In a cybercrime ecosystem dominated by DIY (do-it-yourself) malware/botnet generating releases, populating multiple market segments on a systematic basis, cybercriminals continue seeking new ways to acquire and efficiently monetize fraudulently obtained accounting data, for the purpose of achieving a positive ROI (Return on Investment) on their fraudulent operations. In a series of blog posts, we’ve been detailing the existence of commercially available server-based malicious script/iframe injecting/embedding releases/platforms utilizing legitimate infrastructure for the purpose of hijacking legitimate traffic, ultimately infecting tens of thousands of legitimate users.
We’ve recently spotted a long-run Web-based managed malicious/iframe injecting/embedding service relying on compromised accounting data for legitimate traffic acquisition purposes. Let’s discuss the managed service, its features, and take a peek inside the (still running) malicious infrastructure behind it.
In terms of Q&A (Quality Assurance), the key differentiation features of the service include: automatic URL AV/blacklist detection through a third-party managed service, (compromised) legitimate Web site page rank checker, metrics based statistical system, IM notifications, as well as (compromised) login validation.
Affected CMS platforms:
Simple Machines Forum (SMF)
Contao Open Source CMS
The managed service is currently priced at $250 on a monthly basis, $1,500 for six months, and $2,500 for one year subscription. It’s capable of maintaining up to 500 simultaneous threads. Let’s take a peek inside the fraudulent infrastructure behind it.
Known to have responded to the same IP (18.104.22.168; 22.214.171.124) as the original hosting location are also the following fraudulent/typosquatted domains:
Known to have phoned back to the same IP (126.96.36.199) as also the following malicious MD5s:
Once executed MD5: 35908d4fb26949b2431849d3d8165740 phones back to:
Related malicious MD5s known to have phoned back to the same C&C server (188.8.131.52):
Known to have phoned back to the same IP (184.108.40.206) as the original hosting location are also the following fraudulent domains:
Webroot SecureAnywhere users are proactively protected from these threats.