Monday, March 14, 2016

Spammers for Donald Trump!

As we all know by now, Donald Trump is all about Winning, and whether you like him or hate him, if you quote him in a news story you are going to generate a lot of traffic.   Apparently spammers are wise to this truth as well.   When we saw spam messages this month imitating CNN talking about Donald Trump, our immediate thought was that this must be a malware campaign, such as the CNN "Royal Baby" spam we blogged about in 2013.

PhishMe's malware analysts took a look and reported back that this was NOT a malware distribution campaign.  So what was it?

The Trump Spam

To start, we looked for spam during the month of March that had "Trump" in the subject line and "CNN" in the sender name, but did not actually get sent from CNN's IP addresses. There were many thousands to choose from, but only thirteen subject lines were used:

Subject: BREAKING:  Trump Explosion Shocks Audience
Subject: BREAKING: Trump Scandal Could End it All...
Subject: CNN: This Time Donald Trump Crossed the Line
Subject: Donald Trump Explodes on Sunday Talk Show
Subject: Donald Trump:  Here is my Secret Weapon
Subject: Donald Trump:  I have a Secret Weapon
Subject: Donald Trump: I'M DONE
Subject: Donald Trumps Reveals His Trump Card
Subject: TRUMP ADMITS: Yes, It's Rigged
Subject: Trump Debate Comment Stops the Show
Subject: Trump Explodes at Debate, Stops the Show
Subject: Trump Explodes on Sunday Talk Show
Subject: Trump Reveals his Knockout Punch

The "sender name" for these spam messages was selected from one of the following:
CNN Breaking News
CNN Breaking Now
CNN Happening Now
CNN News Now
CNN Politics
CNN Sunday
CNN Updates

However, the email addresses had absolutely nothing to do with CNN or its domain name.  The userids were:
   info, news, notification, notify, or update

followed by many different domain names, including:

 allstayclear.com, bestbetterclass.com, childreneveryopen.com, eyealwaysher.com,
followboatstreet.com, gavewantfar.com, heardwerethan.com, intuitivefinally.com,
lessbooksure.com, offunitrain.com, pageobjectsystem.com, placewhenboy.com,
pullamongmight.net, rainwhichcome.com, redanswercontain.com, restverysay.com,
seemfarmlong.com, shegroundminute.com, sixletterwater.com, strongstoodstate.com,
thingwoodscience.com, veryknewworld.com, warmfoundagain.com

These spam messages come from a group of spammers who specialize in using high-interest headlines to drive a multi-level redirection that eventually lands the recipient of the email on a website promising some form of "get rich quick" scheme.

Other Spam From Same IP Addresses (Walgreens, Google, Amazon)

By selecting the thirty most common spam-sending IP addresses for the CNN/Trump campaigns, we are able to learn about other favorite campaigns being run by the same group of spammers during the month of March 2016.

Subject: (name), Your Walgreens Card is on Hold #(random number)
Subject: Walgreens Pickup Notice (random number)

These were popular at the beginning of the month, with senders:

March 1, 2016 From: info@bestbetterclass.com, info@followboatstreet.com
March 3, 2016 From: info@doneinchyes.com, info@veryknewworld.com
March 5, 2016 From: info@redanswercontain.com

Beginning on March 8th, a popular "Google is hiring" scam began from the same spamming computers:

Subject: Google Inc. wants to work with you (89k working from home)
Subject: Google Inc. has three positions available - $75.00 (hour)
Subject: (3) New Positions Open With Google Inc. - Salary is 89K for 2016

From: home@heardwerethan.com, home@warmfoundagain.com, home@pullamongmight.net

Then back to Walgreens, From: info@gavewantfar.com,  info@restverysay.com

The Donald Trump / CNN spam was well mixed in throughout, on March 3, 4, 6, 7, 9, 11, and 12.

After a brief hard-core sex campaign on March 12th, the spammers began an "Amazon shopping voucher" campaign on March 13:

Subject: (name) - Ready to use - your Amazon shopping voucher - active today
Subject: (name) - Your Amazon Card
Subject: (name) - So much at your fingertips - activate your Amazon cash voucher now

with sender names of "Amazon.com.Credit", "AmazonCard", "ShopAmazon", and "Amazon-Voucher", and From: info@restverysay.com


The Redirection

In each of the spam campaigns, a single IP address was used as the source for each "from domain" and the destination URLs related to that email were all hosted on an oddly named host on the same domain.  Some examples include:

From domain             Sending IP        Destination host
pageobjectsystem.com    89.46.63.82       mail.pageobjectsystem.com
intuitivefinally.com    94.176.163.119    b99.intuitivefinally.com
redanswercontain.com    72.1.242.156      97q.redanswercontain.com
sixletterwater.com      76.74.218.30      ffoz.sixletterwater.com
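The subject/sender filter used to pull the Trump/CNN spam, together with the "top sending IPs" pivot and the one-domain-per-IP pairing described above, as an added example written for this post rather than the author's own tooling. The message samples are constructed (reusing domains and two IPs quoted in the post), and the set of legitimate CNN sending domains is an assumption.

```python
import re
from collections import Counter, defaultdict
from email.utils import parseaddr

# Constructed samples (not from the author's feed): display name, From address,
# Subject, connecting IP.  Domains and the two M247 IPs are values quoted in the
# post; 203.0.113.10 is a documentation-range stand-in for a genuine sender.
SAMPLES = [
    ("CNN Breaking News", "news@pageobjectsystem.com",
     "BREAKING: Trump Scandal Could End it All...", "89.46.63.82"),
    ("CNN Politics", "update@intuitivefinally.com",
     "Trump Reveals his Knockout Punch", "94.176.163.119"),
    ("CNN Breaking News", "breakingnews@cnn.com",
     "Trump Debate Comment Stops the Show", "203.0.113.10"),
    ("Walgreens", "info@gavewantfar.com",
     "Walgreens Pickup Notice 48213", "89.46.63.82"),
]
# Assumption: the domains a genuine CNN mailing would come from.
LEGIT_CNN_DOMAINS = {"cnn.com"}

def sender_domain(from_addr):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(from_addr)
    return addr.rpartition("@")[2].lower()

def is_cnn_trump_spoof(display_name, from_addr, subject):
    """The post's filter: 'CNN' in the sender name and 'Trump' in the
    subject, but a From domain CNN does not actually mail from."""
    if "cnn" not in display_name.lower():
        return False
    if not re.search(r"\btrump\b", subject, re.I):
        return False
    return sender_domain(from_addr) not in LEGIT_CNN_DOMAINS

def spoofed_messages(samples):
    """Only the messages that match the spoof filter."""
    return [s for s in samples if is_cnn_trump_spoof(s[0], s[1], s[2])]

def top_sending_ips(samples, n=30):
    """Most common sending IPs among the spoofed messages (the post's pivot)."""
    return Counter(s[3] for s in spoofed_messages(samples)).most_common(n)

def domains_by_ip(samples):
    """IP -> From domains seen from it: one throwaway domain per IP, and the
    same IP later carrying Walgreens, Google or Amazon lures from a fresh one."""
    seen = defaultdict(set)
    for _name, from_addr, _subject, ip in samples:
        seen[ip].add(sender_domain(from_addr))
    return dict(seen)
```

Feeding `domains_by_ip` the full month of mail, not just the spoofed subset, is what exposes the other campaigns riding the same leased boxes.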


Let's take a spam message that redirects us to "smtp.friendroomdiffer.com" as an example. The URL that we are supposed to visit has a path that looks similar to this (we've replaced some characters to break the tracking):

ACRTl5OQU5IB/BIae1TW2BEpk3Z3SL/aLb6+cTbqj6whLaRcBYQTlIE8YcRUNvLS8xh5/zU31q3ruEfD3pXu64wV2NrIhYuwQKpcldGi/CRTw=

When we visit that URL, we are sent to "7roitrack.com", where the string is decoded to reveal an affiliate ID (who gets paid for any sales that result from this click) and a campaign ID (so they know to show us the "Trump" version of the scam).

That immediately sends us to "en1-trk.com", which then sends us to "ih-trk.com", which then sends us to "athome-profits.com", which has a fake "Breaking News" page shown below:



The text of the page tries to convince the gullible email-clicker that Donald Trump believes "Ultimate Home Profits" is the best way to make money from the Internet.  Here's what it says:

(Quote)
"It's time that people realized the amazing potential the American people have to create income for themselves and their families. The truth is, the average American can double or even triple their income today without making any changes to their current lifestyle." Mr. Trump went on.

The secret, he says, is in taking advantage of the leverage available on the internet.

"It's no secret that I made my fortune in real estate and television, because those were the best opportunities available at the time. But times have changed. Right now, an average American with no special skills and no investment can go out and start earning income online today."


Mr. Trump says the best opportunity available is a new program called Ultimate Home Profits which teaches regular people to take advantage of this massive internet opportunity quickly and easily, and even places them with real online companies that pay them for their time completing simple tasks.
"Emily Hudson is absolutely changing the world with her Ultimate Home Profits program" he said. "Normally, rich people keep the secrets to their wealth to themselves. But Sara, she has found an amazing opportunity, and she is sharing it with everyone. That's incredible."


Trump has not hidden his affection for Ms. Hudson. He has recently been praising her on social media for her efforts to teach regular people how to create amazing wealth in their spare time.

(End Quote)

The scam-page includes a Fake Twitter Endorsement, shown below:

Clicking any of the many links on this page forwards you to the "Ultimate Home Profits" page, which looks like this:


Trump Pills / Trump $100 Gift Cards?

 The "Ultimate Home Profits" spammers are by no means the only spammers that have been abusing Trump's name to peddle their wares (although they are certainly the highest volume spammers of the crowd!)


In this fake Fox News spam (from "FoxNews@newearningreportupdates.eu") the fake headline tells us that "Donald Trump Credits $4 Billion Empire to This Pill".  The URL forwards through "xchangetrak.com" and "tracking.routeoffers.com" and "greathealthychoices.com" before landing at "goodhealthtips.net/donald-trump" (AFFID = 1018).  Spam for this campaign includes sender names such as "Trump Reveals Trick", "Trump's Improve Thinking", "Trump's IQ Booster" and "Trump's Memory Secret", with claims that the email is endorsed by MensHealth, Forbes, CNNHealth, and as shown below, Fox News.

(Quote from "goodhealthtips.net" spam affiliate site)
"Trump is a big fan of creating jobs, reading books, and doing puzzles, but according to O'Reilly, he also credits his success to an IQ boosting, brain pill that helped him with memory, and recall. "This pill is the real magic," says Mr. Trump, referring to CogniMaxx XL.

"This brain booster is not heavily advertised but that's what's great about it-- CogniMaxx XL puts all their money into finding the most organic, pure all natural ingredients and that it, it all goes into the formula, so you kind of have to be 'in the know' to get your hands on it, but I tell everyone I meet my 'secret' so I guess it's not really a secret anymore."
 (End Quote)

  
This spam message promises a $100 Gift Card if you will take a survey related to Trump's chance of winning.  The Trump Gift Card is just another example of the "survey on any popular topic that promises a gift card" spam.   In this case the spam goes to "www.loveauthority.org", which redirects through the tracking sites "tump.brandstrendy.com", "prosper202.brandstrendy.com", "trkur5.com" and "a.websponsors.com" before landing at "publicsurveypanel.com".  From there it follows a fairly standard "steal all your public information and never give you a gift card" model that we've described on this blog so often before.  (For a full write-up on how Fake Surveys for Gift Cards work, see the story on this blog about fake Target Gift Cards.)

The Spamming IPs?

For the spam-trackers who want to know . . .  those "thirty most popular" IP addresses on the Trump/CNN spam we saw are mostly in the US with a couple each from Canada and Romania, and one in Ireland.  In most cases, the criminal leases a box from a reseller who hosts services at one of these locations, and then spams as hard as possible until they get busted, then they rotate to a new IP and keep going.   Spamhaus has coined the term "Snowshoe spammers" for these people who often do single day, or even single hour, spam campaigns from a location before quickly moving to another location, never settling long enough to be considered a "big problem" for any given host.



Sunday, March 06, 2016

"Unlimited" ATM Mastermind Ercan Findikoglu pleads guilty

One of the most fascinating types of cybercrime, in my opinion, is the Unlimited ATM attack.  There have been several such attacks over the years, as we've written about in this blog previously, including:


In an "Unlimited" attack, hackers gain access to the internal systems of a bank or banking network and are either able to "reset" ATM withdrawal limits or eliminate the limits altogether for a card or group of cards.  The magnetic stripe data from these cards are then widely distributed to "cash-out crews" who take responsibility for draining as many ATM cards as possible in their area, while each time a card is used, the hackers "undo" the transaction so that the card appears to have not been used.


33-year-old Turkish citizen Ercan Findikoglu was charged with conducting three such Unlimited campaigns.

In February 2011, $10M was withdrawn using the pre-paid debit cards distributed by the American Red Cross to disaster relief victims.  The cards were operated by JPMorgan Chase.  On February 27 and 28, 2011 a total of around 20 pre-paid debit cards were used in approximately 15,000 transactions to withdraw $10M from ATM machines in 18 countries, including ATMs in the Eastern District of New York.

In Findikoglu's second Unlimited attack, pre-paid debit cards for the India-based company ECS, operated by National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates were used.  On December 21 and 22, 2012, approximately 5,000 transactions in at least 20 countries resulted in withdrawal of $5M.

In the largest of his three documented Unlimited campaigns, enStage, a California-based payment processor, suffered an intrusion and had many cards stolen from its internal database.  A group of pre-paid debit cards for Bank Muscat in Oman were selected as the target, and on February 19 and 20, 2013, 36,000 transactions in 24 countries were used to steal $40M.

Ercan Findikoglu, who called himself "Segate" or "Predator" online, was arrested in December of 2013 while visiting Germany.



He was originally charged with 18 counts:

(1)   CONSPIRACY TO DEFRAUD THE UNITED STATES
(2-4) FRAUD ACTIVITY CONNECTED WITH COMPUTERS
(5-6) ATTEMPT AND CONSPIRACY TO COMMIT MAIL FRAUD
(7)   BANK FRAUD
(8)   ATTEMPTS TO COMMIT AN OFFENSE
(9-14) PRODUCES/TRAFFICS IN COUNTERFEIT DEVICE
(15) MONEY LAUNDERING CONSPIRACY
(16) MONEY LAUNDERING
(17) TAMPERING WITH WITNESS, VICTIM, OR AN INFORMANT
(18) INTIMIDATION OR FORCE AGAINST WITNESS

On June 24, 2015, Ercan was ordered into US detention, having been extradited from Germany.  The German courts in Frankfurt declared that Findikoglu was "the most-wanted computer hacker in the world and may face more than 247 years in prison if convicted of all U.S. charges" (as quoted in Bloomberg's story of 23JUN2015, "Most-wanted cybercriminal extradited to U.S. from Germany").

As usual, the reality of sentencing varies dramatically from the overblown initial press release.  On March 1, 2016, all parties appeared before the Honorable Judge Kiyo A. Matsumoto for a Change of Plea Hearing.  Sentencing is scheduled for July 12, 2016, but according to the BBC, prosecutors have agreed in a plea deal to limit his incarceration to "between 11 and 15 years."  (See "US bank hacker faces long jail time".)

Many of the "Cash-out crews" from these operations have been separately arrested and charged, while many others (the vast majority really) remain at large.