We continue to spot new cybercrime ecosystem propositions for spam-ready, cybercrime-friendly SMTP (Simple Mail Transfer Protocol) targeting QA (Quality Assurance) aware cybercriminals looking to gain access to dedicated mail servers with clean IP reputation, ensuring that their campaigns will reach the recipient’s Inbox. Relying on ‘in-house’ built infrastructure or direct outsourcing to bulletproof hosting providers, these services continue empowering prospective customers with managed, popular spam software compatible services, potentially exposing millions of users to fraudulent or malicious email campaigns.
Let’s discuss yet another managed service offering spam-ready SMTP servers, and connect it to malicious campaigns that have directly interacted with the same infrastructure it’s currently hosted on, indicating that it’s already “in business”.
Sample screenshot of the inventory of harvested emails offered by the service:
Sample pricing scheme offered by the spam-ready managed SMTP service in Rubles, based on the number of emails to be delivered:
Sample screenshot of the pricing scheme for high-volume spam customers on a monthly/yearly basis in Rubles:
The Web site of the service currently responds to 220.127.116.11, with the same IP known to have been participating in a multiple malicious client-side exploits serving campaigns.
Not surprisingly, we can easily correlate malicious/spam activity that’s been taking place through related domain that are known to have been responding to the same IP (18.104.22.168) over the past couple of months.
Known to have responded to the same IP are also the following malicious/fraudulent domains:
We’re also aware of the following malicious MD5s that are known to have directly communicated with the same IP (22.214.171.124) over the last couple of months:
In particular the samples have phoned back to the following URLs that are known to have responded to the same IP that the managed SMTP spam service is currently hosted on:
All of these sample establish a UDP communication channel to the following C&C server: 126.96.36.199:8010
How is the actual spamming and acquisition of the spam-ready infrastructure taking place? Through compromised Web sites. Consider going through this assessment of the actual malware used in these campaign courtesy of the fine folks at Abuse.ch.