD5 : fa0e304fa4c11a89a2345e009ecebf1c

The detection of this file as a virus is actually quite high. 34 out of 40 anti-virus tools now detect this malware, including Microsoft who labels the malware

Microsoft 1.4701 2009.06.01 VirTool:Win32/Obfuscator.FI

Virus Total Analysis here




picy-pictures.com



The next interesting looking website was picy-pictures.com

A WhoIs check confirms that this domain was also created by Pan Wei Wei, although this is more recent - with a created date of May 28, 2009. It also uses the nameserver NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4).



This one is a much clearer phishing attempt. Here we are asked right at the beginning to provide our MSN userid and password in order to view the 35 pictures in our Private Gallery.

Userids and passwords are checked immediately. If you provide fake data, you get "invalid login! please try again..."

If you provide real data, someone will need to tell me what it does, because I don't have an MSN account that I would like to share with the criminals.

It was interesting to me that although they chose to host this site on a botnet, where each computer on the botnet is a potential host to help them anonymize the source, they chose to hard code an IP address of their stylesheets and javascript programs:

69.90.81.132

There are two domain names associated with that IP address:

hotmail-timeout.com

and

pictures-bucket.com

I wonder if those might be similar scams?

Given that they were also both registered by Pan Wei Wei using XIN NET TECHNOLOGY as the registrar, I feel that it might be a safe bet. Hotmail-Timeout.com was registered March 15, 2009. Pictures-bucket.com was registered April 24, 2009.

The last interesting domain we are seeing on this botnet is:

hotmail-live-inbox.com



Registered May 26, 2009 by Pan Wei Wei on XIN NET TECHNOLOGY using Name Servers NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4)

We found a post about this one from Steve Swift at on a Vista Forum.

Steve had received a new email from Haris_Sheikh, which he knew because he had a link sent to him from an offline colleague:

You have received (1) new email from haris_sheikh.
http://www.hotmail-live-inbox.com/?user=haris_sheikh

Clicking on the link gave him a "System Notice" that read like this:

Your Live Account is about to get expired. For further details please visit,
http://www.hotmail-live-inbox.com/

If you've been a victim of any of these type of frauds, you may have bigger problems than you know. We've seen hotmail and live.com accounts used to try to scam the friends who send you email (see our blog article on Traveler Scams.)

For some of them, changing your live.com/hotmail password might help --

https://account.live.com/ChangePassword.aspx

For other support on your hotmail or live.com emails you can visit:

support.live.com

To report possible fraud on your live.com account, you can usethis live.com reporting form.

For others, you probably have malware running on your computer which is being used to send spam and steal your passwords!























http://my-secret-gallery-download.com/pic_gallery.html

Saturday, May 02, 2009

University Spammers, the Shah brothers, arrested

Congratulations to the Assistant US Attorney for Western Missouri, Matthew Wolesky, and the FBI investigators who have arrested and indicted the Shah brothers! The news was released in a Kansas City FBI Press Release on April 29th.

Amir Ahmad Shah, 28, and his brother, Osmaan Ahmad Shah along with their business, I2O, Inc, and their co-collaborators Liu Guang Ming of China, and Paul Zucker, 55, of New Jersey were named in the 51-count indictment.

Both Amir Shah and Osmaan Shah are listed on the Entrepreneur site, "The Rise To The Top", where they are listed as "Experts" on the site, which provides "Entrepreneurship Education for Young Entrepreneurs". (Any guesses on whether they will be there by Monday? haha! Just in case, I've taken screen shots for you here:



original URL: http://www.therisetothetop.com/guest-expert-profile.php?id=22



original URL: http://www.therisetothetop.com/guest-expert-profile.php?id=24

According to "CrunchBase", Osmaan Shah received his BS in Finance & Banking in 2006, and his MBA in 2009, both from the University of Missouri. His profile says:

Osmaan Shah is the co-founder and lead software developer of Noog. In his 7+ years of development experience, he exhibits a passion for dynamic front-end web design (javascript, AJAX/Comet). He specializes in the incubation of creative new products and online portals targeted towards students and young retail consumers. Mr. Shah is also the a Director and co-founder of VistaClick where he serves as the online marketing campaign manager.


Amir Shah's company is VistaClick.


(Original URL: http://www.vistaclick.com)

VistaClick's website describes an Affiliate Program where you could become one of their 17,000 "registered campus affiliates".

I wasn't able to pull the indictment from Pacer myself, as the "CM/ECF System for the Western District of Missouri is currently down for maintenance" (sigh), but someone else had already posted it online. (See indictment for case mowdce 4:2009cr00141, courtesy of Columbia Daily Tribune).

Here's what we can glean from the 59 page indictment:

First, the charges, which are all applied to the Shah brothers and to I2O, Inc. Liu Guang Ming and Paul Zucker are included in charges 1, 7-16, and 43-51.

Count One: 18 USC § 371 (Conspiracy), a Class D Felony, with possible sentence not more than 5 years with not more than $250,000 fine.

Counts Two through Six: 18 USC § 1030(a)(2) (Fraud in Connection with Computers), a Class C Felony, with possible sentence not more than 5 years with not more than $250,000 fine.

Count Seven: 18 USC § 1030(a)(5) (Fraud in Connection with Computers), a Class C Felony, with possible sentence not more than 10 years with not more than $250,000 fine.

Counts Eight through Sixteen: 18 USC § 1037(a)(1) (Fraud in Connection with Email), a Class E Felony, not more than 3 years, with not more than $250,000 fine.

Counts Seventeen through Forty-Two: 18 USC § 1037(a)(2) (Fraud in Connection with Email), not more than 3 years, with not more than $250,000 fine.

Counts Forty-Three through Fifty-One: 18 USC § 1037(a)(3) (Fraud in Connection with Email)

In the indictment, the defendants are said to have developed an email-harvesting program and used the program to harvest email addresses from the University of Missouri and over two thousand other United States universities and colleges. The defendants then used this database, which included more than 8 million email addresses, to send email messages advertising products that were specifically targeted to college students. The indictment covers thirty-one separate spam campaigns sent using this database.

The emails would claim to be sent from their local "campus representatives", and would often refer to the company as being "alumni-owned" in an attempt to make recipients believe their use of the advertised service would somehow benefit their alma mater or its graduates.

Many of the emails were sent from an "Offshore Bullet Proof Hosting" company located in China. Their emailing software falsified email header information and rotated the subject lines, reply-to addresses, message contents, and advertised URLs in an attempt to bypass spam filters. They also used false information when registering domain names.

After being investigated, and having search warrants served against their homes and business in an investigation into spam messages targeted at University of Missouri students, the spammers merely stopped sending email to any of the addresses harvested from the University of Missouri.

The defendants would register as many as sixty unique domain names for a single spam campaign, all pointing at identical content. They also started a social networking site called "noog.com" which also was advertised by spam. More than $4.1 million in product sales came from the defendants' spam campaigns. They attempted to conceal their earnings both through real estate purchases and sending large sums of money out of country.

In a useful part of the indictment that might be copied by others, definitions for the following terms are provided:
Addresses
Botnet
Domain
Domain name
Domain name service
Email harvesting
Email header
Instant messaging
Internet
Internet Protocol address (IP address)
Internet service provider (ISP)
Mail server
Name server
Proxy server
Realtime Blackhole List (RBL)
Server
Spam filter
Viruses
Website
Web Host

Here's how the roles of the defendants are described:

Amir Ahmad Shah - the co-owner and president of I2O, Inc. - the overall leader of the spam operations and the "idea guy".

Osmaan Ahmad Shah - the co-owner of I2O, Inc - the Chief Operating Officer and the "computer guy" in the partnership. He created the email extgractors, administered the websites, designed the websites, and dealt with other programming and implementation matters.

Liu Guang Ming - rented forty servers under his control in China to host websites, send spam, and search for proxies that could be used for sending spam.

Paul Fredric Zucker - a spammer who purchased proxies from the Shahs, and at other times sold proxies to the Shahs. He also leased space from Ming.

Several other unindicted and unnamed co-conspirators are mentioned, included a family member who ran "VistaClick Pakistan" for the Shahs.

Other companies in the conspiracy were DirectPO, VistaClick, Funding Junction, Veridio, OIBA, Textbook Registry, and Your City Development.

The Shahs began their operation "in or before 2001" by harvesting student email addresses. They began working with Ming in or before 2002, conducting conversations via AOL Instant Messenger. The ad they responded to read:


Servers are located in China and run by some of their largest ISPs. Our tech support team manages servers around the clock with constant contact from China to US. We have several sites sending millions of emails per day. Unlike other hosts, you will NOT need to switch domain names or experience periods of downtime. Our uptime guarantee is 90%. If you are serious about bulk mailing, you have come to the right place.


I was able to find a copy of a post by "AMIR SHAH" back on October 11, 2002, advertising "BULLET PROOF CHINA HOSTING" on this URL on sidetrak.com as an example.

In that ad, Amir offers to send messages for $30 per million emails sent. He used the AOL instant messager id "rulubos@aol.com".

Amir Shah also had a twitter account with that same identity, rulubos. He hasn't posted anything there since January 5th, 2009, when his last post was "looking at twitter and wondering if I should just incorporate this feature into Noog."

Amir follows Jianxiong Song. Hmmm...let's look at some more twitter links . . . Jianxiong is following WaqasShah, whose last twitter post is "WaqasShah is relieved" posted on APril 24th. WaqasShah follows noog_com, who was testing bloog mobile, according to their last twitter on April 17th. Noog has an interesting group of Venture Capitalists that he follows, but I won't list them here.

OK, back to the indictment.

In chat logs found on the computers, Zucker trains O. Shah in the art of spamming, and they communicate about how many proxies they would need to send 2 million emails, being disappointed with a rate of only 110,000 per hour. O. Shah later tells Zucker (July 14, 2003) that he can now send 1 million emails per hour with a 65% delivery rate (unblocked/unfiltered). Later, O. Shah tells his brother A. Shah that by plugging directly into the University of Missouri Columbia network "with a cable not using the wireless" he can send 2 million spam messages per hour from the school.

Search warrants were served against the Shah residence in Columbia, Missouri and their business address also in Columbia on February 23, 2005. They found more than 3 million student email addresses harvested from 2002, 5 million harvested from 2003, and 37.5 million AOL email addresses, 33.7 million MSN addresses, 10.8 Hotmail addresses, 5.2 million Yahoo addresses, and more than 4 million United Kingdom email addresses.

The indictment shows that the crew was identifying a ridiculous number of proxy servers which they could use to "bounce mail" from. For a price of $75 per week, Zucker was able to provide them "1500-2500 proxies twice a day". Originally, the transaction had gone the other way, with Shah providing a list of 45,000 proxies to Zucker earlier, receiving payment for his services via Paypal.

Zucker communicated with O. Shah about how to obtain and use the software program "Dark Mailer", and sent Shah a copy of the program on February 3, 2005. They also used the programs Supermailer and "Group Mail".

Bank records showed that the Shahs transferred more than $30,000 to Ming for hosting services.

Other chats showed the brothers discussing ways to make money. For example, they sent spam for a "teeth whitening" service, where they received a commission for successful sales. The brother said "if we need to mail a million or two to get 10,000 kids...then so be it...who cares."

Here's an example of their teeth-whitening emails, from April 1, 2004, which will illustrate how the SHAH brothers took advantage of students trust in their university relationships:

"Each year, several alumni-owned companies offer various specials to our students and faculty. This month, the university has been offered a special discount on custom fitted teeth whitening systems. Alumni-owned, Custom Bright, Inc., is offering its products to students and faculty at significant discounts all this month. We encourage you to visit their website and take advantage of this alumni offer."

This continued all the way through 2009, with messages like this one, sent March 1, 2009:

"As many of you may be aware, our campus has been offered a special discount on professional custom-fitted teeth whitening systems from a company run by our very own alumni. There will be several campus representatives (like myself) giving out more information over the next 2 weeks."

The brothers discussed having "a more forceful message" to encourage registration in a particular textbook system they were spamming:

"With higher tuition and course material costs, we are working to find new ways of saving students money. This semester, we have implemented a new textbook buyback program that will get students better payouts at the semester ending buyback and may also increase used textbook availability. You MUST complete your registration before the end of this week if you wish to be eligible for this semester's buyback."

Other campaigns that used similar spam sold Digital Cameras, iPods, NCAA Basketball merchandise, and Magazine subscriptions.

Some of the many domain names they used:

surveyproject.org
surveydirect.org
campuschange.org
whiteningtoday.com
whiteningnow.com
discoverwhitening.com
myschoolipods.com
studentipods.com
campusipods.com
semestersavings.com
semesterdiscounts.com
saveatcollege.com
collegedecember.com
estudentoffers.com
mycollegedeals.com
collegefuture.com
campusfuture.com
campusinput.com
whiteningservices.com
whiteningovernight.com
whiteninglabs.com
mycampusnanos.com
campusnanos.com
schoolipods.com

The full indictment gives date ranges for these and many other domain names.

Some of the purchases the Shah brothers made include:

a home in Columbia - $191,123.

a luxury lost in St. Louis - $251,861.

paying off a house in St. Louis - $33,698.

a downpayment on a Lexus sedan - $8,800.

The forfeiture of any assets, up to a total of $4,191,966.57 is also requested, which will come from several bank accounts, and the sale of properties at:

1301 Fieldcrest, Columbia, MO
1520 Washington Avenue, Unit #301, St. Louis, MO
a parking space (?)
5417 Idaho Avenue, St. Louis, MO

a 2002 Lexus (Missouri plate: CA9R6B)
a 2001 BMW (Missouri plate: 391ZEP)

Update



Apparently the Shah brothers indictment has shared with other spammers some good tips on this type of spam. Here's a message that one of my students at UAB received on April 30, 2009:

_____________________________________
From: Jenna T. [jenna@OverstockApple.com]
Sent: Thursday, April 30, 2009 2:20 AM
To: (name of my student)
Subject: Student/Faculty Discount

Dear Students/Faculty,

As you may have heard, several alumni-owned companies have teamed up to sponsor a campus-wide gift for our students and faculty. Working with Apple, they have acquired a small quantity of the new iPod Nano Chrome. This limited supply has now been made available to students and faculty at a significant discount. If you were at all interested in getting one of these iPods with this educational discount, please be sure to place your order online before this offer expires NEXT WEEK.

http://www.OverstockApple.com/h/3189094

Have a great summer!

Jenna T.
OverstockApple.com Student Representative



Have you seen a recent spam (after April 24th) from this group, pretending to be offering a discount for products from an "alumni-owned company"? If you can send it to me WITH HEADERS, I'd very much like to see it. Send it to: alumnispam@askgar.com